Privacy Policy for Zhare.ai

Last Updated: 30 November 2025

1. Introduction

Welcome to Zhare.ai ("we," "us," or "our"). We are committed to protecting your personal information and your right to privacy in accordance with:

  • 🇦🇺 Australian Privacy Principles (APPs) - Privacy Act 1988 (Cth)
  • 🇪🇺 General Data Protection Regulation (GDPR) - EU Regulation 2016/679
  • 🇬🇧 UK GDPR - Data Protection Act 2018
  • 🇺🇸 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • 🏥 Health Insurance Portability and Accountability Act (HIPAA) - for health-related data (infrastructure ready)

If you have any questions or concerns about this privacy notice, or our practices with regards to your personal information, please contact us at privacy@zhare.com.

This privacy notice describes how we collect, use, store, and disclose your information when you visit our website at zhare.com or use our services (collectively, the "Services").

By using our Services, you consent to the collection and use of your information as described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide to Us

We collect personal information that you voluntarily provide to us when you:

  • Register for an account
  • Use our Services
  • Participate in the Zharer Programme (resource sharing)
  • Make purchases or request payouts
  • Contact us for support
  • Participate in user surveys or promotions

The personal information we collect may include:

  • Identity Information: Full name, date of birth (for age verification), email address, username
  • Authentication Data: Passwords (encrypted), Google account information (if using Google Sign-In)
  • Payment Information: Debit/credit card numbers (processed securely via Stripe - we do not store card details)
  • Business Information: Australian Business Number (ABN), ACN, business name, business address, business phone number (for business accounts)
  • Payout Information: Bank account details (BSB and account number), Driver's Licence or other identity documents (processed via Stripe Connect for verification)
  • Technical Information: Hardware specifications (CPU, GPU, RAM), browser type, IP address, device information
  • Usage Data: AI prompts, task history, resource sharing statistics, credit balance and transactions
  • Location Data: Approximate location (city/suburb level) based on IP address or user-provided location (for geolocation features)
  • User Content: Files uploaded for AI processing, marketplace listings, Coffee Worthy posts, profile information

2.2 Information Collected Automatically

When you access our Services, we automatically collect certain information, including:

  • Log Data: IP address, browser type and version, pages visited, time and date of visits, time spent on pages
  • Device Information: Hardware model, operating system, unique device identifiers
  • Cookies and Tracking: We use cookies and similar tracking technologies to track activity on our Services and store certain information (see Section 8)

2.3 Sensitive Information

We collect the following sensitive information only with your explicit consent:

  • Date of Birth: To verify you are at least 16 years old (Australian law requirement)
  • Identity Documents: Driver's Licence or Passport (only for business payout verification via Stripe Connect)

This information is handled in accordance with APP 3 (Collection of Solicited Personal Information) and the Privacy Act 1988 (Cth).

2.4 Desktop Application Data

If you use our desktop applications built with cross-platform frameworks, we may collect additional information including:

  • System Information: Operating system version, CPU/GPU models, RAM capacity, available storage
  • Resource Usage: CPU usage, GPU usage, memory consumption, idle state detection
  • Local Model Data: Names and sizes of AI models stored locally (but not the model files themselves)
  • Application Logs: Error logs, crash reports, performance metrics
  • Auto-Update Information: Current version, update history, installation path

This data is collected to optimize resource sharing, provide technical support, and improve desktop application performance. Most processing occurs locally on your device.

2.5 Peer-to-Peer Communication Data

When you use peer-to-peer communication features (direct messaging, voice/video calls, scene synchronization), we collect:

  • Connection Metadata: Connection timestamps, duration, participants, connection quality metrics
  • Signaling Data: Session descriptions, ICE candidates (including IP addresses) for connection establishment
  • Media Settings: Camera/microphone permissions, selected devices, video/audio quality preferences

Important: The actual content of peer-to-peer communications (messages, voice, video) is transmitted directly between participants and is protected by advanced post-quantum encryption algorithms. We do not store or access the content of encrypted peer-to-peer communications.

2.6 IoT and SDK Data

If you use our IoT/Robotics SDKs (JavaScript, Node.js, Python) or Widget SDK, we may collect:

  • SDK Version: SDK name, version number, platform information
  • API Usage: Endpoint calls, request/response times, error rates
  • Device Information: Device type, firmware version, connectivity status (for IoT devices)
  • Widget Data: Website URL, visitor interactions, widget configuration (for Widget SDK)

We do not collect sensor data, camera feeds, or control commands from IoT devices unless explicitly configured for cloud-based processing.

