top of page

Privacy Policy

CLOA PRIVACY POLICY
Cloa Privacy Policy
Last updated: 29th June 2026
This policy explains how Nue Labs Pty Ltd (ACN 692 840 412) (“Nue Labs”, “we”, “us”, “our”), the company behind Cloa, handles your personal information.


This Privacy Policy explains what personal information we collect when you use Cloa (the “Service”), how we use and share it, how we keep it safe, and the choices and rights you have. It applies to people in Australia, and includes specific sections for people in the United Kingdom and Europe, and in the United States. The Service includes the Cloa website at cloaapp.ai, the Cloa browser extension, and the Cloa mobile web app.


1. Information we collect


1.1 Information you give us
When you create an account or contact us, we collect information such as your name, email address, profile details, and the contents of messages you send us, for example support requests and feedback. If you subscribe to a paid plan, our payment provider collects your payment details, and we receive limited billing information such as confirmation of payment. We do not store your full card details.


1.2 Content you put into Cloa
When you save content from other platforms, we store a low-resolution thumbnail and information about the post, such as its title, caption, the creator's handle where available, and the link to the original, as described in our Terms of Use. When you save using the Cloa browser extension, the extension captures metadata from the page you are saving, such as its title, description and source link, and sends it to us. When you upload your own content, we store that content so we can provide the Service to you. This content can include personal information, and you must only upload content you have the right to upload and store.


1.3 Information we collect automatically
When you use the Service, we collect information about how you use it, such as the features you use and actions you take, your device and browser information, and approximate location derived from your IP address. Our infrastructure also records technical log data, including request paths, status codes, request identifiers, timing information and IP addresses. We use cookies and similar technologies to keep you signed in, remember your preferences, and understand and improve how the Service is used. You can control cookies through your browser settings, though some features may not work properly without them.


1.4 Information from third parties
If you sign in to Cloa using a third-party sign-in such as Google, we receive basic profile information from that provider, such as your name, email address and profile picture, and confirmation that your email is verified. We do not receive your password, and these sign-in providers do not share your date of birth or age with us.


2. How we use your information
We use the information we collect to:

  • Provide and operate the Service, including signing you in, storing and displaying your saved and uploaded content, and giving you and the people you invite access to your workspaces and boards.

  • Power Cloa's features, including using AI to enrich and tag content you save and to power search and organisation, as described in the AI section below.

  • Maintain, improve and develop the Service, including through analytics and troubleshooting.

  • Communicate with you, including sending service and account messages, responding to your requests, and, where you have not opted out, sending you updates and offers about Cloa.

  • Keep the Service safe and secure, prevent and investigate fraud, abuse and breaches of our Terms.

  • Meet our legal, regulatory and record-keeping obligations.

3. AI and your content
Cloa uses AI to enrich and tag content at the point you save it, and to power search and organisation across your saved content. To do this, the content and information in your account is processed by us and by the AI services we use. We currently use AWS Bedrock for this, with Amazon Nova 2 Lite as the primary model and Claude Haiku 4.5 as a fallback. According to AWS, your prompts and the outputs are not shared with the model providers and are not used to train their base models. The primary model uses a global inference profile, which means this AI processing may take place outside Australia. This processing happens on the content within your Cloa account. Cloa does not access or scan your private messages, direct messages or comments on the third-party platforms you save from.
Cloa's AI features may develop over time, which may include features that learn from your saved content to improve search, or that suggest relevant content and ideas to you based on what you save and how you tag it. Where we introduce features that materially change how your content is used by AI, we will update this policy to describe them and let you know before they take effect. 
Automated decisions. Cloa’s AI tags, enriches and organises your content and powers search. We do not use your personal information to make decisions that produce legal effects for you, or that could otherwise reasonably be expected to significantly affect your rights or interests, by automated means. If we introduce any feature that uses your personal information to make, or to substantially assist in making, a decision of that kind, we will update this policy to explain the kinds of personal information used and how those decisions are made, consistent with our obligations under the Privacy Act 1988 (Cth).


4. Analytics
We do not currently use a separate product analytics provider. We rely on the operational logs described above to keep the Service running and to understand how it is used. We may introduce a product analytics tool such as Mixpanel in future, and will update this policy if we do. Any such analytics is usage and activity data, collected to improve the Service, not to read or interpret the meaning of your content.


