Privacy Policy

Last updated: 5 May 2026

Welcome to Aleesa.ai. This Privacy Policy (“Policy”) explains how we, Aleesa.ai, Inc. (or our affiliate, “we”, “us”, “our”), collect, hold, use, disclose and otherwise manage personal information when you use our services, visit our website or otherwise interact with our AI-powered platform (collectively the “Services”). In this Policy, “you” and “your” refer to the individual or entity using the Services or submitting information.

1. Overview & Applicability

We recognise the importance of protecting your privacy. This Policy is designed to reflect your rights and our obligations under Australian privacy law, including the Australian Privacy Principles (APPs). If you are located in Australia or we handle personal information of individuals in Australia, this Policy explains how we comply with our obligations under the Privacy Act 1988 (Cth) and the APPs.

2. What kinds of personal information we collect

a) Personal information

When you register for or use our Services, we may collect personal information about you or your users, such as:
  • Contact details (name, address, email address, phone number);
  • Employment or professional details if you use the Service in a business context;
  • Billing and payment information (e.g., credit card, bank account) if you purchase our Services;
  • Usage data, interaction logs with our platform (e.g., times of use, features accessed);
  • Transcripts, voice recordings, chat logs, metadata from interaction with the AI;
  • Technical data: IP address, device identifiers, browser/operating system details, authentication tokens, system logs;
  • Preferences, behavioural data, inferred data derived from your usage of the Services;
  • If you connect a Gmail or Google account: your Google account email address and profile information, OAuth tokens issued by Google, and the contents of email messages in the connected mailbox (subject, sender, recipients, body, attachments, labels and timestamps). See Section 16 for full details.

b) Sensitive information

Under Australian law, “sensitive information” is a subset of personal information (e.g., health data, political opinions, racial or ethnic origin). We generally do not collect sensitive information unless required, with your consent, or permitted by law.

3. How we collect personal information

  • Directly from you when you provide it (e.g., account registration, forms, communications).
  • Automatically through your use of our website or Services (via cookies, logging, tracking technologies).
  • From third-party sources (for instance, service providers, publicly available sources, business partners), subject to applicable laws.
  • From Google APIs when you connect a Gmail account, in accordance with the OAuth scopes you authorize (see Section 16).

4. Purposes of collection, use and disclosure

We may use or disclose your personal information for the following purposes:
  • To provide, operate, maintain and improve our Services.
  • To respond to your enquiries or support requests.
  • To manage billing, invoicing, accounts and subscriptions.
  • To personalise and customise your experience (e.g., recommendations, interface customisation).
  • To train, validate and improve our AI models, algorithms, and features (this does not apply to data received from Google APIs, including Gmail content, which we never use to train AI models — see Section 16).
  • To detect, prevent or investigate fraud, security incidents, misuse of Services or other harmful activity.
  • To comply with legal or regulatory obligations.
  • To send marketing or promotional communications if you have opted-in (you may opt-out at any time).
We will only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose if you would reasonably expect it or you have consented, or as otherwise permitted under the APPs.

5. Disclosure to third parties & cross-border transfers

We may disclose your personal information:
  • To our service providers, subcontractors, cloud hosting providers, analytics providers, payment processors, etc., who assist in providing the Services.
  • With your consent.
  • As required by law or regulatory authority.
If your personal information is likely to be disclosed overseas, we will take reasonable steps to ensure the overseas recipient does not breach the APPs (or equivalent protections) or ensure there is a legally enforceable mechanism in place. We will inform you of the countries where the information is likely to be disclosed if practicable.

6. Security & Data Retention

We implement reasonable technical, administrative and organisational safeguards to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. These measures may include encryption, access controls, log monitoring, multi-factor authentication and regular security reviews. We retain personal information only for as long as required for the purposes for which it was collected (or as required by law), and will securely destroy or de-identify the information when it is no longer needed.

7. Access, correction and deletion of your personal information

Under the APPs, you have the right to access the personal information we hold about you, and to request correction of that information if it is inaccurate, incomplete, irrelevant or out-of-date. To exercise those rights, please contact our Privacy Officer (see contact details below). We may ask you to verify your identity before providing access or making corrections. In some circumstances, we may refuse access or correction, in which case we will provide you with reasons and how you may complain.

8. Cookies and tracking technologies

We use cookies, pixels, tags, and other tracking technologies to collect information about your usage of our website and Services (e.g., pages visited, time/date, device/browser type, IP address). You may manage certain cookie preferences via your browser settings. Note that disabling some cookies may affect your ability to use or access parts of the Services.

