Privacy Policy
Effective date: 18 December 2025
This Privacy Policy describes how McQuillen Interactive Pty Ltd ABN 77 605 496 268 ("Validibot", "we", "our", or "us") handles personal information when you use the Validibot services, websites, and applications (collectively, the "Services"). We are an Australian company and store all primary data on infrastructure located in Australia.
1. Scope and Responsibility
Validibot acts as the data controller for information we collect through the Services. When we process Customer Data (as defined in our Terms of Service) on behalf of our customers, we do so as a data processor solely under the customer's instructions.
2. Information We Collect
- Account information. When you create an account, we collect your email address, name, and authentication credentials. If you sign up via Google OAuth, we receive your basic profile information from Google.
- Payment information. When you subscribe to a paid plan, our payment processor Stripe collects your payment card details, billing address, and related information. We do not store complete card numbers on our servers; we receive only a masked card reference and billing details from Stripe.
- Customer Data. Files you upload and data you submit for validation, including building energy models and related technical information.
- Usage information. We collect information about how you use the Services, including workflow launches, validation results, feature usage, and timestamps.
- Communications. Messages you send to support@validibot.com and any information you choose to include.
- Operational logs. Google Cloud Platform, our hosting provider, records device information, IP addresses, URLs requested, and error details in application logs to help us troubleshoot issues and maintain security.
- Analytics. We use PostHog Cloud EU to understand aggregated website usage. PostHog sets first-party cookies or local storage identifiers and receives usage metadata (such as page views, approximate location derived from IP address, and device type). PostHog operates on infrastructure located in the European Union.
3. How We Use Information
We use information to:
- Provide, operate, and maintain the Services, including processing your validations and delivering results;
- Manage your account and subscription, process payments, and send billing-related communications;
- Send service announcements, product updates, and support messages;
- Monitor, analyse, and improve the Services, including reviewing aggregated usage patterns;
- Detect, prevent, and address security incidents, fraud, and abuse;
- Respond to questions, support requests, and feedback; and
- Comply with legal obligations and enforce our agreements.
4. How We Share Information
We do not sell personal information. We share information only with trusted service providers that help us deliver the Services:
- Cloud infrastructure. Google Cloud Platform provides hosting, database, storage, and compute services. Our primary infrastructure is located in the australia-southeast1 (Sydney) region.
- Payment processing. Stripe, Inc. processes subscription payments and stores payment card details on our behalf. Stripe is certified to PCI-DSS Level 1.
- Email delivery. Postmark (Wildbit LLC) sends transactional messages such as account notifications and receipts on our behalf.
- Analytics. PostHog Cloud EU (PostHog, Inc.) processes pseudonymised usage data under our instructions, on infrastructure in the European Union.
We may also disclose information if required by law, to protect rights or safety, or in connection with a business transaction such as a merger or acquisition. Each provider is bound by agreements that limit their use of the data to what is necessary to support us.
5. Data Location and Transfers
Our primary application database, file storage, and compute infrastructure are located in Australia (Google Cloud's Sydney region). Some service providers we use may process data in other jurisdictions:
- Stripe processes payment data in the United States;
- PostHog processes analytics data in the European Union;
- Postmark sends emails from infrastructure in the United States.
By using the Services, you consent to these transfers. We only work with providers that agree to safeguard the information we share with them.
6. Data Retention
We retain your account information and Customer Data for as long as your account is active or as needed to provide the Services. If you cancel your subscription or request account deletion, we will delete or anonymise your data within 90 days, except where we are required to retain it for legal, accounting, or fraud prevention purposes.
Operational logs are retained for up to 30 days. Analytics data is aggregated and retained by PostHog according to its EU service commitments.
7. Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption of data in transit (TLS) and at rest;
- Access controls limiting data access to authorised personnel;
- Regular security reviews and monitoring;
- Use of managed security services provided by Google Cloud Platform.
No internet service can be completely secure. We encourage you to use strong, unique passwords and enable two-factor authentication where available.
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.
8. Your Rights and Choices
You may request access to, correction of, or deletion of your personal information by emailing privacy@validibot.com. You can update your account information through your account settings. You can unsubscribe from marketing emails at any time using the link in the message or by contacting us directly.
Depending on your location, you may also have rights to object to or restrict certain processing, request data portability, or lodge a complaint with a supervisory authority.
9. Australian Privacy Obligations
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles when handling personal information. This includes taking reasonable steps to inform you why we collect data, keeping it secure, and allowing access or correction on request.
As described in Section 5, some data may be processed overseas by our service providers. By using the Services, you consent to these disclosures. We take reasonable steps to ensure overseas recipients handle your information in accordance with the Australian Privacy Principles.
If you have concerns about our handling of personal information, please contact us first so we can work to resolve the issue. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/ or by calling 1300 363 992.
10. Cookies and Analytics Controls
PostHog uses first-party cookies or browser storage to measure how visitors engage with the Services. These cookies do not power advertising or track you across unrelated sites. You can block or delete cookies through your browser settings or contact us to opt out of analytics for your device.
We honour Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will not load analytics tracking for your session.
11. Third-Party Links
The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
12. Children's Privacy
The Services are not directed to children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice in the Services and adjust the effective date. Your continued use of the Services after the changes take effect means you accept the revised Policy.
14. Contact Us
For questions or concerns about this Privacy Policy, email us at privacy@validibot.com or write to:
McQuillen Interactive Pty Ltd
Unit 7, 3 Bolinda Street
Bentleigh, Victoria 3204
Australia