🏢 Who We Are
The VDI Developmental Lab is operated by the Vertical Development Institute (VDI), an Australia-based organisation. This policy applies to all users, including adult professionals and young people aged 13 - 18 using the Young Minds Lab.
📝 What We Collect
What we collect depends on how you access the Lab:
Access code users (corporate programs)
- No personal information is collected. Your conversations are associated with the code, not a named identity.
Email account users
- Email address and a securely hashed password. If you sign up via a trial, we also store a verification token until your email is confirmed.
Google sign-in users
- Email address, name, and Google user ID, received from Google's identity service. Google sign-in is only available for existing accounts.
All users
- Conversations - stored encrypted so you can return to them. VDI does not have routine access to your conversation content.
- Usage data - the computational cost of your AI interactions (for fair-use limits), linked to your account but containing no conversation content.
- Session information - a session record is created on sign-in for session management. Records are deleted on sign-out or account deletion.
- Uploaded files - processed in memory and deleted immediately after text extraction. No copies are retained on our servers.
Young Minds Lab users (ages 13 - 18)
- Saved reflections - journal entries you choose to save, encrypted at rest.
- Developmental observations - thematic summaries of patterns across developmental domains. These are not transcripts of what you said.
- Safety classifications - an automated safety system evaluates the AI's responses (not your messages) and stores a classification. Your messages are never included in safety reviews.
We do not use your data for advertising, profiling, or marketing. We do not sell your data.
🔐 Data Encryption
All data is protected both in transit and at rest:
- In transit: All connections are encrypted via HTTPS with strict transport security enforced. Unencrypted requests are automatically redirected.
- At rest: Conversation content and saved reflections are encrypted using industry-standard authenticated encryption. Each message is encrypted individually. Encryption keys are stored securely and separated from the data.
- Backups: Database backups are encrypted and retained on a rolling schedule.
🤖 AI Privacy
We use Anthropic's Claude API for AI-powered coaching and mentoring. Your data is protected under Anthropic's API terms of service:
- Conversations are not used to train AI models.
- Uploaded transcripts are processed in memory only and deleted immediately after analysis. No copies are retained on our servers.
- Each conversation is processed independently and is never shared across conversations or users.
- No personal identifiers (email, name) are included in AI processing requests. Only conversation content and system instructions are sent.
🔑 Access Control
Individual accounts (email & password)
- Passwords are protected using industry-standard hashing - passwords are never stored in plain text.
- Account lockout: Accounts are temporarily locked after repeated failed login attempts.
- Rate limiting: Login endpoints are protected against automated attacks.
- Google SSO is available as an alternative to password-based authentication.
- Users can change their password at any time. Secure password recovery is available via email.
Corporate program access (code-based)
- Each code grants access to a specific participant for a defined program and duration.
- Logging in with a code invalidates any previous active sessions for that code.
- Codes can be set to auto-expire on a specific date.
- Participants can only access the sandbox modes assigned to their program.
Administrative access
- Administrator accounts are isolated from user accounts by design, preventing privilege escalation.
- Multi-factor authentication is available for administrative access.
All access types
- Sessions expire automatically and can be revoked immediately when a user logs out or access is removed.
🛡️ Application Security
- Input validation: All user inputs are validated and sanitised server-side.
- Rate limiting: Tiered rate limits protect all endpoints, with stricter limits on sensitive operations.
- Security headers: Content security policies, strict transport security, and other browser protections are enforced to prevent common web attacks.
- Error handling: Only generic error messages are returned to clients. Detailed errors are logged server-side with automatic redaction of sensitive information.
- Bot and abuse prevention: Multi-layered defences protect registration and authentication endpoints against automated attacks.
🧠 Young Minds Lab Safeguards
The Young Minds Lab is designed for users aged 13 - 18 and includes additional protections:
- Parental awareness: The Terms of Use require that a parent or guardian has read and accepted the terms before a young person uses the Lab.
- Content moderation: An independent automated safety system evaluates every AI response. This system reads only the AI's output, not the user's messages, and operates without access to conversation context.
- Crisis resources: The AI provides Australian helpline numbers (Kids Helpline, Lifeline, headspace) when conversations indicate distress. Crisis alerts are sent to VDI staff.
- Anti-dependency monitoring: Automated monitoring tracks patterns that could indicate over-reliance on the AI, with tiered responses.
- Minimal data collection: Access code users provide no personal information. Developmental observations store thematic patterns, not conversation transcripts.
