Privacy Policy

Last updated: 9 April 2026

1. What does this policy cover?

At Adapt By Design Pty Ltd (ACN 161 032 588), trading as Adapt ("us", "we", "our" or the "Company"), we value your privacy and the importance of safeguarding your data. This Privacy Policy explains how and why we collect and use information about you, including what types of information we collect, how it is collected and used, how we keep your information safe, when and why we might share that information, and your choices about your information.

In this Policy, "Personal Data" (also referred to as "personal information") refers to any information that, on its own or in combination with other available information, can directly or indirectly identify an individual.

2. When this policy applies

This Policy applies to our websites, domains, the Embed platform, and related services that link to it, and when you use our platform and services as an authorised user, or visit our websites that link to this Policy.

This Policy does not apply to third-party websites, apps, products, services or platforms that may be linked from our services. Such third-party websites, apps, products, services or platforms have their own privacy practices.

Our services are designed for use by business customers only (subscribers are companies, not individuals acting in a personal capacity). When we process Personal Data, we usually do so on behalf of our business subscribers in the context of their employment or commercial relationships.

For most platform usage, we act as a ‘processor’ (or ‘service provider’ under the CCPA) for our business subscribers, processing Personal Data on their instructions. For some activities (such as our own marketing and website analytics), we act as a ‘controller’ (or ‘business’). This Policy describes our practices in both roles.

Australian focus

We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

International compliance

Where we collect Personal Data from individuals who are located in the European Economic Area (EEA) or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR as applicable. Where we collect Personal Data from California residents in the course of business, we also comply with the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). If you are located in another jurisdiction with applicable data protection laws, please contact us for information about how we handle your data.

3. Personal data we collect

a) When you provide it to us directly

This includes when you visit our websites, use our services, or provide Personal Data directly through other interactions with us. For example, we collect your contact information when you sign up for a subscription, and collect details you share when you request support. You do not have to provide us with Personal Data, but if you choose not to, it may mean you cannot use parts of our services.

b) Automatically

We collect some Personal Data about you automatically when you visit our websites or use our platform. For example, we collect data about the pages you view, features you use, and the links you click.

c) From third parties

We may receive Personal Data from trusted third-party service providers that help us deliver our services, including analytics providers and CRM platforms.

4. Categories of personal data and sources

The categories of Personal Data we collect and their sources include:

Identity and contact data: your name, email address, telephone number, address, and job title. Sourced directly from you or your organisation.

Account data: your login and profile information, including subscription details. Sourced directly from you.

Billing data: invoicing details, billing address, and payment history. Sourced directly from your organisation. We do not process or store credit card details.

Communications data: feedback on our services, chat, email or call history. Sourced directly from you.

Device and usage data: IP address, browser type, device type, operating system, pages viewed, features used, timestamps, and time zone. Sourced automatically.

Uploaded content: business meeting records, photographs, videos, audio recordings or transcripts that you upload to the platform. This content is business-focused and is uploaded at your discretion. Sourced directly from you.

Cultural survey data: employee engagement, satisfaction, and organisational health metrics collected through surveys administered by your organisation via the platform. In limited cases, survey responses may include information about trade union membership where individuals choose to provide it. Where that occurs, we treat it as sensitive information and process it only with the individual’s explicit consent and subject to additional safeguards.

Marketing data: newsletter subscription preferences and communication preferences. Sourced directly from you.

We do not generally collect or require sensitive personal information (such as health data, racial or ethnic origin, political opinions, or religious beliefs) to operate our services. Where cultural survey responses include trade union membership data, we treat this as sensitive information and process it only with the express consent of the individual concerned. We do not intentionally collect health or medical information, financial account numbers, or government identifiers about individuals through the Embed platform.

5. Cookies and similar technologies

We use essential cookies that are necessary for the operation of our services (no consent required). For analytics cookies, we obtain your consent before placing them on your device. You can manage your cookie preferences at any time via our cookie banner or your browser settings. See our Cookie Notice for more details.

We honour Global Privacy Control (GPC) and Do Not Track signals where required by applicable law. Some site features may not function without essential cookies.

Our public website currently offers newsletter subscription forms but does not provide self-service sign-up for the Embed platform. Access to the platform is provisioned separately for business customers under our subscription agreements.

6. Automated processing

We may use automated tools to assist with customer support enquiries and to enable search functionality within the platform (for example, retrieving meeting records or documents you have uploaded). We do not use automated decision-making to make legal or similarly significant decisions about individuals, and we do not currently use your Personal Data or Subscriber Data to train AI or machine learning models.

