Oceanside Analytics Privacy Policy

1. Introduction

At Oceanside Analytics Pty Ltd (ABN: 63685040555), we're committed to protecting your privacy while helping your business navigate the digital seas. This Privacy Policy explains how we collect, use, store, and protect your personal information when you engage with our services through our website (https://oceansideanalytics.com) and application stack (app.oceansideanalytics.com). Our services include Reports (e.g., Visibility Snapshot, Digital Deep Dive, Growth Blueprint), Web Development (for Australian clients only), AI Consulting and Automation, and Other Automations tailored for small and medium businesses (SMBs). We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as applicable international laws like the GDPR for EU/EEA users and the CCPA for California residents.

2. Scope of Services and Applicability

• Reports: Digital reports (e.g., Visibility Snapshot, Digital Deep Dive, Growth Blueprint) to analyze and improve your online presence, available to all clients globally.
• Web Development: Optimization services for existing websites (e.g., site speed, mobile-friendliness, SEO), offered exclusively to Australian clients. EU/EEA and U.S. clients seeking Web Development services will be referred to our partner network and may opt in or out of working with these partners.
• AI Consulting and Automation: Consulting and automation solutions (e.g., automating tasks, data insights, personalization), available to all clients globally.
• Other Automations: Automated tools (e.g., website audits, chatbots, workflow optimizations) via our website and application stack, available to all clients globally.

Geographic Applicability: This Privacy Policy applies to all users but includes specific provisions for EU/EEA users (GDPR) and California residents (CCPA) where applicable, particularly for Reports, AI Consulting, and Other Automations.

3. What Information We Collect

We collect only the information necessary to provide our services, deliver your reports, and meet legal obligations. The type of information we collect depends on the service and transaction value:

For Services Under AUD 1,000 (e.g., Reports, some automations): We collect minimal information to process your purchase, including:

• Email address (for report delivery and communication).
• First name and last name (for personalization and invoicing).

For Services Over AUD 1,000 (e.g., Web Development, AI Consulting): In addition to the above, we collect further details as required by Australian law, including:

• Address (for billing and tax compliance).

Optional Information: You may choose to opt in to receive our newsletter and/or marketing communications via two separate checkboxes at checkout. These are not pre-selected, ensuring your choice is voluntary.

Automatically Collected Information: When you visit our website or application stack, we may collect non-personal information, such as:

• IP address, browser type, device information, and usage data (e.g., pages visited, time spent) to improve our services and user experience.
• Cookies and similar technologies (with your consent, where required) to enhance functionality and analyze site performance. For EU users, we obtain explicit consent for non-essential cookies (e.g., analytics, marketing). You can manage cookie preferences through your browser settings or our cookie consent banner.

Service-Specific Data: To provide our services, we may process business-related data you provide, such as:

• Website URLs for Reports or Web Development (Australian clients only).
• Customer data for AI Consulting and automations (e.g., data for workflow optimization).
• Analytics data for reports or automations.

This data is used solely for the purpose of delivering the service.

4. How We Use Your Information

We use your information to provide, improve, and personalize our services while ensuring compliance with applicable laws. Specifically, we use your data to:

• Process and deliver your purchases, such as generating and emailing reports (e.g., Digital Deep Dive PDFs).
• Create invoices and manage payments, including uploading invoices to Xero for record-keeping.
• Communicate with you about your services, updates, or issues (e.g., report delivery confirmations).
• Send newsletters or marketing communications, but only if you have explicitly opted in via the relevant checkbox. You can unsubscribe at any time via the link in each email.
• Analyze website and application usage to improve our services and user experience (e.g., through aggregated, anonymized data).
• Comply with legal obligations, such as tax and invoicing requirements under Australian law.

Legal Bases for Processing (for EU Users):

• For Reports, AI Consulting, and automations: We process your data under GDPR Article 6(1)(b) as it's necessary to fulfill our contract with you (e.g., delivering a report).
• For Web Development (Australian clients only): Same as above, under Article 6(1)(b).
• For marketing: We rely on your consent under Article 6(1)(a), obtained via opt-in checkboxes.
• For analytics cookies: We rely on consent under Article 6(1)(a) for EU users, obtained via our cookie banner.

5. How We Store and Secure Your Information

We take your data security seriously, ensuring it remains safe while in our care:

• Storage on Our Servers: Personal information, invoices, and report PDFs are securely stored on our servers using industry-standard encryption (e.g., AES-256) and access controls. Only authorized personnel can access this data, and only for the purpose of providing our services.
• Transfer to Xero: Invoices are uploaded to Xero, our accounting software, for 7-year storage as required by Australian tax law (e.g., per the Taxation Administration Act 1953). Once uploaded, invoices and report PDFs are removed from our servers to minimize data retention.
• Minimal Retention: We retain your personal information only for as long as necessary to fulfill the purpose for which it was collected or to meet legal obligations. For example, first name, last name, and email addresses included in invoices are retained for 7 years to comply with Australian tax law requirements. If you opt in to marketing or newsletters, we retain your email address until you unsubscribe. Other personal information not required for legal purposes is deleted once the service is fulfilled (e.g., after report delivery confirmation).
• Soft Delete Option: You may request a soft delete of your personal information (e.g., email, name) at any time, which anonymizes your data in our systems while retaining non-identifiable records for legal or audit purposes (e.g., transaction IDs). For EU and California residents, we fully delete identifiable data upon request, except where required for legal obligations like tax compliance. To request a soft delete, contact us at info@oceansideanalytics.com.
• Data Breaches: In the unlikely event of a data breach, we comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. If a breach is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required. For EU users, we will also notify the relevant Data Protection Authority within 72 hours of a breach, as per GDPR Article 33, and inform you if there's a high risk to your rights and freedoms (Article 34).

