Totii.ai is a role-based conversational assistant — a private platform where organisations and individuals turn their own knowledge, documents, voice, and style into a superstar colleague that can be talked to through chat, voice, or a cloned avatar. This policy explains how personal information is handled across every way the platform is used.
We have written this policy to be readable without legal training. If you represent an organisation reviewing Totii for procurement or a cyber-security assessment, our full technical privacy and security documentation — including data-flow diagrams, encryption specifications, and independent certifications — is available on request.
Totii.ai is owned and operated by two Australian-incorporated companies working in partnership. Both are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Mr and Mrs Cloud Pty Ltd — Platform Owner and Data Controller
ABN 77 613 464 136 · Australia
Owns the Totii.ai brand and service. Determines the purposes and means of processing for the platform overall.
Shine Me Pty Limited — Technology Partner and Data Processor
ABN 22 688 961 257 · ACN 688 961 257
Specialist technology partner in artificial intelligence and cloud solutions. Engineers, operates, and maintains the Totii platform on behalf of Mr and Mrs Cloud Pty Ltd.
Throughout this policy, “Totii”, “we”, “us”, and “our” refer collectively to Mr and Mrs Cloud Pty Ltd and Shine Me Pty Limited, acting in their respective capacities. Both companies share responsibility for this policy and the protection of personal information.
Totii is used in four distinct ways. This policy covers every one of them.
This policy also applies to visitors of the Totii.ai website, anyone who contacts us through sales, support, or general enquiries, and anyone whose personal information is shared with us by an organisation using Totii.
Totii’s role under privacy law depends on how the platform is being used. This matters, because it tells you who is responsible for which decisions.
| How Totii is used | Our role | The controller is |
|---|---|---|
| Enterprise, small business, or community deployment | Data processor | The customer organisation. They decide what personal information is uploaded and who can access it. We process it on their instructions under a written agreement. |
| Individual legacy account | Data controller (joint with the individual) | You, the individual account holder. You upload your content, you choose the recipients, you set the privacy tiers. We apply your rules and keep your data secure. |
| Totii.ai marketing website and general enquiries | Data controller | Mr and Mrs Cloud Pty Ltd. We decide what information is collected when you visit our website or contact us. |
| End-user interactions (e.g. a client chatting with a small-business avatar) | Data processor | The deploying organisation. They have their own privacy notice covering that interaction, and we process chat content on their instructions. |
Important: If you are interacting with a Totii-powered assistant that has been white-labelled or deployed by another organisation (for example, “Ask [YourCompany]”), that organisation’s own privacy notice governs that interaction. We handle your information on their behalf. This policy explains the overall platform; the deploying organisation explains their specific use.
| Purpose (Abbreviated) | Description | Legal Ground |
|---|---|---|
| Providing the Services | Process data to deliver avatar deployment and management | Necessary to perform the Terms |
| Communicating with You | Respond to inquiries or send account updates | Necessary to perform the Terms |
| Billing | Handle payments for subscriptions | Necessary to perform the Terms |
| Preventing Fraud | Protect against fraud and misuse | Legitimate interest with consent |
| Safety | Safeguard platform and ensure safety | Legitimate interest |
| Understanding Usage | Analyze trends and improve services | Legitimate interest |
| Administrative and Legal | Address legal issues or enforce contracts | Legal obligation or legitimate interest |
| Compliance | Meet legal or regulatory requirements | Legal obligation |
| Research and Development | Enhance avatar models | Legitimate interest with opt-out |
| Verify Identity | Prevent fraud with consent | Explicit consent (withdrawable) |
Totii is engineered around six non-negotiable principles:
The information Totii handles falls into the categories below. What actually applies to you depends on how you are using the platform.
When you sign up, book a demo, or contact us, we collect name, job title, organisation, email address, phone number, and the content of your enquiry.
When an organisation or individual builds their Totii, they upload knowledge that Totii draws on to answer questions. Depending on the use case, this may include:
This content belongs to the customer who uploads it. We hold it, secure it, and make it searchable — we do not use it for any purpose other than delivering the service.
