Privacy Policy

Last updated: 19 February 2026

Panoptes Pty Ltd (ABN: 85 694 053 524) ("we", "us", or "our") is committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you interact with our website, services, or business operations.

1. Information We Collect

1.1 Personal Information

We may collect the following types of personal information:

  • Contact details: name, email address, phone number, job title, and company name
  • Business information: company details, industry sector, and project requirements
  • Communication records: correspondence via email, contact forms, or other communication channels
  • Technical information: IP address, browser type, device information, and website usage data
  • Payment information: billing details and payment transaction records (when applicable)

1.2 How We Collect Information

We collect personal information through:

  • Direct interactions when you submit enquiries via our contact form, request services, or communicate with us
  • Website analytics and cookies when you browse our website (see Section 7 for details)
  • Third-party platforms such as LinkedIn or professional networking events
  • Publicly available sources for business development purposes

2. Handling of Sensitive Information

2.1 Definition of Sensitive Information

Under the Privacy Act 1988 (Cth), "sensitive information" has the meaning given in section 6 and includes information or an opinion about an individual's:

  • Racial or ethnic origin
  • Political opinions or associations
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Professional or trade association membership
  • Trade union membership
  • Sexual orientation or practices
  • Criminal record
  • Health information (including information about a disability)
  • Genetic information
  • Biometric information used for identification purposes
  • Biometric templates

2.2 Our Role as Service Provider

When we provide consulting services, clients may grant us access to their systems, databases, or environments as part of service delivery. In these situations, we act as a service provider (also known as a data processor), not as a data custodian or data controller.

You (the client) retain custody and control of all data within your systems, including any sensitive information. We access such data solely under your direction and in accordance with our contractual obligations to you.

2.3 Service Delivery Access to Client Systems

In the course of providing consulting services (such as data engineering, system architecture, database consulting, or analytics services), you may grant us access to your systems that contain personal information, including potentially sensitive information. This access is:

  • Provided by you under the terms of our service agreement or Statement of Work (SOW)
  • Limited to the specific purposes outlined in our engagement (see our Terms of Service)
  • Used solely for the purpose of delivering the agreed services
  • Subject to strict confidentiality and security obligations (see Section 6 below)

This access does not constitute "collection" of personal information under APP 3, as we are acting under your instructions as a service provider rather than collecting information for our own purposes.

2.4 Security and Confidentiality Obligations

Notwithstanding our role as service provider, we implement reasonable technical and organisational measures to protect any information we access during service delivery, including sensitive information, in accordance with APP 11 (Security of Personal Information).

Our security measures are detailed in Section 6 (Data Security) below and include:

  • Strict access controls and authentication mechanisms
  • Employee and contractor confidentiality obligations and privacy training
  • Secure transmission protocols (SSL/TLS encryption)
  • Regular security assessments and compliance reviews
  • Access limited to authorised personnel with a legitimate need-to-know basis

These confidentiality and security obligations continue after the completion of our engagement, in accordance with our contractual terms.

2.5 Limited Use and Disclosure

We will not use or disclose any sensitive information accessed during service delivery for any purpose other than providing the services you have engaged us to deliver. Specifically:

  • No secondary use: We will not use your data for our own marketing, analytics, business development, or any other purposes without your explicit written consent
  • Limited disclosure: We will only disclose information to authorised personnel (employees, contractors, or subcontractors) who require access to perform the services
  • No third-party disclosure: We will not disclose sensitive information to third parties without your prior consent, except where required by law or to protect our legal rights
  • Deletion upon completion: Unless otherwise agreed in writing, we will delete or return any copies of your data (including sensitive information) upon completion of the engagement

2.6 Client Responsibilities

As the data custodian or data controller of information in your systems, you are responsible for:

  • Obtaining consents: Ensuring you have obtained all necessary consents, authorisations, and lawful bases from data subjects (including individuals whose sensitive information may be in your systems) before granting us access to that information
  • Minimum necessary access: Providing only the minimum level of access necessary for us to deliver the services, and restricting access to sensitive information where possible
  • Special requirements: Notifying us in advance of any special handling requirements, restrictions, compliance obligations (e.g., health privacy laws, industry-specific regulations), or data classification policies that apply to the information we may access
  • Compliance: Ensuring that your grant of access to us complies with all applicable privacy laws, regulations, and your own privacy policies
  • Third-party data: If you are processing personal information on behalf of your own clients or third parties, ensuring you have the necessary authorisations to grant us access to that information

We rely on your representations that you have the lawful right and authority to grant us access to your systems and data, including any sensitive information contained therein. You warrant that granting such access does not breach any privacy laws, contractual obligations, or third-party rights.

