InterAction Privacy Policy

1. Purpose for Collecting/Processing Personal Information

InterAction collects and processes personal information for the following specific purposes:

Business Operations

  • Client Service Delivery: To provide consulting, software development, and IT services to our clients
  • Project Management: To manage client projects, track deliverables, and ensure service quality
  • Communication: To respond to inquiries, provide support, and maintain business relationships
  • Contract Management: To execute agreements, process invoices, and maintain business records

Marketing and Business Development

  • Lead Generation: To identify and engage potential clients through our website and marketing activities
  • Newsletter and Updates: To send business updates, technical insights, and industry news to subscribers
  • Event Management: To organize and manage webinars, workshops, and other business events

Legal and Compliance

  • Legal Obligations: To comply with applicable laws, regulations, and industry standards
  • Audit and Compliance: To demonstrate compliance with SOC 2, GDPR, and other regulatory requirements
  • Risk Management: To assess and manage business risks, including security and privacy risks


2. Lawful Basis for Processing Personal Information

InterAction processes personal information based on the following lawful bases:

For EU/UK Data Subjects (GDPR)

  • Legitimate Interests (Article 6(1)(f)): Business operations, client service delivery, and marketing to existing clients
  • Contract Performance (Article 6(1)(b)): Fulfilling service agreements and client contracts
  • Consent (Article 6(1)(a)): Newsletter subscriptions and marketing communications
  • Legal Obligation (Article 6(1)(c)): Compliance with tax, employment, and regulatory requirements

For Other Jurisdictions

  • Business Purpose: Processing necessary for legitimate business operations
  • Consent: Where explicitly provided by data subjects
  • Legal Compliance: As required by applicable local laws and regulations


3. Types of Personal Information Collected


Contact Information

  • Full name and professional title
  • Email addresses (business and personal where provided)
  • Phone numbers (office, mobile)
  • Postal addresses (business and billing)
  • Company name and department

Professional Information

  • Job title and role responsibilities
  • Industry and sector information
  • Professional qualifications and certifications
  • Technical skills and expertise areas
  • Project history and deliverables

Technical Information

  • IP addresses and device identifiers
  • Browser type and version
  • Operating system information
  • Website usage data and analytics
  • Login credentials and access logs

Communication Records

  • Email correspondence and attachments
  • Meeting notes and call recordings (with consent)
  • Support ticket history and resolution notes
  • Feedback and survey responses

Financial Information

  • Billing addresses and payment contact details
  • Purchase order numbers and invoicing references
  • Payment history and transaction records
  • Tax identification numbers (where required)


4. Choice and Consent


Consent Mechanisms

  • Website Forms: Explicit consent checkbox for privacy policy acknowledgment
  • Email Marketing: Opt-in consent for newsletters and marketing communications
  • Cookies: Cookie consent banner with granular control options
  • Data Processing: Clear consent requests for specific processing activities

Withdrawal Rights

  • Email Unsubscribe: One-click unsubscribe from all marketing communications
  • Contact Us: Direct contact method to withdraw consent for specific processing
  • Account Access: Self-service options to modify consent preferences where available

Consent Records

  • All consent actions are logged with timestamp, IP address, and consent type
  • Consent records maintained for audit and compliance purposes
  • Regular review and refresh of consent where required by law


5. Methods of Collection


Direct Collection

  • Website Contact Forms: Name, email, phone, and inquiry details
  • Email Communications: Business correspondence and file attachments
  • Phone Calls: Contact information and business discussion notes
  • In-Person Meetings: Business cards and discussion notes
  • Contracts and Agreements: Detailed contact and project information

Automated Collection

  • Website Analytics: Google Analytics for usage patterns and performance
  • Server Logs: Access logs for security monitoring and troubleshooting
  • Email Tracking: Open rates and engagement metrics for business communications
  • Security Monitoring: AWS CloudTrail and GuardDuty for security event logging

Third-Party Sources

  • Business Directories: LinkedIn, company websites, and industry directories
  • Partners and Referrals: Information shared by business partners with appropriate consent
  • Public Records: Publicly available business registration and contact information

Cookies and Tracking Technologies

  • Essential Cookies: Required for website functionality and security
  • Analytics Cookies: Google Analytics for website performance measurement
  • Preference Cookies: User interface and experience preferences
  • Marketing Cookies: Conversion tracking and advertising effectiveness (with consent)


6. Use, Retention, and Disposal


Data Use

  • Client Services: Project delivery, communication, and relationship management
  • Business Operations: Invoicing, contract management, and compliance reporting
  • Marketing: Targeted outreach to prospective and existing clients (with consent)
  • Legal Compliance: Audit trails, regulatory reporting, and legal proceedings support

Retention Periods

  • Active Client Data: Duration of contract plus 7 years for legal and tax purposes
  • Prospect Data: 3 years from last meaningful interaction or until consent withdrawn
  • Marketing Data: Until consent withdrawn or 2 years of inactivity
  • Security Logs: 7 years for audit and compliance purposes
  • Financial Records: 7 years as required by tax and corporate law
  • Employee Data: Duration of employment plus 7 years

Secure Disposal

  • Digital Data: Cryptographic deletion from encrypted storage systems
  • Physical Media: Professional data destruction service with certificates of destruction
  • Cloud Storage: Permanent deletion from AWS S3, Azure Storage, and backup systems
  • Documentation: Secure shredding of physical documents containing personal data


7. Data Subject Rights

Under applicable privacy laws, you have the following rights:

