
Privacy Policy

Effective date: 7 June 2026
Last updated: 7 June 2026
Version: 1.2

This policy explains how Ortopylot handles personal information when you visit ortopylot.com, use the free assessment tool, sign up to receive emails, or buy a product. It is written to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and to give visitors from the EU, UK, and the United States the rights they would expect under their own privacy laws.

If anything in this policy is unclear, contact us at hello@ortopylot.com.


1. Who we are

Ortopylot is an Australian business operating from Western Australia. It provides commercial guidance, prompts, templates, and AI-assisted assessments to small business owners and ecommerce founders.

Business details:

  • Business name: Ortopylot
  • ABN: 77 692 744 053
  • Operating jurisdiction: Australia
  • Contact email: hello@ortopylot.com
  • Postal address: 42 Bluemanna Drive, Wannanup WA 6210, Australia

If you are visiting from the EU or UK, Ortopylot acts as the "data controller" for the personal information described in this policy. Ortopylot does not have a designated EU representative because it does not target the EU market as its primary audience, but it will respond to requests from EU and UK visitors under the rights set out in section 11.


2. Who this policy applies to

This policy applies to anyone who:

  • Visits ortopylot.com
  • Submits a business idea into the free assessment tool
  • Enters their email address to receive the assessment report, the Ecommerce Roadmap, or any other Ortopylot content
  • Buys a product or service from Ortopylot
  • Otherwise interacts with the website or its tools

It applies regardless of where you are located. We extend GDPR-style rights to visitors from the EU and UK, and CCPA-style rights to visitors from California, even though the Australian Privacy Act is our primary obligation.


3. What we collect and why

We collect only what we need to run the service, deliver what you asked for, and meet our legal obligations.

The business idea you submit. When you use the free assessment tool, you type a description of your business idea into a text box. You may also include a website address. This text is the input the AI model uses to generate your on-screen assessment and (if you submit your email) your full written report. We store this text so we can produce your report and so we can refer back to it if you later purchase a product that uses the same input. We do not use it for anything else.

Your email address. When you submit your email on the assessment results page, or anywhere else on the site, we store it so we can send you the assessment report, the Ecommerce Roadmap, and the follow-up email sequence described in this policy. If you buy a product, your email is also used to deliver the product and any related communications.

Your assessment result. When the AI model produces your on-screen assessment, we store the result alongside your input. This is so we can email you the full version, refer to it in later emails, and (if you purchase a product) use it to tailor what you receive.

Technical data. When you visit the site, our systems automatically collect basic technical information: your IP address, your browser type, your device type, the pages you view, the time of your visit, and similar information. We use this for security, to prevent abuse of the assessment tool, to monitor site performance, and to understand how visitors use the site.

Email engagement data. When we send you an email, our email platform records whether you opened it, which links you clicked, and similar engagement signals. We use this to understand what is useful and to remove people from sequences who are not interested.

Payment details. When you buy a product, your payment is processed entirely by Stripe. We never see or store your full card number, your CVV, or your bank details. We do receive a confirmation that the payment was successful, along with limited information such as your name, billing email, and country.

Purchase information. When you buy a paid product, such as the Commercial Foundation Pack, we store the email address you used to purchase and the transaction record, which is what you bought, when, and the amount. We use this to deliver the product and to meet our accounting obligations.

Information you give us directly. If you reply to an email, send us a message, or otherwise contact us, we keep that correspondence so we can respond.

We do not collect sensitive information (as defined under the Privacy Act) such as health data, racial or ethnic origin, religious beliefs, or sexual orientation. If you choose to include sensitive information in your business idea submission, we will handle it under this policy, but we do not request it and recommend you do not provide it.


4. How automated assessment works

This section is important. Read it carefully before you submit a business idea.

When you submit your idea into the assessment tool, the text is sent to Anthropic, the company that makes the Claude AI model. Anthropic processes the text on our behalf to generate the assessment you see on screen, and (if you provide your email) the longer report you receive by email.

What this means in practical terms:

  • Your idea text leaves our systems and is processed by Anthropic in the United States.
  • Anthropic is a separate company with its own privacy and data handling commitments.
  • Anthropic processes your input under its API terms, which by default do not use API inputs to train its models. We use the Anthropic API in a way that does not contribute your data to model training.
  • The assessment is generated automatically by an AI model. No human reviews it before it appears on screen, although we may sample assessments internally for quality and safety review.

You can read Anthropic's privacy policy at https://www.anthropic.com/legal/privacy.

If you do not want your idea text sent to a third-party AI model, do not submit the assessment.


