PushBackLog Pty Ltd (ABN 74 698 154 148)
Level 7, 616 St Kilda Road, Melbourne VIC 3004
privacy@pushbacklog.app


1. Introduction and Who We Are

PushBackLog Pty Ltd ABN 74 698 154 148 of Level 7, 616 St Kilda Road, Melbourne VIC 3004 (PushBackLog, we, us, our) operates the PushBackLog platform — an AI-assisted software project management service accessible at pushbacklog.ai and via our mobile application (together, the Platform).

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act. This Privacy Policy explains how we collect, hold, use, and disclose personal information, and how you can access and correct information we hold about you.

Privacy contact: privacy@pushbacklog.app


2. Personal Information We Collect

We collect personal information that is reasonably necessary for us to provide the Platform and related services.

2.1 Account information

When you create an account, we collect your full name, email address, and profile photo (if you sign in via a social provider such as Google or GitHub). Authentication is managed by Clerk, Inc., a US-based identity provider. We do not store passwords. We also record your account creation date and last sign-in date.

If you sign in using a social identity provider, that provider shares only the limited fields described above. We do not receive your password or any other credentials held by the social provider.

2.2 Billing and payment information

When you purchase AI credits:

  • The name on your payment card, your card’s last four digits, and your billing country are held exclusively by Stripe, Inc. under PCI-DSS compliance. We do not hold this information.
  • Your Stripe Customer ID (an internal reference token) — held by us.
  • Your ABN (if you provide it for GST purposes) — held by us.
  • Your payment history: top-up amounts, dates, credit deductions, invoice numbers — held by us.

We do not store full card numbers, CVV codes, or card expiry dates.

2.3 Usage and activity data

In the ordinary course of delivering the Platform, we collect:

  • AI feature usage records: which features were used, when, and on which backlog items.
  • Token consumption records: input and output token counts, model used, and resulting cost per AI call.
  • Credit balance history: all deductions, top-ups, complimentary credit issuances, and forfeiture events.
  • Session data: IP address at login, browser type, device type, and session timestamps.
  • In-application behaviour: pages visited and features accessed via our own server-side event logging.
  • Terms and marketing consent records: which version of our Terms you accepted and when; your marketing communications consent status and its full change history (immutable audit trail).
  • Notification preferences: your configured routing preferences for email, in-application inbox, Slack, and mobile push.

2.4 Customer content data

Content you create within the Platform includes:

  • Backlog items: titles, descriptions, acceptance criteria, effort estimates, comments, tags, and other fields you populate.
  • Project and workspace data: project names, settings, iteration configurations, and associated metadata.
  • Team data: email addresses of members you invite to your workspace.
  • AI inputs and outputs: backlog content submitted to AI features and the outputs returned by LLM providers.
  • Decisions and documentation: architectural decisions, notes, and documentation you create within the Platform.

Your content may contain personal information about third parties. You are responsible for ensuring you have appropriate grounds under applicable privacy law to share such information with PushBackLog.

2.5 File attachments

You may upload files to backlog items. These are stored in AWS S3. Attachments may contain personal information. We do not inspect attachment content except as required for security or in response to a specific legal or safety concern.

2.6 GitHub integration data

If you install the PushBackLog GitHub App, we collect:

  • Your GitHub installation ID and the list of repositories you grant access to.
  • Short-lived installation access tokens — ephemeral, not stored beyond the immediate API call.
  • For codebase analysis: repository file content fetched at the time of the request and transmitted to the configured LLM provider. This content is not stored beyond the processing request unless you explicitly save an AI output to your account.

2.7 Slack integration data

If you connect a Slack workspace, we collect the Slack Bot Token for your workspace, a mapping of PushBackLog user email addresses to Slack user IDs, configured channel IDs, and notification event content transmitted to deliver in-Platform notifications to your team.

2.8 AI Persona training data

You may create AI Personas using information such as CV content, LinkedIn profile text, skills descriptions, and interview transcript excerpts that may relate to identifiable individuals. This data is transmitted to the configured LLM provider when a persona is invoked. See clause 8.5 of our Terms of Service for your obligations in respect of persona data.

2.9 Waitlist data

If you registered interest via our public waitlist, we collected your email address, name (optional), industry (optional), motivation (optional), IP address, browser user agent, and approximate geographic location (country, region, city — derived from IP at the time of submission).

