Privacy Policy

Alloy Technologies Operations Pty Ltd (ACN 684 502 332) ("Alloy", "we", "us", "our") provides a cloud-based data platform that ingests multimodal data, enables natural language search and analytics, generates mission summary reports, and exposes integrations and observability tools (the "Services").

This Privacy Policy explains how we collect, use, disclose, retain and protect Personal Data across our website, the Services, and our agent and connector integrations. In this Policy, "Personal Data" means information that identifies, relates to, or could reasonably be linked to an identified or identifiable individual.

This Policy applies alongside our Terms of Service and any customer agreements or data processing terms we enter into with Customers. Where we process Personal Data on behalf of a Customer, that processing is governed by our agreement with that Customer. Any applicable customer agreement or data processing terms will prevail over this Privacy Policy in the event of any inconsistency regarding the processing of Personal Data.

1. Who this policy applies to

This Privacy Policy describes how we handle Personal Data about three categories of people:

  • Visitors to our website at usealloy.ai, including those who fill in contact forms, subscribe to communications, apply for roles, or browse our content.
  • Platform users — individuals who hold an account with us, including those who sign up directly on a self-serve basis and those authorised by our Customers to access the Services (including engineers, operators, analysts, and administrators).
  • Data subjects in uploaded content — individuals whose Personal Data appears within data that our Customers upload to the Services (for example, individuals identifiable in sensor data, images, logs, or scenario records).

Different parts of this Policy apply to each category. Where we process Personal Data about Platform users or data subjects in uploaded content on behalf of a Customer, that processing is governed by our agreement with that Customer.

2. Personal Data we collect

The categories of Personal Data we collect depend on the relationship you have with us.

From website visitors

  • Contact details you submit (name, email address, organisation, telephone, message content).
  • Information from job applications and recruitment processes.
  • Browser and device information (IP address, browser type, operating system, language, referrer).
  • Pages visited, time spent, and other interactions on usealloy.ai.
  • Cookies and similar technologies (see Section 11).

From Platform users

  • Account and authentication data (name, email address, organisation membership, user identifier, role).
  • Authentication artefacts: passwords are hashed; access and refresh tokens are stored to maintain your session; multi-factor authentication factors may be processed by our authentication providers.
  • Usage telemetry from your use of the Services (device information, IP address, platform usage logs, search queries, feature interactions, error and performance data).
  • Communications you send to us (support tickets, feedback, correspondence).

From data uploaded by our Customers

  • Any Personal Data contained within mission data, sensor data, images, logs, scenario records, or other files that our Customers upload to the Services.
  • We do not require or request special category data (as defined in Article 9 of the GDPR) or sensitive information for the provision of the Services. Customers must not upload such data unless permitted by their agreement with us or approved by us in writing, and additional safeguards may apply.

We may also collect Personal Data about you from third parties, including: (i) our Customers (where you are an authorised user of theirs, or where they upload data containing your Personal Data); (ii) authentication and identity providers (where you sign in via a third-party account); (iii) recruitment platforms (where you apply for a role with us); and (iv) analytics and integration providers (where you have authorised the disclosure or it is permitted by law).

3. How we use Personal Data

We use Personal Data for the following purposes.

To operate and provide the Services

  • Authenticate users and maintain sessions.
  • Ingest, store, search, and analyse data uploaded to the Services.
  • Generate mission summary reports, natural language responses, and other outputs from the Services.
  • Provide observability and monitoring features.
  • Communicate with you about your account, the Services, and changes to either.

To improve the Services

  • Analyse usage telemetry, Customer Data, derived information and other information we are permitted to use under your applicable agreement to identify failure modes, prioritise features, improve performance, and evaluate and develop our products, features, systems and related capabilities.
  • Improve, test and refine internal systems and capabilities that support features such as search ranking, anomaly detection, capacity planning, analytics and automation.
  • Conduct internal product analytics through our analytics providers.

To secure the Services

  • Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
  • Maintain audit logs and monitoring for incident response and compliance.
  • Comply with our security and compliance obligations.

To communicate with you

  • Respond to enquiries, support requests, and feedback.
  • Send transactional and service-related communications.
  • Send marketing communications where you have consented or where permitted by law (you can opt out at any time).

To meet our legal obligations

  • Comply with applicable laws, regulations, court orders, and regulator requests.
  • Establish, exercise, or defend legal claims.
  • Manage employment applications.

