1. Purpose and scope
Eplex AI Pty Ltd (ACN 688 724 601) of 81-83 Campbell Street, Surry Hills, NSW 2010, Australia (Eplex AI, we, us) respects your privacy and is committed to safeguarding personal information.
This Privacy Policy explains how we collect, use, disclose, and store personal information when you visit eplex.ai, engage with us, or use the Draft with Eplex Gmail add-on, the Eplex AI Outlook add-in, and related services (together, the Services).
If you are a school customer, our handling of personal information contained in Customer Data is primarily governed by your School Subscription Agreement and its Data Processing Addendum (together, the Customer Contract). Where there is any inconsistency between this Privacy Policy and a Customer Contract, the Customer Contract prevails for Customer Data.
2. Key terms
Personal Information has the meaning given in the Privacy Act 1988 (Cth).
Customer Data means data and content submitted to the Services by or for a school customer, including emails selected via the add-on, prompts, configuration data, and outputs generated by the Services.
Google User Data means data obtained through Google Workspace APIs, including Gmail content, user profile information, and authentication tokens.
Microsoft User Data means data obtained through Office.js APIs when using the Outlook add-in, including email content, sender, recipients, and subject of the currently open message, and authentication tokens obtained via Microsoft Entra ID.
Draft Metadata means the record created when the Services generate an output, including the locale, scenario identifiers, pre-flight classification results, operator intent, word count, and timestamps. Draft Metadata does not include email content or generated text.
3. What personal information we collect
3.1 Website and business operations
We may collect contact details and business information such as your name, role, organisation, email address, phone number, and communications with us (including support requests).
3.2 Customer Data (Services)
When a school customer uses the Services, we process personal information contained in the emails and content the customer chooses to process. This may include information about prospective students and parents or guardians, and may occasionally include sensitive information (for example, health-related details) if included in an email thread. The Services are intended for use by school staff and other authorised business users, not by children.
3.3 Authentication data
When you sign in to the Services via Google OAuth, Google's authentication service (Firebase Authentication) processes your email address, display name, and profile photo URL. When you sign in via the Outlook add-in, Microsoft Entra ID authenticates your organisational account; your Entra identity token is exchanged for a Firebase session token on our backend. In both cases, Firebase Authentication is the identity provider. Eplex AI does not maintain a separate user database or store Microsoft credentials. Your email domain is used at sign-in to determine your school affiliation and role-based access.
4. Google Workspace data access
The Draft with Eplex Gmail add-on requests the following Google Workspace API permissions (OAuth scopes):
| Permission | Classification | What it accesses | Why we need it |
|---|---|---|---|
| gmail.addons.current.message.readonly | Sensitive | The email thread you are currently viewing (subject, senders, recipients, body content, timestamps) | Read the current email thread for draft generation context and Tour Brief extraction |
| gmail.addons.execute | Non-sensitive | Gmail sidebar context | Run the add-on interface in the Gmail sidebar and respond to your interactions |
| gmail.addons.current.action.compose | Non-sensitive | Gmail compose window | Insert generated drafts into the compose window for your review |
| script.external_request | Non-sensitive | Outbound HTTPS calls | Call our backend API securely over HTTPS |
| userinfo.email | Non-sensitive | Your email address | Authenticate your identity and determine school affiliation based on email domain |
| userinfo.profile | Non-sensitive | Your display name and profile photo | Display your name in the admin panel and identify you within your school |
4.1 What we read
We access email content only when you actively use the add-on. For draft generation, we read the email thread you are currently viewing. We read email subjects, senders, recipients, body content, timestamps, and thread structure.
4.2 What we do not read
We do not scan, index, or read your emails in the background. We do not access emails outside the thread you are working with. We do not access deleted, archived, or draft emails that you have not selected.
4.3 How email data flows
- You select an email thread and click a button in the add-on (Draft, Coach, Call, Message, or Tour).
- The email content is sent over HTTPS to our backend on Google Cloud Run (asia-southeast1 region).
- Our backend sends the content to Google Cloud Vertex AI (Gemini 2.5 Flash) for processing.
- The generated output is returned to the add-on and displayed for your review.
- Draft Metadata (not including email content or generated text) is stored in Google Firestore and automatically deleted after 30 days.
