Privacy Policy

1. Introduction

AegisIQ Pty Ltd (ABN 31 682 777 304) (“AegisIQ”, “we”, “our”) is committed to protecting the privacy of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
While AegisIQ is currently exempt from certain provisions of the Privacy Act as a small business (annual turnover under $3 million), we voluntarily comply with the Australian Privacy Principles as a reflection of our commitment to responsible data management and the expectations of our government and financial services clients.
This policy explains how we collect, use, disclose, and manage personal information. It applies to all interactions with AegisIQ, including through our website (aegisiq.com.au), service engagements, and business communications.

2. What Personal Information We Collect
2.1 Information We Collect Directly
We collect personal information when you engage with us, including:

  • Name, email address, phone number, and postal address

  • Company or organisation name, job title, and industry

  • Communications and correspondence (email, phone, meetings)

  • Engagement and project-related information

  • Billing and payment information

  • Information provided through our website contact forms

2.2 Information Collected Automatically
When you visit our website, we may automatically collect:

  • IP address, browser type, and operating system

  • Pages visited, time spent, and referring URLs

  • Device information and general location (city/region level)

This information is collected through Google Analytics 4 and website cookies (see Section 9).
2.3 Sensitive Information
AegisIQ does not generally collect sensitive information (as defined in the Privacy Act, including health information, racial or ethnic origin, political opinions, or criminal records). Where sensitive information is required for specific purposes — such as background checks for government engagements — we will obtain explicit consent and handle it in accordance with APP 3.3.
3. How We Use Personal Information
We use personal information for the following purposes:

  • To deliver consulting and advisory services to our clients

  • To process invoices and manage billing

  • To communicate about our services, engagements, and support

  • To respond to enquiries and requests

  • To improve and develop our services

  • To send marketing communications (with consent — see Section 8)

  • To comply with legal, regulatory, and contractual obligations

  • To protect against fraud, security risks, and misuse

  • To manage recruitment and onboarding processes

We will not use personal information for a purpose other than the primary purpose of collection, or a related secondary purpose that would reasonably be expected, without consent.
4. How We Disclose Personal Information
AegisIQ may disclose personal information to:

  • Service providers and contractors who assist in our service delivery (e.g. cloud hosting, accounting, legal advisory)

  • Government agencies, regulators, and law enforcement where required or authorised by law

  • Professional advisors (lawyers, accountants, insurers)

  • Third parties with your explicit consent

  • A successor organisation in the event of a merger, acquisition, or restructure

AegisIQ does not sell personal information to third parties.
5. Cross-Border Disclosure
AegisIQ may transfer personal information to overseas recipients in limited circumstances, primarily through cloud services. Our key service providers store data in the following jurisdictions:

  • Australia (primary data residency for Microsoft 365)

  • United States (certain cloud service components)

  • European Union (certain cloud service components)

Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient handles it in accordance with the APPs, as required by APP 8. Where practical, we use contractual arrangements to protect transferred information.
6. Security of Personal Information
AegisIQ implements appropriate technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These include:

  • Encryption of data in transit and at rest

  • Multi-factor authentication for all cloud services

  • Access controls based on the principle of least privilege

  • Regular security updates and patching

  • Security awareness training for all personnel

  • Incident response procedures for data breaches

Our security practices are aligned to the Australian Signals Directorate’s Essential Eight Maturity Model. Further detail is set out in the AegisIQ Information Security Management Policy.
No security system is completely impenetrable. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.
7. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including:

  • For the duration of client engagements, plus any contractually required retention period

  • In accordance with applicable legal and regulatory requirements (e.g. 7-year retention for financial records under taxation law)

  • For legitimate business purposes such as maintaining engagement history and managing ongoing relationships

When personal information is no longer required, it is securely deleted or de-identified.
8. Direct Marketing
AegisIQ may use personal information to send marketing communications about our services, events, and insights (e.g. the IQ|Brief newsletter). We will only do so where:

  • You have consented to receive marketing communications; or

  • We have an existing client or business relationship and you would reasonably expect to receive such communications

You can opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email

  • Contacting the Privacy Officer (see Section 15)

We will process opt-out requests within 5 business days. Opting out of marketing does not affect service-related communications.
9. Cookies and Website Tracking
Our website uses cookies and similar tracking technologies:

  • Essential cookies: Required for website functionality (e.g. session management)

  • Analytics cookies: Google Analytics 4 is used to measure website usage and improve our content. Google Analytics collects anonymised usage data and does not identify individual visitors.

