Privacy Notice

XRAYAI Pty Ltd ACN 695 780 173 (“XRAYAI”, “we”, “us” and “our”)

Last updated: 13 April 2026 (amended April 2026)

This privacy notice provides an overview of how XRAYAI handles personal information.

We are not currently subject to the Privacy Act 1988 (Cth). This privacy notice is provided for general reference purposes only.

We may notify you about changes to how we handle personal information by posting an updated version of this privacy notice on our website.

What personal information do we collect?

The kinds of personal information we collect and hold about you will depend upon the nature of our relationship with you and the circumstances of collection. For example:

  • if you are a customer, we will generally collect your name, contact details and any other information you provide to us when you make an enquiry, use our services, provide feedback or correspond with us; and
  • if you deal with us in some other capacity, we will collect personal information you provide to us that is relevant to your interaction with us.

We generally collect personal information from you directly (such as when you use our platform or interact with us in writing, electronically or by telephone), but we may also collect information from publicly available sources including but not limited to social media.

Where you create an Account on the Platform, we collect the following additional categories of personal information:

  • account registration data: your display name, email address, other information you disclose, and (where you choose email plus password authentication) a password stored in hashed form;
  • third-party authentication data: where you choose to sign in with Google, we receive a Google account identifier and basic profile information (name and email address) from Google;
  • session data: when you log in, we record your IP address, browser and device type, and session timestamps for security and fraud prevention purposes; and
  • platform usage data: scan history, report access history, subscription status, and email preference settings.

We generally hold personal information electronically, including in cloud-based services provided by our service providers.

Why do we collect, hold, use and disclose personal information?

We collect, hold, use and disclose personal information for a range of purposes, including:

  • to supply our services;
  • to respond to your enquiries about our services;
  • to process payments made to us;
  • for our administrative purposes and internal record keeping;
  • to provide you with customer service or technical support and deal with any complaints or feedback you have;
  • to perform research and analysis and improve or develop our services;
  • to manage our relationships with our customers, suppliers and contractors;
  • to consider job applicants for current and future employment;
  • to create and manage user Accounts and verify Account ownership;
  • to authenticate users and maintain secure sessions; and
  • to detect and prevent unauthorised access to Accounts and the Platform.

We may use and disclose your personal information for other purposes required or authorised by or under law (including purposes for which you have provided your consent).

Do we use personal information for direct marketing?

We may use your personal information so we can contact you with information about our products and services, special offers, promotions and events that may be of interest to you.

We may contact you by email, mail or telephone. You can let us know at any time if you no longer wish to receive these communications by contacting us using the contact details at the end of this notice, or by using the opt-out or unsubscribe facility in our communications.

Why do we disclose personal information to third parties?

In conducting our business, we may disclose your personal information to third parties for the purposes outlined above.

These third parties may include:

  • our related companies (including XRAYAI Holdings Pty Ltd);
  • third party AI service providers, in connection with the provision of our services to you and the generation of a report for you through our platform;
  • financial institutions for payment processing;
  • our service providers, including IT service providers and marketing service providers, as well as our external business advisers (such as auditors and lawyers); and
  • in the case of a sale of our business (in whole or in part) to the purchaser (as an asset of the business).

We have engaged Stripe as a service provider for processing payments. Stripe will collect and handle personal information about you when you make a payment through our website. More information about how Stripe collects, uses, discloses and otherwise handles your personal information is accessible at https://stripe.com/au/privacy.

We use Google Sign-In as an optional authentication method for user Accounts. Where you choose to sign in with Google, Google will handle your authentication in accordance with Google’s privacy policy, accessible at https://policies.google.com/privacy. XRAYAI receives only the information described above (Google account identifier, name, and email address) from Google as part of the authentication process.

Cookies and session management

When you are logged in to your Account, the Platform uses a server-set session cookie to maintain your authenticated session. This cookie is set as httpOnly, meaning it is not accessible by browser-side scripts. Session cookies expire after a defined period of inactivity. You can end your session at any time by logging out from the Profile screen, which invalidates the session cookie. The Platform does not use tracking cookies or third-party advertising cookies.

Account deletion and data retention

You may delete your Account at any time from the Profile screen. On deletion, we will delete or de-identify your personal Account data (including your name, email address, authentication credentials, and session data) within a reasonable period, typically 30 days. Scan results and scoring data associated with your Account may be retained in anonymised or aggregated form for product improvement purposes; this data cannot be used to identify you after de-identification. Where we are required by law to retain certain records, we will do so for the minimum required period and then delete them. Please note: deleting your Account does not automatically cancel any active subscription. You should cancel your subscription before deleting your Account, or contact us to confirm cancellation.

Some of our service providers may be located outside Australia. As a result, personal information collected and held by us may be transferred to, and stored in, countries other than Australia.

How to contact us for more information

If you would like more information about how we handle personal information, please contact us at:

Email — support@xrayai.com

Post — XRAYAI Pty Ltd, c/- 40 Lime St SYDNEY NSW 2000

This privacy notice was last updated on 13 April 2026 (amended April 2026).