Privacy Policy
OAIC & GDPR-aligned
Last updated: 8 December 2025
1. Overview
This Privacy Policy explains how LocalLabs Pty Ltd (ABN 74 688 587 260) trading as InsightFlow ("we", "us", "our") collects, uses, stores and shares personal information.
We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and relevant international standards including the EU General Data Protection Regulation (GDPR) where applicable.
2. Information We Collect
2.1 Account Information
- Name
- Email address
- Billing information
- Company details
- Role and permissions
2.2 Study Content
We collect data you upload, including:
- Research questions and study design
- Discussion guides and flow configurations
- Raw participant responses
- AI-generated materials and insights
- Exported files and reports
2.3 Automatically Collected
- IP address
- Device information
- Browser type and version
- Operating system
- Usage analytics and session data
- Cookies and similar technologies
2.4 Panel Provider Cookies
We allow external panel providers to set tracking pixels/cookies on:
- Study start page
- Study completion page
This enables panel providers to verify participant eligibility and process reward payouts.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Platform | Contractual necessity |
| Generate insights and reports | Contractual necessity |
| Process payments through Stripe | Contractual necessity |
| Communicate with you | Legitimate interest |
| Ensure security and integrity | Legitimate interest |
| Improve our product | Legitimate interest |
| Produce anonymised benchmarking | Legitimate interest |
| Analytics and cookies | Consent |
| Legal compliance | Legal obligation |
We do not use or share your identifiable study data for any external purpose.
4. Legal Bases (GDPR)
Where GDPR applies, we process data under:
- Contractual necessity – To provide the services you've requested
- Legitimate interests – For security, fraud prevention, and product improvement
- Consent – For cookies, analytics, and marketing communications
- Legal compliance – To meet legal obligations
5. Sharing & Disclosure
We share personal data only with trusted partners who assist in providing our services:
| Partner | Purpose | Data Shared |
|---|---|---|
| Vercel | Hosting | Technical logs |
| Supabase | Database | All platform data (encrypted) |
| Stripe | Payments | Billing information |
| OpenAI | AI processing | Study prompts and responses |
| Google Analytics | Analytics | Usage data |
| Panel providers | Participant tracking | Completion cookies only |
We do not sell personal information.
We may also disclose information:
- To comply with legal obligations
- To protect our rights or the safety of others
- In connection with a merger, acquisition, or asset sale
6. International Transfers
Your data may be stored or processed outside Australia, including in the United States and European Union.
Where data is transferred internationally, we ensure equivalent safeguards through:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements with subprocessors
- Compliance with applicable transfer mechanisms
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion, plus 7 years for tax records |
| Study content | Until you delete it or close your account |
| Interview messages | Until study deletion |
| Payment records | 7 years (legal requirement) |
| Anonymised/aggregated data | Indefinitely |
8. Security
We implement industry-standard security measures including:
- Encryption at rest and in transit (TLS 1.3)
- Access control policies and role-based permissions
- Database security with row-level security (RLS)
- Regular security assessments
- Secure hosting infrastructure
No system is completely secure. We cannot guarantee absolute security but commit to prompt notification and remediation in the event of any breach.
9. Your Rights
You have the right to:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Correction | Request correction of inaccurate data |
| Deletion | Request deletion of your data |
| Restriction | Request we limit processing |
| Portability | Receive your data in a portable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent for cookies/marketing |
To exercise these rights, contact: joel@locallabs.dev
We will respond within 30 days (or 72 hours for access requests under GDPR).
10. Cookies
We use cookies for:
- Essential cookies – Required for platform functionality
- Analytics cookies – To understand usage patterns
- Panel provider cookies – For participant verification
You can manage cookie preferences through your browser settings or our cookie consent banner.
11. Children's Privacy
InsightFlow is not intended for use by individuals under 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of substantive changes via email or platform notification.
13. Contact Us
For privacy inquiries or to exercise your rights:
- Privacy Officer
- Email: joel@locallabs.dev
- Phone: +61 432 497 673
For complaints, you may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
© 2025 LocalLabs Pty Ltd. All rights reserved.