6. Sharing Your Information

We do not sell or share your personal information with third parties for marketing purposes. We may share your information only in the following circumstances:

• Service Providers: We share data with trusted third parties necessary to deliver our services, such as:
  • Xero, for invoice storage and accounting (7-year retention as per Australian tax law).
  • Payment processors like PayPal and Stripe for transaction processing (we do not store your financial data; transactions are processed securely on their platforms).
  • Analytics platforms or AI tools to generate reports or automations (e.g., analyzing website URLs for a Digital Deep Dive Report). These providers are bound by confidentiality and privacy obligations.
• Subcontractors for Web Development (Australian Clients Only): For Web Development services, we may engage subcontractors, including those based in countries like India, to assist with service delivery for Australian clients only. They are subject to strict confidentiality agreements and comply with the APPs.
• Partner Network for EU/EEA and U.S. Clients (Web Development): EU/EEA and U.S. clients seeking Web Development services will be referred to our partner network, which may include partners based in countries like India. You may opt in or out of working with these partners. If you opt in, your data will be shared with the partner under a separate agreement, and their privacy practices will apply. We will provide their privacy policy for your review before sharing any data.
• Subcontractors for Other Services: For AI Consulting, Reports, or Other Automations, we may engage subcontractors to assist with service delivery globally. These subcontractors, which may be based in countries like India, are subject to strict confidentiality agreements and comply with applicable privacy laws (e.g., APPs, GDPR).
• Legal Obligations: We may disclose your information if required by law, such as to comply with tax obligations or respond to a court order.
• Business Transfers: If Oceanside Analytics is involved in a merger, acquisition, or sale, your information may be transferred as part of that transaction, but we will ensure it remains protected under the APPs and applicable laws.

7. International Data Transfers

Oceanside Analytics primarily stores and processes your data within Australia. However, some third-party providers or subcontractors may process data overseas:

• For All Services (Reports, AI Consulting, Automations): Data may be processed by third-party providers like Stripe, PayPal, or analytics/AI tools, which may operate in the U.S. or other countries.
• For Web Development (Australian Clients Only): Data may be processed by subcontractors, which may be based in countries like India.
• For Web Development (EU/EEA and U.S. Clients): If you opt in to work with our partner network, your data may be transferred to countries like India under the partner's privacy practices.

When data is transferred internationally:

• We ensure these parties comply with the Australian Privacy Principles (APPs), particularly APP 8 (cross-border disclosure), by entering into agreements that require equivalent privacy protections.
• For EU users, we use GDPR-approved mechanisms like Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision (e.g., U.S. for Stripe/PayPal, India for subcontractors).
• You acknowledge that, under APP 8.2, we are not responsible for breaches by overseas recipients if they are not subject to similar privacy laws, but we take reasonable steps to ensure your data remains protected.

8. Your Rights and Choices

Under the Privacy Act 1988 and the Australian Privacy Principles (APPs), you have rights over your personal information:

• Access and Correction: You can request access to or correction of your personal information by contacting us at info@oceansideanalytics.com. We will respond within 30 days, as required by law.
• Soft Delete: You can request a soft delete of your data, anonymizing identifiable information while retaining necessary records for legal purposes (see Section 5). For EU and California residents, we fully delete identifiable data upon request, except where required for legal obligations.
• Marketing Opt-Out: If you opt in to newsletters or marketing communications, you can unsubscribe at any time via the link in each email or by contacting us.

Additional Rights for EU Users (GDPR): If you are in the EU/EEA, you have the following rights under GDPR:

• Right to access your data (Article 15).
• Right to rectify inaccurate data (Article 16).
• Right to erasure ("right to be forgotten") (Article 17).
• Right to restrict processing (Article 18).
• Right to object to processing, including for marketing (Article 21).
• Right to data portability (Article 20).
• To exercise these rights, contact us at info@oceansideanalytics.com.

Additional Rights for California Residents (CCPA): If you are a California resident, you have the following rights under the CCPA:

• Right to know: We collect identifiers (e.g., email, name), internet activity (e.g., IP address, usage data), and professional information (e.g., business data for AI automations), directly from you, and share with service providers like Xero, Stripe, and PayPal for service delivery.
• Right to delete (subject to legal exceptions).
• Right to opt-out of sale/sharing (not applicable, as we don't sell/share your data).
• Right to non-discrimination.
• To exercise these rights, contact us at info@oceansideanalytics.com.

Complaints: If you have concerns about how we handle your data, you can lodge a complaint with us at info@oceansideanalytics.com. We will respond within 30 days. If unsatisfied, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. EU users can also contact their local Data Protection Authority.

9. Cookies and Tracking

We use cookies and similar technologies to improve your experience on our website and application stack:

• Essential Cookies: Necessary for basic functionality, such as navigating our site or processing payments.
• Analytics Cookies: Help us understand how you use our site (e.g., pages visited, time spent) to improve our services. This data is aggregated and anonymized.
• Marketing Cookies: Used to deliver relevant marketing content, but only if you opt in to marketing communications.

For EU users, we obtain explicit consent for non-essential cookies (e.g., analytics, marketing) via our cookie consent banner, as required by GDPR. You can manage cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may affect site functionality.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via email (if you've provided one) or by posting a notice on our website. The updated policy will be effective from the date of posting, as noted at the top of this page.