Privacy Policy
Last updated: 8 May 2026 | Version: 2.0
1. About this Policy
Relevate Consulting Pty Ltd (ABN 93644570212) ("Relevate", "we", "us", or "our") is committed to protecting your privacy and handling personal information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs).
This Privacy Policy explains what personal information we collect, how we collect, use, disclose, store and protect that information, and how you can exercise your privacy rights. It also explains how to contact us with any privacy questions or complaints.
This Policy applies to Relevate Consulting Pty Ltd and to the following related Relevate brands and business units: Lance IT, Rippa Hosting, Relevate People and Relevate Academy. Where one of those brands has a separate published Privacy Policy, that separate policy prevails for the activities covered by it.
Privacy Officer — Relevate Consulting Pty Ltd
· Email: contact@relevate.com.au
· Phone: 1300 677 276 (or +61 7 3078 3922)
You can use these contact details for any privacy enquiry, request to access or correct your personal information, or to make a privacy complaint.
3. Who this Policy applies to
We collect, hold, use and disclose personal information in three different roles. This Policy covers all three. The lawful basis, the purposes, and your rights vary by role:
· Website visitors and prospective customers — people who visit relevate.com.au or our subdomains, contact us through forms, sign up for marketing communications, attend our events, or interact with us before becoming a customer.
· Customers — businesses (and the individual representatives of those businesses) that engage us for consulting, implementation, managed services or training.
· Personnel of our customers' end-users — individuals whose personal information appears in the systems we implement, configure or support for our customers (for example, in a CRM or marketing automation platform). For that information, our customer is responsible as the holder of the information; Relevate handles it on our customer's behalf under the contract between us and our customer. Section 18 (Personal information about our clients' customers) sets out how we treat that information.
The kinds of personal information we collect depend on how you interact with us.
· Identity and contact information — name, business name, role, email address, telephone number, postal or work address.
· Account and billing information — billing contact, payment details (we use third-party payment processors and do not store full card data), purchase history.
· Engagement information — information you share with us about your business, requirements, projects, configuration choices and feedback.
· Customer support information — operating system, software, error logs and other technical information you provide when seeking support.
· Recruitment information — if you apply for a role with us, your CV, work history, qualifications, references and any information you provide during interviews. We refer to a separate Recruitment Privacy Notice on our Careers page.
· Other information you choose to share — for example, if you complete a survey, attend a webinar, leave a review or testimonial, or contact us with a question.
· Technical information — IP address, browser type and version, device identifiers, operating system, referrer URL, pages viewed, time and duration of visit, clickstream data.
· Cookies and similar technologies — see Section 10 (Cookies, tracking and analytics).
· Email engagement information — when we send marketing or transactional emails, we may track whether they are opened and which links are clicked.
· Public sources — for example, business directories, professional networks (such as LinkedIn) and your published web presence.
· Referrers — when a partner, existing customer or other source refers you to us.
· Service providers — payment processors, marketing platforms, analytics providers and identity verification providers.
We do not normally collect sensitive information (as defined in s 6 of the Privacy Act, including health information, information about racial or ethnic origin, religious beliefs, sexual orientation and similar). We will only collect sensitive information with your explicit consent, where it is necessary for an engagement (for example, where we configure a HRIS that holds health-related information for your business) and where the law permits.
We collect personal information in lawful, fair and transparent ways, including:
· From you directly — through forms on our websites (including the Zoho contact form and RFP/Referral form), email, phone calls, video calls, in-person meetings and through our Customer Portal.
· Automatically when you interact with our websites or marketing emails.
· From third parties as described in Section 4.3.
Where we collect personal information about you from someone other than you (for example, a referrer or your employer), we will, where reasonable and practicable, take steps to make sure you are aware of the matters in APP 5 (notification of collection).
We use and disclose personal information for the following purposes:
· To provide our services to you, including consulting, implementation, training, support and managed services.
· To respond to your enquiries, requests and proposals.
· To set up and manage customer accounts, billing, payments and collections.
· To verify your identity and authority to interact with us on behalf of a business.
· To manage our business operations, including internal reporting, audits and quality assurance.
· To improve our services, including by analysing how customers and visitors interact with our websites and marketing.
· To comply with our legal obligations and to deal with regulators, courts and law enforcement.
