Version 1.0 · Effective date: [INSERT DATE] · Australian Privacy Act 1988 (Cth)
EmployClear (“we”, “us”, “our”) is committed to protecting the privacy of the individuals and businesses that use our service. This Privacy Policy explains how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the EmployClear service, you consent to the collection and handling of your information as described in this policy.
1. What Information We Collect
1.1 Account and Identity Information
- Your name and email address (collected at signup)
- Business name and registered address
- ABN (if provided)
1.2 Business Profile Information
To provide personalised compliance information, we collect details about your business including:
- Industry type and business description
- Australian state or territory of operation
- Number and types of employees (casual, part-time, full-time)
- Applicable Modern Award
- Pay frequency and payroll software used
- Existing compliance policies and documents
1.3 Compliance Questions and Interactions
- Questions you submit through the Q&A interface
- Responses generated by the Service
- Compliance gaps identified in your business profile
- Documents generated and downloaded through the Service
1.4 Usage and Engagement Data
- Login timestamps and frequency
- Pages visited and features used within the Service
- Document download history
- Email open and click data for alert and report emails
1.5 Payment Information
Payment card details are collected and stored by Stripe, our payment processor. We do not store payment card numbers. We receive confirmation of successful payments, subscription status, and billing history from Stripe.
1.6 Information We Do Not Collect
We do not collect sensitive information as defined by the Privacy Act (such as health information, racial or ethnic origin, political opinions, or criminal record information) unless you voluntarily include it in a compliance question.
2. How We Use Your Information
| Purpose | Information Used | Legal Basis |
|---|---|---|
| Providing the Service — generating compliance health checks, documents, Q&A responses, and alerts | Business profile, compliance questions, Modern Award | Contract performance (Terms of Service) |
| Personalising regulatory alerts to your specific business type | Industry, award, state, employee types | Contract performance |
| Processing payments and managing subscription billing | Email, subscription status | Contract performance |
| Sending monthly compliance reports and countdown reminders | Email, engagement data | Contract performance |
| Improving the accuracy and quality of compliance guidance | Anonymised and aggregated Q&A data | Legitimate interest |
| Communicating material changes to Terms or the Service | Email address | Legitimate interest / legal obligation |
| Fraud prevention and security | Login data, usage patterns | Legitimate interest |
We do not use your information for direct marketing to third parties or sell your data to any third party.
3. How We Share Your Information
We share your information only with the third-party service providers necessary to operate the Service. Each provider is engaged under data processing agreements and is required to handle your data in accordance with applicable privacy law.
Anthropic PBC (Claude API)
What is shared: Your compliance questions and relevant business profile context (industry, award, employee types, state) are transmitted to Anthropic’s Claude API to generate responses, documents, and assessments.
Purpose: AI-powered compliance guidance — the core function of the Service.
Data handling: Anthropic processes data under its API Terms of Service. API inputs are not used to train Anthropic’s models by default. Anthropic is a US-based company; your data is transferred outside Australia to US servers. See anthropic.com/privacy.
Stripe Inc.
What is shared: Your name, email address, and billing information for payment processing.
Purpose: Subscription billing, payment processing, and customer portal.
Data handling: Stripe is a US-based company. Your data is transferred outside Australia. Stripe is PCI-DSS Level 1 certified. See stripe.com/privacy.
Resend Inc.
What is shared: Your email address and the content of transactional emails (alerts, monthly reports, countdown reminders).
Purpose: Delivering email communications from the Service.
Data handling: Resend is a US-based company. See resend.com/privacy.
Hetzner Online GmbH (when VPS is active)
What is shared: All data stored in the Service database is hosted on Hetzner servers.
Purpose: Cloud infrastructure and data hosting.
Data handling: Hetzner is a German company. Data is hosted in Germany (EU). Subject to GDPR. See hetzner.com/legal/privacy-policy.
3.1 Overseas Transfers
As described above, some of your personal information is transferred to and stored in the United States and Germany. By using the Service, you consent to these overseas transfers. We take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles.
3.2 Legal Disclosure
We may disclose your information if required by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect the rights, property, or safety of EmployClear, our users, or the public.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Business profile and account information | Duration of subscription + 7 years (ATO record-keeping requirement) |
| Q&A session history | Duration of subscription + 2 years, then anonymised or deleted |
| Generated documents | Duration of subscription + 7 years (employment record-keeping) |
| Payment records | 7 years (ATO requirement) |
| Regulatory change logs | Indefinitely (anonymised aggregate data for Service improvement) |
| Email engagement data | Duration of subscription + 12 months |
After the relevant retention period, we will delete or anonymise your personal information.
5. Security
We implement reasonable technical and organisational measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting who within our team can access client data
- Magic-link authentication (no stored passwords)
- Regular security reviews of our infrastructure
No security system is impenetrable. In the event of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.
6. Your Rights
6.1 Access
You have the right to request access to the personal information we hold about you. You can access much of this information directly through your client dashboard. For information not available through the dashboard, contact us at the address below.
6.2 Correction
You can update most of your business profile information directly through the dashboard. If you believe information we hold is incorrect or out of date, contact us and we will correct it within 30 days.
6.3 Deletion
You may request deletion of your personal information by contacting us. We will delete your information subject to our legal retention obligations. Some information (payment records, generated documents) may need to be retained for legal or tax purposes as described in Section 4.
6.4 Complaints
If you believe we have breached the Australian Privacy Principles, please contact us first. If your complaint is not resolved to your satisfaction within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.
7. Cookies and Tracking
The Service uses session cookies to maintain your login state and deliver the Service. We do not use advertising cookies, third-party tracking pixels, or behavioural advertising.
Transactional emails sent through the Service include open-tracking and click-tracking to measure engagement and determine whether regulatory alerts have been received. You can opt out of email tracking by contacting us, though this may affect the relevance of churn-prevention interventions.
8. Children
The Service is intended for use by businesses and persons aged 18 and over. We do not knowingly collect personal information from persons under 18. If you believe a minor has provided us with personal information, contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at employclear.com.au/privacy-policy/.