Privacy Policy
Last updated: 23 June 2026
Effective date: 23 June 2026
Version: 2.0
Data controller / entity: Flyweel.co Pty Ltd (ABN 59 685 487 754) ("Flyweel", "we", "us", "our")
Website: www.flyweel.co
Privacy contact: team@flyweel.co (Attn: Privacy Officer)
1. About this policy
This Privacy Policy explains how Flyweel collects, uses, discloses, stores and protects personal information when you visit www.flyweel.co, use the Flyweel platform and apps, connect Flyweel to third-party services (including AI assistants), or otherwise interact with us.
Flyweel is an Australian company. We handle the personal information of customers and users located in Australia, the United States, Canada and other countries. We aim to meet the standards of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where they apply to you — comparable laws including the California Consumer Privacy Act as amended (CCPA/CPRA) and other U.S. state privacy laws, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25, and the EU/UK General Data Protection Regulation (GDPR). Region-specific rights are set out in Sections 11–13.
In this policy, "personal information" means information about an identified or reasonably identifiable individual. In some regions equivalent terms are used (e.g. "personal data"); we treat them as having the same meaning here.
2. The personal information we collect
We collect the following categories of personal information.
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, business email address, business name, role, phone number | You, when you sign up or contact us |
| Account & profile data | Username, password (stored hashed/encrypted), account settings, preferences | You / generated when you use the platform |
| Authentication / single sign-on data | If you sign in using a third-party provider (such as Google), your email address and basic profile (name, profile picture) | You, via the sign-in provider (e.g. Google OAuth) |
| Billing & transaction data | Billing contact, plan, subscription status, and payment-method details processed by our payment processor (we do not store full card numbers) | You / our payment processor |
| Connected-platform data | Account names and identifiers, connection status, and the data made available by the platforms you connect — which may include advertising, campaign, performance, customer, financial or analytics data, depending on the integration | The third-party platforms you authorise (such as advertising, CRM, accounting, analytics and similar services), via your authorisation |
| Usage & device data | IP address, device and browser type, log data, pages viewed, feature usage, timestamps | Automatically, when you use our website and platform |
| Cookie & analytics data | Cookie identifiers, analytics events, approximate (coarse) location derived from IP | Automatically (see Section 9) |
| Communications data | Emails, support tickets, survey and form responses, and records of your requests | You |
We collect only what we reasonably need to provide and improve the services (data minimisation). We do not require, and try not to collect, sensitive information (such as health, biometric, government identifiers, or precise GPS location). Please do not submit sensitive information to us unless we specifically request it.
Data from your connected platforms may include personal information of third parties (for example, your customers or leads) that appears in your campaign, customer, financial or other connected data. Where you provide us with personal information about other people, you confirm you are entitled to do so and that they have been told how their information will be handled.
3. How we collect personal information
We collect personal information:
- directly from you — when you register, subscribe, contact us, complete a form or survey, or use the platform;
- automatically — through cookies and similar technologies and server logs when you use our website and platform (see Section 9);
- from connected services you authorise — when you link a third-party account (for example a sign-in provider, or an advertising, CRM, accounting or analytics service), we receive data from that service under the scopes you approve; and
- from service providers — such as our payment processor, hosting and analytics providers, acting on our behalf.
4. Why we use your personal information (purposes)
We use personal information for the following purposes:
- Provide the services — create and manage your account, authenticate you, connect and sync the third-party platforms you authorise, display dashboards and reporting, and provide reconciliation and related features.
- Operate AI and automated features — process your requests through our AI agent and automated reporting/analytics features. See Section 8 (Automated processing and AI).
- Billing and payments — process subscriptions and payments and maintain financial records.
- Communicate with you — send service notices, security and transactional messages, respond to enquiries and support requests, and (with your consent or as permitted by law) marketing communications you can opt out of at any time.
- Improve and develop — analyse usage to maintain, secure, troubleshoot and improve the services and develop new features. We use aggregated or de-identified data for this where practicable.
- Security, fraud prevention and integrity — detect, investigate and prevent fraud, abuse, security incidents and breaches of our terms.
- Comply with law — meet our legal, regulatory, tax and accounting obligations and respond to lawful requests.
We do not use your personal information for purposes that are incompatible with those above without telling you or obtaining your consent where required.
Google user data — specific limits. Where the Service connects to Google services (for example Google sign-in or a Google advertising connection) and we receive Google user data, our use complies with the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for personalised or interest-based advertising, do not sell it, do not transfer it except to provide or improve the relevant features, to comply with law, or as part of a merger/acquisition with appropriate notice, and do not use it for human review except with your consent, for security/abuse/legal reasons, or on de-identified/aggregated data.