4A. Microsoft Outlook Add-in data access
When used as a Microsoft Outlook add-in, Eplex AI accesses data through Office.js APIs (not Microsoft Graph API). The add-in does not access your mailbox, calendar, contacts, or any data beyond the currently open message.
| API | Data accessed | Purpose |
|---|---|---|
| Office.context.mailbox.item.body | Body of the currently open email | AI generation input (Draft, Coach, Call, Message, Tour, Translate) |
| Office.context.mailbox.item.from | Sender of the currently open email | Cultural context identification |
| Office.context.mailbox.item.subject | Subject line of the currently open email | Enquiry classification |
| Office.context.mailbox.item.to/cc | Recipients of the currently open email | Context for draft generation |
| Office.context.mailbox.item.body.setAsync | Compose window body | Insert generated draft into reply for your review |
4A.1 Authentication
The Outlook add-in authenticates via Microsoft Entra ID using Nested App Authentication (NAA) or a dialog-based fallback for older clients. Your Microsoft identity token is exchanged for a Firebase session token on our backend. No Microsoft credentials are stored by Eplex AI. Only organisational (work/school) accounts are accepted; personal Microsoft accounts are rejected.
4A.2 How email data flows
- You open an email in Outlook and click the Eplex AI button in the ribbon.
- The add-in reads the currently open message via Office.js APIs.
- The email content is sent over HTTPS to our backend on Google Cloud Run (asia-southeast1 region).
- Our backend sends the content to Google Cloud Vertex AI (Gemini) for processing.
- The generated output is returned to the add-in and displayed for your review.
- Draft Metadata (not including email content or generated text) is stored in Google Firestore and automatically deleted after 30 days.
4A.3 What we do not access
The Outlook add-in does not use Microsoft Graph API. It does not access your mailbox, calendar, contacts, files, or any data beyond the currently open message. It does not scan, index, or read emails in the background.
5. What we store
Eplex AI stores only Draft Metadata. When the Services generate an output, a metadata record is written to Google Firestore. This record includes the locale, scenario identifiers, pre-flight classification results, operator intent, word count, and timestamps. Draft Metadata does not include email content or generated text. Draft Metadata is automatically deleted after 30 days.
Eplex AI does not maintain a separate database of users, schools, email addresses, or authentication credentials. Authentication is handled entirely by Firebase Authentication. For the Gmail add-on, session tokens are cached in per-user property storage (managed by Google). For the Outlook add-in, session tokens are managed via Microsoft Entra ID and exchanged for Firebase tokens. Neither platform's credentials are stored on Eplex AI's infrastructure.
Email content and generated text are processed transiently: email content is sent to Vertex AI, a response is generated and returned to the add-on or add-in, and neither the email content nor the generated text is retained by Eplex AI.
6. How we use personal information
We use personal information for the following purposes. Where we process personal data of individuals in the European Economic Area (EEA) or the United Kingdom (UK), the legal basis under the General Data Protection Regulation (GDPR) is indicated.
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide, operate, maintain, secure, and support the Services | Contractual necessity (Art 6(1)(b)) |
| Authenticate users via Firebase Authentication and enforce school-scoped access control | Contractual necessity (Art 6(1)(b)) |
| Generate AI-assisted draft communications and coaching outputs | Contractual necessity (Art 6(1)(b)) |
| Administer accounts, respond to enquiries, and provide customer support | Contractual necessity (Art 6(1)(b)) |
| Prevent, detect, and address technical or security issues | Legitimate interests (Art 6(1)(f)) |
| Communicate with you about the Services and our business (including product updates) | Legitimate interests (Art 6(1)(f)) |
| Internal business operations (for example, invoicing and record-keeping) | Legal obligation (Art 6(1)(c)) |
| Comply with legal obligations and enforce our agreements | Legal obligation (Art 6(1)(c)) |
7. AI processing and model training
7.1 How AI is used
The Services use Google Cloud Vertex AI (Gemini 2.5 Flash) to generate draft communications, reception feedback, call preparation guides, messaging adaptations, and tour briefings. Email content you select is sent to Vertex AI for processing and is subject to Google Cloud's data processing terms.
7.2 No model training on your data
We do not use Customer Data or Google User Data to train or fine-tune general-purpose AI models, or to build or improve models for other customers. Vertex AI does not use customer data to train its models under Google Cloud's standard terms.
7.3 De-identified analytics
We may create and use aggregated and de-identified usage and performance metrics to operate and improve the Services, provided those metrics do not identify a customer or an individual.