Access Rights

  • Right to Access: Request copies of your personal data we hold
  • Data Portability: Receive your data in a structured, machine-readable format
  • Response Time: Within 30 days of verified request

Correction Rights

  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Update Process: Self-service updates where possible, or contact our privacy team
  • Verification: Identity verification required for data modification requests

Deletion Rights

  • Right to Erasure: Request deletion of your personal data where legally permissible
  • Right to be Forgotten: Complete removal from marketing and non-essential systems
  • Legal Limitations: Some data must be retained for legal, tax, or regulatory compliance

Control Rights

  • Right to Restrict Processing: Limit how we use your personal data
  • Right to Object: Object to processing based on legitimate interests
  • Opt-Out: Withdraw consent for marketing and non-essential processing

Exercise Your Rights

  • Contact Method: privacy@iaction.com.au or +61 [phone number]
  • Identity Verification: Government ID or other acceptable identification required
  • Response Process: Acknowledgment within 5 business days, resolution within 30 days


8. Use of Subprocessors and Third Parties

InterAction shares personal data with the following categories of third parties:

Technology Service Providers

  • Amazon Web Services (AWS): Cloud hosting and data processing
    • Location: Australia and US regions
    • Data Types: All business data including personal information
    • Safeguards: SOC 2 certified, GDPR compliant, data processing agreements
  • Microsoft Azure: Cloud services and Office 365
    • Location: Australia region
    • Data Types: Email communications, document storage
    • Safeguards: SOC 2 certified, GDPR compliant, standard contractual clauses
  • Google Workspace: Email and productivity services
    • Location: Australia region
    • Data Types: Email communications, calendar, documents
    • Safeguards: SOC 2 certified, GDPR compliant, data processing agreement

Business Service Providers

  • Atlassian (Jira/Confluence): Project management and documentation
    • Location: Australia region
    • Data Types: Project information, client communications
    • Safeguards: SOC 2 certified, Privacy Shield Framework
  • Accounting Software Provider: Financial and invoicing systems
    • Location: Australia
    • Data Types: Client contact information, billing data
    • Safeguards: Local privacy law compliance, confidentiality agreements

Professional Services

  • Legal Advisors: Contract review and legal compliance
  • Accounting Firm: Tax preparation and financial audit
  • IT Security Consultants: Security assessments and compliance auditing

Subprocessor Requirements

  • All subprocessors must maintain SOC 2 Type II or equivalent security certification
  • Data processing agreements required for all personal data sharing
  • Regular security assessments and compliance monitoring
  • Incident notification procedures within 24 hours


9. Technical and Organizational Measures


Technical Safeguards

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication and role-based access control
  • Network Security: Firewalls, intrusion detection, and VPN access requirements
  • Monitoring: 24/7 security monitoring with AWS GuardDuty and Security Hub
  • Backup and Recovery: Encrypted backups with quarterly restoration testing

Organizational Measures

  • Privacy Training: Annual privacy and security training for all staff
  • Access Management: Regular access reviews and principle of least privilege
  • Incident Response: Documented procedures for privacy breach response
  • Vendor Management: Due diligence and ongoing monitoring of all data processors
  • Policy Framework: Comprehensive information security and privacy policies

Physical Security

  • Office Security: Locked facilities with access control and security monitoring
  • Device Management: Encrypted laptops and mobile devices with remote wipe capability
  • Document Security: Secure storage and disposal of physical documents
  • Visitor Management: Escorted access and visitor registration procedures


10. Quality and Data Subject Responsibilities


Data Accuracy Obligations

  • InterAction Responsibilities:
    • Implement reasonable measures to ensure data accuracy
    • Provide mechanisms for data subjects to update their information
    • Regularly review and validate data quality
    • Correct inaccuracies promptly when identified
  • Data Subject Responsibilities:
    • Provide accurate information when submitting forms or communications
    • Notify us of changes to contact information or other personal details
    • Review and verify information before submission
    • Report any inaccuracies discovered in their personal data

Data Quality Measures

  • Validation: Form validation and email verification for new data collection
  • Regular Updates: Annual review requests for ongoing client relationships
  • Source Verification: Cross-reference with authoritative sources where appropriate
  • Error Reporting: Clear process for reporting and correcting data errors


11. Monitoring and Enforcement


Privacy Compliance Program

  • Privacy Officer: Nick Brideson serves as designated Privacy Officer
  • Regular Audits: Annual privacy impact assessments and compliance reviews
  • Training Program: Mandatory annual privacy training for all staff
  • Policy Reviews: Annual review and update of privacy policies and procedures

Monitoring Activities

  • Data Processing Logs: Regular review of data access and processing activities
  • Consent Management: Ongoing monitoring of consent preferences and withdrawal requests
  • Vendor Compliance: Quarterly reviews of subprocessor compliance and certifications
  • Incident Tracking: Documentation and analysis of all privacy-related incidents

Enforcement Procedures

  • Internal Discipline: Clear consequences for privacy policy violations by staff
  • Corrective Actions: Systematic approach to addressing compliance gaps
  • Continuous Improvement: Regular updates to policies and procedures based on lessons learned
  • Regulatory Compliance: Cooperation with privacy authorities and regulatory investigations

Contact Information


12. Changes to This Policy


  • Update Notifications: Material changes communicated via email and website notice
  • Version Control: All policy versions maintained with effective dates
  • Consent Refresh: New consent obtained for material changes affecting data processing
  • Implementation Period: 30-day notice period before material changes take effect

This Privacy Policy was last updated on 28/8/2025 and is effective as of 28/8/2025.