AO
AOservices

Privacy Notice

Last updated: 22 April 2026

1. Who is the data controller

Otis Moras-Young, trading as AOservices, is a sole trader based in Australia and is the data controller for personal information collected through the AOservices website and Service. Contact: hello@aoservices.ai.

2. Personal information we collect

  • Account data: name, email, password (hashed), organisation name.
  • Content you submit: URLs, knowledge documents, AI prompts, conversation history with the agent, and support messages.
  • Usage & telemetry: pages viewed, actions taken, session timestamps, error logs.
  • Device data: IP address, browser type, operating system, device identifiers.
  • Communications: emails, support tickets, demo bookings, contact-form submissions.
  • Billing data: handled by Paddle (see Section 5). We receive limited records such as plan, status, last 4 digits of card, and country.

3. How we use it & legal basis

  • Provide the Service — performance of contract.
  • Authenticate accounts & secure the platform — legitimate interests, legal obligation.
  • Train your AI agent on content you supply — performance of contract.
  • Customer support & ticket forwarding — performance of contract.
  • Improve the product (aggregated/anonymised analytics) — legitimate interests.
  • Send service emails (e.g. delivery confirmations, security alerts) — performance of contract / legitimate interests.
  • Send marketing emails (where allowed) — consent; you can unsubscribe at any time.
  • Comply with law and respond to lawful requests — legal obligation.

We do not use the contents of your uploaded knowledge or end-user conversations to train our own foundation models.

4. AI processing

When you or your end users interact with the AI agent, prompts and relevant context are sent to AI model providers (e.g. Google, OpenAI) via the Lovable AI Gateway to generate a response. Providers process this data under their own terms as our subprocessors and do not train their public models on this content.

5. Who we share data with

  • Paddle.com Market Limited — our Merchant of Record for the sale of subscriptions, payments, billing, tax compliance, invoicing, refunds, and chargeback handling.
  • Hosting & infrastructure — Lovable Cloud (Supabase) for database, authentication, and edge compute.
  • AI model providers — to generate AI responses (see Section 4).
  • Email delivery — Resend, for transactional and support-ticket emails.
  • Professional advisers — legal, accounting, where strictly necessary.
  • Authorities — when required by law, court order, or to protect rights and safety.

We do not sell your personal information.

6. International transfers

Some of our subprocessors are located outside Australia (e.g. in the United States, the European Union, or the United Kingdom). When personal information is transferred overseas we rely on the recipient's compliance with applicable safeguards such as Standard Contractual Clauses, adequacy decisions, or equivalent contractual protections.

7. Retention

We keep personal information only for as long as needed to provide the Service, comply with legal and tax obligations (typically up to 7 years for billing records), resolve disputes, and enforce agreements. Account data and content are deleted or anonymised within a reasonable period after account closure, unless retention is required by law.

8. Your rights

Subject to applicable law (including the Australian Privacy Act 1988 and, where relevant, the GDPR/UK GDPR), you may have the right to:

  • access the personal information we hold about you;
  • request correction of inaccurate information;
  • request deletion or restriction of processing;
  • object to certain processing or withdraw consent;
  • request portability of information you have provided;
  • lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or with your local supervisory authority if in the UK/EEA.

To exercise these rights, email hello@aoservices.ai. We will respond within the period required by law (typically within 30 days).

9. Security

We use appropriate technical and organisational measures to protect personal information, including encryption in transit (HTTPS), hashed passwords, access controls, row-level security on databases, and audit logging. No system is 100% secure; please notify us immediately if you suspect unauthorised access.

10. Cookies

We use strictly necessary cookies for authentication, session management, and security. We may use limited analytics cookies to understand aggregated usage of the Service. You can control cookies through your browser settings; disabling strictly necessary cookies will prevent the Service from functioning.

11. Children

The Service is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

12. Changes to this notice

We may update this Privacy Notice from time to time. The "Last updated" date above shows when it was last revised. Material changes will be communicated by email or in-product notice.