How it works Why us Pricing Sign in Start free
Legal

Privacy Policy

Last updated: 20 June 2026 — DRAFT pending final legal review

Draft notice. This Privacy Policy is a working draft and is not yet finalised by counsel. It is published here for transparency while under review and may change before it takes legal effect.

1. Who we are & how to contact us

1.1 INTEGRIWORKS PTY LTD (ACN 697 589 825 / ABN 22 697 589 825), Level 1, 63-73 Ann Street, Surry Hills, NSW 2010, Australia, is responsible for the personal information described in this policy.

1.2 This policy covers the website (integriworks.org), the app (app.integriworks.org), our SaaS subscriptions, and our AI-led Oracle NetSuite implementation and consulting services.

1.3 Privacy contact / Privacy Officer: privacy@integriworks.org.

1.4 Roles. For information about our own visitors and SaaS subscribers we generally act as the entity responsible (controller). For personal information inside a client's data that we process during an implementation, the client is the controller and we act as processor under the Data Processing Agreement and MSA — that information is handled on the client's instructions, and the client's own privacy notice governs its collection.

2. What personal information we collect

2.1 Account information — name, business name, email, role, authentication identifiers (via our identity provider, Clerk), and account settings.

2.2 Billing information — billing name, address, subscription plan, and payment metadata. Card payments are processed by Stripe; we do not store full card numbers.

2.3 Usage information — log data, device/browser information, IP address, pages and features used, and similar analytics.

2.4 Support & communications — emails, messages, call/meeting notes, and (where you use our avatar/voice features) audio and related transcripts.

2.5 Client Data processed during engagements — to implement NetSuite we process data clients provide, which may include financial records, accounting data, employee and contact details, and other personal information ("personal data") belonging to the client's staff, customers or suppliers. We process this on the client's documented instructions as a processor; categories are set out in the DPA's processing schedule.

2.6 We collect information directly from you, automatically through use of the Platform, and from clients (for engagement Client Data).

3. How and why we use personal information

3.1 We use personal information to: provide and operate the Platform and services; authenticate and secure accounts; process billing and subscriptions; deliver implementation engagements; provide support; communicate service and (with consent or as permitted) marketing messages; improve and develop our services; and comply with legal obligations.

3.2 Lawful basis / purpose. Under the Privacy Act we collect only what is reasonably necessary for these functions. Where the GDPR applies, our lawful bases are contract performance, legitimate interests, consent (e.g. some marketing), and legal obligation (see §10).

3.3 Direct marketing. Where we send marketing, you can opt out at any time via the unsubscribe link or by contacting us.

4. AI processing disclosure

4.1 Our services are AI-assisted. To deliver them, personal information and Client Data may be processed by artificial-intelligence models and by AI sub-processors (see §6), including for generating configuration, documentation, analysis, and (where used) avatar/voice interactions.

4.2 We engage AI providers on terms intended to prevent your data being used to train their general models, and we apply least-privilege access and per-engagement isolation.

4.3 AI outputs may contain errors and are reviewed by a chartered accountant at defined human-gated steps; they do not replace your professional judgement.

5. When we disclose personal information

5.1 We disclose personal information to: our sub-processors and service providers (§6); a client (for that client's own Client Data); professional advisers; payment and identity providers; and authorities where required by law.

5.2 We may disclose in connection with a business sale or restructure, subject to appropriate protections.

5.3 We do not sell personal information for money. (For the CCPA/CPRA meaning of "sell"/"share", see §9.)

6. Sub-processors & third parties

6.1 We use the following key providers (also listed in the DPA's Annex B):

ProviderPurposeNotes
Amazon Web Services (AWS)Hosting & storage (incl. the S3 "SuiteVault" store)Data may be stored in [region]
NeonManaged database
ClerkAuthentication / identity
StripePayments
ResendTransactional email
AnthropicAI models
Tavus / ElevenLabsAvatar / voice (where used)

6.2 We remain responsible for our sub-processors' handling of personal information and require them to provide appropriate protection. We may add or change sub-processors; for engagement Client Data, change notice is given under the DPA.

7. Cross-border / overseas disclosure (APP 8)

7.1 Some of our providers process or store data outside Australia, including in the United States and potentially other regions. By using the Platform and services, you acknowledge that your personal information may be disclosed to and processed by overseas recipients.

7.2 Before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs, or rely on an APP 8.2 exception (such as your consent or a binding scheme). Where the GDPR applies, overseas transfers rely on appropriate safeguards (e.g. Standard Contractual Clauses).

8. Cookies & analytics

8.1 We use cookies and similar technologies for authentication, security, preferences and analytics. You can control cookies through your browser; disabling some may affect functionality.

8.2 We may use analytics tools to understand site usage. [Specific analytics provider to be confirmed.]

9. Your rights — Australia, and US (CCPA/CPRA)

9.1 Australia (APPs). You may request access to the personal information we hold about you and ask us to correct it if inaccurate. We will respond within a reasonable time and may verify your identity first. Some requests may be subject to exceptions in the Privacy Act.

9.2 United States — CCPA/CPRA (California, and similar US state laws). If you are a covered consumer, you may have the right to: know/access the categories and specific pieces of personal information we collect; request deletion; request correction; and opt out of "sale"/"sharing" of personal information and of certain targeted advertising. We do not sell personal information for money. We will not discriminate against you for exercising these rights. To exercise them, contact privacy@integriworks.org; we will verify your request. Authorised agents may submit requests where the law allows.

9.3 For engagement Client Data, individuals should contact the relevant client (the controller); we will assist the client to respond.

10. EU / EEA & UK — GDPR (where applicable)

10.1 Where the GDPR/UK GDPR applies to our processing of your personal data:

  • (a) Lawful bases: contract, legitimate interests, consent, and legal obligation (§3.2).
  • (b) Your rights: access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent and to lodge a complaint with a supervisory authority.
  • (c) Transfers: overseas transfers use appropriate safeguards such as Standard Contractual Clauses (§7.2).
  • (d) EU/UK representative: to be appointed if required.

11. Security

11.1 We apply reasonable technical and organisational measures appropriate to the data, including encryption in transit and at rest, per-engagement key isolation, least-privilege access controls, secrets management, and monitoring. Immutable, region-restricted backups protect against loss.

11.2 No system is perfectly secure; we cannot guarantee absolute security. We will notify affected individuals and the OAIC where required under the Notifiable Data Breaches scheme, and clients under the DPA.

12. Data retention & deletion

12.1 We keep personal information only as long as needed for the purposes in this policy or as required by law (e.g. tax/accounting records).

12.2 Engagement exit. For implementation engagements, on termination or request we provide an export pack and then cryptographically delete the client's per-engagement data and issue a deletion certificate, subject to legal retention limits (as set out in the MSA/DPA).

12.3 You may request deletion of your account information, subject to legal retention and the limits above.

13. Children

13.1 The Platform is for business use and not directed to children under 16. We do not knowingly collect their personal information.

14. Complaints

14.1 To raise a privacy concern, contact our Privacy Officer (§1.3); we will investigate and respond. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. EU/UK and US residents may also contact their relevant regulator.

15. Changes to this policy

15.1 We may update this policy and will post the new version with an updated effective date; material changes will be notified by reasonable means.

© 2026 IntegriWorks Pty Ltd · NetSuite OneWorld implementation, accelerated.
Terms · Privacy · integriworks.org · hello@integriworks.org