1. Overview
This Privacy Policy describes how employeeX Pty Ltd ("EmployeeX", "we", "us") collects, uses, stores, and protects personal information and Customer Content when you use the EmployeeX agent operations platform ("Platform").
We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For customers operating in the European Economic Area, we comply with the GDPR as a data processor acting on your instructions. For UK customers, we comply with the UK GDPR.
Where EmployeeX processes personal data on behalf of a Customer, the Customer is the data controller and EmployeeX is the data processor. A Data Processing Addendum (DPA) is available on request for enterprise agreements.
2. What We Collect
Account & identity data
- Name, work email address, job title, and organisational unit — sourced from your identity provider (Entra ID, Okta) during onboarding and sync.
- Authentication events: sign-in timestamps, IP addresses, device information.
- Role assignments, team membership, and manager hierarchy — read from your IdP and used solely for access control.
Usage & operational data
- Agent configurations, profiles, and prompt versions you create in the Platform.
- Chat messages, file uploads, and agent outputs generated in sessions.
- Tool invocations, approval decisions, and audit ledger entries — every action agents take on your behalf.
- Budget allocations and per-team cost attribution data.
- Integration connection events (Slack, Teams, GitHub, Jira, and others you connect).
Technical data
- Server-side logs: request timestamps, endpoint paths, response status codes, and latency. Logs do not include message content.
- Error traces for debugging — content is redacted before being sent to error monitoring services.
- Anonymised aggregate usage metrics for capacity planning and service improvement.
What we do not collect
- Payment card data — handled entirely by our payment processor (Stripe). We store only invoice references and plan identifiers.
- Biometric data of any kind.
- Consumer personal data. EmployeeX is a B2B enterprise platform. We do not target consumers.
3. How We Use Data
We use collected data exclusively to:
- Deliver the Platform — route agent requests, enforce Policy Gate rules, populate the Audit Ledger, and provide Business Unit Oversight.
- Enforce access control — map IdP roles to Platform permissions, resolve tool access, and restrict data retrieval to authorised scopes.
- Provide the Audit Ledger — maintain an immutable, hash-chained record of every agent action for your compliance and incident response use.
- Support billing — attribute model call costs to teams and profiles; enforce budget caps.
- Communicate with you — send service notifications, security alerts, and invoices to account administrators.
- Improve reliability — analyse anonymised error patterns and latency data to improve the Platform. We do not use Content for this purpose.
We do not sell personal data. We do not use personal data for advertising. We do not combine your data with third-party data sets to build profiles.
4. AI & LLM Data Handling
No model training on your data. Customer Content — including messages, documents, prompts, and agent outputs — is never used to train, fine-tune, or improve AI models operated by EmployeeX or third-party model providers. We contractually enforce this with our model provider partners.
Model provider routing. When an agent makes a model call, the prompt (including context from your documents and tools) is transmitted to the selected model provider (Anthropic, OpenAI, or others configured in your profile) over an encrypted channel. The model provider processes the prompt and returns a response. No content is retained by the model provider beyond the duration of the API call, per their zero-retention API agreements.
PII detection. The Platform's Policy Gate includes optional PII detection on agent inputs and outputs. When enabled, PII is detected, flagged, and handled per your configured policy (warn, redact, or block). Redacted content is not transmitted to model providers or stored in plaintext.
Agent memory. If you enable agent memory features, summaries of prior sessions are stored in your tenancy's encrypted storage and retrieved only for your agents. Memory is scoped per agent profile and per user, subject to your RBAC configuration.
Execution runtimes. When agents execute code or drive a browser, they do so in isolated, per-invocation sandboxes. Files produced in a session are stored as encrypted attachments in your tenancy. Runtime environments are destroyed after each invocation — no state persists between runs.
Knowledge bases. Documents you index for retrieval (RAG) are chunked, embedded, and stored in your tenancy's vector index. Embeddings are used solely for semantic retrieval within your tenancy. We do not cross-contaminate vector indices between tenants.
5. Data Residency
Enterprise plans may select a primary data residency region:
- Australia — default for all plans. Data stored in AWS ap-southeast-2 (Sydney).
