EAGLE888 AI HUMAN — PRIVACY POLICY
Version 2.0 — Effective 1 March 2026

Governing Law: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)

1. About This Policy

Eagle888 Pty Ltd (ACN 624 709 486) ("Eagle888", "we", "us", "our") is an organisation bound by the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth) ("Privacy Act").

This Privacy Policy explains how Eagle888 collects, holds, uses, discloses and otherwise manages personal information in connection with the Eagle888 service ("Service"). It applies to all personal information handled by Eagle888, including personal information of Subscribers, their personnel, and any third parties whose personal information is processed through the Service.

Eagle888 is committed to managing personal information in an open and transparent way and has implemented practices, procedures and systems to ensure compliance with the APPs and to deal with inquiries and complaints about its handling of personal information.

This Policy is available free of charge on the Eagle888 website at www.eagle888.co/privacy. A copy in an alternative format will be provided upon request.

Contact details
Privacy Officer, Eagle888 Pty Ltd
Email: privacy_policy@eagle888.co
Address: 40 Koola Avenue, East Killara NSW 2071, Australia

2. Kinds of Personal Information We Collect and Hold

Depending on how you interact with us, Eagle888 may collect and hold the following kinds of personal information:

Account registration details: name, business email address, telephone number, company name, ABN/ACN, job title.

Payment information: billing name, billing address, payment method details. Full card numbers are processed by our PCI-DSS compliant payment gateway and are not stored by Eagle888.

Onboarding data: corporate documents, brand guidelines, organisational charts, policies, templates and other materials uploaded by the Subscriber to configure the AI Human instance.

Usage data: login timestamps, feature usage metrics, storage consumption, error logs, IP addresses, browser type and device identifiers.

Communication data: correspondence between the AI Human instance and Subscriber personnel, including email content, chat transcripts and task instructions.

Third-party personal information: personal information of the Subscriber’s clients, customers, employees or other individuals contained within documents, data or communications uploaded to or processed by the Service.

Sensitive information
Eagle888 does not intentionally collect sensitive information (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record or biometric data). Where sensitive information is incidentally received because it is included in Subscriber-uploaded content, we treat it with the highest level of protection and only use or disclose it where permitted by law or with the relevant individual’s consent.

3. How We Collect Personal Information

We collect personal information in the following ways:

Directly from you, when you register an account, configure onboarding, communicate with us or otherwise use the Service.

Automatically, when you access the Service or our website, via system logs, analytics, cookies and similar technologies.

From third parties, such as our payment processors (for transaction confirmations and billing status) and, in some cases, our service providers (for example, where they provide information about system status or errors linked to your account).

From Subscriber-uploaded content, which may include personal information of third parties.

We only collect personal information that is reasonably necessary for one or more of our functions or activities. If we receive personal information that we did not solicit, we will determine whether we could lawfully have collected it. If not, we will destroy or de-identify it as soon as practicable, where lawful and reasonable to do so.

4. Anonymity and Pseudonymity

For general enquiries (for example, browsing our website or asking a high-level question), you may choose not to identify yourself or may use a pseudonym.

However, it is not practicable for us to provide the Service (including account registration, billing, onboarding configuration and support) without identifying you or your organisation. For those interactions, we require accurate identifying information.

5. Notification of Collection

When we collect personal information, we take reasonable steps to notify you (or otherwise ensure you are aware) of:

Our identity and contact details

The fact and circumstances of collection

Whether collection is required or authorised by law

The purposes for which we collect the information

The consequences if the information is not provided

The types of entities to which we usually disclose the information

How to access and correct the information and how to complain

Whether we are likely to disclose the information to overseas recipients and, if practicable, the countries involved.

For Subscribers and their personnel, this notification occurs primarily through this Privacy Policy, our Subscription Agreement and onboarding materials. For third parties whose personal information is processed through the Service (for example, our Subscriber’s customers), the Subscriber is responsible for providing appropriate privacy notices.

