Privacy Policy

Effective: 18 April 2026
Last updated: 18 April 2026
Version 1.0

Contents

1. About us
2. Information we collect
3. How we use information
4. Disclosure
5. Overseas transfers
6. Security
7. Retention
8. Your rights
9. Cookies
10. Children
11. Changes
12. Contact us

This Privacy Policy explains how ComplianceIntel Pty Ltd (ACN to be assigned) collects, uses, discloses, and protects personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. By using ComplianceIntel's platform or services, you agree to the collection and use of information as described in this policy.

1. About us

ComplianceIntel Pty Ltd (referred to as "ComplianceIntel", "we", "us", or "our") is an Australian company that provides a purpose-built compliance management software-as-a-service (SaaS) platform for Australian local government organisations.

Our platform is accessible at app.complianceintel.ai and our marketing website at complianceintel.ai.

2. Information we collect

2.1 Information you provide directly

We collect personal information you provide when you:

  • Register for an account or request a demonstration — including your name, work email address, job title, and the name of your organisation
  • Contact us through our website contact form — including your name, email address, council name, and the content of your message
  • Use our platform — including data you enter into the compliance register, assessment records, incident logs, and any other content you create or upload
  • Communicate with us by email, phone, or any other means

2.2 Information collected automatically

When you access our website or platform, we may automatically collect:

  • Log data — including your IP address, browser type and version, pages visited, referring URLs, and date/time of access
  • Device information — including operating system, screen resolution, and device type
  • Usage data — including features accessed, actions performed within the platform, and session duration
  • Cookies and similar tracking technologies (see Section 9)

2.3 Information from third parties

We may receive information about you from your organisation's administrator when they set up your account. This may include your name, work email address, and role within the organisation.

2.4 Sensitive information

We do not intentionally collect sensitive information as defined by the Privacy Act (including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal history). If you believe you have submitted sensitive information to us, please contact us at the details in Section 12 so we can address this promptly.

3. How we use your information

We collect and use personal information only for purposes that are directly related to our functions and activities. These include:

3.1 Providing and operating our services

  • Creating and managing your user account
  • Delivering the ComplianceIntel platform and its features
  • Processing your enquiries and responding to your requests
  • Providing technical support and troubleshooting assistance
  • Sending transactional communications — including account confirmations, password resets, and service notifications

3.2 Improving our services

  • Analysing usage patterns to understand how our platform is used and to improve its features
  • Conducting research and development to develop new features and services
  • Monitoring the security, integrity, and performance of our systems

3.3 Communications

  • Sending you product updates, new feature announcements, and compliance intelligence relevant to your use of the platform — you may opt out of these at any time
  • Responding to enquiries and correspondence you initiate

3.4 Legal and compliance

  • Complying with applicable laws and regulatory requirements
  • Protecting our legal rights and interests
  • Preventing fraud, security incidents, and other harmful activities

We will not use your personal information for any secondary purpose unless you have consented, or it is required or permitted by the Privacy Act.

4. Disclosure of your information

We do not sell, rent, or trade your personal information to third parties. We may disclose your information in the following limited circumstances:

4.1 Service providers

We engage trusted third-party service providers to assist in operating our platform. These providers are bound by contractual obligations to handle your information securely and only in accordance with our instructions. Current service providers include:

  • Supabase Inc. — database hosting, authentication, and row-level security (data stored in Sydney, Australia, ap-southeast-2 region)
  • Cloudflare Inc. — content delivery, web application firewall, and platform hosting
  • GitHub Inc. — source code management and deployment infrastructure

4.2 Your organisation

If you access ComplianceIntel through your organisation's account, your organisation's administrators may have access to information associated with your account, including your profile information and activity within the platform.

4.3 Legal requirements

We may disclose your information where required by law, court order, or government authority — including in response to a valid subpoena, search warrant, or other legal process. Where permitted, we will notify you before making such disclosure.

4.4 Business transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal information may be transferred to the acquiring entity. We will notify you prior to any such transfer and will require the recipient to handle your information consistently with this Privacy Policy.

5. Overseas transfers

Some of our service providers are located outside Australia. In particular, Cloudflare Inc. and GitHub Inc. are headquartered in the United States.

Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.

By using our platform and services, you acknowledge that your information may be processed outside Australia in connection with the services provided by the third parties described in Section 4.1. We require all such third parties to implement appropriate data protection safeguards.

Our primary database infrastructure is hosted in Supabase's Sydney region (ap-southeast-2), meaning your core compliance data resides in Australia.

6. Security

We take the security of your personal information seriously. We implement appropriate technical and organisational measures to protect your information from unauthorised access, disclosure, alteration, or destruction, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest within our database infrastructure
  • Row-level security (RLS) policies enforced at the database level, ensuring users can only access data belonging to their organisation
  • Cloudflare Web Application Firewall (WAF) protection on all platform endpoints
  • Access controls and authentication requirements including multi-factor authentication support
  • Regular security monitoring and review processes

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in serious harm, we will comply with our notifiable data breach obligations under the Privacy Act.

7. Data retention

We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specifically:

  • Account data — retained for the duration of your account and deleted within 90 days of account closure, unless a longer retention period is required by law
  • Compliance records — retained in accordance with the retention requirements applicable to your organisation; we will provide data export functionality prior to account closure
  • Log and usage data — retained for up to 12 months for security monitoring and service improvement purposes
  • Correspondence — retained for up to 7 years from the date of last contact, consistent with general record-keeping obligations under Australian law

When personal information is no longer required, we will take reasonable steps to destroy or de-identify it in accordance with APP 11.2.

8. Your rights

Under the Privacy Act and Australian Privacy Principles, you have the following rights in relation to your personal information:

8.1 Right of access (APP 12)

You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. In some circumstances, we may be required by law to withhold certain information. If we refuse access, we will provide reasons in writing.

8.2 Right to correction (APP 13)

If you believe that any personal information we hold about you is inaccurate, out of date, incomplete, or misleading, you have the right to request that we correct it. We will respond to correction requests within 30 days.

8.3 Right to complain

If you believe we have handled your personal information in breach of the Australian Privacy Principles, you may make a complaint to us in the first instance (see Section 12). If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8.4 Opt-out of marketing

You may opt out of receiving marketing communications from us at any time by using the unsubscribe link in any email we send, or by contacting us directly. Note that you may still receive transactional or account-related communications even after opting out of marketing.

9. Cookies and tracking technologies

Our website and platform use cookies and similar tracking technologies to enhance your experience and collect usage information.

9.1 Types of cookies we use

  • Essential cookies — required for the platform to function, including authentication session cookies
  • Preference cookies — used to remember your settings, such as your preferred light/dark mode theme
  • Analytics cookies — used to understand how visitors interact with our website and platform, enabling us to improve our services

9.2 Managing cookies

You can control cookies through your browser settings. Note that disabling certain cookies may impact the functionality of the platform. For more information on managing cookies, refer to your browser's help documentation.

10. Children's privacy

ComplianceIntel is designed for use by professional organisations and their authorised employees. Our platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify existing users of material changes by email or prominent notice within the platform at least 30 days before the change takes effect.

The current version of this policy will always be available at complianceintel.ai/privacy.html. Continued use of our platform following any update constitutes your acceptance of the revised policy.

12. Contact us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact us:

ComplianceIntel Pty Ltd

Privacy enquiries: privacy@complianceintel.au

General contact: hello@complianceintel.au

We will acknowledge your request within 5 business days and endeavour to resolve all enquiries within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.