Legal
Privacy policy
Last updated: May 2026
1. Who we are
nimbleworx operates the AI Strategy Workbook at strategy.nimbleworx.com.au (“the Service”). We are the data controller for personal information collected through the Service. Questions about this policy: privacy@nimbleworx.com.au
2. What we collect and why
Account information
Your work email address, collected when you sign in via magic link. Used to authenticate you and deliver the Service.
Organisation context
Your organisation’s name, industry, size, geography, primary driver, constraints, and success definition. Collected during setup and used to personalise the AI consultant’s guidance.
Conversation data
Your exchanges with the AI consultant during module sessions. Stored to maintain session continuity and generate your strategy timeline. Conversation transcripts are sent to Anthropic’s API to generate responses — see Section 5.
Strategy timeline data
Timeline items, notes, and status updates you create or accept. Stored to build your strategy roadmap.
3. Legal basis for processing
We process your personal information on the basis of contractual necessity (to deliver the Service you signed up for) and legitimate interests (to improve the Service and prevent misuse). For Australian users, we comply with the Australian Privacy Act 1988 and the Australian Privacy Principles.
4. How we store and protect your data
Your data is stored in Supabase (PostgreSQL), encrypted at rest using AES-256 and in transit using TLS 1.2+. We do not use your data to train AI models. Access is restricted to authenticated users via row-level security policies.
Data residency: Please contact us to confirm the current data residency region for your data before onboarding if this is a compliance requirement for your organisation.
5. Third-party sub-processors
Anthropic
AI language model — conversation transcripts are sent to Anthropic to generate consultant responses. Anthropic does not use API data to train models.
Supabase
Database and authentication hosting.
Vercel
Application hosting and edge delivery.
Organisations requiring a Data Processing Agreement covering these sub-processors may request one here.
6. Data retention
We retain your data for as long as your account is active. If you close your account, your personal data will be deleted within 30 days, except where we are required to retain it by law.
7. Your rights
You have the right to access, correct, or delete your personal information. To exercise these rights, contact us at privacy@nimbleworx.com.au.
8. Changes to this policy
We may update this policy from time to time. We will notify account holders of material changes by email. Continued use of the Service after changes constitutes acceptance of the revised policy.