6. Purposes for Which We Collect, Use and Disclose Personal Information

We collect, hold, use and disclose personal information for the following primary purposes:

To provide, operate and maintain the Service, including provisioning and running AI Human instances

To configure and refine the AI Human based on Subscriber-provided materials

To process payments, manage billing and administer subscriptions

To communicate with you about your account, the Service, updates, incidents and support requests

To monitor, detect and prevent fraud, abuse, security incidents and unauthorised access

To comply with legal and regulatory obligations (for example, taxation, anti-money laundering, law enforcement requests and court orders)

To enforce our agreements, protect our legal rights and manage disputes.

We may also use de-identified and aggregated information to analyse trends, improve the Service, develop new features and generate statistics and insights. De-identified information cannot reasonably be used to identify an individual.

We will not use or disclose personal information for a secondary purpose unless:

You have consented;

You would reasonably expect us to use or disclose the information for that secondary purpose and it is related (or, for sensitive information, directly related) to the primary purpose; or

The use or disclosure is required or authorised by law.

Direct marketing
We do not use personal information for third-party direct marketing. We may send you service-related communications (for example, notices about changes to the Service or this Policy, security alerts and transaction confirmations). You cannot opt out of receiving essential service communications, as they are necessary for the operation of your account.

7. Disclosure of Personal Information

We may disclose personal information to the following categories of recipients:

AI backbone providers (such as OpenAI and Google): to process prompts and generate outputs for the AI Human via API. These providers are contractually restricted from using Subscriber data for their own model training.

Cloud infrastructure providers (such as Amazon Web Services): for hosting, storage and infrastructure services.

Payment processors (such as Stripe): to process payments and manage billing.

Professional advisers (lawyers, accountants, auditors, insurers): to obtain professional advice and manage risk, under confidentiality obligations.

Related entities: where necessary for internal administration, corporate reporting or intra-group services.

Regulators, law enforcement and courts: where required or authorised by or under an Australian law or court/tribunal order.

Potential acquirers: in connection with any merger, acquisition, sale of assets or similar transaction, subject to appropriate confidentiality protections.

We do not sell personal information.

8. Cross-Border Disclosure of Personal Information

We primarily store personal information in Australia (for example, using AWS data centres in the Sydney region).

We are likely to disclose personal information to overseas recipients in the following countries:

United States of America – AI backbone providers (for example, OpenAI, Google) and infrastructure providers (for example, certain AWS services).

Other countries – where our service providers host or process data in data centres outside Australia, as described in their published documentation.

Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

These steps include:

Contractual obligations requiring the overseas recipient to protect personal information to standards comparable to the APPs

Technical and organisational measures (for example, API-based stateless processing, encryption in transit and at rest, and limited retention)

Due diligence on the recipient’s privacy and security practices.

Where required by law, we remain responsible for personal information disclosed to overseas recipients and may be accountable if they mishandle it.

9. Government Identifiers

We do not adopt, use or disclose government-related identifiers (such as Tax File Numbers, Medicare numbers or driver’s licence numbers) as our own identifiers for individuals. Where such identifiers appear in Subscriber-uploaded content, they are treated as personal information in accordance with this Policy.

10. Quality of Personal Information

We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up-to-date, complete and relevant. You can help us by promptly updating your account details if they change and letting us know if any information we hold about you is incorrect or incomplete.

11. Data Security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Measures include:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)

Role-based access control with the principle of least privilege and multi-factor authentication for administrative access

Immutable audit logs of access and key actions

Network security controls, including firewalls and intrusion detection

Annual independent penetration testing and regular internal security reviews

Staff confidentiality obligations and regular privacy and security training

A documented incident response and data breach response plan.

12. Data Retention and Destruction

We retain personal information only for as long as it is needed for the purposes described in this Policy or as required by law.

Active subscriptions: We retain personal information for the duration of the subscription so that we can provide continuity of the Service.

Cancellation during onboarding: If a Subscriber cancels during the 2-month onboarding period, all Subscriber operational data (including onboarding data, AI Human content and configuration data) is permanently destroyed immediately upon cancellation.

