Effective: 10 February 2026 · Last updated: 10 February 2026
This Privacy Policy explains how Corey McIvor trading as ZYNTHIO™ (ABN 31 314 627 918) (“we”, “us”, “our”) collects, uses, discloses, and protects personal information through:
CoreyAI — coreyai.ai (community AI safety laboratory and SaaS platform)
ZYNTHIO™ — zynthio.ai (AI remediation professional services)
CoreIntent — coreintent.dev
We are committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Information We Collect
Information you provide directly
Account and contact details: name, email address, company name, job title when you sign up, contact us, or subscribe.
Payment information: processed securely by Stripe. We do not store credit card numbers.
Competition submissions: incident reports, evidence data, and contributor information submitted to the AI Disaster Olympics or through bot channels (Discord, Telegram, web form).
Client engagement data: information provided during ZYNTHIO remediation engagements, including system documentation and assessment findings.
Communications: emails, support requests, form submissions (via Formspree), and messages through bot channels.
Information collected automatically
Usage data: API call logs, pages visited, features used, timestamps.
Technical data: IP address, browser type, device information, operating system.
Cookies: essential cookies only (session management, security). No advertising or tracking cookies. See Section 8.
Information from third parties
Public data sources for our evidence database (AI Incident Database, OECD AIM, NVD/CVE, etc.) — public data, not personal information.
2. How We Use Your Information
| Purpose | Legal basis (APP reference) |
| --- | --- |
| Provide and maintain our services (CoreyAI SaaS, ZYNTHIO engagements) | APP 6 — primary purpose |
| Process payments and subscriptions | APP 6 — primary purpose |
| Send service notifications, security alerts, threat briefings you subscribed to | APP 6 — primary purpose |
| Administer the AI Disaster Olympics competition | APP 6 — primary purpose |
| Improve our services and develop new features | APP 6 — related secondary purpose |
| Respond to support requests and communications | APP 6 — primary purpose |
| Comply with legal obligations | APP 6 — required by law |
| Produce anonymised research and community resources | APP 6 — related secondary purpose |
We will not use your personal information for direct marketing without your consent. You can opt out of any non-essential communications at any time.
3. How We Share Your Information
We do not sell your personal information. We may share information with:
Email service: Amazon SES (transactional emails only).
Form processor: Formspree (web form submissions).
Hosting: Cloudflare (website hosting and CDN).
Legal requirements: where required by Australian law, court order, or regulatory authority.
We do not share client-specific findings, assessment reports, or engagement data with any third party without explicit written consent.
4. Competition Submissions (AI Disaster Olympics)
Your contributor name (or chosen alias) may be published on coreyai.ai.
Your submission content may be incorporated into our evidence database in anonymised form.
Your email address is used for prize notification and competition administration only.
You retain ownership of your submission. By submitting, you grant us a non-exclusive licence to use the content for research, evidence database development, and community resources.
5. Client Data (ZYNTHIO Engagements)
ZYNTHIO client data is handled under the specific terms of each Statement of Work (SOW). Generally:
Client data is retained for 90 days after delivery of final deliverables, then securely destroyed.
Clients may request earlier destruction in writing.
We may use anonymised, non-attributable data for methodology development. No data that could identify the client is used without explicit written consent.
6. Data Storage and Security
Website hosting: Cloudflare Pages (global CDN).
Payment data: Processed by Stripe (PCI DSS compliant). We do not store card details.
Client engagement data: Stored on secured, access-controlled infrastructure. Encrypted in transit (TLS).
Email: Amazon SES (AWS infrastructure).
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure (APP 11). No method of electronic transmission or storage is 100% secure.
7. Cross-Border Disclosure
Some service providers (Stripe, Cloudflare, AWS) process data outside Australia, including the United States. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs (APP 8).
8. Cookies
Our websites use essential cookies only: session management, security (CSRF protection), Cloudflare performance/security. We do not use advertising cookies, tracking pixels, or third-party analytics. We do not use Google Analytics.
9. Your Rights
Under the Australian Privacy Principles, you have the right to:
Access your personal information (APP 12).
Correction of inaccurate information (APP 13).
Opt out of marketing communications at any time.
Request deletion of your account and associated data.
Complain if you believe we have breached the APPs (see Section 11).
In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme within 30 days of becoming aware (or sooner where practicable).