Nucleotto

Data Security, Privacy & Retention Policy

Last updated: December 8, 2025

Nucleotto Pty Ltd ("Nucleotto", "we", "us", "our") helps organisations design and implement workflow automations and AI agents that are safe, auditable and outcome-driven. This policy explains how we handle data across our website, discovery sessions, and delivery of automation/AI projects.

1. Scope

This policy covers:

  • Visitors to our website and landing pages.
  • Prospective clients who complete forms or book discovery workshops.
  • Clients who engage us for Discovery, Pilot, and Retainer work (including data shared for analysis, build and support).

It explains:

  • What data we collect and why
  • How we secure, retain and delete it
  • How we use AI and automation in a safe, controlled way
  • Your rights and how to contact us

2. What Data We Collect

2.1 Website & Marketing

When you visit our website, we may collect:

  • Usage data: pages visited, time on site, referrer, basic device and browser information (via analytics tools and server logs).
  • Cookies and similar technologies: to remember preferences and measure campaign performance.
  • Marketing interactions: email opens, clicks and form submissions.

We use this to understand interest in our services and improve the site experience.

2.2 Contact and Discovery Enquiries

When you contact us or book a discovery workshop, we may collect:

  • Name, role and organisation
  • Work email, phone and communication preferences
  • Any information you choose to share in free-text fields (e.g. current processes, systems, pain points, high-level metrics).

2.3 Client Project Data

For Discovery, Pilot and Retainer engagements, we may process:

  • Operational data samples (usually 10–100 rows) to understand structure, quality, and edge cases.
  • System and integration metadata: API documentation, event schemas, configuration details.
  • Workflow information: process maps, hand-offs, approvals, error patterns.
  • Business metrics: volumes, cycle times, error rates, and similar KPIs to calculate ROI.

Where this data includes personal information or other sensitive data, we treat it in line with our security and privacy controls (see below) and any contract we sign with you.

We design projects so that:

  • Sandbox/pilot phases use anonymised, synthetic or masked data wherever possible.
  • Access is limited to the minimum required to deliver agreed outcomes.

3. How We Use Your Data

We use data to:

Provide and Improve Services

  • Run discovery workshops and produce artefacts (e.g. opportunity backlog, pilot spec, ROI estimates).
  • Design, build and support automations, AI agents and lightweight apps.

Communicate With You

  • Respond to enquiries and schedule sessions.
  • Send proposals, statements of work, reports and invoices.

Operate Our Business

  • Maintain internal records, manage accounts and comply with legal obligations.
  • Analyse aggregate performance and ROI of pilots (using anonymised or aggregated metrics where possible).

We do not sell your personal information.

4. Legal Basis & Jurisdiction

Nucleotto operates from Australia and aims to handle personal information in line with:

  • The Australian Privacy Act 1988 and Australian Privacy Principles (APPs).
  • Other applicable privacy laws where our clients or their customers are located (e.g. UK/EU data protection laws), to the extent they apply.

Where required, we will enter into appropriate contractual terms (such as data processing agreements or standard contractual clauses) with clients to cover international transfers and processing responsibilities.

5. Data Security

Security, auditability and control are core to how we work, not an afterthought.

5.1 Access Control & Least Privilege

  • Access to client systems, environments and data is granted only to authorised team members and only to the minimum level required ("least privilege").
  • API keys, credentials and tokens are stored in secure vaults or secrets managers, rotated periodically and access-logged.
  • Client-specific environments are logically separated.

5.2 Encryption

  • Data is protected in transit using TLS/HTTPS.
  • Data at rest is stored using industry-standard encryption where supported by our infrastructure providers.

5.3 Infrastructure

Depending on client needs, we may use:

  • Cloud infrastructure providers for hosting workflows, APIs and supporting services.
  • Orchestration tools (e.g. workflow automation platforms) for integrating systems and implementing approvals and audit trails.

We select vendors that demonstrate strong security practices and compliance posture. Where a client mandates specific platforms (e.g. Azure-only, restricted regions), we design within those constraints.

5.4 Logging, Monitoring & Audit Trails

  • We design automations and AI workflows with full audit trails for key actions (who did what, when, and with what outcome).
  • We implement logging and metrics for success rates, error frequency and processing time, with alerts for anomalies where appropriate.

5.5 Kill-Switch & Rollback

Every production pilot we build is designed with:

  • A named kill-switch owner on the client side,
  • Documented rollback procedures, and
  • A clear path to pause or reverse changes if required.

5.6 Internal Governance

  • We maintain internal guidelines for handling client data, access approvals and incident response.
  • Any suspected security incident is investigated promptly, and we will notify affected clients without unreasonable delay.

6. Use of AI & Agentic Workflows

We design AI usage to be guardrail-first.