5. The legal basis for processing your information

If you are in the EU or UK, the General Data Protection Regulation (GDPR) requires us to tell you the legal basis on which we process your personal information. The bases we rely on are:

Consent. When you submit your email to receive marketing emails, the legal basis is your consent. You can withdraw this consent at any time by clicking the unsubscribe link in any email or contacting us directly.

Contract. When you buy a product, we process your information to deliver what you have paid for. The legal basis is the contract between you and us.

Legitimate interests. We process technical data (IP address, browser type, etc.) for security, abuse prevention, and basic site analytics. The legal basis is our legitimate interest in operating a secure, functional website. You can object to this processing, although doing so may limit your ability to use the site.

Legal obligation. We retain certain records (such as payment records) to meet our tax, accounting, and other legal obligations.

For visitors outside the EU and UK, we rely on equivalent legal bases under the relevant local law.


6. Who we share your information with

We share personal information with the following service providers, each of whom processes the information on our behalf and under their own privacy policy. Most of these providers are based outside Australia.

Anthropic (anthropic.com)

  • Purpose: Generates the AI assessment from your submitted business idea text.
  • Data shared: The business idea text you submit, and any website address you include.
  • Location: United States.

Supabase (supabase.com/privacy)

  • Purpose: Stores the database records that hold your input, your assessment, and your email.
  • Data shared: Your input, assessment, email, and related metadata.
  • Location: Sydney, Australia (our primary database region).

Vercel (vercel.com/legal/privacy-policy)

  • Purpose: Hosts the backend functions that run the assessment and connect to other services.
  • Data shared: All personal information described above, while it transits through our backend.
  • Location: United States (with global edge network).

Klaviyo (klaviyo.com/legal/privacy/privacy-notice)

  • Purpose: Holds your email address, sends the email sequence, and records email engagement.
  • Data shared: Your email, your name (if provided), engagement signals (opens, clicks), and the assessment readiness category produced by the assessment.
  • Location: United States.

Stripe, Inc. (stripe.com/privacy)

  • Purpose: Processes payments when you buy a paid product.
  • Data shared: Your name, billing email, billing address, and the transaction record. Payment card details go directly to Stripe and never touch Ortopylot systems. We store the purchase email and the transaction record for delivery and accounting.
  • Location: United States, with global presence.

Cloudflare (cloudflare.com/privacypolicy)

  • Purpose: Provides bot protection, security, and content delivery for the site and the assessment tool.
  • Data shared: Your IP address, browser type, request data.
  • Location: United States, with global presence.

Framer (framer.com/legal/privacy)

  • Purpose: Hosts the ortopylot.com website itself.
  • Data shared: Your IP address, browser type, technical request data when you visit the site.
  • Location: Netherlands (Framer is headquartered in Amsterdam), with global infrastructure.

We do not sell your personal information to third parties. We do not share it with advertisers. We do not share it with anyone else except where required by law, or where we need to defend a legal claim, or where you have explicitly given us permission to do so.


7. International transfers of personal information

Most of the service providers listed above are located outside Australia, primarily in the United States. When we share your personal information with them, that information is transferred overseas.

Under the Australian Privacy Principles (APP 8), we are required to take reasonable steps to ensure that overseas recipients do not breach the APPs. We do this by using providers who offer contractual data protection commitments (data processing agreements) and who are widely used by Australian businesses for similar purposes.

For visitors in the EU and UK, transfers of your personal information to the United States are protected by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms entered into with each provider, in line with GDPR Articles 44-49.

By using the Ortopylot website, the assessment tool, or our email service, you acknowledge that your personal information will be processed in the locations listed in section 6.


8. How long we keep your information

We keep your personal information only for as long as we need it.

  • Assessment input and output: Retained for as long as you have an active relationship with Ortopylot, or until you ask us to delete it.
  • Email address and engagement data: Retained for as long as you remain subscribed to our emails. If you unsubscribe, we keep a suppression record (your email address only) so we can honour your unsubscribe request and not contact you again. Other records are deleted within a reasonable period.
  • Payment records: Retained for at least seven years to meet Australian tax and accounting requirements.
  • Technical and security logs: Retained for up to 90 days unless we need them longer for a specific security investigation.
  • Correspondence: Retained for as long as needed to handle the matter and for a reasonable period afterwards.

You can ask us to delete your personal information at any time. See section 11 for how to make a request.


