Privacy Policy
Last updated: 23 April 2026
Multi-Tenant Knowledge Management Platform
Effective Date: 23 April 2026
Entity: KnowledgeScout Pty Ltd
ABN: 24 696 430 627
Location: Sydney, Australia
1. Introduction
KnowledgeScout Pty Ltd (ABN 24 696 430 627) ("we", "us", "our", or "KnowledgeScout") operates a multi-tenant, cloud-hosted knowledge management platform available at knowledgescout.io and through client-specific subdomains.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal information. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. In some circumstances, additional privacy rights or obligations may apply under other laws depending on where individuals are located, where services are provided, or how personal information is processed.
This policy applies to all users of KnowledgeScout, including Client administrators, editors, agents, end users of client-facing widgets, and website visitors. This Privacy Policy should be read alongside our Terms of Service and Data Processing Agreement, which together govern your use of the platform.
1.1 Scope
We process personal information in the following capacities:
- As a Data Controller: When we collect and process data about Clients, their authorised users, website visitors, and prospective customers for our business purposes (account management, billing, marketing, platform improvement).
- As a Data Processor: When we process personal information contained in Client Content on behalf of and under the documented instructions of Clients. In this capacity, the Client is the Data Controller.
Where we process personal information contained in Client Content on behalf of a Client, that Client is generally responsible for its own privacy notices, permissions, consents where required, and compliance obligations relating to that information, subject to our obligations under applicable law and any separate agreement with that Client.
1.2 Definitions
| Term | Definition |
|---|---|
| Client | An organisation with a subscription agreement to use the platform |
| Authorised User | An individual authorised by a Client to access the platform (administrator, editor, agent, etc.) |
| End User | A customer or member of the public who interacts with a Client's widget or public knowledge base |
| Personal Information | Information about an identified individual, or an individual who is reasonably identifiable, as defined under applicable data protection law |
| Client Content | Data created, uploaded, or generated by a Client within the platform (articles, documents, search logs, conversation logs, interaction data) |
| Sub-processor | A third-party service provider that processes personal information on behalf of KnowledgeScout |
2. Information We Collect
2.1 Information We Collect as Data Controller
Account and Registration Data
When a Client signs up, we collect:
- Full name and email address of the account holder
- Organisation name and details
- Payment information (processed via Stripe; we do not retain full card numbers)
- Data region preference (Australia, United Kingdom, or United States)
When Users are provisioned by a Client administrator, we collect:
- Full name and email address
Authentication Data
Users may authenticate via username and password, email code, or single sign-on (SSO) using Microsoft or Google. When using SSO, we receive identity confirmation (name and email) to verify the user against their existing account. No additional personal data is collected from SSO providers beyond what is necessary for authentication.
Website Visitor Data
We use Plausible Analytics to collect aggregate, anonymised website statistics. It is configured to minimise the collection of personal information and is intended to collect limited aggregate or technical usage data. Data collected includes:
- Approximate geographic location (country level only)
- Browser type and operating system
- Referring URL and pages visited
- Goal conversions (e.g. contact form submissions)
IP addresses are not stored in identifiable form.
Website Chat
Our website may feature an AI chat assistant. If available, conversations may be recorded and retained for up to 30 days to help us understand visitor questions and improve our content. No personal information is collected unless you voluntarily provide it in the conversation.
Communication Data
When you contact us via email, support tickets, or other channels, we collect your contact details, message content, and any attachments.
Platform Usage Data
To support service delivery and improvement, we collect:
- Searches, queries, and content interactions
- Features used and functionality interactions
- Analytical events (searches performed, workflows completed, etc.)
- Error logs and diagnostic data
2.2 Information We Process as Data Processor
In our capacity as a data processor, we process Client Content that may contain personal information:
- Knowledge base articles (which may reference customer names, identifiers, or similar)
- Uploaded documents (PDFs, spreadsheets, guides, etc.)
- Search queries and interaction metadata
- AI conversation logs (when enabled and configured)
- Quiz and workflow responses
- Progress and completion tracking data
Important: The platform is designed for business knowledge management (articles, guides, FAQs, procedures, training materials). Clients should not systematically store personal data such as customer records, health information, financial account details, or government identifiers. Clients are responsible for ensuring their use complies with applicable data protection laws.