  • Marketing cookies: Used to measure the effectiveness of our marketing campaigns

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Disabling cookies may affect website functionality.
For information about how Google processes data, see Google’s privacy policy at policies.google.com/privacy.
10. AI and Automated Decision-Making
AegisIQ does not use personal information for automated decision-making that produces legal or similarly significant effects on individuals.
Where AI tools are used in the delivery of our consulting services, client data is handled in accordance with engagement-specific agreements and our AI and Generative AI Acceptable Use Policy. We do not input client personal information into public AI tools.
11. Access and Correction
You have the right to:

  • Access: Request access to the personal information we hold about you (APP 12). We will respond to access requests within 30 calendar days.

  • Correction: Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13). We will respond to correction requests within 30 calendar days.

To make an access or correction request, contact the Privacy Officer (see Section 15). We may need to verify your identity before processing your request.
In limited circumstances, we may refuse an access request (for example, where providing access would unreasonably impact another person’s privacy). If we refuse a request, we will provide written reasons.
12. Anonymity and Pseudonymity
Where practicable, you may interact with AegisIQ without identifying yourself or by using a pseudonym (APP 2). However, in many cases we will need to verify your identity to provide our services, respond to enquiries, or meet our legal obligations.
13. Children’s Privacy
AegisIQ does not knowingly collect personal information from individuals under 18 years of age. If we become aware that personal information has been collected from a child, we will take reasonable steps to delete it. Parents or guardians who believe their child has provided information to AegisIQ should contact the Privacy Officer.
14. Third-Party Links
Our website may contain links to third-party websites and services. AegisIQ is not responsible for the privacy practices of external sites. We recommend reviewing the privacy policies of any third-party website before providing personal information.
15. Privacy Complaints
If you believe your privacy has been breached, or you have a concern about how we handle personal information, you can lodge a complaint with us:
Step 1: Contact the AegisIQ Privacy Officer with details of your complaint (see contact details below).
Step 2: We will acknowledge your complaint within 7 business days and advise you of the expected timeframe for investigation.
Step 3: We will investigate the complaint and provide a written response, aiming to resolve the matter within 30 business days.
Step 4: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Online: www.oaic.gov.au

  • Phone: 1300 363 992

  • Post: GPO Box 5218, Sydney NSW 2001

16. Data Breach Notification
AegisIQ will notify affected individuals and the OAIC of eligible data breaches in accordance with the Notifiable Data Breaches scheme under the Privacy Act. An eligible data breach occurs when there is unauthorised access to, or disclosure of, personal information that is likely to result in serious harm.
Our procedures for responding to data breaches are set out in the AegisIQ Incident Response Plan.
17. Social Media
AegisIQ maintains a presence on professional social media platforms (including LinkedIn). Information shared or communicated through social media platforms is subject to the platform’s own privacy policy. We recommend reviewing the relevant platform’s privacy settings.
18. Changes to This Policy
AegisIQ may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify affected individuals of material changes and seek consent where required by the Privacy Act.
The current version of this policy is always available at aegisiq.com.au/privacy-policy.
19. Australian Privacy Principles Compliance
AegisIQ voluntarily complies with the 13 Australian Privacy Principles under the Privacy Act 1988 (Cth).
20. Privacy Officer Contact Details
For privacy enquiries, access or correction requests, or to lodge a complaint:
Privacy Officer
Mike Booth, Managing Director
Email: mike.booth@aegisiq.com.au
Website: www.aegisiq.com.au/contact
Address: Suite 302, 13/15 Wentworth Avenue, Sydney NSW 2000
21. Governing Law
This privacy policy is governed by the laws of the Commonwealth of Australia, specifically the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
 

Version Management

AegisIQ Privacy Policy

Version 2.0

Effective 16 April 2026