2.7 Multi-User and Gaming Data

When you participate in multi-user features (Guilds, games, streaming), we collect:

  • Guild Data: Guild membership, roles, permissions, collaborative task history
  • Game Data: Game scores, achievements, player positions, multiplayer interactions
  • Streaming Data: Broadcast metadata, viewer counts, stream duration, chat messages (if moderation is enabled)
  • Social Interactions: Friend lists, blocked users, reported content

3. How We Use Your Information

We use personal information collected via our Services for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations.

  • To facilitate account creation and logon process, including age verification.
  • To manage user accounts and provide customer support.
  • To send administrative information to you, such as information regarding changes to our terms, conditions, and policies.
  • To fulfil and manage your orders, payments, returns, and exchanges for AI credits and marketplace redemptions.
  • To process payments and prevent fraud (securely handled by Stripe).
  • To facilitate payouts to Zharers (securely handled by Stripe Connect).
  • To personalise and improve your experience on our Services.
  • To respond to legal requests and prevent harm.

4. Sharing Your Information

We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfil business obligations. We may share your data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work.

4.1 Backend and Infrastructure Providers

Depending on configuration, we may use various cloud backend service providers for database, authentication, storage, and cloud functions. Your data is processed and stored in accordance with the selected provider's terms and privacy policies.

4.2 Analytics Providers

We may use third-party analytics services to understand user behavior and improve our Services. These services may track user engagement, app performance, behavioral analytics, and conversion tracking. You can opt out of non-essential analytics tracking in your account settings.

4.3 Error Logging and Monitoring

To identify and fix bugs, we may use third-party error logging and monitoring services for real-time error tracking, crash reporting, and performance monitoring. These services receive error messages, stack traces, and context information but do not receive sensitive personal information.

4.4 Payment Processing

All payment processing and identity verification is handled securely by our PCI DSS compliant payment service provider for credit card processing, subscription management, identity verification, business verification, and payout processing. We do not store your full credit card details or identity documents on our servers.

4.5 Business Transfers

We may share or transfer information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. Children's Privacy

In compliance with Australian law (including the amended Online Safety Act, effective 10 December 2025), our Services are not intended for, and we do not knowingly collect data from, anyone under the age of 16. If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.

6. Data Security and Compliance Certifications

6.1 Security Measures

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process, including:

  • Encryption at Rest: Sensitive data (financial, health, biometric) encrypted using industry-standard encryption algorithms
  • Encryption in Transit: All data transmitted over HTTPS with strong TLS protocols
  • Post-Quantum Cryptography: Advanced post-quantum encryption algorithms for AI agent communications, resistant to quantum computing attacks
  • Field-Level Encryption: TFN, bank details, ID documents encrypted individually
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
  • Audit Logging: Comprehensive tamper-evident audit trails with 7-year retention for all data access and modifications
  • HIPAA-Ready Infrastructure: Meets technical safeguards under 45 CFR § 164.312

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot guarantee absolute security but we maintain industry-leading practices.

6.2 Compliance Certifications

We maintain comprehensive compliance with international security and privacy standards:

  • ISO 27001: Information Security Management System framework with controls for cryptographic protection, access control, malware protection, and information backup
  • SOC 2 Type II: Service Organization Control compliance covering Trust Services Criteria (Security, Availability, Privacy)
  • GDPR: Full compliance with EU General Data Protection Regulation including Article 32 security requirements
  • CCPA/CPRA: California privacy law compliance with enhanced security provisions
  • HIPAA: Infrastructure ready for Protected Health Information with Business Associate Agreements available

6.3 Data Privacy Impact Assessments (DPIA)

We conduct regular Data Privacy Impact Assessments as required by GDPR Article 35 for high-risk processing activities, including:

  • AI processing of voice data and biometric information
  • Large-scale processing of personal data
  • Automated decision-making and profiling
  • Processing of special category data (health information, if applicable)

Our DPIAs assess risks to your privacy and implement appropriate mitigation measures to minimize those risks.

6.4 Vendor Risk Management

We maintain a comprehensive vendor risk management program for all third-party service providers handling your data:

  • All vendors undergo security and privacy risk assessments before engagement
  • Vendors must maintain appropriate certifications (ISO 27001, SOC 2, GDPR, CCPA compliance)
  • Data Processing Agreements (DPAs) are executed with all data processors
  • Regular vendor audits and compliance reviews are conducted
  • Vendor security incidents are tracked and managed

6.5 Data Mapping and Inventory

We maintain a comprehensive data inventory and mapping system that tracks:

  • All personal data assets and their locations
  • Data flows between systems and third parties
  • Cross-border data transfers and applicable safeguards
  • Data retention periods and deletion schedules
  • Legal basis for processing each data category

This enables us to quickly respond to your data rights requests and maintain transparency about how your data is processed.

