Privacy Policy
Effective date: 26 February 2026
This Privacy Policy explains how The Art of Service Pty Ltd (ABN 19 095 825 308) ("The Art of Service", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our AI Compliance Intelligence Platform at compliance.theartofservice.com (the "Platform").
We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), and other applicable privacy laws.
1. Information We Collect
1.1 Information you provide
- Account information — name, email address, and password (stored as a one-way hash) when you create an account.
- Assessment responses — your answers and maturity scores when you complete self-assessments.
- AI advisory queries — the questions you submit to the AI advisory feature.
- Portfolio data — saved comparisons, managed frameworks, remediation tasks, and control notes you create.
- Team information — names and email addresses of team members you invite (Enterprise tier).
- Communications — messages you send to us via email.
1.2 Information collected automatically
- Usage data — pages visited, features used, and timestamps of interactions.
- Device information — browser type, operating system, and screen resolution.
- IP address — used for security, rate limiting, and approximate geographic location.
1.3 Information from third parties
- Social login providers — if you sign in via Google, Microsoft, or GitHub, we receive your name and email address from the provider. We do not receive your password.
- Payment processor — Stripe provides us with your subscription status and billing identifiers. We do not receive or store your credit card number.
2. How We Use Your Information
We use your personal information to:
- Provide, maintain, and improve the Platform and its features.
- Authenticate your identity and manage your account and subscription.
- Process your assessment responses, generate results, and store your compliance data.
- Provide AI advisory responses based on your queries and selected frameworks.
- Send you transactional emails related to your account (e.g., password resets, subscription confirmations).
- Send you product updates and compliance tips, if you have opted in to marketing communications.
- Detect, prevent, and address security issues, fraud, and abuse.
- Comply with legal obligations.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract — processing necessary to provide the Platform services you requested (account management, assessments, AI advisory).
- Legitimate interest — processing necessary for security, fraud prevention, and Platform improvement, where our interests do not override your rights.
- Consent — marketing communications. You can withdraw consent at any time.
- Legal obligation — where we are required to process data by law.
4. Third-Party Services
We share personal information with the following third-party service providers, solely to operate the Platform:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, subscription status | United States |
| SendGrid (Twilio) | Transactional and marketing email | Name, email address | United States |
| Cerebras | AI advisory (LLM inference) | Advisory queries (anonymised) | United States |
| Vercel | Frontend hosting | IP address, usage data | Global edge network |
| Hetzner | Backend hosting | All Platform data (encrypted at rest) | Germany |
We do not sell your personal information to third parties. We do not share your data for advertising purposes.
5. International Data Transfers
Our backend servers are hosted in Germany (Hetzner). Some third-party services (Stripe, SendGrid, Cerebras) are based in the United States. Where personal data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The service provider's participation in recognised data transfer frameworks.
6. Data Retention
- Account data — retained for as long as your account is active. If you request account deletion, we delete your personal data within 30 days, except where retention is required by law.
- Assessment data — retained for the lifetime of your account. Deleted when your account is deleted.
- AI advisory queries — stored in your browser's local storage. Not retained on our servers beyond the duration of the request.
- Payment records — retained for 7 years as required by Australian tax law.
- Server logs — retained for up to 90 days for security and debugging purposes.
7. Data Storage and Security
We protect your data through:
- Encryption in transit (TLS/HTTPS on all connections).
- Password hashing using bcrypt (we never store plaintext passwords).
- Access controls limiting data access to authorised personnel.
- Regular security reviews of our infrastructure.
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure.
8. Your Rights
Depending on your location, you have the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data ("right to be forgotten").
- Portability — request your data in a structured, machine-readable format.
- Restriction — request that we limit processing of your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent for marketing communications at any time.
To exercise any of these rights, contact us at privacy@theartofservice.com. We will respond within 30 days (or within the timeframe required by applicable law).
EEA residents: You have the right to lodge a complaint with your local data protection authority.
Australian residents: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Cookies and Local Storage
The Platform uses browser local storage to maintain your session and preferences. Specifically, we store:
- Authentication token — a JSON Web Token (JWT) to keep you signed in.
- Assessment progress — your in-progress assessment state.
- AI advisory history — your chat messages (stored locally in your browser, not on our servers).
- Onboarding state — whether you have completed the platform tour.
We do not use third-party tracking cookies or advertising cookies. You can clear local storage at any time through your browser settings.
10. Marketing Communications
We may send you product updates and compliance tips by email if you have opted in during registration. You can unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email.
- Contacting us at privacy@theartofservice.com.
Unsubscribing from marketing communications does not affect transactional emails (e.g., account notifications, billing receipts).
11. Children
The Platform is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: privacy@theartofservice.com
General enquiries: support@theartofservice.com
Postal address: The Art of Service Pty Ltd, Queensland, Australia
The Art of Service Pty Ltd (ABN 19 095 825 308), Queensland, Australia.