Privacy Policy

1. Overview

Innitor Pty Ltd (ABN 49 684 547 288) ("Innitor", "we", "our", or "us") is a technical consulting business based in Melbourne, Australia. We operate the website innitor.com.au and related services.

This privacy policy explains what personal information we collect, how we use it, who we share it with, how we protect it, and what rights you have. It applies to our website, our email communications, and our consulting services.

We are committed to complying with the Australian Privacy Act 1988, the Australian Privacy Principles (APPs), the Spam Act 2003, the EU and UK General Data Protection Regulation (GDPR), and all other applicable privacy laws in the jurisdictions where we operate.

2. Information We Collect

2.1 Information you provide directly

• Contact information when you email us, book a call through Calendly, or submit a form on our website (name, email address, company name, job title, phone number)
• Meeting information when you schedule a consultation (date, time, meeting notes, discussion content)
• Email list sign-up when you download a resource or subscribe to our mailing list (name, email address)
• Project and business information you share during consulting engagements (technical documentation, business requirements, system access credentials)

2.2 Information collected automatically

• Analytics data via Google Analytics 4 (GA4), including pages visited, time on page, referral source, device type, browser type, screen resolution, and approximate geographic location (city-level, derived from IP address)
• Advertising conversion data via Google Ads, including whether you arrived via an ad and whether you completed a conversion action (such as booking a call)
• Server logs via Cloudflare, including IP address, request URL, timestamp, HTTP status code, and user agent string

2.3 Information from third-party sources

• Publicly available business information from sources including company websites, LinkedIn profiles, business directories, and public databases (name, job title, company, business email address, company size, industry)
• Business contact enrichment from data providers such as Apollo.io, used to identify potential consulting clients based on publicly available business information

2.4 Sensitive information

We do not intentionally collect sensitive information (such as health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric data). If you provide sensitive information during a consulting engagement, we will treat it with additional care and only process it to the extent necessary to deliver our services.

3. How We Use Your Information

We use your personal information for the following purposes:

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. Our legitimate interests include operating and improving our business, marketing our services to relevant business contacts, and ensuring the security of our systems.

4. Cookies and Tracking Technologies

Our website uses cookies and similar technologies as follows:

4.1 Strictly necessary cookies

These cookies are essential for the website to function and cannot be disabled. They include Cloudflare security cookies used to protect against malicious traffic. No consent is required for these cookies.

4.2 Analytics cookies

We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 uses first-party cookies to distinguish unique users and sessions. These cookies collect information such as pages viewed, session duration, and referral source. GA4 does not collect personally identifiable information by default. IP addresses are anonymised before storage.

4.3 Advertising cookies

We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. These cookies record when you arrive at our site via a Google ad and whether you complete a conversion action such as booking a consultation.

4.4 Cookie consent

When you first visit our website, you will be presented with a cookie consent banner. Analytics and advertising cookies are only activated after you provide consent. You can withdraw your consent at any time by clearing your cookies or using the cookie settings link in our website footer. We implement Google Consent Mode v2, which ensures cookies are blocked by default for visitors who have not provided consent.

For visitors in the European Economic Area (EEA) and United Kingdom, analytics and advertising cookies are blocked until you explicitly opt in. For visitors in other regions, these cookies may be enabled by default, with the option to opt out.

4.5 How to manage cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking certain cookies may affect the functionality of our website. You can also opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.

5. Email Communications

5.1 Marketing emails you sign up for

If you download a resource or subscribe to our mailing list, we will send you a limited email sequence (typically 4-5 emails over 2 weeks) related to the topic you expressed interest in. You can unsubscribe from these emails at any time using the unsubscribe link included in every message, or by emailing us at [email protected]. We will honour unsubscribe requests within 5 business days.

5.2 Business-to-business outreach

We may send business-to-business communications to professionals whose contact information is publicly available and whose role is relevant to our services. These emails are sent in compliance with the Australian Spam Act 2003 (inferred consent from conspicuously published business addresses), the UK Privacy and Electronic Communications Regulations (PECR) for corporate subscribers, CAN-SPAM (United States), CASL (Canada), and equivalent legislation in other jurisdictions.

Every business email we send includes: clear identification of Innitor as the sender, our business contact details, and a functional unsubscribe mechanism. If you ask us to stop contacting you, we will do so immediately and permanently.

5.3 Transactional emails

If you are an existing client or have booked a consultation, we may send emails directly related to our engagement (meeting confirmations, project updates, invoices). These are not marketing communications and are not subject to unsubscribe requirements.

6. Third-Party Services

We use the following third-party services that may process your personal information:

Each of these services has its own privacy policy. We encourage you to review their policies if you have concerns about how they handle your data.

