Privacy Policy
How we collect, use, store, and protect your personal information.
Encode Digital Software Solutions Pty Ltd (ACN 690 774 719, ABN 85 690 774 719) ("Encode Digital", "we", "us", or "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, hold, use, and disclose your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This Privacy Policy applies to all personal information collected through our website at encodedigital.com.au ("Website"), through our contact form, via email correspondence, during consultations, and in connection with the provision of our Services. By using our Website or providing us with your personal information, you consent to the collection and handling of your information as described in this Policy. This Policy should be read together with our Terms of Use.
1. Introduction
We understand the importance of protecting your personal information and are committed to handling it responsibly and in compliance with applicable privacy laws. This Privacy Policy describes:
- The types of personal information we collect and how we collect it;
- The purposes for which we collect, hold, use, and disclose your personal information;
- How we store and protect your personal information;
- How you can access and correct your personal information;
- How you can make a complaint about a breach of your privacy; and
- Whether your personal information is disclosed to overseas recipients.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We encourage you to review this Policy periodically. The "Last updated" date at the top of this page indicates when the Policy was most recently revised.
2. Who We Are
Encode Digital Software Solutions Pty Ltd is a digital solutions and custom software development company based in Sydney, New South Wales, Australia. We provide professional services including website development, web application development, mobile app development, MVP development, API development and integration, and AI solutions.
Legal Name: Encode Digital Software Solutions Pty Ltd
ACN: 690 774 719
ABN: 85 690 774 719
Location: Sydney, New South Wales, Australia
Email: info@encodedigital.com.au
For the purposes of applicable data protection laws, Encode Digital Software Solutions Pty Ltd is the data controller (or equivalent) responsible for the personal information collected through this Website and in connection with our Services.
3. Definitions
In this Privacy Policy:
- "Personal Information" has the meaning given to it in the Privacy Act 1988 (Cth) and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.
- "Sensitive Information" means personal information about an individual's racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, genetic information, or biometric information. We do not intentionally collect Sensitive Information through our Website.
- "Services" means the digital solutions, software development, consulting, and related professional services offered by Encode Digital, including Landing Pages & Websites, Web Applications, Mobile App Development, MVP Development, API Development & Integration, and AI Solutions.
- "Client" means any individual or entity that engages Encode Digital to provide Services.
- "APPs" means the Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
4. Information We Collect
4.1 Information You Provide Directly
We collect personal information that you voluntarily provide to us, including:
Contact Form Submissions
When you submit an inquiry through our contact form, we collect:
- Full name (required) — to identify you and personalise our communications;
- Email address (required) — to respond to your inquiry and send a confirmation email;
- Company name (optional) — to understand your business context;
- Phone number (optional) — to contact you by phone if preferred;
- Service of interest (optional) — to understand which of our services may be relevant to you;
- Estimated project budget (optional) — to help us tailor an appropriate proposal; and
- Project description/message (required) — to understand your project requirements and goals.
Email Correspondence
When you contact us via email at info@encodedigital.com.au, we collect your name, email address, and the contents of your correspondence.
Client Engagement
If you engage us to provide Services, we may additionally collect business contact details, billing information, project-related documentation, access credentials (provided by you for the purpose of performing the Services), and any other information necessary for the performance of the agreed Services.
4.2 Information Collected Automatically
When you visit our Website, we may automatically collect certain technical information, including:
- IP address — collected via server headers (including the x-forwarded-for header) for the purposes of rate limiting, security, and abuse prevention. IP addresses are used to enforce a limit of 3 contact form submissions per 60-second window per IP address;
- Browser type and version;
- Operating system;
- Referring URL (the page that directed you to our Website);
- Pages visited and time spent on the Website; and
- Date and time of access.
This information is collected through standard web server logs and is used in aggregate form to analyse Website usage patterns, maintain security, and improve our Website.
