1. Introduction and scope
This Privacy Policy explains how IdonAI (“IdonAI,” “we,” “us,” or “our”) collects, uses, discloses, stores, and otherwise processes personal information when you interact with our products and services. It is effective as of July 9, 2026 and was last updated on July 9, 2026.
This Policy applies to personal information processed in connection with:
- Our website at https://idonai.com and related marketing or informational pages
- Quark, our AI assistant product available at quark.idonai.com
- Origin and NextGen models as made available through Quark or other IdonAI interfaces
- Developer documentation, playgrounds, and related technical resources
- API access and API keys, including features that are under development or offered in preview
- Communications with us (including support, sales, security, and privacy inquiries)
- Events, newsletters, waitlists, and other marketing activities we operate
By using the Services, you acknowledge that you have read this Policy. Where consent is required by law for a particular processing activity, we will seek it in the manner described in this Policy or at the point of collection.
2. Controller / who we are
IdonAI is the organisation responsible for determining the purposes and means of processing personal information described in this Policy (the “controller” under GDPR-style frameworks, and the APP entity under the Australian Privacy Principles where applicable).
| Item | Details |
|---|---|
| Organisation | IdonAI |
| Website | https://idonai.com |
| Privacy contact | privacy@idonai.com |
| Legal contact | legal@idonai.com |
| Security contact | security@idonai.com |
| Support contact | support@idonai.com |
| Governing law reference | the laws of New South Wales, Australia |
For privacy requests, complaints, or questions about this Policy, contact us at privacy@idonai.com. For product support that is not primarily a privacy matter, use support@idonai.com.
If you use Quark or related Services on behalf of an organisation (for example, under an enterprise arrangement), that organisation may be an independent controller for certain account or workspace data. In those cases, we process personal information as described in this Policy and any applicable customer agreement.
3. Information we collect
We collect personal information that you provide directly, information generated through your use of the Services, and information from limited third-party sources. The categories below describe the types of information we may process, depending on how you interact with us.
Account and identity information. When you create or manage an account, we may collect:
- Name, display name, or username
- Email address and authentication credentials (or tokens from a supported sign-in provider)
- Organisation or workspace name, role, and related profile fields you choose to provide
- Account preferences, settings, and communication choices
Contact and correspondence information. When you fill out forms, join a waitlist, request enterprise information, report a security issue, or otherwise contact us, we may collect:
- Name, email address, company, and job title
- Message content, attachments you choose to send, and related metadata
- Records of our responses and follow-up communications
Usage and product analytics. We collect information about how you interact with the Services, such as:
- Feature usage, navigation paths, session duration, and approximate engagement metrics
- Model selection or routing signals within Quark (for example, Origin vs NextGen where applicable)
- Error events, performance metrics, and diagnostic telemetry needed to operate and improve reliability
- Referral URLs and campaign parameters associated with visits to our marketing site
Device, network, and log information. When you access the Services, our systems automatically process technical data such as:
- IP address, approximate location derived from IP (city/region level where available), and network type
- Browser type and version, operating system, device type, and language settings
- Timestamps, request paths, status codes, and security-related log events
- Identifiers associated with sessions, cookies, or similar technologies
Cookies and similar technologies. We use cookies, local storage, and similar technologies as described in our Cookie Policy at /legal/cookies. That policy explains categories of cookies, purposes, and how you can manage preferences where controls are available.
Payment and billing information. If you purchase paid plans or enterprise services, we (or our payment processors) may process:
- Billing name, billing email, and business address
- Subscription plan, invoice history, and payment status
- Limited payment method metadata returned by the processor (for example, card brand and last four digits)
AI inputs, outputs, and related content. When you use Quark or other AI features, we process content you submit and content the Services generate, which may include:
- Prompts, messages, files, code snippets, and other inputs you provide
- Model outputs, completions, and intermediate system messages needed to deliver the response
- Feedback you provide (for example, ratings, reports, or free-text comments about a response)
- Safety, abuse, and integrity signals associated with inputs or outputs
API credentials and developer metadata (when available). API keys and related developer tooling are under development. When offered, we may process key identifiers, creation/revocation events, usage quotas, request metadata, and associated account ownership information. Treat API keys as secrets.
