Privacy Policy

Version: 0.1-draft · Last updated: 2025-12-15

Important Notice: This document is a comprehensive draft prepared based on the Privacy Act 1988 (Cth) and Australian Privacy Principles. It MUST be reviewed and approved by a qualified Australian lawyer before publication. All sections marked with [NOTE] require specific legal review.

This Privacy Policy explains how [Your Business Name Pty Ltd] (ABN/ACN [00 000 000 000]) collects, uses, discloses, and protects your personal information when you use the Nomarch service.

Our registered office is located at: [Level 00, 123 Placeholder St, City, State, 0000].

We are committed to protecting your privacy and complying with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme, and the Spam Act 2003 (Cth).

This Privacy Policy should be read together with our Terms of Service, AI Use & Limitations Notice, Cookies Policy, and Security Overview.

1. What Personal Information We Collect

Account and Profile Information

When you create an account, we collect: name, email address, password (hashed/encrypted), practice area (optional), jurisdiction (optional), organization/firm name (optional), and professional role (optional).

Billing and Payment Information

When you subscribe to a paid plan, we collect: billing name and address, payment method information (processed by Stripe - we only store tokenized references), Stripe customer ID and subscription ID, transaction history and invoices, and tax information (e.g., ABN for GST).

Important: We do NOT store your full credit card numbers or CVV codes. Payment processing is handled by Stripe, a PCI-DSS compliant payment processor.

Usage and Activity Data

When you use the Service, we automatically collect: search queries, feature usage, brainstorm sessions (anonymized metadata only), timestamps, usage counts (for billing), session data, saved searches and favorites, and export/download activity.

AI Service Inputs and Outputs

Case Facts (Zero-Retention):

  • When you use the Brainstorm feature, you submit Case Facts for AI analysis
  • Case Facts are NOT permanently stored in our database
  • Case Facts are processed by our AI provider (Anthropic) in zero-retention mode
  • Case Facts are immediately deleted after the AI generates results
  • We only retain anonymized metadata (e.g., "user performed 1 brainstorm on [date]") for billing

Search Queries: Search queries and keywords are cached for up to 7 days to improve performance. Cached queries do not contain Case Facts, only search terms and result summaries.

AI-Generated Outputs: Outputs generated by the AI (summaries, arguments, analyses) may be stored in your account. You can view, export, and delete Outputs from your account dashboard.

[NOTE: Counsel should verify that the zero-retention implementation is correctly configured and documented, and confirm that this approach adequately protects client confidentiality and legal professional privilege.]

Device and Technical Information

We automatically collect: IP address, browser type and version, operating system, device type, screen resolution, referrer URL, and user agent string.

Cookies and Tracking Technologies

We use essential cookies (required for the Service to function), analytics cookies (with your consent), and preference cookies (to remember your settings). You can manage cookie preferences through our cookie consent banner and your browser settings. See our Cookies Policy for details.

Communications and Support

When you contact us, we collect: email correspondence, support tickets, feedback and survey responses, and phone call records (if you call us - with notice).

Marketing and Preferences

If you opt in to marketing communications, we collect: email marketing preferences, email engagement data (opens, clicks), and unsubscribe requests.

Information We Do NOT Collect

Unless you specifically provide it, we do NOT intentionally collect: Sensitive Information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal records; biometric information; government identifiers; or financial account details (beyond what Stripe collects).

2. How We Collect Personal Information

Directly From You: Account registration, profile updates, service use, communications, surveys and feedback, payment information.

Automatically When You Use the Service: Server logs, cookies and tracking technologies, analytics tools (if you consent), error and diagnostic logs.

From Third Parties: Stripe (payment status, subscription status), email service providers (delivery status), analytics providers (with your consent).

3. How We Use Personal Information

To Provide and Operate the Service (APP 6)

Account management, service delivery, billing and payments, usage enforcement, customer support, and service communications (transactional emails).

To Improve and Develop the Service (APP 6)

Product analytics (with consent), performance monitoring, feature development, and research and testing (with consent).

Important: We do NOT use your Case Facts or confidential inputs to train AI models. Our AI provider (Anthropic) operates in zero-retention mode.

For Security and Fraud Prevention (APP 6)

Security monitoring, threat detection, account security, and compliance monitoring.

For Marketing and Communications (APP 6, with consent)

Marketing emails (only if you opt in), surveys and feedback (you can opt out), and announcements about new features or important updates.

You can opt out of marketing emails at any time by clicking "unsubscribe" in any marketing email or updating your preferences in your account settings.