6.1 Human-in-the-Loop by Default

For material actions (e.g. communicating with customers, triggering payments, updating finance systems), we typically operate at L0–L2 autonomy:

  • AI observes and drafts; humans review and approve before execution.
  • Where "safe" actions can be automated (e.g. classifications, low-risk updates), we agree the thresholds with you in advance.

6.2 RAG & Explainability

For knowledge tasks (e.g. policy lookup, internal FAQ answers), we prefer retrieval-augmented generation (RAG) with citations:

  • Responses draw from approved source documents you provide.
  • Outputs are traceable to sources and can be audited and rolled back.

6.3 Training & Model Usage

Unless explicitly agreed in writing:

  • We do not use client data to train public models in a way that would expose your information to other customers of that provider.
  • We configure LLM providers and infrastructure to prevent cross-tenant data sharing where such options exist.

If a project requires fine-tuning or more persistent training, we will document this clearly in the pilot spec and contract.

7. Data Retention & Deletion

We aim to retain data only for as long as needed to:

  • Deliver our services
  • Meet legal, accounting or reporting obligations
  • Resolve disputes and enforce contracts

7.1 Website & Marketing

  • Analytics data: retained in line with our analytics provider's standard retention (typically 12–26 months), after which it is aggregated or deleted.
  • Contact form submissions & email correspondence: typically retained for up to 24 months from last interaction, unless required longer for contractual or legal reasons.

7.2 Discovery & Proposals

  • Pre-sales discovery notes, opportunity backlogs and pilot specs may be retained for up to 3 years to support follow-on work and maintain continuity of understanding.
  • Where sample data was provided for scoping only, we can delete or anonymise it on request or within a shorter window agreed with you (e.g. 90 days post-discovery).

7.3 Client Project Data (Build & Pilot)

Unless otherwise agreed in a Statement of Work or Data Processing Agreement:

  • Working datasets & logs in non-production environments: typically deleted or anonymised within 90 days of pilot completion.
  • Configuration, schemas and non-identifying metrics: may be retained for ongoing support, optimisation and auditability.
  • Production logs: retained in line with the agreed support, compliance and audit requirements (often 12–24 months).

7.4 Backups

Data stored in system backups may persist for longer than primary copies, but will be securely destroyed as backups roll over in the normal course of business.

7.5 Your Rights to Deletion

Subject to any legal or contractual retention obligations, you may request deletion or anonymisation of your data. See Section 10 – Your Rights.

8. Data Sharing & Third Parties

We may share data with:

  • Service providers and subprocessors that support our operations (e.g. cloud hosting, workflow orchestration, error tracking, analytics, email and CRM tools, LLM providers).
  • Professional advisers (lawyers, accountants, auditors) where reasonably necessary.
  • Regulators or law enforcement where legally required.

Where we use third-party processors:

  • We limit data sharing to what is necessary for the service.
  • We seek contractual commitments on confidentiality, security and (where relevant) data protection.
  • For cross-border transfers, we will work with you to ensure appropriate safeguards are in place.

We do not permit third-party subprocessors to use your data for their own marketing.

9. Cookies & Tracking

Our website may use:

  • Strictly necessary cookies for core site functionality.
  • Performance/analytics cookies to understand how visitors use the site and to improve content.
  • Marketing cookies in connection with campaigns.

Where required by law, we will:

  • Present a cookie banner or settings panel, and
  • Allow you to opt out of non-essential cookies.

You can also control cookies via your browser settings.

10. Your Rights

Depending on where you are located and the laws that apply, you may have rights to:

  • Access the personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Request deletion, restriction or anonymisation of your information
  • Object to certain types of processing (e.g. direct marketing)
  • Withdraw consent, where processing is based on consent
  • Lodge a complaint with your local data protection regulator

We will respond to all valid requests within a reasonable timeframe and in accordance with applicable law. For security, we may need to verify your identity before acting on a request.

11. Client Responsibilities

When you provide us with data, especially data that includes information about your customers, staff or other individuals, you are responsible for:

  • Ensuring you have a lawful basis to collect and share that data with us.
  • Ensuring any necessary notices and consents are in place.
  • Providing data that is accurate, relevant and minimised to what is needed for the agreed scope.

We will rely on you, as controller or equivalent, to satisfy these obligations; Nucleotto typically acts as a processor or service provider in relation to client data.

12. Changes to This Policy

We may update this policy from time to time to reflect:

  • Changes in law or regulatory guidance
  • Changes to our services, infrastructure or subprocessors
  • Improvements to clarity or transparency

If changes are material, we will notify clients via email or a notice on our website.

The "Last updated" date at the top of this page indicates when the latest version took effect.

13. Contact Us

If you have questions about this policy or how we handle data, or if you want to exercise your privacy rights, please contact:

Nucleotto Pty Ltd

Newcastle / Sydney, Australia

Email: hello@nucleotto.com
