Privacy Policy

Effective date: 1 January 2026

Last updated: February 2026

Newframe Group Pty Ltd (ACN 674 XXX XXX) ("we", "us", "our", "ApprovalPath") operates the ApprovalPath platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information and health information when you use our Service.

We are committed to complying with:

• The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• The Notifiable Data Breaches (NDB) Scheme under the Privacy Act
• Other applicable Australian privacy and data protection laws

1. Information We Collect

1.1 Information You Provide Directly

Account and Registration Data

• Legal business name and trading name
• Australian Business Number (ABN)
• Full name, email address, phone number
• Business address and physical location
• Business type or industry classification
• User role or position within the business

Payment Information

• Credit or debit card details (processed securely via Stripe—we do not store full card numbers on our servers)
• Billing address and contact information
• Invoice and payment history

Guide Data

• Property addresses (which may include information about customers' residential projects)
• Project descriptions and scope details
• Answers to guide questions related to proposed building or renovation work
• Project location, zoning, and land use information
• Any additional documentation or notes you upload

Communication Data

• Support requests and inquiries
• Emails, messages, and correspondence with our team
• Feedback, bug reports, and product suggestions
• Customer service interactions and chat logs

Optional Information

• Profile information or company descriptions
• Preferences and communication settings

1.2 Information Collected Automatically

Usage and Behavioural Data

• Pages visited and features accessed
• Session duration and frequency of use
• Actions performed (e.g., reports generated, guides run)
• Interaction patterns with the Service
• Timestamps of your activities
• Referral source (how you found us)

Technical Data

• Device type and model
• Operating system and version
• Browser type and version
• Internet Protocol (IP) address
• Unique device identifier (UDID) or advertising ID
• Mobile network information (if applicable)
• Diagnostic and crash data

Location Data

• Approximate geographic location (inferred from IP address)
• Property addresses you query (for guide purposes)

Cookie and Tracking Technologies

• Essential cookies for authentication, session management, and Service functionality
• Analytics cookies (optional) to understand usage patterns and improve the Service
• Marketing cookies (if you consent) to track campaign performance
• Pixel tags and similar tracking technologies

2. How We Use Your Information

We use your information for the following purposes:

2.1 Primary Service Delivery

• Providing the ApprovalPath guide platform and generating council approval reports
• Processing subscriptions and managing your account
• Facilitating secure authentication and access controls
• Storing and retrieving your guide history and data

2.2 Communication and Support

• Sending transactional emails (account confirmations, payment receipts, billing statements)
• Providing customer support and responding to inquiries
• Sending service-related notices and updates
• Notifying you of changes to our Terms, Privacy Policy, or Service features

2.3 Product Improvement and Analytics

• Analysing usage patterns to understand how the Service is used
• Identifying trends and areas for improvement
• Debugging technical issues and optimising performance
• Conducting research on planning guide outcomes and effectiveness
• Developing new features or enhancements

2.4 Compliance and Legal Obligations

• Complying with legal, regulatory, or statutory requirements
• Fulfilling obligations under the Privacy Act 1988 (Cth), Australian Consumer Law, and tax laws
• Maintaining records for audit and regulatory purposes
• Verifying your ABN and business credentials with the Australian Business Register

2.5 Business Operations

• Conducting business analytics and financial reporting
• Monitoring fraud and security threats
• Enforcing our Terms of Service and other agreements
• Protecting the rights, privacy, safety, or property of Newframe Group Pty Ltd and others

2.6 Marketing (with your consent)

• Sending newsletters, promotional materials, and product updates (only with your opt-in consent)
• Notifying you of special offers or new features
• Conducting customer satisfaction surveys and feedback campaigns
• Personalising your experience based on preferences

3. Legitimate Basis for Processing

Under the Australian Privacy Principles, we process your information on the basis of:

• Contractual necessity — to provide the Service you've subscribed to
• Legal obligation — to comply with Australian laws, tax requirements, and regulatory frameworks
• Legitimate business interests — to improve the Service, prevent fraud, and operate our business
• Consent — for optional analytics, marketing communications, and non-essential features
• Vital interests — to protect the security and integrity of the Service and user safety

4. AI and Data Processing

4.1 How AI Guide Generation Works

When you run a guide in ApprovalPath:

1. Your inputs (property address, project details, answers to questions) are processed by our AI models
2. The AI analyses publicly available planning data relevant to the property's jurisdiction
3. The AI generates a structured guide report with the likely approval pathway
4. Your inputs and the generated report are stored in your account for future reference

4.2 Training and Model Improvement

We may use anonymised and aggregated data to:

• Improve AI model accuracy and performance
• Identify patterns in guide data that enhance the Service
• Develop new features or guide categories
• Train our own AI systems (we do not share your data with third-party model providers for training without your explicit consent)

We do not sell your personal data or individual guide inputs to third parties.