2.3 Information We Do Not Collect
KnowledgeScout does not intentionally collect government-issued identification numbers, financial account details, health records, biometric data, or information about children under the age of digital consent in their jurisdiction through its own direct collection activities. However, such information may be included by Clients within Client Content, for which the Client is responsible.
2.4 Providing Personal Information
You are not obliged to provide personal information to us. However, if you do not provide certain personal information, we may not be able to provide the platform, respond to your enquiries, or otherwise supply our services to you.
2.5 Anonymity and Pseudonymity
Where lawful and practicable, you may choose to deal with us anonymously or using a pseudonym (for example, when making a general enquiry). However, for most interactions with the platform, including account creation and use of the services, it will be necessary for you to identify yourself.
3. How We Use Information
3.1 As Data Controller
Where applicable law requires us to identify a legal basis for processing personal information that we control directly, we generally rely on the following bases:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing and maintaining the platform | Account details, usage data | Performance of contract |
| Billing and payment processing | Billing address, payment information | Performance of contract |
| Customer support and communications | Contact details, support correspondence | Performance of contract / Legitimate interests |
| Platform improvement and analytics | Aggregated usage data, error logs | Legitimate interests |
| Marketing and optional communications | Name, email, company | Consent |
| Security, fraud prevention, abuse detection | IP addresses, access logs, session data | Legitimate interests |
| Legal compliance and dispute resolution | As required by applicable law | Legal obligation |
3.2 As Data Processor
When processing Client Content, we process personal information only in accordance with the Client's documented instructions, our Data Processing Agreement, and applicable law. Our processing activities include:
- Hosting and storing Client Content in the Client's chosen data region
- Indexing content for search functionality
- Transmitting data to third-party services where the Client has configured an integration (e.g. AI features)
- Generating analytics and usage reports for the Client
- Performing backups and disaster recovery
- Maintaining audit logs of administrative actions
4. Artificial Intelligence and Third-Party Data Processing
4.1 AI Features
KnowledgeScout offers optional AI-powered features including conversational assistance, content suggestions, and automated generation. These features are available on all plans and can be disabled via System Settings.
4.2 Default AI Provider
When a Client uses the default AI features, KnowledgeScout transmits to the AI provider:
- The user's search query or question
- Relevant content excerpts from the knowledge base (as context)
- Conversation history within the current session (to maintain context)
KnowledgeScout does NOT transmit user account details, billing information, or personal information unrelated to the specific query.
We may use one or more third-party AI service providers to support optional AI features. Where we do so, we take reasonable steps to ensure those providers are subject to appropriate contractual, technical, and organisational protections having regard to the nature of the processing and applicable law. Processing locations may differ from the Client's chosen data region depending on the AI feature used and the provider selected. A current list of relevant service providers is available in our Sub-processor List. Clients with specific data sovereignty or procurement requirements should contact us to discuss available configurations, including disabling AI features or using supported BYOK options.
4.3 Bring Your Own API Key (BYOK)
KnowledgeScout supports Clients connecting their own API key from supported AI providers. When using BYOK:
- The Client has a direct contractual relationship with the chosen provider (KnowledgeScout is not a party)
- Data is transmitted under the Client's own API key and the Client's own terms with that provider
- KnowledgeScout does not store the Client's API key in plain text
- KnowledgeScout makes no representations regarding the provider's data handling, security, or compliance
Clients using BYOK should independently review their chosen provider's privacy and data processing terms.
When a Client uses BYOK, KnowledgeScout acts on the Client's instruction in facilitating that connection, and the Client remains responsible for its relationship with the selected provider and that provider's handling of personal information.
4.4 AI Conversation Logging
AI interactions (queries, responses, source content, and timestamps) may be logged and stored within the Client's tenant. Retention is configured by the Client administrator, separately for internal and public-facing AI interactions, with a range of 0 days (logging disabled) through to 2555 days. The default retention is 30 days for each. Logs are stored in the Client's chosen data region and are accessible to the Client's administrators.
