Privacy Policy

Last updated: 1 December 2025

Pocket Mentor AI Pty Ltd (ACN 688 328 163) (Pocket Mentor, we, us or our) is committed to protecting your personal information.

This Privacy Policy explains how we manage personal information and how to contact us if you have any further queries about how we do this. This Policy does not apply to how we handle personal information about our employees.

Background

We provide a platform (Platform) for our clients (Clients) via the Pocket Mentor mobile application (App) or our website. A Client is a person who signs up to or joins our Platform through a registration process via the App or via our website. The Platform gives our Clients empowering values-based guidance that fosters personal growth, emotional clarity, and self-leadership (Services).

In undertaking our functions and activities we may handle personal information about Clients and other individuals (together, you). We comply with the thirteen Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (the Act) except where the Act does not require this. The APPs regulate how to handle personal information throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.

Personal information is information or an opinion, in any form and whether true or not, about an identified individual or an individual who is reasonably identifiable. Special rules apply for collecting personal information which is sensitive information. This includes health information and information about a person's race, ethnic origin, political opinions, membership of political, professional or trade associations, religious or philosophical beliefs, sexual orientation or practices and criminal history.

The kind of personal information we collect and hold

If you are not a Client, the personal information we collect and hold will depend on why we are dealing with you.

If you are a Client, we will generally collect one or more of the following items of personal information:

  • Personal Identifiers: your name and contact details including postal and email address and telephone number.
  • Coaching Inputs: information you share with the Platform (e.g., journal entries, reflections, goals).
  • Survey or Feedback Data: if you voluntarily participate in surveys or provide feedback.
  • Your position.

If you access our website, we will collect usage data that may or may not constitute personal information. That data includes device type, browser, IP address, pages visited, and actions taken on the site.

How we collect and hold personal information

To the extent required by the Act:

  • we will not collect personal information about you unless that information is reasonably necessary for one or more of our functions or activities; and
  • we will collect personal information only by lawful and fair means.

When we collect personal information directly from you, we will take reasonable steps at or before the time of collection to ensure that you are aware of certain key matters, such as the purposes for which we are collecting the information, the organisations (or types of organisations) to which we would normally disclose information of that kind, the fact that you are able to access the information and how to contact us.

The purposes for which we handle personal information

General

In general, if we use or disclose your personal information for a purpose (the "secondary purpose") other than the main reason for which it was originally collected (the "primary purpose"), to the extent required by the Act, we will ensure that:

  • the secondary purpose is related to the primary purpose of collection (and directly related in the case of sensitive information), and you would reasonably expect that we would use or disclose your information in that way;
  • you have consented to the use or disclosure of your personal information for the secondary purpose;
  • the use or disclosure is required or authorised by or under law; or
  • the use or disclosure is otherwise permitted by the Act (for example, as a necessary part of an investigation of suspected unlawful activity or if it is unreasonable or impracticable to obtain your consent and the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety).

The purpose for which we use your personal information depends on why we have collected your personal information.

If you are a Client, we will use your personal information to give you access to the Platform and provide the Services. This includes:

  • providing and personalising coaching insights and Platform interactions;
  • improving our Services based on user engagement and feedback;
  • communicating with you regarding updates, new features, or support; and
  • maintaining the security and integrity of our systems.

Use of Generative AI and other automated decision-making

Generative AI

We use generative artificial intelligence technology (AI) to deliver certain aspects of our Services, including facilitating Platform interactions. The AI functionality that we use is provided by our service providers, including OpenAI, L.L.C. (OpenAI), which provides us with OpenAI's ChatGPT Enterprise service for businesses (ChatGPT Enterprise).

When you interact with our Platform, including through written messages, voice conversations or video conversations, the applicable data (Input) will be handled by OpenAI and its contractors to generate responses and insights tailored to your needs (Output). Under our agreement with OpenAI as of 1 December 2025, OpenAI states that it will only use Input and Output as necessary to provide us (and you as our end user) with its services that we in turn use to provide you with the Services, comply with applicable law, enforce OpenAI policies, and prevent abuse.

OpenAI has indicated that it handles your personal information for the purpose of providing and supporting the services that it provides to us (which in turn enables us to provide the Services), in a manner that provides no less than the level of privacy protection required of it under applicable data privacy and data protection laws.

However, ChatGPT Enterprise's data handling practices are subject to change from time to time. While we will monitor these changes, please note that we may be required to accept updated terms in order to continue providing the Services to you. In this event, we will update our privacy policy.

WARNING:

Given the potential sensitivity of the Input that you will generate in the use of the Platform, we strongly recommend that you avoid including information in the Input from which you (or any other person) will be reasonably identifiable. This includes:

  • Full names of yourself or others;
  • Dates of birth;
  • Specific addresses or location details from which you or a third person are reasonably identifiable;
  • Workplace names or identifiable business information;
  • Health information about you or a third person in a form that enables that information to be linked with you or the third person, as applicable; and
  • Any other information from which you or another person will be reasonably identifiable.

This does not mean that you can't speak about your health or other issues, or those of another person. Rather, we're cautioning you to refrain from linking those issues to your name or the name of the other person. Please describe your emotions or feelings in general terms.

Automated decision-making

This section of the policy applies if:

  • we have arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision; and
  • the decision could reasonably be expected to significantly affect the rights or interests of an individual; and
  • personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.