4.3 Information We Do Not Collect
We do not intentionally collect Sensitive Information as defined by the Privacy Act 1988 (Cth). We do not collect financial information (such as credit card numbers) directly through our Website. Any payment processing is handled through separate, secure channels as outlined in our service agreements.
5. How We Collect Information
We collect personal information through the following methods:
- Contact form — When you submit an inquiry through the contact form on our Website. All form submissions undergo input validation (using schema-based validation), HTML sanitisation (to prevent cross-site scripting and injection attacks), and bot detection (via a hidden honeypot field). Submissions identified as automated or malicious are silently discarded;
- Email — When you send us an email directly;
- Consultations — During discovery calls, meetings, or other communications related to potential or existing projects;
- Service engagement — When you enter into a service agreement with us and provide information necessary for the performance of the Services;
- Server logs — Automatically through standard web server logging when you visit our Website; and
- Third parties — In limited circumstances, we may receive personal information about you from third parties, such as referrals from existing clients, business directories, or publicly available sources. Where we do, we will handle that information in accordance with this Privacy Policy.
We will only collect personal information by lawful and fair means and, where reasonable and practicable, will collect it directly from you (APP 3).
6. Why We Collect Information
We collect, hold, use, and disclose your personal information for the following purposes:
- Responding to inquiries — To review your contact form submission, respond to your inquiry, and provide relevant information about our Services;
- Confirmation communications — To send you a confirmation email acknowledging receipt of your inquiry, and to send our team an internal notification email for processing;
- Service delivery — To provide, manage, and improve the Services we offer, including preparing proposals, managing projects, and delivering Deliverables;
- Scheduling consultations — To schedule and conduct free discovery calls and follow-up meetings;
- Business administration — To manage our business relationship with you, including invoicing, payment processing, and record-keeping;
- Legal compliance — To comply with applicable laws, regulations, and legal processes, including taxation and corporate record-keeping obligations;
- Security and fraud prevention — To protect the security and integrity of our Website, including through rate limiting (3 submissions per IP per 60 seconds), bot detection via honeypot fields, and input sanitisation;
- Website improvement — To analyse Website usage patterns, diagnose technical issues, and improve the functionality and user experience of our Website; and
- Communication — To communicate with you about your inquiry, project, or our Services, including responding to your questions and providing updates.
We will not use your personal information for purposes other than those described in this Privacy Policy unless we have obtained your consent or are otherwise required or authorised by law to do so (APP 6).
7. Legal Basis for Processing
Under the Privacy Act 1988 (Cth) and the APPs, we collect and process your personal information on the following bases:
- Consent — By submitting the contact form or providing your personal information to us, you consent to its collection, use, and disclosure as described in this Privacy Policy;
- Contractual necessity — Where processing is necessary for the performance of a contract to which you are a party (e.g., a service agreement or proposal);
- Legitimate interests — Where processing is necessary for our legitimate business interests, such as maintaining Website security, preventing fraud, improving our Services, and managing our business operations, provided that such interests are not overridden by your rights and interests; and
- Legal obligation — Where processing is necessary to comply with a legal obligation to which we are subject, such as taxation, corporate reporting, or responding to lawful requests from government authorities.
9. Third-Party Services
We use the following third-party services in the operation of our Website and business:
Resend (Email Delivery)
Used to send transactional emails, including inquiry confirmation emails to you and notification emails to our team. Data shared: your name and email address. Emails are sent from no-reply@encodedigital.com.au.
Vercel (Website Hosting)
Our Website is deployed on cloud infrastructure that may log IP addresses and request metadata as part of standard server operations.
Unsplash (Stock Images)
Certain illustrative images on our Website are loaded from Unsplash's servers. When these images load in your browser, your IP address and browser information may be visible to Unsplash in accordance with standard HTTP protocols.
Each third-party service has its own privacy policy governing the use of your data. We encourage you to review their respective policies. We select third-party providers that demonstrate a commitment to data security and privacy, and we limit the data shared with each provider to what is strictly necessary for the service they provide.