🗓️ Data Retention
| Data Type | Retention Period |
| Conversations and messages | Until you delete them, your account is deleted, or your access expires and the configured retention period ends |
| Account data (email, name) | Until account deletion |
| Free trial accounts | 21 days from trial start, then access revoked |
| Access code data | Configurable per program; automatic cleanup after expiry plus retention period |
| Uploaded transcript files | Zero retention - processed in memory, deleted immediately |
| Database backups | Rolling retention window; encrypted |
Administrators can manually delete all data for a specific program at any time. Participants can delete individual conversations from within the app.
🍪 Cookie & Storage Policy
We use only essential browser storage required for the platform to function - no tracking, no analytics, no third-party cookies.
- One session cookie is set on login and cleared on logout. It contains no personal data and is used solely for authentication. It is secured with industry-standard browser protections (not accessible to scripts, not sent with cross-site requests, HTTPS-only in production).
- A small amount of local browser storage is used to maintain your session and display preferences. All local data is cleared when you sign out.
We do not use any advertising, analytics, social media, or third-party tracking cookies. No data is shared with ad networks or data brokers. Because we use only strictly necessary cookies, no cookie consent banner is legally required under the GDPR/ePrivacy Directive.
👤 Your Data Rights
You have full control over your personal data:
- Access & export: You can download all your data (account details, conversations, messages) as a file from the account menu in the app.
- Erasure: You can permanently delete your account and all associated data from the account menu. This removes your account, all conversations, usage data, developmental profiles, saved reflections, and subscription records. This action is immediate and irreversible.
- Correction: You can update your password from within the app at any time. To update other account details, contact us.
- Delete individual conversations at any time from the sidebar.
- Request deletion - if you accessed the Lab via an access code, contact us or the person who provided the code.
- Data minimisation: We collect only the minimum data needed to provide the service.
These rights apply to all users regardless of location. For users in the EU/UK, these rights are aligned with GDPR Articles 15 - 20. For any data request, contact us.
🔗 Third-Party Services
We use a small number of trusted third-party services to deliver the platform:
| Service | Purpose | Data Processed | Location |
| Anthropic | AI inference | Conversation messages and system prompts. No personal identifiers sent. | United States |
| Hosting provider | Application and database hosting | All application data (encrypted at rest) | European Union |
| Payment provider | Subscription and payment processing | Email, billing address, payment method. VDI does not store card numbers. | United States |
| Google | Identity verification (sign-in) | Token verification only. VDI sends no user data to Google. | United States |
| Email provider | Transactional email delivery | Recipient email, email content (verification links, notifications). No conversation data. | United States |
For enterprise clients requiring a detailed sub-processor list or a formal Data Processing Agreement (DPA), contact us.
🌍 International Data Transfers
VDI is based in Australia. Our application and database are hosted in the European Union. Your data at rest - conversations, account information, developmental profiles, and encrypted backups - is stored in the EU.
Some data is transferred outside the EU for processing:
- AI inference: Conversation content is sent to Anthropic (United States) for processing. No personal identifiers are included, and content is not retained for model training.
- Payment processing: Billing data is processed by our PCI DSS Level 1 compliant payment provider (United States). VDI does not store card numbers.
- Email delivery: Transactional emails are routed through a US-based provider.
For users in Australia, cross-border transfers are governed by Australian Privacy Principle 8. VDI takes reasonable steps to ensure that overseas recipients handle personal information in accordance with the Australian Privacy Principles.
☁️ Infrastructure
- Hosted on a managed cloud platform in the European Union.
- All connections are encrypted with automatic certificate management.
- Regular encrypted backups with automated recovery capabilities.
📋 Audit Trail
- Administrative actions are logged for accountability and compliance.
- Audit logs are retained independently of conversation data and contain no personal information.
⚖️ When We May Disclose Your Information
We may disclose your information if required by law or if we have a good-faith belief that disclosure is necessary to comply with a legal obligation, protect VDI's rights, or protect the safety of any person. We will notify affected users before disclosure where legally permitted.
We do not disclose your information to third parties for commercial purposes.
📊 Compliance
- Data handling complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
- The platform implements measures aligned with the EU General Data Protection Regulation (GDPR).
- If you believe your privacy has been breached, you may lodge a complaint with the Office of the Australian Information Commissioner.
🔄 Changes to This Policy
We may update this policy to reflect changes in our practices, legal requirements, or the services we offer. When we make significant changes, we will update the "Last updated" date below and notify users as appropriate.