4. Sources of information
We obtain personal information from the following sources:
- Directly from you — when you create an account, use Quark, submit forms, upload content, or communicate with us
- Automatically — through cookies, logs, analytics, and product telemetry when you visit or use the Services
- Your organisation — if an administrator invites you, provisions access, or manages a workspace on your behalf
- Service providers — such as authentication, hosting, analytics, email delivery, and payment processors that provide us with operational data
- Publicly available sources — where relevant to security investigations, fraud prevention, or business contact enrichment consistent with applicable law
- Referrals and integrations — if you connect a third-party service or arrive via a partner campaign that shares limited attribution data
If you provide personal information about another person (for example, inviting a teammate), you represent that you have authority to do so and have provided any notices required by law.
5. How we use information
We use personal information for the purposes below. Where GDPR-style legal bases apply, we rely on the bases indicated. Multiple bases may apply to the same activity depending on context and jurisdiction.
| Purpose | Examples | Primary legal bases |
|---|---|---|
| Provide the Services | Account creation, authentication, Quark conversations, model inference, support | Contract; legitimate interests |
| Operate and secure systems | Monitoring, abuse prevention, fraud detection, incident response, debugging | Legitimate interests; legal obligation; contract |
| Improve products | Reliability, UX, model routing quality, documentation clarity (subject to Section 6) | Legitimate interests; consent where required |
| Communicate with you | Transactional emails, security notices, product updates you request | Contract; legitimate interests; consent for marketing |
| Billing and administration | Invoices, plan management, tax records, enterprise contracting | Contract; legal obligation; legitimate interests |
| Comply with law | Responding to lawful requests, retaining required records, enforcing terms | Legal obligation; legitimate interests |
| Marketing (where permitted) | Newsletters, event invitations, product announcements | Consent; legitimate interests (with opt-out) |
More specifically, we process personal information to:
- Deliver, maintain, personalise, and improve Quark, Origin, NextGen, documentation, and related features
- Authenticate users, manage sessions, and enforce access controls
- Detect, investigate, and prevent spam, abuse, security incidents, and violations of our Terms of Service
- Provide customer support and respond to privacy, legal, and security requests
- Analyse aggregated or de-identified trends to understand product performance (where feasible and lawful)
- Send service-related notices (for example, outages, policy updates, or credential security alerts)
- Conduct marketing with appropriate consent or soft opt-in where permitted, and honour unsubscribe requests
- Establish, exercise, or defend legal claims and meet accounting, tax, and regulatory obligations
Legitimate interests. Where we rely on legitimate interests, those interests include operating a secure AI platform, improving service quality and reliability, communicating about products you use, preventing misuse, and growing our business in ways that do not override your rights and freedoms. You may object to processing based on legitimate interests as described in Section 11.
Consent. Where we rely on consent (for example, certain cookies or marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
6. AI-specific processing
IdonAI provides AI systems, including Quark (our assistant at quark.idonai.com) and models such as Origin and NextGen. This section explains how we handle AI-related content.
Prompts and outputs. To generate responses, we must process your inputs (prompts, messages, files, and related context) and produce outputs. This processing is necessary to provide the Service you request.
Customer API content and training (default). When API access becomes available, we do not use customer API request content (prompts and outputs submitted via authenticated API) to train our foundation models by default. Any change to that default for a particular product tier or feature would be disclosed in product documentation, an order form, or updated terms, and would be subject to applicable law and any required consent or contractual agreement.
Quark and consumer/product surfaces. Content submitted through Quark may be processed to provide the assistant experience, enforce safety policies, prevent abuse, debug failures, and improve product quality and reliability. Where we use Quark content to improve models or product features beyond immediate delivery of your request, we do so under fair-use and product-improvement practices consistent with our Terms, applicable law, and any in-product notices. You should not treat Quark as a confidential enterprise vault unless you have a written agreement stating otherwise.
- Safety and abuse: We may review or automatically analyse inputs/outputs that appear to involve malware, exploitation, child sexual abuse material, violent crime facilitation, or other prohibited uses
- Quality and reliability: We may use limited samples, aggregated metrics, or de-identified signals to fix bugs, reduce hallucinations in product behaviour, and improve routing between Origin and NextGen
- Human review: In limited cases (for example, abuse reports or safety escalations), authorised personnel may review content under access controls
- Retention of AI content: Conversation and log retention periods vary by product surface and are described generally in Section 9
Sensitive data. Our Services are not designed for unrestricted processing of special-category or highly regulated data (such as health records, government identifiers, or children’s data) unless expressly agreed in writing. If you choose to submit such data, you do so at your own risk and must ensure you have a lawful basis.