· Direct marketing — see Section 7.
· Recruitment — to assess applications and run interviews and reference checks.
We will not use your personal information for purposes that are unrelated to those above unless you would reasonably expect us to, or unless you have consented.
7. Direct marketing
We may use your contact details to send you information about Relevate products, services, events, webinars, newsletters and promotions, by email, telephone or post. We do this in line with APP 7 of the Privacy Act and the Spam Act 2003 (Cth).
Every marketing email we send includes a clear and simple unsubscribe option. You can also opt out at any time by contacting our Privacy Officer using the details in Section 2. We will action your opt-out request within 5 business days.
You can ask us at any time how we obtained your contact details. We will respond within a reasonable period and at no cost to you.
We do not sell your personal information and we do not provide your personal information to third parties for them to use for their own direct marketing purposes.
We share personal information only as needed to support the purposes set out in Section 6, including with:
· Members of the Relevate group of companies — Relevate IT, Rippa Hosting, Relevate People and Relevate Community — under intra-group agreements that bind each entity to handle the information in line with this Policy.
· Our service providers and sub-processors — including hosting (such as AWS), marketing platforms (such as Zoho), CRM and customer support platforms, payment processors, professional advisers, identity verification, telecommunications and analytics providers. We require service providers to handle personal information consistently with the APPs and our contract with them.
· Our customers — where you are an authorised representative or contact of a customer, we may share information with the customer organisation as part of providing the service.
· Regulators, courts and law enforcement — where required or permitted by law.
· Acquirers and advisers — if Relevate (or a part of it) is sold or restructured, we may disclose information to a prospective buyer and their advisers, on terms that bind them to confidentiality and at least equivalent privacy protections.
· With your consent — for any other purpose you have consented to.
9. Disclosure to overseas recipients (APP 8)
Relevate uses cloud-based platforms that store and process information in Australia and overseas. When we use those platforms to handle your personal information, your personal information may be disclosed to recipients in countries other than Australia.
The countries to which your personal information is most commonly disclosed include:
· Australia — for our primary business operations and most customer-facing platforms.
· United States — through service providers such as AWS, Salesforce, HubSpot and similar.
· European Union (commonly Ireland, Germany, Netherlands) — through service providers including Salesforce, HubSpot and Zoho EU regions.
· India — through service providers such as Zoho Corporation Pvt Ltd.
· Other locations — where dictated by a customer's data residency choice or platform default. We maintain a current sub-processor and data residency list and can provide it on request.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure they handle your personal information in line with the APPs, including through written contractual commitments. To the extent permitted by law, we remain accountable for the acts of those recipients.
10. Cookies, tracking and analytics
A cookie is a small file placed on your browser or device that allows a website to recognise you, remember your preferences, and measure how the site is used. We use cookies and similar technologies (including pixels and local storage) on our websites and in our marketing emails.
We use these tools for the following purposes:
· Essential — to make our websites function (for example, security, load balancing, session management). These cannot be turned off without affecting basic functionality.
· Analytics — to understand how visitors use our websites (for example, Google Analytics). We may treat IP address combined with browsing activity as personal information.
· Marketing — to measure the effectiveness of our campaigns and to deliver relevant content (for example, HubSpot, LinkedIn Insight Tag where used).
· Customer engagement — to support live chat (for example, Zoho SalesIQ).
You can control cookies through your browser settings. Where we are required to do so by law, we will request your consent to non-essential cookies through a banner on our websites and you can change those preferences at any time.
11. Storage and security
We take reasonable steps under APP 11 to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our controls include:
· Encryption of data in transit (using TLS) and encryption at rest for production systems holding personal information.
· Multi-factor authentication for administrative access to systems handling personal information.
· Role-based access controls and the principle of least privilege.
· Logging and monitoring of access to systems handling personal information.
· Vendor due diligence and written contractual security requirements with sub-processors.
· Staff training on privacy and information security and confidentiality obligations in employment and contractor agreements.
· Documented security incident response and business continuity processes.
No method of transmission over the internet or electronic storage is fully secure. We cannot guarantee absolute security, but we work to maintain controls that are appropriate to the kind of personal information we hold and the risks involved.
