Privacy Policy
1. Overview
This Privacy Policy explains how Everest Group handles personal information in connection with our website, enquiries, products, prototypes, services and communications, including Consouer. We aim to handle personal information in a way that is clear, secure and consistent with the Australian Privacy Principles, and with the European Union General Data Protection Regulation and the United Kingdom General Data Protection Regulation where they apply.
2. Contact Details
For privacy questions, access requests, correction requests, deletion or export requests, or complaints, contact us at contact@everestgroupau.com. We aim to acknowledge requests within five business days and to respond substantively within thirty days.
3. Personal Information We Collect
The kinds of personal information we may collect include:
- name, email address, phone number, company name and role;
- information you send through email, forms, calls, meetings or project briefs;
- business context, workflow information, documents, prompts, outputs and files you choose to provide;
- technical information such as device information, browser type, IP address, pages visited, approximate location and usage analytics;
- billing, proposal and contract information where we enter a commercial relationship; and
- information from connected tools or accounts where you authorise a connection, such as Google Workspace, Microsoft 365, GitHub, Notion, HubSpot, Slack, APIs, cloud services or internal systems.
4. How We Collect Information
We collect information directly from you when you contact us, use our website, request a proposal, provide a brief, use a prototype, connect a tool, upload information or communicate with us. We may also collect information from authorised team members, service providers, public sources, analytics tools and third-party platforms you choose to connect.
5. Why We Use Information
We use personal information to:
- respond to enquiries and communicate with you;
- prepare proposals, contracts, strategy documents and product recommendations;
- provide, operate, improve and support our products and services;
- build AI operating structures, workflow maps, connected context layers and reporting systems;
- manage accounts, authentication, access, security and support;
- process invoices, payments and commercial administration;
- monitor website and product performance;
- comply with legal obligations and protect our rights, users and systems; and
- send business updates or marketing communications where permitted, with the ability to opt out.
6. AI and Product Data
Where you use Consouer or another Everest Group AI product, information you provide may be used to generate structures, summaries, recommendations, workflow maps, agent roles, reports and other outputs. Some prototype features may run locally in your browser. Live deployments may involve third-party AI model providers, cloud services or connected business systems, depending on the implementation agreed with you.
Our products are designed to support business planning, workflows and operational visibility. They are not intended to make fully automated decisions that significantly affect a person's legal rights, employment, access to services or similar important interests without appropriate human review. If we introduce features of that kind, we will update this policy and the relevant product controls.
We do not sell personal information. We do not use customer content to train foundation models. Where we use AI model providers, we contract for arrangements that do not allow your content to be used to train their models. Tenant data is logically isolated by company so that one customer's content is not used to serve another customer.
You should not provide sensitive information unless it is necessary and you have authority to do so. Sensitive information can include health information, biometric information, racial or ethnic origin, political opinions, religious beliefs, criminal record information and similar categories protected by law.
7. Disclosure of Information
We may disclose personal information to:
- our personnel, contractors, advisers and related business operators;
- hosting, cloud, analytics, email, security, payment and software providers;
- AI model providers, integration partners and tool providers where required to deliver a product or service;
- professional advisers such as lawyers, accountants and insurers;
- regulators, courts, law enforcement or government authorities where required or authorised by law; and
- a buyer, investor or successor if we restructure, merge, sell or transfer part of the business, subject to appropriate confidentiality controls.
8. Sub-Processors
We use carefully selected third-party providers ("sub-processors") to operate our website, products and services. Each is bound by written terms requiring appropriate security and confidentiality, and is used only for the purposes set out in this policy. The current categories and providers are:
| Category | Provider(s) | Purpose |
|---|---|---|
| AI model providers | Anthropic (Claude), OpenAI (GPT), Google (Gemini) | Generation of AI outputs in product features |
| Cloud hosting and infrastructure | Amazon Web Services, Cloudflare | Hosting, storage, content delivery, edge security |
| Database and managed services | Neon or equivalent managed Postgres provider | Application database with tenant isolation |
| Authentication | Better Auth (self-hosted) | Account sign-in and session management |
| Email and transactional messaging | Postmark or equivalent | Account and operational email |
| Analytics and product telemetry | Plausible or equivalent privacy-respecting analytics | Aggregate usage analytics |
| Payment processing | Stripe (where commercial billing is in use) | Subscription and invoice processing |
| Customer-authorised integrations | Google Workspace, Microsoft 365, GitHub, Notion, HubSpot, Slack and similar tools | Used only when you explicitly connect them |
The list may change as our products evolve. The current list is published here and we will update it ahead of material additions. Customers on a written agreement may request advance notice of new sub-processors and may object on reasonable grounds.
9. Overseas Disclosure
Some providers we use may store or process information outside Australia. The countries may vary depending on the provider and configuration, but may include the United States, countries in the European Economic Area, the United Kingdom, Singapore and other locations where our service providers operate. Where practical, we use reputable providers and take reasonable steps to protect personal information, including contractual safeguards such as Standard Contractual Clauses where required.
10. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Security measures include access controls, encryption in transit and at rest, secure cloud infrastructure, logging, monitoring, application-layer protections such as CSRF protection and rate limiting, secret management, and limiting access to people who need it. No system is completely secure, and you should only provide information you are comfortable sharing through the relevant channel.
11. Data Breach Notification
If we become aware of an eligible data breach that is likely to result in serious harm to affected individuals, we will assess the incident, contain it, and notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable, consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
Where the EU or UK General Data Protection Regulation applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required, and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Customers with a written agreement that includes a Data Processing Addendum will be notified of any breach affecting their data without undue delay, with enough information to meet their own notification obligations.
12. Retention
We keep personal information only for as long as reasonably necessary for the purpose for which it was collected, to provide services, maintain business records, meet legal obligations, resolve disputes and protect our rights. Indicative retention windows are:
| Category | Indicative retention window |
|---|---|
| Website enquiry and contact form submissions | 24 months from last contact |
| Active account, workspace and product data | For the life of the account, plus 30 days in soft-deleted state before permanent deletion |
| AI prompts, outputs and run logs | 12 months by default; configurable down to 30 days for paying customers under a written agreement |
| Audit and security logs | 12 months |
| Billing and invoicing records | 7 years to meet Australian tax and corporate record-keeping obligations |
| Backups | Up to 35 days, on a rolling basis, after which deleted data is overwritten |
| Marketing contact data | Until you unsubscribe, plus a suppression record to honour the opt-out |
When personal information is no longer needed, we delete or de-identify it. Deletion from primary systems is generally completed within 30 days of an account closing or a successful deletion request; deletion from backups occurs as part of the standard backup rotation noted above.
13. Your Rights — Access, Correction, Deletion and Export
You may make any of the following requests at any time by emailing contact@everestgroupau.com:
- Access — ask for a copy of the personal information we hold about you;
- Correction — ask us to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading;
- Deletion — ask us to delete your personal information, subject to records we are required to keep by law (for example, billing records);
- Export / portability — ask for a copy of your information in a structured, commonly used, machine-readable format;
- Restriction or objection — ask us to restrict or stop certain processing, where applicable law gives you that right; and
- Withdrawal of consent — withdraw any consent you previously gave, without affecting earlier lawful processing.
We may need to verify your identity before responding, and may refuse access, deletion or other action where permitted or required by law. We will explain our reasons in writing where required. There is no fee for routine requests; we may charge a reasonable fee for repeated or excessive requests, as permitted by law.
14. EU and UK Users (GDPR / UK-GDPR)
If you are located in the European Economic Area, the United Kingdom or Switzerland, this section applies in addition to the rest of this policy. Where it conflicts with another section, this section prevails for those users.
Controller
Everest Group is the data controller for personal information we collect from you directly. Where we process personal information on behalf of a customer (for example, content uploaded by a customer's end users into a Consouer workspace), we act as a processor for that customer, who is the controller.
Legal bases for processing
We rely on one or more of the following legal bases under Article 6 GDPR:
- Contract — to provide products and services you or your organisation have requested;
- Legitimate interests — to operate, secure, support and improve our products, including product analytics, fraud prevention and direct B2B communications, balanced against your rights;
- Consent — for marketing where required, and for optional cookies;
- Legal obligation — to meet tax, accounting, regulatory and law-enforcement obligations.
International transfers
Where personal information is transferred outside the EEA or the UK, we rely on adequacy decisions where they exist and, where they do not, on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), together with supplementary measures as required.
Your GDPR rights
You have the rights of access, rectification, erasure, restriction, portability and objection set out in Articles 15 to 22 GDPR, as well as the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You may exercise these rights by contacting us at contact@everestgroupau.com.
Complaints to a supervisory authority
You have the right to lodge a complaint with your local data protection supervisory authority. UK users may complain to the Information Commissioner's Office (ICO).
15. Cookies and Analytics
Our website may use cookies, local storage, analytics and similar technologies to understand usage, improve performance and maintain security. You can control cookies through your browser settings, although some features may not work correctly if disabled. Where required by law, we will request your consent for non-essential cookies.
16. Complaints
If you believe we have mishandled your personal information, contact us at contact@everestgroupau.com. We will review the complaint and aim to acknowledge within five business days and respond substantively within thirty days. If you are not satisfied, you may contact the Office of the Australian Information Commissioner, or your local data protection supervisory authority if the EU or UK GDPR applies.
17. Marketing
We may send occasional updates about Everest Group, Consouer, AI products or related services. You can opt out of marketing communications at any time by using the unsubscribe method provided or contacting us.
18. Changes
We may update this Privacy Policy when our practices, products, services or legal obligations change. The updated version will be published on our website with a new "Last updated" date. Material changes will be highlighted at the top of this page for a reasonable period, and, where required by law, we will seek fresh consent.