Privacy Policy

Last updated: March 2026  |  Effective: March 2026

Code Nexas Pty Ltd (ABN pending) ("Code Nexas", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard information when you visit our websites (including codenexas.com.au and ziplineos.com.au), use our software-as-a-service platforms including ZiplineOS, or otherwise engage with our services.

This policy is prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we handle information subject to the General Data Protection Regulation (GDPR) or other international data protection laws, we will comply with those requirements in addition to Australian law.

1. Application Data Practices

This section provides a clear summary of how ZiplineOS — our cloud-based business operating system — collects, stores, and uses data when you interact with the application.

1.1 Data Collection

When you use the ZiplineOS application, we collect the following categories of data:

  • Account information: Your name, email address, organisation name, and role when you register for or are invited to a ZiplineOS workspace
  • Content you create: CRM contacts, deals, notes, documents, email campaigns, forms, workflow configurations, and any other content you enter into the platform
  • File uploads: Documents, images, and other files you upload to your workspace's document management system
  • Communication data: Email messages sent and received through connected email accounts (e.g., Gmail, Outlook) when you enable email sync features
  • Integration data: Data retrieved from third-party services you connect, such as Google Drive files or calendar events
  • Usage and analytics data: Feature interaction patterns, page views within the application, session duration, and performance metrics collected to improve the platform
  • Device and access data: IP address, browser type, device identifiers, and authentication tokens used to secure your sessions

1.2 Data Storage

All customer data within ZiplineOS is stored on Google Cloud Platform infrastructure located in Sydney, Australia (australia-southeast1 region). Specifically:

  • Database records: CRM data, workflow configurations, user accounts, and application metadata are stored in managed PostgreSQL databases with automated daily backups
  • Uploaded files: Documents and media are stored in Google Cloud Storage buckets within the Australian region, encrypted at rest using AES-256
  • Email data: Synced email metadata and message content are stored in our Australian-hosted databases and are not transferred outside of Australia
  • Session data: Authentication tokens and session information are managed through AWS Cognito with temporary, encrypted credentials
  • Backups: Automated backups are retained for disaster recovery purposes and are stored within the same Australian region

We do not store primary customer data outside of Australia unless explicitly required for a specific third-party integration that you choose to enable (see Section 10 — International Data Transfers).

1.3 Data Usage

Data collected through the ZiplineOS application is used for the following purposes:

  • Providing the service: Powering your CRM, email campaigns, document management, workflow automation, analytics dashboards, and all other platform features you interact with
  • Authentication and security: Verifying your identity, managing role-based access within your organisation, and detecting unauthorised access attempts
  • Email sync and communication: Capturing and displaying email activity linked to your CRM contacts when you connect your email provider
  • Platform improvement: Analysing aggregated, de-identified usage patterns to improve features, fix issues, and inform our product roadmap
  • Customer support: Accessing your account information (with your permission) to troubleshoot issues and provide technical assistance
  • Notifications: Sending in-app and email notifications for workflow triggers, task assignments, and system alerts that you have opted into

We do not sell, rent, or trade your data. We do not use your content data for advertising purposes or share it with third parties except as described in Section 5 (Disclosure of Your Information) of this policy.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide, including when you:

  • Create an account or register for our services
  • Subscribe to our communications or newsletters
  • Submit an enquiry, request a demo, or contact our sales team
  • Enter into a service agreement or purchase our products
  • Participate in surveys, promotions, or events
  • Apply for employment or contractor positions

This information may include:

  • Identity data: Full name, job title, company name, ABN
  • Contact data: Email address, phone number, postal address
  • Account data: Username, password (hashed), account preferences
  • Financial data: Billing address, payment card details (processed via PCI-DSS compliant third-party processors — we do not store card numbers)
  • Technical data: IP address, browser type and version, device identifiers, operating system
  • Usage data: Pages visited, features used, session duration, interaction patterns

2.2 Information Collected Automatically

When you access our websites or platforms, we automatically collect certain technical and usage data through cookies, server logs, and similar technologies. This includes:

  • Browser type, version, and language preferences
  • Device type, screen resolution, and operating system
  • IP address and approximate geographic location
  • Referring URLs, pages viewed, and navigation paths
  • Date, time, and duration of your visit

2.3 Information from Third Parties

We may receive personal information from third-party sources, including:

  • Authentication providers: When you sign in using Google, Microsoft, or other identity providers
  • Business partners: Referral partners or resellers who introduce you to our services
  • Publicly available sources: Company registries, LinkedIn, and other professional networks

