Privacy Policy

Last updated: 17 April 2026 — Effective immediately

        Summary: We collect only what's necessary to provide the Platform. We don't sell your data. We don't use Customer Data for AI model training. Your data stays in your chosen region. You can export or delete it at any time.
    

1. About This Policy

This Privacy Policy explains how ThoughtWorx Pty Ltd (ABN 68 610 430 192) ("Company", "we", "us") collects, uses, stores, and protects personal information in connection with the Activitee platform ("Platform"). This policy applies to all visitors, trial users, and paying customers.

We are committed to compliance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR) where applicable, and the New Zealand Privacy Act 2020.

2. Information We Collect

2.1 Account Information

When you sign up or are invited to the Platform, we collect:

Name (first and last)
Email address (used as login identifier)
Organisation name and domain
Country/region (for data residency and currency display)
Job title and phone number (optional)

2.2 Customer Data

As an identity governance and compliance platform, you may upload or generate data including:

Identity records (employee names, email addresses, employee IDs, department, title, manager)
Access entitlements, role assignments, group memberships
Compliance assessment responses, evidence documents, findings
Privacy records (ROPA, consent records, DSAR requests, breach incidents)
Audit logs and workflow execution records

Important: Customer Data is processed solely to provide the Platform services. We do not access, analyse, or use Customer Data for any purpose other than delivering the contracted services, unless required by law.

2.3 Usage Data

We automatically collect:

IP address and approximate geolocation (for currency display and security)
Browser type, operating system, and device information
Pages visited, features used, and session duration
Error logs and performance metrics

2.4 Cookies

We use essential cookies for session management and authentication. We use analytics cookies (with your consent where required) to understand usage patterns. We do not use advertising or tracking cookies.

3. How We Use Your Information

We use your information to:

Provide, operate, and maintain the Platform
Create and manage your account and organisation tenant
Process subscription billing and payments
Send transactional emails (onboarding, password resets, assessment notifications)
Provide customer support and respond to enquiries
Improve the Platform's functionality, performance, and security
Detect and prevent fraud, abuse, and security incidents
Comply with legal obligations and respond to lawful requests

We do not:

Sell, rent, or trade your personal information to third parties
Use Customer Data to train AI or machine learning models
Share your data with advertisers or data brokers
Use your data for profiling or automated decision-making that produces legal effects

4. Legal Basis for Processing (GDPR)

For individuals in the EU/EEA/UK, we process personal data on the following legal bases:

Contract performance: Processing necessary to provide the Platform services
Legitimate interests: Security monitoring, fraud prevention, Platform improvement
Legal obligation: Tax records, regulatory compliance, lawful disclosure requests
Consent: Marketing communications, analytics cookies (where required)

5. Data Storage & Residency

Customer Data is stored in the region selected during onboarding:

Australia (Sydney, AU) — default for AU/NZ customers
United States (US-East)
Europe (EU-West)
Asia-Pacific (Singapore)

We do not transfer Customer Data outside the selected region without explicit consent, except where required by law. Enterprise customers may specify their preferred region and receive contractual data residency guarantees.

6. Data Security

We implement comprehensive security measures:

Encryption at rest using AES-256 and in transit using TLS 1.3
Multi-tenant data isolation with per-organisation access controls
Role-based access control (RBAC) for all platform operations
Multi-factor authentication (MFA) support
Immutable audit trails for evidence and compliance data
Regular penetration testing by independent assessors
SOC 2 Type II certification (in progress)
Incident response plan with 72-hour breach notification capability

7. Data Retention

Active subscriptions: Data retained for the duration of the subscription plus the retention period configured per plan (90 days Starter, 365 days Professional, custom Enterprise)
Cancelled subscriptions: Data retained for 30 days after cancellation, then permanently deleted
Trial accounts: Data retained for 30 days after trial expiry
Audit logs: Retained for 7 years for regulatory compliance
Account information: Retained as long as the account exists, plus 90 days after deletion for fraud prevention

8. Data Sharing & Third Parties

We share personal information only with:

Cloud infrastructure providers: For hosting and data storage (subject to data processing agreements)
Payment processors: Stripe (for billing — we do not store credit card details)
Email service providers: For transactional email delivery
Legal and regulatory authorities: When required by law or valid legal process

All third-party processors are bound by data processing agreements that require them to protect your data to standards equivalent to this policy.

9. Your Rights

Depending on your jurisdiction, you have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Export your data in a machine-readable format
Restriction: Request that we limit processing of your data
Objection: Object to processing based on legitimate interests
Withdraw consent: Where processing is based on consent

To exercise any of these rights, contact us at privacy@activitee.io. We will respond within 30 days (or sooner where required by law).

10. Children's Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. International Transfers

For customers outside Australia, we ensure appropriate safeguards for international data transfers, including:

Standard Contractual Clauses (SCCs) for EU/EEA transfers
Data Processing Agreements with all sub-processors
Adequacy assessments for destination jurisdictions

12. Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours (as required by GDPR/Australian NDB scheme)
Notify affected individuals without undue delay
Provide details of the breach, likely consequences, and measures taken

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notification at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact & Complaints

For privacy enquiries, data requests, or complaints:

Privacy Officer
ThoughtWorx Pty Ltd
ABN 68 610 430 192
Email: privacy@activitee.io
Web: activitee.io

If you are not satisfied with our response, you have the right to lodge a complaint with:

Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
EU/EEA: Your local Data Protection Authority
New Zealand: Office of the Privacy Commissioner — privacy.org.nz