serge
· Legal

Privacy Policy

Privacy Policy

Last updated: 19 April 2026

1. Who we are

Serge is a WhatsApp-based AI travel companion for tourists in Australia. This policy is issued by Serge Pty Ltd (in formation) ("Serge", "we", "us", "our"), an Australian company being incorporated with the Australian Securities and Investments Commission.

  • ABN: [TODO: confirm post-ASIC registration]
  • Registered office: [TODO: confirm post-ASIC registration]
  • Primary domain: askserge.com.au
  • Privacy contact: privacy@askserge.com.au

We are based in Australia, our customer-facing service operates in Australia, and we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

If you are a visitor from the European Union or United Kingdom, we acknowledge the rights you have under the GDPR and UK GDPR: access, rectification, erasure, objection, restriction and portability. In practice the Australian Privacy Principles described below give you substantively similar protections, and we will honour reasonable requests on either basis. Contact us at privacy@askserge.com.au.

2. What this policy covers

This policy explains what personal information Serge collects, how we collect it, why we use it, who we share it with, where it is stored, how long we keep it, and the rights you have over it.

It covers:

  • Your conversations with Serge over WhatsApp
  • Booking referrals we receive from distribution partners (starting with RatPack, a campervan rental operator)
  • Your visits to askserge.com.au and any sub-domain we operate

It does not cover third-party services you reach through links we share, tour operators you book with, or the WhatsApp platform itself. Those third parties are governed by their own privacy policies.

3. Information we collect

We try to collect only what we need to give you a useful travel service. That typically includes:

  • WhatsApp messages. The text content of messages you send us, and the text of messages we send you, together with WhatsApp metadata (message timestamps, message identifiers supplied by Twilio, your WhatsApp profile name, any images or locations you send us).
  • Your phone number. Your phone number in E.164 international format. This is our primary identity key. It is how we recognise you when a referral arrives from a partner and when you start a WhatsApp conversation.
  • Name, nationality and language. Your first and last name, nationality (as an ISO country code), preferred language, and date of birth if a partner shares it or you tell us. We use these to personalise recommendations and match the right tone.
  • Trip details. Your trip dates, pickup and return locations, vehicle type, group composition, route plans, current location (when you share it or when we can infer it from a booking), and interests, budget and dietary requirements you mention.
  • Booking and payment records. The tours and experiences you book through Serge, participant names, activity dates, the amount paid, the payment status, and the identifier assigned by our payment provider. We do not store your card number, CVV, or bank account details. Those are held only by the regulated payment processor handling the transaction.
  • Technical data from the website. When you visit askserge.com.au we log standard server information (your IP address, approximate location, browser and device type, referring URL, and the pages you view) and set the minimum cookies needed to run the site. See our Cookie Policy for detail.

If you tell us something in conversation that we don't need, we try not to keep it. If you send us content we can't lawfully hold (for example, sensitive health information we didn't ask for), we will delete it.

4. How we collect it

We collect personal information in three ways:

  • Directly from you, when you text Serge on WhatsApp, visit our website, or fill in a form we publish.
  • From distribution partners, when a partner you have booked with (starting with RatPack) sends us a referral so Serge can introduce themselves. The partner's booking terms will tell you that this hand-off happens. The referral includes the contact and trip details described in section 3.
  • From the website itself, through the normal server logs and minimal cookies described in our Cookie Policy.

We do not buy personal information from data brokers, and we do not scrape public profiles to enrich what we hold about you.

