Privacy Policy

Version 1.4.0 | Last Updated: December 4, 2024

Archanaut Pty Ltd (ABN 93 670 225 395) ("Archanaut", "we", "our", or "us") is committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Archanaut Galxy platform and related services.

1. Information We Collect

1.1 Personal Information

We collect personal information when you:

  • Register for an account on the Archanaut Galxy platform
  • Subscribe to our services
  • Contact us for support or inquiries
  • Subscribe to our newsletter or marketing communications
  • Participate in surveys, webinars, or training programs

Personal information we collect includes:

  • Name and professional title
  • Email address and phone number
  • Business address
  • NatHERS accreditation details and professional credentials
  • Payment and billing information
  • Account login credentials

1.2 Assessment Data

When you use the platform to conduct energy assessments, we collect:

  • Property addresses and location coordinates
  • Building characteristics (construction type, materials, dimensions)
  • Photographs and visual documentation of building elements
  • Energy performance measurements and calculations
  • Assessment reports and compliance documentation
  • Assessor notes, observations, and data overrides
  • Audit trail information (timestamps, user actions, data sources)

1.3 Automatically Collected Information

We automatically collect technical information including:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Usage data (pages visited, features used, time spent)
  • Log files and error reports
  • Cookies and similar tracking technologies

1.4 Third-Party Data Sources

To optimize assessment workflows, we automatically retrieve data from authoritative sources:

  • NCC climate zone datasets
  • Cadastral and property valuation records (PSMA Australia, Geoscape)
  • Aerial and satellite imagery (Nearmap, Google Maps)
  • Geospatial and mapping services
  • Public property records and land parcel data

1.5 Consent and Your Choices

We are committed to obtaining, recording, and managing your consent in accordance with the 2024 Privacy Act reforms:

  • How We Obtain Consent: When you register for an account, you provide explicit consent for us to collect and use your personal information for service delivery. Consent is obtained through clear opt-in mechanisms during registration and account setup.
  • How We Record Consent: Your consent preferences are recorded in your account settings and maintained throughout your use of the platform. We keep records of when and how consent was obtained.
  • How We Manage Consent: You can review and update your consent preferences at any time through your account settings. You have the right to withdraw consent, subject to legal and contractual obligations.
  • Separate Consent: We obtain separate consent for different purposes:
    • Service delivery and platform access (required for account operation)
    • Marketing communications (optional - you can opt out at any time)
    • Platform improvement and analytics (you can opt out through account settings)
  • Withdrawing Consent: To withdraw consent, contact us at [email protected] or update your account settings. Note that withdrawing consent for essential services may affect your ability to use the platform.

Your consent is always voluntary, informed, and specific to the purposes described in this Privacy Policy.

2. How We Use Your Information

We use your information for the following purposes:

2.1 Service Delivery

  • Provide access to the Archanaut Galxy platform
  • Process and validate energy assessments
  • Submit assessment data to the CSIRO AccuRate calculation engine
  • Generate assessment reports and compliance documentation
  • Maintain audit trails for NatHERS compliance

2.2 Account Management

  • Create and manage your user account
  • Process payments and manage subscriptions
  • Verify professional accreditations
  • Provide customer support and technical assistance

2.3 Platform Improvement

  • Analyze usage patterns to improve features and workflows
  • Develop and refine automated optimization algorithms
  • Conduct quality assurance and accuracy testing
  • Train and improve computer vision models

2.4 Communications

  • Send service updates and platform notifications
  • Provide training materials and user guides
  • Send marketing communications (with your consent)
  • Respond to inquiries and support requests

2.5 Compliance and Legal

  • Comply with NatHERS UIP requirements
  • Meet regulatory and government obligations
  • Maintain records for audit and compliance purposes
  • Protect against fraud and security threats
  • Enforce our Terms of Service

2.6 Automated Processing and AI

In accordance with the 2024 Privacy Act reforms, we disclose our use of automated processing:

  • Platform Optimization: We use artificial intelligence and machine learning to improve platform features, including:
    • Computer vision models to assist with building element identification from photographs
    • Automated data extraction from property records and imagery
    • Workflow optimization algorithms to streamline assessment processes
  • No Automated Decision-Making Affecting Users: We do not use automated processing to make decisions that significantly affect your rights or access to services. All assessment validations, account decisions, and compliance determinations involve human review and oversight.
  • Human Oversight: Assessors maintain full control over assessment data and decisions. AI tools provide suggestions and assistance, but final decisions rest with the professional assessor.
  • Transparency: When AI assists with data extraction or suggestions, this is clearly indicated in the platform interface, and assessors can review, modify, or override any AI-generated suggestions.