Cancellation after onboarding: If a Subscriber cancels after onboarding, we permanently destroy operational data (including AI Human content, communication data and uploaded documents) within 30 days of the effective cancellation date, subject to any legal retention requirements. During that period, the Subscriber may request an export of certain data.

Audit, billing and compliance records: We retain audit logs, billing records and compliance records (which may contain personal information) for up to 7 years, where reasonably necessary to comply with legal obligations (for example, taxation or anti-money-laundering laws) or to establish, exercise or defend legal claims. After this period, records are destroyed or de-identified.

When we no longer need personal information for any purpose permitted by law, and it is no longer required to be retained, we take reasonable steps to destroy it or de-identify it (including instructing our service providers to do the same, where applicable).

13. Access to Personal Information

You may request access to personal information we hold about you by contacting our Privacy Officer at privacy_policy@eagle888.co.

We will respond within a reasonable period (normally within 30 days) and will give you access in the manner you request, where reasonable and practicable.

We may refuse access in certain circumstances permitted by law, for example where:

Providing access would pose a serious threat to the life, health or safety of any individual or to public health or public safety

Providing access would have an unreasonable impact on the privacy of others

The request is frivolous or vexatious

The information relates to existing or anticipated legal proceedings and would not normally be discoverable in those proceedings

Providing access would be unlawful, or would prejudice law enforcement or regulatory functions

Providing access would reveal our commercially sensitive decision-making processes.

If we refuse access, we will provide written reasons and information about how you can lodge a complaint.

14. Correction of Personal Information

If you believe personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you may request correction by contacting our Privacy Officer.

We will respond within a reasonable period (normally within 30 days). If we correct the information, and if you ask us to, we will take reasonable steps to notify any third parties to whom we have previously disclosed that information, where lawful and practicable.

If we refuse to correct your personal information, we will provide written reasons and explain how you can lodge a complaint. You may also request that we associate a statement with the information that you consider it to be inaccurate, out-of-date, incomplete, irrelevant or misleading.

15. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act.

If we experience a data breach that is likely to result in serious harm to one or more individuals, we will:

Promptly undertake an assessment of the suspected breach

Prepare a statement containing the required information (including the nature of the breach, the kinds of information involved and recommended steps for individuals)

Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

We will also take steps to contain, mitigate and remediate any data breach.

16. Complaints and How We Will Handle Them

If you believe we have breached the Privacy Act or the APPs, or have otherwise mishandled your personal information, you may lodge a complaint with our Privacy Officer using the contact details in Section 1.

Please provide:

Your name and contact details

Details of your concern, including any relevant dates

Any documents you wish us to consider.

We will:

Acknowledge receipt of your complaint within 5 business days.

Investigate the matter and respond in writing within 30 days (or inform you if we need more time).

Set out the outcome of our investigation and any steps we will take to resolve your complaint.

If you are not satisfied with our response, you may lodge a complaint with the OAIC:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Mail: GPO Box 5218, Sydney NSW 2001

17. Cookies

Our Subscriber portal uses essential cookies only, including for:

Session management and authentication

Basic security and load balancing

Remembering certain user preferences.

We do not use third-party advertising cookies. To the extent cookie identifiers are personal information, we handle them in accordance with this Policy.

18. Supplementary Obligations for EU/EEA Subscribers (GDPR)

Where the EU General Data Protection Regulation (GDPR) applies to a Subscriber or their end-users, we will act as a data processor and will enter into a Data Processing Agreement (DPA) on request. The DPA will address GDPR-specific requirements (for example, data subject rights, international transfers and processor obligations).

19. Supplementary Obligations for California Residents (CCPA)

We do not sell personal information as that term is defined under the California Consumer Privacy Act (CCPA). California residents who interact with our Service may contact us to exercise rights under the CCPA (such as the right to know and the right to delete), to the extent applicable.

Requests should be sent to privacy_policy@eagle888.co.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or the Service. When we make material changes, we will notify Subscribers by email and/or prominent notice in the Subscriber portal at least 30 days before the changes take effect. The latest version will always be available at www.eagle888.co/privacy.