1. Our Privacy Commitment
Although Superbrand is not currently required to comply with the Privacy Act 1988 (Cth) (the "Privacy Act") because its annual turnover is below AUD $3 million, we voluntarily commit to handling personal information in accordance with the 13 Australian Privacy Principles (the "APPs"). We also commit to:
Notifying affected individuals and the Office of the Australian Information Commissioner ("OAIC") of an eligible data breach in accordance with the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act)
Taking reasonable technical and organisational measures to protect personal information
Respecting individuals' rights to access and correct personal information we hold about them
If our annual turnover exceeds AUD $3 million, or if removal of the small business exemption proceeds under the second tranche of privacy reforms, the Privacy Act and the APPs will apply by force of law.
2. Information We Collect
2.1 Personal Information
When you interact with our Site, we may collect the following kinds of personal information that you voluntarily provide to us:
Identity and contact details: Name, business name, email address, phone number, postal address, role or title
Enquiry and engagement information: The content of enquiries, project briefs, proposals, contracts, billing details (excluding full credit card numbers, which are handled by our payment processors), and correspondence
Newsletter and marketing data: Email address, subscription preferences, engagement with our communications
Voice and video data: Transcripts and recordings of calls you participate in, made via our tools (Zoom, Otter.ai, Loom). Recording is disclosed at the start of each call
We do not collect sensitive information (as defined in the Privacy Act) unless you provide it voluntarily and we need it for a specific, disclosed purpose.
2.2 Non-Personal Information
We automatically collect non-personal information when you visit our Site, including:
IP address
Browser type and version
Device type
Operating system
Referring URL
Pages visited and time and date of visit
Links clicked and other analytics data
Cookies and similar tracking technologies (as described in Section 5)
3. How We Collect Information
We collect personal information directly when you submit a form on the Site, send us an email, schedule a call via Calendly, sign a contract, or otherwise communicate with us. We also collect information automatically through cookies, analytics tools, and server logs when you visit the Site, and indirectly through referrals, publicly available sources (LinkedIn, Instagram, business registers), and tools we use to research prospective clients in line with our commercial purposes.
At the point of collection on each form, a short notice is displayed identifying the purpose of collection, our identity, and a link to this Privacy Policy.
4. How We Use Your Information
We use the collected information to:
Respond to enquiries and assess fit for our services
Prepare proposals, contracts, and onboarding documentation
Deliver the services we are engaged to provide
Issue invoices and process payments
Communicate about live engagements and ongoing relationships
Send newsletters and marketing communications where you have given consent
Understand how the Site is used and improve it
Comply with legal, tax, and regulatory obligations
Protect our legitimate business interests, including security and fraud prevention
5. Cookies and Tracking Technologies
The Site uses cookies and similar technologies to enable core site functions (essential cookies), understand how visitors use the Site (analytics cookies, including Google Analytics 4), and remember preferences (functional cookies). You can control cookies through your browser settings. Disabling essential cookies may affect site functionality.
Where the Site uses third-party tracking pixels or analytics scripts that may collect personal information, we will provide a clear notice and (where required) seek consent. This commitment aligns with the OAIC's Tracking Pixels and Privacy Obligations guidance (4 November 2024). We do not use cookies for cross-site behavioural advertising. If this changes, this Privacy Policy will be updated and active consent will be sought.
6. How We Share Your Information
We do not sell personal information. We use the following categories of third-party tools to operate our business, and personal information may be processed by these providers in the course of delivering our services. Each provider is bound by its own privacy and security obligations.