2.10 Inbound email

The Platform can receive email replies to outbound notifications. When you reply to such an email, the sender address, subject line, and message body are extracted and stored as a structured reply record. Raw MIME files are deleted within 7 days of receipt. We also maintain an email suppression list of addresses that have hard-bounced or submitted a spam complaint.

2.11 API keys and intake tokens

Only a hashed version of each API key or intake token is stored. The plaintext credential is displayed once at creation and is not recoverable from our systems.

2.12 Mobile application

Our mobile application uses the same authentication system as the web application. Data transmitted by the mobile app follows the same categories described in this section.


3. How We Use Personal Information

Purpose | Personal information used | Legal basis
Creating and managing your account | Account information | Contract performance
Delivering AI features | Content data, AI inputs/outputs | Contract performance
Processing payments and issuing tax invoices | Billing information, ABN | Contract performance; legal obligation
Accounting and financial records | Name, email, billing amounts, invoice numbers | Legal obligation
Sending billing and operational emails | Email, billing information | Contract performance
Delivering notifications (email, Slack, in-app, mobile push) | Email, Slack mapping, notification content | Contract performance
Managing email suppression | Email address, SES event metadata | Legitimate interest
Marketing communications (where you have opted in) | Email address | Consent
Recording T&C acceptance and consent evidence | Account information, consent records, timestamps | Legal obligation / legitimate interest
GitHub integration (codebase analysis, PR tracking) | GitHub installation data, repository content | Contract performance
Slack integration (notification delivery) | Slack workspace data, notification content | Contract performance
Platform security monitoring | Usage data, IP address | Legitimate interest
Improving the Platform | Aggregated, de-identified usage data | Legitimate interest
Responding to support requests | Information you provide | Legitimate interest
Waitlist management | Waitlist data | Legitimate interest

We do not use your Customer Data to train AI models. We do not sell, rent, or trade personal information to third parties.


4. Disclosure of Personal Information

We disclose personal information to:

  • Sub-processors — listed in section 5 below — who process data on our behalf under data processing agreements.
  • Professional advisers (lawyers, accountants, auditors) subject to duties of confidentiality.
  • Law enforcement and government authorities where required by law, court order, or regulatory obligation, including under the Notifiable Data Breaches scheme.
  • Successors in the event of a merger, acquisition, or sale of assets; any acquiring entity will be bound by this Privacy Policy.
  • Customer-configured endpoints — when you configure outbound webhooks or grant OAuth access to a third-party application, data is transmitted to destinations you control and authorise. Once delivered, we are not responsible for how it is handled.

We do not otherwise disclose personal information to third parties without your consent, unless required by law.


5. International Data Transfers and Sub-Processors

Sub-processor | Purpose | Information shared | Country
Clerk, Inc. | Authentication and identity | Name, email, OAuth tokens | United States
Stripe, Inc. | Payment processing | Name, email, payment details (Stripe only), ABN | United States
Anthropic, PBC | AI — Claude (default) | Customer Data submitted for AI processing | United States
OpenAI, LLC | AI — GPT (default) | Customer Data submitted for AI processing | United States
Google LLC | AI — Gemini (optional; tenant opt-in) | Customer Data submitted for AI processing | United States
DeepSeek (Beijing Deep Seek Artificial Intelligence Co., Ltd) | AI — DeepSeek (optional; tenant opt-in) | Customer Data submitted for AI processing | People’s Republic of China — see note below
Amazon Web Services, Inc. | Cloud infrastructure, database, S3, SES, secrets | All categories of personal information | Australia (ap-southeast-2 primary); some US services
GitHub, Inc. | Source code repository integration | Installation ID, repository metadata and file content | United States
Slack Technologies, LLC | Notification delivery | Bot Token, email-to-Slack-ID mappings, notification content | United States
Xero Ltd | Accounting — invoicing and financial records | Name, email, ABN, payment amounts, invoice numbers | New Zealand / global
Revolut Business | Business banking | No customer personal information shared directly | Australia / United Kingdom

Transfers to the United States

Clerk, Stripe, Anthropic, OpenAI, Google, GitHub, Slack, and some AWS services are US-based. Transferring personal information to these providers constitutes a cross-border disclosure under APP 8. We select providers that offer appropriate data protection commitments including contractual protections and SOC 2 certification or equivalent.