For Legal and Compliance Purposes (APP 6)

Legal obligations, dispute resolution, enforcement of our Terms of Service, audit and compliance, and protection of rights.

4. Disclosure of Personal Information to Third Parties

Service Providers and Subprocessors (APP 6)

We engage third-party service providers to help us operate the Service. These providers may access or process your personal information on our behalf, subject to contractual confidentiality and data protection obligations.

Payment Processing: Stripe, Inc. (United States) - Process payments, manage subscriptions, handle refunds

AI Services: Anthropic PBC (United States) - Process AI queries and generate outputs (Claude API) in zero-retention mode

Hosting and Infrastructure: Vercel Inc. (United States) - Host the web application, CDN, serverless functions; Neon / PostgreSQL Hosting - Database hosting and management

Email Services: Email service providers (United States) - Send transactional and marketing emails

Analytics (with your consent): PostHog (United States/EU) - Product analytics, feature usage tracking (only if you consent to analytics cookies)

[NOTE: Counsel should confirm the final list of service providers and verify that appropriate data processing agreements are in place with each provider, particularly for overseas recipients (APP 8 compliance).]

Legal and Regulatory Authorities (APP 6.2(e))

We may disclose personal information to law enforcement agencies, courts and tribunals, regulatory bodies (e.g., OAIC, ACCC), and government agencies when legally required or permitted. We will notify you unless prohibited by law.

Professional Advisers (APP 6.2(e))

We may disclose personal information to lawyers, accountants and auditors, and consultants (subject to confidentiality obligations).

Business Transfers (APP 6.2(e))

If we are involved in a merger, acquisition, sale of assets, or bankruptcy, we may disclose or transfer personal information to prospective buyers, successors, or administrators. You will be notified of any such transfer.

5. Overseas Disclosure of Personal Information (APP 8)

Countries Where Data May Be Processed

United States: Stripe (payment processing), Anthropic (AI services), Vercel (hosting), email service providers, analytics and monitoring tools

European Union (depending on configuration): Some service providers offer EU data residency options. We may use EU-based servers for certain services.

[NOTE: Counsel should verify the actual locations where data is processed and confirm that appropriate safeguards are in place for overseas transfers, including contractual protections and compliance with APP 8.]

Safeguards for Overseas Disclosure

When we disclose personal information overseas, we take reasonable steps to ensure: contractual protections (data processing agreements, contractual obligations to protect personal information, compliance with Australian privacy standards); security measures (encryption in transit and at rest, access controls and authentication); and vendor due diligence (we assess service providers' privacy and security practices).

Your Acknowledgment

By using the Service, you acknowledge and consent to the overseas disclosure of your personal information as described in this section. If you do not consent to overseas disclosure, you should not use the Service, as overseas processing is necessary for us to provide the Service.

6. AI Processing and Confidential Information

Special Handling of Case Facts

We recognize that legal professionals may submit confidential or privileged information to the Service. We have implemented special safeguards:

Zero-Retention Mode: Case Facts submitted to the Brainstorm feature are processed by Anthropic Claude in zero-retention mode. This means Anthropic does not store Case Facts or use them to train AI models. Case Facts are deleted immediately after processing.

No Permanent Storage: We do not permanently store Case Facts in our database. Only anonymized metadata is retained for billing.

Encryption: All data transmitted to AI services is encrypted in transit (TLS). Case Facts are not stored in server logs.

Your Responsibilities

You are responsible for: ensuring you have authority and client consent to submit information to the Service; anonymizing or de-identifying Case Facts where appropriate; not submitting information that you are prohibited from disclosing; and complying with your professional obligations regarding confidentiality and privilege.

We recommend: removing client names, identifying details, and sensitive information before submission; using generic descriptions of facts where possible; and obtaining client consent for use of AI tools (as may be required by professional conduct rules).

[NOTE: This section should be reviewed by an Australian lawyer with expertise in legal professional privilege and professional conduct rules. Consider whether additional warnings or restrictions are needed.]

No Guarantee of Privilege Protection

While we implement technical safeguards, we cannot guarantee that legal professional privilege will be maintained, confidentiality obligations will not be breached by your use of the Service, or third-party AI providers will not be subject to legal process requiring disclosure. You should obtain independent legal advice on the privilege and confidentiality implications of using AI tools in your practice.

