
AI & Data Privacy for Australian Businesses

How to use AI-powered automation with confidence — even when handling medical, financial, or other protected data under Australian privacy law.

The core distinction: storage vs. processing

When people ask "is my data safe with AI?", they're usually conflating two different things: where the data is stored and where it gets processed.

With Awesomate's platform, your business data is stored on Australian servers. It's encrypted at rest and encrypted in transit. It doesn't leave Australian infrastructure.

The question gets more interesting when AI enters the picture. If you use a cloud-based AI model — such as ChatGPT, Gemini, or Claude — to search, summarise, or generate content from your data, a snippet of that data is sent to the model's servers for processing. These servers are typically located overseas (usually the United States).

The AI model itself does not store or learn from your data. API-based AI calls are stateless: the model processes your request and returns a response. The major providers (OpenAI, Anthropic, Google) explicitly state that API inputs are not used for model training. Providers may still retain API data for a short period, as described under "AI model providers" below.

However, the data does technically transit offshore for that moment of processing. For many business use cases, this is perfectly manageable. For the most sensitive data — identifiable patient health records, for example — there are stronger options available.

What Australian law says

The relevant legislation is the Privacy Act 1988 and the Australian Privacy Principles (APPs). There is no direct Australian equivalent to the US HIPAA regulation, but the Privacy Act provides robust and in some ways broader protections for personal information, including health information.

The key principle here is APP 8 — Cross-border disclosure of personal information. Under APP 8, if your business discloses personal information to an overseas recipient, you must take reasonable steps to ensure that recipient handles the information in accordance with the APPs. Your business remains accountable for the overseas recipient's handling of that data.

This means that for general business data, aggregated information, or non-identifiable data, using offshore AI models is straightforward. But for personal or sensitive information, you need to consider how your workflows are designed.

How we protect your data at Awesomate

Our approach gives you control over where your data goes, based on how sensitive it is. There are three tiers.

Tier 1 — General business automation

For workflows involving non-personal data — things like content generation, business research, document summarisation, or internal process automation — you can use offshore AI models via OpenRouter or direct API connections. This is cost-effective and raises no privacy concerns because no personal information is involved.

Tier 2 — Smart workflow design

Many businesses can still use offshore AI models even when working alongside personal data — as long as the workflow is designed so that personal information never actually reaches the AI model. For example, you can send metadata like counts and summaries to the AI rather than individual records. The AI processes aggregated or de-identified information, and the personal data stays on the Australian server.

This is where workflow architecture matters most. A well-designed n8n workflow can get enormous value from AI without ever exposing a single personal record.
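The Tier 2 pattern can be enforced in code rather than left to convention. The following is an added example, not Awesomate's or n8n's own code: JavaScript of the kind that could run in an n8n Code node, which reduces records to counts and scans the outbound object before it is handed to an offshore AI step. The field names, the minimum group size and the sample records are assumptions constructed for illustration.

```javascript
// Constructed sample records (not real data), as held on the Australian server.
const sampleRecords = [
  { name: "Patient A", email: "a@example.com", clinic: "Northside", status: "attended" },
  { name: "Patient B", email: "b@example.com", clinic: "Northside", status: "attended" },
  { name: "Patient C", email: "c@example.com", clinic: "Northside", status: "attended" },
  { name: "Patient D", email: "d@example.com", clinic: "Northside", status: "cancelled" },
  { name: "Patient E", email: "e@example.com", clinic: "Southbank", status: "cancelled" },
  { name: "Patient F", email: "f@example.com", clinic: "Southbank", status: "cancelled" },
  { name: "Patient G", email: "g@example.com", clinic: "Eastgate", status: "attended" },
];

const ALLOWED_FIELDS = ["clinic", "status"]; // assumption: fields safe to group by
const MIN_CELL = 3; // assumption: groups smaller than this are folded into "other"
const PII_PATTERNS = [
  /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i, // email address
  /(?:\+?61|0)[2-478](?:[ -]?\d){8}/,       // Australian phone number
];

// Count records per value of one allow-listed field, hiding rare categories.
function aggregate(records, field) {
  if (!ALLOWED_FIELDS.includes(field)) throw new Error(`field not allowed: ${field}`);
  const counts = {};
  for (const r of records) counts[r[field]] = (counts[r[field]] || 0) + 1;
  const out = {};
  for (const [value, n] of Object.entries(counts)) {
    if (n >= MIN_CELL) out[value] = n;
    else out.other = (out.other || 0) + n; // the rare label is not disclosed
  }
  return out;
}

// Build the only object the AI step is allowed to see, then scan it before release.
function buildOutboundPayload(records) {
  const payload = {
    total: records.length,
    byStatus: aggregate(records, "status"),
    byClinic: aggregate(records, "clinic"),
  };
  const text = JSON.stringify(payload);
  for (const pattern of PII_PATTERNS) {
    if (pattern.test(text)) throw new Error("PII pattern in outbound payload; blocked");
  }
  return payload;
}
```

Small groups are folded together because a count of one or two attached to a named category can identify a person even when no name is sent.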

Tier 3 — Local AI on Australian servers

For the most restrictive requirements — where personal or health information must be processed by AI and cannot leave Australian soil under any circumstances — we install a local large language model (LLM) directly on the same server as your n8n automation instance. The data never leaves the server. Not even for a moment.

This is achieved using open-source AI inference tools (such as Ollama) running locally on dedicated hardware. Your n8n workflows connect to the AI model over a private, internal network connection on the same machine. No external API calls, no offshore data transit, no third-party involvement.
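The "no external API calls" property of Tier 3 is only as strong as the endpoint the workflow is configured with, so it is worth checking at the point of use. The following is an added example, not Awesomate's or n8n's own code: a fail-closed check that a Tier 3 request can only go to a loopback address. The tier numbering follows this page; the offshore URL and the model name are placeholders, and the local URL assumes Ollama's default port and its `/api/generate` endpoint.

```javascript
// Assumed endpoints: Ollama's default local address, and a placeholder offshore API.
const LOCAL_LLM = "http://127.0.0.1:11434/api/generate";
const OFFSHORE_LLM = "https://api.example.com/v1/chat"; // placeholder, not a real service

// True only when the URL's host is a loopback address on this machine.
function isLocalEndpoint(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable configuration is treated as not local
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // hostname excludes any "user@" prefix, so "127.0.0.1@host" is judged by "host"
  const host = url.hostname;
  return host === "localhost" || host === "[::1]" || /^127(?:\.\d{1,3}){3}$/.test(host);
}

// tier: 1 = non-personal data, 2 = aggregated or de-identified, 3 = personal or health data
function selectEndpoint(tier, configuredUrl) {
  if (![1, 2, 3].includes(tier)) {
    throw new Error("unknown data tier; refusing to send");
  }
  if (tier === 3 && !isLocalEndpoint(configuredUrl)) {
    throw new Error("Tier 3 data may only be sent to a local model endpoint");
  }
  return configuredUrl;
}

// Build the request a Tier 3 workflow step would send to the local model.
function buildLocalRequest(prompt, configuredUrl = LOCAL_LLM) {
  return {
    url: selectEndpoint(3, configuredUrl),
    method: "POST",
    headers: { "Content-Type": "application/json" },
    // "llama3" is a placeholder model name; stream:false asks for a single JSON reply
    body: JSON.stringify({ model: "llama3", prompt, stream: false }),
  };
}
```

A check like this complements, and does not replace, network-level egress rules on the server itself.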

The platforms we use and how they handle data

n8n (workflow automation)

n8n is our workflow automation engine. It is self-hosted on Australian infrastructure managed by Awesomate. Your data, workflows, credentials, and business logic are all hosted in Australia. When a workflow calls an AI model, n8n is the orchestration layer — it controls exactly what data gets sent and where. Self-hosted n8n provides full control over data residency, encryption, and access controls.

OpenRouter (AI model routing)

OpenRouter is a routing layer that connects to various AI model providers. By default, OpenRouter does not store your prompts or responses. It offers Zero Data Retention (ZDR) settings that can be enforced at the account level or per individual request. When ZDR is enabled, requests are only routed to model endpoints that also have zero data retention policies.

For the most sensitive workloads, we recommend either bypassing OpenRouter entirely and connecting directly to the AI provider's API, or using local models so no external service is involved at all.

AI model providers (Anthropic, OpenAI, Google)

When accessed via their APIs (as opposed to free consumer chat interfaces), the major AI providers have clear data handling policies. API inputs are not used for model training. Data is typically retained for a short period (for example, Anthropic retains API data for 7 days for safety monitoring, then deletes it). Enterprise customers can negotiate Zero Data Retention agreements for even stricter handling.

Our hosting options

Standard Managed Hosting (from $75/month inc GST)

Your n8n instance hosted on Australian infrastructure with triple-redundant databases and three servers for 99.99% uptime. Suitable for general business automation using cloud-based AI models. Data encrypted at rest and in transit.

Dedicated Server with Local AI (from $800/month)

Your own dedicated Kubernetes environment with the same triple-redundant databases and three-server architecture as our standard plan — plus local large language models (LLMs) installed alongside your n8n automation. Data never leaves the server — not even for AI processing. Designed for businesses handling medical, financial, or other protected information that must remain fully onshore. The local LLM runs via Ollama, connecting to n8n over a private internal network with no external API calls. Includes a $2,000 setup fee — we work with you to spec the exact hardware and model configuration for your requirements.

Compliance and certification

Our infrastructure is designed to meet the requirements of the Australian Privacy Act 1988 and the Australian Privacy Principles. For the dedicated server option with local AI, the architecture supports compliance with privacy obligations for handling health and financial information — data stays on Australian soil, is encrypted, and access is controlled.

If your business requires formal compliance certification (such as ISO 27001 or equivalent), the infrastructure we provide is built to support that. The certification process itself is undertaken by your organisation, but we ensure everything on our side is configured to meet the necessary standards.


Common questions

Does the AI "learn" from my business data?

No. When using AI via API (which is how all our workflows operate), the major providers do not use your inputs for model training. API calls are stateless — the model processes your request, returns a response, and does not retain your data in any lasting way.

Can I use AI without any data leaving Australia?

Yes. Our dedicated server option with local LLMs means all AI processing happens on the same server as your data, hosted in an Australian data centre. Nothing leaves the server.

What's the difference between the free ChatGPT interface and the API?

The free consumer chat interfaces (like chatgpt.com) may use your conversations to improve their models. The API — which is what our workflows use — has different terms: your data is not used for training, and retention periods are much shorter.

Is HIPAA relevant in Australia?

HIPAA is a US regulation and does not apply in Australia. The Australian equivalent is the Privacy Act 1988 and the Australian Privacy Principles (APPs). If your business deals with US patients or partners, you may need to be aware of HIPAA in that specific context, but for Australian operations, the Privacy Act is what matters.

What is APP 8 and why does it matter for AI?

Australian Privacy Principle 8 governs cross-border disclosure of personal information. If you send personal data to an AI model hosted overseas, that can constitute a cross-border disclosure, and your business remains accountable for how that data is handled. This is why workflow architecture — controlling what data reaches the AI — is so important.

What is Zero Data Retention (ZDR)?

ZDR is a policy offered by AI providers and routing platforms (like OpenRouter and Anthropic) where your inputs and outputs are not stored after the response is returned, except where legally required or for abuse prevention. It provides the strongest data handling guarantees short of running models locally.