Privacy Policy

Last updated: 5 May 2026

This Privacy Policy explains how PUM AI PTY LTD (ABN 43697367963), trading as PumAI ("we", "us", "our"), collects, uses, stores and discloses personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

PUM AI PTY LTD is an Australian proprietary company (ABN 43697367963) operating the PumAI platform — AI-powered conversational agents for Webchat, WhatsApp, Instagram Direct and Facebook Messenger. We are the data controller for the personal information described in this policy. For privacy matters contact privacy@pumai.com.au.

2. Information we collect

  • Account data: name, email, password (hashed), business name, industry, phone.
  • Billing data: collected and stored by Stripe (we do not store card details).
  • Conversation data: messages exchanged between customers and AI agents, including attachments.
  • Usage data: dashboard access logs, feature usage, error logs.
  • Integration data: tokens and identifiers supplied by Meta (Page IDs, access tokens) and Whapi (WhatsApp session).
  • Technical data: IP address, browser type, device identifiers.

3. How we collect it

  • Directly from you when you register, configure channels or update your account.
  • From third parties when you connect integrations (Meta, Whapi, Google OAuth).
  • Automatically when you use the service (cookies, logs, analytics).

4. Why we collect it (purposes)

  • Provide, maintain and improve the service.
  • Process payments and manage subscriptions.
  • Generate AI responses to messages.
  • Send service-related notifications.
  • Comply with legal obligations.

5. Who we share it with

We share limited information with the following sub-processors, only as necessary to operate the service:

  • Google LLC — Google Cloud Platform (Singapore region) — application hosting (Cloud Run), database (Cloud SQL for PostgreSQL), Redis, secret storage. Google Cloud DPA applies.
  • OpenAI Ireland Ltd (United States / Ireland) — processes conversation text to generate AI responses. We use the API with zero data retention; OpenAI does not train its models on customer data.
  • Stripe Payments Australia Pty Ltd (Australia / United States / Ireland) — processes payments and manages subscriptions. We do not store card details.
  • Meta Platforms Inc. (United States) — provides the Facebook Messenger and Instagram APIs we use on your behalf when you connect those channels.
  • Whapi (Israel / United States) — WhatsApp Business integration (third-party service).
  • Redis Ltd — Redis Cloud (Singapore / United States) — short-lived OAuth state, rate limiting, webhook deduplication.

We do not sell your personal information to third parties. We do not use it for advertising. The full and current list of sub-processors is available on request from privacy@pumai.com.au.

6. Cross-border disclosure (APP 8)

Some of our processors operate outside Australia. By using PumAI you acknowledge that your personal information (including the content of conversations) may be transferred to and processed in the United States, Ireland, Israel and other jurisdictions where our providers operate. These transfers are governed by the data protection agreements we maintain with each provider.

7. How we secure it (APP 11)

  • Passwords hashed with bcrypt.
  • Data transmitted over HTTPS / TLS in production.
  • Access to production systems restricted to authorised personnel.
  • Regular backups with retention.
  • Encryption at rest for sensitive credentials.

8. How long we keep it

  • Account data: while your account is active, then up to 12 months after deletion for legal purposes.
  • Conversation data: up to 24 months unless deleted earlier by you.
  • Billing records: 7 years, as required by Australian tax law.
  • Logs: 12 months.

9. Your rights (APP 12, APP 13)

  • Access: request a copy of your personal information.
  • Correction: correct inaccurate or outdated information.
  • Deletion: request deletion of your account and associated data.
  • Portability: request export of your data in a machine-readable format.
  • Complaint: lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC).

Requests can be made via privacy@pumai.com.au.

10. AI-generated content

Conversations with PumAI are handled by artificial intelligence. Responses may contain errors and should not be relied upon for professional, legal, medical or financial advice. You can request human takeover of any conversation at any time.

11. Meta Platform Data — Facebook Messenger and Instagram

When you connect your Facebook Page or Instagram Business account to PumAI through Facebook Login, we receive Meta Platform Data on your behalf. This includes:

  • The IDs of the Facebook Pages you administer (via the pages_show_list permission).
  • A Page Access Token for the Page you select (used to post webhook subscriptions and send replies).
  • The IDs and usernames of Instagram Business accounts linked to those Pages (via instagram_basic).
  • The content of inbound messages received on the connected Page or Instagram account, plus the Page-Scoped User ID (PSID) or Instagram-Scoped User ID (IGSID) of the customer who sent the message, the message timestamp, and attachments referenced by URL.
  • The basic profile fields of customers who have messaged the Page (first name, last name, profile picture URL), retrieved on demand to display a human-readable name in your inbox (pages_read_engagement).

How we use Meta Platform Data:

  • We process inbound messages through our AI agent so that an automated reply can be sent within the standard 24-hour messaging window using pages_messaging or instagram_manage_messages.
  • We persist messages and contact records so that you, the business owner, can review conversations and take over manually from the dashboard.
  • We never use Meta Platform Data for advertising, marketing to third parties, model training, profiling, or re-identification of de-identified data.
  • Page Access Tokens are encrypted application-side with AES-256-GCM before being written to the database. The plaintext token never leaves the server boundary.

How long we keep Meta Platform Data: while your channel is connected and for the standard retention windows in section 8. You may delete Meta Platform Data at any time by disconnecting the channel from your dashboard, by emailing privacy@pumai.com.au, or by following the user-initiated deletion flow at pumai.com.au/data-deletion. Meta's automated data deletion callback is implemented at https://pumai.com.au/api/meta/deletion-callback and processes signed deletion requests from Meta within 30 days.

Our use of Meta Platform Data complies with the Meta Platform Terms, the Meta Developer Policies and the WhatsApp Business and Instagram Platform Policies.

12. Google API Services — User Data Policy

PumAI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect your Google account we request the following scopes:

  • openid, email, profile — to authenticate you and display your name and email in the dashboard.
  • https://www.googleapis.com/auth/calendar.readonly — to read your calendar events so the AI agent can answer customer questions about availability.
  • https://www.googleapis.com/auth/calendar.events — to create, update or cancel calendar events on your behalf when a customer books an appointment through an AI conversation.

Google Calendar data is used solely to provide these features. We do not sell Google user data, do not transfer it to third parties for advertising or independent purposes, do not use it for serving ads, and do not allow humans to read it except (a) with your explicit consent, (b) for security investigations or to comply with applicable law, or (c) where data is aggregated and anonymised. Calendar tokens are encrypted at rest. You can revoke PumAI's access at any time from your Google Account permissions page or by disconnecting the integration from the PumAI dashboard.

13. Notifiable Data Breaches

In the event of an eligible data breach we will notify affected individuals and the OAIC within the timeframes required by the Notifiable Data Breaches scheme.

14. Changes to this policy

We may update this policy. We will notify you of material changes by email or via the dashboard. The effective date is shown at the top of this page.

15. Contact

PUM AI PTY LTD · ABN 43697367963 · Australia
Privacy Officer — privacy@pumai.com.au