Privacy Policy
Effective Date: 26-Aug-2025
Your privacy is important to us. This Privacy Policy explains how TRACTUUM IMPACT MANAGEMENT SOLUTIONS PTY LTD ("Tractuum", "we", "our", or "us") collects, uses, and protects personal information.
Our Privacy Policy is designed for an Australian consultancy company operating globally. It reflects the requirements of the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and (where relevant) other jurisdictions such as the European Union (GDPR).
- Introduction
Purpose - Tractuum (“we”, “us” or “our”) is an Australian-based consultancy that provides advice and professional services to clients worldwide. This policy explains how we manage personal information. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which require us to have an up-to-date, clearly expressed privacy policy describing the types of information we collect, how we collect, hold, use and disclose personal information, how individuals may access and correct it, how to complain, and whether we disclose information overseas. We also comply with overseas privacy laws (such as the EU General Data Protection Regulation) where they apply to our activities.
Who this policy applies to - This policy applies to clients, prospective clients, suppliers, job applicants, contractors and other individuals whose personal information we may handle in the course of providing services. It does not apply to employee records within Australia that are exempt under the Privacy Act.
Updates - We may amend this policy to reflect changes to laws or our practices. The current version will be available on our website, and it was last updated on 26 August 2025.
- Kinds of personal information we collect
Under APP 1, we must identify the types of personal information we collect. The specific information we collect will depend on our relationship with you and may include:
- Identity and contact details - name, job title, employer, postal address, email address, telephone numbers and country of residence.
- Professional information - work history, qualifications, professional memberships and references relevant to a consultancy engagement.
- Financial information - bank account details, credit-card details, billing and invoicing information when you purchase services from us.
- Web-usage data - IP address, browser type, cookies, device identifiers, online behaviour and other analytics captured through our website or platforms.
- Sensitive information - where necessary and permitted, we may collect information about racial or ethnic origin, health conditions, disability, membership of a professional or trade association or criminal history. We only collect sensitive information with your consent and where it is reasonably necessary for our functions or activities, or where another exception under APP 3 applies.
- Other information - any other information you provide to us voluntarily (e.g., survey responses, feedback, and communications).
You may choose not to provide personal information, and in certain circumstances APP 2 gives individuals the option of remaining anonymous or using a pseudonym. However, if you choose to withhold information, we may not be able to provide you with our services or respond to your requests.
- How we collect personal information
We collect personal information only by lawful and fair means. The main ways we collect information are:
- Directly from you - when you engage us, sign up to our newsletters, attend webinars, fill in forms, call us or meet our staff.
- From third parties - referrals from your employer or colleagues, publicly available sources (e.g., professional directories), government agencies or our service providers (e.g., identity verification services). We only collect personal information about you from others with your consent or where it is not reasonable or practicable to collect it directly.
- Automatically through our website - via cookies and similar technologies when you visit our website. Cookies help us understand website traffic and tailor our communications. You can set your browser to refuse cookies, but this may affect site functionality.
- Why we collect, hold, use and disclose personal information
We collect personal information to conduct our consultancy business and comply with legal obligations. Our purposes include:
- Providing professional services - to assess your needs, provide advice, manage projects, carry out research and deliver reports.
- Communicating and managing relationships - to respond to enquiries, send updates, newsletters, invitations to events and other information you may find useful.
- Administering accounts and payments - to issue invoices, process payments and recover debts.
- Managing risk and compliance - to identify and manage conflicts of interest, meet regulatory requirements, prevent fraud, and comply with applicable laws.
- Recruitment and human resources - to assess job applications, manage contractors and employees.
- Improving our services - to analyse service usage and website trends and develop new products or services.
We do not collect, use or disclose personal information for purposes other than those described above, unless permitted by the Privacy Act.
- Direct marketing
APP 7 restricts the use of personal information for direct marketing. We may, from time to time, use your personal information (such as your contact details or service history) to send you newsletters, insights or invitations. We will only do this where:
- you would reasonably expect us to use your information for this purpose; or
- you have consented to receive marketing communications; or
- an exception applies under APP 7.2 or 7.3.
All marketing communications will contain a simple opt-out mechanism. We will honour requests to opt out of marketing free of charge and as soon as practicable. On request, we will also inform you of the source of your personal information used for direct marketing unless it is impracticable or unreasonable to do so.
- Disclosure of personal information
We disclose personal information only for the primary purpose for which it was collected or where otherwise permitted under the Privacy Act. Disclosures may include:
- Our staff and related entities - we may share information with our employees, contractors or subsidiaries to deliver services.
- Service providers - external IT providers, cloud hosting providers, document management systems, marketing platforms, accountants, auditors, insurers, legal advisors, or other professional advisors who assist us. We require all contractors who handle personal information on our behalf to protect it in a way that is consistent with the APPs.
