Privacy Policy
Last updated: February 16, 2026
ThinkFoundry.ai Pty Ltd (“we”, “us”, or “our”) operates the OpenAgent Core platform, a Financial Data Infrastructure-as-a-Service for AI Agent developers. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform, website, and services (collectively, the “Services”). By using our Services, you agree to the practices described in this policy.
1. Who We Are
ThinkFoundry.ai Pty Ltd is an Australian technology company providing the OpenAgent Core platform — a Model Context Protocol (MCP) ecosystem that enables AI Agent developers to integrate banking and financial data into their applications via Basiq.io's Open Banking infrastructure.
We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we handle Consumer Data under the Consumer Data Right (CDR) framework, we comply with the applicable CDR rules.
Privacy Contact: privacy@thinkfoundry.ai
2. Information We Collect
2.1 Account and Identity Information
When you register for an account, we collect:
- Full name and email address
- Company or organisation name
- Password (stored as a secure hash — never in plain text)
- Billing address and payment details (processed by Stripe — we do not store raw card data)
2.2 API Credentials and Integration Data
To provide the Services, we collect and store:
- Platform API keys — generated by us, stored as PBKDF2 hashes with a random salt (600,000 iterations). The plain-text key is displayed once at generation and never stored.
- Basiq.io API keys — provided by you. Stored encrypted at rest using AES-256-GCM encryption. Decrypted only when needed to make authorised API calls on your behalf.
2.3 Financial Data (via Basiq.io)
Our platform acts as a conduit to Basiq.io's Consumer Data Right (CDR) accredited infrastructure. When your end-users connect their bank accounts via our MCP tools, the following data may be retrieved and temporarily processed:
- Bank account details (account names, BSBs, masked account numbers, balances)
- Transaction history (amounts, descriptions, merchant information, dates)
- Financial health scores and categorisation enrichment data
This data is retrieved in real-time from Basiq.io on behalf of the authenticated tenant and is not persistently stored in our systems beyond what is required to fulfil the immediate API request. You remain responsible for how your application handles and stores this data.
2.4 Usage and Technical Data
We automatically collect technical data to operate and improve the Services:
- MCP request counts, Basiq API call counts, and AI token consumption per tenant
- IP addresses, browser type, operating system, and device identifiers
- Log data including request timestamps, error codes, and response times
- Cookies and similar tracking technologies (see Section 8)
2.5 Communications
If you contact us, we retain:
- Email correspondence and support tickets
- Feedback, survey responses, and feature requests
3. How We Use Your Information
We use the information we collect to:
| Purpose | Legal Basis (Australian Privacy Act) |
|---|---|
| Provision and operation of the Services | Contractual necessity |
| Account management and authentication | Contractual necessity |
| Billing and subscription management via Stripe | Contractual necessity |
| Usage tracking, rate limiting, and quota management | Legitimate interest |
| Security monitoring, fraud prevention, and incident response | Legitimate interest / Legal obligation |
| Customer support and communications | Legitimate interest |
| Product improvement and analytics | Legitimate interest |
| Marketing and service updates (opt-out available) | Consent |
| Compliance with legal and regulatory obligations | Legal obligation |
4. How We Share Your Information
We do not sell your personal information. We may share it in the following circumstances:
4.1 Third-Party Service Providers
- Supabase Inc. — Database infrastructure and authentication. Data is stored in PostgreSQL with row-level security (RLS) enforcing strict multi-tenant isolation. Supabase operates data centres compliant with SOC 2 Type II.
- Stripe Inc. — Payment processing. Stripe is PCI DSS Level 1 compliant. We do not store raw credit card data.
- Basiq.io (Illion Australia Pty Ltd) — Open Banking data provider and CDR Accredited Data Recipient. Financial data requests are passed through Basiq.io infrastructure under their own CDR obligations and privacy policy.
- Vercel Inc. — Hosting and deployment infrastructure for the web application.
4.2 Legal Requirements
We may disclose your information where required by law, court order, or government authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data becomes subject to a different privacy policy.
4.4 With Your Consent
We may share your information with third parties where you have given your explicit consent to do so.
5. Data Security
We implement industry-standard and banking-grade security controls to protect your data:
- Encryption at rest: Sensitive credentials (Basiq API keys) are encrypted using AES-256-GCM before storage.
- Hashing: Platform API keys are hashed with PBKDF2-SHA256 at 600,000 iterations — the OWASP recommended minimum. Plain-text keys are never stored or logged.
- Multi-tenant isolation: All database tables have Row Level Security (RLS) policies enforced at the database level, ensuring no tenant can access another tenant's data.
- Transport security: All data in transit is encrypted using TLS 1.2 or higher.
- Access control: Internal access to production data is restricted and audited.
- Webhook security: All inbound webhooks (e.g., from Stripe) are verified using HMAC signature validation before processing.
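The platform API key handling described above (a random salt per key, PBKDF2-SHA256 at 600,000 iterations, the plain-text key shown once and never stored) can be illustrated as follows. This is an added example written for this page, not OpenAgent Core's own code; the `oac_` key prefix, the public key-id segment used for lookup, and the in-memory `records` dictionary standing in for the database are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # the OWASP-recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_PREFIX = "oac"            # assumed prefix, not a documented OpenAgent Core format


def generate_api_key():
    """Return (plain_key, record). The plain key is shown to the user once; only
    `record` (public key id, random salt, PBKDF2 hash) is written to storage."""
    key_id = secrets.token_hex(6)            # public lookup handle, safe to store in clear
    secret = secrets.token_hex(32)           # 256 bits of entropy
    plain_key = f"{KEY_PREFIX}_{key_id}_{secret}"
    salt = secrets.token_bytes(SALT_BYTES)   # fresh per key, so equal secrets never share a hash
    digest = hashlib.pbkdf2_hmac("sha256", plain_key.encode(), salt, PBKDF2_ITERATIONS)
    record = {"key_id": key_id, "salt": salt.hex(), "hash": digest.hex(),
              "iterations": PBKDF2_ITERATIONS}
    return plain_key, record


def parse_key_id(presented_key):
    """Extract the public key id so the stored record can be found without
    hashing every row; returns None for anything that is not well formed."""
    parts = presented_key.split("_", 2)
    if len(parts) != 3 or parts[0] != KEY_PREFIX or not parts[1]:
        return None
    return parts[1]


def verify_api_key(presented_key, records):
    """records: dict of key_id -> stored record (assumed stand-in for the database).
    Returns True only for the exact key that was issued."""
    key_id = parse_key_id(presented_key)
    record = records.get(key_id) if key_id else None
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", presented_key.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison so response timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
```

Because the salt is random per key, the stored hash cannot be used to look the key up; that is why a public key-id segment is carried in the key itself.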
6. Data Retention
We retain your data for the following periods:
- Account data — for the duration of your account plus 30 days following deletion, after which it is permanently purged.
- Usage and billing data — for up to 7 years to comply with Australian financial record-keeping requirements.
- API request logs — for up to 90 days for security and debugging purposes.
- Encrypted API keys — deleted immediately upon key revocation or account deletion.
You may request early deletion of your data subject to our legal retention obligations (see Section 10).
7. International Data Transfers
Our Services are primarily operated from Australia. However, some of our sub-processors (including Supabase and Vercel) may store or process data in the United States or other jurisdictions. Where data is transferred internationally, we ensure appropriate safeguards are in place, including contractual protections that meet the standards required under the Privacy Act 1988 (Cth) APP 8.
8. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Strictly necessary cookies — Required for authentication sessions and security. These cannot be disabled.
- Functional cookies — Remember your preferences such as theme settings.
- Analytics cookies — Used to understand how users interact with our platform (aggregate, anonymised data only).
You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of the platform.
9. Consumer Data Right (CDR)
Our platform is built on Basiq.io's CDR-accredited infrastructure. Where your end-users share their banking data through our MCP tools, that data is governed by:
- The Consumer Data Right Act 2019 (Cth) and associated rules
- Basiq.io's CDR Consumer Policy (available at basiq.io)
- Your own consent agreement with your bank (Data Holder)
As a developer using our platform, you are responsible for ensuring your application handles CDR data in accordance with applicable laws and the terms of any consent provided by your end-users. You must not use CDR data for any purpose beyond what was disclosed to and consented to by the data subject.
10. Your Rights
Under the Australian Privacy Act 1988 and the APPs, you have the right to:
- Access — Request a copy of the personal information we hold about you.
- Correction — Request correction of inaccurate or incomplete information.
- Deletion — Request deletion of your personal data, subject to our legal retention obligations.
- Opt-out of marketing — Unsubscribe from marketing communications at any time via the unsubscribe link in any email or by contacting us.
- Data portability — Request a machine-readable copy of your usage data.
- Complaint — Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe we have mishandled your information.
To exercise any of these rights, contact us at privacy@thinkfoundry.ai. We will respond within 30 days.
11. Children's Privacy
Our Services are intended for use by businesses and developers aged 18 or over. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
12. Third-Party Links
Our website and documentation may contain links to third-party websites, including Basiq.io, Stripe, and others. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you use.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Send a notification to your registered email address
- Display a prominent notice on our platform for at least 30 days
Your continued use of the Services after any changes constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information, please contact our Privacy Officer:
Company: ThinkFoundry.ai Pty Ltd
Product: OpenAgent Core
Privacy enquiries: privacy@thinkfoundry.ai
General support: support@thinkfoundry.ai
Regulator: Office of the Australian Information Commissioner (OAIC)