Privacy Policy
Loon Shoot Pty Ltd
ABN: 85 638 743 932
Last updated: 25 March 2026
This privacy policy explains how Outrun (operated by Loon Shoot Pty Ltd) collects, uses, and protects your personal information when you visit our website, create an account, or use our services. For details on how we process data on behalf of our customers (as a data processor), see our Data Processing Agreement.
Who We Are
Outrun and AIRank are products of Loon Shoot Pty Ltd (ABN 85 638 743 932), a company registered in Victoria, Australia. We provide an AI-powered data platform that helps businesses manage, analyse, and act on their data.
For the purposes of applicable data protection law, Loon Shoot Pty Ltd is the data controller for personal information we collect about you directly (e.g., when you visit our website or create an account). When we process data on behalf of our customers through the Platform, we act as a data processor — this is governed by our Data Processing Agreement (DPA).
What Personal Information We Collect
We collect the following categories of personal information:
Information you provide
- Name, email address, and contact details (when you create an account or contact us)
- Company name and job title
- Billing and payment information
- Communications you send us (support requests, feedback)
Information collected automatically
- IP address and approximate location
- Browser type, device type, and operating system
- Pages visited, time spent, and navigation patterns on our website
- Platform usage data (features used, frequency, performance metrics)
Information from third parties
- Information from authentication providers if you use single sign-on
- Publicly available business information
Why We Collect It
We use your personal information to:
- Provide, maintain, and improve our services
- Create and manage your account
- Process payments and manage billing
- Send service-related communications (account notifications, security alerts, updates)
- Provide customer support
- Analyse usage to improve the Platform
- Comply with legal obligations
- Protect against fraud and abuse
We do not sell your personal information. We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you.
Legal Basis for Processing (UK/EU)
If you are in the UK or EU, our legal bases for processing your personal information are:
- Contract: Processing necessary to provide the services you've signed up for
- Legitimate interests: Improving our services, securing our platform, and understanding how our services are used — where these interests are not overridden by your rights
- Legal obligation: Where we need to comply with applicable law
- Consent: Where you have given specific consent (e.g., marketing communications) — you can withdraw consent at any time
Customer Data on the Platform
Your Data Belongs to You
Data you upload to or process through the Platform remains your property. We act as a data processor for this data, not a data controller. This processing is governed by our Data Processing Agreement.
- We process your data only to provide the services you've requested
- Your data is stored securely in our European data centre (Germany)
- AI processing stays within the EU (Google Vertex AI, Frankfurt)
- You maintain full ownership and control of your data
- We may use aggregated, anonymised data to improve the Platform — this cannot identify you or any individual
Where Your Data Is Stored & Processed
Your personal information and Customer Data are stored and processed in the following locations:
- Data at rest: Hetzner Online GmbH, Falkenstein, Germany (EU) — all Customer Data is currently stored in the EU
- AI processing: Google Vertex AI europe-west3, Frankfurt, Germany (EU)
- Transactional email: Amazon SES, us-east-1, Virginia, USA — email addresses and notification content only. No email content is stored after delivery.
Outrun operates a Global data residency model by default, with all data currently stored in the EU region. As additional regions become available, data under the Global model may be distributed to the nearest region. Customers may opt for a Region-Locked EU plan to guarantee data remains in the EU regardless of future region availability.
Transactional email is the only component that processes personal data outside the EU, and this is limited to email addresses and notification content. This transfer is covered by appropriate transfer mechanisms (EU Standard Contractual Clauses / UK International Data Transfer Addendum). See our DPA for full details.
Who We Share Your Information With
We share your personal information only with:
- Service providers who help us operate the Platform (listed in our DPA, Annex 3), under strict data processing agreements
- Professional advisors (legal, accounting) under confidentiality obligations
- Law enforcement or regulators where required by law
- A successor entity in connection with a merger, acquisition, or sale of assets, with appropriate protections
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
Cookies and Tracking
We use cookies and similar technologies to:
- Keep you signed in
- Remember your preferences
- Understand how our website and Platform are used
- Ensure security
You can control cookie settings through your browser. Disabling certain cookies may affect the functionality of our services.
Security
We protect your personal information with:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Multi-factor authentication for administrative access
- Role-based access controls and least-privilege principles
- Point-to-point encrypted tunnels (WireGuard) for internal communications
- In-house monitoring and logging
- Regular vulnerability scanning
- Tenant isolation — your data is not accessible to other customers
Data Retention
We retain your personal information for as long as necessary to:
- Provide our services to you
- Comply with legal, tax, and accounting obligations
- Resolve disputes and enforce our agreements
When your account is terminated, Customer Data is handled per the DPA (30-day export period, then deletion). Account information may be retained for up to 7 years for legal and compliance purposes, after which it is securely deleted.
Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Rectification: Request correction of inaccurate information
- Erasure: Request deletion of your personal information (subject to legal requirements)
- Portability: Request transfer of your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request limitation of processing in certain circumstances
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by law). We may ask for identification to verify your identity before processing your request.
Children's Privacy
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.
Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through the Platform. The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of our services after notification constitutes acceptance of the updated policy.
Complaints & Contact
If you have questions, concerns, or complaints about this privacy policy or how we handle your personal information, contact us at:
Loon Shoot Pty Ltd (operating as Outrun)
ABN: 85 638 743 932
23 Kilgour Street, Geelong, VIC 3220, Australia
We will investigate any complaint and respond as soon as practicable.
If you are not satisfied with our response, you may contact the relevant regulatory authority:
- Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- European Union: Your local Data Protection Authority