10. Data Storage and Security
10.1 Security Measures
We take the security of your personal information seriously and implement reasonable technical and organisational measures to protect it from misuse, interference, loss, unauthorised access, modification, and disclosure (APP 11). These measures include:
- Input validation — All contact form submissions are validated against a strict schema (using Zod validation) to ensure data integrity and prevent malformed or malicious input;
- HTML sanitisation — All user-submitted text is sanitised to strip HTML entities, null bytes, and potentially harmful content, protecting against cross-site scripting (XSS) and injection attacks;
- Rate limiting — Contact form submissions are rate-limited to 3 requests per IP address per 60-second sliding window to prevent abuse and denial-of-service attempts;
- Bot detection — A hidden honeypot field is used to detect and silently discard automated spam submissions;
- HTTPS encryption — All data transmitted between your browser and our Website is encrypted using TLS/SSL;
- Environment variable protection — Sensitive configuration values such as API keys are stored as server-side environment variables and are never exposed to the client; and
- Access controls — Access to personal information is restricted to authorised personnel who require it for legitimate business purposes.
10.2 Limitations
While we take reasonable steps to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your information. You acknowledge that you provide your personal information at your own risk.
10.3 Your Responsibilities
You are responsible for maintaining the confidentiality of any credentials, access details, or sensitive information you share with us in connection with a project. You should notify us immediately if you become aware of any unauthorised use or security breach related to information you have shared with us.
11. Data Retention
We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law. Specifically:
- Contact form inquiries — Retained for the duration of the business relationship and for a reasonable period thereafter (typically up to 3 years) for record-keeping and potential follow-up purposes;
- Client project data — Retained for the duration of the project engagement and for a period of 7 years thereafter in accordance with Australian taxation and corporate record-keeping requirements;
- Email correspondence — Retained for the duration of the business relationship and a reasonable period thereafter;
- Rate limiting data — IP addresses used for rate limiting are stored in temporary server memory and are automatically purged every 60 seconds. This data is not persisted to any permanent storage; and
- Server logs — Standard web server logs are retained in accordance with our hosting provider's retention policies.
When personal information is no longer required for any purpose for which it may be used or disclosed under this Privacy Policy, we will take reasonable steps to destroy or de-identify it (APP 11.2), unless we are required by law to retain it.
13. Your Rights
Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights in relation to your personal information:
13.1 Right of Access (APP 12)
You have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable period (generally within 30 days). We may charge a reasonable fee for providing access where permitted by law, and will inform you of any applicable fee before processing your request.
13.2 Right of Correction (APP 13)
You have the right to request that we correct any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will take reasonable steps to correct your information within 30 days of your request. If we refuse to correct your information, we will provide you with written reasons for the refusal and advise you of your right to make a complaint.
13.3 Right to Withdraw Consent
Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time by contacting us. Withdrawal of consent will not affect the lawfulness of any processing carried out before the withdrawal.
13.4 Right to Request Deletion
You may request that we delete your personal information where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn your consent (and no other legal basis for processing applies). We will comply with such requests unless we are required to retain the information for legal, tax, or regulatory purposes.
13.5 How to Exercise Your Rights
To exercise any of the above rights, please contact us at info@encodedigital.com.au. We may need to verify your identity before processing your request. We will respond to all legitimate requests within 30 days. If we require additional time, we will notify you and provide the reasons for the delay.
14. Children's Privacy
Our Website and Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at info@encodedigital.com.au. If we become aware that we have collected personal information from a child under the age of 18 without verification of parental consent, we will take immediate steps to delete that information from our records.
15. International Data Transfers
Our Website is hosted on infrastructure that may process and store data in locations outside of Australia, including the United States. Additionally, our third-party email service provider (Resend) may process data in jurisdictions outside of Australia.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to your information (APP 8). This may include entering into contractual arrangements that require the recipient to comply with privacy protections substantially similar to those under the Privacy Act 1988 (Cth), or relying on the recipient being subject to a law or binding scheme that provides comparable privacy protections.