7. Your Privacy Rights (Australian Privacy Principles)

Under the Australian Privacy Principles (APPs), you have the following rights regarding your personal information:

7.1 Right to Access (APP 12)

You have the right to request access to the personal information we hold about you. To request access, please contact us at privacy@zhare.com. We will respond within 30 days.

7.2 Right to Correction (APP 13)

You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly through your account settings, or contact us for assistance.

7.3 Right to Deletion

You may request deletion of your personal information by contacting us. Please note that we may be required to retain certain information for legal or regulatory purposes, or to complete transactions you initiated.

7.4 Right to Complain

If you believe we have breached the Australian Privacy Principles, you have the right to lodge a complaint with us at privacy@zhare.com. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au

7.5 Right to Opt-Out

You have the right to opt out of:

  • Marketing communications (via unsubscribe link in emails)
  • Resource sharing (disable in account settings)
  • Data analytics and tracking cookies (via browser settings)

7A. Additional Rights for EU/EEA Users (GDPR)

If you are a resident of the European Union or European Economic Area, you have additional rights under GDPR:

Right to Access (Article 15)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to that data.

Right to Rectification (Article 16)

You have the right to obtain rectification of inaccurate personal data and to have incomplete data completed.

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to obtain erasure of your personal data under certain circumstances, including where the data is no longer necessary or you withdraw consent.

Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data in certain situations.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU member state.

Legal Basis for Processing: We process your data based on:

  • Consent: For optional features, marketing, and analytics
  • Contract: To provide our Services as agreed
  • Legal Obligation: For compliance with laws (e.g., tax, AML)
  • Legitimate Interests: For fraud prevention, security, and service improvement

7B. Additional Rights for UK Users (UK GDPR)

If you are a resident of the United Kingdom, you have rights under the UK GDPR (Data Protection Act 2018) that mirror the EU GDPR rights listed above, with enforcement through the UK Information Commissioner's Office (ICO):

  • Website: www.ico.org.uk
  • Phone: 0303 123 1113
  • Email: casework@ico.org.uk

7C. Additional Rights for California/US Users (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know (Section 1798.100)

You have the right to know what personal information we collect, use, disclose, and sell.

Right to Access (Section 1798.110)

You have the right to request that we disclose what personal information we have collected about you.

Right to Delete (Section 1798.105)

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Opt-Out of Sale (Section 1798.120)

You have the right to opt-out of the sale of your personal information. We do not sell your personal information.

Right to Non-Discrimination (Section 1798.125)

You have the right not to receive discriminatory treatment for exercising your CCPA rights.

Right to Correct (CPRA)

You have the right to request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information (CPRA)

You have the right to limit the use and disclosure of sensitive personal information.

Categories of Personal Information We Collect:

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history, credits)
  • Internet activity (browsing behavior, task history)
  • Geolocation data (approximate location)
  • Biometric information (voice samples - with consent)
  • Professional information (ABN, business details - for business users)

Do Not Sell My Personal Information: We do not sell personal information. You can manage your data sharing preferences in your account settings.

7D. HIPAA Compliance for Health Information

While our platform is not primarily a healthcare service, we have implemented HIPAA-ready infrastructure to handle Protected Health Information (PHI) if needed:

Technical Safeguards (45 CFR § 164.312)

  • Access Control: Unique user identification, encryption, automatic logoff
  • Audit Controls: Hardware, software, and procedural mechanisms to record and examine activity
  • Integrity Controls: Mechanisms to ensure ePHI is not altered or destroyed
  • Transmission Security: Encryption of ePHI in transit

Administrative Safeguards (45 CFR § 164.308)

We maintain policies for risk assessment, workforce training, and incident response.

Physical Safeguards (45 CFR § 164.310)

Our infrastructure providers (AWS, Google Cloud, Firebase) maintain physical security controls including facility access, workstation security, and device controls.

Note: If you intend to store health information on our platform, please contact us to execute a Business Associate Agreement (BAA).

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your experience on our Services. Cookies are small data files stored on your device.

