Privacy Policy
Last updated: 5 December 2025
1. Introduction
Militant.AI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services.
This policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). While we primarily operate under Australian privacy law, we acknowledge that our services are accessible globally and we respect the privacy rights of all users regardless of their location.
By using our services, you consent to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.
Anonymity and Pseudonymity (APP 2): Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym. However, some services require identification (such as account creation, payment processing, or newsletter subscriptions) and cannot be provided anonymously.
Privacy Collection Notice (APP 5)
When we collect your personal information, we will inform you about:
- Why we collect it: We collect personal information to provide, maintain, and improve our services, process transactions, communicate with you, and comply with legal obligations
- Legal basis: We collect personal information with your consent, to perform our contract with you, to comply with legal obligations, or for our legitimate business interests
- Consequences if not provided: If you choose not to provide certain personal information, we may not be able to provide you with some or all of our services
- Who we may disclose it to: We may disclose your personal information to third-party service providers (as detailed in Section 4), legal authorities when required by law, or with your consent
- How to access and correct: You can access and correct your personal information by contacting us using the details in Section 13 (Contact Us), or through your account settings where available
2. Information We Collect
We collect information that you provide directly to us, as well as information that is automatically collected when you use our services. The types of information we collect include:
2.1 Account Information
When you create an account, we collect authentication information through our authentication provider, including your email address, name, and any other information you choose to provide during registration.
2.2 Payment Information
When you make a purchase or subscribe to our services, our payment processor collects billing information including payment card details, billing address, and transaction history. We do not store full payment card numbers on our servers. Subscription status and billing history are stored in our database.
2.3 Survey Data
When you complete our business survey, we collect information including your preferred name, organisation name, email address, website, country of origin, role, industry, team size, experience with AI, familiar products, reasons for interest, implementation interests, problems you're facing, content locations, current usage, concerns, constraints, budget, timing, and any additional information you choose to provide.
2.4 File Uploads
When you upload files through our service, we collect metadata about those files including the filename, file size, file type (MIME type), upload timestamp, and a reference to the stored file location.
2.5 Newsletter Subscriptions
When you subscribe to our newsletter, we collect your email address and subscription status (pending, subscribed, unsubscribed, bounced, or complained).
2.6 Usage Data
We automatically collect information about how you interact with our services, including page views, features used, and interactions with our interface. This data is collected through our analytics provider and is used to improve our services.
2.7 Error and Performance Data
Our analytics and error monitoring provider collects information about errors, exceptions, and performance issues that occur while you use our services. This may include technical details about your device, browser, and the circumstances of the error.
2.8 Technical Data
We collect technical information including your IP address, browser type and version, device information, operating system, and other technical identifiers. Our bot protection provider uses this information to prevent abuse and ensure service security.
2.9 Sensitive Information
Under the Australian Privacy Act, "sensitive information" includes information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, or health information.
We generally do not collect sensitive information. If we do collect sensitive information, we will only use it for the purpose for which it was provided, unless you consent to other uses, or as required or permitted by law. We will take reasonable steps to ensure that sensitive information is protected against misuse, interference, loss, unauthorised access, modification, or disclosure.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our services
- To process transactions and manage your subscriptions
- To communicate with you about your account, transactions, and service updates
- To send you newsletters and marketing communications (where you have consented)
- To respond to your inquiries and provide customer support
- To analyse usage patterns and improve user experience
- To monitor and prevent errors, fraud, and abuse
- To comply with legal obligations and enforce our terms of service
- To protect our rights, property, and safety, and that of our users
4. Third-Party Services
4.1 Introduction
To provide and improve our services, we engage with various third-party service providers who help us operate our platform, process payments, store data, and analyse usage patterns. These providers are essential for delivering the services you use and expect from Militant.AI.
All third-party service providers we work with are contractually obligated to protect your personal information and use it only for the specific purposes we authorise. They are required to comply with applicable privacy laws, including the Australian Privacy Act, and implement appropriate security measures to safeguard your data.