4. MCP, connectors, and third-party platforms

We may expose the Services through Model Context Protocol (MCP) servers, agent integrations, and connector integrations made available on third-party platforms and developer marketplaces.

When you use the Services through one of these integrations, the following applies.

When you connect Alloy to a third-party platform, the permissions you authorise determine what the platform or assistant can access or do in your Alloy account or Customer organisation. Depending on the tools enabled, this may include retrieving, creating, modifying or deleting data. You can revoke access by disconnecting the integration in the third-party platform or in Alloy, where supported.

What we receive

  • The specific request that you, or the third-party platform or assistant on your behalf, make to one of our tools, together with the parameters required to fulfil that request.
  • Authentication credentials issued by the third-party platform that link the request to your Alloy account or Customer organisation.
  • Operational metadata such as request identifiers, timestamps, and error codes, needed to deliver and debug the response.

What we return

  • The response to your request, drawn from the Services. We aim to return only what is necessary to fulfil the request and apply data minimisation and redaction controls designed to avoid exposing identifiers, secrets or Personal Data where they are not required for the response.

What we do not do

  • We do not capture, store, or process the broader conversation context, chat history, transcripts, or other content from the third-party AI assistant outside of the specific request directed to our tool.
  • Our use of content received through MCP or connector integrations is governed by this Privacy Policy and your applicable agreement with us.
  • We do not share data received through MCP or connector integrations with other Customers.

Relationship with the third-party platform

Your use of the third-party platform itself is governed by that platform's own terms and privacy policy.

Logging and redaction

  • We apply data minimisation and redaction controls designed to avoid storing identifiers, secrets or Personal Data in internal logs where they are not required for service operation, debugging, security or compliance.
  • Operational logs are retained for as long as reasonably necessary for service operation, debugging, security and compliance, consistent with Section 7.

5. How we share and disclose Personal Data

We share Personal Data with the following categories of recipients.

Subprocessors. We engage trusted third-party Subprocessors to help us operate the Services. These include providers of cloud infrastructure and hosting, data processing and analysis, authentication, transactional email, internal collaboration, monitoring and observability, product analytics, and payment processing.

Where we engage a Subprocessor, we use contractual and other safeguards designed to ensure the Subprocessor accesses and uses Personal Data only as needed to provide services to us and on terms consistent with this Policy and our customer commitments. Our current Subprocessor list, including each Subprocessor's identity, location and processing purpose, is maintained at https://trust.usealloy.ai/.

Other categories of recipients

  • Our employees, contractors, and related entities — on a need-to-know basis, subject to confidentiality and security obligations.
  • Professional advisors — legal, accounting, audit, insurance, and other advisors who require access to perform their services.
  • Acquirers or successors in interest — if Alloy is involved in a merger, acquisition, financing, or sale of assets, in which case Personal Data may be transferred subject to standard confidentiality and continuity-of-policy commitments.
  • Courts, regulators, and law enforcement — where required by law, court order, or regulator request; in connection with actual or prospective legal proceedings; or to establish, exercise, or defend our legal rights.
  • Third parties you direct us to share with — for example, when you use an integration that you have configured to send data outside the Services.

We do not sell or rent Personal Data. We do not disclose Personal Data to other Customers, except as directed by the relevant Customer or as required by law.

6. International transfers

We may process Personal Data in Australia and other countries where we or our service providers operate. Where required by applicable law, we use appropriate safeguards for international transfers, which may include standard contractual clauses or equivalent transfer mechanisms for transfers from the EEA, United Kingdom or Switzerland. More information about our current service providers and their locations is available at https://trust.usealloy.ai/.

7. Data retention and deletion

We retain Personal Data only for as long as needed.

  • Personal Data — retained for the duration of the service relationship and as required by applicable laws. Customers may delete data in-product where the Services provide that functionality. Upon termination, we handle Personal Data in accordance with applicable law, product functionality and any applicable written agreement. Where required by applicable law or an applicable written agreement, we will provide confirmation of deletion.
  • Operational logs — retained for as long as reasonably necessary for security, debugging, compliance and service operation, unless a longer period is required by law or an applicable written agreement. Logs containing Personal Data are subject to minimisation and redaction controls where appropriate for the operational purpose.
  • Marketing communications and website analytics — retained for the duration of your engagement with us, or until you withdraw consent or unsubscribe.
  • Employment applications — retained for the duration of the recruitment process and a reasonable period afterwards, in accordance with applicable law.

