Effective Date: 1 December 2025
Version: 3.0
Issuing Entity
Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Parent Governance Entity
Strategic Global Holdings Pty Ltd (ACN 693 256 503), Queensland, Australia
Governing Law
As specified in the main service agreement. For Australian customers, Queensland law applies.
Review Cycle
Reviewed at least annually or earlier where required by law or material operational change.
1. PURPOSE
This document supplements the Platform Terms and Privacy Policy between the Customer and Superspeed.ai Pty Ltd.
It governs the processing of Personal Information where Cushi.app acts on behalf of a Customer.
Cushi.app operates primarily under Australian law, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Where services involve individuals located outside Australia, additional contractual safeguards may apply where legally required.
2. DEFINITIONS
2.1 Customer
The organisation entering into a service agreement with Cushi.app.
2.2 Customer Data
Personal Information uploaded to or processed through the Services on behalf of the Customer.
2.3 Cushi Data
Account information, billing information, operational logs, platform analytics, security telemetry, and system metadata generated in operating the Services.
2.4 Personal Information
Information or an opinion about an identified individual or an individual who is reasonably identifiable under applicable law.
2.5 Processing
Any collection, use, storage, disclosure, or deletion of Personal Information.
2.6 Controller
An entity that determines the purposes and means of Processing.
2.7 Processor
An entity that processes Personal Information on behalf of a Controller.
2.8 Subprocessor
A third party engaged by Cushi.app to support service delivery involving Processing.
3. ROLES AND RESPONSIBILITIES
3.1 Processor Role
Cushi.app acts as a Processor when handling Customer Data in accordance with Customer instructions under the service agreement.
3.2 Controller Role
Cushi.app acts as a Controller in relation to:
- Account administration data
- Billing and payment information
- Security and operational monitoring data
- Platform performance analytics
Cushi.app processes Customer Data only:
- On documented Customer instructions
- As required by applicable law
The Customer is responsible for:
- Determining the lawful basis for collecting and using Customer Data
- Providing required privacy notices
- Obtaining necessary consents
- Configuring the Services in compliance with applicable law
- Securing its own systems and credentials
4. SUBJECT MATTER AND DURATION
Processing continues for the duration of the Customer agreement.
Upon termination, Customer Data will be deleted or made available for export in accordance with contractual terms, subject to legal retention obligations.
5. SECURITY OF PROCESSING
Cushi.app implements technical and organisational measures proportionate to the nature of the data and risks involved.
These measures may include:
- Encryption of data in transit
- Encryption of stored data
- Role based access controls
- Multi factor authentication for administrative access
- Secure software development practices
- Network controls and segmentation
- Logging and monitoring of system activity
- Vulnerability management processes
- Backup and disaster recovery procedures
No system can guarantee absolute security. Cushi.app takes reasonable steps consistent with industry practice to protect Personal Information against misuse, interference, loss, unauthorised access, modification, or disclosure.
References to alignment with recognised standards describe internal control design and do not constitute certification unless expressly stated elsewhere.
6. CONFIDENTIALITY
Personnel authorised to access Personal Information are subject to confidentiality obligations and appropriate training.
7. SUBPROCESSORS
Cushi.app may engage Subprocessors to support the Services.
Subprocessors are engaged under written agreements requiring confidentiality and appropriate data protection safeguards.
Cushi.app remains responsible for the performance of its Subprocessors in accordance with applicable law and contractual obligations.
A current Subprocessor list is available upon request.
8. INTERNATIONAL PROCESSING
Personal Information may be processed outside Australia where infrastructure or Subprocessors operate in other jurisdictions.
Where required by applicable law, Cushi.app will implement appropriate safeguards designed to provide protections substantially similar to Australian privacy standards.
9. ASSISTANCE TO CUSTOMER
Where Cushi.app acts as Processor, it will provide reasonable assistance to the Customer, to the extent practicable and proportionate, in relation to:
- Data subject access requests
- Regulatory inquiries relating to Customer Data
- Privacy impact assessments where required
Cushi.app is not responsible for responding directly to data subject requests relating to Customer Data unless legally required.
10. PERSONAL INFORMATION BREACH
Cushi.app maintains documented incident response procedures.
Where Cushi.app becomes aware of a breach affecting Customer Data, it will notify the Customer without undue delay after confirmation of the incident and provide information reasonably available to assist assessment.
For Australian Customers, obligations under the Notifiable Data Breaches scheme remain with the entity legally required to notify.
11. DATA RETENTION AND DELETION
Customer Data is retained for the duration of the service agreement unless otherwise instructed by the Customer or required by law.
Following termination:
- Customer Data will be deleted or made available for export
- Backup data will be removed in accordance with standard system lifecycle processes
Cushi.app may retain limited information where required for legal compliance, dispute resolution, or enforcement of contractual rights.
12. AUDIT AND INFORMATION RIGHTS
Cushi.app maintains documentation describing its data protection and security practices.
Upon reasonable written request, Cushi.app may provide information sufficient to demonstrate compliance with its Processor obligations.
Audit rights are limited to documentation review and reasonable information requests. Physical access audits are not permitted unless required by law or expressly agreed in writing.
13. LIABILITY
Liability relating to data protection is governed by the main service agreement.
Cushi.app is responsible for compliance with its obligations as described in this document.
The Customer remains responsible for:
- Lawful collection of Customer Data
- Accuracy of instructions
- Compliance with applicable laws relating to its use of the Services
14. SURVIVAL
Confidentiality, liability, and data deletion obligations survive termination to the extent required by law or contract.
CONTACT
Privacy Officer
Superspeed.ai Pty Ltd
Brisbane, Australia
privacy@cushi.app
security@cushi.app
VERSION CONTROL AND GOVERNANCE
Version 3.0
Effective 1 December 2025
Approved by Chief Executive Officer, Superspeed.ai Pty Ltd© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Part of the Strategic Global Holdings Pty Ltd group (ACN 693 256 503)