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • Providing, operating, and maintaining our software platforms and services
  • Processing transactions and managing your account
  • Providing customer support and responding to your requests
  • Sending service-related communications, including updates, security alerts, and administrative messages

3.2 Improvement and Development

  • Analysing usage patterns to improve our products and user experience
  • Conducting research and development for new features and services
  • Performing analytics and generating aggregated, de-identified insights

3.3 Marketing and Communications

  • Sending promotional communications (only with your consent, and you may opt out at any time)
  • Personalising content and advertising based on your interests

3.4 Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our terms of service and other agreements
  • Detecting, preventing, and addressing fraud, security issues, or technical problems
  • Protecting the rights, property, and safety of Code Nexas, our users, and the public

4. Legal Bases for Processing

We process your personal information on the following legal bases:

  • Contractual necessity: Processing required to perform our obligations under a service agreement with you
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving our services, provided these interests are not overridden by your rights
  • Consent: Where you have given us explicit consent to process your information for specific purposes (e.g., marketing communications)
  • Legal obligation: Processing required to comply with applicable laws and regulations

5. Disclosure of Your Information

We do not sell, rent, or trade your personal information. We may share your information with the following categories of recipients:

5.1 Service Providers

We engage trusted third-party service providers who assist us in operating our business and delivering services. These providers are contractually bound to protect your information and may only use it for the specific purposes we direct. Key categories include:

  • Cloud infrastructure: Google Cloud Platform (Australian regions)
  • Authentication: AWS Cognito
  • Payment processing: Stripe (PCI-DSS Level 1 compliant)
  • Email delivery: Mailgun
  • Analytics: Google Analytics (with IP anonymisation enabled)

5.2 Professional Advisers

We may share information with our lawyers, auditors, accountants, and insurers where necessary for professional advice, audit, or insurance purposes.

5.3 Legal Requirements

We may disclose your information where required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have regarding your information.

6. Data Storage and Security

6.1 Data Residency

All primary customer data is hosted on Google Cloud Platform infrastructure located in Australia (Sydney region: australia-southeast1). We do not transfer primary customer data outside of Australia unless explicitly required for service delivery and disclosed to you in advance.

6.2 Security Measures

We implement industry-standard security measures to protect your information, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • Encryption at rest: All stored data is encrypted using AES-256 encryption
  • Access controls: Role-based access control (RBAC) with the principle of least privilege
  • Authentication: Multi-factor authentication for privileged access, JWT token-based session management
  • Infrastructure: Virtual private cloud (VPC) network isolation, automated vulnerability scanning
  • Monitoring: Continuous security monitoring, audit logging, and intrusion detection
  • Personnel: Background checks for employees with data access, regular security awareness training

6.3 Data Breach Response

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches (NDB) scheme within 30 days. We maintain a documented incident response plan and conduct regular breach response exercises.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including:

  • Active accounts: For the duration of your account or service agreement
  • After termination: For a reasonable period to fulfil legal, tax, accounting, or reporting obligations (typically 7 years for financial records as required by Australian tax law)
  • Marketing data: Until you withdraw consent or opt out
  • Server logs: Retained for up to 90 days for security and troubleshooting purposes

Upon expiry of the relevant retention period, personal information is securely deleted or de-identified.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. The types of cookies we use include:

  • Strictly necessary cookies: Required for the operation of our websites (e.g., session management, security tokens)
  • Analytical cookies: Help us understand how visitors interact with our websites (e.g., Google Analytics)
  • Functional cookies: Remember your preferences and settings

We do not use advertising or tracking cookies. You can control cookie preferences through your browser settings. Disabling certain cookies may limit the functionality of our websites.

9. Your Rights

Under Australian privacy law and, where applicable, the GDPR, you have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you (APP 12)
  • Correction: Request correction of inaccurate or incomplete information (APP 13)
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Objection: Object to certain processing activities, including direct marketing
  • Data portability: Request your data in a structured, commonly used, machine-readable format
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time
  • Lodge a complaint: File a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise any of these rights, please contact us using the details below. We will respond to your request within 30 days.

10. International Data Transfers

Some of our third-party service providers may process data outside Australia (e.g., AWS Cognito operates in the US). Where personal information is transferred overseas, we ensure appropriate safeguards are in place, including contractual data protection clauses that comply with APP 8 (cross-border disclosure of personal information) and, where applicable, standard contractual clauses approved under the GDPR.

11. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised "Last updated" date. For material changes, we will provide prominent notice (such as email notification or an in-app banner) at least 30 days before the changes take effect.

13. Contact and Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints or by calling 1300 363 992.