The questions users ask and the responses Totii returns. Kept only as long as the service requires — see Section 12.
Where a customer chooses to create a voice clone or avatar, we process voice recordings, photographs, and video provided by the person being cloned. This is covered in detail in Section 9.
Roles, departments, permissions, identity verifications (especially for family-tier access in Individual accounts), and a log of access attempts. This is how Totii decides who can see what, and how it demonstrates to the customer’s auditors that the rules were followed.
IP address (truncated where practical), browser type, device category, language preference, request timestamps, error logs, and performance telemetry. Used for security, reliability, abuse prevention, and audit.
Where a customer connects third-party services (for example, Google Drive or Salesforce), we receive only the data the customer has authorised the integration to share, and only for the purpose of answering that customer’s queries. See Section 8.
For small-business customers, Totii can auto-generate email or SMS conversation summaries and provide shareable URLs or QR codes for clients. Recipients of those summaries or URLs are subject to the sending customer’s privacy notice; we process the delivery on the customer’s behalf.
We use personal information only for the purposes set out below. We do not repurpose it without fresh consent or a clear legal basis.
What we will never do. We do not sell personal information. We do not share personal information with advertisers. We do not build behavioural profiles. We do not use your content to train our AI models or anyone else’s. These are absolute commitments, not preferences.
We disclose personal information only to the parties listed below, and only to the extent necessary for their role.
Totii runs on enterprise cloud infrastructure (primarily Microsoft Azure, with the option to deploy on AWS, Google Cloud, or customer-owned infrastructure where required). These providers act as our sub-processors and are contractually bound by confidentiality and security obligations. Australian deployments use regions that are IRAP-assessed at PROTECTED level.
We use AI models from reputable enterprise providers (including Google and Anthropic), accessed through enterprise-grade managed services. All model providers are contractually bound not to train their models on our customer content.
Where a customer enables avatar mode, we work with a specialist real-time avatar-rendering partner to deliver the live video and voice experience. This partner is SOC 2 Type 2 certified, GDPR-aligned, and independently audited. Voice streams pass through the partner in real time for speech processing; they are not stored after the session ends. We are happy to disclose the specific partner and their certifications to customers as part of a procurement or security review, under non-disclosure.
Email and SMS summaries are sent through reputable transactional-messaging providers under contract. Content is transmitted for delivery only and not used for any other purpose.
Our accountants, auditors, and legal advisers may access personal information where strictly necessary, under professional confidentiality obligations.
We will disclose personal information where required by Australian law, including in response to a valid subpoena, court order, or regulatory request from the Office of the Australian Information Commissioner (OAIC).
If Mr and Mrs Cloud Pty Ltd is sold, merged, or restructured, personal information may transfer to the successor entity, subject to this policy continuing to apply or being replaced with a policy that provides equivalent protection.
Totii can connect to third-party services to bring your existing knowledge into your Brain. Integrations are always opt-in, configured by the customer, and authorised through the third party’s own consent flow (typically OAuth).
Commonly supported integrations include:
For each integration:
Each third-party service has its own privacy policy, which governs how that service handles your data once it is inside it. We recommend customers review those policies before enabling an integration.
Some Totii deployments include a cloned voice, avatar, or persona of a specific real person. Because this involves biometric-style data and the right to one’s own image and voice, we apply heightened controls.
For Australian customers using the platform in its default configuration, all data remains within Australian data centres — with one narrow exception. Where avatar mode is enabled, the live audio stream passes through our avatar-rendering partner in real time for speech processing. It is transmitted over encrypted WebRTC, processed on the fly, and not stored. No identifying information is attached to the stream beyond what the customer has chosen to collect.
Where a customer has chosen a non-Australian deployment region, data is handled in that region under the same principles.
Cross-border disclosures are made in accordance with Australian Privacy Principle 8. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, through a combination of:
Security is engineered into the platform at every layer. Key controls include:
No security control is perfect, and we do not claim otherwise. We are committed to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988, and will notify affected individuals and the OAIC where required.
