Privacy Policy
How we collect, use, and protect your information.
Last updated: June 2025
1. Introduction
Praxiss ("we", "us", "our") is an Australia-based company that operates the Praxiss platform - a business-to-business (B2B) software-as-a-service application for continuous employee feedback, performance reviews, pulse checks, peer recognition, and strengths assessments.
This Privacy Policy explains how we collect, use, store, and protect personal information when you use our platform at praxiss.io and app.praxiss.io. It applies to all users of the Praxiss platform, including organisation administrators and their employees.
We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and - where applicable - the European Union General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Account & Profile Information
When an organisation subscribes to Praxiss and provisions user accounts, we collect the following personal information:
- Full name
- Email address
- Job title and department (if provided by the organisation)
- Profile photo (if uploaded)
2.2 Platform Usage Data
As users interact with the Praxiss platform, the following data may be collected:
- Feedback responses (360° reviews, performance reviews, upward feedback)
- Pulse check mood responses
- Peer recognition messages
- Strengths assessment data
- Performance review content and ratings
This data is provided by users in the normal course of using the platform and is owned by the subscribing organisation.
2.3 Authentication Data
When users log in, we process authentication tokens and session identifiers. Where Single Sign-On (SSO) is used, authentication is handled by the organisation's identity provider (Google Workspace, Microsoft Entra ID, or Okta). We receive only the information necessary to identify the user - typically name, email, and a unique identifier.
2.4 Technical Data
We automatically collect limited technical data to ensure service reliability and security:
- IP address (for security monitoring and rate limiting)
- Browser type and version
- Device type
- Server access logs (retained for a limited period)
3. How We Use Your Information
We use personal information to:
- Provide and operate the Praxiss platform
- Authenticate users and manage sessions
- Deliver feedback cycles, pulse checks, recognition, and performance reviews as configured by the organisation
- Send transactional emails (e.g., review invitations, notifications)
- Monitor for security threats and prevent abuse
- Provide customer support
- Improve the platform (in aggregate, de-identified form only)
We do not use personal information for advertising, profiling, or any purpose unrelated to operating the Praxiss platform.
4. AI Processing & Bring Your Own Key (BYOK)
Praxiss offers AI-native features such as review summarisation and feedback analysis. These features operate under a Bring Your Own Key (BYOK) model:
- Each organisation provides its own API key for its chosen AI provider (OpenAI, Anthropic, or Google Gemini).
- When AI features are used, data is sent directly from the Praxiss platform to the organisation's configured AI provider using the organisation's own API key.
- Praxiss does not store, cache, or retain any data sent to or received from AI providers.
- The organisation's relationship with its AI provider is governed by that provider's own terms of service and privacy policy.
- Organisations that do not configure an AI key will not have AI features enabled - no data will be sent to any AI provider.
This architecture ensures that organisations retain full control over their AI data processing and can select a provider that meets their own compliance requirements.
5. Data Storage & Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption at rest: Sensitive data is encrypted using AES-256-GCM.
- Encryption in transit: All connections use TLS encryption. HSTS is enforced across all domains.
- Multi-tenant isolation: Each organisation's data is stored in a logically isolated database. A separate master database manages tenant routing. Data is never co-mingled between organisations.
- Infrastructure: Praxiss is hosted on Amazon Web Services (AWS), benefiting from AWS's SOC-certified data centres, physical security, and compliance programs.
- Access controls: Strict role-based access controls with 16 granular permission flags. API endpoints are validated, rate-limited, and protected by security headers.
- Authentication: JWT tokens with short expiry, refresh token rotation, and support for SSO-enforced login.
6. Data Sharing & Sub-processors
We do not sell, trade, or rent personal information to third parties. We share data only with the following categories of sub-processors, solely to operate the platform:
- Amazon Web Services (AWS) - Cloud infrastructure and hosting.
- Resend - Transactional email delivery (e.g., review invitations, notifications).
- Organisation's chosen AI provider - Only when BYOK is configured, and only for AI feature requests initiated by the organisation.
Each sub-processor is bound by contractual obligations to protect the data it processes. We do not share personal information with any other third parties unless required by law.
7. Cookies
Praxiss uses a minimal set of cookies, strictly necessary for the operation of the platform:
- Session cookies: Used to maintain your authenticated session. These expire when you log out or after a defined period of inactivity.
- CSRF tokens: Used to protect against cross-site request forgery attacks.
We do not use advertising cookies, tracking cookies, or any third-party analytics cookies. We do not participate in ad networks or cross-site tracking.
8. Data Retention
Data retention periods are controlled by the subscribing organisation. Organisation administrators can configure retention settings within the platform.
When an organisation terminates its subscription, all associated data - including user accounts, feedback responses, reviews, and recognition messages - will be permanently deleted within 30 days of the termination date, unless a longer retention period is required by applicable law.
Server access logs and security logs are retained for a maximum of 90 days for security monitoring purposes.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
Under the Australian Privacy Act
- Access your personal information held by us
- Request correction of inaccurate or outdated information
- Make a complaint about our handling of your information
Under the GDPR (EU/EEA residents)
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / right to be forgotten (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
Because Praxiss operates as a data processor on behalf of subscribing organisations, requests related to platform usage data should generally be directed to your employer (the data controller). We will assist the organisation in fulfilling such requests.
For requests related to your Praxiss account itself, or to exercise any of the rights listed above, please contact us at hello@praxiss.io.
10. Right to Deletion
You may request the deletion of your personal information at any time. Upon receiving a valid deletion request:
- We will verify the request and confirm the scope of deletion with the subscribing organisation.
- Personal information will be permanently removed from our active systems within 30 days.
- Information may persist in encrypted backups for a limited period (up to 90 days) before being automatically purged.
- We will confirm deletion to the requester once complete.
11. International Data Transfers
Praxiss is based in Australia and our primary infrastructure is hosted on AWS. Data may be stored or processed in regions where AWS operates.
Where personal information is transferred outside of Australia or the EU/EEA, we ensure appropriate safeguards are in place, including reliance on AWS's compliance certifications and, where applicable, Standard Contractual Clauses (SCCs) as approved by the European Commission.
12. Children's Privacy
Praxiss is a business-to-business platform designed for use by organisations and their employees. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child's information has been collected, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify subscribing organisations via email and update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about how we handle personal information, please contact us:
Praxiss
Email: hello@praxiss.io
Australia
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).