If our use of automated processing changes in ways that significantly affect users, we will update this Privacy Policy and notify you in accordance with Section 8.

3. Information Sharing and Disclosure

3.1 NatHERS and Government Authorities

We share assessment data with:

  • CSIRO AccuRate calculation engine (mandatory for NatHERS compliance)
  • NatHERS Administrator for accreditation and compliance purposes
  • Government agencies as required by law or regulation

3.2 Service Providers

We engage trusted third-party service providers who process data on our behalf:

  • Cloud Infrastructure: Google Cloud Platform (GCP), Amazon Web Services (AWS), Microsoft Azure - for data storage and platform hosting
  • Geospatial Data: PSMA Australia, Geoscape, Nearmap, Google Maps - for property data and mapping services
  • Security & Compliance: Vanta, SecureFrame, security consultants - for security monitoring and compliance management
  • Sovereign AI Compute: ResetData (Australian data residency) - for AI processing with Australian data sovereignty
  • Payment Processing: Payment gateway providers (as applicable) - for secure payment processing

All service providers are bound by confidentiality agreements and process data only as instructed by us. We conduct due diligence on all service providers to ensure they maintain appropriate security and privacy standards. Where service providers are located overseas, we ensure appropriate safeguards are in place as described in Section 3.5 below.

3.3 Business Transfers

If Archanaut is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

3.4 Legal Requirements

We may disclose your information if required by law, court order, or government authority, or to protect our rights, property, or safety.

3.5 Cross-Border Data Transfers

While we prioritize Australian data residency, some of our service providers may process or store data outside Australia:

  • Primary Data Location: All primary data storage is in Australian data centers (GCP Australia region)
  • Overseas Service Providers: Some service providers (such as Google Maps, Nearmap, and certain cloud infrastructure providers) may process data in overseas locations including the United States and other jurisdictions
  • Safeguards: When we transfer personal information overseas, we ensure:
    • Service providers are bound by contractual obligations to protect your information
    • Transfers comply with Australian Privacy Principles (APP 8)
    • Appropriate technical and organizational security measures are in place
    • We remain accountable for the protection of your information
  • Your Consent: By using our platform, you consent to these overseas transfers subject to the safeguards described above

If you have concerns about overseas data transfers, please contact us at [email protected].

4. Data Storage and Security

4.1 Data Location

Your data is stored in secure cloud infrastructure:

  • Primary storage: Australian-based data centers (GCP Australia region)
  • Backup storage: Multi-cloud redundancy (AWS, Azure) with Australian data residency
  • AI processing: ResetData sovereign compute infrastructure (Australia)

4.2 Security Measures

We implement industry-standard security measures:

  • End-to-end encryption (TLS 1.2+ in transit, AES-256 at rest)
  • Role-based access control (RBAC) via GCP IAM
  • Multi-factor authentication (MFA) for user accounts
  • Secure secrets management (Google Secret Manager)
  • Continuous security monitoring and audit logging
  • Regular security assessments and penetration testing
  • Compliance with PSPF and ISM security frameworks

4.3 Data Retention

We retain your information for as long as necessary to provide services and comply with legal obligations:

  • Assessment Data: 7 years (NatHERS compliance requirement)
  • Account Information: Duration of active account plus 7 years
  • Audit Trails: 7 years for compliance and regulatory purposes
  • Marketing Data: Until you unsubscribe or request deletion

4.4 Data Breach Response

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), we have established procedures to respond to data breaches:

  • What is an Eligible Data Breach: An eligible data breach occurs when there is unauthorized access to or disclosure of personal information we hold, and this is likely to result in serious harm to affected individuals.
  • Our Notification Commitment: If an eligible data breach occurs, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, typically within 72 hours of becoming aware of the breach.
  • What We Will Tell You: Our notification will include:
    • The nature of the breach and the personal information involved
    • The steps we have taken to contain and mitigate the breach
    • Recommendations for steps you can take to protect yourself
    • Contact information for further inquiries
  • Reporting a Suspected Breach: If you suspect a data breach involving your personal information, please contact us immediately at [email protected] or +61 431 575 309.
  • Our Response Process: Upon becoming aware of a suspected breach, we will:
    • Immediately investigate and assess the breach
    • Take steps to contain and mitigate the breach
    • Determine if the breach is likely to result in serious harm
    • Notify the OAIC and affected individuals if required
    • Implement measures to prevent future breaches

We maintain comprehensive security monitoring and incident response procedures to detect and respond to potential breaches promptly.

