How the system works, where your data lives, the Australian legal & health-information landscape, and whether we need a lawyer before launch.
This brief walks through three things: (1) how the technology actually works, (2) the legal and health-information rules in Australia that apply to a product like this, and (3) a clear, honest answer on whether we need a commercial lawyer to sign off before we go public. A copy-ready email to that lawyer is at the bottom.
Important: This document is general information to help us make decisions — it is not legal advice. The regulatory points below are drawn from official Australian government sources (OAIC, eSafety, legislation) but the final call on compliance should be confirmed by a qualified Australian lawyer (that's exactly what the draft email at the end is for).
1 Cloudflare worker (the whole app)
Kai: the AI assistant (Karen's AI), on Opus 4.8
1,893 of Karen's documents in the knowledge base
Live: marriagesimplified.com.au
1. What it is, in plain English
Marriage Simplified is an AI relationship coach named "Kai" — Karen's AI ("K-AI", a warm little play on Karen + AI) — built on Karen's 40 years of written and spoken material. A couple opens the website, agrees to the terms, and chats with Kai, which has learned Karen's method, voice and frameworks. Kai teaches, reframes, and gives practical next steps — and when something is serious, it points people to the real Karen Gosling for face-to-face counselling, or to crisis services.
Critically, Kai is positioned and disclosed as an AI assistant — Karen's AI, not Karen herself, not a therapist, not a psychologist, and not a medical or crisis service. Giving the AI its own name (Kai) makes that separation crystal-clear to users, which is deliberate and matters legally (see §5).
An actual exchange — note the warmth, the way Kai works to the feeling under the problem, and the gentle "let's find what's really going on" rather than jumping to advice.
Couple: "My husband and I keep having the same argument about money. What should I do?"
Kai: "The same argument, over and over — that's so common, and it's actually a clue. When a couple keeps circling the same fight, it's rarely really about the thing itself. The money is the surface. Underneath it is usually a feeling — feeling unsafe, or controlled, or not respected, or not heard.
So before I give you any 'do this,' can I ask you a couple of things? When the money argument happens — what's the moment that sets it off? Is it a particular spend, a decision made without you, a tone? And when it's happening, what do you find yourself telling yourself about him?"
2. How the code works
The entire product is a single Cloudflare Worker — a small program that runs on Cloudflare's global network. There is no traditional server to maintain. When someone visits marriagesimplified.com.au, that worker serves the page and handles the chat.
1. Consent gate → before any chat, the user must confirm they're 18+, agree to the terms, and (separately, off by default) choose whether their de-identified data may help improve the AI.
2. The question comes in → the worker takes the couple's message.
3. Retrieval (the "memory" of Karen's work) → the worker searches Karen's knowledge base (1,893 of her documents + 610 transcribed talks) for the most relevant passages. This search runs on Cloudflare itself using an embedding model (bge), so Karen's corpus never leaves Cloudflare for this step.
4. The answer → the relevant passages + Karen's persona instructions + the couple's history are sent to Claude Opus 4.8 (Anthropic's AI), which writes the reply in Karen's voice. A smaller model (Haiku) maintains a running memory of each couple.
5. Safety overlay → every message is checked for crisis signals (suicide, self-harm, domestic violence). If detected, the AI stops coaching and shows Australian help lines.
Built with: Cloudflare Workers (Hono framework, TypeScript) · Cloudflare D1 database · Cloudflare Workers AI (embeddings + audio transcription, runs in-region) · Anthropic Claude Opus 4.8 + Haiku 4.5 for the conversation.
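The five steps above, sketched as an added TypeScript example (not the project's own code): the consent gate fails closed, the crisis check runs before retrieval or the model call so a crisis message is never sent on to the model, and the communal-learning flag defaults to off. All type and function names, the ordering of the checks and the keyword patterns are assumptions made for illustration.

```typescript
// Added example. All names are hypothetical; the keyword detector is a constructed stand-in.
type Consent = { is18Plus: boolean; termsAccepted: boolean; communalLearning?: boolean };
type Deps = {
  retrieve: (query: string) => string[]; // step 3: knowledge-base search
  generate: (prompt: string) => string;  // step 4: model call (the overseas disclosure)
};
type Turn =
  | { kind: "blocked"; reason: "age" | "terms" }
  | { kind: "crisis"; helpLines: string[] }
  | { kind: "reply"; text: string; storeForLearning: boolean };

// Help lines as listed on the consent screen.
const HELP_LINES: string[] = ["000", "Lifeline 13 11 14", "1800RESPECT 1800 737 732"];

// Constructed sample patterns for the three signal classes the brief names.
const CRISIS_PATTERNS: RegExp[] = [
  /\bsuicid/i,
  /\bself[- ]harm/i,
  /\bend my life\b/i,
  /\b(hits?|chokes?|threatens?) me\b/i,
  /\bafraid for my safety\b/i,
];

function detectCrisis(message: string): boolean {
  return CRISIS_PATTERNS.some((p) => p.test(message));
}

function handleTurn(consent: Consent | undefined, message: string, deps: Deps): Turn {
  // Step 1: fail closed. Age and terms are separate confirmations; both must be true.
  if (!consent || consent.is18Plus !== true) return { kind: "blocked", reason: "age" };
  if (consent.termsAccepted !== true) return { kind: "blocked", reason: "terms" };

  // Step 5, checked before steps 3-4 (an assumption about ordering): a crisis
  // message gets help lines and is never sent to retrieval or the model.
  if (detectCrisis(message)) return { kind: "crisis", helpLines: HELP_LINES };

  // Steps 3-4: retrieve passages, then generate the reply from passages + message.
  const passages = deps.retrieve(message);
  const text = deps.generate(passages.join("\n") + "\n\nUser: " + message);

  // Communal learning is default-off: only an explicit true opts in.
  return { kind: "reply", text, storeForLearning: consent.communalLearning === true };
}
```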
3. Where it's stored & how data is handled
Where the code & data live
The app + knowledge base: Cloudflare (global edge network). The database is Cloudflare D1 (named marriage-simplified).
Karen's corpus, embeddings, transcription: processed on Cloudflare — chosen specifically so sensitive audio/notes aren't shipped to a separate overseas service.
The conversation itself: the chat text is sent to Anthropic (Claude) to generate each reply. Anthropic processes this outside Australia (USA). This is the one clear cross-border data point and it's addressed in §5 (APP 8).
What we store
| Data | What it is | Sensitivity |
| --- | --- | --- |
| Couple profile | names/display name, email, city | Personal |
| Sessions & consent | consent record, age confirmation, IP, communal-learning choice | Personal |
| Messages | the chat content itself | Sensitive / health information |
| Counsellor case notes | notes if they also see the real Karen | Sensitive / health information |
| Knowledge base | Karen's own course material (the AI's brain) | Karen's IP |
Because chat content is about people's relationships and mental wellbeing, we treat all of it as "sensitive / health information" — the highest protection bar — and only collect it with the user's express, opt-in consent.
4. The AI disclaimers & safety (what users actually see)
Before anyone can chat, they pass a consent & disclaimer screen that:
- States clearly: "You're about to chat with an AI — not a human, not a therapist, not a registered psychologist."
- States it is not therapy, medical care, or a crisis service, and can be wrong.
- Shows the crisis lines up-front and keeps them available at all times: 000 · Lifeline 13 11 14 · 1800RESPECT 1800 737 732.
- Requires a separate "I'm 18+" confirmation and a separate agreement to the terms (no pre-ticked boxes).
- Has a distinct, default-OFF toggle for whether de-identified data may improve the AI.
Inside the chat, the AI is instructed to disclose it's an AI whenever it matters, never diagnose, never claim to be Karen, and to escalate crises. The drafted legal pack (Privacy Policy, Terms, Consent & Disclaimer, Safety-Escalation rules) already exists and is served live — currently marked "DRAFT — for legal review."
5. The Australian legal & health-information landscape
These are the rules that genuinely apply to a product like this. The good news: the groundwork is already built to meet them. The key points:
a) "Counsellor" vs "Psychologist" — the title rules (AHPRA)
In Australia, "psychologist" is a legally protected title regulated by AHPRA — you can't call yourself one, or imply it, without registration. "Counsellor" is NOT an AHPRA-protected title — counselling is largely self-regulated (via bodies like the ACA/PACFA). Karen is a counsellor, not a registered psychologist. What this means: the product must never market as "therapy", "treatment", "psychology", or imply clinical/registered status. We position it as relationship coaching & education, AI-delivered, informed by an experienced human counsellor — which is exactly the current framing.
b) Privacy Act 1988 + the 13 Australian Privacy Principles (APPs)
The single most important finding: the "small business" exemption (under $3M turnover) does NOT apply to us. Any organisation that handles health information as part of providing a health-adjacent service is bound by the Privacy Act regardless of size. Relationship/mental-wellbeing chat content is health information. So we build to the full standard from day one. That means: express consent for sensitive info (APP 3), a clear collection notice at sign-on (APP 5), tight limits on re-using data (APP 6), cross-border protections (APP 8), strong security (APP 11), access/correction rights (APP 12/13), and the Notifiable Data Breaches scheme. The drafted Privacy Policy & consent flow are written specifically to this standard.
c) Cross-border data (APP 8) — because we use Cloudflare + Anthropic
When chat content goes to Anthropic (USA) to generate replies, that's an overseas disclosure. Under APP 8 + s 16C we must take reasonable steps to protect it and we remain accountable for it. Action items: disclose the countries in the Privacy Policy, contractually ensure the AI provider does not use our prompts to train their models, and prefer AU/region-pinned storage where possible. This is a lawyer review point.
d) Medical device rules (TGA)
Software can be a regulated "medical device" if it diagnoses or treats a medical condition. A general relationship/wellbeing coach that explicitly does not diagnose or treat sits on the non-device side — but we must keep it there by never claiming to diagnose, treat, or be clinical. The current positioning does this; it's worth a lawyer confirming.
e) AI-chatbot safety duties (eSafety) — now enforceable
Australia's eSafety Commissioner regulates AI chatbots, and the Phase 2 industry codes are now registered and enforceable (in effect Dec 2025 / Mar 2026), with penalties up to ~$49.5M. The sharpest risk is child access — the codes ban chatbots from engaging minors in self-harm/sexual content and expect age assurance. Our 18+ gate is therefore essential, plus persistent AI disclosure and crisis escalation. (Action: keep strengthening the adult-gating.)
f) Recent 2025–2026 law changes worth knowing
- Statutory tort for serious invasions of privacy — IN FORCE (June 2025). Someone could sue directly (separate from the regulator) if intimate disclosures are leaked/misused. This is exactly the harm to guard against → reinforces why security & the privacy review matter.
- Automated-decision transparency (from Dec 2026) — if the AI makes decisions about people from their data, the privacy policy will need to say so. Worth building in now.
- National AI Plan (Dec 2025) dropped Australia's proposed mandatory AI rules — so there's no AI-specific statute; obligations come through existing law (privacy, consumer law).
- Australian Consumer Law (no-fault) — we're liable for what the chatbot says. It must never imply it's human, that Karen personally answers, or that it equals a real consultation. Our AI disclosure + "not a substitute" wording covers this; "AI-washing" is an active ACCC enforcement focus (penalties up to $100M).
g) Crisis & mandatory reporting
The crisis escalation (Lifeline/1800RESPECT/000) is in place. One Queensland-specific point: QLD has mandatory child-protection reporting obligations. The human-counsellor side (Karen) needs a clear process, and the AI must escalate any child-safety disclosure to a human + resources. This is a lawyer review point.
h) Using Karen's identity, voice & method
The AI is built on a named, living professional's voice and method. Karen being a willing partner removes most of the risk — what's left is paperwork, and it's worth doing properly. A written partnership / licence agreement should cover: her name/likeness/voice licence; a copyright licence over her course material (including its use for the AI's knowledge base); her moral-rights consent (under Australian law these can't be signed away, but she can give specific written consent to her material being adapted for AI delivery); her quality-control/approval rights over how the AI behaves in her name; and what happens to the AI and the data if the partnership ever ends. This protects Karen's reputation as much as the business.
6. So — do we really need a lawyer? (HONEST ANSWER)
Yes — a focused commercial/privacy lawyer review is genuinely advisable before going fully public. But it's a validation job, not a from-scratch job.
Here's the honest split:
- Why it's needed: we handle health information (no small-business exemption), we make cross-border disclosures to a US AI provider, and we're using a real counsellor's professional identity in a mental-wellbeing-adjacent product. Those three things are exactly where regulators (OAIC, eSafety) focus, and getting the Privacy Policy / consent / claims wrong carries real penalties.
- Why it's not a big job: the Privacy Policy, Terms, Consent & Disclaimer, Safety rules and a full compliance checklist are already drafted to the correct standard. The lawyer is reviewing and signing off, not writing from zero — which keeps it focused and affordable.
- The pragmatic path: we could soft-launch to a small, consenting test group (like the current weekend testing) while the legal review runs in parallel, then go fully public once it's signed off. The drafts are good enough to test on; the sign-off is for public, paid launch.
Where the money should actually go — two areas genuinely need a lawyer; the rest is cheap to eyeball:
- SPEND: Privacy policy + health-information handling — the "we handle health info, so the full Privacy Act applies regardless of size" call is the load-bearing one. Get a privacy lawyer to confirm it in writing and review the policy/consent flow.
- SPEND: The Karen partnership / IP / likeness agreement — novel enough (an AI persona of a living named professional) to be papered properly.
- CHEAP: Titles & medical-device wording — the rules are simple (never "psychologist"; never claim to diagnose/treat). A short copy review confirms it.
Bottom line: don't skip the lawyer for public launch — but it's a contained, well-prepared review focused on those two areas, and the email below gives them everything they need to quote and turn it around quickly.
7. What's done vs outstanding
| Item | Status |
| --- | --- |
| Working AI built on Karen's full corpus (1,893 docs + 610 talks) | DONE |
| Persona aligned to how Karen actually sounds; crisis + boundaries tested | DONE |
| Consent & disclaimer flow, AI disclosure, crisis signposting | DONE (drafted) |
| Privacy Policy, Terms, Safety rules — drafted to Privacy-Act standard | DONE (drafted) |
| Fill in: effective dates, overseas countries list, operator details | TO DO |
| Written consent/licence from Karen (name, voice, method) | TO DO |
| Commercial-lawyer review & sign-off (see email below) | LAWYER |
| Confirm AI-provider contract disables training on our prompts | LAWYER |
8. Draft email to a commercial lawyer
Copy-ready. It gives a commercial/privacy lawyer the full picture and every specific review point so they can scope, quote and turn it around efficiently.
Subject: Pre-launch legal review — AI relationship-coaching product (privacy + health information)
Dear [Lawyer / Firm],
We're preparing to launch an Australian consumer product, "Marriage Simplified", and would like a focused commercial/privacy review and sign-off before we go public. We have done substantial groundwork (drafted privacy policy, terms, consent & disclaimer, safety/escalation rules and a compliance checklist mapped to the APPs) — so this should be a review-and-confirm engagement rather than drafting from scratch. We'd appreciate an indication of scope, cost and turnaround.
ABOUT THE PRODUCT
- "Marriage Simplified" is an AI-delivered relationship-coaching chat service. Users (couples, 18+) chat with an AI built on the method and material of Karen Gosling, an experienced (40-year) relationship counsellor on the Gold Coast.
- It is positioned and disclosed as an AI coach — explicitly NOT therapy, NOT psychology, NOT a registered health service, and NOT a crisis service. It signposts users to the real human counsellor and to crisis services.
- Operator: Gosling International (ABN 28 219 744 700), Queensland.
- It is a paid/subscription product, delivered online (Cloudflare + Anthropic Claude AI). Some data is processed overseas (USA) by the AI provider.
- Chat content concerns relationships, mental wellbeing, ADHD/autism etc., which we treat as sensitive/health information.
THE SPECIFIC POINTS WE NEED REVIEWED & SIGNED OFF
1. Product framing & claims — confirm our "AI coaching/education" positioning (and the use of "Marriage Simplified" / any use of the word "counselling") does not breach AHPRA protected-title rules or amount to holding out as a registered health service; review all public marketing claims.
2. Privacy Act / APP status — confirm our assumption that the small-business exemption does NOT apply (we handle health information) and that we should comply fully with the 13 APPs + Notifiable Data Breaches scheme.
3. Privacy Policy — review & sign-off (drafted).
4. Consent & Disclaimer flow — review the sign-on consent UX for express, specific, informed consent to collect sensitive information (APP 3), and the APP 5 collection notice.
5. Terms & Conditions — review & sign-off (drafted).
6. Cross-border disclosure (APP 8 / s 16C) — review our overseas-disclosure position (data to a US AI provider), the countries disclosure, and whether the AI provider's terms create unacceptable exposure — in particular confirming prompts are NOT used by the provider to train their models.
7. "Communal learning" feature — we may use de-identified user data to improve the AI. Review the consent path + de-identification methodology and the residual re-identification-risk threshold (we plan consent AND robust de-identification).
8. Third-party data — users describe partners and sometimes children. Review how we handle/identify/delete third-party personal & sensitive information in a couples product.
9. Crisis & duty of care — review our crisis-detection/escalation (Lifeline 13 11 14, 1800RESPECT 1800 737 732, 000) for adequacy.
10. QLD mandatory reporting — review the child-safety reporting workflow for both the AI and the human counsellor.
11. AI-specific safety (eSafety) — confirm our AI-disclosure, 18+ gate / age-assurance and self-harm signposting meet the eSafety Commissioner's now-enforceable Phase 2 AI-chatbot codes (child-access is the highest-penalty risk).
12. Medical-device status (TGA) — confirm the product sits outside "software as a medical device" regulation given it does not diagnose or treat.
13. Record retention — advise the correct retention period for counselling case notes / chat records (e.g. the 7-year norm) for Karen's professional context.
14. Karen's consent/licence — review a written consent/licence from Karen Gosling covering use of her name, likeness, voice and material.
15. Entity/insurance — any advice on the operating entity structure and professional-indemnity / public-liability cover appropriate to launch.
16. Automated-decision-making transparency — advise whether the AI's outputs trigger the new ADM privacy-policy disclosure obligation commencing Dec 2026, and how to word it.
17. Recent reforms — flag any impact of the 2024 Privacy Act reforms (statutory tort for serious invasions of privacy, now in force; higher penalties) on our security posture and risk.
We can provide all drafted documents and a technical/data-flow summary on request. Could you let us know your availability, an estimated scope/fee, and anything else you need from us?
Kind regards,
Daniel Gosling
[phone] · [email]
Gosling International
Tip: fill the bracketed fields ([Lawyer], [phone], [email]) before sending. Look for a lawyer with privacy / technology / health-information experience — that's the right specialty for this.
Sources behind the legal points: Office of the Australian Information Commissioner (OAIC) — Australian Privacy Principles, Guide to Health Privacy, De-identification framework, Notifiable Data Breaches scheme; Privacy Act 1988 (Cth); eSafety Commissioner AI-chatbot codes; AHPRA (protected titles); Australian Counselling Association Code of Ethics; QLD child-safety mandatory reporting. Full source links are held with the compliance checklist. This brief is general information, not legal advice.
Prepared by the BlackPan Agency build team · Marriage Simplified