Legal corpus · v2.0

digitaldairy.ai Privacy Policy

Version:v2.0 — RATIFIED (counsel sign-off 13/06/2026; nil substantive change from v1.4)

Effective:13/06/2026

Contracting entity:digitaldairy.ai Pty Ltd (ACN: 695 872 383; ABN: 33 695 872 383)

Governing law:Victoria, Australia

1. About this Policy

digitaldairy.ai Pty Ltd (ACN: 695 872 383; ABN: 33 695 872 383) operates the digitaldairy.ai platform, an AI-powered dairy farm management service that converts raw production data into individualised, actionable recommendations for Australian dairy farmers. This Policy explains what personal information and farm-business information we collect, how we use it, who we share it with, where it is stored, and the rights you have over it.

This Policy operates alongside two other documents that, together with the Subprocessor Register, form the contractual relationship between you and us:

the Terms & Conditions, which set out the service-level obligations, subscription terms, and acceptable use of the platform;
the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai), which sets out the rights you grant us to use Farm Data, including the prohibition on external AI training and the three independent opt-out toggles.

To the extent of any conflict between this Policy and the Dairy Farm Data Use & AI Training Licence on matters concerning Farm Data, the Licence prevails. This Policy prevails on matters concerning Personal Information generally.

we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and voluntarily align with the National Farmers' Federation Australian Farm Data Code (Edition 2, May 2023).

2. Definitions

In this Policy, capitalised terms have the following meanings (consistent across the digitaldairy.ai legal corpus). References in this Policy to "us", "we", or "our" mean digitaldairy.ai Pty Ltd (ACN: 695 872 383; ABN: 33 695 872 383). Where this Policy uses a first-person register and the Dairy Farm Data Use & AI Training Licence or the Terms & Conditions uses a third-person register ("Digital Dairy AI") for the same defined term, the two are equivalent and the substantive definition is identical.

Farmer means the natural person or legal entity that subscribes to the Platform, including authorised users acting under that subscription.
Personal Information has the meaning given in section 6 of the Privacy Act 1988 (Cth).
Sensitive Information has the meaning given in section 6 of the Privacy Act 1988 (Cth).
Farm Data means information about a dairy farm business and its livestock generated, recorded, or derived through the Farmer's use of the Platform or supplied by the Farmer or by authorised third parties to the Platform, in any form. Farm Data includes both Identifying Farm Data and Non-identifying Farm Data.
Identifying Farm Data means Farm Data that identifies a particular Farmer, farm, or both, including through reasonably available linkage to other information.
Non-identifying Farm Data means Farm Data that has been stripped of identifiers to a remote-risk re-identification standard published by us from time to time.
Platform means the digitaldairy.ai software service, including its data ingestion components, model and inference layer, dashboards, Kim AI chat interface, alerts, and recommendations.
Sub-processor means a third party that processes Personal Information or Farm Data on our behalf, including each entity named in our Subprocessor Register.
Subprocessor Register means the live list of Sub-processors published at https://digitaldairy.ai/legal/subprocessors.

3. Identity of the entity and contact details

Entity: digitaldairy.ai Pty Ltd (ACN: 695 872 383; ABN: 33 695 872 383)
Registered office: 5A Hartnett Close, Mulgrave, Victoria, Australia 3170
Privacy contact: privacy@digitaldairy.ai
Postal address: 5A Hartnett Close, Mulgrave, Victoria, Australia 3170
Privacy Officer (acting): Alex Barakat — contact via privacy@digitaldairy.ai

Privacy enquiries are answered by the acting Privacy Officer through the contact channel above. The acting appointment is an interim arrangement; a permanent Privacy Officer appointment may follow and, if made, will be notified by material-change notice under clause 13.

