Privacy Policy
This Privacy Policy explains what information ABS AI ("we", "us", "the service") collects, why, how it's used, who it's shared with, and your rights.
Read this first. ABS AI is a community-driven public-data project. Every question you ask and every answer the AI returns is stored on our servers, and any question or answer may become publicly visible at absai.com.au/answers if it is flagged for the public library and approved. The onus is on you, the user, to not include personally identifiable information (PII) in your questions. We make reasonable effort to surface only non-personal content publicly, but the responsibility for what goes in is yours.
1. What we collect
1.1 Account information
- Email address — required for sign-in and account recovery. Stored in our authentication provider (Supabase).
- OAuth profile — if you sign in with Google, we receive your name and email from Google. We don't request additional scopes (e.g. contacts, calendar).
- Acceptance of these policies — a timestamp and version number recording your acceptance of the Terms of Use and this Privacy Policy.
1.2 Usage information
- Question text + AI responses — the questions you submit and the answers the service generates. Stored linked to your account so you can revisit past conversations.
- IP address — used for rate limiting (so anonymous use doesn't blow our budget) and for security investigation if abuse is suspected. Stored hashed where used for anonymous rate-limit counters.
- Feedback ratings — when you click 👍 / 👎 on an answer, we store the rating + any comment you add, linked to the question + answer.
- Browser metadata — standard request headers (user-agent, language) seen by our server in the normal course of an HTTP request. Not actively logged beyond standard request logs (which are rotated regularly).
1.3 Analytics
This site uses Google Analytics 4 (GA4) to understand which questions and answer pages get the most traffic, where users come from, and how we can improve the service. GA4 uses first-party cookies and may collect IP address (anonymised by GA4 by default), browser, device, and behaviour data per Google's own privacy terms. No advertising pixels, cross-site cookies, or fingerprinting are in use. Local development builds do not load GA4 at all.
User ID and event detail (v1.3, May 2026). When you are signed in, we associate a non-identifying user ID (a random UUID issued by Supabase Auth — not your email) with analytics events so we can understand cross-device usage and feature engagement (e.g. "do users who view a public answer page sign up and ask their own question?"). We also fire a small set of structured events from our server alongside the browser fires so that ad-blockers and tab-close events don't skew our reliability metrics. We do not send your question text, the answer text, any part of the conversation content, your email address, or any data you enter into the chat to analytics services. Event parameters are limited to non-personal metadata: the dataset family (e.g. "GCP"), the response category (answer/clarification/error), latency buckets, error codes, and similar shape-level attributes.
2. Third-party processors
We use the following services to operate ABS AI. Each is bound by its own privacy obligations (linked below). Data is passed to them only to the extent needed to operate the service:
- Supabase (auth + database + sessions). Data stored in Sydney (ap-southeast-2). See supabase.com/privacy.
- Google Cloud (Vertex AI Agent Engine in Melbourne, Gemini language models). Question text is sent to Gemini to generate the answer. Google has data processing terms that prohibit using Vertex AI customer data to train models.
- Vercel (hosting the web frontend). Vercel terminates HTTPS, serves static assets, and proxies API calls. See vercel.com/legal/privacy-policy.
We don't sell or rent your information. We don't share it with advertisers. We share it only with the processors listed above, and only as required to make the service work.
3. How we use what we collect
- To answer your questions — your question is sent to Gemini (via Vertex AI in Melbourne) and to our Postgres database (Supabase in Sydney) to retrieve the relevant ABS data.
- To remember your conversations — past Q&A is stored against your account so the chat sidebar can list them.
- To enforce rate limits — your IP (anon) or user ID (signed-in) is the counter key.
- To improve the service — we look at thumbs-down feedback and the surrounding question/answer to fix bad outputs. Aggregate, non-identifying patterns may inform future improvements.
- To prevent abuse — if we detect attempts to bypass rate limits or generate harmful content, we may review the relevant request logs.
4. Published answers — important
When you click "Make this answer public" on an answer in the chat, you opt your question and the resulting answer into our public Answers library at absai.com.au/answers. Specifically:
- The question text (possibly lightly edited by us for clarity or to remove personal info) will be published publicly.
- The AI-generated answer, source citations, and chart will be published publicly.
- Published content will be indexable by search engines and AI crawlers.
- Published content is retained indefinitely, even if you later delete your account, because removing it would orphan inbound links and break SEO equity built by the community.
The onus is on you, the user, to keep personally identifiable information (PII) out of every question you submit — your name, address, phone, ID numbers, the same about anyone else, or anything that could identify a living person. Even if you don't flag an answer for publishing, your questions are still stored and reviewable by us, and may be promoted to the public Answers library later via the admin curator surface (see Terms of Use §3).
We make reasonable effort to surface only non-personal, statistical content publicly. Admins review every flagged candidate and may edit the question wording to remove personal info. But this is best-effort review, not a guarantee — the responsibility for what goes into the system in the first place is yours.
You can ask us to take down a published answer you submitted by connecting on LinkedIn and messaging us — we'll consider each request on its merits. Takedowns are not automatic because the content is owned by the service per the Terms of Use.
5. Your rights
You may request, at any time:
- A copy of all the data we have linked to your account ("data export").
- Deletion of your account and all linked private data ("right to be forgotten"). Note: published answers (§4) are retained.
- Correction of inaccurate information.
Send requests by connecting on LinkedIn and messaging us. We'll respond within 30 days.
If you believe we've handled your personal information in a way that doesn't meet our obligations under the Australian Privacy Principles, you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We'd appreciate the chance to address your concern first, but you're not required to contact us before contacting the OAIC.
6. How long we keep things
- Account + email — for the life of the account. Deleted within 7 days of your deletion request.
- Questions + AI responses — stored for the life of the account; deleted with the account.
- Rate-limit counters — purged after 24 hours.
- Published answers — retained indefinitely (see §4).
- Standard request logs — rotated every 30 days unless flagged for abuse investigation.
7. Data breach notification
If we discover a data breach involving your personal information that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). The notice will describe what happened, what information was involved, the steps we are taking, and the steps you can take to protect yourself.
8. Cookies, storage, and tracking
We use a small number of essential storage mechanisms in your browser to make the service work:
- Supabase auth tokens — to keep you signed in across page loads. These are first-party cookies / localStorage entries managed by Supabase.
- Theme preference (
abs-adk:themein localStorage) — so dark/light mode persists. - Chat draft — your in-progress message is briefly held in localStorage to avoid loss on page reload.
We do not use third-party advertising cookies or cross-site behavioural tracking. Google Analytics 4 sets first-party cookies for traffic analytics only — see §1.3 for what's collected and how IP anonymisation is configured.
9. Children
ABS AI is not directed at children under 13 and we don't knowingly collect information from them. If you believe a child has provided us with information, please contact us so we can delete it.
10. International users
The service operates from Australia and is intended for an Australian audience exploring Australian Census data. Personal information is processed in Australia (Sydney, Melbourne) and routed through Google Cloud's Vertex AI endpoints for AI inference. We do not specifically market to or target users outside Australia.
If you access the service from outside Australia, your personal information may be transferred to and processed in Australia, which may not provide the same level of data protection as your home jurisdiction. By using the service you consent to that processing. For information about how our processors handle cross-border data flows from your jurisdiction, see the linked privacy notices in §2.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by a prompt the next time you sign in. The version and effective date at the top of this page reflect the current version.
12. Contact
Privacy questions, data export requests, deletion requests, and takedown requests: connect with me on LinkedIn and send me a message.
This policy works in tandem with the Terms of Use. Together they form the complete agreement between you and ABS AI.