Privacy Policy

This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). It is not a substitute for the contractual terms in your Data Processing Addendum or Terms of Service, which control in case of conflict.

1. Who we are

Vorana Pty Ltd (82842478628) (“Vorana”, “we”, “us”) is an Australian company providing an AI reliability and governance platform that sits between enterprise applications and large-language-model providers. This Policy covers our website (vorana.ai) and our hosted service. We are an APP entity for the purposes of the Privacy Act.

2. Personal information we collect

• Information you provide. Name, work email, company, phone number (if given), and message contents when you contact us, request a demo, or sign up.
• Account & usage data. When you use the service, we record API request metadata (timestamps, tenant id, pipeline id, latency, status) for billing, audit, and quality purposes.
• Content you submit through the gateway. Treated as Customer Data under the DPA; handled only on your instructions and not used to train models.
• Site analytics. Anonymised page-view counts and aggregate device/browser information.

We collect personal information directly from you wherever practicable. We do not collect sensitive information (as defined in the Privacy Act) unless you provide it to us in the course of using the service and we have your consent.

3. How we use personal information

We use personal information for the primary purpose for which it was collected — to provide and operate the service, respond to inquiries, secure the platform against abuse, meet our legal obligations, and bill for usage — and for related secondary purposes you would reasonably expect (such as product improvement and account communications). We do not sell personal information and we do not use it for direct marketing without your consent or a related-purpose basis under APP 7.

4. Disclosure

We disclose personal information to service providers who help us run the service (cloud hosting, error monitoring, customer support, payment processing). Where any of those providers are located outside Australia, the disclosure is governed by APP 8 (see section 8 below). A current list of sub-processors is available on request and in your DPA. We may also disclose personal information if required or authorised by Australian law.

5. Data retention

Customer Data is retained per your account’s configured retention policy. Operational logs are retained for up to 13 months and then deleted or de-identified. Marketing inquiries are retained for 24 months unless you ask us to delete them sooner. We destroy or de-identify personal information once it is no longer needed for any permitted purpose, in accordance with APP 11.2.

6. Security and the Notifiable Data Breaches scheme

Customer Data is encrypted in transit (TLS 1.2+) and at rest. The audit store supports per-tenant customer-managed encryption keys (CMK). We maintain controls aligned with ISO/IEC 27001 and SOC 2, and have a documented incident response plan. If we become aware of a data breach that is likely to result in serious harm, we will assess and notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. See Security overview.

7. Your rights under the APPs

Under the Privacy Act and APPs, you have the right to:

• request access to the personal information we hold about you (APP 12);
• request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);
• opt out of receiving direct marketing from us at any time;
• be told whether we hold your information anonymously or under a pseudonym, where lawful and practicable (APP 2).

To exercise these rights, email privacy@vorana.ai. We will respond within a reasonable period (and in any event within 30 days). There is no charge to make a request, though we may recover reasonable costs of providing access in unusual cases.

8. Cross-border disclosure (APP 8)

We may disclose personal information to overseas recipients in the United States, the European Union, the United Kingdom, and other countries where our cloud and sub-processors operate. Before any such disclosure we take reasonable steps to ensure the recipient does not breach the APPs in relation to the information, including via contractual safeguards. Region-locked deployments are available for tenants that require data to remain in Australia.

9. Cookies

We use a small number of essential cookies and an anonymised analytics cookie. The cookie banner shown on first visit lets you accept or decline non-essential cookies. You can clear or change your choice at any time in your browser’s site settings.

10. Children

Vorana is a B2B service and is not directed to children under 16. We do not knowingly collect personal information from children.

11. Complaints

If you believe we have breached the APPs or mishandled your personal information, please contact us first at privacy@vorana.ai so we can investigate and respond. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by phoning 1300 363 992.

12. Changes

We will post material changes to this Policy here and update the “Last updated” date above. For customers under contract, we will notify the account contact in writing in advance of any material change.

13. Contact

Privacy Officer, Vorana Pty Ltd — privacy@vorana.ai.