4. Categories of information we collect

we collect the following categories of information from and about you and your farm business:

Account and contact information — name, email address, phone number, role on the farm, language preference, authentication identifiers issued by our authentication provider Clerk, and login metadata such as session timestamps.
Farm-business identifiers — farm name, farm registration number (for example, national farm identifiers), GPS coordinates of farm boundaries, and milking-shed identifiers.
Animal health data — per-cow alert state across the six clinical lactation-period phases; clinical and subclinical mastitis records; lameness; metabolic events (ketosis, displaced abomasum, milk fever); heat stress; retained foetal membranes; reproductive failure; treatment records; withholding-period calculations; and composite four-band risk scores (Critical, High, Medium, Low).
Milk and quality data — per-milking individual milk weight, flow rate, electrical conductivity, milking interval, and AM/PM split; daily totals; rolling averages (3-day and 7-day adjusted means); milk production index; bulk milk composition data from Frontter (24-hour volume, butterfat percentage, protein percentage, daily bulk somatic cell count); and processor-specific quality threshold flags applicable to each Farmer's milk processor (Bega, Coles, United Dairy Power, Lactalis, Saputo, Bulla, and others as added).
Reproduction data — service records, heat observations, pregnancy diagnoses, calving events, AI and embryo-transfer straw identification, and parentage verification consistent with ICAR standards.
Environmental and sensor data — Davis weather station outputs (with Wfield placeholder for the wind-correction field); temperature–humidity index, rainfall, and wind speed; activity and rumination data from collars (NEAP, CowScout, Allflex, MDS) where the Farmer has licensed these systems; FarmBot water-consumption data; and Pasture IO pasture-growth data.
Genomic data — DataGene indices (BPI, ASW) and proprietary multi-provider genomic layouts (Zoetis, CX, and others) where the Farmer has licensed these systems.
Inferred and model-derived data — days in milk; projected yields; rolling averages; milk production index; risk scores; alert states; machine-learning cluster assignments; predicted disease state; per-cow individualised risk profiles; sensitivity classifications; recurring-versus-novel event-pattern history; vector embeddings stored in our Sydney-hosted vector database; orthogonal-coherence-screening confidence bands (High ≥ 0.80, Watching 0.60–0.79, Thin signal < 0.60); and per-feature-class staleness tier outputs.
AI-chat and voice data — plain-English queries that you submit through the Kim AI chat interface and the resulting chat transcripts.
Telemetry and usage analytics — token-consumption metrics per farm for cost control, and service-availability telemetry.
Subscription and billing data — cow counts, contract status, and billing-event records. The payment-processor identity and the specific billing-PII fields are pending finalisation.

Some of these categories (notably items (c) to (h)) are Farm Data; some (notably items (a), (i), (j), and (k)) are Personal Information; and some are both. Where the same information falls into both categories, the more protective treatment applies.

5. How we collect this information

we collect information in three principal ways:

Directly from you — through account setup, configuration of the nine farmer-tunable Basic parameters, manual data entry, the Kim AI chat interface, and direct contact with our team.
From systems that you authorise on your farm — through automated ingestion of raw transactional data from DairyPlan, Frontter, activity collars, DataGene, Pasture IO, FarmBot, Davis weather stations, and processor systems. These systems supply data under your authorisation.
By derivation within the Platform — all calculated outputs (risk scores, alerts, recommendations, projections) are generated internally by our models from the raw data sources above. we do not purchase derived analytics from third parties and do not enrich your data with external commercial datasets.

6. Purposes of collection, use, and disclosure

we collect and use the information described in section 4 for the following purposes:

1. Operating the Platform — providing alerts, recommendations, decision support, dashboards, and the Kim AI chat interface to you and your authorised users.

2. Training, evaluating, and improving our own proprietary models — including the operational-experience filter layer, the physics-model layer, and the machine-learning classifiers, on the terms set out in the Dairy Farm Data Use & AI Training Licence and subject to your opt-out rights described in section 10.

3. Generating de-identified aggregated cross-farm benchmarks — subject to a defined anonymisation standard published by us from time to time. The specific anonymisation methodology is forthcoming and will be available before any external publication of aggregates.

4. Billing, customer support, and account management — including subscription invoicing, payment processing through our payment Sub-processor, and responding to support enquiries.

5. Meeting legal, regulatory, and audit obligations — including responses to lawful requests by Australian regulators or law-enforcement bodies, and audit trails required under the Privacy Act 1988 (Cth).

6. Communicating with you — about the service, security incidents, material changes to terms, and product updates, in each case through the contact information you provide.

we do not sell Personal Information, and we do not use Personal Information for third-party advertising.

7. Sub-processors

we rely on the following Sub-processors to deliver the Platform. Each Sub-processor is named, contractually bound to data-protection commitments, and listed in our live Subprocessor Register at https://digitaldairy.ai/legal/subprocessors. Changes to this list trigger the material-change notice described in section 13.

