Privacy Policy

Last updated: 13 April 2026  ·  Version 1.0

Base Platform Pty Ltd (“we”, “us”, “our”) is committed to protecting your personal information. This Privacy Policy explains how we collect, use, hold, and disclose personal information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of that Act.

By using the Base Platform Pty Ltd service (“Service”) or providing us with your personal information, you consent to the practices described in this policy.

1. What Personal Information We Collect

We collect the following categories of personal information:

  • Identity data — full name, email address, and any profile information you provide.
  • Credential data — hashed passwords and two-factor authentication secrets (stored as irreversible hashes; we cannot retrieve your raw password).
  • Account activity data — login timestamps, session identifiers, IP addresses, user-agent strings, and audit log events (actions you perform in the Service).
  • Billing data — organisation billing identity, invoice records, and payment confirmation references. We do not store raw payment card numbers; card processing is handled by our PCI-DSS-compliant payment processor (Stripe).
  • Communication data — emails we send you and your responses, including password-reset and invitation emails.
  • Device data — browser type, device fingerprint fragments used for known-device recognition, and general geolocation derived from IP address.
  • Preference data — interface theme, email notification settings, and digest subscription preferences.

We do not collect sensitive information (as defined in the Privacy Act) unless you choose to include it in Customer Data, in which case you are responsible for ensuring its collection and storage is lawful.

2. How We Collect Personal Information

We collect personal information:

  • Directly from you — when you register an Account, accept an invitation, update your profile, or contact us.
  • Automatically — through server logs, cookies, and similar technologies when you use the Service.
  • From your organisation — when an administrator creates or invites your Account on behalf of an organisation.

3. Why We Collect and Use Personal Information

We collect and use personal information to:

  • Create and manage your Account and provide the Service.
  • Authenticate your identity and maintain security, including detecting and preventing fraud and unauthorised access.
  • Send transactional emails (password resets, invitations, billing invoices) necessary to operate the Service.
  • Send service announcements, maintenance notices, and security alerts.
  • Send optional digest and notification emails where you have opted in.
  • Generate aggregated, de-identified analytics to improve the Service.
  • Comply with our legal obligations, including tax and record-keeping requirements under Australian law.
  • Resolve disputes and enforce our Terms of Service.

We will not use your personal information for direct marketing without your explicit consent, and you may opt out of marketing communications at any time by following the unsubscribe instructions in those communications or by updating your preferences in your Account settings.

4. Legal Basis for Processing

Under Australian law, we are authorised to handle your personal information where:

  • It is necessary to perform the contract between us (provision of the Service).
  • You have consented — for example, to optional notification emails.
  • It is required or authorised by Australian law (e.g., the Corporations Act 2001 (Cth), the A New Tax System (Goods and Services Tax) Act 1999 (Cth)).
  • It is necessary for our legitimate interests, provided those interests are not overridden by your privacy interests (e.g., security monitoring, fraud prevention).

5. Disclosure of Personal Information

We may disclose your personal information to:

  • Service providers and sub-processors — including cloud hosting providers, email delivery services (Resend), and payment processors (Stripe), who assist us in operating the Service and are contractually bound to protect your data.
  • Your organisation's administrators — account activity data (including audit logs and session information) may be visible to administrators in your organisation.
  • Legal and regulatory authorities — where we are required or permitted to do so by law, court order, or government regulation, or to protect the rights, property, or safety of us, our customers, or others.
  • Successors in interest — in the event of a merger, acquisition, or sale of all or substantially all of our assets, subject to the acquirer agreeing to honour this policy or providing you with equivalent protections.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

6. Overseas Disclosure

Some of our sub-processors operate servers or support staff outside Australia, including in the United States of America. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure they handle it in a manner consistent with the APPs (APP 8). Where an overseas recipient does not have equivalent privacy protections, we will obtain your consent or rely on an applicable exception under the Privacy Act.

By using the Service you acknowledge that your information may be transferred to and processed in countries outside Australia.

7. Data Security

We implement industry-standard technical and organisational measures to protect personal information from unauthorised access, use, alteration, or disclosure. These measures include:

  • Passwords stored as salted bcrypt hashes — we cannot retrieve your raw password.
  • HTTPS / TLS encryption for all data in transit.
  • Database-level access controls and encrypted storage at rest.
  • Two-factor authentication (TOTP) available to all Users.
  • Session management with per-session revocation and automatic expiry.
  • Audit logging of all significant account and data events.
  • Role-based access controls limiting what data each User can view or modify.

No method of transmission over the internet is 100% secure. If you suspect a security breach affecting your Account, contact us immediately at security@baseplatform.com.au.

8. Data Retention

We retain personal information for as long as your Account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account data — retained for the life of the Account plus 30 days after termination to allow export, then securely deleted.
  • Audit logs — retained for a configurable period (default 90 days) and then automatically pruned.
  • Billing records — retained for a minimum of 7 years as required by Australian taxation law.
  • Server logs — typically retained for 90 days.

9. Cookies and Tracking Technologies

We use essential cookies and similar technologies strictly necessary to operate the Service:

  • Session cookies — maintain your authenticated session.
  • Preference cookies — store your chosen theme (light/dark mode).
  • Security cookies — support two-factor authentication flows and impersonation sessions.

We do not use third-party advertising or tracking cookies. You may disable cookies in your browser settings, but this will prevent you from logging in to the Service.

10. Your Rights

Under the APPs and other applicable Australian laws you have the right to:

  • Access — request a copy of the personal information we hold about you (APP 12).
  • Correction — request that we correct inaccurate, out-of-date, incomplete, or misleading information (APP 13).
  • Anonymisation / deletion — in certain circumstances, request that we delete or de-identify your personal information.
  • Withdraw consent — where our processing is based on consent, withdraw it at any time (this will not affect processing carried out before withdrawal).
  • Complain — lodge a complaint with us or with the Office of the Australian Information Commissioner (“OAIC”) at oaic.gov.au.

To exercise any of these rights, contact our Privacy Officer at privacy@baseplatform.com.au. We will respond within 30 days. We may need to verify your identity before processing a request.

11. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

12. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If a data breach is likely to result in serious harm to affected individuals, we will notify the OAIC and the affected individuals as soon as practicable after becoming aware of the breach.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service. The updated policy will be effective from the date indicated at the top of this page. Continued use of the Service after that date constitutes your acceptance of the revised policy.

14. Contact Us

For any privacy-related queries, access or correction requests, or complaints, please contact our Privacy Officer:

Privacy Officer — Base Platform Pty Ltd

Email: privacy@baseplatform.com.au

Australia

If you are not satisfied with our response you may lodge a complaint with the OAIC at oaic.gov.au/privacy/privacy-complaints.

© 2026 Base Platform Pty Ltd