We retain personal information only for as long as it is needed, or for as long as the law requires.
| Information type | Retention period |
|---|---|
| Customer-uploaded content (the Brain) | For the duration of the customer’s active account. On termination, returned to the customer on request and then destroyed, ordinarily within 30 days. |
| Conversation transcripts (where storage is enabled) | For the period the customer has configured. Default: 90 days. |
| Conversation context (where storage is disabled) | Cleared at session end. Never written to permanent storage. |
| Voice and likeness models | For the term of the consent and licensing agreement. Destroyed on withdrawal of consent, ordinarily within 30 days. |
| Access logs and security audit records | 12 months minimum, or longer where required by contract or law. |
| Business contact information | For the duration of the customer relationship, plus seven years for tax and corporate record-keeping obligations. |
| Legacy-mode content (Individuals) | For as long as the account is funded and active, and per the instructions left by the account holder for their estate. |
If we hold personal information about you, you have the following rights under the Privacy Act 1988:
To exercise any of these rights, contact us using the details in Section 19. We aim to respond within 30 days.
If your personal information is held by us on behalf of a customer: Where we hold information about you as a processor on behalf of an organisation (for example, because you are an employee of a Totii-using enterprise, or a client of a small business that uses Totii), please direct access and correction requests to that organisation first. They are the data controller for that information. We will assist them in responding to your request.
Totii for Individuals is a deeply personal product. It holds the stories, voice, and guidance an account holder wants their family and chosen recipients to be able to access — now and, if they choose, after their death. Because of the sensitivity of this data, additional protections apply.
Every piece of content you upload can be tagged at one of four tiers: Public, Family, Inner Circle, or Secret (named individuals only). Totii enforces these tiers automatically on every query. You can change a tier at any time while you are alive.
For Family, Inner Circle, and Secret tiers, invited recipients must verify their identity before accessing content. We retain only what is necessary to demonstrate that verification happened — we do not collect more identity data than we need.
While you are alive, you control everything — adding content, revising content, changing tiers, inviting or removing recipients, and deleting the account. We act on your instructions and your instructions alone.
Legacy Mode is engaged after the account holder’s death. It operates under the written instructions the account holder left in their account settings, which may include:
We verify evidence of death (for example, a death certificate) before engaging Legacy Mode. We do not act on the request of family members alone unless they are the designated executor.
You can delete your Individual account at any time. On deletion, all content, voice models, and avatar data are destroyed within 30 days, except where we are required by law to retain a limited record.
Totii is frequently deployed in educational, community, and family settings where learners or members are under 18. In those contexts, we apply the following additional protections:
Totii for Individuals is designed for adult account holders. Where a minor is invited as a recipient (for example, a grandchild invited into a grandparent’s legacy account), the inviting adult is responsible for the invitation, and our standard minor-protection controls apply.
The Totii.ai marketing site uses a small number of strictly necessary cookies to make the site function, and a limited set of privacy-respecting analytics cookies to understand how visitors find us. We do not use cross-site advertising cookies.
The Totii platform itself uses a short-lived session token, cleared when the session ends. No persistent tracking cookies are used inside the platform.
We may update this policy from time to time to reflect changes to the platform, the law, or our practices. When we make a material change, we will update the version number and effective date above, and — where appropriate — notify customers directly. Earlier versions are retained and available on request.
Under the Australian Privacy Act 1988, you have the right to lodge a complaint if you believe we have interfered with your privacy or mishandled your personal information. We are committed to resolving your concerns directly and encourage you to contact us first at [email protected] with details of your issue. We will investigate and respond within a reasonable timeframe (typically 30 days) in accordance with APP 1.3.
If your concern remains unresolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) via their website or by calling 1300 363 992. The OAIC will assess your complaint and may investigate further if it falls within their jurisdiction. Please note that lodging a complaint with the OAIC does not prevent you from seeking other legal remedies, such as through the courts, if applicable.
For all privacy enquiries, access or correction requests, complaints, or security matters relating to Totii.ai, contact our Privacy Officer using the details below.
Privacy Officer, Totii.ai
Operated by Mr and Mrs Cloud Pty Ltd, with technology delivered in partnership with Shine Me Pty Limited.