#	Sub-processor	Capability	Region	Cross-border under APP 8?
1	Supabase	Managed PostgreSQL, Edge Functions, Realtime, row-level security, secondary authentication	Sydney (ap-southeast-2)	No
2	Vercel	Serverless and Next.js frontend, application APIs, edge network	United States	Yes
3	Render	Long-running services, workers, Apex Postgres	Singapore	Yes
4	Clerk	Authentication, JWT issuance, OAuth (Google, Apple)	United States	Yes
5	Anthropic	Foundation models (Claude Opus, Sonnet, Haiku)	United States (direct API)	Yes
6	Pinecone	Vector database for retrieval-augmented generation	Sydney (ap-southeast-2)	No
7	GitHub	Source control and continuous integration	United States	Yes (no Farmer PII)
8	Better Stack	Observability, logs, monitoring	European Union	Yes
9	Figma	Design and prototyping	United States	Yes (no Farmer data in design files)
10	Canva	Marketing and brand-system production	Australia	No (no Farmer data)
11	Google Workspace	Working storage, investor and marketing materials	Australia — Sydney and Melbourne under Assured Workloads — Australia Regions	No (primary)

Planned future Sub-processor (not yet provisioned):

Vendor	Capability	Region	Scope
Voyage AI (MongoDB)	Embedding models for knowledge-base content used in retrieval-augmented generation	MongoDB Atlas Sydney (target)	digitaldairy.ai's own knowledge-base content only — not Farmer Personal Information or Farm Data

Voyage AI is described here for transparency; provisioning is design-only as at the date of this Policy. Any future scope extension beyond knowledge-base content will trigger the material-change consent described in section 13.

The Subprocessor Register at https://digitaldairy.ai/legal/subprocessors is the authoritative current list. Where the Register and this Policy differ on the current set of Sub-processors, the Register governs.

8. Cross-border disclosure (APP 8)

we host primary working data and Farmer-identifying data in Australia where reasonably practicable. Some Sub-processors operate outside Australia. Our posture is safeguards-based rather than strict localisation.

"Where any data is processed outside Australia, sub-processors comply with the Australian Privacy Principles through documented safeguards including encryption, access controls, audit logging, and contractual data-protection commitments."

For working storage and internal documents held in Google Workspace specifically:

"Primary working data (Workspace) is hosted in Australia under the Assured Workloads — Australia Regions package (Sydney and Melbourne). Transient processing may occur in other regions per Google's data-processing terms."

For AI workloads — the basis of our differentiated service — we operate a three-layer safeguard so that raw farm data does not travel to external commercial AI services:

"Raw farm data is not transmitted to external commercial AI services. Inference uses a retrieval pattern that sends only contextual chunks retrieved from the Sydney-hosted vector store. Sub-processors handling AI workloads operate under contractual no-training clauses verified with each vendor. Vector embedding workloads, when provisioned, are scoped to Digital Dairy AI's own knowledge-base content and never to farmer personal information or farm operational data."

The specific contractual section references that anchor the no-training clauses with Anthropic, Pinecone, and Voyage AI are being captured and will be confirmed during counsel review. See clause 6 of the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai) for the canonical three-layer mechanism.

9. Security safeguards (APP 11)

we protect Personal Information and Farm Data through layered technical and organisational measures, including: encryption at rest and in transit; least-privilege access controls; audit logging; multi-factor authentication via Clerk; role-based access at the farm-tenant boundary; and the vendor security postures inherited from our enterprise-grade hosted Sub-processors (Supabase, Vercel, Render, Clerk, Anthropic, Pinecone, Better Stack, and Google Workspace under Assured Workloads).

Specific platform-level security patterns are documented internally in our Pattern Library entries PAT-040 (least-privilege access) and PAT-041 (cross-tenant isolation) and are subject to regular review.

10. Your rights

You have the following rights in relation to Personal Information and Farm Data we hold about you:

Access — you may request access to the Personal Information we hold about you, subject to the exceptions in the Privacy Act 1988 (Cth).
Correction — you may request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading Personal Information.
Complaint — you may complain to us about how we have handled your Personal Information by writing to the Privacy contact in section 3. We will acknowledge your complaint promptly and aim to substantively respond within thirty (30) days. If you are dissatisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC).
Three independent opt-out toggles — you may exercise each of the following toggles separately, both through the Platform settings and by written request to the Privacy Officer. The wording of these toggles is identical in substance to clause 9 of the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai); where the two clauses ever diverge in future versions, the clause stated more protectively in your favour prevails.