We carefully select our service providers based on their commitment to data protection and security. We regularly review their privacy practices and security measures to ensure they continue to meet our standards and comply with applicable laws.
4.2 Data Sharing Practices
We share your personal information with third-party service providers only when necessary to provide our services and only to the extent required for their specific functions. Our data sharing practices are governed by the following principles:
- Purpose Limitation: We only share data that is necessary for the provider to perform their specific service function
- Contractual Safeguards: All providers are bound by contractual agreements that require them to protect your information and use it only for authorised purposes
- No Unauthorised Use: Providers are prohibited from using your personal information for their own purposes or sharing it with other parties without our authorisation
- Security Requirements: Providers must implement appropriate technical and organisational security measures to protect your data
- Compliance Obligations: Providers must comply with applicable privacy laws, including the Australian Privacy Act
We do not sell your personal information to third parties. We do not share your personal information with third parties for their marketing purposes without your explicit consent.
4.3 Service Providers
Below are the categories of third-party service providers we use, along with details about what data is shared, why it is shared, and how it is protected:
4.3.1 Authentication Provider - Clerk (Clerk Inc.)
Provider: Clerk (Clerk Inc.). You can view Clerk's privacy policy at https://clerk.com/privacy.
What data is shared: Email address, name, account identifiers, authentication credentials (hashed for email/password accounts), and account metadata. All authentication is handled through Clerk. If you choose to sign in using Google, Clerk processes the OAuth flow with Google on your behalf, which may include your Google account email address and profile information.
Purpose: We use Clerk to manage user accounts, handle authentication and authorisation, and maintain account security. Clerk processes all authentication requests, including email/password accounts and Google sign-in (OAuth). All authentication methods are funnelled through Clerk, which securely manages your login credentials and account information.
Safeguards: Clerk uses industry-standard encryption and security measures. For email/password accounts, authentication credentials are hashed and never stored in plain text. For Google sign-in, Clerk handles the OAuth flow securely with Google. Clerk is contractually bound to protect your information and comply with applicable privacy laws. When you use Google sign-in, the OAuth process is also subject to Google's privacy policy and terms of service.
4.3.2 Payment Processor - Stripe (Stripe Inc.)
Provider: Stripe (Stripe Inc.). You can view Stripe's privacy policy at https://stripe.com/privacy.
What data is shared: Payment card details (card number, expiry date, CVV), billing address, transaction amounts, and transaction history.
Purpose: We use Stripe to handle all payment transactions. Stripe processes payment card information securely and manages subscription billing.
Safeguards: Stripe processes payment card information in compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements. We do not store full payment card numbers on our servers. All payment data is encrypted in transit and at rest. Stripe is certified for PCI DSS compliance and is contractually obligated to protect your payment information.
4.3.3 Database Provider - Convex (Convex Inc.)
Provider: Convex (Convex Inc.).
What data is shared: All personal information you provide to us, including account data, survey responses, file metadata, subscription information, and other data stored in our database.
Purpose: We use Convex to store and manage your data. Convex hosts our database infrastructure and ensures data availability, security, and backup capabilities.
Safeguards: Convex implements comprehensive security measures including encryption at rest and in transit, access controls, regular security audits, and data backup systems. Convex is contractually bound to protect your data and comply with applicable privacy and data protection laws.
4.3.4 File Storage Provider - UploadThing (T3 Tools, Inc.)
Provider: UploadThing (T3 Tools, Inc.). You can view UploadThing's privacy policy at https://uploadthing.com/info/privacy-policy.
What data is shared: Files you upload, file metadata (filename, size, type, upload timestamp), and file access information.
Purpose: We use UploadThing to host and deliver files you upload through our services. UploadThing stores your files securely and provides access through signed URLs when appropriate.
Safeguards: Files are encrypted at rest and in transit. Access to files is controlled through signed URLs with time-limited access. UploadThing implements access controls and security measures to protect your files. UploadThing is contractually obligated to protect your data and not access your files except as necessary to provide the service. UploadThing does not use your personal information to train AI models.
