Privacy Policy

1. About this Privacy Policy

1.1 This Privacy Policy explains how XSMIRP Pty Ltd ABN 54 639 863 602 (SMIRP, we, us or our) collects, holds, uses and discloses personal information in connection with:

(a) our public website at www.smirp.io and related webpages;

(b) the SMIRP software platform, customer portals, mobile applications, AI-enabled features and related services; and

1.2 In this Privacy Policy, customer means a person or entity that has subscribed to the SMIRP platform and Services under a paid subscription.

1.3 This Privacy Policy is intended to apply to website visitors, prospective customers, customer representatives, Authorised Users, collaborators, portal users and other individuals whose personal information we handle in connection with our business and the SMIRP platform.

1.4 We are committed to handling personal information in an open and transparent way and, where applicable, in a manner consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles and other privacy laws that apply to us.

1.5 In many cases, our customers determine what information is uploaded into and processed within their own SMIRP environment. Where a customer uploads or controls personal information about its own staff, clients, suppliers, investors, advisers, collaborators or other end users, that customer generally remains responsible for determining why that information is collected and used, and for ensuring it has all required notices, consents and other legal authority to provide that information to us through the platform.

2. The kinds of personal information we collect and hold

2.1 The kinds of personal information we collect depend on how you interact with us, the Services you use and the way our customers configure their SMIRP environments. The personal information we may collect and hold includes:

identity and contact details such as names, usernames, display names, email addresses, phone numbers, postal addresses and other contact information;
business and account details such as business name, position, role, account administrator details, billing contacts and organisation details;
account and access information such as login credentials, password-reset information, user permissions and authentication-related information;
communications and support information such as support requests, messages, enquiry content, meeting notes, feedback, issue reports and other correspondence with us;
billing and transaction information such as subscription status, payment confirmations, invoice details and limited payment-related metadata received from our payment processors;
website and technical usage data such as IP address, browser type, device information, app version, cookies, analytics data, logs, timestamps and interaction information;
AI-related inputs and outputs such as prompts, free-text inputs, uploaded files, messages, transcripts and AI-assisted outputs, where AI-enabled features are used; and
other information you or our customers choose to provide to us or make available through the website or platform.

2.2 We may collect personal information about customer representatives during account registration and onboarding, billing and payment set-up, account administration, customer relationship management, support requests and troubleshooting.

2.3 Our customers may upload, store or otherwise process personal information within the platform about their own staff, clients, suppliers, investors, advisers, collaborators and other end users. Depending on the customer's use of the platform, that information may include names, dates of birth, contact details, communications, financial or investor information, business records, files, account credentials, addresses and other information chosen by that customer.

2.4 We do not generally need to store full payment card details in order to provide the platform. Payment card processing is handled by third-party payment providers, although we may receive limited billing, transaction and payment-status information from those providers.

3. Sensitive and higher-risk information

3.1 We do not generally seek sensitive information directly from individuals unless it is reasonably required for a specific feature, support activity or service that we provide.

3.2 Because the platform is configurable, our customers may choose to upload or store higher-risk or sensitive information in their own platform environments. Depending on the customer's particular use case, this may include government identifiers, financial information, employment records, identity documents, health information, biometric information or other categories of sensitive information within the meaning of the Privacy Act.

3.3 Where higher-risk or sensitive information is uploaded to a customer-controlled environment in the platform, we handle that information solely to host, operate, maintain, secure and support the platform and related services for that customer, unless otherwise agreed or required by law.

3.4 The relevant customer remains responsible for ensuring that the collection, upload and use of that information through the platform complies with applicable privacy laws, including by providing any required privacy notices and obtaining any necessary consents or other permissions.

4. How we collect personal information

4.1 We may collect personal information directly from you when you:

browse our website or interact with website forms, contact pages, sign-up pages or demo request pages;
contact us by email, telephone, social media, video meeting or other communication channel;
purchase, administer or renew a Subscription;
create or use an account, portal or mobile application;
submit support requests, issue reports, feedback or other correspondence;
upload information into the platform or use platform features, including customer portals and collaboration features; or
use SMIRP AI or another AI-enabled feature and provide prompts, uploaded files, messages, text or other inputs.