We keep personal information only for as long as we need it for the purposes described in this Policy or as required by law. After that, we destroy it or de-identify it under APP 11.2. Typical retention periods are:
· Active customer information — for the duration of the engagement and for 7 years after the engagement ends, in line with our taxation and corporate record-keeping obligations.
· Prospective customer enquiries that do not become engagements — for up to 24 months, then deleted unless you have asked to remain on our marketing list.
· Marketing list contacts — until you unsubscribe; logs of unsubscribes are kept for compliance with the Spam Act.
· Recruitment applications — for up to 12 months from the close of the role, unless you have consented to longer retention for future opportunities.
· Website analytics and cookie identifiers — typically 12–26 months, or earlier if you reset your browser or revoke consent.
Under APP 12 you can ask for access to the personal information we hold about you, and under APP 13 you can ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. To make a request, contact our Privacy Officer using the details in Section 2.
We will respond within a reasonable period — generally within 30 days. There is no fee to make a request, although a reasonable charge may apply for complex access requests (we will tell you in advance). We will not charge for correction.
In limited circumstances we may decline access (for example, where the request is frivolous or where access would unreasonably affect another person's privacy). If we decline, we will explain why and tell you how to complain.
14. Privacy complaints
If you have a privacy complaint about how Relevate has handled your personal information, please contact our Privacy Officer using the details in Section 2. We will:
· Acknowledge your complaint within 7 days.
· Investigate and respond substantively within 30 days, or tell you why we need more time.
· Tell you what action we propose to take and offer remedies where appropriate.
If you are not satisfied with our response, you can escalate the complaint to:
· Office of the Australian Information Commissioner (OAIC) — phone 1300 363 992, online at oaic.gov.au.
15. Data breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of an Eligible Data Breach involving your personal information, we will notify you and the OAIC as required by the scheme, with practical steps you can take to protect yourself. We aim to notify affected individuals within 72 hours of becoming aware of an Eligible Data Breach where practicable.
16. Children's privacy
Our services are designed for businesses, not children, and we do not market to or knowingly collect personal information directly from children. Where one of our customers configures a system that holds information about minors (for example, a CRM record), our customer is responsible for the lawful basis for that collection and use, and we will handle that information on our customer's behalf in line with our contract and Section 18 of this Policy.
We will follow any guidance issued by the OAIC and any binding requirements under the Children's Online Privacy Code when it comes into force.
We may compile aggregate or de-identified statistics about our customers and website visitors, for example to share trends or industry insights. This information does not identify you and is not subject to this Policy.
When we configure, implement, support or operate systems for our customers (for example, a CRM, marketing automation, ERP or HRIS platform), those systems may contain personal information about our customer's own customers, employees or other individuals. In that situation:
· Our customer is the entity that has collected the information from those individuals and is responsible for handling it in line with the law.
· Relevate handles the information on our customer's behalf under the contract between us and our customer.
· We do not use that information for our own purposes (for example, our own marketing) without the customer's instructions.
· We apply the security and confidentiality controls described in Section 11 to that information.
· On the end of the engagement, we return or destroy that information in line with the customer's instructions and any legal retention obligations.
If you have a privacy concern about information held in a system that Relevate operates for one of our customers, please contact that customer in the first instance. We will assist them as required by our contract.
19. Government clients and supplier obligations
When we deliver services under a Commonwealth or State government contract, we comply with the additional privacy and information security requirements of that contract — including, where applicable, the Privacy (Australian Government Agencies — Governance) APP Code 2017 — to the extent those requirements apply to us as a contracted service provider.
20. Changes to this Policy
We may update this Policy from time to time. The updated Policy will take effect when posted on relevate.com.au with an updated "Last updated" date at the top. Where the change is material, we will take reasonable steps to draw your attention to it (for example, by email or website banner). The current version is always available at relevate.com.au/privacy-policy.
21. Definitions
In this Policy:
· "APP" or "Australian Privacy Principles" means the principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
· "Personal information" has the meaning given in s 6 of the Privacy Act — broadly, information or an opinion about an identified individual, or an individual who is reasonably identifiable.
· "Sensitive information" has the meaning given in s 6 of the Privacy Act and includes information about an individual's health, racial or ethnic origin, religious beliefs and sexual orientation.
· "Eligible Data Breach" has the meaning given in Part IIIC of the Privacy Act.