Effective date: 10 May 2026 · Last updated: 10 May 2026
This policy explains how Cognitive Industries collects, uses, stores, and discloses your personal information. It applies to all our products and services, including ChazzAI, Lucky 100 Board, WebSwarm, Adtomaton, and MatchPoints.
Note: This policy is written to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Privacy and Other Legislation Amendment Act 2024, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). If you have questions, email us at privacy@cognitive-industries.org.
1. Who We Are
Cognitive Industries ("we", "us", "our") is an Australian technology company operating at cognitive-industries.org. We build AI-powered products and research tools.
For the purposes of the Australian Privacy Act 1988 (Cth), Cognitive Industries is the entity responsible for your personal information. For the purposes of the GDPR, we act as a data controller for personal information collected from users in the European Economic Area (EEA).
Name, username, email address, and password (hashed)
Date of birth (where required for age verification)
Profile picture or avatar (if you provide one)
Payment Information
We do not store raw card details. Payments are processed by Stripe, Inc., which stores payment card data under PCI-DSS compliance.
We retain records of transaction amounts, dates, product purchased, and Stripe customer/subscription IDs (encrypted at rest).
Content You Create or Submit
Messages, stories, character descriptions, and creative content you submit via ChazzAI or other products
Bug reports and vulnerability descriptions submitted via the bounty program
Contact form messages
AI Interaction Data
Prompts and inputs you provide to AI models within our products
AI-generated outputs associated with your account
Persona preferences and model selections
Usage and Technical Data
IP address, browser type, device type, and operating system
Pages visited, features used, session duration, and click patterns
Crash logs and error reports
Anonymised hashed IP identifiers (used to detect abuse — not linked to your identity)
Communications
Emails you send us, including support requests
Responses to surveys or feedback forms
Sensitive Information: Some of our products (particularly ChazzAI) may incidentally involve sensitive information as defined under the Privacy Act (e.g., content relating to health, sexuality, or beliefs). We do not deliberately solicit sensitive information and we apply higher protections to any such data we hold, consistent with APP 3 and Article 9 GDPR.
3. How We Collect Your Information
Directly from you — when you create an account, make a purchase, use our products, or contact us
Automatically — through Firebase Analytics, server logs, and cookies/local storage as you use our services
From third parties — authentication providers (e.g., Google Sign-In if used), payment processors (Stripe), and age verification services
4. How We Use Your Information
Providing and operating our products and services
Processing payments and managing subscriptions or credit balances
Personalising your experience (e.g., remembered preferences, AI character memory)
Communicating with you about your account, transactions, or support requests
Sending product updates and announcements (you can opt out at any time)
Detecting and preventing fraud, abuse, and security threats
Complying with our legal obligations, including obligations under the Online Safety Act 2021 (Cth)
Improving and developing our products through aggregated, de-identified analytics
Verifying age where required by law or our terms
Disclosing information as required or permitted by law
We do not sell your personal information to third parties.
5. Legal Bases for Processing (GDPR)
If you are located in the EEA, Switzerland, or the UK, we rely on the following legal bases under Article 6 GDPR:
Contract — processing necessary to provide the services you've signed up for (account management, service delivery, payments)
Legitimate interests — security monitoring, fraud prevention, product analytics, and improving our services, where these interests are not overridden by your rights
Legal obligation — compliance with applicable laws, including online safety obligations and financial regulations
Consent — where we ask for your explicit consent (e.g., marketing emails, certain cookies). You may withdraw consent at any time.
Where we process special category data (Article 9), we rely on your explicit consent or, where applicable, substantial public interest grounds.
6. Who We Share Your Information With
We share personal information only where necessary:
Service Providers (Processors)
Google / Firebase — cloud hosting, database (Firestore), authentication, and analytics. Servers may be located in the United States or other Google Cloud regions. Governed by Google's Data Processing Addendum and, for EU transfers, Standard Contractual Clauses.
Stripe, Inc. — payment processing. Stripe is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.
Venice AI — AI model inference used in Adtomaton (image, video, and text generation). Input prompts may be transmitted to Venice AI's API.
ElevenLabs — voice synthesis used in Adtomaton. Audio prompts are transmitted to ElevenLabs' API.
Adsterra — advertising network used on ChazzAI. Subject to Adsterra's own privacy policy and cookie practices.
Legal and Safety Disclosures
We may disclose your information to law enforcement, regulators, or other parties where we are required to do so by law, court order, or where we reasonably believe disclosure is necessary to protect the safety of any person or to prevent fraud or illegal activity.
Business Transfers
If Cognitive Industries is acquired, merged, or sells substantially all its assets, your information may be transferred to the acquiring entity. We will notify you via email or a prominent notice on our website before such a transfer occurs, and you will have the opportunity to object.
We do not sell, rent, or trade your personal information.
7. International Data Transfers
Cognitive Industries is based in Australia. When we transfer personal information outside Australia, we comply with APP 8 of the Australian Privacy Principles and take reasonable steps to ensure the overseas recipient handles the information in a manner consistent with the APPs.
For transfers of personal information of EEA residents outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards. Australia does not currently hold an EU adequacy decision.
Our primary third-party processors (Google Firebase, Stripe) operate under their own SCCs and data processing agreements. Copies are available on request.