7.4 Human access
Human access to Customer Data by Eplex AI personnel is restricted and permitted only where reasonably necessary: for example, when a user gives affirmative consent, for security purposes, or for legal compliance. Personnel with access are bound by confidentiality obligations.
8. Google API Services: Limited Use disclosure
The Draft with Eplex add-on's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We limit our use of Google User Data to providing and improving user-facing features of the Services that are prominent in the add-on's interface.
- We do not transfer Google User Data to third parties except as necessary to provide or improve the Services, to comply with applicable law, or as part of a merger or acquisition with the user's prior consent.
- We do not use Google User Data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google User Data unless we have your affirmative consent, it is necessary for security purposes, it is necessary to comply with applicable law, or the data is aggregated and anonymised for internal operations.
9. Disclosure of personal information
We may disclose personal information to our employees, contractors, and professional advisers where reasonably necessary for the purposes described in this Privacy Policy.
We may also disclose personal information to the service providers (subprocessors) listed in section 10, subject to contractual and security safeguards.
We do not sell personal information. We do not share personal information for advertising purposes.
10. Subprocessors and data processing locations
All Services infrastructure runs in the Google Cloud asia-southeast1 (Singapore). We use the following third-party service providers:
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Google Cloud Run | Application hosting (backend API and admin panel) | Email content in transit during generation; API requests and responses | asia-southeast1 |
| Google Cloud Firestore | Draft Metadata storage (30-day auto-deletion) | Locale, scenario IDs, operator intent, word count, timestamps (no email content or generated text) | asia-southeast1 |
| Google Cloud Vertex AI (Gemini 2.5 Flash) | AI processing for draft generation and coaching outputs | Email content submitted for generation (processed transiently, not retained by Vertex AI) | asia-southeast1 |
| Firebase Authentication (Google) | User authentication, identity tokens, and role-based access (Google-managed service) | Email address, display name, profile photo URL, custom claims (role, school affiliation) | Google-managed (US) |
| Google Workspace APIs | Gmail integration (reading emails, composing drafts) | Email content accessed via OAuth scopes listed in section 4 | Per customer's Workspace data region |
Where personal information is handled overseas on our behalf, we take reasonable steps to ensure it is handled with appropriate protections, including contractual requirements and security measures consistent with the Customer Contract where applicable. For EEA/UK individuals, see section 17.1 for details on international transfer mechanisms.
We may update this subprocessor list from time to time. For school customers, changes are notified in accordance with the Data Processing Addendum.
11. Data retention and deletion
11.1 Draft Metadata
Draft Metadata records are stored in Firestore and automatically deleted after 30 days. Draft Metadata does not include email content or generated text. This is the only data that Eplex AI persists on its own infrastructure.
11.2 Authentication data
Authentication data (email address, display name, profile photo URL, and school affiliation) is held by Firebase Authentication, a Google-managed service. Eplex AI does not separately store or replicate this data. If you revoke the add-on's access or your school administrator removes your account, your authentication session is terminated and no residual data remains on Eplex AI's infrastructure.
11.3 Email content
Email content and generated text are processed transiently during generation. Email content is sent to Vertex AI, a response is generated and returned to the Gmail add-on, and neither the email content nor the generated text is retained by Eplex AI. Draft Metadata (which does not include email content or generated text) is automatically deleted after 30 days.
11.4 Website and business operations data
Enquiries, support correspondence, and similar business operations data are retained for as long as reasonably necessary for the purposes described in this Privacy Policy and to meet legal, accounting, and operational requirements.
12. Managing and deleting your data
You can manage and delete your data in the following ways:
Request data deletion: Contact support@eplex.ai to request deletion of any Draft Metadata associated with your account. Because Draft Metadata is automatically deleted after 30 days, a deletion request will result in immediate removal of any records still within the 30-day window.
Request data export: Contact support@eplex.ai to request a copy of Draft Metadata associated with your account.
Revoke access: You can revoke the add-on's access to your Google account at any time via your Google Account permissions page. Revoking access stops the add-on from accessing your Gmail data. No residual data remains on Eplex AI's infrastructure beyond existing Draft Metadata, which will auto-delete within 30 days.
School-administered accounts: If your account is managed by a school administrator, contact your school's admin to request changes. We will provide reasonable assistance to the school to fulfil your request.
If you are an individual whose information is included in Customer Data (for example, a parent, guardian, or prospective student), please contact the relevant school in the first instance.
