Last updated 21 June 2026
Kapalins Pty Ltd ("Kapālins", "we", "us", "our") is an Australian-owned AI security and governance company. This Privacy Policy explains how we collect, use, disclose and protect personal information. We handle personal information in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where they apply to our activities — the EU and UK General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act 2023 (DPDP Act).
This policy covers personal information we handle as a business: visitors to this website, prospective and current customers, individual contacts at our customers and partners, suppliers, and job applicants. Where we process personal information contained in a customer's data on the customer's behalf in providing our platform, we act as a processor and that processing is governed by our Data Processing Addendum and the customer's own privacy notices, not this policy.
We collect information you choose to give us — such as your name, work email, telephone, company, role, and the content of any enquiry, briefing request or support request you submit. If you become a customer, we collect account and billing administration details. When you use this website we also collect limited technical information such as your IP address, device and browser type, pages viewed, referring page and similar usage data through cookies and standard server logs.
We collect information directly from you (for example when you complete a form or correspond with us), automatically through your use of this website, and in some cases from third parties such as our customers, business partners and publicly available sources where it is reasonable to do so.
We use personal information to respond to your enquiries and arrange briefings; to provide, operate, secure and improve our products, services and website; to administer accounts and billing; to communicate with you about your relationship with us; to detect, prevent and respond to security incidents and misuse; and to meet our legal and regulatory obligations. Where the GDPR applies, we rely on one or more of the following legal bases: your consent, performance of a contract, our legitimate interests (such as running and securing our business), and compliance with a legal obligation. We do not sell your personal information.
The AI Hub on this website processes the text you enter through a third-party model provider (Groq) to generate a response. Please do not enter confidential, sensitive or personal information into the Hub. Generated answers are produced by AI, may be inaccurate or incomplete, and do not constitute professional, legal or security advice.
We use essential cookies to make this website work, and limited analytics to understand how the site is used so we can improve it. You can control or block cookies through your browser settings; some features of the site may not function correctly if you do.
We may disclose personal information to:
We do not sell personal information and we do not disclose it for third-party advertising.
We host our platform and supporting systems primarily on Google Cloud Platform in the Australian (Sydney) region. We also use Firebase (Google) for authentication and hosting, a reputable email-delivery provider for transactional email, and Sentry for error monitoring. Some of these providers may store or process limited data outside Australia. Before disclosing personal information overseas we take reasonable steps to ensure it is handled consistently with the APPs, including through contractual safeguards.
We apply technical and organisational measures appropriate to the risk — including encryption in transit, access controls and least privilege, network segregation and tenant isolation, logging and monitoring, and a documented incident-response process. If a data breach occurs that is likely to result in serious harm, we will assess it and, where required, notify affected individuals and the relevant regulator in accordance with the Notifiable Data Breaches scheme and any other applicable law.
We keep personal information only for as long as it is needed for the purposes described in this policy, or for as long as required to meet legal, accounting, tax or regulatory obligations, after which it is securely deleted or de-identified.
You may request access to, and correction of, the personal information we hold about you. Depending on where you are and which law applies, you may also have rights to erasure, restriction, objection, portability, and to withdraw consent (under the GDPR), and rights of access, correction, grievance redressal and nomination (under the DPDP Act). To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law and may need to verify your identity first.
Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal information from children.
We may update this policy from time to time to reflect changes in our practices or the law. The current version is always published on this page, with the "last updated" date shown above.
For privacy questions, requests or complaints, contact our privacy team at [email protected]. We will acknowledge and investigate any complaint. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or, where applicable, your local data-protection authority.
Kapalins Pty Ltd — Victoria, Australia.