Privacy Policy

1. Introduction

This Privacy Policy (“Policy”) describes how Nebula Platform Pty Ltd (ABN 51 667 540 025) (“Nebula”, “we”, “us”, or “our”) collects, uses, discloses, stores, and protects personal information when you access or use the Nebula platform, website, APIs, and all related services (collectively, the “Platform”).

This Policy should be read together with our Terms of Service. By using the Platform, you consent to the collection and use of your information as described in this Policy. If you do not agree, you must not use the Platform.

2. Information We Collect

We collect the following categories of information:

2.1. Information you provide

• Account registration details: name, email address, password, and organisation name;
• Profile information: job title, contact details, and organisation details;
• User Content: contracts, scope documents, project communications, formal notices, and any other documents or data you upload to the Platform;
• Payment information: billing address and payment details processed through our third-party payment processor (we do not store full payment card numbers on our servers); and
• Communications: messages you send to us, including support requests and feedback.

2.2. Information collected automatically

• Device and browser information: IP address, browser type and version, operating system, device identifiers, and screen resolution;
• Usage data: pages visited, features used, actions taken, timestamps, referring URLs, and session duration; and
• Cookies and similar technologies: as described in Section 9 below.

2.3. Information derived from your use

• AI-extracted data: obligations, milestones, deliverables, payment terms, deadlines, and risk assessments derived from your uploaded documents; and
• Reputation data: delivery rate, response time, verification success rate, and dispute history calculated from verified project outcomes.

3. How We Use Your Information

We use the information we collect for the following purposes:

• to provide, operate, and maintain the Platform and its features;
• to process your uploaded documents using artificial intelligence and extract structured project data;
• to track obligations, enforce deadlines, and automate project governance workflows;
• to calculate and display reputation scores based on verified project outcomes;
• to anchor records to the Polygon blockchain for permanent verification;
• to process payments and manage your subscription;
• to send you transactional notifications about project activity, deadlines, enforcement actions, and account events;
• to respond to your enquiries, support requests, and feedback;
• to improve the Platform through aggregated, anonymised usage analytics;
• to detect, investigate, and prevent fraudulent, unauthorised, or illegal activity; and
• to comply with applicable legal obligations.

4. Artificial Intelligence and Your Data

4.1. When you upload documents, our AI systems process them on secure servers to extract structured data, including obligations, milestones, payment terms, deadlines, and identified risks. The results of this processing are stored within your account and are accessible only to you and other authorised users on your projects.

4.2. We do not use your uploaded documents, their contents, or any AI-extracted data to train, fine-tune, or improve our AI models. AI processing is performed solely to deliver the Platform services to you.

4.3. You may review, correct, and override all AI-extracted data before it becomes active in your projects.

5. Blockchain Records

5.1. The Platform anchors certain events to the Polygon blockchain by storing a cryptographic hash of the relevant data. Only the hash is published on-chain. The full content of your documents, personal information, and project details are not published to the blockchain.

5.2. Blockchain records are permanent and immutable. Once a hash has been anchored, it cannot be altered or deleted, including upon request or upon termination of your account.

5.3. The cryptographic hash alone cannot be used to reconstruct or identify the underlying data without access to the Platform.

6. Disclosure of Your Information

We may disclose your information to the following categories of recipients:

6.1. Project counterparties

Other users on your projects may see your organisation name, role, project communications, reputation score, and relevant project data as necessary for collaboration.

6.2. Service providers

We engage third-party service providers for cloud hosting, email delivery, payment processing, analytics, and customer support. These providers process your information on our behalf under data processing agreements and are prohibited from using your data for their own purposes.

6.3. Legal and regulatory

We may disclose your information where required by law, regulation, legal process, or enforceable governmental request, or where we reasonably believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

6.4. Business transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the successor entity. We will provide notice of any such transfer and any changes to this Policy.