4.3 Data Processing Agreements

All AI model providers used by ApprovalPath are subject to strict Data Processing Agreements (DPAs) that ensure:

• Data is processed only as instructed
• Appropriate security measures are in place
• Data is not used for their own commercial purposes or training without consent
• Regular audits and compliance checks occur

5. Sharing Your Information

We only share your information with trusted partners, and only to the extent necessary:

5.1 Service Providers and Processors

• Payment processors: Stripe (for credit card processing and billing)
• Cloud infrastructure providers: Vercel and Neon (for hosting, database management, and Service uptime)
• AI model providers: Third-party AI services (under strict Data Processing Agreements)
• Communication platforms: Email service providers for transactional communications
• Analytics tools: Google Analytics (anonymised data only; you can opt-out)

All service providers are bound by confidentiality obligations and data processing agreements.

5.2 Legal and Regulatory Authorities

We may disclose your information without consent if required by:

• Court orders, subpoenas, or legal process
• Australian federal, state, or local law enforcement agencies
• Regulatory or government authorities investigating suspected illegal activity
• The Australian Information Commissioner (OAIC) or Privacy Commissioner

5.3 Business Transfers

If Newframe Group Pty Ltd is acquired, merged, or substantially restructured, your information may be transferred to the acquiring organisation. We will provide notice of any such change and your right to opt-out.

5.4 Protecting Our Rights

We may disclose information to enforce our Terms of Service, investigate breaches, prevent fraud, or protect the legal rights, property, or safety of Newframe Group Pty Ltd, our users, or the public.

5.5 What We Do NOT Do

• We do not sell or license your personal data to third parties for commercial purposes
• We do not share your data with competitors or other commercial entities without consent
• We do not disclose customer details to councils, government agencies, or other tradies

6. Data Retention

6.1 Account Data

We retain your personal information (account details, payment records, contact information) for as long as your subscription is active, and for a minimum of 7 years after account closure for:

• Accounting and tax compliance (Australian Taxation Office requirements)
• Legal dispute resolution
• Regulatory compliance

6.2 Guide Data

Your guide inputs and generated reports are retained for the duration of your active subscription. You can export or download this data at any time.

6.3 After Cancellation

Upon cancellation of your subscription:

• Your account will remain accessible for 30 days to allow data export
• After 30 days, your account data and guide history will be securely deleted
• We may retain anonymised, aggregated data for analytics and Service improvement
• We will retain records as required by law (e.g., invoices, tax records) for 7 years

6.4 Communication Records

• Support emails and correspondence will be retained for 12 months for reference
• You may request deletion of personal communication records at any time (except where legally required)

7. Data Security

We implement industry-leading security measures to protect your personal information:

7.1 Technical Safeguards

• Encryption in transit: TLS 1.2+ encryption for all data transmitted to/from our servers
• Encryption at rest: AES-256 encryption for sensitive data stored on our servers
• Secure authentication: OAuth 2.0 and multi-factor authentication (MFA) options available
• Access controls: Role-based access controls limiting employee access to personal data
• Network security: Firewalls, intrusion detection, and DDoS protection

7.2 Administrative Safeguards

• Employee training on privacy and data security
• Confidentiality agreements with all staff and contractors
• Regular security audits and vulnerability assessments
• Incident response procedures and breach protocols

7.3 Subprocessor Security

• All third-party service providers undergo security assessments
• We maintain updated lists of subprocessors and their locations
• We audit subprocessor security practices regularly

7.4 Limitations

While we strive to protect your information, no system is 100% secure. We cannot guarantee absolute protection against all security breaches. If a breach occurs, we will notify affected individuals in accordance with the Notifiable Data Breaches scheme (see Section 8).

8. Notifiable Data Breaches

Under the Privacy Act 1988 (Cth), we are required to notify you if:

• A data breach occurs involving your personal information
• The breach is likely to result in serious harm to you
• We cannot prevent the breach or mitigate the serious harm

Notification will include:

• Nature of the breach and information involved
• Likely consequences
• Steps we are taking to respond and mitigate harm
• Your recommended actions
• Contact details for further information

Notifications will be sent to your registered email address as soon as practicable, and without unreasonable delay (generally within 30 days).