7. Data Retention and Deletion

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Information: Retained while your account is active; deleted within 90 days of account closure (subject to legal retention requirements)

Usage and Activity Data: Search queries cached for up to 7 days, then deleted; usage metadata retained for up to 2 years for billing and analytics; session logs retained for up to 90 days for security

AI Inputs and Outputs: Case Facts NOT stored (zero-retention mode); search queries cached for up to 7 days; AI-generated Outputs retained until you delete them or close your account

Billing and Payment Data: Transaction records and invoices retained for 7 years for tax and accounting compliance; payment method tokens retained while your subscription is active, deleted upon cancellation

Communications: Support tickets and email correspondence retained for 3 years

Legal and Compliance: Records required for legal compliance, dispute resolution, or regulatory purposes retained as required by law (typically 7 years)

[NOTE: Counsel should review these retention periods against applicable legal requirements, including tax law, corporations law, and professional conduct rules. Adjust as necessary.]

8. Security of Personal Information

We implement reasonable technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, and destruction.

Technical Measures: Encryption in transit (TLS 1.2 or higher/HTTPS), encryption at rest (AES-256 or equivalent for sensitive data), access controls (role-based access controls), authentication (strong password requirements, optional 2FA), and security monitoring.

Organizational Measures: Employee training, access restrictions, confidentiality agreements, and incident response plan.

Your Security Responsibilities: You are responsible for keeping your password secure and confidential, not sharing your account credentials, using a strong unique password, enabling two-factor authentication (if available), logging out after each session, and notifying us immediately if you suspect unauthorized access.

Limitations: No system is 100% secure. Despite our safeguards: unauthorized access, hacking, or data breaches may occur; internet transmission is not completely secure; and you use the Service at your own risk. We will continuously improve our security measures, respond promptly to security incidents, and notify you of data breaches as required by law.

9. Data Breach Notification (NDB Scheme)

Under the Notifiable Data Breaches (NDB) scheme in the Privacy Act, we are required to notify you and the OAIC if: there is unauthorized access to or disclosure of personal information; personal information is lost in circumstances where unauthorized access or disclosure is likely; and the breach is likely to result in serious harm to affected individuals.

If a notifiable data breach occurs, we will: assess the breach, contain and remediate, notify affected individuals as soon as practicable (typically within 72 hours), notify the OAIC, and investigate and prevent recurrence.

10. Your Rights and Choices

Right to Access (APP 12)

You have the right to request access to the personal information we hold about you. Email privacy@nomarch.com.au with your request. We will respond within 30 days.

Right to Correction (APP 13)

You have the right to request correction of inaccurate, incomplete, or out-of-date personal information. Email privacy@nomarch.com.au or update information directly in your account settings. We will respond within 30 days.

Right to Deletion / Erasure

You have the right to request deletion of your personal information in certain circumstances. Email privacy@nomarch.com.au or delete your account from your account settings. We may retain information if required by law.

Right to Data Portability

You can export your data from the Service at any time. Log in to your account, go to Settings > Data Export, and click "Export My Data". You will receive a download link via email (typically within 24 hours) in JSON or CSV format.

Right to Opt Out of Marketing

You can opt out of marketing communications at any time by clicking "Unsubscribe" in any marketing email, updating your preferences in Settings > Notifications, or emailing privacy@nomarch.com.au. You will still receive transactional emails.

Right to Complain

If you believe we have breached your privacy rights, you have the right to complain. Email privacy@nomarch.com.au with details of your complaint. We will acknowledge your complaint within 5 business days and respond within 30 days.

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au, 1300 363 992, enquiries@oaic.gov.au

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are under 18, you must not create an account or use the Service. If you are a parent or guardian and believe your child has provided personal information to us, contact privacy@nomarch.com.au. We will delete the information as soon as reasonably practicable.

[NOTE: Counsel should confirm whether age verification measures are required and whether the 18+ restriction is appropriate for the Service.]

12. Contact Us About Privacy

If you have questions about this Privacy Policy or our privacy practices, contact us:

Email: privacy@nomarch.com.au
Subject line: Privacy Inquiry

Postal Address:
Privacy Officer
[Your Business Name Pty Ltd]
[Level 00, 123 Placeholder St, City, State, 0000]
Australia

General Support: support@nomarch.com.au
Legal Inquiries: legal@nomarch.com.au

Contact

[Your Business Name Pty Ltd]

ABN/ACN: [00 000 000 000]

Registered address: [Level 00, 123 Placeholder St, City, State, 0000]

Email: privacy@nomarch.com.au

Developer note: Counsel to replace placeholders (entity name, ABN/ACN, address, and contact emails) before production.