Where automated processing could produce outcomes that materially affect you, those outcomes are reviewed by a person. You may contact us at any time to request human review of an automated decision or to use a non-automated channel (such as email or telephone) for support.

7. How we use your personal data

We use your Personal Data to provide, maintain and develop our products and services. Our specific purposes are:

a) Deliver our services: set up accounts, authenticate users, administer subscriptions, provide and support platform features, and monitor and maintain systems.

b) Communicate with you: service messages, invoices, technical notices, security alerts, and support responses via email, phone or in-platform notifications.

c) Quality assurance and record-keeping: reviewing support interactions and maintaining service records.

d) Security management: detecting, investigating and preventing security incidents and abuse; protecting users, our business, and people.

e) Compliance management: enforcing terms of use and internal reporting.

f) Improve and develop services: debugging, analytics, and research and development to improve platform features. Where we analyse usage to improve our services, we use aggregated or de-identified information wherever reasonably possible.

g) Marketing communications: with your consent, sending information about our products, services, events and promotions. We comply with the Spam Act 2003 (Cth) and provide easy opt-out mechanisms in every communication.

h) Legal and regulatory compliance: responding to lawful requests and meeting record-keeping obligations.

i) Managing legal claims: protecting our rights and responding to disputes.

Lawful bases for processing (GDPR)

Where we process Personal Data of individuals in the EEA or UK, our lawful bases under Article 6 of the GDPR are:

i) Performance of a contract: purposes (a), (b), (e) – processing is necessary to perform our agreement with you or your organisation.

ii) Legitimate interests: purposes (c), (d), (f), (i) – our legitimate interest is in operating, securing and improving our services. We have conducted balancing assessments to ensure our interests do not override your rights.

iii) Consent: purpose (g) – you may withdraw your consent at any time by contacting us or using the unsubscribe link in our communications.

iv) Legal obligation: purpose (h) – processing is necessary to comply with a legal obligation to which we are subject.

Anonymity and pseudonymity: Where practical, you may interact with us anonymously or using a pseudonym (for example, general website browsing). Some activities (such as support and subscriptions) require identifiable details.

8. Third-party providers

We engage third-party service providers to help us deliver and support the Services. These providers are engaged under contracts that include privacy and security obligations appropriate to their role. For a current list of our sub-processors please contact us.

Our key categories of service providers include:

  1. Cloud infrastructure and hosting (e.g. Microsoft Azure);

  2. CRM and email communications (e.g. Pipedrive, Klaviyo);

  3. Analytics (e.g. Google Analytics); and

  4. Website and marketing tools (including tools used for our newsletter sign-up forms and email campaigns).

We will update our sub-processor list when we engage a new sub-processor and will provide notice of material changes. You may opt out of marketing communications at any time.

9. International data transfer and storage

Where possible, we store and process data in Australia (for example, using Australian data centres provided by our hosting partner). However, your Personal Data may be transferred to, and processed in, countries outside Australia where our service providers operate (including, for example, the United States).

Australian Privacy Principles: Before disclosing Personal Data to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to your personal information (APP 8).

GDPR transfers: Where we transfer Personal Data from the EEA or UK, we rely on European Commission adequacy decisions, EU Standard Contractual Clauses, or equivalent safeguards as the legal basis for transfer. Details of our transfer safeguards are available on request.

CCPA: We do not sell or share (as defined under the CCPA) the Personal Data of California residents. We do not sell or share your Personal Data for cross-context behavioural advertising. If this changes in future, we will update this Policy and provide a ‘Do Not Sell or Share My Personal Information’ link as required by the CCPA.

10. How we share your personal data

We share Personal Data only as described below or at the time of collection:

Service providers: to help us provide, maintain and improve our services (e.g. hosting, analytics, email, CRM, customer support).

Analytics: we use Google Analytics to understand site usage. We do not use analytics data to identify you directly. You may opt out at https://tools.google.com/dlpage/gaoptout.

Legal and safety: to comply with law, respond to lawful requests, protect life or safety, and protect our rights or property. Where practicable, we will notify you in advance.

Business transfers: in connection with a merger, acquisition or asset sale (we will provide notice before your information is transferred and becomes subject to a different privacy policy).

We do not sell or share your Personal Data for third-party advertising purposes.