We do not sell your personal information to third parties. We do not share your uploaded documents with any party outside your designated project teams, except as described above.

7. Reputation Data

7.1. Your reputation score is calculated from objective, verifiable project outcomes and is visible to other Platform users, including in the marketplace.

7.2. Reputation data includes: delivery rate, average response time, verification success rate, and dispute history.

7.3. Reputation scores are derived algorithmically from project activity and are not manually adjusted by Nebula. If you believe a score reflects a Platform error, you may submit a review request to support@nebulaplatform.com.au.

7.4. Reputation data remains associated with your account for the duration of your use of the Platform and is not deleted upon request, as it constitutes a factual record of verified project outcomes.

8. Data Storage and Security

8.1. Your data is stored on secure cloud infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+).

8.2. We implement industry-standard security measures, including role-based access controls, audit logging, intrusion detection, vulnerability scanning, and regular security assessments.

8.3. Account credentials are hashed using strong, one-way cryptographic algorithms. We do not store passwords in plaintext.

8.4. While we take reasonable measures to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

9. Cookies and Tracking Technologies

9.1. Essential cookies: We use cookies strictly necessary for the operation of the Platform, including session management and authentication. These cookies cannot be disabled.

9.2. Analytics cookies: We may use analytics cookies to collect aggregated, anonymised data about Platform usage to help us improve our services. You may opt out of analytics cookies through your browser settings.

9.3. We do not use advertising cookies, tracking pixels for third-party ad networks, or cross-site tracking technologies.

10. Data Retention

10.1. We retain your account data and User Content for as long as your account remains active.

10.2. Upon account closure, we make your data available for export for thirty (30) days. After this period, we delete your data from active systems within ninety (90) days.

10.3. Some data may persist in encrypted backup systems for up to twelve (12) months following deletion from active systems.

10.4. Blockchain-anchored cryptographic hashes are permanent and cannot be removed.

10.5. We retain anonymised, aggregated analytics data indefinitely.

10.6. We may retain certain data for longer periods where required by law, regulation, or to resolve disputes or enforce our agreements.

11. Your Rights

Subject to applicable law, you may have the following rights in relation to your personal information:

• Access: the right to request a copy of the personal information we hold about you;
• Correction: the right to request correction of inaccurate or incomplete personal information;
• Deletion: the right to request deletion of your personal information, subject to our legal obligations and legitimate interests;
• Portability: the right to receive your personal information in a structured, commonly used, machine-readable format;
• Restriction: the right to request that we restrict processing of your personal information in certain circumstances;
• Objection: the right to object to processing of your personal information where we rely on legitimate interests; and
• Withdrawal of consent: where processing is based on your consent, the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@nebulaplatform.com.au. We will respond to your request within thirty (30) days. We may ask you to verify your identity before processing your request. Some rights may be limited where we have an overriding legitimate interest or legal obligation.

12. International Data Transfers

12.1. Your data may be processed in countries other than your own, including Australia and the United States, where our cloud infrastructure providers operate.

12.2. Where personal information is transferred to a jurisdiction that does not provide an equivalent level of data protection, we ensure appropriate safeguards are in place, including standard contractual clauses, data processing agreements, or other legally recognised transfer mechanisms.

12.3. We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and applicable data protection legislation in all jurisdictions where we operate.

13. Children’s Privacy

The Platform is not directed at and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information. If you believe a child has provided personal information to us, please contact privacy@nebulaplatform.com.au.

14. Changes to This Policy

14.1. We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.2. We will notify you of material changes by email or through the Platform at least fourteen (14) days before the changes take effect.

14.3. Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the changes. If you disagree with any changes, you may close your account before the changes take effect.

14.4. The “Effective date” at the top of this page indicates when this Policy was last updated.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

For general legal enquiries, please refer to our Terms of Service or contact legal@nebulaplatform.com.au.

If you are not satisfied with our response to a privacy concern, you may have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or the relevant data protection authority in your jurisdiction.