2.7 Unsolicited Sensitive Information

Please do not provide sensitive information to us through emails, contact forms, or other communications unless it is reasonably necessary for us to deliver the services you have requested or for us to respond to your enquiry.

If we receive sensitive information that we did not solicit and could not have collected under APP 3 (because it is not reasonably necessary for our functions or activities), we will, within a reasonable period:

  • Destroy the information (if it is lawful and reasonable to do so); or
  • De-identify the information so that it is no longer personal information

This is in accordance with our obligations under APP 4 (Dealing with Unsolicited Personal Information). However, we may retain such information where:

  • We could have collected the information under APP 3 (i.e., it is reasonably necessary for our business functions)
  • We are required or authorised by law to retain it
  • You have provided explicit consent for us to retain and use it

2.8 No Active Collection of Sensitive Information

Panoptes does not actively collect sensitive information as defined by the Privacy Act 1988 (Cth). We do not seek, solicit, or request sensitive information from individuals for our own purposes.

We may only encounter sensitive information in the following limited circumstances:

  • Service delivery access: When clients grant us access to their systems that contain sensitive information as part of delivering consulting services (as described in Section 2.3 above); or
  • Unsolicited receipt: When sensitive information is provided to us unsolicited through email, contact forms, or other communications (as described in Section 2.7 above)

In both cases, we handle such information in accordance with the Australian Privacy Principles and this Privacy Policy.

2.9 Notification to Third Parties (Client Guidance)

If you wish to inform individuals whose personal information we may access during service delivery about our involvement, you may include language such as the following in your own privacy policy or privacy notices:

"We engage Panoptes Pty Ltd as a service provider for data engineering, analytics, and consulting services. Panoptes may access systems containing personal information solely for the purpose of delivering these services under our instruction and control. Panoptes is bound by confidentiality and security obligations to protect your information in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles."

This disclosure is optional and provided for your convenience to assist with your transparency obligations under APP 5 (Notification of Collection). You should seek your own legal advice on your privacy disclosure obligations.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Service delivery: To provide consulting services, respond to enquiries, and fulfil contractual obligations
  • Communication: To contact you regarding projects, updates, or service-related matters
  • Business operations: To manage client relationships, process payments, and maintain records
  • Marketing: To send newsletters, case studies, or promotional materials (with your consent where required)
  • Website improvement: To analyse website usage, improve user experience, and optimise content
  • Legal compliance: To comply with legal obligations, resolve disputes, and enforce our agreements

4. Disclosure of Your Information

We may disclose your personal information to:

  • Service providers: Third-party vendors who assist with website hosting, email delivery, payment processing, and analytics (e.g., Vercel, Resend, Plausible Analytics)
  • Professional advisers: Lawyers, accountants, auditors, and consultants who provide professional services
  • Business partners: Collaborators or subcontractors involved in delivering services to you
  • Legal authorities: Government agencies, law enforcement, or regulatory bodies when required by law or to protect our rights

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Overseas Disclosure

Some of our service providers may store or process data outside Australia, including in the United States and European Union. We take reasonable steps to ensure that overseas recipients comply with the APPs and handle your information securely.

We do not transfer client-controlled sensitive information outside the client’s environment unless authorised by the client.

By using our services, you consent to the disclosure of your personal information to overseas recipients for the purposes outlined in this Privacy Policy.

6. Data Security

We implement reasonable technical and organisational measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Secure socket layer (SSL) encryption for data transmission
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Employee training on data protection and privacy

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Typically, we retain client records for seven (7) years after the completion of a project or engagement, in accordance with Australian tax and business record requirements.

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access: Request access to the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Opt-out: Unsubscribe from marketing communications at any time
  • Complaint: Lodge a complaint if you believe we have breached the Privacy Act

To exercise any of these rights, please contact us using the details in Section 11 below. We will respond to your request within a reasonable timeframe (usually 30 days).

9. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party websites you visit.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised "Last updated" date.

We encourage you to review this Privacy Policy periodically. Continued use of our website or services after changes are made constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:

Panoptes Pty Ltd

ABN: 85 694 053 524

+61 461 567 653
Sydney, Australia

12. Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details above. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner