
Privacy policy

Last updated · March 15, 2026

CatalystOS is built by a coach for coaches. This policy explains how we collect, protect, and never sell your data — with coaching-specific safeguards that go beyond standard SaaS practice.

Contents

  1. Introduction
  2. Information we collect
  3. How we use your information
  4. Coaching data protection
  5. AI data usage
  6. Data sharing & disclosure
  7. Data storage & security
  8. Data retention
  9. Data breach notification
  10. Your rights
  11. Cookies & tracking
  12. Children's privacy
  13. International transfers
  14. Changes to this policy
  15. Contact us

01

Introduction

CatalystOS Pty Ltd (ACN 692 605 155, ABN 64 692 605 155) ("we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use CatalystOS ("the Service").

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and applicable state and territory privacy legislation. For users located in the European Union, we also provide protections consistent with the General Data Protection Regulation (GDPR).

02

Information we collect

2.1 Account information

When you create an account, we collect:

  • Name and email address
  • Professional credentials and coaching certifications (if provided)
  • LinkedIn profile data (if you choose to connect your account)
  • Subscription tier and billing information (processed by Stripe)

2.2 Practice data

Through your use of the Service, you may provide:

  • Client names, contact details, and session notes
  • Coaching session recordings and transcriptions
  • Knowledge items (voice notes, text notes, URLs)
  • Invoices and financial records
  • Goals, frameworks, and coaching methodologies

2.3 Usage data

We automatically collect:

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Feature usage patterns (which views you access, how you interact with Kai)
  • Performance metrics (page load times, error logs)

03

How we use your information

  • Provide the Service: Power Kai's AI features, generate Morning Briefings, Smart Actions, and session preparation materials.
  • Process payments: Manage subscriptions, invoicing, and Stripe Connect payouts.
  • Communicate: Send transactional emails (welcome, session reminders, invoice notifications, trial updates).
  • Improve the Service: Analyse aggregated, anonymised usage patterns to enhance features and performance.
  • Ensure security: Detect and prevent fraudulent or unauthorised access.
  • Legal compliance: Meet Australian tax, financial reporting, and regulatory obligations.

04

Coaching data protection

Why this section exists

Standard SaaS policies treat your data as a generic asset. Yours isn't. Session notes carry disclosures, family details, and health context that demand a higher bar than analytics data.

So we apply four layers of protection — automated PII stripping, k-anonymity benchmarks, layered access controls, and a verified-coach gate — before any analytical or aggregated context touches your records.

4.1 Automatic PII detection & stripping

Our Privacy Controller Agent automatically detects and strips personally identifiable information (PII) from data before it is used in any aggregated or analytical context. This includes coaching-specific sensitive data such as personal disclosures, family information, and health-related topics discussed during sessions.

4.2 k-Anonymity for benchmarking

When we provide aggregated insights — such as market pricing benchmarks from our Market Benchmarking Engine — we enforce k-anonymity (k≥5). No aggregated data point is ever released unless it represents at least 5 coaches, making it statistically impossible to identify any individual coach's pricing, revenue, or business data.

4.3 4-layer data anonymity model

Every piece of coaching data is protected through four layers:

  • L1 Encryption: All data is encrypted in transit (TLS 1.2+) and at rest.
  • L2 PII detection: Automated scanning strips identifiable information before aggregation.
  • L3 k-Anonymity: Aggregated insights require k≥5 records before release.
  • L4 Access controls: Role-based permissions ensure only authorised parties access specific data.

4.4 Professional gate

CatalystOS maintains a verified coaching ecosystem. All coaches undergo credential verification (ICF, EMCC, or equivalent) during onboarding. This Professional Gate ensures that only credentialed practitioners have access to the platform's coaching tools and client data features — protecting the integrity and trust of the entire ecosystem.

05

AI data usage

CatalystOS uses AI (powered by Anthropic and Google) to provide intelligent features. Regarding your data and AI:

  • We do not use your private coaching data to train public AI models.
  • Your data is sent to AI providers only to generate responses within the Service (e.g., Kai chat, session analysis).
  • AI providers process your data under strict data processing agreements that prohibit training on your content.
  • AI-generated insights are derived from your data within the context of your account only.
  • You can control AI features through your account settings.
  • Human-in-the-Loop: All AI-generated outputs intended for your clients (emails, messages, content) require your explicit approval before being sent. You retain full control — the "Human Signature" — over every client-facing communication.

This approach aligns with the ICF Code of Ethics regarding client confidentiality and the responsible use of technology in coaching.

06

Data sharing & disclosure

We share your information only in the following circumstances:

  • Service providers: Stripe (payments), Resend (email), Anthropic/Google (AI), Neon (database hosting), Vercel (application hosting).
  • Your clients: When you use the Service to send invoices, session reminders, or share content with your coaching clients.
  • Legal requirements: When required by law, regulation, or legal process.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice.

We do not sell your personal information to third parties.

07

Data storage & security

  • Data is stored on servers located in Australia and the United States (via Neon and Vercel).
  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • We use industry-standard security measures including access controls, audit logging, and regular security reviews.
  • Session cookies use httpOnly, secure, and sameSite attributes.
  • We conduct periodic security audits (most recently: Phase 7 of our hardening programme).

08

Data retention

  • Active accounts: Data is retained for the duration of your subscription.
  • Cancelled accounts: Data is retained for 30 days after cancellation to allow reactivation, then permanently deleted.
  • Financial records: Invoices, payment records, and tax-related data are retained for 7 years as required by Australian tax law.
  • Anonymised analytics: Aggregated, non-identifiable usage data may be retained indefinitely for service improvement.

09

Data breach notification

In the event of a data breach that is likely to result in serious harm, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of an eligible breach, as required under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988.
  • Notify affected individuals as soon as practicable with a description of the breach, the types of information involved, and recommended steps.
  • For EU/UK users, notify the relevant supervisory authority within 72 hours as required by the GDPR.
  • Maintain an internal breach register documenting all incidents, assessments, and remediation actions.

10

Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information (subject to legal retention obligations).
  • Data portability: Export your data at any time using the in-app export feature.
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

For EU/UK users (GDPR)

In addition to the above, you have the right to:

  • Object to processing of your personal data.
  • Restrict processing in certain circumstances.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at support@catalystos.coach.

11

Cookies & tracking

CatalystOS uses the following cookies:

  • Essential cookies: Required for authentication and session management. Cannot be disabled.
  • Analytics cookies: Help us understand how the Service is used. Can be disabled in settings.

We do not use third-party advertising cookies. We do not participate in cross-site tracking or ad networks.

12

Children's privacy

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.

13

International data transfers

Your data may be transferred to and processed in countries outside Australia (primarily the United States) for hosting and AI processing purposes. We ensure appropriate safeguards are in place, including data processing agreements with our service providers that meet the requirements of the APPs and, where applicable, the GDPR.

14

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

15

Contact us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

  • Email: support@catalystos.coach
  • Entity: CatalystOS Pty Ltd · ACN 692 605 155
  • Address: 10/387 George Street, Sydney NSW 2000, Australia
  • Regulator: oaic.gov.au