Privacy Policy

1. About This Policy

1.1 This Privacy Policy is maintained by AxiomBlue Pty Ltd (ABN 68 852 461 832) (“AxiomBlue”, “We”, “Us”, or “Our”), the operator of the AxiomBlue cloud-based business management platform (“Platform” or “Service”), including the website at axiomblue.com.au (“Website”), associated mobile applications (“App”), and all related services.

1.2 We are committed to complying with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of the Privacy Act. This Privacy Policy describes how We collect, hold, use, disclose, and otherwise manage personal information in accordance with the APPs.

1.3 By using Our Service, You consent to the collection, use, and disclosure of Your personal information as set out in this Privacy Policy. If You do not agree with this Policy, You must not access or use the Service.

1.4 This Privacy Policy should be read in conjunction with Our Terms and Conditions of Service. In the event of any inconsistency, the Terms and Conditions will prevail to the extent of the inconsistency.

1.5 In this Privacy Policy, “personal information” has the meaning given under the Privacy Act and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

2. Information We Collect

2.1 We may collect and hold the following categories of personal information:

2.1.1 Account and Identity Information

• Full name, job title, and role within Your organisation;
• Email address, phone number, and business address;
• Username, password (stored in hashed form only), and account preferences;
• ABN, ACN, and business registration details;
• Authorised representative and account administrator details.

2.1.2 Financial and Billing Information

• Payment card details (processed by Our PCI-DSS compliant third-party payment processor — We do not store full card numbers on Our systems);
• Billing address and invoicing details;
• Transaction records and payment history;
• Bank account details (where provided for direct debit arrangements).

2.1.3 Employee and Workforce Information

• Employee names, contact details, and emergency contacts;
• Tax File Numbers (TFN) and superannuation details (for payroll processing where applicable);
• Employment history, qualifications, licences, and certifications;
• Timesheets, leave records, and attendance data;
• Work health and safety records, including incident reports.

2.1.4 Customer and Client Information

• Your customers’ names, addresses, contact details, and communication preferences;
• Job and service records, quotes, invoices, and payment information;
• Notes, communications, and relationship management data;
• Site and property details relevant to service delivery.

2.1.5 Technical and Usage Information

• IP addresses, browser type, operating system, and device identifiers;
• Pages visited, features used, clickstream data, and session duration;
• Error logs, crash reports, and performance data;
• API usage logs and integration activity;
• Geolocation data (where GPS features are enabled with Your consent).

2.1.6 Documents and Files

• Documents, images, photographs, and files uploaded to the Service;
• Scanned documents, receipts, and compliance documentation;
• Metadata associated with uploaded files (file type, size, timestamps).

2.2 Sensitive Information

2.2.1 We generally do not actively seek to collect sensitive information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, religious beliefs, or criminal records. However, some information You or Your Users upload to the Service (such as work health and safety incident reports or employee medical certificates) may contain sensitive information.

2.2.2 Where We collect sensitive information, We do so only with Your consent or where required or authorised by law. You are responsible for obtaining all necessary consents from individuals before uploading sensitive information to the Service.

2.2.3 Tax File Numbers are collected and handled in accordance with the Taxation Administration Act 1953 (Cth) and the Privacy (Tax File Number) Rule 2015.

3. How We Collect Information

3.1 We collect personal information by the following means:

• Directly from You: when You register an account, complete forms, upload data, use the Service, contact Us, or correspond with Us;
• From Your authorised Users: when employees, contractors, or other Users interact with the Service on Your behalf;
• Automatically: through cookies, analytics tools, server logs, and other tracking technologies when You use the Website or Service;
• From third parties: from third-party services integrated with Your account (such as Xero, MYOB, QuickBooks, Google Calendar, or payment processors), where You have authorised such integrations;
• From publicly available sources: such as ABN registries, ASIC records, and professional directories.

3.2 Where practicable, We collect personal information directly from the individual to whom it relates. Where We collect information from a third party, We take reasonable steps to ensure the individual is aware of the collection.

3.3 You may choose not to provide certain personal information. However, if You do not provide the information We request, We may not be able to provide the Service to You, or may not be able to provide it to the same standard.

