Privacy Policy

How Flux Systems Pty Ltd handles personal information.

Last updated: 20 May 2026

1. Our Role

Flux Systems may process data in different roles depending on the context.

For account, business, website, marketing, billing, and direct support data, Flux Systems generally acts as an independent controller or business responsible for deciding how that information is used.

For customer-controlled operational data, including device data, sensor data, telemetry, workflow data, customer content, AI prompts, and information submitted by or on behalf of a customer through the Services, Flux Systems generally acts as a processor, service provider, or similar role on behalf of the customer, unless a written agreement or applicable law provides otherwise. In that case, the customer is responsible for its own notices, consents, lawful bases, instructions, configurations, and end-user requests.

2. Information We Collect

We may collect the following categories of information, depending on how the Services are configured and used.

Account and Contact Information

We may collect names, email addresses, phone numbers, job titles, company names, account credentials, authentication information, user roles, permissions, and other contact or profile information.

Customer and User Content

We may collect information submitted to or generated through the Services, including documents, files, notes, messages, configurations, workflow data, commands, queries, prompts, outputs, support materials, and other content provided by customers, users, devices, or integrations.

Device, Telemetry, Sensor, and Operational Data

Our Services may collect or process information relating to connected devices, embedded systems, industrial systems, IoT deployments, edge devices, cloud-connected equipment, or software agents. This may include device identifiers, hardware identifiers, firmware versions, operating system information, software versions, network status, diagnostic data, configuration data, performance metrics, sensor readings, status events, command history, logs, error reports, uptime, location or site metadata where enabled, environmental or machine data, and other operational or technical data.

AI and Machine Learning Data

If you use features that involve artificial intelligence, machine learning, automation, inference, predictive maintenance, natural language processing, or similar functionality, we may collect and process prompts, instructions, context, inputs, outputs, feedback, metadata, model interaction logs, evaluation data, and related information. This may include information sent to third-party AI providers (which may include Anthropic and others from time to time) when those providers are used to deliver or support the Services.

Integration Data

If you connect the Services to third-party platforms, cloud services, customer systems, data sources, APIs, identity providers, communication tools, analytics systems, or enterprise applications, we may collect information from those integrations as permitted by your settings, instructions, authorizations, and applicable agreements.

Usage, Log, and Technical Information

We may automatically collect IP addresses, browser type, device type, operating system, pages viewed, features used, timestamps, referring pages, session identifiers, crash logs, audit logs, authentication logs, API usage, latency metrics, security events, and similar technical or usage information.

Communications and Support Information

We may collect information when you contact us, request support, complete forms, respond to surveys, participate in sales discussions, provide feedback, or otherwise communicate with Flux Systems.

Payment and Commercial Information

If applicable, we or our payment processors (including Airwallex Pty Ltd) may collect billing details, transaction records, subscription information, order history, invoices, payment status, tax information, and related commercial data. We do not store full payment card details ourselves where a payment processor is used.

Cookies and Similar Technologies

We may use cookies, pixels, SDKs, local storage, analytics technologies, and similar tools to operate the Services, remember preferences, understand usage, improve performance, secure accounts, support analytics, and conduct marketing where permitted by law.

Sensitive Information

"Sensitive information" has the meaning given in section 6 of the Privacy Act, and includes information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation, health information, biometric information, and biometric templates.

Flux Systems does not require customers or users to submit sensitive information unless a particular deployment, feature, or customer configuration requires it. Some deployments may involve data that could be considered sensitive under the Privacy Act or comparable laws, such as biometric information, precise location, health-related information, government identification, workplace monitoring data, safety data, or information about protected characteristics.

Where a customer configures the Services to collect or process sensitive information, the customer is responsible for providing all required notices, obtaining required consents or authorisations, setting appropriate retention periods, and complying with laws that apply to its use of that information. Flux Systems may process such information as Customer Data and as permitted by the applicable agreement, customer instructions, this Privacy Policy, and applicable law.