5. How we share your information
We share personal information in the following ways:

  • Service providers. We share information with trusted third parties who help us run the Service, such as hosting, content embedding, error monitoring, payments, email and sign-in. They may only use it to provide their service to us, and must protect it consistently with this policy.

  • Within your organisation and shared spaces. If you are part of an organisation, workspace or board, your activity and the content you contribute may be visible to others in those spaces, according to their roles, as described in our Terms of Use.

  • Legal and safety. We may disclose information where we reasonably believe it is necessary to comply with the law or a lawful request, to enforce our Terms, or to protect the rights, property or safety of Cloa, our users or others.

  • Business transfers. If we are involved in a merger, acquisition, financing or sale of assets, your information may be transferred as part of that transaction. We will let you know if it becomes subject to a materially different privacy policy.

We do not sell your personal information, and Cloa does not display advertising or share your personal information with advertising networks.


6. Service providers we use
We currently use the following service providers, and will update this list as our stack changes. 

  • Hosting and infrastructure: Amazon Web Services (AWS), hosted in Sydney (ap-southeast-2), with disaster-recovery backups in Singapore (ap-southeast-1). This includes AWS services such as S3 and CloudFront to store and serve saved media, Cognito for sign-in, Amazon SES for transactional email, and CloudWatch and API Gateway for logging.

  • Content embedding and previews: Iframely. Where Iframely is unavailable, our backend fetches the source page directly to retrieve metadata.

  • Payments: Stripe (planned, not yet in use). When introduced, Stripe will process payments and we will not store your card details.

  • Email and communications: Amazon SES for transactional emails such as invitations and notifications, and Mailchimp for waitlist and marketing emails.

  • Error monitoring: Sentry, which receives error reports, user identifiers and technical context.

  • Product analytics: not currently in use. We may add a product analytics tool such as Mixpanel in future, as noted under Analytics above.

  • Sign-in and location and address services: Google, for Google sign-in (via AWS Cognito) and Google Places for address and location search.

  • Website: Wix, which hosts our marketing website.

  • AI processing: AWS Bedrock, using Amazon Nova 2 Lite as the primary model and Claude Haiku 4.5 as a fallback. According to AWS, prompts and outputs are not shared with the model providers and are not used to train their base models. The primary model uses a global inference profile, so this processing may occur outside Australia.


7. Cookies and similar technologies
We and our providers use cookies and similar technologies to operate the Service, keep you signed in, remember your settings, and measure and improve how the Service is used. You can control or delete cookies through your browser settings. Some features of the Service may not work properly if you disable them. If you are in the United Kingdom or the European Economic Area, we will seek your consent to non-essential cookies and similar technologies, through a cookie banner or similar tool, before they are set. Cookies and similar technologies that are not strictly necessary to operate the Service are most likely to be set by third-party content embedded in the Service, such as our content-embedding provider. Where this is the case, we will obtain consent before those technologies are set to the extent the law requires.


8. Where your information is stored and transferred
We are based in Australia, and your information is primarily stored in Australia, on Amazon Web Services in the Sydney region (ap-southeast-2). Disaster-recovery backups are held in Singapore (ap-southeast-1). In addition, our primary AI model uses a global inference profile, so AI processing may occur outside Australia, and some of our service providers operate overseas. As a result, your personal information may be transferred to, stored or processed in countries outside the one you are in, including Singapore, the United States and others. Where we transfer personal information across borders, we take reasonable steps to ensure it remains protected in line with this policy and applicable law. For people in Australia, where we disclose personal information to an overseas recipient we take reasonable steps under Australian Privacy Principle 8 to ensure the recipient handles it consistently with the Australian Privacy Principles, including through our contracts with our service providers. For transfers of personal information from the United Kingdom or the European Economic Area to a country without an adequacy decision, we rely on appropriate safeguards, including the European Commission’s standard contractual clauses and, for UK data, the UK International Data Transfer Agreement or Addendum.


9. How we keep your information safe
We use reasonable technical and organisational measures designed to protect personal information from unauthorised access, loss, misuse or disclosure. You are responsible for keeping your account credentials secure. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.


10. How long we keep your information
We keep your personal information for as long as your account or organisation exists in the Service, and for a reasonable period afterwards where we have a valid purpose, such as providing the Service, resolving disputes, and meeting our legal, audit and record-keeping obligations. We do not currently operate an automated account-closure or data-deletion workflow, so deletion of an account or organisation and its data is handled manually on request. When you ask us to delete your information, or we otherwise no longer need it, we will delete or de-identify it. Following deletion, residual copies may persist in our system backups and point-in-time recovery for up to 35 days before they are overwritten, after which they are no longer recoverable. We may retain information for longer where we are required to do so by law. 


11. Your choices and rights
You can access and update much of your account information directly in the Service. You can ask us to access, correct or delete the personal information we hold about you by contacting us at hello@cloaapp.ai, and we will respond as required by law. You can opt out of marketing messages at any time using the unsubscribe link in those messages or by contacting us, while still receiving essential service messages such as billing and security notices. Where we rely on your consent, you can withdraw it at any time.


12. Australian privacy rights
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This includes being open about how we handle personal information, collecting only what we need, keeping it secure, and giving you access to and correction of your information. We comply with the Notifiable Data Breaches scheme, and where an eligible data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required. If you have a privacy concern or complaint, contact us at hello@cloaapp.ai. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner. If we suspect an eligible data breach, we will carry out a reasonable and expeditious assessment and act within the timeframes the scheme requires.


13. For users in the United Kingdom and Europe
If you are in the United Kingdom, the European Economic Area or Switzerland, this section applies to you. For the purposes of the GDPR and UK GDPR, Nue Labs Pty Ltd is the controller of your personal information.

Legal bases. We process your personal information where it is necessary to provide the Service to you under our agreement (contract), where it is in our legitimate interests to operate and improve the Service in a way that is not overridden by your rights, where you have given consent (which you can withdraw at any time), and where we need to comply with a legal obligation.

Your rights. You have the right to access, correct, delete, restrict or object to our processing of your personal information, and to data portability. You can exercise these rights by contacting us at hello@cloaapp.ai. You also have the right to complain to your local data protection authority.
Transfers. Where we transfer your information outside the UK or EEA to a country without an adequacy decision, we use appropriate safeguards such as standard contractual clauses. Retention. We keep your personal information only for as long as we need it for the purposes described in this policy, and you may ask us to erase it where the law requires. Representative. We have not appointed a representative in the European Union or the United Kingdom, on the basis that our processing of personal information of people in those regions is currently occasional and limited in scale. If our activities in those regions expand, we will appoint a representative under Article 27 of the EU GDPR and the UK GDPR where required, and update this policy.


14. For users in the United States
If you are in the United States, you may have rights under your state's privacy laws, which can include the right to access, correct or delete the personal information we hold about you, and to opt out of the sale or sharing of personal information for targeted advertising. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. To exercise your rights, contact us at hello@cloaapp.ai, and we will verify and respond to your request as required by law. At our current size, most US state privacy laws do not yet apply to us under their thresholds, but we will honour the rights described above as a matter of practice. Where a state law applies to us and requires it, we will treat a recognised universal opt-out signal, such as the Global Privacy Control, as a valid request to opt out of any sale or sharing of personal information.


15. Children
Cloa is intended for people aged 18 and over and is not directed at children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from someone under 18, we will take steps to delete it. If you believe a minor has provided us with personal information, please contact us at hello@cloaapp.ai.


16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to the Service, our practices or the law. When we do, we will update the date at the top. If we make material changes, we will let you know through the Service or by email to the address linked to your account.


17. How to contact us
If you have questions about this Privacy Policy or how we handle your personal information, or you want to make a request or complaint, contact us at hello@cloaapp.ai, or write to Nue Labs Pty Ltd, Sydney, New South Wales, Australia.

Cloa is a product of Nue Labs Pty Ltd   ·   Sydney, NSW, Australia   ·   hello@cloaapp.ai

Cloa is a product of Nue Labs Pty Ltd   ·   Sydney, NSW, Australia   ·   hello@cloaapp.ai

bottom of page