Google Workspace, Google Analytics 4: Email, document storage, productivity, web analytics (United States)
Notion: Project management, internal knowledge base (United States)
Zoom: Video calls (United States)
Otter.ai: Call transcription (United States)
Apify, Perplexity: Research and competitor intelligence (United States, European Union)
Calendly: Meeting scheduling (United States)
DocuSign: Contract execution (United States, Australia)
Wave / Xero: Invoicing and accounting (United States / New Zealand)
Kit (formerly ConvertKit): Email marketing (United States)
Loom: Video walkthroughs and async communication (United States)
Adobe Creative Cloud: Design tools (Australia, United States)
Figma: Design collaboration (United States)
We may also disclose personal information to:
Subcontractors: Designers, video editors, and copywriters who are bound by confidentiality and equivalent privacy obligations under our subcontracting arrangements
Professional advisors: Lawyers, accountants, and insurers
Payment processors and banking institutions
Regulators, courts, or other authorities: Where required by law
Third parties with your consent
7. International Data Transfers
Some of the third-party tools listed in Section 6 are located in or process data through the United States, the European Union, the United Kingdom, or other jurisdictions outside Australia. Where we disclose personal information to an overseas recipient under APP 8, we take reasonable steps to ensure the recipient does not breach the APPs. These steps may include reviewing the provider's privacy and security obligations and entering into contractual terms that require appropriate handling of personal information.
By using the Site or engaging us, you acknowledge that your personal information may be processed outside Australia.
8. Direct Marketing and Spam Act Compliance
We send commercial electronic messages (emails, newsletters, marketing communications) only to people who have given express or inferred consent to receive them, with clear sender identification, and with a functional unsubscribe mechanism in every commercial message. You can withdraw your consent or unsubscribe at any time by clicking the unsubscribe link in any marketing email or by emailing us at the address in Section 16. We process unsubscribe requests within five (5) business days.
We comply with the Spam Act 2003 (Cth) and the ACMA Statement of Expectations (1 July 2024).
9. Children's Data
The Site is not directed at children under the age of 16, and we do not knowingly collect personal information from children under 16. If you are under 16, please do not submit forms or provide personal information through the Site. If we become aware that we have collected personal information from a child under 16, we will delete it on request from a parent or guardian.
We will update our practices once the OAIC's Children's Online Privacy Code is registered (expected by 10 December 2026) and confirm whether the Site falls within scope.
10. Data Retention
We retain personal information only for as long as is necessary for the purposes set out in Section 4 or as required by law. Indicative retention periods are:
Enquiry and prospect data: 24 months from last contact
Client engagement records (proposals, contracts, deliverables, correspondence): 7 years from end of engagement (tax and contractual records)
Invoicing and payment records: 7 years (Australian tax law)
Marketing consent records and email subscriber data: Until consent is withdrawn or 24 months of inactivity, whichever is earlier
Website analytics data: 26 months (Google Analytics default) or as configured
Call transcripts (Otter.ai): 12 months unless retained as part of a client engagement record
At the end of the retention period, we delete or de-identify personal information unless we are required by law to retain it.
11. Security
We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These measures include access controls, encrypted storage where feasible, password management, regular software updates, and secure data transmission. We require our subcontractors and processors to maintain comparable security standards.
No method of transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.
12. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
Access the personal information we hold about you
Request correction or deletion of your information
Opt out of marketing communications
Withdraw consent for data processing
To exercise these rights, email us at the address in Section 16. We will respond to access and correction requests within thirty (30) days. We may need to verify your identity before processing the request. Reasonable charges may apply for access requests that involve significant time or cost.
If you believe we have breached the APPs or this Privacy Policy, you can submit a complaint to us in writing at the address in Section 16. We will acknowledge receipt within five (5) business days and respond substantively within thirty (30) days. If you are not satisfied with our response, you may complain to the OAIC at oaic.gov.au or by telephone on 1300 363 992.
13. Notifiable Data Breaches
If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will assess the breach within thirty (30) days. If the breach is an "eligible data breach" under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), we will notify affected individuals as soon as practicable and notify the OAIC.
We will provide affected individuals with information about the breach, the steps they can take to protect themselves, and the steps we are taking to mitigate the breach.
14. Serious Invasion of Privacy
We acknowledge the statutory tort of serious invasion of privacy in Schedule 2 of the Privacy Act, in force from 10 June 2025. We commit to avoiding intrusion on seclusion and misuse of personal information, and to handling personal information with reasonable expectations of privacy in mind. Where we publish content, we balance public interest against privacy considerations.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will provide reasonable notice on the Site or by email to subscribers. Your continued use of the Site after changes are posted constitutes acceptance of the updated policy.
16. Contact Us
If you have any questions about this Privacy Policy, you can reach us at:
Superbrand
hello@superbrand.au