EU Representative: Cognitive Industries does not yet have a formally appointed EU representative under Article 27 GDPR. If you are an EEA resident and wish to raise a data protection matter, please contact us directly at privacy@cognitive-industries.org. We are taking steps to appoint an EU representative and will update this policy when that appointment is made.
8. Data Retention
We retain personal information for as long as is necessary to provide our services, meet legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
Account data — retained while your account is active and for up to 7 years after closure (to meet Australian tax and financial record-keeping obligations)
Payment records — retained for 7 years in accordance with the Corporations Act 2001 (Cth) and tax law
Content and AI interaction data — retained while your account is active; deleted within 90 days of account deletion where technically feasible
Usage and analytics data — de-identified after 24 months
Support communications — retained for 3 years
You may request deletion of your account and associated personal information at any time (see Section 9). Some data may be retained beyond deletion where required by law.
9. Your Rights
Australian Residents (Privacy Act / APPs)
Access (APP 12) — You have the right to request access to the personal information we hold about you.
Correction (APP 13) — You have the right to request correction of inaccurate or out-of-date personal information.
Complaints — You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs (see Section 16).
EEA, Switzerland, and UK Residents (GDPR / UK GDPR)
Right of access — request a copy of the personal information we hold about you
Right to rectification — request correction of inaccurate personal information
Right to erasure — request deletion of your personal information in certain circumstances ("right to be forgotten")
Right to restriction of processing — request that we limit how we use your information in certain circumstances
Right to data portability — receive your personal information in a structured, commonly used, machine-readable format
Right to object — object to processing based on legitimate interests, including direct marketing
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
Right to lodge a complaint — with your local data protection authority (e.g., the UK ICO, or your EU member state's supervisory authority)
California Residents (CCPA / CPRA)
Right to know — what personal information we collect, use, disclose, or sell
Right to delete — request deletion of your personal information, subject to certain exceptions
Right to correct — request correction of inaccurate personal information
Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising
Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise any of these rights, email us at privacy@cognitive-industries.org. We will respond within 30 days (or 45 days for GDPR requests where an extension is reasonably required, with notice). We may need to verify your identity before processing requests.
10. Children's Privacy
Our services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at privacy@cognitive-industries.org and we will delete it promptly.
ChazzAI: The general platform requires users to be at least 13 years of age. Access to adult or explicit content within ChazzAI requires users to be 18 years or older. We implement age assurance measures consistent with the Australian Online Safety Act 2021 (Cth) and the Online Safety (Mandatory Age Assurance for Social Media Services) Act 2024. From 9 March 2026, we are subject to applicable Online Safety Codes relating to age assurance for restricted content.
Users under the applicable minimum age must not create accounts or use our services. If we discover an underage account, we will terminate it and delete associated data.
11. Cookies and Tracking
We and our third-party service providers use cookies, local storage, and similar technologies for the following purposes:
Strictly necessary — authentication tokens, session management, and security (cannot be disabled)
Functional — remembering your preferences and settings
Analytics — Firebase Analytics to understand how users interact with our products (can be disabled)
Advertising — Adsterra advertising cookies on ChazzAI (subject to your consent where required by applicable law)
You may manage cookie preferences through your browser settings. Blocking certain cookies may affect functionality. Where required by law (e.g., for EEA users), we obtain your consent before placing non-essential cookies.
12. Automated Decision-Making
We may use automated processes in our services, including:
Content moderation systems to detect violations of our Acceptable Use Policy
Fraud and abuse detection algorithms
Age verification systems
In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth), where we make a decision that significantly affects you using solely automated means, we will disclose this to you and, where legally required from December 2026 onwards, provide you with information about the logic involved and the right to seek human review of that decision.
Under GDPR Article 22, EEA residents have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except where necessary for a contract, authorised by law, or based on explicit consent. To request human review of an automated decision, contact us at privacy@cognitive-industries.org.
13. Security
We implement reasonable technical and organisational security measures to protect your personal information, including:
AES-256-GCM field-level encryption for sensitive stored data (including emails, payment identifiers, and personal content)
TLS encryption in transit for all communications
Firebase Security Rules to restrict data access at the database level
Role-based access controls for internal systems
A public bug bounty program (see our Bounty Board) that rewards researchers for responsibly disclosing vulnerabilities
No security measure is perfect. In the event of a data breach that is likely to result in serious harm to you, we will notify you and the relevant regulator (the OAIC and, where applicable, EU supervisory authorities within 72 hours) as required by law.
14. Statutory Privacy Tort (Australia)
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort for serious invasions of privacy, which commenced on 11 June 2025. This provides individuals in Australia with a right to bring a civil action for serious invasions of privacy. Cognitive Industries takes this obligation seriously. If you believe we have seriously invaded your privacy, you may:
Contact us directly to resolve the matter
Lodge a complaint with the OAIC
Pursue civil action under the statutory tort if applicable
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
Posting the updated policy on this page with a new effective date
Sending an email notification to registered users for significant changes
Displaying a prominent notice on our products where changes materially affect you
Your continued use of our services after a policy update constitutes acceptance of the updated policy. Where required by law, we will seek your express consent for material changes.
16. Contact and Complaints
For any privacy-related questions, requests, or concerns:
If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
EEA residents may lodge a complaint with their local data protection supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
Disclaimer: This Privacy Policy has been prepared in good faith to comply with applicable Australian and international privacy laws. It does not constitute legal advice. Cognitive Industries recommends that users with specific legal concerns seek independent legal advice.