9. Direct marketing

If you have subscribed to receive marketing communications, we may send you information about our products, services, offers or events. You will be given the opportunity to opt-out of receiving marketing communications. If you choose to unsubscribe, we will cease sending marketing messages to you.

10. Complaints handling & breach notification

If you believe we have mishandled your personal information or breached this Policy, you may lodge a complaint by contacting us (see contact details below). We will endeavour to respond to your complaint within a reasonable period and keep you informed of progress. Under the Privacy Act and APPs (and the Notifiable Data Breaches scheme), if there is a data breach involving your personal information that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with legal requirements.

11. Anonymity and Pseudonymity

Where it is lawful and practicable, you may interact with the Services anonymously or by using a pseudonym. If the Services require registration or verification, we may need your real identity.

12. Quality of personal information

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date.

13. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top will reflect the changes. If we make material changes, we will notify you by posting the updated Policy on our website (and/or via email). Your continued use of the Services after the update constitutes acceptance of the updated Policy.

14. Children

Our Services are not directed at minors under 16 years of age. We do not knowingly collect personal information from minors without parental or guardian consent. If you believe we may have collected information from a minor, please contact us and we will delete it.

15. Anonymized and aggregated data

We may create anonymized or aggregated data that cannot reasonably be used to identify you, and use it for research, analytics, and product improvement. Anonymized or aggregated data derived from Google user data is not used in any way that could re-identify the user.

16. Google API Services and Gmail data

When you connect a Gmail account to Aleesa, we access Google user data under the OAuth scopes you authorize. This section describes that data handling specifically and supplements the rest of this Policy.

a) Google data we access

  • Gmail messages (subject, sender, recipients, body, attachments, labels, timestamps) — via the gmail.readonly scope
  • Permission to send email on your behalf — via the gmail.send scope
  • Your Google account email address and basic profile information — via userinfo.email, userinfo.profile, and openid scopes
  • OAuth access and refresh tokens issued by Google, which we store encrypted at rest using AES-256-GCM

b) How we use Gmail data

We use Gmail data only to provide the Aleesa email assistant Service to you:
  • To display your incoming emails inside Aleesa
  • To classify emails by category, priority, and sentiment using AI
  • To generate AI-assisted reply drafts for your review
  • To send replies you have approved (or that your organisation’s review policy has authorised) on your behalf

c) How we do NOT use Gmail data

We do not:
  • Use Gmail data to train, develop, or improve any generalised AI/ML models (ours or third parties’)
  • Serve advertising based on Gmail data
  • Sell Gmail data to data brokers or any third party
  • Allow humans to read Gmail data except (i) with your explicit consent, (ii) for security investigations, (iii) to comply with applicable law, or (iv) for limited internal operations such as debugging when strictly necessary, in line with the Google API Services User Data Policy

d) Sharing Gmail data with subprocessors

We share Gmail data only with the following service providers, only as necessary to operate the Service:
Provider | Purpose | What is shared
Cerebras Systems, Inc. | AI processing for email classification and reply draft generation | The text of the email being processed
MongoDB Atlas | Encrypted database hosting | Stored email data (encrypted at rest)
DigitalOcean | Application hosting infrastructure | Encrypted data in transit during processing
Cerebras’s privacy policy states that they do not retain inputs or outputs from their inference services and do not use them to train models. The model used (gpt-oss-120b) is an open-weights model whose parameters are publicly available. Email content sent to Cerebras is processed solely to return classification or draft output to Aleesa.

e) Limited Use disclosure (required by Google)

Aleesa’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

f) Retention and deletion of Google data

  • Gmail data is retained for as long as your Google account remains connected to Aleesa.
  • When you disconnect your Google account in Aleesa, we revoke the OAuth tokens and delete associated Gmail data within 30 days.
  • When you delete your Aleesa account, all stored Gmail data is permanently deleted within 30 days.
  • You may revoke Aleesa’s access to your Google account at any time at https://myaccount.google.com/permissions.
  • You may request immediate deletion of your data by emailing info@aleesa.ai.

17. Contacting us

If you have any questions, concerns or complaints about this Policy or our privacy practices, please contact our Privacy Officer:

Aleesa.ai, Inc.

Email: info@aleesa.ai

Phone: 0433 278 992

Address: Level 23, 333 Ann Street, Brisbane QLD 4000

You may also lodge a complaint with the OAIC if you believe your personal information has been mishandled.