5. Why we use it

We use your personal information to:

  • Deliver the Serge service. Recognise you on WhatsApp, hold a useful conversation, remember preferences across a 14 to 28 day trip, and help you plan day to day.
  • Process bookings. Hold a tour slot, generate a payment link, confirm the booking with the operator, send you pickup details and reminders, and handle cancellations or refunds.
  • Recommend experiences. Search a catalogue of enriched tour metadata to find options that suit your interests, budget, group and timing.
  • Operate and improve the service. Debug problems, monitor quality, spot abuse, review Serge's own responses to make them more helpful, and measure how often recommendations turn into satisfied bookings.
  • Meet legal and tax obligations. Keep booking and commission records for the period Australian tax and consumer law require, and respond to lawful requests from regulators.
  • Communicate with you about your trip. Proactive check-ins, activity-day reminders, and post-activity feedback requests related to bookings you have made.

We do not use your personal information to build advertising profiles, we do not sell it, and we do not share your booking history with partners beyond what is needed to fulfil a specific booking.

6. Legal basis

Under Australian law we rely on a mix of grounds to handle your personal information:

  • Performance of our service to you. Most of what we do is because you have started a conversation with Serge and asked us to help plan or book travel. Handling your messages, trip details and booking information is necessary to provide that service.
  • Legitimate interests. Improving Serge's quality, protecting the service from abuse, and meeting operational and security requirements. We only rely on this where the impact on your privacy is proportionate.
  • Consent. For anything that is not necessary to provide the service, such as marketing messages outside of an active trip. You can withdraw consent at any time by replying STOP on WhatsApp or emailing privacy@askserge.com.au.
  • Legal obligation. For tax, accounting, anti-fraud and regulatory record-keeping.

If you are in the EU or UK, the equivalent GDPR lawful bases are contract (Article 6(1)(b)), legitimate interests (Article 6(1)(f)), consent (Article 6(1)(a)) and legal obligation (Article 6(1)(c)).

7. Where your information is stored

Serge is built to keep your personal information in Australia.

  • Firebase (Google Cloud), region `australia-southeast1` (Sydney) is our primary data store. Your customer record, message history, referral, booking records and itinerary events all live there. This is where the personal information described in section 3 is held.
  • Pinecone Serverless, region `us-east-1` holds a vector index used to search a catalogue of tours and experiences. This index contains no personal information. It stores embeddings and metadata about tour products (not people), like supplier names, categories, price bands, seasonality, and sentiment summaries, so Serge can find options that match what you have told us. Your name, phone number, message content and booking history are never written to Pinecone.
  • Supporting services. A small number of operational services we rely on are hosted in the United States or Europe (for example our AI model provider and our workflow orchestration service). When we send your information to them we only send what they need to perform the service, and we rely on contractual protections and their own certifications. These disclosures are listed in section 8.

When we disclose personal information overseas we comply with Australian Privacy Principle 8 (cross-border disclosure). We take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to your information, by selecting reputable providers and entering into appropriate data processing agreements. Where personal information is sent outside Australia, it may be accessible to the authorities of the country it is held in.

8. Who we share it with

We share personal information only with the service providers we need to run Serge, and with the tour operator fulfilling a booking you have chosen to make. We do not sell your information to anyone. The current list is:

  • Anthropic, PBC. Provides the Claude large language model that powers Serge. Your message content and a summary of your current trip context are sent to Anthropic for inference so Serge can respond. Anthropic processes this data under its published data handling policy and does not use Serge's API traffic to train its general-purpose models.
  • Twilio, Inc. Delivers messages between you and Serge over the WhatsApp Business API. Twilio handles WhatsApp metadata, phone numbers and message content in transit.
  • Viator (Tripadvisor LLC). Our experience catalog and booking platform. When you open a booking link that Serge shares, you leave Serge and complete the transaction on Viator's own site. Viator receives whatever information you provide to them directly (name, contact details, payment details, participant details). Serge does not forward your PII to Viator; the referral link carries only a partner tracking identifier so we earn a commission if you book. Viator's own privacy policy governs what they collect on their site.
  • Tour operators (suppliers). The business that actually runs the tour receives, from Viator, the information they need to deliver the experience (lead participant name, contact number, headcount, pickup preferences). Serge does not share your information with operators directly.
  • Inngest, Inc. Orchestrates the workflows that run Serge (incoming messages, booking holds, proactive reminders). Inngest sees event payloads which may include your phone number, message IDs and booking references.
  • Google LLC (Firebase / Google Cloud). Hosts our primary database in `australia-southeast1`. Personal information at rest lives here.
  • Pinecone Systems, Inc. Hosts the product search index described in section 7. Pinecone does not receive personal information about you.
  • Payoneer. Used for partner commission payouts. Payoneer does not receive customer personal information. Only partner and commission data.

