SG1 Consulting logo

Privacy Policy

Last updated: 25 May 2026

Introduction

SG1 Consulting ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Information We Collect

Personal Information

We may collect personal information that you provide to us, including:

  • Name and job title
  • Company name and address
  • Email address and phone number
  • Information you provide in forms or consultations
  • Communication preferences

Automatically Collected Information

When you visit our website, we may automatically collect:

  • IP address and browser type
  • Device information
  • Pages visited and time spent
  • Referring website addresses

How We Use Your Information

We use the information we collect to:

  • Provide and improve our AI automation consulting services
  • Respond to inquiries and consultation requests
  • Send relevant information about our services
  • Comply with legal obligations
  • Analyze website usage to improve user experience
  • Protect against fraudulent or illegal activity

Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • With trusted service providers who assist our operations
  • To protect our rights, privacy, safety, or property

Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:

  • Encryption of data in transit and at rest
  • Regular security assessments
  • Access controls and authentication
  • Employee training on data protection

Your Rights

Under Australian privacy law, you have the right to:

  • Access your personal information we hold
  • Request correction of inaccurate information
  • Request deletion of your information
  • Opt-out of marketing communications
  • Lodge a complaint about our privacy practices

Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

  • Email: privacy@sg1consulting.com.au
  • Phone: 1300 SG1 (1300 741)
  • Mail: SG1 Consulting, Sydney, Australia

Australian Privacy Principles

This Privacy Policy is designed to comply with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth). For more information about privacy rights in Australia, visit the Office of the Australian Information Commissioner at www.oaic.gov.au.

The Everything — SaaS Service & Office Add-in

In addition to our consulting services, SG1 Consulting operates The Everything, an AI assistant subscription service delivered as a Microsoft Teams app and Microsoft Word add-in. This section describes how that service handles your data; it supplements (and does not replace) the general privacy practices described above.

What the service accesses

When you use The Everything inside Microsoft Word, the add-in reads:

  • The text and structure of the open document (paragraphs, headings, tables, comments, currently-selected text), only while the side pane is open and only in response to your instructions
  • The instruction you type in the side pane
  • Your Microsoft 365 identity (email, display name, group memberships) via Office Single Sign-On for authentication

When you use The Everything inside Microsoft Teams, the bot reads:

  • Messages you send to it directly and (where authorised) channel/group messages it is mentioned in
  • Read-only metadata from your tenant (calendar, mailbox, OneDrive files, CRM, accounting) as authorised by your tenant administrator during onboarding

Where your data is processed

Document content and instructions transmitted to The Everything are processed by:

  • SG1 Consulting servers hosted in Microsoft Azure (Australia East region) — for orchestration, audit logging, and routing
  • Anthropic PBC (United States) — for AI inference via the Claude language model API. Anthropic does NOT use Claude API data to train its models; see Anthropic Commercial Terms
  • Supabase Inc. (Sydney region) — encrypted persistent storage of conversation history, audit logs, and customer configuration
  • Microsoft Corporation (Australia East) — for Office Single Sign-On, Microsoft Graph API access (subject to your tenant’s consent), and Microsoft Teams Bot Framework messaging

Training disclosure

We do not train AI models on your data. Your document content, chat messages, and business data are used only to generate the response you requested and to maintain conversation context. We do not fine-tune, train, or sell AI models using customer content. Our AI provider (Anthropic) is contractually prohibited from training on Claude API inputs and outputs.

Retention

  • Chat / conversation history: retained for the life of your subscription, plus 90 days after cancellation, then deleted
  • Audit logs: retained for 7 years for compliance purposes
  • Document content sent to the AI: not separately stored beyond the in-flight processing and the audit log entry (which retains the first ~2,500 characters of each request and response for support and debugging)
  • OAuth refresh tokens for Microsoft 365 access: retained until revoked by you or your tenant administrator, or until your subscription ends

Encryption

  • All transit: TLS 1.2 minimum (TLS 1.3 preferred)
  • At rest: AES-256-GCM for Microsoft 365 OAuth credentials and tenant secrets; AES-256 for Supabase-stored chat history
  • Keys are managed by SG1 Consulting; we plan key rotation but do not currently support per-customer customer-managed keys (CMK)

Sub-processors

We engage the following sub-processors to deliver The Everything. We are responsible for ensuring each sub-processor maintains appropriate security and privacy controls.

  • Microsoft Corporation — Azure hosting, Microsoft Graph API, Microsoft Teams Bot Framework, Office Single Sign-On
  • Anthropic PBC — AI inference (Claude)
  • OpenAI L.L.C. — AI inference for utility tasks (classification, extraction) only; not used for primary document drafting
  • Supabase Inc. — encrypted database hosting (Sydney region)
  • Stripe Inc. — subscription billing (no customer document content shared)

Microsoft 365 data handling

When your tenant administrator authorises The Everything during onboarding, the service is granted scoped access to specific Microsoft Graph APIs. Each functional capability (email, files, calendar, directory, security, communication) uses a separate per-tenant Entra ID app registration created in your own tenant under least-privilege scopes. Your administrator retains full ability to inspect, modify, or revoke these registrations at any time via the Microsoft Entra admin portal. We never use a single all-powerful app registration.

Data deletion on cancellation

Within 30 days of cancellation, you may request complete deletion of your tenant’s data from our systems. Audit logs may be retained beyond this period where required by law. Microsoft 365 OAuth credentials are revoked immediately on cancellation; the per-tenant Entra ID app registrations created during onboarding are deprovisioned from your tenant.

Contact for The Everything privacy queries

For questions or requests specifically about The Everything service, contact everything@sg1consulting.com.au.

Have questions about our privacy practices? Contact us