Privacy Policy

We are committed to managing personal information openly and transparently. This policy is publicly available on our website at redrocksystems.com.au/privacy. A copy is also available on request by contacting us at hello@redrocksystems.com.au.

We only collect personal information that is reasonably necessary for one or more of our functions or activities. Where it is lawful and practicable to do so, individuals may deal with us anonymously or by pseudonym.

Our Privacy Officer can be contacted at: hello@redrocksystems.com.au or by writing to REDROCK SYSTEMS PTY LTD, Australia.

We collect personal information that is reasonably necessary to provide our Services, respond to enquiries, process payments, and comply with our legal obligations.

At or before the time we collect personal information, or as soon as practicable afterwards, we will take reasonable steps to notify you (or ensure you are aware) of the following:

• Our identity and contact details
• The fact and circumstances of collection
• Whether the collection is required or authorised by law
• The purposes for which we collect the information
• The consequences if the information is not collected
• Other entities or categories of entities to whom we usually disclose the information
• That this Privacy Policy contains information about how to access, correct, or complain about handling of the information

Notification is provided through collection notices displayed on our sign-up forms, account creation flows, and product onboarding screens. Where personal information is collected from a third party, we take reasonable steps to ensure you are notified.

We only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose that you would reasonably expect, or where you have consented, or where otherwise permitted by the Privacy Act.

We will only use or disclose personal information for direct marketing purposes if we have your consent, or where the information was collected in the course of a commercial relationship and the marketing relates to our similar goods and services.

Every marketing communication we send will include a clear and easy mechanism to opt-out (unsubscribe). You may also opt out at any time by emailing hello@redrocksystems.com.au with the subject line “Unsubscribe”. We will action opt-out requests within five (5) business days. We do not sell personal information to third parties for marketing purposes.

Some of our service providers are located overseas and may receive personal information from us. We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the APPs before any disclosure.

Countries or regions to which personal information may be disclosed include:

• United States — Stripe (payment processing), Resend (email delivery)
• Global edge network — Vercel (hosting and content delivery; data may transit multiple regions)
• Australia (Sydney) — Supabase (primary database storage at AWS ap-southeast-2)

Where personal information is disclosed to overseas entities, we rely on contractual arrangements (including standard contractual clauses or data processing agreements) to ensure an adequate level of protection. By accepting this policy and using our Services, you acknowledge and consent to these cross-border disclosures as described.

Some of our Services handle government-related identifiers, including:

• NDIS participant numbers — collected and stored in CoordHub solely for the purpose of providing NDIS support coordination services as required under the NDIS Act 2013 and the NDIS (Registered Providers and Approved Quality Auditors) Rules
• Tax File Numbers (TFNs) — may be collected in RedRock PM in the context of accounting practice management, handled strictly in accordance with the Tax File Number Guidelines issued by the Privacy Commissioner
• Other business identifiers (ABN, ACN) — used for business identification only, not for individual tracking

We do not adopt government-related identifiers as our own identifiers for individuals, and we do not disclose them except as required to deliver the specific service for which they were collected or as required by law.

We take reasonable steps to ensure that personal information we collect, use, or disclose is accurate, up to date, and complete. These steps include:

• Allowing users to review and update their account information at any time within the platform
• Validating data formats at the point of collection (e.g., email addresses, phone numbers)
• Conducting periodic reviews of data held where operationally appropriate
• Acting promptly on notifications from individuals that their information is inaccurate or out of date

If you believe information we hold about you is inaccurate, incomplete, or outdated, please contact us and we will take reasonable steps to correct it (see APP 13 below).

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:

You have the right to request access to personal information we hold about you. To make an access request:

• Email us at hello@redrocksystems.com.au with the subject line "Privacy Access Request"
• Include sufficient information to identify yourself and describe the information you are seeking
• We will respond within 30 days of receiving a valid request

We may decline to give access in circumstances permitted under the Privacy Act, including where providing access would pose a serious threat to health or safety, have an unreasonable impact on others' privacy, or where the request is frivolous. If we decline, we will give you written reasons and notify you of available complaint mechanisms.

We will not charge a fee for making an access request, but may charge a reasonable fee for providing access where the retrieval is complex or time-consuming.

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it. To make a correction request:

• Email us at hello@redrocksystems.com.au with the subject line "Privacy Correction Request"
• Describe the information you believe is incorrect and what the correct information should be
• We will respond within 30 days and take reasonable steps to correct the information

If we decline to correct information, we will give you written reasons. You may request that we attach a statement of the correction sought to the information, which we will do if it is reasonable to do so.

Sensitive information as defined in the Privacy Act receives a higher standard of protection. We collect sensitive information only with express consent or where required or authorised by law.

We retain personal information only for as long as it is needed for the purpose for which it was collected, or as required by law. Our general retention periods are:

• Account and profile data: retained while your account is active, plus a 30-day recovery period following account closure, then deleted
• Billing and transaction records: retained for 7 years from the date of the transaction (compliance with Australian tax law)
• AML/CTF records (RedRock AML, Growth Advisory): retained for 7 years from the date the relevant transaction or business relationship ends, as required by Part 10 of the AML/CTF Act 2006
• NDIS participant records (CoordHub): retained in accordance with the NDIS Act 2013 and applicable NDIS rules; customers are responsible for their own retention obligations
• Support communications: retained for 3 years from the date of the last interaction
• Audit and security logs: retained for 12 months, then archived or deleted

We use a minimal number of cookies and do not use third-party tracking or advertising cookies.

If you believe we have interfered with your privacy or breached the Australian Privacy Principles, you may make a complaint to us. We take all privacy complaints seriously.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The updated policy will be published on our website with the revised effective date.

For material changes — those that significantly affect how we handle your personal information — we will provide at least 30 days' notice before the changes take effect, via a notice on our website and, where we hold your email address, by direct notification.

Your continued use of our Services after the effective date of any changes constitutes acceptance of the updated policy.