5. Your Privacy Rights

Under the Australian Privacy Act 1988 (Cth) and the 2024 reforms, you have the following rights:

5.1 Right to Access

You have the right to access your personal information held by us:

  • What You Can Access: All personal information we hold about you, including account details, assessment data, and usage records
  • How to Request Access: Email [email protected] with your access request, specifying the information you wish to access
  • Response Timeframe: We will respond to your access request within 30 days of receiving it
  • Fees: We do not charge a fee for access requests, except in cases of excessive or repeated requests where reasonable costs may apply. We will notify you of any fees before processing your request
  • Verification: We may need to verify your identity before providing access to protect your personal information

5.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information:

  • How to Request Correction: Email [email protected] with details of the information you believe is inaccurate or incomplete, and the corrections you would like made
  • Response Timeframe: We will respond to your correction request within 30 days and make corrections where appropriate
  • If We Refuse Correction: If we refuse your correction request, we will provide you with written reasons and you have the right to:
    • Request that we attach a statement to your record noting that you believe the information is inaccurate
    • Lodge a complaint with us or the OAIC
  • Notification to Third Parties: If we correct information that has been disclosed to third parties, we will take reasonable steps to notify them of the correction

5.3 Right to Deletion

You may request deletion of your personal information, subject to certain exceptions:

  • How to Request Deletion: Email [email protected] with your deletion request
  • What Can Be Deleted: We will delete your personal information where we are not required to retain it
  • Exceptions: We may refuse deletion requests where we are required to retain information due to:
    • NatHERS 7-year retention requirements for assessment data
    • Legal and regulatory obligations
    • Ongoing disputes or legal proceedings
    • Fraud prevention and security purposes
  • Response Timeframe: We will respond to deletion requests within 30 days

5.4 Right to Complain

If you have concerns about how we handle your personal information, you have the right to lodge a complaint:

  • Complain to Archanaut: Email your complaint to [email protected] with details of your concern. We will:
    • Acknowledge your complaint within 7 business days
    • Investigate your complaint thoroughly
    • Provide a written response within 30 days
  • Escalate to the OAIC: If you are not satisfied with our response, or if you prefer to complain directly to the regulator, you can contact the Office of the Australian Information Commissioner:

5.5 Marketing Opt-Out

You can opt out of marketing communications at any time by:

  • Clicking "unsubscribe" in any marketing email
  • Updating your account preferences
  • Contacting us directly at [email protected]

Note: Opting out of marketing communications will not affect essential service communications related to your account and platform use.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Analyze platform usage and performance
  • Improve user experience

You can control cookies through your browser settings. Note that disabling cookies may affect platform functionality.

7. Children's Privacy

In accordance with the 2024 Privacy Act reforms providing enhanced protections for individuals under 18 years of age:

  • Age Requirement: You must be at least 18 years old to register for and use the Archanaut Galxy platform. The platform is designed exclusively for professional use by accredited NatHERS assessors and industry professionals.
  • No Collection from Minors: We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age.
  • Inadvertent Collection: If we become aware that we have inadvertently collected personal information from an individual under 18 years of age, we will take immediate steps to delete that information from our systems, unless we are required by law to retain it.
  • Parental Rights: If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact us immediately at [email protected] so we can delete the information.

By using this platform, you confirm that you are at least 18 years of age and have the legal capacity to enter into this agreement.

8. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or NatHERS protocols. Material changes will be notified via email and posted on our website at least 30 days before taking effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

9. Contact Us

For questions about this Privacy Policy, to exercise your privacy rights, or to lodge a complaint, please contact us:

Archanaut Pty Ltd

ABN: 93 670 225 395

ACN: 670 225 395

Email: [email protected]

Phone: +61 431 575 309

Registered Address: Level 1/54 Balgowlah Rd, Balgowlah NSW 2093

Related Documents: