Overview
Supersonic Agency ("Supersonic", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you visit our website, engage with us, or use our services.
This Policy applies to:
- Visitors to our website at supersonic.agency
- Prospective clients who submit enquiries or participate in our assessment tools
- Current and past clients engaging our AI automation and agency services
- Any individual whose personal data is processed by Supersonic in connection with service delivery
Short version: We collect only what we need. We don't sell your data. We don't use it to target you with ads. We use it to run our business and serve you better. You have rights over your information and we make them easy to exercise.
By using our website or engaging our services, you consent to the practices described in this Policy. If you do not agree with this Policy, please do not use our website or services.
Who We Are
Supersonic Agency is an AI automation and workflow consultancy. We design and deploy AI agents, workflow automations, CRM systems, conversational AI, and document intelligence solutions for businesses.
For the purposes of applicable data protection law, Supersonic Agency is the data controller in respect of personal information collected through our website and during the client engagement process. For personal data processed on behalf of our clients as part of service delivery, we act as a data processor.
To contact us about privacy matters: privacy@supersonic.agency
Information We Collect
We collect information in the following ways:
Information you provide directly:
| Type | Examples | How Collected |
|---|---|---|
| Identity & Contact | Name, email address, phone number, business name, job title | Contact forms, quiz submissions, email enquiries, onboarding |
| Business Information | Company size, industry, revenue range, current tools/stack | AI Readiness Quiz, discovery calls, proposal process |
| Communications | Emails, meeting notes, support queries, feedback | Direct communication with our team |
| Financial | Billing address, payment method details (handled by payment processor) | Invoice and payment processing (we do not store card details) |
| Client Data | Business data, customer records, operational data provided for service delivery | Shared by clients as part of project engagement |
Information collected automatically:
| Type | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, time on site, click paths, referring URL | Analytics, understanding how visitors use our site |
| Device & Technical | IP address, browser type, operating system, device type | Security, fraud prevention, site optimisation |
| Cookies & Tracking | Session cookies, analytics identifiers | Site functionality, analytics (see Cookies section) |
We do not knowingly collect personal information from individuals under the age of 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
How We Use Your Information
We use the information we collect for the following purposes:
- Providing our services — To deliver, operate, maintain, and improve the AI automation and workflow services you have engaged us for.
- Communication — To respond to enquiries, send project updates, provide support, and communicate with you about your engagement.
- Proposals and sales — To prepare tailored proposals, conduct discovery, and assess your business's AI readiness based on quiz responses or direct conversations.
- Billing and administration — To issue invoices, process payments, maintain accounts, and comply with financial record-keeping obligations.
- Legal compliance — To comply with applicable laws, regulations, court orders, and to protect our legal rights.
- Security — To detect and prevent fraud, abuse, and security incidents, and to protect the integrity of our systems and services.
- Improving our services — To analyse how clients and visitors interact with our website and services, and to develop better offerings.
- Marketing — With your consent, to send you content, case studies, and information about our services that may be relevant to your business.
We rely on the following legal bases for processing personal data (where applicable under GDPR or similar frameworks):
- Contract — Processing necessary to perform our contract with you (service delivery, billing)
- Legitimate Interests — Processing necessary for our legitimate business interests (security, fraud prevention, analytics, direct marketing to clients), where these are not overridden by your rights
- Consent — Where you have given clear, informed consent (e.g. email marketing to non-clients)
- Legal obligation — Where we are required to process data to comply with the law
How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Service providers and subprocessors — We share data with trusted third-party service providers who assist in operating our business (cloud hosting, email delivery, analytics, CRM, payment processing). These providers are contractually bound to handle data securely and only as instructed by us.
- AI and automation platforms — In delivering services, we may process data through platforms including OpenAI, Anthropic, Google Cloud, Make, n8n, and similar providers. These platforms have their own privacy policies and are chosen based on security and compliance standards.
- Professional advisors — With lawyers, accountants, and insurers in connection with professional services they provide to us, under binding confidentiality obligations.
- Legal requirements — When required by law, court order, or government authority; or when necessary to protect the rights, property, or safety of Supersonic, our clients, or the public.
- Business transfers — In connection with a merger, acquisition, or sale of substantially all of our assets, subject to the acquiring party agreeing to protect personal data in accordance with this Policy.
When we process client data through third-party AI platforms, we take steps to minimise the personal data shared and apply anonymisation where appropriate. Clients are responsible for reviewing the privacy policies of third-party platforms specified in their SOW.
Cookies & Tracking
Our website uses cookies and similar tracking technologies to improve your experience and understand how visitors use the site. Cookies are small data files stored on your device by your browser.
We use the following types of cookies:
| Category | Purpose | Required? |
|---|---|---|
| Essential | Required for the website to function correctly. These cannot be disabled. | Yes |
| Analytics | Helps us understand how visitors interact with our site (e.g. page views, sessions). We use privacy-first analytics tools that anonymise IP addresses and do not build individual user profiles. | No — consent required |
| Marketing | Used to track conversions and measure the effectiveness of our advertising. We do not currently use cross-site advertising cookies. | No — consent required |
You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when cookies are set. Note that disabling some cookies may affect website functionality.
Where required by applicable law (e.g. for visitors from the EU/UK), we will present a cookie consent banner before placing non-essential cookies.
Data Retention
We retain personal information only for as long as necessary to fulfil the purposes outlined in this Policy, or as required by law. Our general retention approach is:
| Data Category | Retention Period | Reason |
|---|---|---|
| Client project data and communications | 7 years after engagement ends | Legal and contractual record-keeping obligations |
| Financial and billing records | 7 years | Tax and accounting compliance (ATO requirements) |
| Prospect enquiries (non-converted) | 2 years from last contact | Legitimate interest in potential future engagement |
| Marketing consent records | Until consent withdrawn + 1 year | Proof of consent for marketing communications |
| Website analytics data | 26 months | Year-on-year trend analysis |
| Security and access logs | 12 months | Security monitoring and incident response |
When data is no longer required, we securely delete or anonymise it. Backups may retain data for a short additional period per our backup rotation schedules.
Data Security
We implement technical and organisational measures to protect your personal information against unauthorised access, loss, alteration, or disclosure. Our security practices include:
- Encryption — Data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted using AES-256 or equivalent standards.
- Access controls — We apply the principle of least privilege: employees and contractors access only the data they need for their specific role. Access to client data is role-based and logged.
- Vendor security — We evaluate the security practices of third-party service providers before engaging them, and require appropriate contractual protections.
- Incident response — We maintain procedures to detect, contain, and respond to data security incidents. Where required by applicable law, we will notify affected individuals and regulators of significant breaches within required timeframes.
- Employee training — Our team receives regular training on data protection and privacy obligations.
No method of transmission over the internet or electronic storage is 100% secure. While we take commercially reasonable steps to protect your information, we cannot guarantee absolute security. If you have reason to believe your information has been compromised, please contact us immediately.
International Data Transfers
Supersonic Agency is based in Australia. If you are located outside Australia, your personal data may be transferred to and processed in Australia and other countries where our service providers operate (including the United States, United Kingdom, and European Union).
Where personal data is transferred outside your country of residence, we take steps to ensure appropriate safeguards are in place, including:
- Transferring to countries recognised as providing adequate data protection by relevant authorities
- Using standard contractual clauses (SCCs) or equivalent mechanisms approved by relevant data protection authorities
- Ensuring service providers are certified under recognised privacy frameworks (e.g. EU-US Data Privacy Framework) where applicable
For clients subject to GDPR, we are happy to provide information about the specific transfer mechanisms and safeguards applicable to their data upon request.
Your Privacy Rights
Depending on your location and applicable law, you may have the following rights in relation to your personal data:
To exercise any of these rights, contact us at privacy@supersonic.agency. We will respond to all requests within 30 days. We may ask you to verify your identity before processing the request.
If you are based in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. If you are based in Australia, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
AI & Automated Processing
Supersonic builds and deploys AI systems as part of our services. We want to be transparent about how AI is used in connection with personal data:
- AI Readiness Quiz — The quiz on our website uses your responses to provide a personalised readiness assessment. This is an automated process, but recommendations are subsequently reviewed by our team before any outreach.
- Client service delivery — AI models may be used to process Client Data as part of service delivery (e.g. document extraction, conversation analysis). This processing is governed by the relevant SOW and any applicable DPA.
- Profiling — We do not use your personal data for automated decision-making that produces legal or significant effects without human review and, where required, your consent.
- AI model training — We do not use personal data collected through our website for training AI models without explicit consent. Client Data used in bespoke model training is governed by the relevant SOW and requires specific written agreement.
Where AI processing involves personal data and you have rights to human review or explanation under applicable law (including GDPR Article 22), we will facilitate those rights upon request.
Third-Party Links & Services
Our website and Deliverables may contain links to third-party websites, tools, and services. This Privacy Policy does not apply to those third parties. We encourage you to read the privacy policies of any third-party sites or services you visit.
Common third-party platforms whose services may be utilised in Supersonic's Deliverables include Make, n8n, Zapier, HubSpot, Salesforce, OpenAI, Anthropic, Google Cloud, Twilio, and others. Each of these platforms has its own privacy policy and data processing practices that clients should review.
Children's Privacy
Our website and services are directed to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16. If you are under 16, please do not submit any personal information to us. If we become aware that we have collected personal data from a child under 16, we will take steps to delete it promptly. If you believe we may have inadvertently collected such data, please contact us at privacy@supersonic.agency.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify active clients by email at least 30 days before significant changes take effect
- Post a notice on our website for a reasonable period following the update
Your continued use of our website or services after the effective date of any changes constitutes your acceptance of the updated Policy. If you object to any changes, you should stop using our services and contact us to discuss alternatives.
We recommend reviewing this Policy periodically to stay informed about how we protect your information.
If you have any questions, concerns, or requests relating to your personal information or this Privacy Policy, please contact us. We aim to respond to all privacy enquiries within 5 business days.
privacy@supersonic.agency