Cloudo AgentsCloudo Agents

Privacy Policy

Last updated 2026-06-04. Version 2026-06-04.

This policy explains what personal information Cloudo collects, how we use it, and the rights you have under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

In plain English: We’re the operator of Cloudo and the data controller for what you give us.

Legally: Cloudo is an independently operated service based in Australia (“we”, “us”, “our”). Privacy enquiries can be directed to [email protected].

2. What we collect

In plain English: Your contact info, your billing info (no card numbers — those go straight to the payment processor), your Agent’s configuration, and the messages that flow through it. If you join the referral program, we also store the PayPal email you give us for payouts.

Legally: We collect: (a) account data — name, email, country; (b) billing metadata such as payment processor customer and subscription IDs, last-four digits of cards as supplied by the processor, and invoice records (full payment card numbers are processed by the payment processor and are not stored by us); (c) Agent configuration, including instructions, parameters, integrations, and connected accounts; (d) message content sent to and from Agents through Channels you connect; (e) usage telemetry, including timestamps, request counts, costs, error logs, and Agent-state changes; (f) network metadata such as IP address and user-agent at signup and on sensitive actions; (g) support correspondence; and (h) referral and payout data, including referral codes, the referrals attributed to you, accrued and paid reward amounts, and the PayPal payout email you nominate.

3. How we collect it

In plain English: Directly from you at signup, automatically while you use the Service, and from the third-party services you connect.

Legally: We collect personal information directly from you at signup and through your use of the Service, automatically through usage of the Service, from payment processor webhooks, and from Channels you connect (for example, the Telegram or WhatsApp account associated with your Agent and the messages received by that account).

4. Why we collect it

In plain English: To run the Service, bill you, keep the platform safe, support you, and meet legal obligations.

Legally: We collect and use personal information for: (a) providing, operating, and improving the Service; (b) billing and account administration; (c) fraud detection, abuse prevention, and security; (d) customer support and communications about the Service; (e) compliance with legal and regulatory obligations; and (f) producing aggregate or de-identified analytics that do not identify individuals.

5. Who we share it with

In plain English: AI providers (to answer Agent requests), our payment processor, our infrastructure provider, the channels you connect, and PayPal when you cash out referral rewards. PayPal transaction lines may show “Vico Systems Limited” (a Hong Kong entity used to operate the PayPal Business account on behalf of Cloudo) as the sender — this is not a separate party from Cloudo. We don’t sell your data.

Legally: We disclose personal information only as needed to provide the Service: (a) AI Providers process Agent prompts and return responses; (b) our payment processor handles card details and subscription billing; (c) our infrastructure provider hosts compute, storage, and networking; (d) Channels you connect carry messages between your Agent and end users; (e) where you cash out referral rewards, our payout provider (PayPal) processes the transfer to the PayPal account you nominate; (f) authorised contractors and service providers who help us run the business under confidentiality obligations; and (g) legal, regulatory, or law-enforcement authorities where required. We do not sell personal information.

6. How we store and protect it

In plain English: Encrypted in transit and at rest where supported, with strict access controls.

Legally: We protect personal information using technical and organisational measures appropriate to its sensitivity, including encryption in transit (TLS) and encryption at rest where supported by the underlying storage. BYOK provider keys are encrypted using envelope encryption and are not stored as plain text anywhere in the system. Access to production data is restricted to authorised personnel on a need-to-know basis.

7. Cross-border transfers

In plain English: Your data may be processed outside Australia by our AI providers and hosting provider.

Legally: AI Providers, our infrastructure provider, and certain Channels may store or process personal information in countries other than Australia, including the United States and the European Union. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient handles the information in a manner consistent with the Australian Privacy Principles, as required by APP 8.

8. How long we keep it

In plain English: While your account is active. Cancelling destroys your agent and its messages right away; your account and billing history are kept so you can resume, until you fully delete your account — after which we erase your data within 90 days, minus anything tax or law requires us to keep.

Legally: We retain personal information for as long as your account is active. When you cancel your subscription, we promptly destroy the virtual machine running your Agent — including the Agent’s working data and the message content stored on it — but we retain your account, billing, usage, and referral records so the account can be reactivated and to meet our legal, taxation, and accounting obligations. When you delete your account entirely, we erase the personal information we hold about you within ninety (90) days, except where we are required by law (for example, taxation, anti-money-laundering, or in response to legal process) to retain certain records for longer.