9. How we keep your information secure

We take reasonable steps to protect your personal information from loss, misuse, and unauthorised access, modification, or disclosure. These steps include:

  • Encryption of data in transit (HTTPS across the site)
  • Encryption of data at rest in the database
  • Access controls limiting who can see personal information
  • Bot protection on the assessment form to prevent abuse
  • Regular review of our service providers' security commitments
  • Secure handling of API credentials

No method of transmission over the internet or storage is completely secure. We cannot guarantee absolute security, but we take the risk seriously and respond promptly to any incident.

If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.


10. Cookies and similar technologies

The Ortopylot site uses a small number of cookies and similar technologies. We do not use third-party advertising cookies, and we do not allow third parties to track you across other websites via cookies on our site.

The technologies we do use include:

  • Essential cookies that are required for the site to function (for example, session cookies that keep you signed in or maintain form state).
  • Security tokens set by Cloudflare to verify that you are a legitimate user and not a bot.
  • Basic analytics to understand how people use the site. We use only privacy-respecting analytics that do not build profiles of individual users.

You can disable cookies in your browser settings. Some parts of the site may not work properly if you do.


11. Your rights

You have rights over your personal information. These rights vary slightly depending on where you are located, but we apply the strongest set of them to anyone who asks.

Everyone has the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or out of date.
  • Delete your personal information, subject to any legal requirement that we keep it.
  • Withdraw consent to marketing emails by unsubscribing from any email or contacting us directly.
  • Complain to us about how we handle your personal information.

If you are in the EU or UK, you also have the right to:

  • Restrict how we process your personal information.
  • Object to processing based on legitimate interests.
  • Portability of your personal information in a structured, commonly used, machine-readable format.
  • Lodge a complaint with your local data protection authority (in the UK, the Information Commissioner's Office at ico.org.uk; in the EU, your country's supervisory authority).

If you are in California, you also have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete your personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share personal information for advertising purposes).
  • Non-discrimination for exercising your privacy rights.

To exercise any of these rights, email us at hello@ortopylot.com. We will respond within 30 days, or sooner where required by law.

You can also complain to the Office of the Australian Information Commissioner at any time, regardless of where you are located:

  • Website: oaic.gov.au
  • Phone: 1300 363 992

12. Children

The Ortopylot service is not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, contact us and we will delete it.


13. Marketing emails

When you submit your email through the assessment tool or any other form on the site, you consent to receive emails from Ortopylot. The first emails deliver the content you signed up for (the full assessment, the Ecommerce Roadmap). Subsequent emails over the following weeks introduce relevant products and ideas.

You can unsubscribe at any time. Every marketing email contains an unsubscribe link in the footer. The footer also includes our postal address, in line with US CAN-SPAM requirements.

If you unsubscribe, we will stop sending you marketing emails within a reasonable time (typically within 10 business days, often immediately). We may still send transactional emails relating to a product you have purchased or a request you have made.


14. Automated assessment and your rights

The Ortopylot assessment tool produces a commercial readiness assessment of your business idea using an AI model. The assessment is generated automatically. It is informational and does not constitute financial, legal, or business advice, and it does not make any decision that has legal or similarly significant effects on you.

Even though the assessment is informational rather than a "significant decision" in the legal sense, we want to be transparent about how it works:

  • What information goes in: The business idea text you submit, and any website address you include.
  • What the assessment looks at: Five commercial dimensions (Market Opportunity, Margin Viability, Competitive Position, Operational Complexity, Digital Readiness), an overall readiness category, the most important risk, what would have to be true for the idea to be commercially sound, and where to test the biggest unknown.
  • How it works: An AI model (Anthropic's Claude) generates the assessment based on the text you submit. The model produces the result; no human reviews it before it appears on screen.
  • What the result means: The assessment is a structured opinion based on the limited information you provide. It is not a guarantee of success or failure. The final decision is always yours.

If you would like a human to review your assessment or discuss your results, contact us and we will arrange this.

This section meets the spirit of the Australian Privacy Act's automated decision-making transparency requirements (APP 1.7, in effect from 10 December 2026) and Article 22 of the GDPR.


15. Changes to this policy

We may update this policy from time to time. If we make a material change, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a notice on the site. We recommend you review this page periodically.


16. How to contact us

For any question or request relating to your personal information, contact:

  • Ortopylot, ABN 77 692 744 053
  • Email: hello@ortopylot.com
  • Postal address: 42 Bluemanna Drive, Wannanup WA 6210, Australia

We will respond to all reasonable requests as quickly as we can, and in any case within the timeframes set out in this policy or applicable law.

Ortopylot Privacy Policy — Version 1.2 — 7 June 2026