4. Purpose of Collection

4.1 We collect, hold, use, and disclose personal information for the following purposes:

• to provide, operate, maintain, and improve the Service;
• to process account registration and manage Your subscription;
• to process payments, generate invoices, and manage billing;
• to provide customer support and respond to inquiries;
• to personalise and optimise Your experience with the Service;
• to communicate with You about Your account, service updates, maintenance schedules, and security alerts;
• to send marketing communications (where You have opted in or where permitted by law);
• to monitor usage, detect fraud, and enforce Our Terms and Conditions;
• to comply with applicable laws, regulations, and legal processes;
• to protect the rights, property, and safety of AxiomBlue, Our users, and the public;
• to generate aggregated, anonymised, or de-identified data for analytics, benchmarking, and product development;
• to facilitate integrations with third-party services You have authorised;
• to administer training, onboarding, and professional services.

4.2 We will not use or disclose personal information for a purpose other than the purpose for which it was collected (the “primary purpose”), unless:

• the individual has consented;
• the individual would reasonably expect the use or disclosure for a related secondary purpose;
• it is required or authorised by or under an Australian law or a court/tribunal order;
• a permitted general situation or permitted health situation exists under the Privacy Act;
• We reasonably believe it is necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.

5. Disclosure of Information

5.1 We may disclose personal information to the following categories of recipients:

• Service providers and subcontractors: who assist Us in operating the Service, including cloud hosting providers (Google Cloud Platform), payment processors, email delivery services, analytics providers, and customer support tools;
• Third-party integrations: where You have authorised the connection of third-party services (such as accounting software, calendar services, or mapping services), personal information may be shared as necessary to facilitate the integration;
• Professional advisors: including legal, accounting, and auditing professionals engaged by Us;
• Regulatory and government bodies: where required by law, regulation, court order, or government request, including the Australian Taxation Office and the OAIC;
• Related entities: Our related bodies corporate (as defined in the Corporations Act 2001 (Cth));
• Business transferees: in connection with any merger, acquisition, restructure, or sale of all or a portion of Our assets, subject to the acquiring entity agreeing to handle personal information in accordance with this Policy;
• Law enforcement: where We believe in good faith that disclosure is necessary to prevent fraud, protect safety, or enforce Our Terms and Conditions.

5.2 We require all third-party service providers to handle personal information in accordance with the APPs and to implement appropriate security measures. We enter into contractual arrangements with service providers that include obligations regarding confidentiality and data protection.

5.3 We do not sell, rent, or trade personal information to third parties for their own marketing purposes.

6. Overseas Disclosure

6.1 Personal information processed through the Service is primarily stored on servers located in Australia via Google Cloud Platform’s Australian data centres (Sydney region — australia-southeast1).

6.2 However, some personal information may be disclosed to recipients located outside of Australia in the following circumstances:

• Cloud infrastructure: While Our primary data storage is in Australia, certain Google Cloud Platform services (such as global load balancing, content delivery, and disaster recovery) may involve data being processed or temporarily cached in other jurisdictions;
• Third-party service providers: Some of Our service providers (such as email delivery, analytics, and customer support tools) may operate or store data in the United States, European Union, or other jurisdictions;
• Third-party integrations: Where You authorise integrations with services operated by overseas entities (such as Xero, QuickBooks, or Google services), Your data may be transferred to those providers’ servers in accordance with their own privacy policies.

6.3 Before disclosing personal information to an overseas recipient, We take reasonable steps to ensure that the overseas recipient complies with the APPs (or is subject to a law or binding scheme that is substantially similar) in relation to the information, in accordance with APP 8. Where we cannot ensure compliance, We will seek Your consent or rely on another exception under the Privacy Act.

6.4 You acknowledge and agree that by using the Service and authorising third-party integrations, You consent to the transfer of personal information to overseas recipients as described in this section. We note that under section 16C of the Privacy Act, We may remain accountable for the handling of personal information by overseas recipients in certain circumstances.

7. Data Security

7.1 We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, in accordance with APP 11. Our security measures include, but are not limited to:

7.1.1 Encryption

• Encryption in transit: All data transmitted between Your devices and Our servers is encrypted using TLS 1.2 or higher (HTTPS);
• Encryption at rest: All data stored on Google Cloud Platform is encrypted at rest using AES-256 encryption. Encryption keys are managed through Google Cloud Key Management Service (KMS);
• Database encryption: Database connections use SSL/TLS encryption. Sensitive fields (such as OAuth tokens and API credentials) are additionally encrypted at the application level using AES-256-GCM;
• Password security: User passwords are hashed using industry-standard one-way hashing algorithms with per-user salts and are never stored in plaintext.

7.1.2 Access Controls

• Role-based access controls (RBAC) to limit access to personal information to authorised personnel only;
• Multi-factor authentication available for user accounts;
• Principle of least privilege applied to all system access;
• Regular review and revocation of access credentials;
• Audit logging of access to sensitive data and administrative actions.

7.1.3 Infrastructure Security

• Hosting on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and other industry certifications;
• Network segmentation and firewall rules to restrict unauthorised access;
• Regular security assessments and vulnerability scanning;
• Automated backup systems with encrypted backup storage;
• Incident response procedures and disaster recovery planning.

7.2 No Guarantee of Security

7.2.1 WHILE WE IMPLEMENT REASONABLE SECURITY MEASURES AND USE COMMERCIALLY REASONABLE EFFORTS TO PROTECT YOUR PERSONAL INFORMATION, NO METHOD OF ELECTRONIC TRANSMISSION OR STORAGE IS 100% SECURE. WE CANNOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR PERSONAL INFORMATION AND DO NOT WARRANT OR GUARANTEE THAT YOUR INFORMATION WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ORGANISATIONAL SAFEGUARDS.

7.2.2 YOU ACKNOWLEDGE AND AGREE THAT YOU PROVIDE YOUR PERSONAL INFORMATION AT YOUR OWN RISK. TO THE MAXIMUM EXTENT PERMITTED BY LAW, AXIOMBLUE SHALL NOT BE LIABLE FOR ANY UNAUTHORISED ACCESS TO, LOSS, MISUSE, OR DISCLOSURE OF YOUR PERSONAL INFORMATION THAT OCCURS DESPITE OUR IMPLEMENTATION OF REASONABLE SECURITY MEASURES.

7.2.3 You are responsible for maintaining the security of Your account credentials, including Your password and any API keys. You must immediately notify Us of any unauthorised use of Your account or any other breach of security.

8. Data Retention and Destruction

8.1 We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

• Active accounts: Personal information is retained for the duration of Your subscription and for a reasonable period thereafter to allow for account reactivation or data export;
• Financial records: Retained for a minimum of seven (7) years after the end of the financial year to which they relate, in accordance with Australian taxation and corporate law requirements;
• Tax File Numbers: Retained only for the period necessary for the purpose for which they were collected, in accordance with the Privacy (Tax File Number) Rule 2015;
• System logs and audit trails: Retained for a period of up to twenty-four (24) months;
• Marketing data: Retained until You withdraw consent or unsubscribe;
• Post-termination: Following termination of Your account, Your data is available for export for thirty (30) days. After this period, We will take reasonable steps to destroy or permanently de-identify Your personal information, except where retention is required by law.

8.2 When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and is not required to be retained by law, We will take reasonable steps to destroy or de-identify the information in accordance with APP 11.2.

8.3 Destruction methods include secure deletion from active systems and removal from backup systems within a reasonable timeframe consistent with Our backup rotation schedule.

9. Data Breach Notification

9.1 In the event of an eligible data breach (as defined in Part IIIC of the Privacy Act), We will comply with the Notifiable Data Breaches (NDB) scheme, including:

• conducting a reasonable and expeditious assessment of the suspected breach within 72 hours of becoming aware of reasonable grounds to suspect a breach;
• notifying the OAIC and affected individuals as soon as practicable if the assessment concludes that an eligible data breach has occurred;
• providing notification that includes the identity and contact details of AxiomBlue, a description of the breach, the kinds of information involved, and recommended steps for affected individuals.

9.2 We will also notify You (as Our customer) of any data breach that may affect Your data or Your customers’ data, and will cooperate with You in responding to the breach and meeting any notification obligations You may have.

9.3 TO THE MAXIMUM EXTENT PERMITTED BY LAW, OUR LIABILITY IN RESPECT OF ANY DATA BREACH SHALL BE LIMITED AS SET OUT IN OUR TERMS AND CONDITIONS OF SERVICE. WE SHALL NOT BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, OR INCIDENTAL LOSS OR DAMAGE ARISING FROM A DATA BREACH, INCLUDING BUT NOT LIMITED TO REPUTATIONAL DAMAGE, LOSS OF BUSINESS, OR LOSS OF PROFITS.

10. Cookies and Tracking Technologies

10.1 Our Website and Service use cookies and similar tracking technologies to enhance Your experience, analyse usage patterns, and deliver relevant content. We use the following types of cookies:

• Essential cookies: Required for the operation of the Website and Service, including session management, authentication, and security;
• Analytics cookies: Used to collect information about how visitors use Our Website, including pages visited, time spent, and navigation paths. We use Google Analytics for this purpose;
• Marketing cookies: Used to deliver relevant advertisements and track the effectiveness of marketing campaigns. We use Google Ads and Facebook Pixel for this purpose;
• Preference cookies: Used to remember Your settings and preferences across sessions.

