Privacy Policy

Last updated: 20 November 2024

1. Introduction

Stage Zero Operations Pty Ltd (ABN: [To be provided]) ("Stage0", "we", "us", or "our") is committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, store and protect your personal information when you use our AI-powered IRAP assessment platform and related services (the "Services").

2. Information We Collect

2.1 Personal Information

We may collect the following types of personal information:

  • Identity information: Name, job title, organisation name
  • Contact information: Email address, phone number, business address
  • Account information: Username, password (encrypted), security credentials
  • Professional information: IRAP assessor number, professional certifications, role and responsibilities
  • Usage data: Log data, device information, IP address, browser type, pages visited, time and date of access
  • Communication data: Records of correspondence with us, support requests, feedback

2.2 Security Assessment Information

When you use our Services, you may upload:

  • System documentation and architecture diagrams
  • Security policies and procedures
  • Assessment reports and findings
  • Information Security Manual (ISM) control assessments
  • Other security-related documentation

This information may contain personal information of your clients, employees, or third parties. You are responsible for ensuring you have appropriate authority and consent to upload such information to our Services.

3. How We Collect Information

We collect personal information:

  • Directly from you: When you register for an account, use our Services, complete forms, or communicate with us
  • Automatically: Through cookies, log files, and similar technologies when you access our platform
  • From third parties: Such as your employer or organisation when they set up your account, or from publicly available sources
  • From your use of the Services: Including documents you upload and actions you take within the platform

4. How We Use Your Information

We use your personal information for the following purposes:

  • Service provision: To provide, operate, maintain and improve our Services
  • AI processing: To process uploaded documents using AI technology for automated ISM control assessments and knowledge graph generation
  • Account management: To create and manage your account, verify your identity, and provide customer support
  • Communication: To send service-related notifications, updates, security alerts, and respond to your enquiries
  • Security: To detect, prevent and address technical issues, fraud, and security vulnerabilities
  • Legal compliance: To comply with applicable laws, regulations, and legal processes
  • Analytics and improvement: To analyse usage patterns, improve our Services, and develop new features
  • Marketing: To send you information about our Services, updates, and offers (with your consent where required)

We will only use your personal information for the purposes for which it was collected, or for a related purpose where you would reasonably expect us to do so.

5. Disclosure of Your Information

5.1 Within Your Organisation

If you are using our Services as part of an organisation, we may share your information with other authorised users within your organisation's tenant in accordance with your organisation's access controls.

5.2 Service Providers

We may disclose your personal information to trusted third-party service providers who assist us in operating our Services, including:

  • Cloud hosting providers: Australian-based infrastructure providers
  • AI service providers: Anthropic (Claude AI) for document processing and analysis
  • Payment processors: For subscription billing and payment processing
  • Analytics providers: For usage analytics and service improvement
  • Customer support tools: For providing technical support

These service providers are contractually obligated to protect your information and may only use it for the purposes we specify.

5.3 Legal Requirements

We may disclose your personal information if required by law, court order, or legal process, or to protect the rights, property, or safety of Stage0, our users, or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity, subject to the same privacy protections.

6. Cross-Border Disclosure

Your personal information is primarily stored and processed in Australia using Australian-based infrastructure. However, we may disclose personal information to overseas recipients in the following circumstances:

  • Anthropic (United States): For AI-powered document analysis using Claude AI. Anthropic is subject to privacy laws in the United States and has appropriate safeguards in place.
  • Other service providers: Those specified in Section 5.2, which may be located overseas

When we disclose personal information to overseas recipients, we take reasonable steps to ensure they comply with the APPs or are subject to substantially similar privacy protections. By using our Services, you consent to such disclosures.

You acknowledge that if we disclose personal information to an overseas recipient, we may not be able to ensure that the recipient complies with the APPs, and you may not be able to seek redress under the Privacy Act 1988 (Cth).

7. Data Security

We implement robust security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction:

  • Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Multi-tenant architecture: Complete data isolation between organisational tenants
  • Access controls: Role-based access controls and multi-factor authentication
  • Infrastructure security: Australian-hosted infrastructure with regular security assessments
  • Monitoring: Continuous security monitoring and logging
  • Incident response: Documented security incident response procedures
  • Staff training: Regular security awareness training for all personnel

Despite our security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

8. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account information: Retained while your account is active and for 7 years after account closure for legal and compliance purposes
  • Assessment data: Retained in accordance with your organisation's data retention policies and legal requirements
  • Usage logs: Retained for 2 years for security and analytics purposes
  • Financial records: Retained for 7 years as required by Australian tax law

Upon deletion, we will securely destroy or de-identify your personal information in accordance with our data retention and disposal procedures.

9. Your Rights and Choices

9.1 Access and Correction

You have the right to request access to the personal information we hold about you and to request correction of any inaccurate, incomplete, or out-of-date information. You can access and update much of your account information directly through your account settings.

9.2 Anonymity and Pseudonymity

Where practicable, we will provide you with the option to interact with us anonymously or using a pseudonym. However, for most of our Services, we require personal information to provide the service effectively.

9.3 Marketing Communications

You can opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in our emails or contacting us directly. Please note that you cannot opt out of service-related communications (e.g., account notifications, security alerts).

9.4 Data Portability

You may request a copy of your data in a structured, commonly used format to facilitate transfer to another service provider.

9.5 Account Deletion

You may request deletion of your account and associated personal information, subject to our legal retention obligations. Please contact us to initiate an account deletion request.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

  • Maintain your session and keep you logged in
  • Remember your preferences and settings
  • Analyse usage patterns and improve our Services
  • Provide security features and detect fraudulent activity

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our Services.

11. Third-Party Links

Our Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.

12. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice within our Services

Your continued use of our Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes.

14. Privacy Complaints

If you have a complaint about how we handle your personal information, please contact us using the details below. We will:

  • Acknowledge your complaint within 7 days
  • Investigate your complaint thoroughly
  • Provide a written response within 30 days

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au

15. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, or wish to exercise your privacy rights, please contact us:

Stage Zero Operations Pty Ltd

Privacy Officer

Email: privacy@stage0.com.au

Website: www.stage0.com.au

ABN: [To be provided]

This Privacy Policy has been prepared to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It was last reviewed and updated on 20 November 2024.