My Plan BFF Join the waitlist

Privacy Policy

Last updated: 16 June 2026

This policy explains how Always Building AI Pty Ltd ("we", "us", "our") collects, uses, stores, and shares personal information when you use the My Plan BFF service ("the service"). It is written to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).


About us

Always Building AI Pty Ltd \ ABN: 32 697 570 344 \ 20 Stratton Terrace, Wynnum, Queensland 4178, Australia \ hello@alwaysbuilding.ai

We operate My Plan BFF, a digital assistant that helps families self-managing NDIS plans handle appointments, invoices, documents, and provider correspondence.


What this policy covers

This policy applies to all personal information we collect through:


Information we collect

Information you give us directly

Information we collect automatically

Information we collect via integrations

When you connect your Google account, we receive:

We use these tokens only to perform the actions you ask the service to perform. We do not browse, index, or scrape your data outside of those actions.

Sensitive information

Some of the information above is sensitive information under the Privacy Act, including:

We collect this information only because it is necessary to deliver the service you have asked us to provide, and we treat it as sensitive throughout its lifecycle. By signing up and forwarding this information to the service, you are giving us your consent under APP 3 to collect and use it for the purposes described in this policy.


How we use your information

We use your information only to:

  1. Deliver the service — read invoices, log them to your Google Sheet, file PDFs to your Google Drive, capture appointments to your Google Calendar, send emails and SMS on your behalf, and respond to your messages.
  2. Operate the AI assistant — pass relevant context to the AI models we use so they can answer your questions and execute the tools you request.
  3. Maintain memory — store summaries of past conversations so the assistant remembers your preferences, your providers, and important context across sessions.
  4. Generate scheduled outputs — produce a daily briefing at the time you choose, and run an overnight memory-consolidation job.
  5. Support and debugging — investigate errors, respond to your support requests, and audit unusual activity.
  6. Billing and cost control — calculate AI and SMS costs incurred per family, and enforce a daily soft cap to prevent runaway spend.
  7. Comply with our legal obligations — including the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner (OAIC).

We do not:


Who we share your information with

We use third-party service providers to deliver the service. Each provider receives only the information necessary for their role. Where a provider is outside Australia, we have considered the requirements of APP 8 (cross-border disclosure) and rely on contractual commitments and our own technical safeguards.

Infrastructure

Provider Location What they handle
Railway United States Hosts our application servers and PostgreSQL database
Cloudflare Global DNS for our domain; offsite storage of encrypted database backups via Cloudflare R2

AI services

We use AI providers to understand your requests and to read the things you ask the assistant to act on. The content sent includes your messages to the assistant, relevant context (family details, participants, recent conversation history, memories), and — where relevant to a request — the contents of emails and attachments in your connected Gmail and documents you send or store. None of these providers use this data to train their models (see "Limited Use" below).

Provider Location What they receive
Anthropic (Claude API) United States The assistant's reasoning calls and the content described above. Anthropic does not train its models on API inputs by default; standard retention is up to 30 days for abuse monitoring.
Google (Gemini via Vertex AI) United States For some families, the same reasoning calls and content — including email bodies, attachments, and documents — are processed by Google's Gemini models on Vertex AI instead of Anthropic. Google does not use Vertex AI inputs to train its models.
OpenAI (Whisper) United States Voice notes you send via Telegram, for transcription. Audio is sent, the transcript is returned, and we do not retain the audio. OpenAI does not train on API inputs by default.
AssemblyAI United States When you record an appointment, the audio is sent to AssemblyAI to produce a transcript. We have executed a Business Associate Addendum with AssemblyAI and activated their model-training opt-out (confirmed 9 June 2026); AssemblyAI does not use your recordings to train its models.
Voyage AI United States Short snippets of text used to compute semantic embeddings for memory and document search. We have enabled Voyage's opt-out-of-training setting, which gives zero-day retention.

Messaging

Provider Location What they handle
Telegram Multiple jurisdictions Routes messages between you and our bot. Telegram retains messages per their own policy.
Twilio United States (HQ) Sends and receives SMS using a dedicated Australian mobile number we provision for each family. Twilio retains message bodies per their own retention settings.

Google Workspace (your own account)

When you connect a Google account, your Google Calendar, Google Drive, Google Sheets, and Gmail data remain on your Google account. We act only on your behalf via OAuth. Google is the data controller for the data stored on your account.

Files we save to your Google Drive (such as invoices, reports, and other documents) are private — they are not shared with anyone and have no public links. When you open a file from your My Plan BFF dashboard, our service fetches it securely from your Google Drive on your behalf and shows it to you — you never need to sign in to the connected Google account yourself. If you ask the assistant for a document in chat, it sends you the file directly. A file is only ever shared with another person when you explicitly ask the assistant to share it or email it to them.

Error monitoring

Provider Location What they receive
Sentry United States Stack traces and contextual metadata when an error occurs in our application. Error events may contain small fragments of user-provided text. Retained for 90 days by default.

We will only disclose your personal information to other parties if we are required to by law, by a regulator with jurisdiction, or in the context of a sale, merger, or insolvency of Always Building AI Pty Ltd (in which case the successor entity will be bound by an equivalent privacy commitment).


Limited Use of Google user data

My Plan BFF's use and transfer of information received from Google APIs (Gmail, Google Drive, Google Calendar, and Google Sheets) adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:


How we store and protect your information

No system is perfectly secure. If we become aware of unauthorised access to your personal information that is likely to result in serious harm, we will notify you and the OAIC in accordance with the Notifiable Data Breaches scheme.


How long we keep your information


Your rights under the Privacy Act

You have the right to:

To exercise any of these rights, email hello@alwaysbuilding.ai or write to the postal address at the top of this policy.


Children and participants who are minors

Some NDIS participants whose plans are managed through the service are children. We do not collect information directly from minors; the parent or guardian holding the account is responsible for the information they provide and consent to its processing on the child's behalf.

If you become aware that we hold information about a minor and you believe we should not, email us and we will work with you to address it.


Cookies and tracking

The web dashboard sets a single signed session cookie (httpOnly, Secure in production, SameSite=Lax) to keep you signed in. We do not use third-party advertising cookies, behavioural tracking, or analytics that profile you across sites. We use first-party server logs for application performance and security only.


Direct marketing

We do not use your personal information for direct marketing.


Cross-border data transfers (APP 8)

Most of the providers we use are based outside Australia, principally in the United States. By using the service, you consent to your personal information being transferred to and processed in those jurisdictions for the purposes described in this policy. We have considered the protections in place in each provider's jurisdiction and contractually require all providers to maintain confidentiality and appropriate security. Where a provider does not operate under privacy laws substantially similar to the APPs, we are not relieved of our APP obligations and remain accountable for your information.


Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be notified to you by email or via the dashboard before they take effect.


Complaints

If you have a privacy concern, the fastest way to resolve it is to email hello@alwaysbuilding.ai with the subject "Privacy complaint". We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner \ GPO Box 5288, Sydney NSW 2001 \ Phone: 1300 363 992 \ Web: www.oaic.gov.au


Contact

Always Building AI Pty Ltd \ 20 Stratton Terrace, Wynnum, Queensland 4178, Australia \ Email: hello@alwaysbuilding.ai