Effective Date: 1 December 2025
Version: 2.0
Issuing Entities:
- Strategic Global Holdings Pty Ltd (ACN 693 256 503);
- Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app
Governance Oversight: Group CEO, Strategic Global Holdings Pty Ltd
Review Cycle: Annual or earlier if required by law or operational change
1. WHO WE ARE
Superspeed.ai Pty Ltd (Cushi.ai / Cushi.app) (“Cushi”, “we”, “us”) provides AI‑enabled onboarding, compliance, and learning services. This Privacy Policy explains how we collect, use, store, protect, disclose, and transfer Personal Data across global jurisdictions.
We comply with:
- Australian Privacy Act & APPs
- EU GDPR / UK GDPR
- CPRA (California) & U.S. state laws
- China PIPL
- LATAM privacy regulations (LGPD, etc.)
2. EU/UK REPRESENTATIVE (GDPR ART. 27)
Cushi is not currently required to appoint an EU/UK representative because our processing activities do not fall within mandatory thresholds. If this changes, this Policy will be updated.
3. SCOPE
This Policy applies to:
- Visitors to Cushi websites
- Users of web and mobile applications
- Customer administrators and team managers
- Partners, vendors, and support contacts
4. KEY TERMS
Personal Data, Controller, Processor, Customer, Learner/Member, Subprocessor are defined in Annex A.
5. CONTROLLER VS PROCESSOR
Cushi acts as:
- Controller for: account, billing, analytics, security, support, marketing (where permitted)
- Processor for: Customer Data including training records, onboarding workflow data, and uploaded content
Processor responsibilities are governed by the DPA.
6. DATA WE COLLECT
- Account data (name, email, credentials)
- Organisation-provided data (Processor role)
- Usage data (logs, telemetry, device info)
- Payment metadata (no full card storage)
- Support tickets and communications
- Sensitive data only when uploaded by Customers under explicit consent or lawful basis
7. HOW WE COLLECT DATA
- Direct input by user
- Customer organisation provisioning
- Automatic logs, cookies, SDKs
- Integrated third-party systems
8. PURPOSES & LEGAL BASES (GDPR ART. 6)
Contract: service delivery, authentication, access control
Legitimate Interests: security, fraud prevention, analytics (balanced tests applied)
Consent: marketing, non-essential cookies, sensitive data
Legal Obligations: tax, accounting, regulatory reporting
A full mapping table is included below:
Purpose | Data Categories | Legal Basis
Service delivery | Account, workflow, device data | Contract
Security/fraud detection | Logs, metadata | Legitimate interests
Marketing | Email/contact | Consent
Analytics | Usage, telemetry | Legitimate interests / Consent (EU/UK)
9. SPECIAL / SENSITIVE DATA (GDPR ART. 9, PIPL ART. 28)
Cushi does not intentionally collect special category data except when provided by Customers who have obtained:
- explicit consent (GDPR)
- separate consent (PIPL)
- valid lawful basis (LGPD)
Sensitive data is prohibited unless the Customer demonstrates compliance.
10. AUTOMATED DECISION-MAKING (GDPR ART. 22)
Cushi does not engage in automated decision-making that produces legal or significant effects. AI outputs support users but do not replace human judgement.
11. COOKIES & TRACKING TECHNOLOGIES
Used for authentication, analytics, performance, and security.
See Cookie Notice and Cookie Preferences Policy for:
- legal bases
- retention
- provider table
- Do Not Sell/Share mechanisms (CPRA)
- GPC honouring
12. SHARING PERSONAL DATA
Shared with:
- Customer administrators
- Subprocessors under GDPR‑equivalent safeguards
- Professional advisers
- Regulators when required
- Business transfer entities (with equivalent protections)
We do not “sell” or “share” Personal Data for targeted advertising without required consent.
13. INTERNATIONAL TRANSFERS
Data may be transferred to Australia, EU/UK, US, Singapore, LATAM, and other regions using:
- SCCs
- UK Addendum
- Adequacy decisions
- PIPL additional safeguards
- Supplemental technical measures
14. DATA RETENTION
Data is retained for:
- service delivery
- legal compliance
- dispute resolution
- security auditing
Customer Data (Processor role) follows Customer-defined retention instructions.
A full retention schedule is available upon request.
15. SECURITY MEASURES
- Encryption at rest and in transit
- RBAC & MFA
- Secure SDLC
- Logging & monitoring
- Vulnerability management
- Regular reviews and testing
- Breach notifications per APPs, GDPR, CPRA, PIPL
16. PRIVACY RIGHTS
Individuals may exercise rights:
- Access
- Correction
- Deletion
- Restriction
- Portability
- Objection
- Withdraw consent
Complaints can be made to:
OAIC (AU) – https://www.oaic.gov.au
ICO (UK) – https://ico.org.uk
EDPB (EU) – https://edpb.europa.eu
CPPA (California) – https://cppa.ca.gov
PIPL regulators – via CAC channels
LATAM DPAs as relevant
17. CHILDREN’S PRIVACY
Regional age thresholds:
- COPPA (US): under 13
- GDPR-K (EU/UK): under 16 (member-state variation)
- PIPL (China): under 14
Parental/guardian authorisation is required where relevant.
18. MARKETING COMMUNICATIONS
Service-essential emails cannot be opted out of.
Marketing is opt‑in (EU/UK/China) or opt‑out (US/AU) depending on jurisdiction.
19. THIRD-PARTY LINKS
Third-party services are not governed by this Policy. Review their privacy notices independently.
20. CHANGES TO THIS POLICY
Material changes are communicated by email or platform notifications.
ANNEX A – DEFINITIONS
Includes definitions for Personal Data, Processing, Controller, Processor, Customer, Subprocessor, Learner/Member.
VERSION CONTROL & GOVERNANCE
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app.
Part of the Strategic Global Holdings Pty Ltd Group (ACN 693 256 503). All rights reserved.
Privacy: privacy@cushi.ai | Security: security@cushi.ai | Support: support@cushi.ai