This Privacy Policy explains how Vissibl collects, uses, discloses and protects personal data when you visit our websites, contact us, attend a demo, or hold an account on the Vissibl platform. It also explains your rights and how to exercise them.
We have written this policy in plain English. Where the law requires specific terminology we use it, but our aim is that you can actually read this document.
1. Who we are
Vissibl operates through two companies. The company responsible for your personal data (the controller) depends on where you are and which entity you deal with.
Vissibl Australia Pty Ltd
ABN 21 696 556 180, ACN 696 556 180. Registered office: Peregian Beach, Queensland, Australia.
The controller for personal data of individuals in Australia and for customers who contract with Vissibl Australia Pty Ltd. Regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), with direct marketing governed by the Spam Act 2003 (Cth).
Vissibl Technology Limited
Unit 147, Innovation Hub, Gate Avenue, South Zone, DIFC, Dubai, UAE. DIFC Licence CL8648.
The controller for personal data of individuals in the UAE, the wider GCC and the rest of the world, and for customers who contract with Vissibl Technology Limited. Regulated by the DIFC Data Protection Law, DIFC Law No. 5 of 2020 (DIFC DPL).
Where we handle personal data of individuals located onshore in the United Arab Emirates outside the DIFC, the UAE Federal Personal Data Protection Law, Federal Decree Law No. 45 of 2021 (UAE PDPL), may also apply, and we apply equivalent standards.
If you are unsure which entity is your controller, contact us at privacy@vissibl.com and we will tell you.
In this policy, "Vissibl", "we", "us" and "our" refer to the relevant controller above.
2. What this policy covers, and what it does not
This policy covers personal data we collect as a controller. That means:
- Visitors to vissibl.ai and our other websites
- People who book a demo, complete a form, or contact us
- Prospects and contacts in our sales and marketing systems
- Account holders and administrative users of the Vissibl platform at app.vissibl.ai (names, work emails, login and account details)
This policy does not cover the compliance content our customers store and process inside the Vissibl platform, such as policies, audit evidence, risk registers, training records and vendor records. For that data, our customer is the controller and Vissibl is a processor acting on the customer's instructions. That processing is governed by the agreement between Vissibl and the customer, including the Data Processing Addendum.
If you are an employee, contractor or vendor of a Vissibl customer and have questions about data that customer holds about you in the platform, contact that customer directly. They control that data.
3. Personal data we collect
Data you give us
- Name, work email address, phone number, company, job title
- Content of enquiries, demo bookings, support requests and partner applications
- Billing and contracting contact details for customer accounts
Data we collect automatically
- IP address, browser type and version, device identifiers, operating system
- Pages visited, time and date of visit, time on page, referring source
- Cookie and similar identifiers, subject to your consent choices (see section 6)
Data from third parties
- Business contact information from publicly available sources, used for business-to-business outreach
- Scheduling data when you book a demo through our booking provider
We do not collect sensitive or special category personal data through our websites, and we ask that you do not submit it through our forms.
We do not take payments through our websites or the platform. All fees are invoiced. We never collect or store payment card details.
4. How we use personal data, and the lawful basis
| Purpose | Lawful basis (DIFC DPL) | Australian basis |
|---|---|---|
| Providing and operating the websites and platform accounts | Contract performance; legitimate interests | APP 6, primary purpose |
| Responding to enquiries, demos and support requests | Contract performance; legitimate interests | APP 6, primary purpose |
| Invoicing, account administration and contract management | Contract performance; legal obligation | APP 6, primary purpose |
| Sending service communications, such as security and product notices | Contract performance; legitimate interests | APP 6, primary purpose |
| Direct marketing to business contacts, subject to opt-out | Legitimate interests; consent where required | APP 7 and Spam Act 2003 consent rules |
| Website analytics and improving our websites and product | Consent (via cookie banner); legitimate interests | APP 6, reasonably expected secondary purpose |
| Security, fraud prevention and protecting our legal rights | Legitimate interests; legal obligation | APP 6, permitted general situations |
| Complying with law, regulators and valid legal process | Legal obligation | APP 6, required or authorised by law |
We do not sell personal data. We do not use personal data collected through our websites for purposes unrelated to those above without telling you first.
5. AI and automated processing
Vissibl is an AI-native platform. In the context of this policy, that means:
- AI features in the platform operate on customer compliance content, where Vissibl acts as processor and the customer controls the data. Our AI service providers are Anthropic, OpenAI and Google (Gemini), engaged under terms that prohibit the use of customer data to train their models. Full details are set out in the Data Processing Addendum and our subprocessor list, available on request.
- We do not use personal data collected through our websites to train AI models.
- We do not make automated decisions about you that have legal or similarly significant effects. Autonomous actions within the platform always have a logged human accountable. That is a requirement of the audit frameworks our customers operate under, and we hold ourselves to it.
6. Cookies and tracking
We use cookies and similar technologies on our websites. On your first visit you are shown a consent banner where you can accept or decline non-essential cookies. Non-essential cookies do not run unless you consent.
Categories we use:
- Strictly necessary: required for the site to function, including storing your consent choices. Always on.
- Analytics: help us understand how visitors use the site, through Google Analytics managed via Google Tag Manager.
- Marketing: support our advertising and measurement where we run campaigns.
You can change your choices at any time through the cookie settings link on our website, or through your browser settings. Our websites do not respond to browser Do Not Track signals; we rely on the consent banner instead.
7. Who we share personal data with
We share personal data only as described below.
Service providers
Companies that host our infrastructure and provide tools we use to run the business, under contracts that restrict their use of the data:
- Cloud hosting and infrastructure: Amazon Web Services, Microsoft Azure, Google Cloud, Cloudflare
- CRM and marketing: HubSpot
- Scheduling: Cal.com and Google Calendar
- Workflow automation: Zapier
- Analytics and tag management: Google Analytics, Google Tag Manager
- Consent management: Cookiebot
- Email and productivity: Google Workspace
A current list of the subprocessors that handle customer platform data is maintained in the Data Processing Addendum and available on request to privacy@vissibl.com.
Within the Vissibl group
Between Vissibl Australia Pty Ltd and Vissibl Technology Limited, for the purposes in this policy, under an intra-group data transfer arrangement.
Professional advisers
Lawyers, accountants, auditors and insurers, where necessary.
Business transfers
In connection with a merger, acquisition, financing or sale of assets, with notice before your personal data becomes subject to a different privacy policy.
Law and regulators
Where required by law, court order or a valid request from a regulator or public authority, including the OAIC and the DIFC Commissioner of Data Protection.
We do not share personal data with third parties for their own marketing.
8. International transfers
Vissibl operates from Australia and the DIFC, and our service providers process data in other jurisdictions.
Customer platform data is hosted in the customer's home region, in Australia or the United Arab Emirates, with AWS as the default provider. Customers may request a specific cloud provider and region. The data that this policy covers, such as website, marketing and account contact data, may be processed in other jurisdictions by the service providers listed in section 7.
Where personal data is transferred internationally, we use a lawful transfer mechanism:
From the DIFC
Transfers are made to jurisdictions recognised as adequate by the DIFC Commissioner of Data Protection, or under appropriate safeguards such as standard contractual clauses, in accordance with Articles 26 and 27 of the DIFC DPL.
From Australia
Before disclosing personal data overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs, in accordance with APP 8, or we rely on another permitted ground.
Details of transfer mechanisms for specific providers are available on request.
9. Security
We protect personal data with technical and organisational measures including encryption in transit and at rest, access controls, logging, and vendor due diligence. Vissibl is certified to ISO/IEC 27001 and operates the same information security management system we help our customers run.
No method of transmission or storage is completely secure, but we apply the same standards to our own data that our platform exists to enforce for our customers.
10. Retention
We keep personal data only as long as needed for the purposes in this policy, then delete or de-identify it.
| Data | Retention |
|---|---|
| Enquiry and demo records | 2 years from last contact |
| Marketing contacts | Until opt-out, or 2 years of inactivity |
| Account, contract and invoicing records | Duration of the contract, plus the period required by applicable corporate and tax law: at least 7 years in Australia and at least 5 years in the UAE |
| Website analytics | 14 months |
| Platform customer content | Controlled by the customer; returned or deleted in accordance with the agreement on termination |
11. Your rights
If you are in Australia (Privacy Act 1988)
You have the right to access the personal information we hold about you and to ask us to correct it. You may also complain about how we have handled your personal information. We will respond within a reasonable period, and in any case within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If you are in the DIFC or dealing with Vissibl Technology Limited (DIFC DPL)
You have the right to:
- Access your personal data and information about how we process it
- Rectify inaccurate or incomplete personal data
- Erase your personal data in certain circumstances
- Restrict or object to processing, including objecting to direct marketing at any time
- Receive your personal data in a portable format
- Withdraw consent where processing is based on consent
- Object to decisions based solely on automated processing that produce legal or similarly significant effects
You can lodge a complaint with the DIFC Commissioner of Data Protection at dp.difc.ae.
If you are in the UAE outside the DIFC (UAE PDPL)
You have equivalent rights of access, correction, erasure, restriction, objection and portability under the UAE PDPL, and we honour them on the same basis.
If you are in the European Union or United Kingdom (GDPR or UK GDPR)
If we process your personal data and the GDPR or UK GDPR applies, you have the equivalent rights listed above and the right to complain to your local supervisory authority.
Exercising your rights
Email privacy@vissibl.com. We may need to verify your identity. We do not charge for requests unless they are manifestly unfounded or excessive. If you are an individual whose data sits inside a customer's platform environment, we will refer your request to that customer, who controls the data.
12. Direct marketing
We send business-to-business marketing about Vissibl products and services. Every marketing email includes a working unsubscribe link, and we honour opt-outs promptly. For Australian recipients we comply with the Spam Act 2003, including consent and sender identification requirements. You can opt out at any time by using the unsubscribe link or emailing privacy@vissibl.com.
Opting out of marketing does not affect service communications we need to send you as a customer, such as security notices.
13. Data breaches
We maintain a data breach response process. Where a breach is likely to result in serious harm to Australian individuals, we will notify affected individuals and the OAIC under the Notifiable Data Breaches scheme. Where the DIFC DPL applies, we will notify the DIFC Commissioner of Data Protection and, where required, affected individuals. Where we act as processor for a customer, we will notify that customer without undue delay in accordance with the Data Processing Addendum.
14. Children
Our websites and services are for businesses and are not directed at anyone under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact us and we will delete it.
15. Links to other websites
Our websites may link to third-party sites we do not operate. We are not responsible for their content or privacy practices. Review their privacy policies before providing personal data.
16. Changes to this policy
We may update this policy from time to time. We will post the updated version on this page and update the date at the top. For material changes affecting customers, we will provide notice in accordance with our agreement with you.
17. Contact and complaints
Privacy contact: privacy@vissibl.com
Vissibl Australia Pty Ltd, ABN 21 696 556 180, Peregian Beach, Queensland, Australia
Vissibl Technology Limited, Unit 147, Innovation Hub, Gate Avenue, South Zone, DIFC, Dubai, UAE
If you are not satisfied with our handling of a complaint:
- Australia: Office of the Australian Information Commissioner, oaic.gov.au
- DIFC: Commissioner of Data Protection, dp.difc.ae