Privacy Policy

1. Who we are and how to contact us

Controller / APP entity

For the purposes of the Privacy Act and APPs, Youe Labs is an APP entity and is responsible for your personal information. For the purposes of the GDPR/UK GDPR, where it applies, Youe Labs is the data controller of your personal data.

Contact details

If you have any questions about this Privacy Policy or our handling of your personal information, you can contact us at:

Where required under the GDPR/UK GDPR, we may appoint a representative in the EU/EEA or the UK. If we do so, we will publish the representative's contact details in an updated version of this Privacy Policy and/or on our website.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal information we collect in connection with:

• your use of youl (web, mobile, integrations and other interfaces);
• your communications and interactions with us (online or offline); and
• our marketing, events, research and business operations.

It does not apply to third‑party websites, apps or services that are linked to or integrated with youl. Those services are governed by their own privacy policies, and we are not responsible for their privacy practices.

3. Key concepts

3.1 Personal information / personal data

In this Privacy Policy:

• “personal information” has the meaning given in the Privacy Act, and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not.
• “personal data” has the meaning given in the GDPR/UK GDPR and includes any information relating to an identified or identifiable natural person.

For simplicity, we refer to both as personal information in this Privacy Policy.

3.2 Sensitive information / special category data

Sensitive information is a subset of personal information that receives higher protection under the Privacy Act, and includes information such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal history and certain biometric information. Under the GDPR/UK GDPR, similar concepts are referred to as special category data.

We do not intentionally seek to collect sensitive information / special category data through youl. If you choose to provide such information (for example, in a free‑text field, support request or user‑generated content), we will handle it in accordance with this Privacy Policy and applicable law, and we may ask you not to provide such information unless it is strictly necessary.

4. The information we collect

The types of personal information we collect about you depend on how you use the Services and interact with us. They may include:

4.1 Identity and contact data

• name and contact details (email address, phone number, postal address);
• username, profile photo, handle or display name;
• country or region and time zone.

4.2 Account and profile data

• account login details (such as username and hashed password);
• organisation name, job title, industry, and seniority;
• learning preferences, goals and interests (e.g. “I want to learn prompt engineering for marketing”).

4.3 Learning and usage data

Because youl is a micro‑learning platform, we collect and generate data about how you learn and use AI, including:

• which modules, lessons or paths you enrol in, start, complete or drop;
• your responses to quizzes, assessments, exercises and reflections;
• prompts, questions or instructions you type into our AI features;
• your interactions with our AI‑powered coach or other AI tools;
• progress metrics (time spent, completion rates, scores) and learning streaks;
• feedback you give on lessons, AI responses and the platform.

Where this information is linked to you or your device, we treat it as personal information.

4.4 Transaction and payment data

• billing address and transaction history;
• partial payment card details (processed via PCI‑compliant payment providers);
• information required to process refunds or credits.

We do not store your full card number or CVV; those are handled by our payment processors.

4.5 Support, communications and marketing data

• records of emails, chat messages and other communications with us;
• responses to surveys, feedback forms, contests, beta programs or promotions;
• your marketing preferences and opt‑in/opt‑out choices.

4.6 Technical and usage data

When you access our websites, apps or Services, we automatically collect:

• device information (device type, operating system, browser type and version);
• IP address, time zone, and approximate location based on IP;
• log information (pages viewed, links clicked, features used, session duration, crash reports);
• cookie IDs, advertising identifiers (where applicable) and similar tracking identifiers.

We may collect this information using cookies, pixels, SDKs, server logs and similar technologies (see Section 11 – Cookies and analytics).

4.7 Single sign‑on (SSO) and third‑party accounts

If you choose to sign up or log in using a third‑party account (e.g. Google, Apple, LinkedIn or similar), we may receive:

• your name, email address and profile photo;
• your unique identifier with that provider;
• any other information you authorise that provider to share with us.

We use this information to create and manage your youl account.

4.8 Information we receive from others

We may receive personal information about you from:

• your employer or organisation, if they provide youl to you as part of a corporate or education program;
• third‑party partners who help us onboard, support or integrate youl into your tools;
• publicly available sources (for example, LinkedIn) where relevant to delivering our Services.

5. How we collect personal information

We collect personal information in the following ways:

• Directly from you – when you register, complete forms, answer questions, upload content, interact with our AI features, contact support, participate in surveys or events, or otherwise communicate with us.
• Automatically – when you use the Services, through cookies, pixels, SDKs, analytics tools and similar technologies.
• From third parties – including SSO providers, payment processors, analytics providers, marketing partners, and your employer or organisation (where they provide youl to you).
• From publicly available sources – where permitted by law, for example to enrich your profile or verify professional information relevant to our Services.

If you provide personal information about someone else, you must ensure that you have their permission to do so and that they are aware of this Privacy Policy.

6. Why we collect, use and disclose personal information (purposes and lawful bases)

6.1 Australian law (APPs)

Under the APPs, we collect, hold, use and disclose personal information for purposes that are reasonably necessary for, or directly related to, our functions and activities, and as otherwise permitted or required by law.

6.2 GDPR/UK GDPR lawful bases

Where the GDPR/UK GDPR applies, we rely on one or more of the following lawful bases to process your personal information:

• Performance of a contract – to create and manage your account and provide the Services you have requested.
• Legitimate interests – to operate, improve and secure our Services, communicate with you, and run a sustainable business, where these interests are not overridden by your rights and interests.
• Consent – for certain optional activities such as some marketing, non‑essential cookies, and processing of sensitive information where applicable.
• Compliance with legal obligations – to comply with tax, accounting, regulatory and other legal obligations.
• Establishment, exercise or defence of legal claims – in connection with disputes, investigations or litigation.

6.3 Purposes of processing

We use your personal information for the following purposes:

1. Providing and operating the Services
   • to register you as a user and create your account;
   • to deliver micro‑learning content, AI‑powered coaching and other features;
   • to personalise content, difficulty and recommendations to your level, interests and goals;
   • to provide integrations or SSO as requested.
2. Improving and developing the Services
   • to understand how users engage with lessons, AI tools and features;
   • to test and roll out new features, content formats and AI capabilities;
   • to perform analytics and research on learning patterns and outcomes (often in de‑identified or aggregated form).
3. Communicating with you
   • to send service‑related messages (onboarding, updates, security alerts, changes to terms or policies);
   • to respond to your enquiries, support requests and feedback.
4. Marketing and promotions
   • to send you updates, news, events, offers or content we think may interest you, consistent with your preferences;
   • to run surveys, beta programs, promotions and referral programs.
5. Security, fraud prevention and compliance
   • to monitor suspicious activity and protect the security of accounts, systems and data;
   • to enforce our terms of use and other agreements;
   • to comply with legal and regulatory obligations and respond to lawful requests by public authorities.
6. Business operations
   • to manage billing, accounting and financial reporting;
   • to manage vendor, partner and customer relationships;
   • in connection with corporate transactions (e.g. merger, acquisition, restructuring).

Where we rely on consent, you can withdraw your consent at any time (see Section 10 – Your rights and choices). Withdrawal of consent will not affect the lawfulness of processing carried out before you withdrew consent.

7. Direct marketing and your choices

We may use your personal information to send you emails or in‑product messages about:

• new and updated youl features;
• learning content and events;
• surveys, promotions and beta programs;
• news and insights about learning and applying AI.

You can opt out of marketing communications at any time by:

• clicking the “unsubscribe” link in any marketing email; or
• contacting us using the details in Section 1.

We may still send you service‑related communications (e.g. security alerts, important changes, transactional emails) even if you opt out of marketing.

8. Use of Artificial Intelligence (AI) and automated decision‑making

8.1 Overview

We use artificial intelligence and machine learning technologies (AI Technologies) to power parts of youl, including personalised learning, AI coaching and other features. We use AI in ways that are consistent with the APPs and GDPR/UK GDPR principles of fairness, transparency, data minimisation and accountability.

8.2 How we use AI

We may use AI Technologies to:

• analyse learning behaviour to personalise lesson recommendations, difficulty and pacing;
• generate explanations, examples, suggestions and practice scenarios;
• provide an AI‑powered coach to answer questions and help you apply AI tools;
• detect and prevent abuse, spam, fraud or misuse;
• generate or assist with content (for example, prompts, templates or coding examples);
• improve our Services and AI models over time.

We may use third‑party AI providers (for example, infrastructure, large language models or analytics providers) under contract, subject to confidentiality and data protection obligations.

8.3 Training and model use

We treat AI outputs and inferences about you as personal information where they relate to an identified or identifiable individual.

• We do not allow third‑party AI providers to use your personal information to train or improve their general‑purpose foundation models in a way that would make your information available to other customers, unless we have a lawful basis and have clearly informed you and obtained consent where required.
• We may use de‑identified or aggregated data derived from your use of the Services (for example, statistics about lesson completion or generic prompt patterns) to improve our models and Services.

8.4 Human oversight and fairness

Where AI is involved in making recommendations or taking actions that could significantly affect you (for example, assessing your proficiency level), we aim to:

• maintain human oversight over important decisions;
• validate AI outputs for quality and consistency;
• regularly review models to identify and mitigate bias, errors or unfair impacts.

We currently do not use AI for fully automated decisions that produce legal effects or similarly significant effects about you. If we introduce such functionality, we will inform affected users and describe the safeguards and your rights (including the right to obtain human review) in an updated version of this Privacy Policy.

9. Disclosures of personal information

We may disclose your personal information (excluding sensitive information, unless we have your consent or are permitted by law) to the following categories of recipients:

• Our personnel – employees, contractors and related entities who need access to do their jobs and are bound by confidentiality obligations.
• Service providers (processors) – including hosting providers, infrastructure, analytics, AI providers, customer support tools, email and SMS providers, payment processors, identity verification providers, marketing and advertising providers.
• Business partners and resellers – where they help us deliver or support youl (for example, if your company purchases youl for you).
• Professional advisers – lawyers, accountants, insurers, auditors and bankers.
• Corporate transactions – actual or potential buyers, investors and their professional advisers in connection with any merger, acquisition, financing or sale of all or part of our business or assets (subject to confidentiality).
• Regulators, law enforcement and courts – where required or authorised by law, or to establish, exercise or defend legal rights.
• Other third parties – where you have specifically requested or consented to the disclosure.

Where we disclose sensitive information, we will do so with your consent or as otherwise permitted or required by law.

10. Overseas disclosures and international data transfers

We are based in Australia and store personal information primarily in Australia. Some of our service providers and partners may be located in, or store or access personal information from, other countries (including the EU/EEA, the UK, the United States and other jurisdictions).

10.1 Compliance with Australian law (APP 8)

Before disclosing personal information overseas, we take reasonable steps to ensure that the recipient will handle the information in a manner consistent with the APPs, for example by:

• using contractual clauses that impose privacy and security obligations;
• selecting reputable providers with appropriate certifications and controls;
• limiting the information disclosed to what is necessary.

10.2 International transfers under the GDPR/UK GDPR

Where we transfer personal data from the EU/EEA or the UK to a country outside those regions, we rely on:

• an adequacy decision by the European Commission or UK Government (where applicable); or
• standard contractual clauses or equivalent safeguards; or
• another lawful transfer mechanism under Articles 45–49 of the GDPR/UK GDPR.

You can contact us (see Section 1) if you have questions about the safeguards we use for international transfers relevant to you.

11. Data retention

We retain personal information only for as long as reasonably necessary to:

• provide the Services to you or your organisation;
• fulfil the purposes set out in this Privacy Policy;
• comply with legal, tax, accounting or reporting obligations;
• resolve disputes and enforce our agreements.

When we no longer need personal information for these purposes, we will take reasonable steps to de‑identify or securely destroy it, unless we are required by law to keep it for a longer period.

Criteria we use to determine retention periods include:

• the nature of the information;
• legal and regulatory requirements;
• the risk of harm from unauthorised use or disclosure;
• whether the information is needed to maintain accurate business and financial records.

12. Cookies and analytics

We use cookies, tracking pixels and similar technologies to operate and improve the Services, perform analytics and support our marketing efforts.

12.1 What are cookies and similar technologies?

• Cookies are small text files stored on your browser or device by a website.
• Tracking pixels are small code snippets or images embedded in web pages or emails.
• SDKs and similar tools may be embedded in mobile apps to collect usage data.

These technologies allow us and our partners to:

• remember your preferences and settings;
• keep you logged in between sessions;
• understand how users navigate and use youl;
• measure the performance of content and campaigns;
• show more relevant content or ads on other sites or platforms.

12.2 Types of cookies we use

• Strictly necessary cookies – required for core site and app functionality (e.g. authentication, security, network management). You cannot opt‑out of these in our systems.
• Analytics cookies – help us understand usage patterns and improve the Services.
• Functional cookies – remember your preferences (e.g. language, region).
• Marketing/advertising cookies – used by us and our partners to deliver, measure and improve advertising.

Where required by law (for example in the EU/EEA and UK), we will obtain your consent before placing non‑essential cookies or similar technologies, and you can withdraw your consent at any time through your cookie settings.

You can also adjust your browser settings to block or delete cookies, though this may affect your ability to use some parts of the Services.

12.3 Third‑party analytics and advertising

We may use third‑party tools such as analytics, advertising and social media pixels to help us understand usage and reach users. These third parties may collect or receive information from our Services and use it to provide measurement services and targeted ads, subject to their own privacy policies.