4.5 Opting Out
Clients may disable AI features at the tenant level through the administration panel. When disabled, no Client Content is transmitted to AI providers.
5. Data Storage and Sovereignty
5.1 Multi-Region Architecture
Clients may select a preferred data region (for example, Australia, the United Kingdom, or the United States) when provisioning their account.
Client Content is generally stored in the Client's chosen region. However, limited processing, access, support, security, backup, routing, or service functionality may involve handling outside that region where described in this Policy, required to provide the services, or otherwise agreed with the Client.
5.2 Infrastructure and Backups
We use industry-standard cloud infrastructure providers for hosting and storage (current providers are listed in our Sub-processor List). Backups are encrypted at rest with AES-256 and stored in Cloudflare R2 within the same geographic region.
Backups are encrypted and retained in accordance with our internal retention practices, legal obligations, and contractual arrangements. Residual copies may remain in backups for a limited period and will be overwritten or deleted in the ordinary course, subject to technical limitations and any agreed arrangements with the relevant Client.
5.3 Platform and Account Data
Certain platform-level data (account authentication, subscription management, billing, aggregated analytics, system logs) is stored centrally and may not reside in the Client's chosen data region. This is necessary to operate the platform. This data is separate from Client Content stored in tenant databases. This may include account, authentication, subscription, billing, support, security, abuse-prevention, and limited technical telemetry data relating to use of the platform, even where the underlying Client Content remains primarily stored in the Client's chosen region.
5.4 Database Encryption
Tenant databases are encrypted at rest with AES-256 using per-tenant keys. Data in transit is encrypted with TLS 1.2 or higher. Each Client tenant has its own isolated database.
6. Data Sharing and Disclosure
We do not sell, rent, lease, or trade personal information to third parties. We may share personal information in limited circumstances:
6.1 Sub-processors
We engage third-party service providers and sub-processors to help provide and support the platform. We take reasonable steps to ensure those providers are subject to appropriate privacy, confidentiality, security, and data handling obligations. A current list of relevant sub-processors and service providers is available in our Sub-processor List.
Note: When Clients use BYOK to connect their own AI provider, that provider is not a sub-processor of KnowledgeScout. The Client has a direct contractual relationship with the provider.
6.2 Legal Requirements
We may disclose personal information where required by law, regulation, court order, or enforceable governmental request. We will, to the extent permitted by law, notify the affected Client before disclosing Client Content.
6.3 Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or asset sale, personal information may be transferred to the successor entity. We will provide advance notice before personal information becomes subject to a different privacy policy.
6.4 User Consent
Other than as described in this Policy, we do not disclose personal information without explicit consent.
7. International Data Transfers
7.1 Transfers from UK/EEA
Where personal information is transferred internationally and applicable law requires additional safeguards, we take reasonable steps to implement appropriate contractual, technical, and organisational measures having regard to the nature of the transfer and the applicable legal requirements.
7.2 Transfers from Australia
Where we disclose personal information to overseas recipients, we take reasonable steps in the circumstances to ensure the information is handled consistently with applicable privacy requirements, including under APP 8 where relevant:
- Contractual obligations requiring compliance with the APPs
- Due diligence assessments of sub-processor practices
- Technical measures to protect data during and after transfer
7.3 Transfers Involving AI Processing
Where personal information is processed by third-party AI providers and applicable law requires transfer safeguards, we take reasonable steps to implement appropriate contractual, technical and organisational measures.
8. Data Retention
8.1 Client Content
Client Content is retained for the duration of the subscription. Upon cancellation or termination:
- The account enters a cancelled state for 30 days, during which the Client may log in and download their data
- After 30 days, Client Content is permanently deleted
- Backup copies are deleted or overwritten in the ordinary course in accordance with our retention practices, subject to technical limitations, legal obligations, and any agreed arrangements with the relevant Client.
Deletion and recovery timeframes may be subject to technical constraints, backup cycles, legal obligations, and any separate agreement with the relevant Client.
8.2 Account Data
Client account and billing information is retained for 7 years after account closure to comply with Australian tax and accounting obligations.
