Privacy Policy

How we collect, use, and protect your personal information across rubica's website and the rubica AI platform

Last updated: April 2026

SBA Engage Pty Ltd trading as rubica (ABN 49 673 132 682) ("rubica", "we", "us", "our") is committed to protecting your privacy and handling personal information in a transparent and secure way, in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and our obligations as a service provider to Australian Prudential Regulation Authority (APRA) regulated entities under CPS 234. This policy applies to the rubica.au website and the rubica AI platform (the "Platform").

1. Information we collect

  • Contact and account information: name, email address, mobile number, company name, job title.
  • Authentication data: hashed credentials, multi-factor authentication tokens, session identifiers.
  • Platform usage data: conversations you have with the Platform (prompts, AI responses, conversation history), files you upload, prompt templates you create, agent and connector configurations you create or install.
  • Third-party integration data: when you authorise a Model Context Protocol ("MCP") connector (for example, Microsoft 365, Dynamics 365, HubSpot, Salesforce), the Platform handles data you direct it to retrieve from, or write to, those systems under your own credentials.
  • Technical data: IP address, browser type, device identifiers, log data, and cookies (see our Cookie Policy).
  • Commercial information: billing contact details, subscription tier, and usage metrics for commercial reporting.

2. Why we collect your information

We collect personal information to:

  • provide and operate the Platform, including generating AI responses to your prompts;
  • authenticate users and enforce access controls within your organisation;
  • administer subscriptions, billing, and customer support;
  • monitor security, detect fraud or misuse, and investigate incidents;
  • improve the Platform's reliability, performance, and user experience;
  • comply with our legal, regulatory, and contractual obligations.

We only collect personal information that is reasonably necessary for these purposes.

3. How we use AI, and what we don't do with your data

  • The Platform generates responses using third-party large language models (LLMs), primarily hosted through AWS Bedrock in the Asia Pacific (Sydney) region.
  • Your prompts, files, and conversation history are sent to these models only to generate responses for you.
  • We do not use your prompts, responses, uploaded files, or conversation history to train our own AI models or the underlying third-party models. Our AWS Bedrock configuration excludes customer data from model-training pipelines, and our commercial agreements with model providers reflect the same.
  • The Platform may use AI to assist with features such as conversation summarisation, file search, and tool selection. These features operate on data you have already submitted and do not make autonomous decisions about you.

4. AI-assisted decisions (APP 1, in force from 10 December 2026)

rubica does not use AI to make, or to do a thing substantially and directly related to making, decisions that significantly affect your rights or interests (for example, credit, employment, or eligibility decisions). The Platform is a tool that assists users with their own work; it does not issue automated decisions about individuals. If this changes, we will update this policy and notify affected users before any such use commences.

5. How we store and protect your information

  • Platform data (account records, conversation history, uploaded files, connector credentials) is stored in Australia, in AWS ap-southeast-2 (Sydney), using MongoDB and S3.
  • Credentials for third-party connectors are encrypted at rest using AES-256-GCM with keys held in AWS Secrets Manager.
  • Access within rubica is restricted to a small number of authorised engineers on a need-to-know basis, audited, and secured with multi-factor authentication.
  • We apply reasonable technical and organisational security measures consistent with APP 11 and APRA CPS 234, including network segregation, least-privilege IAM, logging and monitoring, and incident response procedures.
  • Data in transit is protected using TLS 1.2 or higher.

6. Disclosure of personal information

We may disclose personal information to:

  • Authorised personnel and contractors of rubica, bound by confidentiality obligations.
  • Infrastructure providers: Amazon Web Services (Sydney region) for hosting, storage, and AI model access via AWS Bedrock.
  • Third-party services you authorise via connectors: for example, Microsoft (Graph API, Dataverse), HubSpot, Salesforce, Google Workspace, or others you install. Data shared with these services is handled under your own account credentials and under the terms of each third party's own privacy policy.
  • Operational service providers: transactional email, error monitoring, analytics, and support systems used to run the Platform.
  • Authorities: where required by Australian law, court order, or to protect the rights, property, or safety of rubica, our users, or others.

We do not sell personal information.

7. Cross-border data transfers (APP 8)

The majority of your data stays in AWS ap-southeast-2 (Sydney). Some disclosures involve cross-border transfers:

  • AWS Bedrock — when you use models that are only available in other AWS regions, your prompt content is sent to that region for the purpose of generating a response. We prefer ap-southeast-2-resident models where available.
  • Microsoft Graph, Dataverse, and other connector integrations — data routed to these third parties may be processed in regions outside Australia depending on how the third party operates its services (for example, the United States or the European Union).
  • Operational tooling — some support, monitoring, and communications providers process metadata outside Australia.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs, consistent with APP 8.1. Where this is not practicable, we will obtain your consent or rely on another permitted ground under APP 8.2.

8. Multi-tenant data isolation

The Platform is a multi-tenant service. Each customer organisation is isolated by organisation identifier enforced at the application, database query, and credential level. Users cannot read, write, or list data belonging to another organisation. Organisation-scoped credentials (such as shared connectors configured by an organisation administrator) are only accessible within that organisation.

9. Retention and deletion

We retain personal information only for as long as required to fulfil the purposes in section 2, or as required by law. Typical retention windows:

  • Account records — for the life of the account, plus up to 7 years after account closure where required for tax, audit, or legal reasons.
  • Conversation history and uploaded files — retained while your account is active. You can delete individual conversations or files from within the Platform at any time. Deleted items are removed from active systems immediately and purged from backups within 35 days.
  • Connector credentials — retained until you revoke the connector or close your account. Revocation removes credentials from active systems immediately.
  • System logs and security audit trails — up to 18 months.

On account closure, we delete or de-identify your personal information within 90 days, except where retention is required for a legal, regulatory, or legitimate business purpose.

10. Your rights (access, correction, deletion, complaints)

Under the APPs you can request to:

  • access the personal information we hold about you;
  • correct information that is inaccurate, out-of-date, or incomplete;
  • delete your personal information, subject to our legal retention obligations;
  • complain about how we have handled your personal information.

Most of these rights can be exercised directly from within the Platform. For anything that cannot be exercised in-product, contact us using the details in section 13. We will respond within 30 days.

If you are not satisfied with our response, you can make a complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Data breach notification

We maintain a data breach response process consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Where an eligible data breach occurs and is likely to result in serious harm, we will notify affected individuals and the OAIC as soon as practicable.

12. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available at rubica.au/privacy. Material changes will be notified in-product and by email where appropriate.

13. Contact us

If you have questions, requests, or complaints about this Privacy Policy or how we handle personal information, please contact:

Email: privacy@rubica.au (or hello@rubica.au)

Post: Privacy Officer, SBA Engage Pty Ltd, 29 Murray Street, Hobart TAS 7000, Australia