Outset — Privacy Policy
Last updated: 2026-05-26 Version: 1.0
This page describes how Outset Pty Ltd ("Outset", "we", "our") handles personal information in the Outset platform. Outset is a legal-technology product sold to Australian law firms. The information we process is client information held by a law firm for the purposes of providing legal services, and is governed by:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in Schedule 1 — this document maps to each APP below; and
- the Legal Profession Uniform Law and the solicitors' rules of professional conduct, including the duty of confidentiality and the management of client legal privilege — which the law firm (not Outset) is bound by directly, with Outset bound contractually to maintain equivalent confidentiality.
Some intake fields may incidentally include health information about an injury (relevant for personal-injury matters) or other sensitive information. We handle that information under the same controls as all other client data — there is no separate "health-provider" framing; Outset is not a health service.
If you are an individual who has interacted with a law firm that uses Outset (you submitted a claim form, gave intake details on a call, or received an email from us on their behalf), this policy explains what happens to your information.
If you are a law firm considering or using Outset, you'll find the commercial terms at /terms, the sub-processor list at /subprocessors, and the data-processing agreement template at /dpa.
At a glance
- Data residency: All personal information is stored and processed in AWS Sydney (ap-southeast-2). We do not ship personal information overseas.
- AI provider: Claude via AWS Bedrock ZDR (Sydney). No prompts or completions are retained by the AI provider after the request.
- Encryption: Personal-information columns are encrypted at rest with AES-256-GCM in addition to AWS-KMS disk encryption.
- Retention: Law firms (the data controllers) own the retention decision under their Legal Profession Uniform Law obligations. Outset does not auto-delete client data.
- Right of access / correction / deletion: Contact the law firm whose intake you used. They control the data and can fulfil your request via the Outset dashboard.
APP 1 — Open and transparent management of personal information
Outset is a legal-technology platform — specifically, an intake and matter-management tool sold to Australian law firms. The law firm is the data controller and Outset is the data processor under each firm's engagement. The information we process is the law firm's client information; Outset has no independent relationship with the individuals the firm represents.
You can reach us at nathan@outsetlegal.com for questions about how Outset handles personal information. For requests about a specific matter or enquiry, contact the law firm directly — they hold the relationship with you and the access controls on the data.
This policy is maintained in the repository at docs/PRIVACY.md. Material changes are announced to firms via the sub-processor change-notification process described in SUBPROCESSORS.md.
APP 2 — Anonymity and pseudonymity
Outset's intake flows ask for the personal information the law firm needs to open and assess a matter — typically name, contact details, the matter narrative, and matter-type-specific facts the firm configures. By the nature of legal practice, anonymous intake is not practical: the firm needs to be able to contact you and run a conflict-of-interest check before accepting the matter.
You can decline to provide information; the firm will tell you which fields are required for them to take the matter further.
APP 3 — Collection of solicited personal information
We collect personal information through two surfaces:
- The intake widget — embedded on a law firm's website. The firm configures which questions to ask; typical fields are contact details, the matter narrative, the parties involved, any other firm previously engaged, and preferred callback time.
- The guided-intake (calls) workspace — staff at the law firm take notes on phone calls with prospective clients. Those notes may include any information the caller volunteers.
The data category is client information collected for the purpose of providing legal services. Some fields may incidentally fall within the Privacy Act's definition of sensitive information — for example, health information about an injury in a personal-injury matter, or information about criminal record in a criminal-law matter. Where that is the case, we rely on the consent inherent in your contacting the law firm about that matter (APP 3.3(a)), and on the firm's professional obligations under the Legal Profession Uniform Law to handle the information appropriately.
We do not collect personal information from third parties about you.
APP 4 — Dealing with unsolicited personal information
If we receive personal information we did not solicit (e.g. an unexpected attachment uploaded to the widget), we route it to the law firm. If the firm cannot legitimately retain it, they can delete it through the Outset dashboard.
APP 5 — Notification of the collection of personal information
This policy is the notification under APP 5. The law firm's widget includes a link to this page at the point of collection, plus a link to the firm's own privacy notice.
APP 6 — Use or disclosure of personal information
Outset uses personal information only to provide the service to the law firm. Specifically:
- AI inference — call notes and widget answers are sent to AWS Bedrock in Sydney for matter-type classification and structured data extraction. Bedrock's terms commit to zero data retention and no use of the data for model training.
- Email and SMS verification — sent through AWS SES (Sydney) and Twilio (carrier-billed AU numbers) for the verification step of the widget submission.
- PMS integration — when the firm has connected a Practice Management System (LEAP, Smokeball, Actionstep, Clio, etc.), we push the captured matter into their system on the firm's instruction.
- Calendar integration — for booked consultations only, calendar metadata is shared with the firm's chosen calendar provider.
We do not sell personal information. We do not share personal information with anyone other than the law firm and the named sub-processors in SUBPROCESSORS.md.
We do not use personal information for direct marketing.
APP 7 — Direct marketing
Outset does not run direct-marketing campaigns to individuals on behalf of itself. The law firm may use Outset to send follow-up emails or SMS regarding a specific matter; these are service communications, not direct marketing.
APP 8 — Cross-border disclosure of personal information
Outset does not transfer personal information overseas. All storage and processing is in AWS Sydney (ap-southeast-2):
- Database: RDS Postgres, Sydney, encrypted at rest with KMS and at the column level (see "Encryption" below).
- Inference: AWS Bedrock, Sydney, with Zero Data Retention.
- Logs and observability: CloudWatch, Sydney. No third-party observability vendor (e.g. Sentry, Datadog) sits in the data path.
- Email: AWS SES, Sydney.
Twilio carrier infrastructure for SMS uses Australian carriers; SMS content (the verification code) is destroyed after delivery.
If your firm has additionally configured a third-party PMS or calendar integration, that destination is named on the sub-processor list and any cross-border movement is governed by the firm's agreement with that vendor.
APP 9 — Adoption, use or disclosure of government related identifiers
Outset does not use government-related identifiers as identifiers in our systems. If a Medicare card number, driver's licence number or TFN is mentioned in intake notes, it is treated as ordinary content, stored under the same encryption as all other notes, and is not used to look up or cross-reference other data.
Our PII redactor strips ID-shaped digit runs (8–10 digits) from notes before they are sent to the AI classifier for matter-type detection, as a defence-in-depth measure.
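As an added illustration of the defence-in-depth step described above (example code written for this page, not Outset's own redactor), the following strips 8–10 digit identifier-shaped numbers from a note before it leaves for the classifier. It generalises the page's "digit runs" to cover the grouped formats these identifiers are usually written in (Medicare "2123 45670 1", TFN "123 456 789"); the placeholder token, the audit count and the outbound guard are assumptions of this example. Longer numbers such as 16-digit card numbers fall outside the 8–10 rule and are deliberately left alone here, so they would need their own pattern.

```javascript
// Added example, not Outset's redactor: strip 8-10 digit identifier-shaped
// numbers from a note before the note is sent to an external classifier.

// Placeholder written in place of each redacted run (our choice, not the page's).
const PLACEHOLDER = '[ID-REDACTED]';

// 8-10 digits, optionally grouped by single spaces or hyphens (e.g. Medicare
// "2123 45670 1", TFN "123 456 789"), and never a slice of a longer number
// such as a 16-digit card number. Grouped formats are our generalisation of
// the page's "digit runs"; longer numbers would need their own pattern.
const ID_RUN = /(?<!\d[ -]?)\d(?:[ -]?\d){7,9}(?![ -]?\d)/g;

// Returns the redacted text plus the number of runs removed, so the audit
// trail can record that redaction ran and how much it touched.
function redactIdRuns(text) {
  let count = 0;
  const redacted = text.replace(ID_RUN, () => {
    count += 1;
    return PLACEHOLDER;
  });
  return { text: redacted, count };
}

// Outbound guard: after redaction, refuse to hand over text that still
// matches the pattern (String#search ignores the /g lastIndex state).
function prepareForClassifier(note) {
  const result = redactIdRuns(note);
  if (result.text.search(ID_RUN) !== -1) {
    throw new Error('redaction incomplete; refusing to send note');
  }
  return result;
}

// Constructed sample note (not real data).
const SAMPLE_NOTE =
  'Caller injured at work 14/03/2024. Medicare 2123 45670 1, TFN 123 456 789, ' +
  'licence 12345678. Paid with card 4111 1111 1111 1111.';

console.log(prepareForClassifier(SAMPLE_NOTE));
```

Note that a 10-digit mobile number written with spaces also matches, so it is removed as well; for matter-type classification that over-redaction is harmless, and the returned count lets the pipeline log how many runs were stripped per note without logging the values themselves.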
APP 10 — Quality of personal information
Personal information is collected directly from you, and you can correct it through the law firm at any time.
APP 11 — Security of personal information
We take the following steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:
- Disk encryption — RDS Postgres uses AWS KMS encryption at the EBS layer with a per-instance key.
- Column-level encryption — fields containing personal information (notes, contact details, extracted values, verification targets, PMS credentials) are additionally encrypted with AES-256-GCM before being written to disk, using an application-managed key (APP_ENCRYPTION_KEY) separate from the AWS infrastructure keys.
- In-transit encryption — TLS 1.2+ on all network paths.
- Access controls — staff access is gated through Clerk SSO with role-based scopes; API access uses scoped OAuth tokens audited via the MCP audit log.
- Network segmentation — the database is in a private subnet, reachable only from the API servers; no public access.
- Sub-processor diligence — we only use sub-processors that meet APP-equivalent obligations. The current list is at SUBPROCESSORS.md.
Retention — Outset is the data processor. The law firm (the controller) sets retention windows for client information under the Legal Profession Uniform Law file-retention rules — typically 7 years post-matter-closure for client files, with longer periods for some matter types (e.g. children's matters, deceased estates) per the firm's professional-conduct obligations. Outset does not auto-delete client data. We do auto-purge expired one-time verification codes, which carry no business value past their expiry.
Firms can delete specific enquiries, sessions or partial submissions at any time through the Outset dashboard. Deletion is permanent and logged in the audit trail.
APP 12 — Access to personal information
Individuals can request access to the personal information held about them by contacting the law firm whose intake they used. The firm can retrieve and export the relevant data from the Outset dashboard at any time.
Where the law firm refers an access request to us, we will respond within 30 days. There is no fee for access requests.
APP 13 — Correction of personal information
Corrections follow the same path as access requests — contact the law firm. Corrections take effect immediately in the Outset dashboard.
Notifiable Data Breaches
If we become aware of an unauthorised disclosure or loss of personal information that is likely to result in serious harm, we will:
- Notify the affected law firm within 72 hours of becoming aware, so they can meet their own 30-day OAIC notification obligation under Part IIIC of the Privacy Act.
- Provide the firm with the information they need to assess and respond to the breach, including the nature of the breach, the personal information involved, and the remediation steps we are taking.
- Cooperate with the firm and (if relevant) the OAIC throughout the incident.
Contact
For privacy questions about Outset: nathan@outsetlegal.com
For questions about your data specifically (held by a law firm using Outset): contact the law firm directly. They control the data and the access decisions.
For complaints you can't resolve with us, the Office of the Australian Information Commissioner (OAIC): <https://www.oaic.gov.au/privacy/privacy-complaints>