10.2 You can manage Your cookie preferences through Your browser settings. Most browsers allow You to refuse cookies or alert You when cookies are being sent. However, disabling cookies may affect the functionality of the Service.

10.3 Our Website may contain links to third-party websites. We are not responsible for the privacy practices or the content of those websites. We encourage You to review the privacy policies of any third-party sites You visit.

11. Third-Party Services

11.1 The Service may integrate with or link to third-party services, including but not limited to:

• Accounting software (Xero, MYOB, QuickBooks);
• Payment processors;
• Google services (Calendar, Maps, Cloud Storage);
• Communication services (SMS, email);
• Analytics and advertising platforms (Google Analytics, Facebook).

11.2 THESE THIRD-PARTY SERVICES HAVE THEIR OWN PRIVACY POLICIES AND TERMS OF SERVICE. WE ARE NOT RESPONSIBLE FOR THE PRIVACY PRACTICES, DATA SECURITY, OR ACTIONS OF ANY THIRD-PARTY SERVICE PROVIDERS. YOUR USE OF THIRD-PARTY SERVICES IS AT YOUR OWN RISK AND IS SUBJECT TO THE TERMS AND PRIVACY POLICIES OF THOSE THIRD PARTIES.

11.3 When You authorise a third-party integration, You grant Us permission to share relevant data with that third-party service as necessary to facilitate the integration. You may revoke third-party access at any time through Your account settings.

12. Your Rights

12.1 Access (APP 12)

You have the right to request access to the personal information We hold about You. We will respond to access requests within a reasonable period (usually within 30 days). We may charge a reasonable fee for providing access, but We will not charge for making the request.

12.2 Correction (APP 13)

If You believe that personal information We hold about You is inaccurate, out of date, incomplete, irrelevant, or misleading, You may request that We correct the information. We will respond to correction requests within a reasonable period.

12.3 Refusal of Access or Correction

We may refuse access or correction in certain circumstances permitted by the Privacy Act, including where:

• providing access would pose a serious threat to the life, health, or safety of any individual;
• providing access would have an unreasonable impact on the privacy of other individuals;
• the request is frivolous or vexatious;
• the information relates to existing or anticipated legal proceedings;
• providing access would be unlawful or would prejudice enforcement activities.

If We refuse a request, We will provide You with written reasons for the refusal and the mechanisms available to complain about the refusal.

12.4 Marketing Opt-Out

You may opt out of receiving marketing communications from Us at any time by clicking the “unsubscribe” link in any marketing email, adjusting Your communication preferences in Your account settings, or contacting Us directly. We will process Your opt-out request within a reasonable timeframe.

12.5 Data Portability

Upon request, and subject to any applicable fees, We will provide You with a copy of Your data in a standard export format (such as CSV or JSON) to facilitate data portability.

13. Children’s Privacy

13.1 The Service is designed for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.

13.2 If We become aware that We have collected personal information from a child under 18 without appropriate consent, We will take reasonable steps to delete that information.

13.3 We will comply with any applicable requirements of the Children’s Online Privacy Code when issued by the OAIC under the Privacy Act amendments.

14. Automated Decision-Making

14.1 The Service may use automated processes to assist with certain functions, including:

• scheduling and resource allocation recommendations;
• document classification and data extraction;
• fraud detection and security monitoring;
• usage analytics and personalisation.

14.2 Where automated processes are used to make decisions that could reasonably be expected to significantly affect Your rights or interests, We will ensure that Our privacy policy specifies such use in accordance with the Privacy Act amendment requirements effective from 10 December 2026.

14.3 You may contact Us to request human review of any automated decision that significantly affects You.

15. Customer Data and Data Processing

15.1 When You use the Service, You may upload, submit, or otherwise provide data relating to Your customers, employees, contractors, and other individuals (“Customer Data”). In relation to Customer Data:

• You are responsible for ensuring that the collection, use, and disclosure of Customer Data through the Service complies with all applicable privacy laws, including the Privacy Act and the APPs;
• You represent and warrant that You have obtained all necessary consents, provided all required notices, and have a lawful basis for uploading Customer Data to the Service;
• We process Customer Data on Your behalf and in accordance with Your instructions as embodied in this Privacy Policy and Our Terms and Conditions;
• We will not access, use, or disclose Customer Data except as necessary to provide the Service, comply with applicable law, or as otherwise authorised by You.

15.2 YOU ACKNOWLEDGE AND AGREE THAT YOU BEAR PRIMARY RESPONSIBILITY FOR THE LAWFUL COLLECTION, USE, AND DISCLOSURE OF CUSTOMER DATA. AXIOMBLUE SHALL NOT BE LIABLE FOR ANY CLAIMS, LOSSES, OR DAMAGES ARISING FROM YOUR FAILURE TO COMPLY WITH APPLICABLE PRIVACY LAWS IN RELATION TO CUSTOMER DATA, INCLUDING BUT NOT LIMITED TO FAILURE TO OBTAIN NECESSARY CONSENTS OR PROVIDE REQUIRED NOTICES.

15.3 We may use aggregated, anonymised, or de-identified data derived from Customer Data for the purposes of analytics, benchmarking, product improvement, and generating industry insights. Such aggregated data will not identify any individual or business.

16. Limitations of Liability

16.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW (INCLUDING THE PRIVACY ACT AND THE AUSTRALIAN CONSUMER LAW), AXIOMBLUE’S TOTAL LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS PRIVACY POLICY, INCLUDING ANY LIABILITY FOR DATA BREACHES, UNAUTHORISED ACCESS, OR LOSS OF PERSONAL INFORMATION, SHALL NOT EXCEED THE FEES PAID BY YOU TO AXIOMBLUE DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.

16.2 TO THE MAXIMUM EXTENT PERMITTED BY LAW, AXIOMBLUE SHALL NOT BE LIABLE FOR ANY:

• CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES;
• LOSS OF REVENUE, PROFITS, BUSINESS, GOODWILL, OR REPUTATION;
• LOSS, CORRUPTION, OR UNAUTHORISED DISCLOSURE OF DATA (INCLUDING PERSONAL INFORMATION OR CUSTOMER DATA);
• DAMAGES ARISING FROM THE ACTS, OMISSIONS, OR PRIVACY PRACTICES OF THIRD-PARTY SERVICE PROVIDERS, INCLUDING CLOUD HOSTING PROVIDERS, PAYMENT PROCESSORS, AND INTEGRATION PARTNERS;
• DAMAGES ARISING FROM YOUR FAILURE TO MAINTAIN ADEQUATE SECURITY MEASURES FOR YOUR ACCOUNT CREDENTIALS;
• DAMAGES ARISING FROM YOUR FAILURE TO COMPLY WITH APPLICABLE PRIVACY LAWS IN RELATION TO CUSTOMER DATA,

WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, EVEN IF AXIOMBLUE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

16.3 Nothing in this Privacy Policy excludes, restricts, or modifies any rights or remedies that You may have under the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) or any other applicable law that cannot be excluded, restricted, or modified by agreement.

16.4 You agree to indemnify and hold harmless AxiomBlue, its officers, directors, employees, and agents from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising from or in connection with:

• Your breach of this Privacy Policy or any applicable privacy law;
• Your collection, use, or disclosure of personal information through the Service;
• any claim by a third party (including Your customers, employees, or contractors) that Your handling of their personal information through the Service violated their privacy rights;
• Your failure to obtain necessary consents or provide required notices under the Privacy Act or any other applicable law.

17. Changes to This Policy

17.1 We may update this Privacy Policy from time to time to reflect changes in Our practices, technology, legal requirements, or other factors. When We make material changes, We will:

• update the “Effective Date” at the top of this Policy;
• post the updated Policy on Our Website;
• notify You by email or through the Service for material changes that affect Your rights.

17.2 Your continued use of the Service after the effective date of any updated Privacy Policy constitutes Your acceptance of the updated Privacy Policy. If You do not agree with any changes, You must discontinue use of the Service.

17.3 We encourage You to review this Privacy Policy periodically to stay informed about how We are protecting Your personal information.

18. Complaints

18.1 If You believe We have handled Your personal information in a manner that breaches the APPs or this Privacy Policy, You may lodge a complaint with Us using the contact details below.

18.2 We will acknowledge receipt of Your complaint within five (5) Business Days and will investigate and respond to Your complaint within thirty (30) days. If We need more time, We will notify You of the reasons for the delay and the expected timeframe for resolution.

18.3 If You are not satisfied with Our response, You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Online: www.oaic.gov.au/privacy/privacy-complaints
• Phone: 1300 363 992
• Mail: GPO Box 5218, Sydney NSW 2001

19. Contact Us

19.1 If You have any questions, concerns, or requests regarding this Privacy Policy or Our handling of Your personal information, please contact Us:

• Entity: AxiomBlue Pty Ltd (ABN 68 852 461 832)
• Email: privacy@axiomblue.com.au
• Website: axiomblue.com.au

19.2 For matters relating to data access requests, correction requests, or privacy complaints, please mark Your correspondence “Attention: Privacy Officer”.