7. International Data Transfers

Innitor is based in Australia. Some of the third-party services we use process data in other countries, including the United States. When your personal information is transferred outside Australia, the European Economic Area, or the United Kingdom, we take steps to ensure it remains protected:

• We use services that participate in the EU-US Data Privacy Framework (DPF) where applicable (Google, for example, is DPF-certified)
• Where required by the EU or UK GDPR, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as the legal mechanism for cross-border transfers
• We only share your data with third parties who provide adequate safeguards for personal information as required by applicable law

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:

• Client project data: 7 years after the end of the engagement (to meet Australian tax and legal record-keeping requirements)
• Email marketing contacts: Until you unsubscribe, plus 30 days to process the removal
• B2B outreach contact data: Until you opt out, or 3 years from our last contact with you, whichever comes first
• Website analytics data: 14 months (Google Analytics default retention period)
• Server logs: 90 days
• Consultation booking data: 2 years, or for the duration of any resulting client relationship

When data is no longer needed, we securely delete or anonymise it.

9. Data Security

We take reasonable steps to protect your personal information from unauthorised access, modification, disclosure, or destruction. Our security measures include:

• Encryption in transit (TLS/HTTPS) for all website traffic and email communications
• Encryption at rest for stored data via our cloud service providers
• Access controls limiting who can access personal information to authorised personnel only
• Regular security reviews of our systems and third-party services
• Multi-factor authentication on all accounts that store personal data

No method of electronic storage or transmission is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

10. Your Privacy Rights

Depending on where you are located, you may have some or all of the following rights regarding your personal information:

10.1 All individuals

• Right to be informed about how your data is collected and used (this policy)
• Right to opt out of marketing communications at any time
• Right to complain to the relevant supervisory authority (see section 10.7)

10.2 Australia (Privacy Act 1988)

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or out-of-date information
• Complain about a breach of the APPs (we will respond within 30 days)

10.3 European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are in the EEA or UK, you have additional rights under the General Data Protection Regulation:

• Right of access to your personal data and a copy of it
• Right to rectification of inaccurate or incomplete data
• Right to erasure ("right to be forgotten") in certain circumstances
• Right to restrict processing while a dispute is resolved
• Right to data portability in a structured, machine-readable format
• Right to object to processing based on legitimate interest, including direct marketing (this right is absolute for direct marketing; we will stop processing immediately upon your request)
• Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
• Rights related to automated decision-making (we do not currently make decisions based solely on automated processing that produce legal or similarly significant effects)

10.4 United States

If you are a resident of California or another US state with comprehensive privacy legislation (including Virginia, Colorado, Connecticut, Texas, Oregon, and others), you may have the right to:

• Know what personal information we have collected about you
• Request deletion of your personal information
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of your personal information (we do not sell personal information)
• Not be discriminated against for exercising your privacy rights

We honour the Global Privacy Control (GPC) browser signal as a valid opt-out of the sharing of personal information for cross-context behavioural advertising.

We do not sell your personal information. Google Analytics and Google Ads may constitute "sharing" of personal information for cross-context behavioural advertising under certain US state laws. You can opt out of this sharing by declining analytics and advertising cookies, or by enabling GPC in your browser.

10.5 Canada (PIPEDA)

If you are in Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Access the personal information we hold about you
• Challenge the accuracy and completeness of your information and have it corrected
• Withdraw your consent to our collection, use, or disclosure of your information (subject to legal or contractual restrictions)

10.6 New Zealand, Singapore, and Hong Kong

If you are in New Zealand (Privacy Act 2020), Singapore (Personal Data Protection Act 2012), or Hong Kong (Personal Data (Privacy) Ordinance), you have rights to access and correct the personal data we hold about you, and to withdraw consent for its use. We will comply with the specific requirements of your local privacy legislation upon request.

10.7 Supervisory authorities

If you believe we have not handled your personal information correctly, you have the right to lodge a complaint with the relevant authority:

• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: Your local data protection authority (a full list is available at edpb.europa.eu)
• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
• New Zealand: Office of the Privacy Commissioner — privacy.org.nz
• Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
• Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) — pcpd.org.hk

We encourage you to contact us first so we can try to resolve your concern directly.

11. How to Exercise Your Rights

To exercise any of your privacy rights, contact us at: [email protected]

We will respond to your request within 30 days (or sooner if required by your local law). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

You can also write to us at:

Innitor Pty Ltd
Privacy Enquiries
Melbourne, VIC
Australia

12. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to affected individuals, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme
• Notify the Information Commissioner's Office (ICO) and any other relevant supervisory authority within 72 hours where required by the GDPR
• Notify affected individuals without undue delay, including a description of the breach, the likely consequences, and the steps we are taking to address it

13. Children's Privacy

Our services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly. If you believe we have inadvertently collected information from a child, please contact us at [email protected].

14. Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC) signal as a valid opt-out of the sharing of personal information for cross-context behavioural advertising. When we detect a GPC signal, we will treat it as a request to opt out of analytics and advertising cookies.

We do not currently respond to the older Do Not Track (DNT) browser signal, as there is no industry-standard interpretation for how it should be handled.

15. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective date" at the top of this page. We encourage you to review this policy periodically.

If we make a change that materially reduces your rights, we will provide prominent notice (such as a banner on our website or an email to affected individuals) before the change takes effect.

16. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our handling of your personal information, please contact us:

• Email: [email protected]
• General enquiries: [email protected]
• Website: innitor.com.au