Privacy Policy
This Privacy Policy explains how IndexLabs ("IndexLabs", "we", "us", "our") collects, uses, holds, discloses and protects personal information. It applies to indexlabs.io and any related services (the "Service").
We are bound by the Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles ("APPs"). Where applicable to visitors located outside Australia, we also acknowledge obligations under the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA/CPRA").
By using the Service, you consent to the collection, use and disclosure of your information as described in this Policy.
1. About IndexLabs and the Service
IndexLabs operates an Agent Experience (AX) audit platform. The Service evaluates how well publicly accessible websites function for AI agents (such as ChatGPT, Google Gemini, Perplexity Comet, and Claude). Users may submit a website URL and, in some cases, view aggregated results in our public benchmark leaderboard.
For privacy enquiries, contact: hello@indexlabs.io
2. Information we collect
2.1 Information you provide
- Submitted URLs — the website addresses you submit for audit.
- Account information (if you create an account) — email address, name, password (hashed), and any optional profile information.
- Communications — messages you send us, including support requests and feedback.
- Payment information (for paid reports) — processed by our third-party payment provider; we do not store full card details.
2.2 Information collected automatically
- Technical data — IP address, browser type and version, device identifiers, operating system, referrer URL, and pages visited.
- Usage data — actions taken in the Service, timestamps, audit history, and feature interactions.
- Cookies and similar technologies — see Section 9.
2.3 Information generated by the Service
- Audit results — scores, diagnostic data, screenshots, screen recordings, and agent task completion logs generated when we run an audit.
- Aggregated benchmark data — derived from audits across many websites for industry comparisons.
2.4 Information we do not knowingly collect
We do not knowingly collect sensitive information (as defined in the Privacy Act) including health, biometric, racial, political or religious information. Do not submit URLs whose content you know to contain such information about identifiable individuals.
3. How we use your information
We use information for the following purposes:
| Purpose | Legal basis (where GDPR applies) |
|---|---|
| Performing audits and delivering results | Performance of contract |
| Operating, securing, and improving the Service | Legitimate interests |
| Building and refining our AX benchmark methodology | Legitimate interests |
| Publishing aggregated industry data and the public leaderboard (see Section 7) | Legitimate interests |
| Communicating with you (service updates, responses to enquiries) | Performance of contract / Legitimate interests |
| Marketing communications (where you have opted in) | Consent |
| Complying with legal obligations | Legal obligation |
| Detecting and preventing fraud, abuse, and security incidents | Legitimate interests |
4. Automated decision-making and AI processing
The Service uses automated systems, including AI agents and large language models, to score, classify and rank websites. Specifically:
- Submitted URLs are fetched and rendered, and their content is processed by AI models operated by third-party providers (see Section 5).
- AI agents are instructed to attempt standardised tasks on the submitted website, and their performance is recorded and scored.
- Scores, rankings and recommendations produced by the Service are generated wholly or substantially by automated means.
These outputs are intended for informational purposes and do not, by themselves, make decisions that produce legal or similarly significant effects on individuals. If you believe an automated output has materially affected you, contact us at hello@indexlabs.io to request human review.
This section will be updated to reflect the automated decision-making disclosure obligations under the Privacy and Other Legislation Amendment Act 2024 (Cth), which take effect on 10 December 2026.
5. Disclosure of information
We disclose information to the following categories of recipient:
5.1 Service providers and processors
We use the following third parties to operate the Service. Each is contractually required to handle information consistent with this Policy and applicable law:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | United States |
| Vercel | Hosting and content delivery | United States |
| Anthropic | AI model and agent processing (Claude) | United States |
| OpenAI | AI model and agent processing (ChatGPT) | United States |
| AI model and agent processing (Gemini) | United States | |
| Perplexity | AI agent processing (Comet) | United States |
| Browser automation providers | Running agent tasks against submitted URLs | United States |
We may add or change service providers from time to time. Material changes will be reflected in updates to this Policy.
5.2 Public disclosure
Where you submit a URL belonging to a publicly accessible website, audit results may be published on our benchmark leaderboard or in industry reports. See Section 7.
5.3 Legal disclosure
We may disclose information where required by law, court order, or to enforce our Terms of Service, prevent fraud, or protect the rights, property or safety of IndexLabs, our users, or the public.
5.4 Business transfers
In the event of a merger, acquisition, or sale of assets, information may be transferred, subject to confidentiality and continuing privacy protections.
6. Overseas transfers (APP 8 / GDPR Chapter V)
Several of our service providers store and process information in the United States and other jurisdictions outside Australia. By using the Service, you consent to your information being transferred to and processed in these jurisdictions.
We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the APPs, including through written contractual arrangements. For transfers from the European Economic Area or United Kingdom, we rely on Standard Contractual Clauses or equivalent safeguards where required.
7. The IndexLabs benchmark leaderboard
The leaderboard publishes audit scores and rankings for publicly accessible websites, identified by domain name and, where applicable, the operating organisation's name.
- Leaderboard data is derived from publicly accessible information (the contents of public websites).
- Scores are point-in-time and reflect our methodology at the time of audit.
- We do not knowingly include personal information about identifiable individuals in leaderboard entries beyond the operating organisation's name.
If you are an authorised representative of an organisation listed on the leaderboard and wish to request review, correction, right of reply, or removal, see Section 8 and our Terms of Service.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete personal information;
- Request deletion of your personal information (subject to legal retention obligations);
- Withdraw consent where processing is based on consent;
- Object to processing based on legitimate interests (GDPR);
- Data portability for information you have provided (GDPR);
- Opt out of marketing communications at any time;
- Lodge a complaint with a regulator (see Section 11).
To exercise any of these rights, contact hello@indexlabs.io. We will respond within 30 days. We may need to verify your identity before actioning a request.
9. Cookies and similar technologies
We use cookies and similar technologies to operate the Service, remember your preferences, and analyse usage. Categories used:
- Strictly necessary — required to operate the Service (cannot be disabled).
- Functional — remember preferences such as theme.
- Analytics — measure usage patterns to improve the Service.
You can control cookies through your browser settings. Disabling some cookies may affect functionality.
10. Data security and retention
10.1 Security (APP 11)
We take reasonable technical and organisational measures to protect personal information against loss, misuse, unauthorised access, modification or disclosure. These include encrypted transmission (HTTPS/TLS), access controls, authentication requirements for our service providers, and regular review of our security practices.
No system is completely secure. We cannot guarantee absolute security of information transmitted to or stored by the Service.
10.2 Retention
We retain personal information only as long as necessary for the purposes described in this Policy, or as required by law:
| Category | Retention period |
|---|---|
| Account information | For the life of the account, plus 12 months |
| Audit results (account-linked) | For the life of the account, plus 24 months |
| Audit results (anonymous submissions) | Up to 12 months |
| Leaderboard and aggregated benchmark data | Indefinitely (de-identified or organisation-level only) |
| Technical/usage logs | Up to 12 months |
| Communications | Up to 7 years for legal and tax purposes |
Where retention is no longer required, we will destroy or de-identify the information.
10.3 Notifiable data breaches
If we become aware of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") in accordance with the Notifiable Data Breaches scheme.
11. Complaints and contact
If you have a complaint about how we handle personal information, contact us first at hello@indexlabs.io. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992
- Your local data protection authority (if you are in the EU/UK)
- California Privacy Protection Agency (if you are a California resident)
12. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact hello@indexlabs.io and we will take steps to delete it.
We will update our practices to comply with the Children's Online Privacy Code when it is finalised by the OAIC.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by notice in the Service or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
14. Contact
IndexLabs Email: hello@indexlabs.io Web: indexlabs.io