1. About Sovereign AI Infrastructure (SAII)

Sovereign AI Infrastructure (SAII) (ABN [to be confirmed]) (we, us, our) is an Australian sovereign AI infrastructure company. We build and operate secure, onshore, air-gap-capable AI infrastructure for regulated and mission-critical organisations across government, defence, financial services, energy and critical infrastructure. Our services include sovereign model training and fine-tuning, agentic AI deployment, AI red-team testing, AI governance validation and cybersecurity simulation, delivered within environments we own and physically control. Our registered office is 447 Nepean Highway, Brighton East, Victoria 3187.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, store and protect personal information in the course of operating our business.

If you have any questions about this policy or how we handle your personal information, please contact our Privacy Officer at privacy@saii.com.au.

2. What Personal Information We Collect

2.1 Client and Prospect Information

•     Names, job titles, employer names, business contact details (email, phone, address).

•     Information provided in proposals, statements of work, and project communications.

•     Billing and payment information for invoicing purposes.

•     Meeting notes, correspondence, and engagement records.

2.2 Personnel of Client Organisations

•     Names and contact details of client personnel involved in engagements.

•     Work-related information necessary to perform contracted services (e.g. role, department, system access requirements).

•     Where a client engagement involves processing employee data (e.g. workforce AI tools), information as specified in the relevant Statement of Work and limited to what is necessary for the services.

2.3 Job Applicants and Personnel

•     Resumes, cover letters, references, and employment history.

•     Identity verification documents where required.

•     Payroll and superannuation information for employees and contractors.

2.4 Website and Marketing

•     Names and email addresses collected through contact forms or event registrations.

•     Analytics data (aggregated and de-identified where possible) relating to website usage.

2.5 Sensitive Information

We only collect sensitive information (as defined in the Privacy Act) where it is reasonably necessary for our functions and with your consent, or where otherwise permitted by law. In the context of client engagements, we may encounter sensitive information (including health information, biometric data such as voice recordings, or financial information) through documents provided by clients. We handle such information in accordance with the specific data handling requirements agreed with that client.

3. How We Collect Personal Information

We collect personal information:

•     Directly from you -- when you contact us, engage our services, apply for a role, or attend our events.

•     From your employer -- where your employer is our client and your details are provided in the context of an engagement.

•     From publicly available sources -- such as LinkedIn, company websites, and corporate registers, for business development purposes.

•     Through our AI platforms -- where documents or data containing personal information are provided to us for processing as part of a contracted engagement.

Where we collect personal information through AI platforms in the course of a client engagement, that collection is governed by the relevant Statement of Work and any applicable data processing addendum.

4. How We Use Personal Information

4.1 Primary Purposes

•     To provide AI services and deliver contracted engagements.

•     To manage our client and supplier relationships.

•     To communicate with clients, prospects, and partners about our services.

•     To process invoices and manage payments.

•     To recruit, onboard and manage our personnel.

•     To comply with our legal and regulatory obligations.

4.2 AI-Specific Use

Where personal information is provided to us as part of a client engagement for processing through AI systems, we use that information solely for the purpose specified in the relevant Statement of Work. We do not:

•     Use client data to train our own proprietary AI models without the express written consent of the client.

•     Share client data with third-party AI providers for training purposes.

•     Retain personal information beyond the period required for the engagement, unless required by law or agreed in writing.

AI TRAINING

We will never use your personal information or your organisation's data to train AI models without your express written consent. This applies to all client data processed through any AI platform we use in the course of our services.

5. Disclosure of Personal Information

We may disclose personal information to:

•     Our employees, contractors and subcontractors involved in the relevant engagement, on a need-to-know basis.

•     Third-party platforms or sub-processors only where a specific engagement requires it and with the client's authorisation. SAII's default is to process client data within its own sovereign, onshore infrastructure; any use of an external platform for a non-sovereign engagement is documented in the relevant Statement of Work. See Section 6 for how we manage any overseas disclosures.

•     Professional advisers (lawyers, accountants, insurers) where necessary.

•     Regulatory authorities where required by law.

•     Prospective buyers of our business, subject to appropriate confidentiality obligations.

We do not sell personal information to third parties. We do not disclose personal information for direct marketing purposes without consent.

6. Overseas Disclosure (APP 8)

SAII is built to keep personal information onshore. As an Australian sovereign AI infrastructure provider, our default is to collect, process and store personal information within Australia, in infrastructure we own and physically control, including air-gapped environments for the highest-security engagements. We do not routinely disclose personal information to overseas recipients.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient is subject to privacy protections that are substantially similar to the Australian Privacy Principles, including through contractual data processing agreements with each provider.

Where an engagement involves personal information subject to Australian Privacy Principle 8, we document the overseas disclosure and the safeguards in place in the relevant engagement records. We will inform clients of overseas disclosure arrangements on request.

7. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

•     Encryption of data at rest and in transit for all client engagement data.

•     Access controls limiting access to personal information to authorised personnel only.

•     Multi-factor authentication on all systems used to store or process client data.

•     Processing within sovereign, onshore infrastructure that SAII owns and physically controls, including air-gapped environments where required.

•     Contractual data processing obligations with all sub-processors.

•     Regular review of security practices as our technology platforms evolve.

In the event of a data breach involving personal information, we will respond in accordance with our Data Breach Response Procedure, notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme, and notify affected clients within 72 hours of becoming aware of the breach.

8. Retention and Deletion

We retain personal information for as long as necessary for the purpose for which it was collected, or as required by law. For client engagement data, our default retention periods are:

•     Client contact and engagement records -- seven years from the end of the engagement.

•     Personal information processed through AI platforms as part of an engagement -- as specified in the relevant Statement of Work; where not specified, deleted within 30 days of engagement completion.

•     Job applicant records (unsuccessful applicants) -- 12 months from the date of application.

•     Employee and contractor records -- seven years from the end of the employment or engagement.

On expiry or termination of a client engagement, we delete or return client data in accordance with the data handling obligations in the relevant agreement.

9. Your Rights

Under the Australian Privacy Principles, you have the right to:

•     Request access to personal information we hold about you.

•     Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant or misleading.

•     Make a complaint about how we have handled your personal information.

To exercise these rights or make a complaint, contact our Privacy Officer at privacy@saii.com.au. We will respond to access and correction requests within 30 days. If you are not satisfied with our response to a complaint, you may refer the matter to the OAIC at www.oaic.gov.au.

10. Cookies and Analytics

Our website may use cookies and analytics tools to understand how visitors use our site. Analytics data is aggregated and de-identified where possible. You can manage cookie preferences through your browser settings. We do not use cookies to track individuals across third-party websites.

11. Changes to this Policy

We may update this Privacy Policy from time to time. The current version is published at saii.com.au/privacy. We will notify clients of material changes by email or through our engagement communications. The version date at the top of this policy indicates when it was last reviewed.

12. Contact

Privacy Officer

Sovereign AI Infrastructure (SAII)

447 Nepean Highway, Brighton East, Victoria 3187

privacy@saii.com.au

Sovereign AI Infrastructure (SAII) ABN [to be confirmed]  |  Privacy Policy v1.0  |  June 2026  |  This policy should be reviewed annually or when material changes occur to our data handling practices.