13. Security
13.1 Security measures
We maintain reasonable technical and organisational safeguards designed to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These include: least-privilege access controls and role-based permissions; encryption in transit (HTTPS/TLS) and encryption at rest (Firestore default encryption); rate limiting (20 requests per minute per user); input validation and sanitisation; Docker image pinning by SHA256 digest; and logging via Google Cloud's native monitoring.
13.2 Data breach notification
If we become aware of a security incident affecting Customer Data, we will take reasonable steps to contain and remediate and will notify the relevant customer as soon as practicable after confirmation. If notification to regulators or affected individuals is required under applicable law, we will cooperate with the relevant customer to support its assessment and notifications.
14. Sensitive information
We do not require or ask users to submit sensitive information (as defined in the Privacy Act 1988 (Cth)). However, sensitive information such as health details may be incidentally included in email threads that a user chooses to process. If sensitive information is present in Customer Data, we handle it with appropriate safeguards.
We do not require or ask customers to submit payment card details to the Services.
15. Children's privacy
The Services are designed for use by school admissions staff and authorised business users, not by children. We do not knowingly collect personal information directly from children. Information about prospective students and their families may be included in email threads processed by school staff; this processing is carried out under the school customer's instructions and responsibility.
16. Access, correction, and complaints
You may request access to or correction of personal information we hold about you by contacting support@eplex.ai. We will respond within a reasonable time.
16.1 Additional rights for EEA and UK individuals
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right of access (Art 15) — obtain confirmation of whether we process your personal data and request a copy.
- Right to rectification (Art 16) — request correction of inaccurate personal data.
- Right to erasure (Art 17) — request deletion of your personal data in certain circumstances.
- Right to restriction of processing (Art 18) — request that we limit how we use your data.
- Right to data portability (Art 20) — receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art 21) — object to processing based on legitimate interests.
- Rights related to automated decision-making (Art 22) — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see section 16.2).
We will respond to rights requests within 30 days. To exercise any of these rights, contact privacy@eplex.ai.
16.2 Automated decision-making
The Services use AI-based pre-flight classification to automatically identify the scenario type of an enquiry (for example, fee enquiry, campus visit request). This classification is used to select the appropriate cultural coaching rules for draft generation. All AI-generated outputs require human review before sending — no communications are sent automatically. We consider this process to fall outside the scope of Art 22 GDPR because it does not produce legal or similarly significant effects on individuals.
16.3 Complaints
If you have a complaint about our privacy practices, please contact us at support@eplex.ai. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner ( oaic.gov.au). If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.
17. International users and data transfers
Eplex AI is based in Australia. Our primary Services infrastructure runs in the Google Cloud asia-southeast1 region (Singapore). If you are located outside Australia, additional privacy rights and obligations may apply depending on your jurisdiction (see section 16.1 for EEA/UK rights).
17.1 International transfer mechanisms
Where personal data is transferred outside the EEA or UK, the following safeguards apply:
- Firebase Authentication processes data in the US under Google's Data Processing Addendum, which includes EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Google Cloud Platform services (Cloud Run, Firestore, Vertex AI) are configured in the asia-southeast1 (Singapore) region and are covered by the Google Cloud Data Processing Addendum with EU SCCs.
For more information on Google's compliance framework, see Google Cloud and the GDPR.
18. Website cookies and third-party links
When you visit eplex.ai, we may collect information such as browser type, operating system, and pages visited. This information is used in aggregate to understand and improve our website.
We use Google Analytics (property ID: G-XH4YWBSGTG) for anonymous usage statistics. Google Analytics cookies are blocked by default and only activated after you click "Accept" on our cookie banner. The following cookies may be set:
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Distinguishes unique visitors (Google Analytics) | 2 years |
| _gid | Distinguishes unique visitors (Google Analytics) | 24 hours |
You can configure your browser to refuse cookies or withdraw consent at any time by clearing your browser cookies and revisiting the site. If you decline cookies, no analytics data is collected.
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy statements.
19. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will publish the updated version at eplex.ai/privacy and update the "Last updated" date above. If we make material changes, we will take reasonable steps to notify customers where appropriate.
20. Contact
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Eplex AI Pty Ltd
81-83 Campbell Street, Surry Hills, NSW 2010, Australia
Email: support@eplex.ai
Privacy enquiries: privacy@eplex.ai
Website: eplex.ai