LEGAL · PRIVACY

Privacy Policy

What we collect, what we do not, and the commitments we make about both.

Last updated ·

1. Who this covers

This policy describes how Phyllis AI Pty Ltd (ACN pending, "Phyllis", "we", "us", or "our") handles personal information when you visit phyllis.app, request a demo, contact us, or use the Phyllis product. It applies to all visitors and users globally. Where you have a signed enterprise agreement with us, that agreement and its Data Processing Addendum govern in any conflict with this policy.

2. Information we collect

  • Information you give us — name, business email, company, role, and anything you include in a form, a demo request, or a message to our team.
  • Account and authentication data — credentials and session data needed to sign you in and keep your account secure. Enterprise plans support SSO; we never store third-party passwords.
  • Customer Data you submit through the product — prompts, ServiceNow metadata Phyllis reads to plan or build a change, and the approval trail around it. This data is processed on your behalf under the DPA; we treat it as confidential and do not use it to train shared models.
  • Product telemetry — operator actions, timestamps, feature usage, error traces, and the approval audit log. We use this to operate, secure, and improve the service.
  • Website analytics — aggregated, IP-anonymised page-view metrics. We do not run third-party advertising pixels on our marketing site.
  • Communications — email correspondence, support tickets, and records of calls you elect to have with us.

3. What we do not do

  • We do not sell personal information.
  • We do not use Customer Data to train our models or any third-party foundation models. Under our enterprise agreement with our LLM provider, prompts and completions are not retained by the provider and are not used for their training.
  • We do not share personal information with advertisers.
  • We do not scan your ServiceNow instance beyond the scope you grant through OAuth.

4. How we use information

  • To provide, secure, and improve the product and the website.
  • To respond to sales, support, or partnership enquiries.
  • To send service notices, security alerts, and operational updates (transactional — you cannot unsubscribe from these while your account is active).
  • To send marketing communications where you have opted in. Every marketing email includes a one-click unsubscribe.
  • To meet legal, tax, and regulatory obligations, and to exercise or defend legal claims.

5. Legal bases (EEA/UK/similar regimes)

Where the GDPR or equivalent law applies, we rely on: (i) performance of a contract with you; (ii) our legitimate interests in operating and securing the service, provided those interests are not overridden by your rights; (iii) your consent, where required (for example, marketing communications); and (iv) compliance with legal obligations.

6. Sharing

We share personal information only with: (i) sub-processors who provide infrastructure or tooling under written contracts that require equivalent protection; (ii) professional advisors bound by confidentiality; (iii) acquirers or successors in a corporate transaction (with notice); and (iv) authorities where legally compelled, where we will narrow the disclosure and notify you unless prohibited by law.

7. International transfers

Phyllis is an Australian company. Where personal information is transferred outside your region, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms, and we apply additional safeguards such as application-layer encryption of credentials.

8. Retention

Account data is kept for the life of your account and for a reasonable period after (typically up to 24 months) to support audit, tax, and dispute needs. Customer Data retention is governed by your order form and the DPA — on termination, we delete or return it within the agreed window. Website analytics are kept in aggregate only.

9. Security

We apply encryption in transit (TLS 1.2+) and at rest, application-layer encryption of credentials, role-based access controls, mandatory MFA for staff access to production systems, single-tenant logical isolation between customer workspaces, and continuous audit logging. See the Security page for our current posture and how to request our Trust Pack.

10. Your rights

Depending on where you live, you have rights to access, correct, delete, port, object to, or restrict processing of your personal information, and to withdraw consent at any time. To exercise them, email privacy@phyllis.app. We respond within 30 days and will tell you if we need longer under applicable law. You may also lodge a complaint with your local supervisory authority — in Australia, the Office of the Australian Information Commissioner (OAIC).

11. Cookies

We use first-party cookies required to keep you signed in and to measure site performance in aggregate. We do not use advertising cookies. Where consent is required by law, we request it at first visit.

12. Children

Phyllis is a B2B product not directed to anyone under 16. We do not knowingly collect personal information from children.

13. Changes

We will post material changes on this page and update the "last updated" date. For enterprise customers, we will give advance notice of material changes via email to the billing contact.

14. Contact

Phyllis AI Pty Ltd · 388 George Street, Sydney, Australia · privacy@phyllis.app.

Implement now.

Book a demo
Phyllis
ServiceNow Registered Partner — Build ServiceNow Registered Partner — Consulting & Implementation
Capabilities
Plan
Develop
Monitor
Manage
Deploy
Solutions
Platform Teams
MSPs, SIs & Partners
Resources
Blog
Security & trust
Company
About
Contact
Book a demo
© 2026 Phyllis AI Pty Ltd
Privacy security.txt