- Europe — data stored in AWS eu-west-1 (Ireland) or eu-central-1 (Frankfurt).
- United States — data stored in AWS us-east-1 (N. Virginia) or us-west-2 (Oregon).
Data does not leave your selected region except:
- For model API calls to providers — content is transmitted for inference only and not retained.
- Where explicitly instructed by your integration configuration (e.g., sending a Slack message to a channel you connected).
- Where required by applicable law or a valid legal process — we will notify you to the extent permitted by law.
Residency selection is configured at account creation. Changing residency region requires a data migration agreement and may involve downtime. Contact legal@empx.ai to initiate.
7. Retention
We retain data for the following periods:
- Account and identity data — for the duration of your subscription, plus 90 days to allow for data export.
- Chat sessions and agent outputs — per your configured retention policy (default: 365 days). Enterprise plans may configure custom retention periods or archive to your own storage.
- Audit Ledger entries — minimum 2 years by default; configurable up to 7 years on enterprise plans to meet regulatory requirements.
- Server logs — 90 days rolling, then deleted.
- Billing records — 7 years as required by Australian tax law.
On subscription termination, you have 30 days to export your Content. After this period, Content is queued for deletion and removed from production systems within 90 days. Audit Ledger entries may be retained longer if required by law.
8. Security
We apply the following controls to protect your data:
- Encryption at rest — AES-256 for all data stores, including attachments, vector indices, and database tables.
- Encryption in transit — TLS 1.2 minimum on all connections. TLS 1.3 is preferred where supported.
- Per-tenant isolation — Customer data is logically separated at the application layer and physically separated in storage. Database queries are scoped by organisation ID at the ORM level.
- Access control — internal staff access to production data requires multi-factor authentication and is logged. Access is role-limited and reviewed quarterly.
- Vulnerability management — dependencies are monitored for known CVEs. Critical patches are applied within 24 hours; high severity within 7 days.
- Penetration testing — annual third-party penetration tests. Results and remediation timelines are available to enterprise customers under NDA.
- SOC 2 Type II — in progress. Report available on completion (estimated H2 2026).
In the event of a confirmed breach affecting your data, we will notify you within 72 hours of discovery, as required by the Australian Privacy Act notifiable data breaches scheme and the GDPR (where applicable).
9. Your Rights
Subject to applicable law, individuals whose personal data we hold have the right to:
- Access — request a copy of personal data we hold about you.
- Correction — request correction of inaccurate or incomplete personal data.
- Deletion — request deletion of personal data, subject to our legal retention obligations.
- Portability — receive your personal data in a structured, machine-readable format (GDPR Article 20).
- Objection — object to processing based on legitimate interests.
- Restriction — request restriction of processing while a dispute is resolved.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
Requests from individuals should be directed to privacy@empx.ai. We respond within 30 days. Customer administrators can fulfil many of these requests directly through the Platform's User management and data export tools.
Australian residents may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. EU/UK residents may lodge complaints with their local supervisory authority.
10. Subprocessors
We use the following categories of subprocessors to deliver the Platform. All are bound by data processing agreements requiring protections equivalent to those in this Policy.
| Category | Purpose | Location |
|---|---|---|
| AWS | Cloud infrastructure, storage, networking | Your selected region |
| Anthropic | Claude model inference (zero-retention API) | United States |
| OpenAI | GPT model inference (zero-retention API) | United States |
| Stripe | Payment processing | United States |
| Error monitoring | Application error tracking (content redacted) | United States |
| Observability | Metrics, tracing, performance monitoring | Your selected region |
We notify Customers 30 days before adding a material new subprocessor. This list was last updated 16 May 2026.
11. Contact & Updates
For privacy enquiries, data subject requests, or to request a Data Processing Addendum:
- Email: privacy@empx.ai
- Post: employeeX Pty Ltd, Privacy Officer, Sydney, New South Wales, Australia
We may update this Policy to reflect changes in our practices or applicable law. Account administrators will be notified of material changes by email at least 30 days before they take effect. The effective date at the top of this page reflects the most recent version.
Archived versions of this Policy are available on request.