5. Who we share personal information with (recipients)
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising (as those terms are used under U.S. state privacy laws). We disclose personal information only to the following categories of recipients:
- Service providers / sub-processors acting on our behalf under contract and confidentiality/data-protection obligations, in these categories: cloud hosting and infrastructure; payment processing; product analytics and monitoring; email and customer communications; and customer support and CRM tooling.
- Connected platforms you authorise — we exchange data with the third-party platforms you connect (such as advertising, CRM, accounting and analytics services) to provide the integration you requested.
- Third-party AI assistants you connect — when you choose to query Flyweel through a third-party AI assistant (e.g. ChatGPT, Claude, or other MCP-compatible clients), data responsive to your request is provided to that assistant. See Section 7.
- Professional advisers — lawyers, accountants, auditors and insurers, where reasonably required.
- Authorities — regulators, courts or law-enforcement where required or authorised by law, or to protect our rights, users or the public.
- Corporate transactions — an actual or prospective buyer, investor or successor in connection with a merger, acquisition, financing, reorganisation or sale of assets, subject to confidentiality and to this policy.
A list of our material service providers is available on request at team@flyweel.co.
6. International data transfers
Flyweel is based in Australia and uses service providers located overseas, including in the United States. This means your personal information may be stored or processed outside your home country, including outside Australia.
Where we transfer personal information across borders, we take reasonable steps to ensure it is handled consistently with this policy and applicable law — including putting in place contractual data-protection terms with recipients (such as standard contractual clauses where relevant) and assessing the recipient's protections. For Australian individuals, this is done in accordance with APP 8. For individuals in the EEA/UK, see Section 13.
7. AI integrations and third-party AI services
Flyweel can be connected to third-party AI assistants, including OpenAI's ChatGPT and Anthropic's Claude, and other platforms that support the Model Context Protocol (MCP). These connections are initiated and controlled by you. When you query Flyweel through an AI assistant, Flyweel responds by returning the data responsive to your request, which is then processed by the AI service you chose.
Data that may be included in responses to a connected AI assistant: information from the third-party platforms you have connected — for example account names and identifiers, connection status, data-sync status, and performance, campaign, customer or financial data — depending on what you have connected and what you ask for; and temporary OAuth authorization URLs used to set up a connection.
Data never included in responses to a third-party AI service: your Flyweel password or authentication credentials; OAuth access or refresh tokens for connected platforms; payment or billing details; and data belonging to other Flyweel users.
Our limits. We return only data responsive to your request; we do not request your full conversation history, chat transcripts, or broad contextual fields, and we do not include diagnostic identifiers or telemetry unless strictly necessary to fulfil your request.
Outside our control. We do not control how a third-party AI service processes, stores or uses data once you share it through that service. Each service is governed by its own terms and privacy policy. We recommend reviewing them:
- OpenAI (ChatGPT): https://openai.com/policies/privacy-policy
- Anthropic (Claude): https://www.anthropic.com/privacy
Your control. You decide whether to connect any AI service, choose which platforms and accounts to make available, and can disconnect at any time (through that service's settings) or revoke a connected platform at any time in Flyweel's app settings. Data is only shared when you actively make a request — Flyweel does not proactively send your data to any AI service.
8. Automated processing and AI features
Flyweel uses automated processing to deliver features such as analytics, reporting, reconciliation and AI-assisted answers. These features assist you; we do not currently use automated processing to make decisions that produce legal or similarly significant effects about you without human involvement.
If we introduce any feature that makes a decision that could reasonably be expected to significantly affect your rights or interests, we will update this policy to describe the kinds of decisions, the types of personal information used, and how you can seek human review or object, as required by applicable law (including transparency obligations under the Privacy Act 1988 (Cth) from 10 December 2026, the CCPA's automated decision-making technology rules, and Article 22 GDPR where it applies).
9. Cookies and tracking technologies
We use cookies and similar technologies to operate the site, keep you signed in, remember preferences, measure usage and improve the services. We use:
- Strictly necessary cookies (required for the site to function);
- Functional cookies (preferences); and
- Analytics cookies (usage measurement).
We do not use cookies for cross-context behavioural advertising. You can control non-essential cookies through your browser settings, and through our cookie preference controls where provided. Where you are in a region whose law requires it (e.g. EEA/UK), we obtain your consent before setting non-essential cookies. We honour recognised opt-out preference signals, including Global Privacy Control (GPC), as an opt-out of sale/sharing where that right applies to you.
10. Data security, retention and breach notification
10.1 Security
We take reasonable technical and organisational measures to protect personal information against misuse, interference, loss, and unauthorised access, modification or disclosure, including: encryption of data in transit and at rest; access controls and authentication (including multi-factor authentication for administrative access); network and application security controls; logging and monitoring; vendor due diligence; and staff access on a least-privilege basis. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10.2 Retention
We keep personal information only for as long as we need it for the purposes in this policy, or as required by law, after which we delete or de-identify it.