3. How We Use Information

We use information for the following purposes, where permitted by applicable law and applicable customer agreements:

• To provide, operate, maintain, configure, and improve the Services.
• To create, administer, secure, and authenticate accounts.
• To process device data, telemetry, sensor data, operational data, logs, alerts, commands, workflows, analytics, and integrations.
• To provide AI, machine learning, automation, predictive maintenance, analytics, cloud offloading, edge computing, and related product features.
• To monitor performance, availability, reliability, latency, accuracy, quality, and security.
• To detect, prevent, investigate, and respond to fraud, abuse, security incidents, unauthorised access, misuse, service violations, or unlawful activity.
• To debug, troubleshoot, repair, and improve the Services.
• To develop, test, evaluate, benchmark, validate, and enhance products, services, models, algorithms, analytics, documentation, and internal tools, subject to the limits in Section 5.
• To create aggregated, anonymised, de-identified, statistical, or derived information.
• To provide customer support, professional services, training, onboarding, and technical assistance.
• To communicate with you about products, updates, security notices, administrative messages, events, offers, and other information.
• To process payments, subscriptions, invoices, renewals, taxes, and account administration.
• To comply with legal obligations, regulatory requirements, court orders, subpoenas, lawful requests, sanctions rules, export controls, tax obligations, and compliance processes.
• To enforce agreements, policies, and legal rights.
• To protect the rights, property, safety, security, and interests of Flux Systems, our customers, users, partners, service providers, and the public.
• To evaluate or conduct a merger, acquisition, financing, investment, reorganisation, bankruptcy, sale of assets, corporate transaction, or similar business event.
• For any other purpose disclosed at the time of collection, authorised by you or the relevant customer, compatible with the context in which the information was collected, or permitted by applicable law.

4. AI Processing

Flux Systems may use artificial intelligence, machine learning, large language models, predictive models, classifiers, automation systems, and related technologies to provide and improve the Services.

When you use AI-enabled features, relevant data may be included in prompts, context windows, embeddings, retrieval systems, model inputs, model outputs, evaluation pipelines, logs, or safety systems. This data may include Customer Data, operational data, technical logs, user instructions, documents, telemetry, and metadata, depending on the feature and configuration.

Flux Systems may use third-party AI providers (which may include Anthropic and others from time to time) to process AI inputs and outputs. We may also use cloud providers and infrastructure vendors, including Amazon Web Services and Microsoft Azure, to support AI-related processing, storage, logging, analysis, inference, monitoring, and security.

Subject to Section 5, Flux Systems may use AI-related data to operate, secure, monitor, evaluate, and support the Services, including by reviewing outputs for safety and quality, analysing performance, detecting misuse, improving prompts and workflows, testing features, and creating de-identified or aggregated datasets.

You should not submit sensitive, confidential, regulated, or third-party personal information into AI features unless you are authorised to do so and your use complies with applicable law and any agreement with Flux Systems. AI outputs may be incomplete, inaccurate, or inappropriate for certain uses. Customers and users are responsible for reviewing outputs before relying on them, especially in safety-critical, legal, employment, financial, medical, or similarly significant contexts.

5. Model Training and Customer-Specific Models

Flux Systems takes a tiered approach to using data for model training and development.

Aggregated and de-identified data. Flux Systems may use aggregated, anonymised, de-identified, statistical, or derived information to train, fine-tune, evaluate, benchmark, develop, and improve our products, models, algorithms, analytics, and related features. This is not subject to the opt-in requirements below.

Operating and improving the Services. Flux Systems may use Customer Data and related information as reasonably necessary to operate, secure, monitor, support, debug, and improve the Services, including by performing quality and safety reviews of AI outputs, investigating incidents, and tuning system performance. These activities do not constitute "model training" for the purposes of this Section.

Identifiable Customer Data — opt-in only. Flux Systems will not use identifiable Customer Data to train or fine-tune general-purpose models that are made available to other customers, except where the relevant customer has expressly opted in through a written agreement, order form, or configuration setting. Where a customer opts in, Flux Systems may use the identifiable Customer Data only for the model-training purposes described in that opt-in.

Customer-specific models — opt-in only. Flux Systems may offer features that use identifiable Customer Data to train, fine-tune, adapt, configure, or improve models that are specific to a particular customer, deployment, account, workspace, device fleet, workflow, or use case. These customer-specific models may be used to provide customised, personalised, adaptive, or optimised Services for that customer, including improved recommendations, predictions, automations, workflows, alerts, classifications, responses, diagnostics, and user experiences. Training or fine-tuning customer-specific models using identifiable Customer Data is enabled only with the customer's express opt-in. The customer is responsible for ensuring that it has provided any required notices, obtained any required consents or authorisations, and has a lawful basis for enabling such training.

Customer-specific model artefacts. Unless otherwise agreed in writing, customer-specific models, configurations, weights, embeddings, memories, personalisation layers, evaluation data, and related model artefacts may be hosted, maintained, monitored, updated, and improved by Flux Systems and its service providers as necessary to provide the applicable customised or personalised Services. Flux Systems may retain and use such artefacts for the applicable customer's benefit, subject to the customer's agreement with Flux Systems, applicable law, and any applicable opt-out or deletion rights.

Nothing in this Section limits Flux Systems' ability to use data that has been aggregated, anonymised, de-identified, or otherwise modified so that it is no longer reasonably capable of identifying a customer, user, device, or individual, except where restricted by applicable law or a written agreement with Flux Systems.

6. Aggregated, De-Identified, and Derived Data

Flux Systems may create, use, retain, and disclose aggregated, anonymised, de-identified, statistical, or derived information for any lawful business purpose, including analytics, benchmarking, product development, research, model evaluation, security, performance monitoring, business intelligence, and publication.

Where required by law, we will maintain and use de-identified information without attempting to re-identify it, except as permitted by law, such as to test de-identification methods, comply with legal obligations, or investigate misuse.

7. Feedback

If you provide comments, suggestions, ideas, feature requests, bug reports, or other feedback, Flux Systems may use that feedback without restriction or compensation, including to improve, develop, and market our products and services. Any personal information contained in feedback will be handled in accordance with this Privacy Policy.

8. How We Disclose Information

We may disclose information to the following categories of recipients.

Customers and Account Administrators

If your account is provided by or associated with a company, organisation, team, or customer, that customer and its administrators may access, control, export, delete, monitor, or configure information associated with your use of the Services.

Service Providers and Subprocessors

We may disclose information to vendors, service providers, contractors, and subprocessors who help us provide, host, secure, support, analyse, develop, or improve the Services. These may include cloud hosting providers, storage providers, database providers, infrastructure providers, AI providers, analytics providers, monitoring tools, payment processors, communication providers, customer support tools, security providers, identity providers, and professional service providers.

Current or anticipated providers may include Amazon Web Services, Microsoft Azure, Anthropic, Airwallex Pty Ltd, and Xero Australia Pty Ltd, along with other providers we may add, replace, or remove as our business evolves.

Cloud and AI Providers

We may disclose information to Amazon Web Services for infrastructure, hosting, storage, databases, logging, security, backup, disaster recovery, analytics, and related cloud services.

We may disclose information to Microsoft Azure for cloud services, IoT services, edge or cloud processing, analytics, integrations, development, customer-selected deployments, backup, monitoring, AI-related functionality, or related services.

We may disclose information to third-party AI providers (which may include Anthropic and others from time to time) for AI and large language model processing, including prompts, context, inputs, outputs, metadata, safety analysis, logging, debugging, monitoring, and related services.

Customer-Configured Integrations

If you enable or use third-party integrations, we may disclose information to those third parties as necessary to provide the integration or as directed by the customer or user. Third-party services are subject to their own terms and privacy practices.

Affiliates and Corporate Group Members

We may disclose information to our affiliates, subsidiaries, parent entities, and related companies for purposes consistent with this Privacy Policy.

Legal, Safety, and Compliance

We may disclose information to law enforcement, regulators, courts, government authorities, litigants, auditors, advisors, or other parties when we believe disclosure is required or permitted by law, necessary to protect rights or safety, necessary to enforce our agreements, necessary to investigate misuse or security issues, or appropriate in connection with legal claims or compliance obligations.

Business Transactions

We may disclose or transfer information in connection with an actual or proposed merger, acquisition, financing, investment, reorganisation, bankruptcy, sale of assets, change of control, due diligence process, or similar corporate transaction.

Professional Advisors

We may disclose information to lawyers, accountants, auditors, insurers, bankers, consultants, and other professional advisors.

With Consent or Direction

We may disclose information with your consent, at your direction, at the direction of the relevant customer, or as otherwise described when the information is collected.

9. Data Storage and International Transfers

As of the Last Updated date above, Flux Systems stores primary production Customer Data in Amazon Web Services region us-west-2 (US West, Oregon).

This is a statement of our current architecture, not a guarantee of exclusive data residency unless a written agreement with Flux Systems expressly says so. We may process, access, cache, replicate, back up, support, or transfer information in other regions or countries where necessary or useful to provide, secure, monitor, support, improve, or operate the Services; comply with law; use subprocessors; support customers; respond to incidents; or implement disaster recovery, redundancy, or business continuity measures.

Flux Systems, our customers, service providers, and subprocessors may process information in the United States and other countries that may have data protection laws different from those in your jurisdiction.

Where Flux Systems discloses personal information collected in Australia to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in a manner consistent with the APPs, as required by APP 8. Where the General Data Protection Regulation (EU) 2016/679 ("GDPR") or comparable laws apply, we will use appropriate transfer safeguards, such as standard contractual clauses, data processing agreements, adequacy decisions, transfer risk assessments, or other lawful transfer mechanisms.

10. Legal Bases (GDPR and Comparable Laws)

Where the GDPR or similar laws apply and Flux Systems acts as a controller, we may process personal data based on one or more of the following legal bases:

• Contract: to provide the Services, administer accounts, process payments, deliver support, and perform agreements.
• Legitimate Interests: to operate, secure, improve, develop, market, and analyse the Services; prevent fraud and abuse; protect rights and safety; conduct business operations; and communicate with customers and users, except where overridden by applicable rights and interests.
• Consent: where we request consent, such as for certain marketing communications, cookies, sensitive data processing, customer-specific model training using identifiable information, or optional features.
• Legal Obligation: to comply with laws, regulations, court orders, tax obligations, sanctions, export controls, and lawful requests.

Where Flux Systems processes Customer Data as a processor, service provider, or subprocessor, the customer is generally responsible for identifying and maintaining the applicable legal basis.

11. Data Retention

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, maintain backups, support business operations, and preserve legal rights.

Retention periods may vary based on the type of information, customer configuration, account status, legal requirements, contractual obligations, security needs, backup cycles, and operational requirements.

We may retain aggregated, anonymised, de-identified, statistical, or derived information for as long as needed for legitimate business purposes.

If information is deleted from active systems, it may remain in backups, archives, logs, or disaster recovery systems for a limited period, unless earlier deletion is legally or technically required. We may also retain information where necessary for legal, compliance, security, fraud prevention, audit, accounting, or dispute-resolution purposes.

12. Security and Data Breaches

We use reasonable administrative, technical, and organisational safeguards designed to protect information against unauthorised access, loss, misuse, disclosure, alteration, and destruction. These safeguards may include access controls, encryption in transit and at rest where appropriate, network segmentation, logging, monitoring, authentication, vendor diligence, security reviews, and incident response processes.

No system, network, cloud service, device, AI system, or transmission method is completely secure. We cannot guarantee that information will always remain secure. Customers and users are responsible for maintaining the security of their own accounts, credentials, devices, networks, configurations, integrations, and endpoints.