You can often opt‑out of certain third‑party tracking via:

• the tools provided in our cookie banners or settings (where available);
• your browser or device settings;
• relevant third‑party opt‑out pages (e.g. Google, Meta, industry opt‑out tools).

13. Your rights and choices

You have a range of rights in relation to your personal information. The specific rights available to you depend on where you live and the laws that apply.

13.1 Rights under Australian law

Under the Privacy Act and APPs, you generally have the right to:

• Access – request access to personal information we hold about you.
• Correction – request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading.

If we refuse your request (for example, where we are legally permitted to do so), we will tell you why and how you can complain.

13.2 Rights under the GDPR/UK GDPR

Where the GDPR/UK GDPR applies (for example, if you are in the EU/EEA or UK), you may have the following rights in addition to the above:

• Right of access – to obtain confirmation of whether we process your personal data and, if so, access to that data and related information.
• Right to rectification – to have inaccurate or incomplete personal data corrected.
• Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
• Right to restriction of processing – to request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability – to receive personal data you provided to us in a structured, commonly used and machine‑readable format, and to request that we transmit it to another controller where technically feasible.
• Right to object – to object to processing based on our legitimate interests (including profiling) and to direct marketing, including any related profiling.
• Right not to be subject to certain automated decisions – to not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to certain exceptions.
• Right to withdraw consent – where processing is based on consent, you can withdraw that consent at any time.

You also have the right to lodge a complaint with your local data protection authority.

13.3 Exercising your rights

To exercise any of your rights, please contact us using the details in Section 1.

We may need to verify your identity before responding to your request, and in some cases we may charge a reasonable fee or refuse the request where permitted by law (for example, if a request is manifestly unfounded or excessive).

14. Anonymity and pseudonymity

Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym (for example, by browsing our website without logging in). However, if you choose not to identify yourself, we may not be able to provide you with some or all of the Services (for example, creating a youl account or tracking your learning progress).

15. Security of your personal information

We implement a range of technical and organisational measures designed to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure, in line with APP 11 and the security principles under the GDPR/UK GDPR.

These measures include, as appropriate:

• encryption in transit and at rest;
• access controls and authentication mechanisms;
• network and application security controls;
• regular security assessments and monitoring;
• staff training and policies on privacy and security.

Despite our efforts, no system or transmission over the internet is completely secure. You are responsible for maintaining the secrecy of your login credentials and for any activity on your account. If you believe your account has been compromised, you should contact us immediately.

Where required by law (for example, under Australia's Notifiable Data Breaches scheme or the GDPR/UK GDPR), we will assess any suspected data breach and, if necessary, notify affected individuals and relevant regulators.

16. Children and minors

The Services are intended for use by adults and older teenagers interested in learning and applying AI, and are not directed to children under 16 (or a lower age as permitted by local law).

We do not knowingly collect personal information from children under the relevant minimum age without appropriate parental or guardian consent. If we become aware that we have collected personal information from a child in violation of this policy or applicable law, we will take reasonable steps to delete that information.

If you believe we may have collected personal information from a child improperly, please contact us.

17. Third‑party links and services

The Services may contain links to, or integrations with, third‑party websites, apps, services or content (including AI tools, learning resources and community platforms). These third parties have their own privacy practices, which may differ from ours.

We do not control and are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with any personal information.

18. Personal information from single sign‑on and social accounts

If you connect your youl account to a social or SSO provider (e.g. Google, Apple, LinkedIn or similar), we will collect personal information from that provider in accordance with the permissions you grant them.

We may use this information to:

• create or update your youl profile;
• help you find and connect with colleagues or peers (where functionality exists);
• personalise your experience on youl.

Where you have connected via a social platform, you may be able to control or remove our access to your information via your settings with that provider.

19. Complaints and disputes

If you have a concern or complaint about how we have handled your personal information, please contact us first using the details in Section 1 and provide full details of your complaint.

We will investigate your complaint and respond in writing within a reasonable time, setting out the outcome of our investigation and any steps we will take in response.

If you are not satisfied with our response, you may have the right to lodge a complaint with:

• the Office of the Australian Information Commissioner (OAIC), if you are in Australia; or
• your local data protection authority in the EU/EEA or UK, if the GDPR/UK GDPR applies.

We will provide further details of relevant authorities on request.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors.

When we make material changes, we will:

• post the updated Privacy Policy on our website and in the Services; and
• update the “Last updated” date at the top of the policy; and
• where appropriate, notify you via email or in‑product notification.

Your continued use of the Services after any changes take effect will constitute your acknowledgement of the updated Privacy Policy.