4.2 We may collect personal information indirectly:

from customers who provide personal information about their representatives or about other individuals in connection with their use of the platform;
through customer uploads, platform configurations, portal activity and collaboration features used by our customers;
from third-party service providers, payment providers or integrated systems, where such collection is enabled or authorised;
from cookies, logs, analytics tools and similar technologies used on our website or within the platform; and
from publicly available sources, professional advisers or referrers where reasonably necessary for our business operations.

4.3 If you provide us with personal information about another person, you must ensure that you are authorised to do so and, where required by law, that the individual has been informed that their personal information may be disclosed to and handled by us in accordance with this Privacy Policy.

5. How we hold personal information

5.1 We generally hold personal information in electronic form, including within our website and platform infrastructure, cloud-hosted systems, customer environments, ticketing systems, email systems, logs, backup environments, CRM tools, accounting systems, documents and other business records.

5.2 Personal information may be stored within active customer environments while a Subscription is current, and may also be reflected in backups, archives, support records, security logs and administrative records for the periods described in this Privacy Policy or otherwise permitted by law.

6. Why we collect, hold, use and disclose personal information

6.1 We may collect, hold, use and disclose personal information for purposes including to:

operate our website and provide our Services;
create, administer and secure accounts and Subscriptions;
verify identity, authenticate users and manage permissions;
process payments, administer billing, maintain records and collect amounts owing;
configure customer environments, perform onboarding, implement customisations and provide support;
enable collaboration, portals, workflows, reporting, notifications and other platform functionality;
deliver AI-enabled features and generate AI-assisted outputs;
monitor service usage, detect security issues, prevent misuse, investigate incidents and maintain system integrity;
analyse platform usage, feature utilisation and system performance, including for service analytics, benchmarking, product development and service improvement;
communicate with you about your account, your Subscription, updates, changes, security matters, support matters and business opportunities;
send direct marketing communications in accordance with applicable law;
respond to enquiries, complaints, requests for access or correction, and other communications;
comply with legal, regulatory, taxation, audit, risk-management and enforcement obligations; and
facilitate a business sale, restructuring, investment, merger or similar corporate transaction involving our business or assets.

6.2 Where permitted by law, we may use de-identified or aggregated information, including de-identified service analytics and derived usage trends, for analytics, benchmarking, system administration, product development, service improvement and AI-related development or improvement.

7. Direct marketing

7.1 We may use personal information to send you direct marketing communications about our services, product updates, features, solutions, events, promotions or business opportunities by email and other electronic means permitted by law.

7.2 You can opt out of receiving direct marketing communications at any time by using the unsubscribe facility in the communication or by contacting us using the contact details set out below.

8. Cookies, analytics and similar technologies

8.1 We and our service providers may use cookies, pixels, tags, logs, analytics tools, software development kits and similar technologies on our website and within the platform to collect technical and usage information about users and devices.

8.2 These technologies may be used to remember user settings, maintain sessions, measure and improve functionality, understand website traffic, monitor service performance, support security controls, analyse usage patterns and support our marketing and communications activities.

8.3 Most browsers allow you to disable or block cookies. However, doing so may affect the functionality, availability or user experience of parts of the website or platform.

9. Disclosure of personal information

9.1 We may disclose personal information to the following categories of recipients where reasonably necessary for the purposes described in this Privacy Policy:

our directors, officers, employees, contractors and support personnel who require access to perform their duties;
cloud hosting, infrastructure, storage, monitoring, ticketing, analytics, communications, payment, AI and other technology providers that support our website, platform and business operations;
professional advisers, accountants, auditors, insurers, financiers and legal advisers;
regulators, courts, law enforcement agencies and government authorities where disclosure is required or authorised by law;
prospective or actual purchasers, investors, financiers or advisers in connection with a corporate transaction involving our business or assets;
customer-authorised integrations, external collaborators, portal users or other recipients to whom information is disclosed at the direction of, or through permissions configured by, the relevant customer; and
other persons where the relevant individual has consented or where disclosure is otherwise permitted by law.

9.2 If a customer grants third parties access to a customer-controlled environment, enables platform-based collaboration with external parties, or authorises integrations with third-party systems, personal information may be disclosed through those arrangements in accordance with that customer's configuration and instructions.

