Privacy Policy

Last updated: [REPLACE: review date]

[REPLACE: legal entity name, e.g. B-connex Pty Ltd, ACN 000 000 000] (“B-connex”, “we”, “our”) operates the B-connex platform. This policy explains what personal information we collect, why we collect it, and your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Information we collect

• Account details — name, email, password hash, role, organisation.
• Business identifiers — ABN, business name, KYC documents you upload for verification.
• Usage data — pages visited, click events, feature usage, IP address, user-agent (used for security and product analytics).
• Authentication metadata — login attempts, last IP, last user-agent, lockout state (used for fraud / abuse prevention).
• Customer leads and outreach data you import or generate within the platform.
• Connected-account tokens — OAuth access tokens for LinkedIn, Email, X and similar (always stored encrypted at rest).
• Billing data — plan, invoice history, GST. Card data is processed by [REPLACE: Stripe / your PSP] and never stored by B-connex.

2. How we use it

• To provide the service you signed up for.
• To send transactional and security emails.
• To detect and prevent abuse, fraud, and unauthorised access.
• To produce ATO/BAS-aligned tax invoices.
• To improve product quality (aggregate analytics).

3. Sub-processors

We use the following third parties to operate the service. By using B-connex you agree to data being shared with them as required for the feature you are using:

• [REPLACE: hosting provider + region, e.g. AWS Sydney ap-southeast-2]
• [REPLACE: Stripe (payments) — region]
• [REPLACE: OpenAI / Anthropic — only used when AI features are invoked; on-prem local model is the default for the Starter tier]
• [REPLACE: SMTP / email provider]
• [REPLACE: Xero (if you push invoices)]

4. Data retention

Account and billing data are retained for the life of your account plus [REPLACE: 7 years for tax records / per APP 11.2]. Authentication and usage events are retained for [REPLACE: 90 / 180 / 365 days] and then aggregated.

5. Your rights

You may request access to or correction of your personal information at any time by emailing [REPLACE: privacy@your-domain.au]. We will respond within 30 days. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

6. International transfer

[REPLACE: We host data in Australia. AI sub-processors may process prompts outside Australia — see the sub-processor list above. We rely on contractual safeguards consistent with APP 8.]

7. Security

We use Argon2id password hashing, encrypted-at-rest token storage (AES-256-GCM with a per-install APP_KEY), TLS in transit, account lockout after repeated failed logins, and audit logging. We monitor IP and user-agent changes for suspicious activity.

8. Breach notification

We comply with the Notifiable Data Breaches scheme. You will be notified at the email on file within the timeframes required by law if a breach is likely to cause serious harm.

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced via in-app notification and email at least 14 days before they take effect.

10. Contact

Privacy contact: [REPLACE: privacy@your-domain.au] · Postal: [REPLACE: street address]

This page was generated as a scaffold by the B-connex installer. Have it reviewed by Australian legal counsel before publishing. All [REPLACE: …] markers must be removed.