By providing us with your personal information and using our Website, you consent to the transfer of your information to recipients in other countries, subject to the protections described in this Privacy Policy.
16. Client Project Data
In the course of providing our Services, Clients may provide us with access to data, systems, databases, or applications that contain personal information of their own users, customers, or employees ("Client Data").
- We process Client Data solely on behalf of and in accordance with the instructions of the Client. We act as a data processor (or equivalent) in respect of Client Data;
- We will not access, use, or disclose Client Data for any purpose other than performing the agreed Services, unless required by law;
- Responsibility for obtaining all necessary consents, authorisations, and compliance obligations in respect of Client Data remains with the Client;
- We implement reasonable security measures to protect Client Data during the course of the engagement; and
- Upon completion of the engagement or upon the Client's written request, we will return or securely delete all Client Data in our possession, except where retention is required by law or as agreed in the applicable service agreement.
Specific data handling obligations for Client Data may be set out in individual service agreements, which shall prevail over this Privacy Policy to the extent of any inconsistency.
17. Data Breach Response
In the event of an eligible data breach (as defined by the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme), we will:
- Take immediate steps to contain the breach and, where possible, remediate any harm caused;
- Conduct an assessment to determine whether the breach is likely to result in serious harm to any individuals whose personal information is involved;
- If the breach is assessed as likely to result in serious harm, notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable, in accordance with Part IIIC of the Privacy Act 1988 (Cth);
- Include in our notification: the nature of the breach, the types of personal information involved, recommendations for steps affected individuals can take in response, and our contact details for further information; and
- Maintain a record of all data breaches (whether notifiable or not) and review our security measures to prevent recurrence.
Where the breach involves Client Data, we will notify the affected Client as soon as practicable so that they may take appropriate action in respect of their own notification obligations.
18. Links to Other Websites
Our Website may contain links to third-party websites, including but not limited to our LinkedIn profile and external resources. These third-party websites have their own privacy policies, and we have no responsibility or liability for their content, privacy practices, or terms of use.
We encourage you to read the privacy policy of every website you visit. A link from our Website to a third-party website does not constitute an endorsement, authorisation, or representation of our affiliation with that third party, nor does it constitute an endorsement of their privacy or information security policies or practices.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, applicable laws, or for other operational, legal, or regulatory reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Make reasonable efforts to notify you of significant changes, such as by posting a prominent notice on our Website; and
- Where required by law, seek your consent to any material changes that affect how we handle your personal information.
Your continued use of the Website after the posting of changes constitutes your acceptance of such changes. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information.
20. Complaints
If you believe we have breached the APPs or handled your personal information inappropriately, you have the right to make a complaint. To lodge a complaint:
- Contact us first — Please contact us in writing at info@encodedigital.com.au with details of your complaint. We will acknowledge receipt of your complaint within 5 business days and aim to investigate and respond within 30 days;
- Escalation — If you are not satisfied with our response, or if we have not responded within 30 days, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC).
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Online complaint: www.oaic.gov.au/privacy/privacy-complaints
21. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
Encode Digital Software Solutions Pty Ltd
ACN 690 774 719 | ABN 85 690 774 719
Privacy Officer Email: info@encodedigital.com.au
Website: encodedigital.com.au
Sydney, New South Wales, Australia
We aim to respond to all privacy-related inquiries within five (5) business days. For urgent privacy matters, please clearly mark your correspondence as urgent.
Important Notice: This Privacy Policy is provided for the purpose of informing you about how Encode Digital Software Solutions Pty Ltd handles your personal information. While every effort has been made to ensure this Policy is comprehensive and compliant with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, it does not constitute legal advice. We recommend that you seek independent legal advice if you have specific questions about your privacy rights. This Policy is governed by the laws of New South Wales, Australia.