8.1 Types of Cookies We Use

  • Essential Cookies: Required for the Services to function (e.g., authentication, session management)
  • Analytics Cookies: Help us understand how users interact with the Services
  • Preference Cookies: Remember your settings and preferences (theme, language, resource sharing settings)
  • Performance Cookies: Monitor application performance, error rates, and loading times

8.2 Third-Party Cookies

Our analytics and error logging service providers may set their own cookies for tracking user sessions, behavioral analytics, and error tracking across sessions.

8.3 Cookie Control

You can control cookies through:

  • Browser settings (most browsers allow you to block or delete cookies)
  • Account settings (opt out of non-essential analytics)
  • Privacy preference center (if available in your region)

Note: Disabling essential cookies may limit your ability to use certain features of the Services.

8.4 Local Storage and IndexedDB

In addition to cookies, we use browser local storage and IndexedDB to:

  • Cache AI model data for faster inference
  • Store chat history and AI task results (if offline sync is enabled)
  • Save user preferences and application state
  • Enable offline functionality for desktop applications

This data is stored locally on your device and is not transmitted to our servers unless you enable cloud sync.

9. International Data Transfers

Your information may be transferred to and processed in countries other than Australia, including the United States (where our cloud infrastructure providers are located). We take steps to ensure that your personal information receives adequate protection and is handled in accordance with the Australian Privacy Principles, including:

  • Using service providers that comply with international data protection standards
  • Implementing appropriate safeguards such as encryption and access controls
  • Entering into data processing agreements with third-party providers

10. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods vary depending on the type of information:

  • Account Information: Retained while your account is active, plus 7 years after account closure (for tax and legal purposes)
  • Transaction Records: 7 years (Australian tax law requirement)
  • Marketing Data: Until you opt-out or request deletion
  • Chat History and AI Tasks: You control retention through sync settings; otherwise deleted after 90 days
  • Peer-to-Peer Connection Metadata: 30 days (for troubleshooting and quality improvement)
  • Error Logs and Crash Reports: 90 days (for debugging and security analysis)
  • Analytics Data: Varies by provider (typically 14-26 months); you can request deletion
  • Desktop Application Logs: Stored locally on your device; you can delete at any time
  • Guild and Collaboration Data: Retained while Guild is active; deleted 30 days after Guild deletion
  • Game Progress and Achievements: Retained while account is active; deleted with account closure
  • Streaming Metadata: 90 days after broadcast; you can delete immediately from your dashboard

Important: Peer-to-peer encrypted communications (messages, voice, video) are not stored on our servers and exist only during the active session.

11. Automated Compliance Reporting

We provide automated compliance reporting capabilities to demonstrate our commitment to data protection:

11.1 Available Reports

  • ISO 27001 Status Report: Control implementation status and compliance score
  • SOC 2 Readiness Report: Trust Services Criteria assessment and evidence collection
  • DPIA Summary Report: Privacy impact assessments for high-risk processing
  • Data Inventory Report: Personal data assets, flows, and cross-border transfers
  • Vendor Risk Report: Third-party vendor assessments and compliance status

11.2 Compliance Dashboard

Our compliance dashboard provides real-time visibility into:

  • Overall compliance score across all frameworks
  • ISO 27001 control implementation progress
  • SOC 2 Trust Services Criteria effectiveness
  • DPIA status and critical risk assessment
  • Data asset inventory and cross-border transfer monitoring
  • Vendor risk assessment schedules and incident tracking

11.3 Transparency and Accountability

We are committed to transparency in our data processing practices. Upon request, authorized users (such as enterprise customers or regulators) may access compliance reports demonstrating our adherence to privacy and security standards.

12. Contact Us and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

  • Email: privacy@zhare.ai
  • Data Protection Officer: privacy@zhare.ai
  • Postal Address: [To be configured - registered business address]
  • Phone: [To be configured]

We aim to respond to all privacy-related inquiries within 30 days (72 hours for data breach notifications as required by GDPR).

Supervisory Authorities

You also have the right to lodge a complaint with relevant data protection authorities:

  • Australia: Office of the Australian Information Commissioner (OAIC) - www.oaic.gov.au, 1300 363 992
  • EU: Local Data Protection Authority in your member state
  • UK: Information Commissioner's Office (ICO) - www.ico.org.uk, 0303 123 1113
  • US/California: California Privacy Protection Agency - www.cppa.ca.gov

13. Changes to This Policy

We may update this privacy notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be indicated by an updated "Last Updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. For material changes, we will provide notice through the Services or via email.

Continued use of the Services after changes constitutes your acceptance of the updated Privacy Policy.