Privacy Notice
Last updated: 26 June 2026
SupportFlow AI is operated by Kui Moffitt, sole trader (Australia) ("we", "us"). We act as the data controller for personal data collected through the Service. This notice explains what we collect, why, and your rights under Australian privacy law (the Privacy Act 1988 and the Australian Privacy Principles).
Personal data we collect
- Account data — name, email, password hash, organisation name, professional role.
- Content you submit — progress notes, incident reports, shift summaries, voice recordings for transcription, and any participant information you choose to record.
- Usage and telemetry — pages visited, features used, AI generations performed, device type, browser, IP address, approximate location.
- Support messages — anything you send us when you contact support.
Payment card details are collected directly by our payment provider, Paddle.com, and are not stored on our systems.
Why we use it
- To create and maintain your account (contract performance).
- To provide the AI rewriting, dictation, and summary features (contract performance).
- To detect fraud, abuse, and security incidents (legitimate interests).
- To improve the product, debug issues, and measure performance (legitimate interests).
- To send transactional emails (e.g. receipts, password resets) (contract performance).
- To comply with our legal obligations (legal obligation).
Who we share it with
- Paddle.com — our Merchant of Record, for payment processing, subscription management, tax compliance, and invoicing.
- Hosting and infrastructure providers — for hosting the application, database, and AI model inference.
- Professional advisers — legal, accounting, and tax advisers where necessary.
- Authorities — where required by law or to protect the rights, safety, or property of our users or the public.
International transfers
Some of our service providers process data outside Australia. Where this happens we rely on appropriate safeguards such as standard contractual clauses or providers covered by recognised adequacy frameworks.
Data retention
We retain account and content data for as long as your account is active, plus up to 90 days after closure for backup and dispute-resolution purposes. Billing records are retained for the period required by Australian tax law (typically 5 years). After these periods data is deleted or anonymised.
Your rights
Under the Australian Privacy Principles, you may request access to, correction of, or deletion of your personal data, and you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. To exercise these rights, email us using the address associated with your account.
Security
We use industry-standard technical and organisational measures including encrypted connections (TLS), encryption at rest for the database, role-based access controls, and row-level security so users can only access their own data.
Cookies
We use only essential cookies required for authentication and session management. We do not use third-party advertising or analytics cookies.
Contact
For privacy questions or requests, contact us via the email address linked to your account.