- Account and profile data — kept for the life of your account, then deleted or de-identified after your account is closed, unless we need to keep it longer to meet a legal obligation or resolve a dispute.
- Connected-platform / ad / reconciliation data — kept while the connection is active, and deleted or de-identified after you disconnect the platform or close your account.
- Billing and transaction records — kept for up to 7 years to meet Australian tax and accounting obligations.
- Support and communications — kept for as long as needed to handle your matter and for a reasonable period afterwards.
- Server logs and analytics — kept for a limited period, then deleted or aggregated.
- Marketing contact data — kept until you unsubscribe or after a sustained period of inactivity.
Where we do not state a fixed period, we determine how long to keep information by reference to the purpose for which it was collected, our legal obligations, and the resolution of any disputes.
10.3 Breach notification
If a data breach occurs that is likely to result in serious harm, we will assess it and notify affected individuals and the relevant regulator(s) as required by law — including the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and equivalent obligations in other regions.
11. Your choices and rights (all users)
Subject to verification and to legal limits, you can:
- Access the personal information we hold about you and request a copy;
- Correct information that is inaccurate, out of date or incomplete;
- Delete your personal information (subject to records we must keep by law);
- Opt out of marketing at any time (via the unsubscribe link or by contacting us); and
- Disconnect any connected platform or AI assistant at any time in your app settings.
To make a request, email team@flyweel.co. We will respond within the timeframe required by applicable law (generally within 30 days; we will tell you if we need longer). We will not charge a fee except where permitted, and we will not discriminate against you for exercising your rights.
If you are not satisfied with our response, you can contact the relevant regulator (Section 14).
12. United States state privacy rights
This section applies if you are a resident of California or another U.S. state with a comprehensive privacy law (e.g. Virginia, Colorado, Connecticut, Texas, and others). Some of these laws apply to a business only above certain thresholds; we extend the core rights below to U.S. users as a matter of practice.
In the preceding 12 months, we have collected the categories of personal information described in Section 2, for the purposes in Section 4, from the sources in Section 3, and disclosed them to the categories of recipients in Section 5. We have not sold personal information and have not shared it for cross-context behavioural advertising, and we do not knowingly sell or share the personal information of consumers under 16.
If you are a California resident, you have the right to: know/access the categories and specific pieces of personal information we collected, the sources, purposes and categories of recipients; delete personal information we collected from you; correct inaccurate personal information; opt out of any sale or sharing (we do neither); and limit the use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right). Residents of other states have comparable rights under their own laws.
To exercise these rights, email team@flyweel.co. You may use an authorised agent. We will verify your request and respond within the statutory timeframe (generally 45 days, extendable once). We honour GPC opt-out preference signals. We do not discriminate against you for exercising your rights.
13. Canada, EEA/UK and other regions
Canada (PIPEDA / Quebec Law 25). We collect, use and disclose personal information with your knowledge and consent (express or implied as appropriate), for the purposes in this policy. You may access and correct your personal information and withdraw consent (subject to legal/contractual limits) by contacting team@flyweel.co. We will respond generally within 30 days. You may complain to the Office of the Privacy Commissioner of Canada, or to the Commission d'accès à l'information du Québec if you are in Quebec.
EEA / UK (GDPR). Where the GDPR applies, our legal bases for processing are: performance of a contract (to provide the services), legitimate interests (to secure, improve and market our services, balanced against your rights), consent (e.g. for non-essential cookies and certain marketing — which you can withdraw at any time), and legal obligation. You have rights of access, rectification, erasure, restriction, portability and objection, and the right not to be subject to solely automated decisions with legal/significant effects. International transfers rely on appropriate safeguards (e.g. standard contractual clauses). You may lodge a complaint with your local supervisory authority.
14. Children
The Flyweel platform is a business product intended for users aged 18 and over. It is not directed to children, and we do not knowingly collect personal information from anyone under 18 (and never from children under 13). If you believe a child has provided us with personal information, contact team@flyweel.co and we will delete it.
15. Third-party services and links
Our services integrate with, and may link to, third-party services (for example sign-in providers, and the advertising, CRM, accounting, analytics and other platforms you connect). Those services are governed by their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third parties.
16. Changes to this policy
We may update this policy from time to time. We will post the updated policy here and change the "Last updated" date. If changes are material, we will provide additional notice (e.g. by email or in-app) where required. Your continued use of the services after an update means you accept the updated policy.
17. Contact us and complaints
Questions, requests or complaints about privacy:
Email: team@flyweel.co (Attn: Privacy Officer)
Mail: Flyweel.co Pty Ltd, Queensland, Australia
If you are not satisfied with how we handle a privacy matter, you can complain to:
- Australia — Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
- United States (California) — California Privacy Protection Agency / California Attorney General
- Canada — Office of the Privacy Commissioner of Canada (or the Commission d'accès à l'information du Québec in Quebec)
- EEA/UK — your local data protection authority