9. Your rights

In plain English: You can ask to see, correct, or delete your data. You can also complain to us or to the OAIC.

Legally: Subject to the exceptions in the Privacy Act 1988 (Cth), you may request access to or correction of the personal information we hold about you, ask us to delete your data, or withdraw consent to specific processing. Contact [email protected] to make a request. We will respond within thirty (30) days. If you are not satisfied with our handling of your enquiry or complaint, you may escalate it to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Cookies and tracking

In plain English: We use the bare minimum cookies to keep you signed in and to understand site usage at an aggregate level.

Legally: Our marketing site and portal use cookies and similar technologies for essential functions (session authentication, security, load balancing) and for aggregate usage analytics. You can disable cookies in your browser, though doing so may break certain features such as staying signed in. We do not deploy advertising or cross-site tracking cookies.

11. Children

In plain English: The Service is not for under-18s.

Legally: The Service is not directed at, and we do not knowingly collect personal information from, children under the age of 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

12. Changes to this policy

In plain English: If we change this policy, we’ll let you know.

Legally: We may update this Privacy Policy from time to time. Material changes will be notified by email and through the portal at least fourteen (14) days before they take effect, except where the change is legally required or security-critical.

13. Contact

In plain English: Reach our Privacy Officer at the address below.

Legally: For privacy enquiries, email [email protected]. Complaints not resolved with us may be referred to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

14. Google API Services and Google user data

In plain English: When you connect a Google account, we ask for the narrowest scope we can to make your Agent work — for example, calendar access if your Agent schedules meetings. We use that data only to run the feature you asked for, never to train models, never to show ads, and never to sell. You can disconnect at any time from the portal.

Legally: Cloudo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. When you authorise a Google integration, Cloudo requests OAuth scopes scoped to the specific feature the Agent provides (for example, https://www.googleapis.com/auth/calendar.events for Agents that read or write calendar events). The refresh token and any cached access tokens are encrypted at rest using envelope encryption (see section 6) and are accessed only by the Agent acting on your behalf. We do not use Google user data to develop, improve, or train generalised or non-personalised artificial intelligence or machine-learning models; we do not transfer Google user data to third parties except as necessary to provide or improve the user-facing feature, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you; we do not use Google user data for advertising; and we do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, we need it for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations and only with data that has been aggregated and anonymised. You may revoke Cloudo's access at any time from /account/integrations in the portal or from your Google Account permissions page at myaccount.google.com/permissions; on revocation we delete the stored refresh token within thirty (30) days.

15. Microsoft 365 and Microsoft account data

In plain English: When you connect a Microsoft 365 account, your Agent asks only for the permissions the feature needs — for example, sending mail from Outlook, reading your calendar, or saving a file to OneDrive. We use that access only to run the feature you set up — never to train AI models, never for advertising, and never to sell. You can disconnect at any time from the portal.

Legally: When you authorise a Microsoft integration, Cloudo requests Microsoft Graph (OAuth 2.0) permissions scoped to the specific feature the Agent provides — currently Calendars.ReadWrite (view and edit Outlook calendar events), Mail.Read (read and search Outlook mail), Mail.Send (send mail on your behalf), and Files.ReadWrite (read and manage OneDrive files), together with offline_access so the Agent can refresh its access without prompting you each time. The integration uses an OAuth application you create in your own Microsoft account, so the consent screen is yours; Cloudo stores the resulting refresh and access tokens encrypted at rest using envelope encryption (see section 6) and accesses them only as the Agent acting on your behalf. We do not use Microsoft account data to develop, improve, or train generalised or non-personalised artificial intelligence or machine-learning models; we do not transfer it to third parties except as necessary to provide the user-facing feature you configured, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you; we do not use it for advertising; and we do not allow humans to read it unless we have your affirmative agreement for specific items, we need it for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations and only with data that has been aggregated and anonymised. You may revoke Cloudo’s access at any time from /account/integrations in the portal or from your Microsoft account security settings; on revocation we delete the stored tokens within thirty (30) days. Your use of Microsoft services remains subject to Microsoft’s own terms and privacy statement.

Privacy Policy — Cloudo