Transfer to New Zealand

Xero Ltd is based in New Zealand. The transfer of billing data to Xero is limited to what is necessary for the creation and management of your invoices.

Transfer to the People’s Republic of China — DeepSeek

Important: DeepSeek is operated by a People’s Republic of China entity. The PRC does not have a data protection regime that the OAIC would regard as equivalent to Australia’s Privacy Act 1988 (Cth) or the APPs. This is a material cross-border disclosure under APP 8.

DeepSeek is disabled by default and can only be enabled by a tenant administrator through an explicit opt-in process in Platform settings. By enabling DeepSeek, you acknowledge and accept this cross-border transfer on behalf of your organisation.


6. How We Protect Personal Information

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AWS KMS-managed encryption keys (DynamoDB, S3, and other services).
  • Authentication is managed by Clerk, with support for multi-factor authentication (MFA). We encourage all users to enable MFA.
  • Payment credentials are held by Stripe under PCI-DSS Level 1 compliance. We do not hold payment credentials.
  • Access to production data is restricted to authorised PushBackLog personnel on a need-to-know basis.
  • Despite these measures, no system is entirely secure. You are also responsible for maintaining the security of your account credentials, API keys, and OAuth grants.


7. Data Retention

Category | Retention period
Account information | Duration of account + 1 year after closure
Billing records (invoices, payment history) | 7 years from transaction date
Credit ledger (all deductions and top-ups) | 7 years
AI usage logs (token counts, feature, cost) | 7 years
Customer content data (backlog items, AI outputs) | Duration of account + 90 days after closure
File attachments (S3) | Duration of account + 90 days after closure
T&C and marketing consent evidence | 7 years from consent event
Waitlist data | Until invitation sent + 90 days, or 2 years if never invited
Inbound email replies (parsed records) | 90 days from receipt
Raw inbound email MIME files | 7 days
Email suppression list entries | Indefinite (until you remove them)
GitHub integration data | Duration of GitHub App connection
Slack integration data | Duration of Slack connection
API key and intake token hashes | Duration of key + 90 days after revocation
Server and application logs | 90 days rolling
Support communications | 3 years from resolution


8. Marketing Communications and Consent

During account creation, you may opt in to marketing communications from us (product updates, newsletters, feature announcements). This is voluntary.

Your consent decision — and any subsequent change — is recorded as an immutable evidence record with a timestamp, retained for 7 years.

You may withdraw marketing consent at any time via your profile settings, or by clicking the unsubscribe link in any marketing email. Withdrawal does not affect delivery of operational communications (invoices, security alerts, credit expiry warnings, invitation emails).


9. Outbound Webhooks and Connected Applications

Webhooks: You may configure the Platform to send real-time event notifications to a URL you control. Once data is delivered to your endpoint, we are not responsible for how it is handled. Webhook delivery logs are retained for 30 days.

OAuth-connected applications: You may authorise third-party applications to access the Platform on your behalf. We are not responsible for the privacy practices of third-party applications. You may revoke any OAuth grant at any time via Settings → Connected Apps.


10. Cookies and Tracking

  • We use session cookies set by Clerk for authentication. These are necessary for the Platform to function.
  • We do not use third-party advertising cookies or cross-site tracking pixels.
  • We do not embed third-party analytics SDKs (such as Google Analytics or Segment) on the critical path of the Platform. Usage data is collected via our own server-side event logging.


11. Children’s Privacy

The Platform is not directed at individuals under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@pushbacklog.app.


12. Your Rights Under the Australian Privacy Principles

Access: You may request a copy of the personal information we hold about you. We will respond within 30 days.

Correction: If you believe information we hold is inaccurate, incomplete, or misleading, you may request that we correct it. We will respond within 30 days.

Deletion: You may request deletion of your personal information, subject to our legal retention obligations.

Complaints: If you believe we have interfered with your privacy, please contact us at privacy@pushbacklog.app. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.


13. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we experience an eligible data breach likely to result in serious harm, we will notify the OAIC and affected individuals as soon as practicable.


14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 30 days before the updated policy takes effect. The current version is always available at pushbacklog.ai/privacy.


15. Contact Us

Privacy Officer
PushBackLog Pty Ltd
Level 7, 616 St Kilda Road, Melbourne VIC 3004
privacy@pushbacklog.app

We will respond to all privacy enquiries within 5 business days.