Last updated: 20 May 2026
Sabiya · sabiya.com.au
Privacy Policy
Sabiya ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard personal information in connection with our website and platform (the "Services").
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and we extend equivalent protections to users in New Zealand under the Privacy Act 2020 (NZ).
1. About This Policy
By accessing or using Sabiya, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.
This policy applies to personal information collected through our website (sabiya.com.au), the Sabiya platform, our AI chat widget (Connect), and all related services.
2. Information We Collect
a. Information you provide
- Name, email address, and account credentials
- Business name, ABN, billing address, and contact details
- Content, prompts, files, or documents submitted through the platform
- Payment information — processed by Stripe; we do not store card details
b. Information collected automatically
- IP address, browser type, and device information
- Usage data — pages viewed, features used, session duration
- Chat widget interactions on your website (visitor data you collect via Connect)
- Cookies and session tokens (see Section 9)
c. Visitor data (Connect users)
If you use Sabiya Connect on your website, visitor data — including conversation transcripts, contact details captured through chat, and behavioural signals — is collected on your behalf and stored in your Sabiya account. You are the data controller for this visitor data. We act as a data processor.
3. How We Use Your Information
- To provide, operate, and improve the Services
- To personalise your experience and generate AI-driven insights
- To manage subscriptions, billing, and plan entitlements
- To communicate about account matters, updates, and support
- To monitor platform performance, security, and usage trends
- To comply with legal obligations
We do not use your business data or your customers' data to train AI models. All AI processing runs through AWS Bedrock under the AWS Customer Agreement, which contractually prohibits the use of API inputs or outputs for model training.
4. Overseas Disclosure & AI Processing
Sabiya uses third-party AI providers to power the Advisor and Connect features. This requires disclosing personal information to overseas recipients. Under APP 8, we have taken reasonable steps — including signed Data Processing Agreements (DPAs) or equivalent contractual safeguards — to ensure these providers handle your information in a manner consistent with the APPs.
AWS Bedrock (AI processing)
Location: Sydney and Melbourne, Australia (via the AU geographic inference profile) · DPA: Covered under AWS Customer Agreement · Data use: Processing prompts and generating responses only. Inputs are not used to train models. Inference data does not leave Australia.
Supabase (database)
Location: Sydney, Australia (ap-southeast-2) · Your primary data store. All database records are hosted and remain in Australia.
Vercel (hosting & delivery)
Location: Global edge network, US-based entity · DPA: Signed · Data use: Request routing, serverless function execution, and delivery of the platform.
Resend (transactional email)
Location: United States · DPA: Signed · Data use: Sending booking confirmations, reminders, and account emails. Email content includes recipient name and booking details. No marketing email.
Stripe (payments)
Location: United States · DPA: Covered under Stripe's standard terms. Payment card data is handled exclusively by Stripe and never stored by Sabiya. Stripe does not process customer chat or booking data.
By using Sabiya, you acknowledge that your information — including business context and conversation content — may be transmitted to these overseas recipients for processing purposes only.
5. Connected Google Integrations
When you connect a Google account to Sabiya, we request only the OAuth scopes needed to provide the features you have enabled:
- Google Analytics (analytics.readonly) — read-only access to the GA4 property you select. We retrieve aggregate metrics (sessions, channels, top pages, traffic sources) to display in your Sabiya analytics dashboard and generate plain-English insights via the Advisor.
- Google Search Console (webmasters.readonly) — read-only access to the verified site you select. We retrieve search performance data (impressions, clicks, queries, pages) for the same dashboard and insights.
- Google Calendar (calendar.events) — create, update, and cancel events on the single calendar you select, when your customers book through Sabiya's booking widget. We never read or modify other calendars.
Limited Use
Sabiya's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide the user-facing features above. It is never sold, shared with third parties for advertising, or used to train AI or machine learning models.
Storage
Google API data is cached in your Sabiya workspace (Supabase, Sydney) for performance. Access tokens are encrypted at rest.
Revoking access
You can disconnect any Google integration at any time from the Integrations page in your Sabiya workspace, or revoke access directly at myaccount.google.com/permissions. Disconnection deletes cached Google API data within 30 days.
6. Healthcare-Aware Mode
Sabiya offers a Healthcare-Aware Mode for clinics and allied health businesses. When enabled, the AI assistant is configured not to provide medical, clinical, or treatment advice and will direct users to consult a qualified practitioner. This mode is designed to reduce liability for clinic operators and align with the Privacy Act 1988 and applicable state-based health records legislation.
Data handling under Healthcare-Aware Mode follows the same Australian-resident processing path described in Section 4. Patient data captured through Sabiya's chat widget (name, contact details, booking enquiries) is stored encrypted in our Sydney-hosted database and processed for AI inference within Australian AWS regions only.
Sabiya is not a clinical record system and is not intended for the storage of detailed clinical notes or medical history. Clinics should use a dedicated practice management system (such as Cliniko, Halaxy, or Nookal) for clinical record-keeping.
7. Data Storage & Security
Your primary data is stored in Supabase, hosted in Sydney, Australia (AWS ap-southeast-2). We apply industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security policies, and access controls.
No system is 100% secure. In the event of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
8. Sharing of Information
We do not sell your personal data.
We may share information with:
- Service providers listed in Section 4 (AI, hosting, payments)
- Legal authorities if required by Australian or New Zealand law
- A successor entity in the event of a business transfer or acquisition — you will be notified in advance
9. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies — authentication sessions (Supabase), CSRF protection. Required for the platform to function.
- Preference cookies — theme (light/dark mode) and UI settings stored locally.
- Product analytics — anonymised usage patterns on Sabiya itself, separate from Google Analytics data you connect under Section 5. No personally identifiable data is shared with third-party analytics providers.
You can control non-essential cookies through your browser settings. Disabling essential cookies will prevent you from logging in.
10. Your Rights
Under the Privacy Act 1988 (Cth) and Privacy Act 2020 (NZ), you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or outdated information
- Request deletion of your data (subject to legal retention obligations)
- Withdraw consent for optional processing
- Lodge a complaint with a supervisory authority
To exercise any of these rights, contact us at support@sabiya.com.au. We will respond within 30 days.
11. Data Retention
We retain personal information only as long as necessary to provide the Services and comply with legal obligations. When you close your account, your data is deleted within 90 days unless retention is required by law.
Visitor data collected through Connect on your website is retained for as long as your Sabiya subscription is active. You may request deletion at any time.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and posted on this page with an updated date. Continued use of the Services after changes constitutes acceptance.
13. Contact & Complaints
For privacy questions or to exercise your rights:
Email: support@sabiya.com.au
If you are not satisfied with our response, you may lodge a complaint with:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
Also see our Terms of Service. This policy was last updated 20 May 2026.