Privacy Policy
Last updated: 26 March 2026
1. Introduction
Dynamic Consultancy Pty Ltd (ABN 19 167 039 250) ("we", "us") operates WIDEN Law (widenlaw.com.au). This policy explains how we collect, use and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
2. Information We Collect
- Account information: name, email address, password (hashed), company or firm name
- Usage data: legal research queries, answers received, project names
- Technical data: IP address, browser type, device information, session data
- Payment data: processed by Stripe — we do not store your credit card details
3. How We Use Your Information
- Provide the WIDEN Law service
- Process your legal research queries via Anthropic's Claude AI
- Manage your subscription and billing
- Send service-related communications
- Improve our product
4. Third Party Services
- Anthropic (Claude API): processes AI-powered features including Quick Ask, Deep Research, IRAC Analysis, Precedent Finder, and Client Intake summaries. See section 5A below for detailed cross-border disclosure.
- Stripe: processes payments. We do not store credit card details.
- Railway: hosts our application infrastructure. Server location is determined by Railway's infrastructure and may not be in Australia.
5. Data Storage & Security
- Account data stored on encrypted servers
- Passwords hashed using bcrypt
- Sessions encrypted
- We use industry-standard security measures
5A. AI Processing and Cross-Border Data Transfer
WIDEN Law uses Anthropic's Claude AI to power its research, intake summary, and analysis features. When you submit information through any AI-powered feature — including Quick Ask, IRAC Analysis, Precedent Finder, and Client Intake — that information is transmitted to Anthropic, PBC, a United States-based company, for processing.
This includes:
- Questions and prompts submitted through any AI feature
- Client intake responses submitted through intake portals you create
- Any documents or text pasted into the platform for AI processing
Anthropic processes this data on servers located in the United States. We do not guarantee that all processing occurs within Australia. By using AI features, you consent to this cross-border disclosure under Australian Privacy Principle 8.
Anthropic's data handling: Anthropic does not use API data submitted through commercial accounts to train its models by default. For Anthropic's privacy policy and data handling commitments, see anthropic.com/legal/privacy.
Account data (subscription details, login, billing) is stored on Railway infrastructure used by WIDEN Law. Railway server location is determined by Railway's infrastructure and may not be in Australia.
IMPORTANT FOR LEGAL PRACTITIONERS: Information you submit through AI features may include details of client matters. Sending client communications or instructions to a third-party AI processor may have implications for legal professional privilege. You are responsible for assessing whether to submit any particular information and for obtaining any necessary client consent before doing so.
6. Your Rights
You have the right to:
- Access your personal information
- Request correction of inaccurate data
- Request deletion of your account and data
- Withdraw consent for marketing
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
7. Cookies
We use session cookies for authentication. We do not use third-party tracking cookies.
8. Data Retention
Queries are retained while your account is active. Data is deleted within 30 days of an account deletion request.
8A. Uploaded Documents and Photos
WIDEN Law allows operators on Centre and Group plans to upload documents (policies, procedures, QIPs) and photos (premises, equipment, signage) for compliance research. The following applies to every upload:
- Encrypted at rest: Every uploaded file is encrypted with AES-256-GCM the moment it reaches our server. The encryption key lives in environment configuration that is separate from the database. Unencrypted file contents are never written to disk.
- Used only to produce your analysis: The file is read once, used to generate the gap-analysis output (which we send back to you and persist to your account history for audit), and never used to train any model.
- Auto-deleted after 30 days: A scheduled job removes the encrypted file from disk 30 days after upload. The analysis text and metadata (filename, file size, hash, and which citations were used) are kept as an audit record, but the source file itself is gone.
- You can delete sooner: Contact us to delete any upload immediately, before the 30-day window. Email keshab@widenlaw.com.au with the upload ID.
8B. Photos of Children — Automatic Refusal
WIDEN Law processes premises and equipment photos only. Every uploaded photo passes through an automatic classifier that checks for depictions of children before any compliance analysis runs.
- Hard refusal: If the classifier detects any children's faces, bodies, or identifying features (including from behind, at distance, or in displayed photos and artworks), the upload is refused. The encrypted file is still subject to the 30-day auto-delete; the analysis step is skipped.
- Conservative bias: The classifier errs on the side of refusal. If it is uncertain whether children are present, it refuses. False refusals are expected; false acceptances are not.
- Why: Storing or processing identifiable children's images creates Privacy Act 1988 and state-regulator exposure for both your centre and us, even with consent collected at the centre level. We cannot verify consent and therefore decline to process those images at all. Re-take the photo with children out of frame.
8C. AI Output and Compliance Certification
WIDEN Law is a research assistant, not a compliance certifier. Its outputs surface what the National Quality Framework, Education and Care Services National Law, and Education and Care Services National Regulations say about a topic, with inline citations to the source. They are not:
- A formal compliance assessment
- Legal advice or migration advice
- A substitute for a site visit by a qualified compliance professional
- A defence against regulator action
You and your compliance lead remain responsible for interpretation and decisions.
9. Changes
We may update this policy from time to time. Changes will be posted on this page.
10. Contact
If you have questions about this privacy policy, contact us at keshab@widenlaw.com.au.