11. Data retention

We retain your Personal Data only for as long as necessary for the purposes described in this Policy. Our standard retention periods are:

  1. Account data: for the duration of your subscription and 12 months after termination;

  2. Communications data: 24 months from the date of the communication;

  3. Device and usage data: 24 months on a rolling basis;

  4. Uploaded content (Subscriber Data): for the duration of your subscription and 60 days after termination to facilitate data export; and

  5. Cultural survey data: for the duration of your subscription and 12 months after termination.

We may retain data for longer where required by law or to establish, exercise or defend legal claims. When no longer needed, we take reasonable steps to securely destroy or de-identify your Personal Data.

12. How we keep your data safe

We use appropriate organisational and technical measures to protect Personal Data against unauthorised access, alteration, disclosure or loss, including:

  1. encrypted connections (HTTPS) between your browser and our services;

  2. role-based access controls and multi-factor authentication for administrative access;

  3. regular backups and tested restoration procedures;

  4. device encryption and standard security tools on endpoints;

  5. staff training in privacy and security, with confidentiality obligations;

  6. vetting and contractual controls for third-party service providers; and

  7. audit trails and logging of access to customer records.

Data breach notification

If a notifiable data breach occurs, we will: 

  1. notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable in accordance with Part IIIC of the Privacy Act 1988; 

  2. notify affected individuals as soon as practicable; and 

  3. where the breach involves Personal Data of EEA or UK residents, notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). 

If you suspect any misuse or unauthorised access, please contact us immediately.

13. Children’s privacy

We do not knowingly collect Personal Data from children. For users in Australia, this means individuals under 18 years of age. For users in the EEA, this means individuals under 16 years of age (or such lower age as permitted by the applicable EU member state). If you believe a child has provided us with Personal Data, please contact us so we can delete it.

14. Your rights and choices

a) All users

You may request access to the Personal Data we hold about you and request correction if it is inaccurate, out of date, incomplete, irrelevant or misleading. You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us. For your privacy and security, we may need to verify your identity before actioning a request.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

b) Additional rights for EEA and UK residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR:

i) Right of access (Article 15): to obtain confirmation of whether we process your Personal Data and to receive a copy;

ii) Right to rectification (Article 16): to have inaccurate Personal Data corrected;

iii) Right to erasure (Article 17): to request deletion of your Personal Data in certain circumstances;

iv) Right to restriction of processing (Article 18): to request we restrict processing while a complaint is investigated;

v) Right to data portability (Article 20): to receive your Personal Data in a structured, commonly used, machine-readable format;

vi) Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing purposes;

vii) Right not to be subject to automated decision-making (Article 22): to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects; and

viii) Right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact our Data Privacy Officer at the details in section 16. We will respond within one month (which may be extended by up to two further months for complex requests, in which case we will inform you of the extension and the reasons).

c) Additional rights for California residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

i) Right to know: to know what Personal Data we collect, use, disclose and sell or share;

ii) Right to delete: to request deletion of your Personal Data, subject to certain exceptions;

iii) Right to correct: to request correction of inaccurate Personal Data;

iv) Right to opt-out of sale or sharing: to opt out of the sale or sharing of your Personal Data (note: we do not sell or share your Personal Data as defined under the CCPA/CPRA);

v) Right to limit use of sensitive Personal Data: to limit our use of sensitive Personal Data to what is necessary to perform our services; and

vi) Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at the details in section 16. We will respond within 45 days (which may be extended by up to an additional 45 days for complex requests). You may also designate an authorised agent to make a request on your behalf.

Categories of Personal Data collected (CCPA disclosure)

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: Identifiers (name, email, phone, IP address); Professional or employment-related information (job title, employer); Internet or electronic network activity (usage data, device data); and Geolocation data (approximate location from IP address). We have not sold or shared any personal information. We disclose personal information to service providers for the business purposes described in section 7.

15. Changes to this policy

We may update this Policy from time to time. We will post the updated version on this page and update the "Last updated" date. If changes are material, we will provide at least 30 days’ additional notice (for example, by in-product message or email) before the changes take effect. 

If we introduce materially new ways of using Personal Data (for example, AI features that generate new insights about individuals), we will update this Policy and, where required by law, seek your consent before such processing begins.

16. How to contact us

For privacy requests (access, correction, deletion, data portability), to unsubscribe from our mailing list, or for any questions about this Policy:

Data Privacy Officer

Adapt By Design Pty Ltd

4/448 Roberts Road, Subiaco WA 6008, Australia

Email: connect@theadaptway.com

If you are located in the EEA or UK and wish to exercise your GDPR rights or lodge a complaint, you may also contact your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. For the UK, contact the Information Commissioner’s Office (ICO) at ico.org.uk.