9. Your Privacy Rights and Choices

Under the Australian Privacy Principles, you have the following rights:

9.1 Right of Access

You have the right to access the personal information we hold about you. To request access:

• Email privacy@approvalpath.com.au with your request
• Include your account email and details of information sought
• We will respond within 30 days with the requested information (or within 45 days for complex requests)
• No fee applies for accessing your own information

9.2 Right to Correction

If you believe personal information we hold is inaccurate, incomplete, or out-of-date, you can request correction:

• Contact us at privacy@approvalpath.com.au
• We will investigate and correct information within 30 days
• If we disagree with your correction request, we will explain why and provide details of dispute resolution options

9.3 Right to Deletion

You have the right to request deletion of your personal information:

• Email privacy@approvalpath.com.au with your deletion request
• We will delete your information within 30 days, except where:
  • Retention is required by law (e.g., tax records, legal proceedings)
  • The information is necessary to provide ongoing services
  • We have a legitimate business purpose for retention
• If we cannot delete all information, we will explain why

9.4 Right to Opt-Out of Marketing

You can opt-out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your communication preferences in your account dashboard
• Emailing privacy@approvalpath.com.au
• We will honour opt-out requests within 2 business days

9.5 Right to Withdraw Consent

For any processing based on your consent (e.g., optional analytics, marketing), you can withdraw consent at any time:

• Update your account settings or privacy preferences
• Email privacy@approvalpath.com.au
• Withdrawal takes effect immediately

9.6 Right to Complain

If you believe we have breached your privacy rights, you can lodge a complaint:

• To us: Contact our Privacy Officer at privacy@approvalpath.com.au
  • We will acknowledge receipt within 2 business days
  • We will investigate and respond within 30 days
• To the OAIC: If unsatisfied with our response, you can complain to the Office of the Australian Information Commissioner
  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • No fee applies

10. Cookies and Tracking Technologies

10.1 Essential Cookies

These cookies are necessary for the Service to function. They cannot be disabled:

• Session cookies: Maintain your login session and authentication state
• Security cookies: Prevent unauthorized access and fraud
• Preference cookies: Remember your account settings and preferences

10.2 Optional Cookies

These cookies are optional and require your consent:

• Analytics cookies: Track usage patterns to improve the Service (Google Analytics, Mixpanel)
• Marketing cookies: Track campaign performance and personalise advertisements
• Social media cookies: Enable sharing to social platforms

10.3 Managing Cookies

You can manage cookie preferences:

• Accept or reject optional cookies when you first visit our site
• Adjust cookie settings in your browser (most browsers provide options to refuse or delete cookies)
• Opt-out of specific analytics services via their opt-out tools
• Clear cookies from your browser settings at any time

Note: Disabling essential cookies may prevent the Service from functioning properly.

11. Children and Privacy

ApprovalPath is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided information to us, we will delete it promptly and notify the parent or guardian.

If you are a parent or guardian concerned about a child's privacy, please contact us at privacy@approvalpath.com.au.

12. International Data Transfers

Your information may be transferred to and stored on servers located outside Australia, including in the United States (Vercel, Stripe), Canada, or the European Union, as required for Service delivery.

By using ApprovalPath, you consent to the transfer and processing of your information in these jurisdictions. We ensure that all international transfers comply with:

• Data Processing Agreements meeting Australian privacy standards
• Appropriate security measures in receiving jurisdictions
• Cross-border data transfer safeguards

13. Third-Party Links

ApprovalPath may contain links to third-party websites or services (e.g., council websites, government planning portals). We are not responsible for the privacy practices of third-party sites. Please review their privacy policies before providing personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes to our privacy practices
• Changes in applicable law
• Feedback from users or regulators

We will notify you of material changes via:

• Email to your registered account address (at least 14 days before the change takes effect)
• An in-app notice or banner
• Updating the "Last updated" date at the top of this policy

Continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy. If you do not agree with changes, your sole remedy is to cancel your subscription.

15. Our Privacy Officer

For privacy-related inquiries, concerns, or requests, please contact our Privacy Officer:

Email: privacy@approvalpath.com.au

Mailing Address: Newframe Group Pty Ltd [Street Address] New South Wales, Australia

Response timeframe: We will acknowledge your inquiry within 2 business days and provide a substantive response within 30 days (or as required by law).

16. Verification and Authentication

To protect your privacy, we may ask you to verify your identity before providing access to your personal information. This may include:

• Requesting your account email and password
• Sending a verification link to your registered email
• Confirming your business ABN
• Other reasonable identification methods

This verification process ensures that only you can access your personal data.

17. Governing Law

This Privacy Policy is governed by the laws of New South Wales, Australia, and the Privacy Act 1988 (Cth). Any disputes will be resolved in accordance with Australian privacy law and the jurisdiction of the courts of New South Wales.