If we become aware of an eligible data breach as defined under Part IIIC of the Privacy Act, we will comply with our obligations under the Notifiable Data Breaches scheme, including notifying affected individuals and the Office of the Australian Information Commissioner ("OAIC") where required. Where other data breach notification laws apply, we will comply with those laws.

13. Your Choices and Rights

Depending on where you live and how you interact with Flux Systems, you may have rights to:

• request access to personal information we hold about you (including under APP 12);
• request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (including under APP 13);
• request deletion, portability, restriction, or objection where applicable law provides those rights;
• withdraw consent where processing is based on consent; and
• lodge a complaint with a data protection authority, including the OAIC in Australia.

To exercise privacy rights, contact us at [email protected]. We will acknowledge your request within 5 business days and aim to respond substantively within 30 days. We may need to verify your identity and authority before responding. We may deny or limit requests where permitted by law, including where fulfilling a request would adversely affect others, interfere with security, reveal trade secrets, conflict with legal obligations, or impair our ability to establish, exercise, or defend legal claims.

If your information is processed by Flux Systems on behalf of one of our customers, you should direct your request to that customer. We may refer your request to the relevant customer or process it according to the customer's instructions.

You may unsubscribe from marketing emails by using the unsubscribe link in those emails or contacting us at [email protected]. Even if you opt out of marketing, we may still send transactional, security, legal, support, and administrative communications.

You may control cookies through your browser settings or tools we provide, where applicable. Some cookies and similar technologies are necessary for the Services to function.

Complaints to the OAIC. If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner:

Website: www.oaic.gov.au Phone: 1300 363 992 Mail: GPO Box 5288, Sydney NSW 2001

14. Sales, Sharing, and Advertising

Flux Systems does not sell personal information. We may disclose information to service providers, subprocessors, affiliates, business partners, and other parties as described in this Privacy Policy.

Some privacy laws define "sale", "sharing", or "targeted advertising" broadly. If our use of advertising, analytics, or similar technologies is considered a sale, sharing, or targeted advertising under applicable law, we will provide any notices and choices required by law.

15. Children

The Services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us without appropriate authorisation, contact us at [email protected] and we will take appropriate steps.

Customers are responsible for ensuring that their use of the Services does not involve children's data unless permitted by law, supported by the applicable agreement, and accompanied by all required notices, consents, and safeguards.

16. Automated Decision-Making

The Platform includes automated processing features that may have significant effects on individuals, including behavioural analytics, risk scoring, identity matching, anomaly detection, and access-control decisions. These features operate under the direction and control of the relevant Flux customer, who determines how outputs are used and is responsible for providing notice to affected individuals, obtaining any required consents, and complying with laws that govern automated decision-making.

Flux Systems does not itself make solely automated decisions about individuals (based on Website information or otherwise) that produce legal or similarly significant effects, except where we provide notice and comply with applicable legal requirements.

Customers are responsible for how they use outputs, analytics, recommendations, alerts, predictions, or AI-generated information from the Services.

17. Third-Party Services

The Services may contain links to, integrations with, or features provided by third-party services. We are not responsible for the privacy, security, or data practices of third parties that are not acting as our service providers or subprocessors. You should review the privacy notices and terms of those third parties before using them.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, technology, vendors, infrastructure, legal requirements, or business practices. When we update this Privacy Policy, we will revise the "Last Updated" date above. If required by law or if changes are material, we may provide additional notice.

Your continued use of the Services after an updated Privacy Policy becomes effective means that you acknowledge the updated Privacy Policy, except where additional consent is required by law.

19. Contact Us

For questions, requests, or concerns about this Privacy Policy or Flux Systems' privacy practices, contact us at:

Flux Systems Pty Ltd ACN 686 377 373 · ABN 28 686 377 373 Attn: Privacy C5, Level 1, 2 Main Street Point Cook VIC 3030, Australia Email: [email protected]