8. International transfers
IdonAI operates with a primary legal orientation under the laws of New South Wales, Australia. Personal information may be processed in Australia and in other countries where we or our service providers maintain facilities.
When we transfer personal information internationally, we take steps designed to ensure an appropriate level of protection, which may include:
- Contractual protections such as standard contractual clauses or equivalent transfer mechanisms where required
- Vendor due diligence and data processing agreements
- Technical and organisational measures (encryption in transit, access controls, least-privilege practices)
- Transfer only of data necessary for the stated purpose
By using the Services, you understand that your information may be transferred to and processed in jurisdictions that may have different data protection laws than your home country. Where local law requires additional consent or notices for cross-border transfers, we will address those requirements as applicable.
9. Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
Retention considerations include:
- The length of your account relationship and active use of Quark or related Services
- Whether information is needed to provide ongoing features (for example, conversation history you choose to keep)
- Legal, tax, accounting, and dispute-resolution requirements
- Security, fraud-prevention, and abuse-investigation needs
- Backup and disaster-recovery cycles that may retain residual copies for a limited period after deletion
| Data category (illustrative) | Typical retention approach |
|---|---|
| Account profile and authentication | For the life of the account, then deleted or anonymised within a reasonable period after closure unless legally required longer |
| Quark conversation content | Retained to provide product functionality and for limited safety/operations needs; users may delete conversations where the product allows |
| Server and security logs | Retained for operational security and troubleshooting for a rolling period appropriate to risk, then deleted or aggregated |
| Billing and invoice records | Retained as required for tax and financial recordkeeping |
| Marketing preferences | Until you unsubscribe or your consent is withdrawn, plus a short suppression record to honour opt-outs |
| API key metadata (when available) | While keys are active and for a limited period after revocation for security auditing |
When personal information is no longer needed, we delete it, anonymise it, or isolate it from further active use, subject to technical limitations of backup systems.
10. Security overview
We implement technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration, and disclosure. Measures may include encryption in transit, access controls, logging and monitoring, vulnerability management, and employee confidentiality obligations.
No method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for configuring your systems appropriately.
For a fuller description of our security practices, see our Security page at /legal/security. To report a suspected vulnerability or security incident, contact security@idonai.com.
11. Your rights
Depending on your location and applicable law (including the Australian Privacy Principles, GDPR/UK GDPR where applicable, and similar frameworks), you may have rights regarding your personal information. These may include:
- Access — request confirmation of whether we process your personal information and obtain a copy
- Rectification — request correction of inaccurate or incomplete personal information
- Erasure — request deletion of personal information in certain circumstances
- Restriction — request that we limit processing in certain circumstances
- Portability — receive certain personal information in a structured, commonly used, machine-readable format, and request transmission to another controller where technically feasible
- Objection — object to processing based on legitimate interests, and to direct marketing
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Complaint — lodge a complaint with a supervisory authority
To exercise these rights, email privacy@idonai.com with sufficient detail for us to verify your identity and locate the relevant information. We may ask for additional information to confirm your identity before fulfilling a request. We will respond within the timeframes required by applicable law.
We may decline or limit a request where an exemption applies (for example, where disclosure would adversely affect the rights of others, where we must retain information for legal compliance, or where the request is manifestly unfounded or excessive).
Complaints in Australia. If you are in Australia and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. In the EEA/UK, you may contact your local data protection supervisory authority. We encourage you to contact us first so we can try to resolve your concern.
- Email privacy@idonai.com describing your request or complaint
- Provide the email associated with your account (if any) and enough context for us to investigate
- Allow us a reasonable period to respond before escalating to a regulator, where practical
12. California / CCPA-style notice
This section provides additional information for California residents under the California Consumer Privacy Act (CCPA) as amended by the CPRA, and similar U.S. state privacy laws where applicable. Terms such as “sell,” “share,” and “personal information” have the meanings given in those laws.