Sub-processors: UploadThing uses the following sub-processors to provide its services: Cloudflare (CDN and security), Amazon Web Services (AWS) (hosting), Vercel (hosting and CDN), PlanetScale (database), Stripe (payment processing), and Clerk (authentication). These sub-processors are bound by contractual obligations to protect your data.
4.3.5 Analytics and Error Monitoring Provider - PostHog (PostHog Inc.)
Provider: PostHog (PostHog Inc.).
What data is shared: Usage data including page views, features used, interactions with our interface, device information, browser type, IP address (anonymised where possible), and technical information about errors and performance issues including error messages, stack traces, and performance metrics.
Purpose: We use PostHog to understand how users interact with our services, track and diagnose errors, and monitor performance. This helps us improve user experience, identify issues, fix bugs, and make informed decisions about service enhancements. Analytics and error monitoring requests are proxied through our domain (via the `/_ph` path) to avoid being blocked by privacy tools.
Safeguards: PostHog is contractually bound to protect your information and use it only for analytics and error monitoring purposes. We configure PostHog to minimise data collection, anonymise data where possible, and exclude sensitive personal information from error reports. PostHog does not use your data for advertising purposes. You can opt out of analytics tracking through your browser settings or by using privacy tools.
4.3.6 Bot Protection Provider - Vercel BotID (Vercel Inc.)
Provider: Vercel BotID (Vercel Inc.). You can view Vercel's privacy policy at https://vercel.com/legal/privacy-policy.
What data is shared: IP address, browser fingerprint, device information, request metadata, and behavioural patterns.
Purpose: We use Vercel BotID to prevent abuse, fraud, and automated attacks. Vercel BotID analyses requests to identify and block malicious activity, protecting both our services and legitimate users.
Safeguards: Vercel BotID is contractually bound to protect your information and use it only for security and fraud prevention purposes. Vercel implements security measures to protect the data it collects and does not use it for advertising or other purposes.
4.3.7 Hosting and CDN Provider - Vercel (Vercel Inc.)
Provider: Vercel (Vercel Inc.). You can view Vercel's privacy policy at https://vercel.com/legal/privacy-policy.
What data is shared: All data transmitted through our website and services, including personal information, is processed through Vercel's hosting and content delivery network (CDN) infrastructure.
Purpose: We use Vercel to host our website and services and to deliver content through their global CDN. Vercel provides the infrastructure that enables our services to operate and be accessible to users worldwide.
Safeguards: Vercel implements comprehensive security measures including encryption in transit, DDoS protection, and secure infrastructure. Vercel is contractually bound to protect your data and comply with applicable privacy and data protection laws.
4.4 User Control and Opt-Out Options
You have control over how your data is shared with third-party service providers in certain circumstances:
- Direct Marketing (APP 7): You can opt out of receiving marketing communications from us at any time by using the unsubscribe link in our emails or by contacting us directly. We will not use or disclose your personal information for direct marketing purposes without your consent, except where permitted by law.
- Analytics: You can opt out of analytics tracking by adjusting your browser settings to block cookies or by using privacy tools. However, some analytics data may still be collected for essential service functionality. For more information about cookies and tracking, see Section 5 (Cookies and Tracking Technologies).
- Essential Services: Some third-party services are essential for our services to function (such as authentication, payment processing, and database storage). These services cannot be opted out of if you wish to use our services.
- Account Deletion: You can request deletion of your account at any time, which will result in the deletion of your data from our systems and, where applicable, from third-party service providers (subject to their data retention policies and our legal obligations).
If you have concerns about data sharing with specific third-party service providers, please contact us using the contact information provided at the end of this policy. We will work with you to address your concerns where possible.
4.5 International Data Transfers
Some of our third-party service providers may be located outside Australia or may process your data in countries other than Australia. When we transfer your personal information to these providers, we take appropriate steps to ensure that your information receives an adequate level of protection.
This includes using service providers that are subject to appropriate data protection obligations, implementing contractual safeguards where required, and ensuring compliance with applicable privacy laws. For more detailed information about international data transfers and the safeguards we have in place, see Section 9 (International Data Transfers).