We may also disclose personal information where the law requires it (for example, in response to a valid warrant, subpoena, or regulator request), where it is necessary to protect the safety of a person, or in the context of a corporate transaction such as a merger or acquisition. In that case we would require the recipient to honour this policy.

9. How long we keep it

We keep personal information only as long as we need it.

  • WhatsApp messages. 24 months from the date of the message. After that, message content is deleted from our primary store. We may keep aggregate, de-identified statistics for longer to improve the service.
  • Customer profile and trip records. For the duration of your trip and a reasonable period after, so we can handle post-trip refunds and feedback. Purged within 24 months unless you have an active booking or have opted into longer retention.
  • Booking records (including financial data). 7 years, as required by Australian taxation and consumer-protection record-keeping rules.
  • Referral records from partners. Up to 60 days after the trip end date if unclaimed, at which point they expire and are deleted.
  • Payment card details. Never stored by Serge. Held only by the payment processor under their own retention rules.
  • Website logs. Up to 12 months, for debugging and security.

You can ask us to delete your information earlier. See section 10. Some records (for example completed bookings) may need to be retained for the full legal period even after a deletion request, in which case we will restrict further use.

10. Your rights

Under the Australian Privacy Principles you have the right to:

  • Access the personal information we hold about you. Just ask and we will provide it in a readable form.
  • Correct information that is inaccurate, out of date, incomplete or misleading.
  • Ask us to delete your information, subject to the retention requirements in section 9.
  • Withdraw consent to marketing or non-essential uses at any time.
  • Object to a particular use of your information, or ask us to restrict it.
  • Complain to us directly, and if you are unsatisfied with our response, to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

To make any of these requests, email privacy@askserge.com.au from the address we have on file, or send us a WhatsApp message with the words "privacy request" and we will verify your identity before responding. We will respond within 30 days, and usually much faster.

If you are in the EU or UK you have equivalent GDPR rights and may lodge a complaint with your local data protection authority.

11. Cookies

The Serge website uses a small set of cookies to keep the site working and to help us understand how it is used. We do not use advertising cookies. Full detail is in our Cookie Policy.

12. Security

We take reasonable steps to protect your personal information. That includes:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls on our internal systems. Only the people who need access have it, and access is logged.
  • Hosting on reputable cloud providers (Google Cloud, with Firebase security rules) in the Australian region.
  • Secrets held in Google Cloud Secret Manager, not in code or configuration files.
  • Monitoring and alerting for unusual activity.

No system is perfectly secure, and we do not claim otherwise. In the event of a data breach likely to result in serious harm, we will notify affected individuals and the OAIC as required by Australia's Notifiable Data Breaches scheme.

13. Children

Serge is designed for adult travellers and is not intended for children. We do not knowingly collect personal information from anyone under 16. If you believe a child has sent us information, please contact privacy@askserge.com.au and we will delete it.

14. Changes to this policy

We may update this policy from time to time as the product evolves or the law changes. When we do we will update the "Last updated" date at the top of the page. If a change is material we will tell you over WhatsApp or by notice on the website before it takes effect.

15. Contact

Questions, requests or complaints about privacy:

  • Email: privacy@askserge.com.au
  • Post: Serge Pty Ltd (in formation), [TODO: confirm post-ASIC registration]

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at www.oaic.gov.au, 1300 363 992.

Serge Pty Ltd (in formation) · askserge.com.au

Text Serge