- Business transfers - if we merge, sell or reorganise our business, personal information may be transferred to new owners under strict confidentiality arrangements.
- Regulators and enforcement bodies - we may be compelled to disclose information to courts, tribunals, law enforcement agencies or regulatory bodies where required or authorised by law.
- Your authorisation - any other disclosure you consent to, or where you have been otherwise informed.
- Overseas disclosure and cross-border data transfers
As a global consultancy, we may disclose personal information to recipients located outside Australia (e.g., in the United States, United Kingdom, European Union, India or New Zealand). APP 8 and s 16C require us to take reasonable steps to ensure that overseas recipients do not breach the APPs and make us accountable for their handling of your information. We will only transfer personal information overseas when:
- the overseas recipient is subject to laws or binding schemes that provide substantially similar protection to the APPs, and there are accessible mechanisms for individuals to enforce those protections;
- you have provided informed consent to the disclosure after being advised that APP 8.1 will not apply;
- the transfer is required by Australian law or court order; or
- another exception under APP 8 applies.
Where applicable, we use contractual measures (e.g., data transfer agreements or standard contractual clauses) and technical safeguards to protect personal information transferred to overseas recipients. If our services involve data about individuals in the European Economic Area (EEA) or United Kingdom, we will also comply with the EU General Data Protection Regulation (GDPR) and UK GDPR. Under the GDPR, Australian entities may need to comply if they have an establishment in the EU or if they offer goods or services or monitor the behaviour of individuals in the EU. Both the GDPR and Australian Privacy Act emphasise transparency, accountability and data breach notification; our practices are designed to meet these standards.
- Data quality, security and retention
8.1 Quality
Under APP 10, we take reasonable steps to ensure that the personal information we collect is accurate, up-to-date and complete, and that information we use or disclose is relevant and not misleading. We encourage you to let us know if your details change.
8.2 Security
APP 11 requires us to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. We implement administrative, physical and technical safeguards including:
- secure office premises and controlled access to records;
- password-protected systems, multi-factor authentication and encryption;
- access controls based on least-privilege principles;
- staff training on privacy and data security;
- regular risk assessments and auditing.
Where we provide personal information to a third-party service provider, we require them to have appropriate security and confidentiality safeguards.
8.3 Retention and destruction
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected or as required by law. When personal information is no longer needed and we are not required to retain it by law or a court/tribunal order, we will take reasonable steps to destroy or de-identify it in accordance with APP 11.
- Access and correction
APP 12 provides that individuals may request access to personal information we hold about them. To access or correct your information, please contact our Privacy Officer using the details below. We may ask you to verify your identity and specify what information you require. We aim to respond within a reasonable period (usually 30 days). We will provide access in the manner requested where reasonable and practicable. In limited circumstances, we may refuse access on the grounds listed in APP 12 (e.g., where granting access would pose a serious threat to safety or be unlawful). If we refuse access or refuse to correct personal information, we will provide a written notice explaining our reasons and how you can complain.
- Anonymity and pseudonymity
Where possible, individuals have the option of interacting with us anonymously or using a pseudonym. However, identification may be required when it is impracticable to deal with individuals anonymously (for example, when delivering services, verifying identity or satisfying legal obligations).
- Cookies and website analytics
Our website may use cookies, web beacons and similar technologies to collect information about how the site is used. This may include your IP address, browser type, pages visited, and time spent on each page. We use this data to improve functionality and user experience. You can adjust your browser settings to refuse cookies or to alert you when cookies are being sent; however, some parts of our site may not function properly without cookies.
Our website may also include links to third-party sites. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policies of any external websites you visit.
- Notifiable Data Breaches
Under the Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure (e.g., lost or stolen devices, hacked databases or accidental disclosure). If an eligible data breach occurs, we will assess the situation, take steps to contain and remedy the breach, and notify affected individuals and the OAIC as required. Our notification will include recommendations on steps individuals can take to mitigate any harm.
- Complaints and enquiries
If you have a query about this policy, believe we have breached the APPs or other privacy laws, or wish to make a complaint, please contact our Privacy Officer:
Email: admin@tractuum.com.au
Telephone: +61 488 576 902
Address: PO Box 904 Booval QLD 4304
Please provide as much detail as possible about your concern and include your contact details. We will acknowledge receipt of your complaint within a reasonable time and will investigate the matter. We endeavour to respond in writing within 30 days. If you are not satisfied with our response, you can lodge a complaint with the OAIC (contact details at oaic.gov.au).
- Further information
For more information about privacy in Australia, visit the OAIC website at oaic.gov.au. For information on the GDPR and its potential application to Australian entities, see the OAIC's guidance on Australian entities and the European Union General Data Protection Regulation.