Privacy Policy | KylieBot

1. Introduction

Welcome to KylieBot’s privacy policy (Privacy Policy). KylieBot is an AI-driven platform that helps scientists, technologists, researchers, and entrepreneurs articulate the impact of their work through interview-based narrative creation.

This Privacy Policy explains how STEM Matters Pty Limited (ABN 69 169 537 142) (“we”, “us”, “our”), the operator of KylieBot, collects, uses, discloses, and protects your personal information in accordance with the Australian Privacy Principles (APPs). We use ‘you’ or ‘your’ to mean you and, where the context permits, includes an Authorised User.

By signing up for a KylieBot Account or using KylieBot you agree to the collection, use, and disclosure of your personal information in accordance with this Privacy Policy. We also use ‘point of collection’ click through privacy notices and consents so that we can be certain that you have actively given your consent to our collection and use of your personal information at the time we ask for it. Without your consent to collect personal information in accordance with this Privacy Policy, we will be unable to provide you with the Service.

We will not sell, rent, or trade your personal information to third parties. We do not share your information for marketing purposes or provide it to data brokers.

In this Privacy Policy, capitalised words that aren’t defined in the policy have the meanings set out in our Terms of Service.

2. Information We Collect (APP 3, 5)

2.1 Information you provide to us directly

Account information — first name, last name, email address, organisation name (if applicable) and a password (we encrypt passwords). Additional information may also be collected relating to account administration such as contact information for other persons you authorise on your Account and information we need for billing. Where your Account will include Authorised Users in addition to you, we collect personal information about those users: first name, last name, email address and a password.
Professional profile information — often in the form of biography (each individual’s bio is of course different and you may have multiple versions, but typically it may contain information on your research areas, expertise, and career achievements; there may also be a crossover with information supplied in the interview).
Interview content — via our AI-assisted interview process including transcripts generated from oral interviews, and typically may include professional stories and narratives, research descriptions, impact statements, grant application details, and career accomplishments shared during the AI-assisted interviews.
Voice recordings — audio captured during voice-based interviews. Recordings are processed by VAPI (our voice AI provider) and are not stored on KylieBot servers. VAPI retains recordings for 7 days, after which they are automatically deleted.
Other user-generated or user-originating content — for example when you input edits to KylieBot’s generated reports, provide feedback on narrative drafts, and when you communicate with our support team.

2.2 Information we collect automatically

Technical data — IP address, browser type and version, device type, operating system, and connection quality metrics. In common with many websites, we collect this data to assist us in the basic operation of the KylieBot website and platform. It also allows us to debug / monitor the service and improve it over time.
Usage data — pages visited, features used, interview session durations, report generation requests, credit usage history, login timestamps, and session activity. We collect this data to assist with the security of the website and for personalisation of the service to offer more relevant content.
Consent records — records of when you or an Authorised User indicated your agreement to this policy, including IP address, browser type, and policy version accepted.

3. How We Use Your Information (APP 6)

3.1 Primary purposes

(a) to enable us to provide the KylieBot Service to you and to do this we use personal information to:

Open and administer your Account.
Conduct AI-driven interviews using voice technology and transcribe interview audio.
Generate AI-driven narrative content (for example profile pieces, impact narratives, grant narratives, and funding pitches) based on your interview responses.
Deliver generated reports via email and the platform dashboard.
Provide account access, user authentication, and maintain account security.
Analyse usage patterns to improve platform functionality and fix technical issues.
Communicate with you about your account, interviews, outputs, and service updates.
Maintain compliance records, audit trails, and meet legal obligations.

(b) to provide your personal information inputs to third party AI service providers identified in this Privacy Policy for processing by their AI technology.

3.2 Secondary purposes (with consent)

(a) for internal aggregated analytics to help us improve the Service.

We will not otherwise use your information for secondary purposes (such as marketing).

4. Use of Artificial Intelligence and Third-Party Service Providers (APP 6)

The Service uses artificial intelligence (AI) technologies, including large language models (LLMs), to conduct structured interviews and generate narrative content.

In providing the Service, your personal information — including interview responses, voice recordings, and professional information, may be disclosed to and processed by third-party service providers who assist us in delivering AI functionality, data processing, and related services.

These third-party providers may include providers of AI and machine learning services, cloud infrastructure services, and data processing tools.

We take reasonable steps to ensure that these providers are subject to appropriate privacy and confidentiality obligations.

Our third-party providers may change from time to time as we improve or modify the Service. A current list of key service providers is available upon request.

5. Cross-Border (Overseas) Disclosure (APP 8)

Some of our third-party service providers are located outside Australia. As a result, your personal information may be transferred to, and processed in, countries including (but not limited to) the United States and other jurisdictions in which our providers operate. We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with Australian privacy laws.

Our primary database (Supabase) is hosted in Sydney, Australia (ap-southeast-2). We are committed to maximising Australian data residency where practicable.

6. Data Sharing

We may share your personal information with:

Your organisation — the organisation that arranged your access to KylieBot may have access to interview outputs and narratives generated on their behalf.
Service providers — third-party vendors who assist us in operating the platform (as described in Section 4) and where that disclosure is reasonably necessary for us to provide the Service.
Legal requirements — where we are required to disclose information by law, court order, or governmental authority, or to respond to Notifiable Data Breach requirements (see Section 9).

7. Data Security (APP 11)

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

All data in transit is protected with HTTPS/TLS encryption.
Database encryption at rest (Supabase AWS KMS).
Passwords are hashed with bcrypt.
Role-based access control (user, admin, super_admin) with least-privilege policies.
Administrative actions are logged with timestamps for audit purposes.
Regular security scanning and dependency vulnerability monitoring.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

8. Data Retention (APP 11)

We retain your personal information for the periods outlined below:

Data type	Retention period	Deletion method
Account information	Active account + 30–45 days after deletion request	Permanent deletion
Interview transcripts	Active account + 12–15 months after account closure	Permanent deletion
Generated reports	Active account + 12–15 months after account closure	Permanent deletion
Audio recordings	Not stored by KylieBot; retained by VAPI for 7 days	Automatic purge by VAPI
Audit logs	24 months	Automatic purge
Consent records	Retained indefinitely (compliance audit trail)	Not deleted

After retention periods expire, data is permanently deleted and cannot be recovered.

9. Data Breach Notification

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, we have procedures to detect, assess, and respond to data breaches.

If we determine an eligible data breach has occurred, we will:

Notify the Office of the Australian Information Commissioner (OAIC) within 30 days.
Notify affected individuals as soon as practicable.
Provide a description of the breach, the kind of information involved, and recommended steps to mitigate potential harm.

If you suspect unauthorised access to your account, change your password immediately and contact us at privacy@kyliebot.com.

10. Your Rights (APP 12, 13)

10.1 Access your personal information

You can view your profile information in account settings and access generated reports in the dashboard. You may also email us at privacy@kyliebot.com to request a copy of your personal information; we will respond within 30 days.

10.2 Correct your personal information

You can update profile information directly in account settings. To correct inaccuracies in interview transcripts or other data, contact us and we will respond within 30 days.

10.3 Delete your account and data

You may request account deletion by contacting us at support@kyliebot.com, or via the account settings page. A 30-day grace period applies to allow cancellation. After that, all personal information is permanently deleted except audit logs (retained for 24 months) and financial transaction records (retained for 7 years as required by tax law).

10.4 Withdraw consent

You may withdraw consent in writing for AI processing of interview data or for non-essential email communications. To withdraw consent, contact us at privacy@kyliebot.com. You must not use the Service if you have withdrawn your consent. Because our use of personal information in accordance with this Privacy Policy is required to provide the Service, if you withdraw your consent you also consent to us suspending your access to Service and you acknowledge that under our Terms you may remain liable for payment of your subscription until the end of the subscription period.

11. Anonymity and Pseudonymity (APP 2)

Where practicable, you may interact with us anonymously or using a pseudonym (for example, for initial enquiries or general support questions). However, to provide our core services — interview processing, report generation, and account authentication — we require your real name and a valid email address.

12. Cookies

We use essential cookies to maintain your authenticated session. These cookies are necessary for the platform to function and cannot be disabled. We do not use advertising or tracking cookies.

13. Children’s Privacy

KylieBot is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at privacy@kyliebot.com and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the platform and ask you to review and re-accept the updated policy before continuing to use the Service. Continued use after acceptance of an updated policy constitutes agreement to the revised Privacy Policy.

15. Complaints (APP 1)

If you have a concern about the way we handle your personal information under the Australian Privacy Principles, you may:

Step 1: Contact us — email privacy@kyliebot.com. We will investigate and respond within 30 days.
Step 2: Escalate to the OAIC — if you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, by phone on 1300 363 992, or by email at enquiries@oaic.gov.au.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us at:

STEM MATTERS PTY LTD
ABN 69 169 537 142
Email: privacy@kyliebot.com

Appendix: Australian Privacy Principles Coverage

This Privacy Policy addresses all 13 Australian Privacy Principles:

APP	Principle	Covered in
APP 1	Open and transparent management	Sections 1, 15
APP 2	Anonymity and pseudonymity	Section 11
APP 3	Collection of solicited information	Section 2
APP 4	Dealing with unsolicited information	N/A (no unsolicited collection)
APP 5	Notification of collection	Sections 2, 4
APP 6	Use or disclosure	Sections 3, 4, 6
APP 7	Direct marketing	Section 3 (not used for marketing)
APP 8	Cross-border disclosure	Section 5
APP 9	Government related identifiers	N/A (not collected)
APP 10	Quality of personal information	Sections 2, 10
APP 11	Security of personal information	Sections 7, 8
APP 12	Access to personal information	Section 10
APP 13	Correction of personal information	Section 10