Categories of personal information we may collect (depending on your interactions):
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address, account IDs | Yes |
| Customer records information | Billing contact details, support correspondence | Yes, when you provide them |
| Commercial information | Plan tier, purchase history, usage of paid features | Yes, for paid or trial customers |
| Internet / electronic activity | Browsing on our site, Quark usage events, logs | Yes |
| Geolocation (coarse) | Approximate location from IP | Yes |
| Audio/visual (if you upload) | Files or media you choose to submit to Quark | Yes, if you submit them |
| Inferences | Limited product preference or routing signals | Possibly, for service operation |
| Sensitive personal information | Account credentials; content you choose to submit that may be sensitive | Limited; not sought for profiling |
Business / commercial purposes. We use these categories for the purposes described in Sections 5 and 6, including providing Services, security, debugging, analytics, and communications.
Sale and sharing. Based on our current practices, we do not sell personal information and do not share personal information for cross-context behavioural advertising. We do not knowingly sell or share the personal information of consumers under 16 years of age.
Your California privacy rights may include:
- Right to know / access categories and specific pieces of personal information collected
- Right to delete personal information, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing (if we ever engage in such activity, we will provide a clear mechanism)
- Right to limit use of sensitive personal information where required by law
- Right to non-discrimination for exercising privacy rights
To submit a request, email privacy@idonai.com with the subject line “California Privacy Request.” We will verify your identity using information reasonably related to your prior interactions with us. You may use an authorised agent as permitted by law; we may require proof of authorisation.
13. Children
The Services are not directed to children, and we do not knowingly collect personal information from children under 16 years of age (or under 13 where that is the applicable age threshold under U.S. COPPA-style rules).
If you believe a child has provided personal information to us, contact privacy@idonai.com. We will take reasonable steps to delete the information and terminate the associated account where required.
If local law requires a higher age of digital consent for certain processing, we will not knowingly process personal information of individuals below that age for those purposes without appropriate authorisation.
14. Automated decision-making
We use automated systems as part of operating AI products — for example, generating model outputs, routing requests between Origin and NextGen, detecting abuse, and enforcing rate limits. These systems are integral to providing the Services you request.
We do not use solely automated decision-making that produces legal or similarly significant effects about you (within the meaning of GDPR Article 22-style rules) without human involvement, except where necessary to enter into or perform a contract, authorised by law, or based on your explicit consent — and with applicable safeguards.
Safety classifiers and abuse-detection systems may automatically restrict or suspend access when they detect prohibited activity. You may contact us to request review of an automated enforcement action that affects your account.
For questions about automated processing that significantly affects you, contact privacy@idonai.com.
15. Third-party links
The Services may contain links to third-party websites, documentation, open-source projects, social platforms, or tools that we do not operate. This Policy does not cover those third parties. We encourage you to review their privacy policies before providing personal information.
If you integrate third-party services with Quark or future API offerings, those services may receive information according to your configuration and their own terms. IdonAI is not responsible for third-party privacy practices.
16. Changes to this Policy
We may update this Privacy Policy from time to time. The “last updated” date at the top of this page (currently July 9, 2026) reflects the latest revision. Material changes will be posted on this page and, where required by law or appropriate given the significance of the change, notified by email or in-product notice.
Your continued use of the Services after an updated Policy becomes effective constitutes acknowledgment of the updated Policy, except where additional consent is required by law for a specific change.
17. Contact
For privacy questions, requests, or complaints, contact:
| Topic | Contact |
|---|---|
| Privacy | privacy@idonai.com |
| Legal | legal@idonai.com |
| Security / vulnerability reports | security@idonai.com |
| Product support | support@idonai.com |
IdonAI — https://idonai.com. Please include enough detail for us to identify your account or request and to respond effectively.
18. Definitions
For purposes of this Policy:
- “Personal information” (or “personal data”) means information that identifies, relates to, describes, or could reasonably be linked with an identifiable individual, as defined under applicable law.
- “Process” / “processing” means any operation performed on personal information, including collection, storage, use, disclosure, and deletion.
- “Services” means IdonAI’s websites, Quark, models (including Origin and NextGen), documentation, APIs (including those under development), and related offerings we make available.
- “Quark” means the IdonAI assistant product available at quark.idonai.com and any successor interfaces we designate.
- “API” means programmatic interfaces and credentials IdonAI may offer for model or product access; API keys are under development and may be offered in preview before general availability.
- “Controller” means the entity that determines the purposes and means of processing personal information.
- “Processor” / “service provider” means an entity that processes personal information on behalf of a controller pursuant to instructions.
- “De-identified” or “anonymised” information means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, subject to applicable legal standards.