4.6 Compliance and Safeguards
All third-party service providers we engage with are required to comply with applicable privacy laws, including the Australian Privacy Act. We ensure compliance through:
- Contractual Obligations: All providers are bound by contractual agreements that require them to protect your personal information, use it only for authorised purposes, and comply with applicable privacy laws
- Security Requirements: Providers must implement appropriate technical and organisational security measures to protect your data against unauthorised access, alteration, disclosure, or destruction
- Data Minimisation: We only share the minimum amount of data necessary for each provider to perform their specific service function
- Regular Reviews: We regularly review our third-party service providers to ensure they continue to meet our standards and comply with applicable laws
- Incident Response: Providers are required to notify us of any data breaches or security incidents that may affect your personal information
If a third-party service provider fails to meet our standards or comply with applicable laws, we will take appropriate action, which may include terminating our relationship with that provider and, where necessary, finding an alternative provider.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL protocols
- Encryption of sensitive data at rest
- Access controls and authentication requirements
- Regular security assessments and updates
- Secure third-party integrations with industry-standard security practices
- Row-level access controls to ensure users can only access their own data
- Physical security measures for any physical infrastructure we control
- Staff training on privacy and security best practices
- Regular security audits and vulnerability assessments
- Incident response procedures to detect, respond to, and recover from security incidents
- Data backup and recovery procedures to ensure business continuity
6.1 Staff Training and Awareness
We provide regular training to our staff on privacy and security best practices, including their obligations under the Australian Privacy Act and how to handle personal information securely. All staff are required to comply with our privacy and security policies.
6.2 Incident Response
We have procedures in place to detect, respond to, and recover from security incidents. In the event of a security incident that may affect your personal information, we will assess the incident, take steps to contain and remediate it, and notify affected individuals and relevant authorities as required by law (see Section 12 - Data Breach Notification).
Despite our efforts, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.
7. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law:
- Account Data: Retained while your account is active and for a reasonable period after account closure for legal and business purposes
- Payment Records: Retained as required by law (typically 7 years for tax and accounting purposes)
- Survey Data: Retained for business purposes to improve our services and understand user needs
- File Uploads: Retained according to your preferences and until you delete them or close your account
- Newsletter Subscriptions: Retained until you unsubscribe or we determine the email is no longer valid
When you close your account, we will delete or anonymise your personal information within a reasonable timeframe, except where we are required to retain it by law or for legitimate business purposes.
7.1 Data Disposal Procedures
When personal information is no longer needed for the purposes outlined in this policy, we will securely dispose of it in accordance with the Australian Privacy Principles (APP 11). Our data disposal procedures include:
- Electronic Data: Secure deletion using methods that make the data unrecoverable, including overwriting storage media and permanent deletion from all systems and backups
- Anonymisation: Where deletion is not immediately possible, we may anonymise data by removing all identifying information so that it can no longer be associated with an individual
- Physical Records: Secure destruction through shredding or other methods that ensure the information cannot be reconstructed
- Third-Party Providers: We require all third-party service providers to securely dispose of personal information in accordance with their contractual obligations and applicable privacy laws
- Timeframes: Data disposal occurs within 30 days after the retention period expires, unless a longer period is required by law or for legitimate business purposes
We maintain records of data disposal activities to demonstrate compliance with our obligations under the Australian Privacy Act.
8. Your Rights
Under the Australian Privacy Act and other applicable privacy laws, you have the following rights regarding your personal information:
8.1 Access
You have the right to request access to the personal information we hold about you. We will provide you with a copy of your personal information within a reasonable timeframe, subject to verification of your identity.
8.2 Correction
You have the right to request correction of any inaccurate, incomplete, or out-of-date personal information we hold about you. We will take reasonable steps to correct the information promptly.
8.3 Deletion
You have the right to request deletion of your personal information, subject to our legal obligations to retain certain information (such as payment records for tax purposes).
8.4 Data Portability
You have the right to request a copy of your personal information in a structured, machine-readable format that you can transfer to another service provider.
