Thalio.app Privacy Policy
(including Data Collection Notice)
Effective: December 2025
This Privacy Policy explains how Thalio.app ("Thalio", "we", "us", "our") collects, uses, stores, and discloses personal information.
We operate from Australia and aim to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1) Data Collection Notice (quick summary)
What we collect
We collect:
- Account information: name, email address, organisation name
- Technical and security information: IP address, browser type, device and log data (for security, auditing, and service reliability)
- Customer content: information entered into the app by users (for example, assessment checks and responses)
Why we collect it
We use this information to:
- provide and secure the service
- create and manage user access (including invitations and SSO login)
- operate the app's core features (including AI-driven features)
- troubleshoot issues and respond to support requests
- maintain records and meet legal obligations
Where it goes
- Hosted in the United States on Google Cloud Platform (GCP)
- We use third parties including:
  - Cloudflare (security and protection)
  - OpenAI (AI processing)
  - Resend (sending service emails)
2) Personal information we collect
A) Information you provide
- Name
- Email address
- Organisation name
- Any content you enter into Thalio (including assessment checks and responses)
B) Information we collect automatically
When you use Thalio, we may collect:
- IP address
- browser and device information
- security and audit logs
- event/activity logs (for example login events, access events, errors)
Note about logs: Our logs may contain user-entered content and may include your name, email address, and organisation name.
C) Support communications
If you contact the Thalio support team, we will receive and store the content of your communication. Support communications may be stored in third-party email systems we use to operate the service.
3) How we use personal information
We use personal information to:
- provide and maintain Thalio
- invite users and enable access via Google or Microsoft Single Sign-On (SSO)
- secure the service (fraud prevention, abuse detection, monitoring, auditing)
- operate AI features (see Section 6)
- communicate service-related information (for example invitations, login-related messages, service notices)
- meet legal and compliance obligations
We do not collect payment details inside Thalio. Payments, if any, are handled separately and covered by your Terms of Service.
4) Customer content and ownership
Users may enter content into Thalio as part of using the service. That content remains the customer's property.
We store customer content in our systems so the app can function and so users can access their data.
5) Disclosure of personal information
We may disclose personal information:
- to our service providers where needed to run Thalio (see Section 7)
- if required or authorised by law (for example court orders, regulatory requests)
- to protect the rights, property, or safety of Thalio, our users, or others
- as part of investigating or responding to security incidents
We do not sell personal information.
6) AI processing (OpenAI)
Thalio includes AI features. To provide these features:
- We send assessment checks and user answers to our AI provider for processing.
- We store the AI output (responses) in our database so it can be viewed later in the app.
We do not intentionally send your name, email address, or organisation name to our AI provider as part of AI requests.
7) Overseas storage and third-party providers
Thalio is operated from Australia, but data is stored and processed overseas.
Hosting (United States)
Thalio is hosted on Google Cloud Platform (GCP) in the United States. This means personal information and customer content may be stored and processed in the US.
Other service providers
We use:
- Cloudflare for security and protection (and potentially caching as part of normal operation)
- OpenAI for AI processing (checks, answers, and AI outputs)
- Resend to send service emails (and related delivery metadata)
These providers may process personal information as part of delivering their services.
8) Cookies
Thalio uses security cookies only (for example, to support sessions and protect the service). We do not currently use analytics cookies.
9) Data retention and deletion
Retention
We retain personal information, logs, and customer content for as long as needed to:
- provide the service
- maintain security and audit records
- comply with legal obligations
- resolve disputes and enforce agreements
Logs may be retained long-term and may contain user-entered content and identifiers (name, email, organisation name).
Deletion after termination
If a customer terminates their contract, we will delete customer content and account data from active systems within approximately one (1) month, except where we need to keep information for legal, audit, or record-keeping purposes.
Backups: Data may remain in backups until it is removed through normal backup rotation cycles.
10) Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
Security measures include (as appropriate):
- access controls and authentication via SSO
- network and application protections (including Cloudflare)
- logging and monitoring for suspicious activity
No method of transmission or storage is completely secure, but we aim to apply sensible safeguards appropriate to the service.
11) Data Breach Response (including notification)
If we become aware of a data breach affecting Thalio:
- we will take steps to contain and investigate it
- we will work with affected customers to reduce risk as far as is reasonable
- we will make best efforts to notify the affected customer's account owner within 24 hours of becoming aware, even if details are still developing
- we will provide updates as we learn more
We will assess our obligations under Australia's Notifiable Data Breaches (NDB) scheme and, where required, notify affected individuals and the Office of the Australian Information Commissioner (OAIC).
12) Access, correction, and complaints (APPs)
You can request access to, or correction of, personal information we hold about you by contacting the Thalio support team.
If you have a complaint about how we handle personal information, contact the Thalio support team and we will respond within a reasonable time. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC).
13) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version online and notify customers of material changes through the contact details associated with their account.