9.3 We may also disclose personal information where reasonably necessary to establish, exercise or defend legal claims, enforce our rights, investigate fraud or security incidents, or protect the rights, property or safety of SMIRP, our customers or others.

10. Overseas disclosure and cross-border access

10.1 We may store personal information on infrastructure located in Australia or in other countries and may permit access to personal information from overseas where this is reasonably necessary for hosting, support, development, security, maintenance, analytics or other operational purposes.

10.2 Depending on the services we use and our operational arrangements from time to time, personal information may be disclosed to, stored with or accessed from recipients located outside Australia. Information handled by global technology providers may also transit through or be processed in other jurisdictions in which those providers operate infrastructure or support functions.

10.3 Where required, we take reasonable steps to ensure that overseas recipients handling personal information for us do so under appropriate contractual, technical or organisational protections as reasonably required under the Privacy Law.

11. Security of personal information and data breach response

11.1 We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

11.2 The safeguards we use may include access controls, role-based permissions, authentication measures, encryption, network and system monitoring, logging, software updates, internal security practices, confidentiality obligations for Personnel and other technical and organisational measures appropriate to the circumstances.

11.3 Despite these measures, no method of transmission over the internet and no electronic storage system can be guaranteed to be completely secure. You should take appropriate precautions when transmitting information electronically.

11.4 If we become aware of a suspected or actual data breach involving personal information, we will assess, contain, investigate and respond to the incident in accordance with our internal processes and applicable law, including the Notifiable Data Breaches scheme to the extent it applies to us.

12. Retention, deletion, de-identification and offboarding

12.1 We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain records, comply with legal obligations, resolve disputes, enforce our rights and protect the security and integrity of our systems.

12.2 During an active customer Subscription, personal information may remain in the relevant customer environment for as long as the account remains active and the information is required for the customer's use of the platform.

12.3 When a customer Subscription ends, we generally retain relevant account and platform data for a limited offboarding period of up to 30 days to allow for data export and orderly account closure, unless the data is deleted earlier or a longer retention period is required or agreed.

12.4 After the offboarding period, we may delete or de-identify personal information from active systems, subject to any legal requirement to retain information and subject to the continued retention of limited records reasonably required for billing, dispute resolution, audit, compliance, security and enforcement purposes.

12.5 Deletion from active systems may not result in immediate removal from backup media, archives or disaster-recovery environments. Residual copies may remain until they are overwritten or otherwise deleted in the ordinary course of our backup and retention processes.

12.6 We may retain de-identified or aggregated service analytics, metadata and derived information on an ongoing basis for the purposes described in this Privacy Policy.

13. Access and correction

13.1 You may request access to personal information we hold about you, and request correction of inaccurate, out-of-date, incomplete, irrelevant or misleading personal information, by contacting us using the details set out below.

13.2 Before responding to a request, we may need to verify your identity and ask for further information to clarify the scope of your request.

13.3 Where the relevant personal information sits within a customer-controlled platform environment, we may direct you to make your request to the relevant customer first, because that customer may be best placed to respond to the request or to instruct us in relation to that information.

13.4 We may refuse access to, or correction of, personal information in circumstances permitted by law. If we do so, we will provide reasons where required.

14. Complaints

14.1 If you have a complaint about how we have handled your personal information, you may contact us using the details set out below and provide sufficient detail to allow us to investigate the complaint.

14.2 We will review the complaint and respond within a reasonable period.

14.3 If you are not satisfied with our response, you may be able to refer your complaint to the Office of the Australian Information Commissioner or another relevant regulator.

15. Third-party websites and services

15.1 Our website and platform may contain links to, or may interoperate with, third-party websites, applications or services. We are not responsible for the privacy practices of those third parties.

15.2 If you leave our website, use a third-party service, or authorise a third-party integration through the platform, you should review the relevant third party's privacy policy and terms before providing personal information or using that service.

16. Changes to this Privacy Policy

16.1 We may update this Privacy Policy from time to time to reflect changes to our services, technology, legal obligations or business practices.

16.2 The updated version will be published on our website and will take effect from the date stated in the updated version.

17. Contact Us

If you have any questions, requests or complaints about this Privacy Policy or our privacy practices, you can contact us using the following details:

SMIRP

Privacy Officer

Email: info@smirp.io