8.5 Opt-Out
You can opt out of receiving marketing communications from us at any time by using the unsubscribe link in our emails or by contacting us directly. You can also opt out of certain analytics tracking through your browser settings. For more information about opting out of direct marketing, see Section 4.4 (User Control and Opt-Out Options).
8.6 Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you have the right to lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC).
Internal Complaint Procedure: We encourage you to contact us first to attempt to resolve any privacy concerns. To lodge a complaint with us, please:
- Contact us using the contact information provided in Section 13 (Contact Us), clearly marking your communication as a privacy complaint
- Provide details of your complaint, including what happened, when it occurred, and how you believe your privacy has been affected
- Include any relevant documentation or evidence to support your complaint
We will acknowledge your complaint within 7 days and respond within 30 days. If we need more time to investigate, we will inform you of the delay and provide an estimated timeframe for resolution.
Escalation to OAIC: If you are not satisfied with our response, or if you prefer not to contact us directly, you may lodge a complaint with the OAIC. The OAIC can investigate your complaint and may make a determination. You can contact the OAIC at:
- Website: https://www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Post: GPO Box 5218, Sydney NSW 2001
Privacy Officer: For privacy-related inquiries or complaints, please contact our Privacy Officer at legal@militant.ai.
9. International Data Transfers
Your personal information may be transferred to, stored, and processed in countries other than Australia, including countries that may not have the same data protection laws as Australia. Our third-party service providers operate globally and may process your data in various jurisdictions.
In accordance with Australian Privacy Principle 8 (APP 8), when we transfer your personal information internationally, we take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles. This includes:
- Using service providers that are subject to appropriate data protection obligations under their local laws or international agreements
- Implementing contractual safeguards that require overseas recipients to comply with the Australian Privacy Principles or equivalent standards
- Ensuring compliance with applicable privacy laws, including the Australian Privacy Act 1988
- Regularly reviewing our third-party service providers to ensure they continue to meet our standards
9.1 Countries Where Data is Processed
Our third-party service providers may process your personal information in the following countries:
- United States: Clerk, Stripe, Convex, UploadThing, PostHog, and Vercel operate primarily in the United States
- European Union: Some providers may process data in EU member states, which have strong data protection laws under the GDPR
- Other jurisdictions: Some providers may use global infrastructure that processes data in various countries to ensure service availability and performance
For specific information about where each provider processes data, please refer to their respective privacy policies listed in Section 4.3 (Service Providers).
By using our services, you consent to the transfer of your personal information to countries outside Australia for the purposes described in this policy. We will continue to take reasonable steps to ensure that your information receives an adequate level of protection in accordance with the Australian Privacy Principles.
10. Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately so we can delete the information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of any material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending you an email notification if the changes are significant
- Displaying a notice on our website for a reasonable period
Your continued use of our services after any changes to this policy constitutes your acceptance of the updated policy. We encourage you to review this policy periodically to stay informed about how we protect your information.
12. Data Breach Notification
In accordance with the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988, we have procedures in place to identify, assess, and respond to data breaches.
If we become aware of a data breach that is likely to result in serious harm to any individuals whose personal information is involved, we will:
- Assess the breach and determine whether it is an eligible data breach under the Privacy Act
- Notify affected individuals as soon as practicable, and in any case within 30 days of becoming aware of the breach
- Notify the Office of the Australian Information Commissioner (OAIC) as required by law
- Take steps to contain the breach and prevent further unauthorised access or disclosure
- Provide information about the breach, including what information was involved and what steps we are taking to address it
An "eligible data breach" occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information, and a reasonable person would conclude that the breach would be likely to result in serious harm to any of the individuals to whom the information relates.
If you believe your personal information has been subject to a data breach, please contact us immediately using the contact information provided in Section 13 (Contact Us).
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
Business Name: Militant.AI
ABN: 17 861 145 488
Postal Address:
PO Box 983
Gold Coast QLD 4211
Australia
Privacy Contact Email: legal@militant.ai
We will respond to your inquiry within 30 days and in accordance with applicable privacy laws, including the Australian Privacy Act 1988.