Our retention periods are reviewed annually. Where Personal Data is no longer needed, we delete it using secure disposal methods.

8. Security

We use administrative, technical and organisational safeguards designed to protect Personal Data against unauthorised access, loss, misuse, alteration and disclosure. These safeguards may include encryption in transit and at rest, access controls, authentication controls, logging and monitoring, vulnerability management, backup and recovery procedures, personnel security measures and incident response processes.

Where applicable, customer-facing security reports, certifications or trust materials may be made available to eligible Customers under confidentiality.

No information system can be guaranteed to be fully secure. The transmission and exchange of information over the internet is at your own risk. If we become aware of a security incident affecting Personal Data, we will respond in accordance with applicable law and any applicable agreement with the affected Customer. To the maximum extent permitted by law, our liability arising from any security incident is limited as set out in your applicable agreement with us.

9. Your rights and choices

Subject to applicable law, you have the following rights with respect to your Personal Data.

Universal rights

  • Access — request a copy of the Personal Data we hold about you.
  • Correction — ask us to correct Personal Data that is inaccurate, out of date, incomplete, or misleading.
  • Deletion — request that we delete Personal Data we hold about you, subject to legal retention requirements.
  • Object or restrict — object to certain processing, or ask us to restrict our use of your Personal Data.
  • Withdraw consent — where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Lodge a complaint — you may complain to a privacy regulator. In Australia, this is the Office of the Australian Information Commissioner (oaic.gov.au).

For Platform users and data subjects in uploaded content

Where we hold Personal Data about you on behalf of a Customer (for example, because your employer is our Customer, or because you appear in content uploaded by a Customer), you should first contact the Customer to exercise your rights. We will support the Customer in responding to your request. If you cannot reach the Customer or believe the Customer is not handling your request appropriately, you may contact us using the details in Section 13 and we will assist where we are able to under applicable law and our agreements with the Customer.

Where you are a self-serve user with no separate Customer organisation, you may contact us directly using the details in Section 13 and we will handle your request as the Controller of your account data.

Additional rights for residents of the European Economic Area or United Kingdom

  • Right of access (GDPR Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21).
  • Rights related to automated decision-making (Article 22).
  • Right to lodge a complaint with a supervisory authority.

The legal bases on which we rely include: performance of a contract (Art 6(1)(b)), legitimate interests (Art 6(1)(f)), compliance with legal obligations (Art 6(1)(c)), and consent (Art 6(1)(a)).

Additional rights for residents of California

  • Right to know what categories of Personal Data we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to delete Personal Data.
  • Right to correct inaccurate Personal Data.
  • Right to opt out of "sale" or "sharing" of Personal Data, where required by applicable law. We do not sell Personal Data.
  • Where required by applicable law, we honour legally recognised opt-out preference signals, such as Global Privacy Control, in accordance with our technical capabilities and legal obligations.
  • Right to limit use of sensitive Personal Data.
  • Right to non-discrimination for exercising your rights.

You may exercise these rights by contacting us using the details in Section 13. We aim to respond to verified rights requests within 30 days of receipt; where the request is complex or where we receive a high volume of requests, we may extend this period by up to 60 additional days and will notify you of the extension.

10. Children's data

The Services are intended for business use by our Customers and are not directed at individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If you believe we have inadvertently collected such information, please contact us using the details in Section 13 and we will take reasonable steps to delete it.

11. Cookies and analytics technologies

We use a small number of cookies and similar technologies on our website (usealloy.ai) to measure usage and improve your experience. The categories of cookies we use include:

  • Strictly necessary cookies — set automatically by our content delivery network for security and bot-management purposes; these cannot be disabled.
  • Analytics cookies — set by our website analytics provider to measure aggregated usage of usealloy.ai (page views, sessions, referral sources).

We do not use cookies for advertising, retargeting, or cross-site tracking. You can control or disable cookies through your browser settings and, where available, through controls provided by our analytics provider.

We do not use cookies to identify individual users of the Services beyond authentication and session management.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by posting an updated policy on our website and, where appropriate, by direct communication. The "Last updated" date shows when this Policy was last revised.

13. Contact us

If you have any questions, concerns, or requests about this Privacy Policy or our handling of Personal Data, please contact us.

Alloy Technologies Operations Pty Ltd (ACN 684 502 332)
604/46 Kippax Street, Surry Hills, NSW 2010, Australia
Email: [email protected]

Last updated 20/05/2026