8.3 Logs and Analytics
System and access logs are retained for 12 months for security and compliance purposes. Aggregated, anonymised analytics data may be retained indefinitely as it does not constitute personal information.
8.4 Marketing and Communications Data
Contact information for opted-in marketing communications is retained until consent is withdrawn or deletion is requested, whichever occurs first.
8.5 Data Export
Clients can export their data at any time through the administration panel or by requesting a complete data export.
9. Your Rights
Subject to applicable law, you may have rights to request access to, and correction of, personal information we hold about you. In some circumstances, additional rights may also apply.
9.1 Rights in All Jurisdictions
- Access: Request access to personal information we hold about you, subject to applicable law
- Correction: Request correction of inaccurate, incomplete, or out-of-date personal information
- Complaint: Contact us with privacy concerns or complaints, and lodge a complaint with a relevant regulator where available under applicable law
9.2 Additional Rights in Other Jurisdictions
Depending on where you are located, additional privacy rights may apply under other laws, including rights relating to deletion, portability, objection, restriction, or opting out of certain forms of processing. Where such laws apply to our processing of your personal information, we will handle requests in accordance with those laws.
9.3 Additional Rights Under Australian Privacy Principles
- Request access to, and correction of, personal information we hold about you, and request that we delete or de-identify personal information where appropriate and permitted by law.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
9.4 Exercising Your Rights
Contact us using the details in Section 13. We will respond within the timeframe required by applicable law (typically 30 days). We may ask you to verify your identity before processing your request.
Where your request relates to personal information contained in Client Content that we process on behalf of a Client, you should direct your request to that Client first. We may assist our Clients with such requests where required under our contractual arrangements or applicable law.
10. Cookies and Tracking
10.1 Strictly Necessary Cookies
We use cookies for essential platform functionality:
- Session authentication: Stores an encrypted session identifier only. Expires on browser close or after session timeout. Required for all authenticated functions.
- Security cookies: Used for CSRF protection and abuse detection via our infrastructure provider.
10.2 Cookie-Free Analytics
We use cookie-free analytics tools configured to operate without setting cookies or storing personal data on your device. These tools are configured to minimise the collection of personal information and are intended to collect limited aggregate, statistical, or technical usage data.
10.3 Cookie Control
Because we currently only use strictly necessary cookies and cookie-free analytics, no cookie consent banner is displayed.
11. Security
11.1 Security Measures
We implement comprehensive measures to protect personal information:
- Encryption in transit (TLS 1.2 or higher)
- Encryption at rest (AES-256 for databases and backups)
- Password hashing with modern algorithms
- Session hardening with security flags and timeouts
- Role-based access control with granular permissions
- Complete data isolation between tenants
- Input validation and sanitisation
- CSRF protection on all forms
- Login rate limiting and account lockout
- Encryption of sensitive credentials at rest
- File validation on uploads
- Comprehensive audit logging of administrative actions
- Application error monitoring configured not to intentionally capture Client Content
11.2 Limitations
No system is completely immune to security breaches. You are responsible for maintaining the confidentiality of your login credentials and for notifying us immediately of any unauthorised access.
11.3 Data Breach Notification
In the event of an eligible data breach or other security incident affecting personal information, we will assess the incident promptly and provide notifications where required by applicable law.
12. Changes to This Policy
We may update this Policy to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top indicates when it was last revised.
For material changes, we will provide prominent notice on our website or send a notification email. By continuing to use KnowledgeScout after the updated Policy takes effect, you acknowledge the updated Policy to the extent permitted by applicable law.
13. Contact Us
If you have questions or requests regarding this Privacy Policy, please contact us:
KnowledgeScout Pty Ltd
ABN: 24 696 430 627
Email: privacy@knowledgescout.io
Address: Sydney, Australia
We aim to resolve privacy concerns promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
- Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
We will acknowledge privacy complaints promptly and aim to respond within a reasonable period, usually within 30 days. We will take reasonable steps to investigate your complaint and, where appropriate, implement measures to resolve the issue.
Before responding to a request or complaint, we may take reasonable steps to verify your identity.
Individuals in other jurisdictions may also have the right to complain to a relevant privacy or consumer protection regulator where applicable.
Version: 3.1