1. Platform use — you may discontinue use of the Platform. Termination of your subscription is governed by the Terms & Conditions.

2. AI training contribution — you may opt out of having Identifying Farm Data used to train, fine-tune, or evaluate digitaldairy.ai's own proprietary models. The opt-out applies prospectively: from the date of opt-out, no further Identifying Farm Data from your farm is used for training. Identifying Farm Data already used to train models cannot be technically de-influenced from the trained model weights — see clause 10 of the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai) for the honest disclosure on this point.

3. Research-aggregate contribution — you may opt out of having Non-identifying Farm Data from your farm included in cross-farm aggregates. The opt-out applies prospectively: from the date of opt-out, no further Non-identifying Farm Data from your farm is contributed. Aggregates already published or distributed are not retroactively recomputed.

Each opt-out is independently exercisable. Exercising one does not affect the others. Opting out of (2) or (3) does not require you to discontinue Platform use under (1).

11. Data retention — Schedule

This section is the Data Retention Schedule for each category of information we hold. Retention periods are calibrated to Australian Privacy Principle 11.2 (destruction or de-identification when no longer needed for any purpose for which the information may be used or disclosed) and to Principle 5.5 of the Australian Farm Data Code (Edition 2).

11.1 Account and billing data. Retained for the duration of your Subscription and for seven (7) years after termination, in alignment with the statutory record-retention obligations under Australian tax and accounting law (including section 262A of the Income Tax Assessment Act 1936 (Cth) and Division 70 of the A New Tax System (Goods and Services Tax) Act 1999 (Cth)). At the end of the retention period the data is securely deleted or de-identified.

11.2 Identifying Farm Data. Retained for the duration of your Subscription and for seven (7) years after termination, in alignment with conventional Australian dairy-industry record-keeping practice and ICAR animal-record retention conventions. You may at any time request earlier deletion of Identifying Farm Data under the rights described in section 10 and clause 10 of the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai); we will action the request within the service window described there, subject to legal-hold and technical-feasibility exceptions.

11.3 Non-identifying Farm Data already contributed to trained model weights. Persists indefinitely as a technical reality of model training. Once de-identified contributions have been merged into model weights through a completed training pass, they cannot be removed without retraining the model from scratch, which is not feasible on a per-Farmer basis. As models are retrained on their standing cadence, the influence of any single Farmer's contribution diminishes over time as new data displaces it. This persistence is disclosed honestly here and in clause 10 of the Dairy Farm Data Use & AI Training Licence (available on request — hello@digitaldairy.ai).

11.4 AI-chat transcripts (conversations with Kim and other Platform-mediated assistants). Retained for the duration of your Subscription for service-quality monitoring, alert tuning, and Platform improvement; deleted within thirty (30) days of termination. You may at any time request earlier deletion under section 10.

11.5 Legal-hold transparency. Where a legal-hold (including audit obligations, statutory tax-record retention, regulatory hold, or law-enforcement preservation order) prevents deletion on request, we will notify you in plain English of the existence of the hold and its expected duration, and we will retain only the legally-required minimum.

11.6 Backup copies. Backup copies retained as part of standard backup-and-recovery operations are deleted in the ordinary course of those operations. Deletion of live data does not result in immediate deletion from backups; deletion from backups follows the standing backup-rotation cadence.

11.7 Review and revision. This Schedule may be updated from time to time to reflect changes in statutory record-retention obligations, dairy-industry practice, or Platform operations. Material changes to the Schedule trigger a material-change notice under section 13 of this Policy.

12. Data-breach notification

we commit to prompt notification of data breaches consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) and with Principle 5.3 of the Australian Farm Data Code (Edition 2). Where a breach is likely to result in serious harm and is not adequately mitigated, we will notify affected Farmers and the OAIC as required by law.

Our internal incident-response runbook is in development as of the date of this Policy. The Farmer-facing notification commitment described in this section is binding regardless of the runbook's status.

13. Material-change notice

we commit to prompt notice of material changes to this Policy, the Dairy Farm Data Use & AI Training Licence, or our data-handling practices, consistent with Principles 1.3 and 1.4 of the Australian Farm Data Code (Edition 2). Where a change is material, we will give you adequate time to consider it and, if you do not consent, to port or delete your Identifying Farm Data without financial penalty.

A change is material if it involves:

any change in the categories of data we collect;
any change in the purposes for which we use or disclose Personal Information or Farm Data;
any new Sub-processor that handles Identifying Farm Data;
any change in the Australian or overseas hosting region of Identifying Farm Data;
any expansion of AI-training scope — including any move of Voyage AI processing from knowledge-base content only to Farm Data embeddings.

Material-change notices will be delivered through the Platform and to the email address held for the Farmer's account.

14. Children and sensitive information

The Platform is intended for use by Farmers operating a dairy business. It is not intended for use by individuals under eighteen (18) years of age, and we do not knowingly collect Personal Information from minors.

Sensitive Information (as defined in section 6 of the Privacy Act 1988 (Cth)) is not collected by design. If we become aware that Sensitive Information has been inadvertently collected, we will review the information and delete it unless retention is required by law. We will notify the affected Farmer of the inadvertent collection and the action taken.

15. Australian Farm Data Code alignment

we voluntarily align with the National Farmers' Federation Australian Farm Data Code (Edition 2, May 2023). The Code is industry guidance, not regulation, and does not displace the Privacy Act 1988 (Cth) or any other applicable law.

In several respects, our practices go beyond the Code's stated principles — including the three-layer external-AI-training prohibition described in section 8, the granular three-toggle opt-out described in section 10, and the safeguards-based cross-border posture described in section 8.

Certification under the NFF Producer Information Protection Arrangement (PIPA) is under consideration. As at the date of this Policy, PIPA certification is not yet pursued.

16. Contact and complaints

Privacy contact: privacy@digitaldairy.ai
Privacy Officer (acting): Alex Barakat
Postal address: 5A Hartnett Close, Mulgrave, Victoria, Australia 3170

If you have a complaint about how we have handled your Personal Information, please write to the Privacy contact above. We will acknowledge your complaint promptly and aim to provide a substantive response within thirty (30) days of receipt.

If you are dissatisfied with our response, you may complain to:

Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au
Phone: 1300 363 992

17. Document control

Version	v2.0 — RATIFIED
Status	RATIFIED — 13/06/2026 — v2.0
Ratifying body	Directors of digitaldairy.ai Pty Ltd (`CC-2026-05-18-007`) + external Australian counsel Vance Mercer & Associates — Alister Vance, Senior Partner (written sign-off 13/06/2026, `CC-2026-06-13-002`)
Effective date	13/06/2026
Prepared by	digitaldairy.ai Pty Ltd `(ACN: 695 872 383; ABN: 33 695 872 383)`
Governing law	Victoria, Australia
Forum	Courts of Victoria (and appellate courts having jurisdiction)
Next review	13/12/2026 — six (6) months from effective date, or sooner on material change
Prior versions	v1.0 (15/05/2026 — initial drafting; "[Digital Dairy AI Pty Ltd] (ACN: TBD)" placeholder) → v1.1 (17/05/2026 — Pty Ltd incorporation reflected, ACN 695 872 383 confirmed) → v1.2 (17/05/2026 — registered office, acting Privacy Officer, privacy@digitaldairy.ai operational) → v1.3 (17/05/2026 — ABN 33 695 872 383 added) → v1.4 (18/05/2026 — F-2 retention schedule landed at §11 per `CC-2026-05-18-003`; F-1 anonymisation TODO at §6 closed under the resolved marker; director ratification per `CC-2026-05-18-007`) → RATIFIED as v2.0 (13/06/2026, counsel sign-off `CC-2026-06-13-002`; watermark removed; nil substantive change).

RATIFIED — 13/06/2026 — v2.0. This document was reviewed and signed off in writing by external Australian counsel (Vance Mercer & Associates — Alister Vance, Senior Partner) on 13/06/2026, and ratified by the directors of digitaldairy.ai Pty Ltd (CC-2026-05-18-007; CC-2026-06-13-002). The contracting entity is digitaldairy.ai Pty Ltd (ACN: 695 872 383; ABN: 33 695 872 383), registered office 5A Hartnett Close, Mulgrave, Victoria, Australia 3170. Acting Privacy Officer is Alex Barakat (contact privacy@digitaldairy.ai). This v2.0 carries no substantive change from the director-ratified v1.4 text; counsel returned zero red-lines.