If the above applies, we will update this policy to include information about:

  • the kinds of personal information used in the operation of such computer programs; and
  • the kinds of such decisions made solely by the operation of such computer programs; and
  • the kinds of such decisions for which a thing, that is substantially and directly related to making the decision, is done by the operation of such computer programs.

Other service providers

We may disclose your personal information to other service providers over and above OpenAI (for example, MailChimp) to facilitate our provision of the Services or otherwise in connection with our functions and activities.

MailChimp's privacy policy (available at https://www.intuit.com/privacy/statement/) explains more about how it handles personal information that it obtains in the course of providing services to us.

Data quality and security

To the extent required by the Act, we will take reasonable steps to:

  • make sure that the personal information that we collect, use and disclose is accurate, complete, and up to date;
  • protect the personal information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure;
  • destroy or permanently de-identify personal information that is no longer needed for any purpose that is permitted by the Act.

The reasonable steps we take for the purposes of ensuring the security of personal information include both technical and organisational measures.

The steps we (by the use of our service providers) take to fulfil the above obligations include the following technical and organisational measures.

Data Storage

  • We engage Amazon Web Services (AWS) to hold all application data collected via our Pocket Mentor App (including personal information about you); that data is securely hosted within the AWS Sydney region. AWS has advised us that it is ISO 27001 compliant and meets the United States' National Institute of Standards and Technology (NIST) standards for information security.
  • Our primary database is an AWS relational database service (RDS) running MySQL. Amazon has advised us that this RDS is deployed within a private Virtual Private Cloud (VPC) and accessible only via whitelisted IP addresses.
  • AWS has advised us that files are stored in Amazon S3, with access permissions managed through AWS Identity and Access Management (IAM) roles.
  • AWS has advised us that AWS CloudWatch is utilised for performance and security monitoring while AWS Secrets Manager securely stores sensitive credentials and encryption keys.

Security Measures

  • Sensitive information such as usernames and passwords is encrypted using RSA and transmitted securely over HTTPS (TLS) to protect data in transit.
  • Passwords are hashed using a secure, industry-standard algorithm before storage.
  • Access to user data is controlled through Role-Based Access Control (RBAC), ensuring only authorised system components and administrators can access specific data.
  • Verification and authentication processes include rate limiting, device level checks, and signed request mechanisms with expiry to prevent unauthorised or abnormal access attempts.

Data Anonymisation/de-identification

  • To enhance your privacy, we use pseudo-anonymisation methods.
  • Each user is assigned a unique random identifier (UUID) when first using the app.
  • Any history we build for you is tied to the UUID rather than your real identity.

Backup and Retention

  • We perform automated database backups every 7 days.
  • Data retention policies are governed by business and compliance requirements and may be adjusted from time to time.
  • Backup data is stored securely within AWS and protected using the same encryption and access controls applied to live systems.

Security and Monitoring

  • Our systems incorporate continuous monitoring and event tracking to detect anomalies or potential security threats.
  • AWS has advised us that AWS CloudWatch provides real-time logging and alerting, while access patterns and authentication attempts are monitored for abnormal behaviour.
  • These measures, in combination with encryption, access control and data isolation, provide a secure and resilient environment aligned with industry best practices for cloud hosted applications.

Transfer of personal information overseas

We do not presently transfer your personal information to overseas recipients (although our service provider MailChimp may do so). If we transfer personal information to overseas recipients, we will update this policy to include the information required by APP 1. Additionally, we will take reasonable steps to ensure that any overseas recipient does not breach the APPs in relation to the disclosed personal information.

The obligation for us to take reasonable steps will not apply if:

  • we reasonably believe that the recipient of the information is subject to legal obligations that have the effect of protecting the information in a way that, overall, is at least substantially similar to protection under the APPs and there are mechanisms that you can access to enforce that protection;
  • you give us consent to disclose your personal information to an overseas recipient, expressly or by implication, after you are expressly informed by us that if you consent we will not be required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information; or
  • we are legally authorised to do so.

Access and correction of your personal information

Please contact us at [email protected] if you would like to access or correct the personal information that we hold about you. We will generally provide you with access to your personal information if practicable (although a fee may be imposed) and will take reasonable steps to amend any personal information that is incorrect. In some circumstances, we may not permit access to your personal information, or may refuse to correct your personal information, in which case we will provide you with reasons for this decision.

Questions or complaints

Please contact our Privacy Officer if you have any questions or complaints about the personal information that we hold about you or the way we handle that personal information. We will acknowledge your question or complaint as soon as possible and will seek to address any question or complaint within 14 days after that.

Notifiable data breaches

If there is a loss, or unauthorised access or disclosure of your personal information that is likely to result in serious harm to you, we will investigate and notify you and the Australian Information Commissioner as soon as practicable, in accordance with the Act.

Changes

We may change this Privacy Policy from time to time. You can find our up-to-date Privacy Policy posted on our website from time to time.

Website

When you use our website, we can identify your web browser but we do not identify you. We may use web browser data for website optimisation purposes.

We use "cookies" on our website. A cookie is a text file placed on your computer, to either improve the functionality of the website or help us analyse how users use our website. We do not link back to your identity from the information generated by the cookie about your use of the website (including your device's IP-address). If you do not wish us to use cookies, you can configure the browser settings of your computer or your devices for that purpose.

Contact us

If you have any queries about our Privacy Policy, or about the way we manage your personal information, you can: