Privacy Policy

1. Introduction

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our dashboard tools and any related applications (collectively, the "Service"). "We", "our", and "us" refer to the operator of the Service.

This Privacy Policy complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the General Data Protection Regulation (GDPR) (EU) 2016/679, where applicable.

2. Operator Information

3. Information We Collect

3.1 Information You Provide

When you use our Service, we may collect various types of information that you provide directly to us. This includes authentication credentials such as API keys, tokens, usernames, passwords, and other authentication information required by specific tools. Where a tool operates locally, such credentials may be stored locally in your browser and never transmitted to our servers.

We also collect account information including user IDs, account identifiers, email addresses (processed by our authentication provider), and profile information from third-party services you connect to through our tools. For tools that require identity verification, we may collect verification data including identification documents, proof of address, and other information as required. Such verification data is processed by our identity verification service provider.

Additionally, we collect your tool preferences and settings, including customisations, export settings, and configuration choices for each tool. We collect content and data that you input or process through our tools, such as files, URLs, course selections, export parameters, and similar information. Any messages, feedback, or inquiries you send to us are also collected as communication data.

For premium features or paid tools, billing and payment processing are handled by third-party providers. We do not store full payment card details on our servers. Payment data is stored and processed by our payment processor in accordance with their privacy policy and applicable standards.

3.2 Automatically Collected Information

We automatically collect certain information about your device and usage patterns when you interact with our Service. This includes technical information such as your browser type, version, and settings; your operating system; device type and model; screen resolution; language preferences; IP address (which we anonymise where possible); and your time zone. This technical information helps us ensure compatibility and optimise the Service for your device.

We collect usage data including pages you visit, tools you access, features you use, time spent on each tool, click patterns, navigation paths, and interaction timestamps. This information helps us understand how users interact with our Service and identify areas for improvement. We also collect performance data such as load times, error rates, response times, and system performance metrics to monitor and improve Service performance.

Technical errors, exceptions, crashes, and diagnostic information are collected in error logs to help us identify and fix issues, improve stability, and enhance the user experience. We may also collect referral information indicating the website or source that referred you to our Service, which helps us understand how users discover our platform.

3.3 Information from Third-Party Services

When you use tools that connect to external services, we may receive information from those services. For tools that operate locally, data may be processed in your browser and never stored on our servers; API calls may be made directly from your browser to the external service.

For tools that involve server-side processing, only the metadata or data necessary to provide the functionality may be processed on our servers; actual content may be streamed to your device and not stored by us. For file upload or sharing tools, files may be stored on third-party servers and are subject to the privacy policy of the hosting service.

Any future tools we add may connect to additional third-party services. The data handling practices for each tool will be clearly disclosed in this policy and within the tool interface. We are committed to transparency regarding how data flows between our Service, your browser, and any third-party services.

3.4 Local Storage and Browser Data

Our Service uses browser local storage, session storage, and IndexedDB to store data locally on your device. This includes authentication data such as API keys, tokens, and credentials for tools that require authentication. Where technically possible, this authentication data is stored in an encrypted format to enhance security.

We store your preferences including tool settings, theme preferences, language choices, and customisations to provide a personalised experience across sessions. To improve performance and reduce API calls, we cache certain data such as course lists and file metadata locally in your browser. This cached data helps the Service load faster on subsequent visits.

Temporary session data needed for current tool operations is stored in session storage, which is automatically cleared when you close your browser. For local tools, we may also store records of your export operations and preferences to facilitate future exports and improve user experience.

All data stored locally in your browser is stored exclusively on your device and is never transmitted to our servers for local tools. You maintain complete control over this data and can clear it at any time through your browser settings or by using the "Clear Cache" function within our Service. Clearing this data will require you to re-enter your credentials and may reset your preferences.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision

We use the information we collect primarily to provide, operate, and maintain the tools in our dashboard. This service provision encompasses the full lifecycle of tool operation, from initial access through authentication to ongoing functionality and maintenance. Each tool is designed with specific data handling requirements, and we use your information to ensure these tools operate correctly and securely according to their intended purpose.

User authentication is a critical component of our Service provision. We authenticate your identity through our third-party authentication provider, which manages your account access. This process involves verifying your credentials, managing your login sessions, and ensuring that only authorised users can access our tools and features.

For tools that require identity verification, we use your information to verify your identity through our identity verification service provider. This may apply to certain premium tools or features that involve financial transactions or regulated activities.

When you use tools that require connections to external services, we use your information to authenticate and connect to those services. Where a tool is designed to operate locally, credentials may be stored in your browser and used to make direct API calls from your browser to the external service, so we do not act as an intermediary or store that data on our servers.

We process your requests, exports, downloads, file uploads, and other tool operations to deliver the functionality you request. This processing may occur locally in your browser for local tools, or on our servers for server-based tools, as clearly disclosed for each tool. The processing is designed to be efficient, secure, and aligned with your expectations and our privacy commitments.

To enhance your user experience, we remember your preferences, settings, and customisations across sessions. This includes tool configurations, export settings, theme preferences, language choices, and other personalisations that make your experience with our Service more convenient and tailored to your needs. These preferences are stored locally in your browser and are not transmitted to our servers for local tools.

4.2 Service Improvement

We continuously work to improve our Service through comprehensive analysis of usage patterns, identification of performance bottlenecks, and optimisation of tool performance. This involves collecting and analysing technical information, usage data, and performance metrics to understand how our Service is being used and where improvements can be made. We use this information to optimise resource allocation, improve response times, and ensure that our Service can handle increasing user loads effectively.

Understanding which features are most used and how users interact with our tools helps us develop new tools and functionalities that better serve your needs. We analyse feature usage data to identify popular features, underutilised capabilities, and areas where new functionality would be valuable. This data-driven approach to feature development ensures that we invest our development resources in areas that will provide the most value to our users.

We use collected information, including error logs and diagnostic data, to identify, diagnose, and fix technical issues, errors, and bugs. When errors occur, we analyse the error logs to understand what went wrong, why it happened, and how to prevent similar issues in the future. This proactive approach to bug fixing helps maintain the stability and reliability of our Service, ensuring that you can use our tools without interruption.

User experience improvement is an ongoing priority. We use usage data, interaction patterns, and user feedback to improve the user interface, navigation, and overall user experience. This includes making the Service more intuitive, reducing the number of clicks required to complete tasks, improving visual design, and ensuring that the Service is accessible to users with different needs and preferences. We conduct regular usability assessments and make iterative improvements based on real user behaviour and feedback.

4.3 Communication and Support

We use your information to respond to your inquiries, provide technical support, and assist with tool usage. When you contact us with questions or issues, we use the information you provide and your account information to understand your situation and provide appropriate assistance. This may include accessing your account information to verify your identity, reviewing your usage history to understand the context of your inquiry, and using technical information to diagnose and resolve technical issues.

We may notify you about important changes, updates, new features, or security issues that affect your use of our Service. These notifications are essential for keeping you informed about developments that may impact your experience or require action on your part. We use your contact information to send these notifications through email, in-app messages, or other appropriate channels, ensuring that you are always aware of important Service updates.

We also use your contact information to inform you about changes to this Privacy Policy or our Terms of Service, as required by law and as a matter of transparency. When we make material changes to these documents, we will notify you through appropriate channels and provide you with an opportunity to review the changes. This ensures that you are always aware of how your information is being used and what rights and responsibilities you have when using our Service.

4.4 Legal and Security

We use your information to comply with applicable laws, regulations, legal processes, and governmental requests. This may include responding to subpoenas, court orders, or other legal processes, or cooperating with law enforcement investigations where required by law. When we receive such requests, we carefully review them to ensure they are legally valid and appropriately scoped, and we only disclose information that is necessary to comply with the request. We will notify you of such requests where legally permitted and not prohibited by law or court order.

Security is a paramount concern, and we use collected information to detect, prevent, and address security threats, fraud, abuse, and unauthorised access. This includes monitoring for suspicious activities, analysing patterns that may indicate fraudulent use, and implementing security measures to protect both you and our Service. We use automated systems and manual review processes to identify and respond to security threats in real-time, ensuring that our Service remains secure and that your information is protected from unauthorised access or misuse.

We also use this information to enforce our Terms of Service and protect our rights, property, and safety, as well as that of our users. This includes investigating violations of our Terms of Service, taking appropriate action against users who engage in prohibited activities, and protecting our intellectual property and other legal rights. We take a balanced approach to enforcement, ensuring that we protect our Service and users while respecting user rights and privacy.

5. Tool-Specific Data Handling

5.1 Data handling by tool type

Different tools on the Service handle data in different ways. Some tools process data entirely in your browser (local tools); no data is transmitted to our servers for those tools. Other tools may require server-side processing; in those cases, only the data necessary to provide the functionality is processed on our servers, and actual content may be streamed to your device and not stored by us. Tools that involve file upload or storage may use third-party hosting services; files are then subject to that provider's privacy policy. The data handling for each tool is disclosed within the tool interface and in this policy where relevant.

Where a tool connects to an external service using credentials you provide, those credentials may be stored locally in your browser. For local tools, API calls are made directly from your browser to the external service so we do not act as an intermediary or store that data. Preferences and settings may be stored locally to improve your experience; you can clear this data via your browser settings.

5.2 Future tools

As we continue to expand our Service and add new tools to our dashboard, we are committed to maintaining transparency and privacy in our data handling practices. Each new tool will have clearly disclosed data handling practices, and we will update this Privacy Policy to reflect the data handling practices of new tools as they are added to our Service.

Tools that process data entirely in your browser will be clearly marked as local tools. For these tools, no data is transmitted to our servers, and all processing occurs locally in your browser. This includes authentication credentials, input data, processing results, and any other data associated with the tool. Local tools provide maximum privacy and security, as your data never leaves your device. We will clearly indicate which tools are local tools and explain how they work to help you understand the privacy implications of using each tool.

Tools that require server processing will clearly indicate what data is processed on our servers and how it is used. This includes explaining what data is sent to our servers, why server-side processing is necessary, how the data is processed, and how long the data is retained. We will also explain the security measures in place to protect data processed on our servers and how you can control or delete this data. This transparency ensures that you understand the data handling practices of server-based tools and can make informed decisions about using them.

Tools that use both local and server processing, known as hybrid tools, will have transparent disclosure of data flows. This includes explaining which data is processed locally and which data is processed on our servers, how data flows between your browser and our servers, and what security measures are in place to protect data in transit and at rest. Hybrid tools may offer the benefits of both local and server processing, such as enhanced functionality or performance, while maintaining privacy where possible. We will clearly explain the data handling practices of hybrid tools to help you understand how your data is being used.

Any third-party services used by new tools will be disclosed, and you will be informed of their privacy practices. This includes explaining which third-party services are used, what data is shared with them, how they use your data, and how you can learn more about their privacy practices. We will also explain our relationship with these third-party services and how we ensure that they protect your data appropriately. We encourage you to review the privacy policies of third-party services to understand how they handle your data.

6. Data Storage and Security

We implement appropriate technical and organisational measures to protect your information:

6.1 Local Storage Security

For local tools, your credentials and sensitive data are stored exclusively in your browser's local storage, session storage, or IndexedDB. This browser-based storage approach ensures that your sensitive information remains on your device and is never transmitted to our servers. Local storage provides persistent storage that survives browser sessions, while session storage is cleared when you close your browser. IndexedDB offers more advanced storage capabilities for larger datasets. All three storage mechanisms are standard browser technologies that provide secure, isolated storage for web applications.

For local tools, we do not collect, store, or transmit your credentials or sensitive data to our servers. This fundamental privacy principle ensures that your authentication credentials, API keys, tokens, and other sensitive information remain exclusively on your device. We have no access to this data, and it cannot be compromised through a breach of our servers because it is never stored on our servers in the first place. This architecture provides maximum security and privacy for your sensitive information.

For local tools, API calls are made directly from your browser to external services, bypassing our servers entirely. This direct connection architecture ensures that we do not act as an intermediary or proxy for your API calls. Your browser communicates directly with those external services, and we have no visibility into these communications. This means that we cannot intercept, log, or access the data you exchange with external services, giving you control over your data.

We recommend and support HTTPS connections when accessing external services to encrypt data in transit. HTTPS (Hypertext Transfer Protocol Secure) uses TLS/SSL encryption to protect data as it travels between your browser and external services. This encryption ensures that even if data is intercepted during transmission, it cannot be read by unauthorised parties. We encourage you to use HTTPS connections whenever possible, and our tools are designed to work with HTTPS-enabled services to ensure secure data transmission.

Only you have access to the data stored in your browser. We cannot access this data because it is stored locally on your device and is not transmitted to our servers. This means that you have complete control over your data, and you can view, modify, or delete it at any time through your browser settings or through our Service's data management features. The security of this data depends on the security of your device and browser, so we encourage you to maintain strong security practices on your device.

6.2 Server Security (Where Applicable)

For tools that require server processing, we implement comprehensive security measures to protect your data. These measures are designed to meet industry standards and best practices for data security, ensuring that your information is protected from unauthorised access, disclosure, alteration, or destruction.

Data in transit is encrypted using TLS/SSL protocols, which provide strong encryption for data as it travels between your browser and our servers. This encryption ensures that even if data is intercepted during transmission, it cannot be read by unauthorised parties. Data at rest is encrypted where applicable, using industry-standard encryption algorithms to protect data stored on our servers. This encryption ensures that even if our servers are compromised, the data stored on them remains protected and unreadable without the encryption keys.

We implement strict access controls and authentication mechanisms for our servers and databases. This includes requiring strong authentication credentials for all administrative access, implementing role-based access controls to limit access to authorised personnel only, and using multi-factor authentication where appropriate. We regularly review and update access controls to ensure that only authorised personnel have access to your data, and we monitor access logs to detect and respond to any unauthorised access attempts.

We conduct periodic security assessments and vulnerability scans to identify and address potential security vulnerabilities. These assessments include automated vulnerability scanning, manual security reviews, penetration testing, and code security audits. When vulnerabilities are identified, we prioritise and address them promptly to ensure that our Service remains secure. We also stay informed about emerging security threats and update our security measures accordingly.

We follow the principle of data minimisation, collecting and storing only the minimum data necessary for tool functionality. This means that we do not collect or store unnecessary data, and we regularly review our data collection practices to ensure that we are not collecting more data than is needed. When data is no longer needed, we delete it promptly in accordance with our data retention policies. This minimisation reduces the risk of data exposure and ensures that we only process the data that is necessary for providing our Service.

Our servers are hosted on secure, reputable cloud platforms with industry-standard security measures. These platforms provide robust physical security, network security, and infrastructure security measures that meet or exceed industry standards. We choose hosting providers that have strong security track records and that comply with relevant security certifications and standards. We also implement additional security measures on top of the platform's security to provide defence in depth and ensure comprehensive protection of your data.

6.3 Security Limitations

While we strive to protect your information using industry best practices and comprehensive security measures, it is important to understand that no method of transmission over the Internet or electronic storage is 100% secure. Despite our best efforts, there is always a risk that data could be intercepted, accessed, or compromised through various means, including but not limited to sophisticated cyberattacks, human error, system vulnerabilities, or other security threats. We cannot guarantee absolute security, but we are committed to implementing and maintaining strong security measures to protect your information to the best of our ability.

You play a critical role in maintaining the security of your information. You are responsible for maintaining the security of your device and browser, including keeping your operating system, browser, and security software up to date with the latest patches and updates. Outdated software may contain known vulnerabilities that could be exploited by attackers. You should also use strong, unique passwords for your accounts and enable multi-factor authentication where available. Weak or reused passwords are a common cause of security breaches, and using strong, unique passwords significantly reduces the risk of unauthorised access to your accounts.

You should keep your browser and operating system updated with the latest security patches and updates. Software vendors regularly release updates that fix security vulnerabilities, and failing to install these updates leaves your device vulnerable to known security threats. You should enable automatic updates where possible, or regularly check for and install updates manually. Keeping your software up to date is one of the most important steps you can take to protect your device and data.

You should never share your API credentials or authentication tokens with anyone, including friends, family, or support personnel. These credentials provide access to your accounts and data, and sharing them compromises the security of your information. If you suspect that your credentials have been compromised, you should change them immediately and review your account activity for any unauthorised access. You should also be cautious about phishing attempts and other social engineering attacks that may attempt to trick you into revealing your credentials.

You should use secure networks when accessing our Service, avoiding public Wi-Fi networks or other unsecured networks that may be vulnerable to interception or attack. If you must use a public network, consider using a virtual private network (VPN) to encrypt your connection and protect your data. You should also be cautious about accessing our Service on shared or public devices, as these devices may have malware or other security threats that could compromise your information. Always log out of your account when using shared devices, and avoid saving credentials on devices that you do not control.

7. Third-Party Services and Integrations

Our Service may integrate with or use third-party services. This section describes how we interact with these services:

7.1 Service Providers

We may use third-party service providers to help us operate our Service efficiently and effectively. These service providers perform various functions on our behalf, including hosting, analytics, billing, content delivery, and error tracking. We carefully select service providers that have strong privacy and security practices, and we enter into contractual agreements with them that require them to protect your information and use it only for the purposes we specify.

We use cloud hosting providers for server-based tools and infrastructure. These hosting providers provide the physical and virtual infrastructure necessary to run our Service, including servers, storage, networking, and other computing resources. We choose hosting providers that have strong security track records, comply with relevant security certifications and standards, and provide reliable and scalable infrastructure. Our hosting providers may have access to server logs and other technical data, but they do not have access to your personal information unless it is necessary for providing hosting services.

We use analytics services to understand how our Service is used and improve user experience. These analytics services collect and analyse usage data, such as page views, tool usage, and user interactions, to help us understand how users interact with our Service and identify areas for improvement. We take steps to anonymise this data where possible, removing or obfuscating personally identifiable information before it is sent to analytics services. This helps protect your privacy while still allowing us to gain valuable insights into how our Service is being used.

Billing and subscription management for premium features are handled by our third-party providers. When you subscribe, our providers manage your subscription and process payment card information, billing address, and transaction details. We do not store full payment card details on our servers. Payment information is processed by our payment processor in accordance with applicable standards.

We use content delivery network (CDN) services to improve Service performance and availability. CDNs distribute our Service content across multiple servers located in different geographic regions, reducing latency and improving load times for users around the world. CDNs may cache static content such as images, stylesheets, and JavaScript files to improve performance. While CDNs may have access to technical information such as IP addresses and request headers, they do not have access to your personal information or the content you process through our tools.

We use error tracking services to help us identify and fix technical issues. These services collect error logs, exception information, and diagnostic data to help us understand what went wrong when errors occur. We take steps to anonymise this data where possible, removing or obfuscating personally identifiable information before it is sent to error tracking services. This helps protect your privacy while still allowing us to diagnose and fix technical issues that may affect your experience with our Service.

All service providers are contractually obligated to protect your information and use it only for the purposes we specify. We enter into data processing agreements with our service providers that require them to implement appropriate security measures, comply with applicable privacy laws, and use your information only for the purposes we specify. We regularly review our service providers' privacy and security practices to ensure that they continue to meet our standards, and we will terminate relationships with service providers that do not meet our requirements.

7.2 Authentication Services

We use third-party authentication services to manage user accounts and access to our Service. These services provide secure, reliable authentication and account management capabilities, allowing us to focus on providing excellent tools while ensuring that your account information is protected by industry-leading authentication providers.

We use a third-party authentication provider for user authentication, account management, and access control. They process your email address, authentication credentials, and account information to authenticate your identity and manage your access to our Service. Authentication data is stored by our provider, not on our servers; we do not have access to your password or other sensitive authentication information. Please review our provider's privacy policy to understand how they handle your data.

Our authentication provider may use cookies or similar technologies to maintain your login state across sessions. Billing and subscription management for premium features are handled by our providers; payment card information is processed by our payment processor. We do not store full payment card details on our servers. Please review the relevant providers' privacy policies for payment and subscription data.

7.3 KYC/AML Services

For certain tools that require identity verification or compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, we use specialised third-party services to verify your identity and ensure compliance with applicable laws and regulations. These verification requirements are necessary for tools that involve financial transactions, regulated activities, or other situations where identity verification is required by law or industry standards.

We use a third-party identity verification provider for tools that require identity verification or compliance with applicable regulations. That provider may collect and process personal identification information, including government-issued ID documents, proof of address, and other information necessary for verification. This data is stored and processed by our provider in accordance with their privacy policy and applicable regulations.

When you use a tool that requires such verification, your identification documents and personal information will be processed by our provider. We encourage you to review the provider's privacy policy to understand how they handle your data.

KYC/AML verification may be required for certain premium tools or features that involve financial transactions or regulated activities. These requirements are typically imposed by law or industry regulations to prevent fraud, money laundering, and other financial crimes. You will be clearly notified when such verification is required, and you will have the opportunity to review the verification requirements before proceeding. If you choose not to complete the verification process, you may not be able to access certain tools or features that require verification.

We may share limited information with Didit to initiate the verification process. This may include your email address, name, and other basic information necessary to start the verification process. Didit may also share verification results and status with us to enable access to verified tools. This information sharing is necessary to complete the verification process and grant you access to tools that require verification. We only share the minimum information necessary for verification purposes, and we ensure that Didit protects your information in accordance with applicable privacy laws.

Didit retains verification data in accordance with legal and regulatory requirements for KYC/AML compliance, which may include extended retention periods as required by law. Financial services regulations often require that KYC/AML verification data be retained for extended periods to support compliance audits and regulatory investigations. These retention requirements are designed to ensure compliance with applicable laws and regulations, and Didit complies with these requirements while protecting your personal information.

Please review Didit's privacy policy to understand their data handling practices, including how they collect, store, use, and protect your verification data. We encourage you to review both Kinde's and Didit's privacy policies before using tools that require authentication or verification, so you can make informed decisions about how your information is being used. Understanding these privacy policies will help you understand your rights and how your information is protected throughout the authentication and verification processes.

7.4 External Platform Integrations

Our tools may connect to external platforms and services to provide functionality and enable you to access and process data from various sources. These integrations are designed to enhance the capabilities of our tools while maintaining privacy and security. We are transparent about how these integrations work and what data is shared with external platforms.

The Canvas Exporter tool connects directly to your Canvas instance using the Canvas LMS API. This direct connection means that we do not act as an intermediary or store Canvas data on our servers. All API calls are made directly from your browser to your Canvas instance, and we have no visibility into the data you retrieve from Canvas. This architecture ensures that your Canvas data remains private and under your control, and we cannot access, view, or interfere with your Canvas account or course data.

YT-DLP Online interacts with various video hosting platforms, including YouTube, Vimeo, and other video hosting services, to facilitate video and audio downloads. These interactions are necessary to retrieve video metadata, handle authentication where required, and manage download streams. However, we do not store video content on our servers. The video content is streamed directly from the source platform to your device, and we act only as a facilitator for the download process. We do not cache, store, or retain video content, ensuring that your downloaded videos remain private and that we do not have access to the content you download.

Share Files uses third-party file hosting services to provide file storage and sharing capabilities. When you upload files through Share Files, the files are stored on third-party servers, not on our servers. This means that the file hosting service is responsible for storing and managing your files, and your files are subject to the privacy policy of the hosting service. We encourage you to review the privacy policy of the file hosting service to understand how they handle your files, including their data storage practices, security measures, and data retention policies.

Any future tools that integrate with external services will have their data handling practices clearly disclosed in this Privacy Policy and within the tool interface. We are committed to transparency regarding how data flows between our Service, your browser, and any third-party services. When we add new tools or integrations, we will update this Privacy Policy to reflect the data handling practices of those tools, ensuring that you are always informed about how your data is being used.

7.5 Links to Third-Party Websites

Our Service may contain links to third-party websites or services that are not owned or controlled by us. These links are provided for your convenience and to enhance your experience with our Service. However, we are not responsible for the privacy practices of these external sites. Each third-party website or service has its own privacy policy and data handling practices, which may differ from ours.

We encourage you to review the privacy policies of any third-party sites you visit to understand how they collect, use, and protect your information. When you click on a link to a third-party website, you will be subject to that website's privacy policy and terms of service. We recommend that you exercise caution when providing personal information to third-party websites, and that you review their privacy policies before sharing any information with them.

8. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. This fundamental privacy principle ensures that your personal information is not monetised or shared for commercial purposes unrelated to providing our Service. We are committed to protecting your privacy and using your information only for the purposes described in this Privacy Policy.

We may share your information only in limited circumstances and only when necessary. When we do share your information, we take steps to ensure that it is protected and used only for the purposes we specify. We may share your information when required by law, court order, or governmental authority. This may include responding to subpoenas, court orders, or other legal processes, or cooperating with law enforcement investigations where required by law. When we receive such requests, we carefully review them to ensure they are legally valid and appropriately scoped, and we only disclose information that is necessary to comply with the request. We will notify you of such requests where legally permitted and not prohibited by law or court order.

We may share your information with trusted third-party service providers who assist in operating our Service, subject to strict confidentiality obligations. These service providers perform various functions on our behalf, including hosting, analytics, billing, content delivery, and error tracking. We carefully select service providers that have strong privacy and security practices, and we enter into contractual agreements with them that require them to protect your information and use it only for the purposes we specify. We regularly review our service providers' privacy and security practices to ensure that they continue to meet our standards.

We may share your information in connection with a merger, acquisition, or sale of assets, with notice to users. In such circumstances, your information may be transferred to the acquiring entity as part of the transaction. We will notify you of such transfers and provide you with information about how your information will be used by the acquiring entity. You may have the right to opt out of such transfers in certain circumstances, and we will inform you of your options when such transfers occur.

We may share your information when you have provided explicit consent for such sharing. This means that we will only share your information with third parties when you have specifically agreed to such sharing, and you can withdraw your consent at any time. When you provide consent for sharing, we will clearly explain what information will be shared, with whom it will be shared, and how it will be used, so you can make an informed decision about whether to provide consent.

9. Your Rights

Under GDPR and Australian privacy laws, you have the following rights regarding your personal information:

To exercise any of these rights, please contact us using the information provided in Section 16. We will respond to your request within 30 days.

10. Cookies and Local Storage

Our Service uses browser local storage (not traditional cookies) to store data locally on your device. Unlike traditional cookies, which are sent to servers with each request, local storage data remains on your device and is not automatically transmitted to our servers. This approach provides enhanced privacy and security for your data.

We use local storage to store your API credentials and authentication tokens locally on your device for tools that require them. These credentials are essential for authenticating with external services such as Canvas LMS, and storing them locally allows you to use our tools without re-entering your credentials every time. The credentials are stored securely in your browser's local storage, and we do not have access to them as they are never transmitted to our servers for local tools.

We use local storage to remember your preferences and settings, including tool configurations, export settings, theme preferences, language choices, and other customisations. This allows you to maintain your preferred settings across sessions, so you do not have to reconfigure your preferences every time you use our Service. These preferences are stored locally on your device and are not transmitted to our servers for local tools.

We use local storage to cache data for faster loading. This includes cached course lists, file metadata, and other data that helps our Service load faster on subsequent visits. Caching reduces the number of API calls made to external services, improving performance and reducing load on external servers. The cached data is stored locally on your device and is not transmitted to our servers.

We use local storage to maintain your session state, allowing our Service to remember your current state and provide a seamless user experience. This includes remembering which tools you were using, your current progress, and other session-related information. The session state is stored locally on your device and is cleared when you close your browser.

You can clear this data at any time through your browser settings or by using the "Clear Cache" function within our Service. Clearing this data will remove all locally stored data, including your API credentials, preferences, cached data, and session state. After clearing this data, you will need to re-enter your credentials and reconfigure your preferences. We recommend clearing this data periodically to maintain privacy and security, especially if you are using a shared or public device.

11. Data Retention

Since your credentials are stored locally in your browser, the retention of your data is primarily under your control. This local storage approach means that your data remains on your device and is not stored on our servers, giving you complete control over how long your data is retained.

Data stored in your browser's local storage persists until you clear your browser's local storage. This means that your API credentials, preferences, cached data, and other locally stored information will remain on your device until you explicitly clear it. You can clear this data at any time through your browser settings or through our Service's data management features. The persistence of this data allows you to use our Service without re-entering your credentials every time, but you maintain control over when and how this data is deleted.

For security purposes, credentials stored locally in your browser expire after 12 weeks of inactivity. At the end of this period, you will be prompted to re-enter your credentials to continue using tools that require authentication. This expiration policy helps protect your accounts by ensuring that credentials are not stored indefinitely, reducing the risk of unauthorised access if your device is compromised. The 12-week expiration period provides a balance between security and convenience, allowing you to use our Service without frequent re-authentication while still maintaining reasonable security practices.

You can manually clear all data at any time through the Service or browser settings. This includes clearing your API credentials, preferences, cached data, session state, and any other locally stored information. Clearing this data will require you to re-enter your credentials and reconfigure your preferences, but it provides you with complete control over your data and helps maintain privacy and security, especially when using shared or public devices.

We do not retain copies of your data on our servers for local tools. This means that once you clear your browser's local storage, your data is permanently deleted and cannot be recovered by us. For server-based tools, we retain data only as long as necessary to provide the Service and comply with applicable laws and regulations. We regularly review our data retention practices to ensure that we are not retaining data longer than necessary, and we delete data promptly when it is no longer needed.

12. International Data Transfers

For local tools, your data is stored locally in your browser and not transmitted to our servers, so there are no international data transfers of your credentials. Any data processing for local tools occurs directly in your browser or between your browser and external services, which may be located in various jurisdictions.

For tools that require server processing, we ensure appropriate safeguards are in place for any international transfers, in compliance with GDPR requirements. The data handling practices for each tool are clearly disclosed.

13. Children's Privacy

Our Service is not intended for individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.

14. User Responsibilities

You play a critical role in maintaining the security and privacy of your information when using our Service. While we implement comprehensive security measures to protect your data, you are responsible for taking appropriate steps to safeguard your information and use our Service responsibly.

You are responsible for maintaining the confidentiality of your API credentials, authentication tokens, and any account information. This includes not sharing your credentials with anyone, using strong and unique passwords, and keeping your credentials secure. If you suspect that your credentials have been compromised, you should change them immediately and review your account activity for any unauthorised access. You should also be cautious about phishing attempts and other social engineering attacks that may attempt to trick you into revealing your credentials.

You are responsible for ensuring you have proper authorisation to access and export data from third-party services. For example, when using the Canvas Exporter tool, you should only export data from Canvas LMS courses that you are enrolled in or have permission to access. Using our tools to access or export data that you are not authorised to access may violate applicable laws, regulations, or the terms of service of third-party platforms, and may result in legal consequences. We are not responsible for any unauthorised access or use of third-party services through our tools.

You are responsible for using our tools in compliance with applicable laws, regulations, and the terms of service of third-party platforms you connect to. This includes complying with copyright laws, data protection laws, and other applicable regulations. You should review the terms of service of third-party platforms before using our tools to connect to them, and you should ensure that your use of our tools complies with those terms. We are not responsible for any violations of laws, regulations, or terms of service that result from your use of our tools.

You are responsible for providing accurate information when using our tools and keeping your credentials up to date. This includes ensuring that your API credentials are current and valid, and that any information you provide to our tools is accurate and complete. Providing inaccurate information or using outdated credentials may result in errors or failures when using our tools, and we are not responsible for any consequences that result from inaccurate information or outdated credentials.

You are responsible for maintaining the security of your device and browser, including keeping software updated and using secure networks. This includes installing security updates promptly, using antivirus and anti-malware software, and avoiding public or unsecured networks when possible. You should also be cautious about accessing our Service on shared or public devices, and you should always log out of your account when using shared devices. Maintaining the security of your device and browser is essential for protecting your information and preventing unauthorised access.

You are responsible for backing up any important data before using tools that may modify or export data. While we take steps to ensure that our tools operate correctly and do not cause data loss, we cannot guarantee that data will not be lost or corrupted during use. Backing up important data before using our tools helps protect against data loss and ensures that you can recover your data if something goes wrong. We are not responsible for any data loss that results from your use of our tools.

We are not responsible for any unauthorised access to your accounts or data that results from your failure to maintain security of your credentials or device. While we implement comprehensive security measures to protect your information, you are responsible for taking appropriate steps to safeguard your credentials and device. If you fail to maintain security of your credentials or device, and this results in unauthorised access to your accounts or data, we are not liable for any consequences that result from such unauthorised access.

15. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal information based on specific legal bases that are recognised under European data protection law. These legal bases determine when and how we can lawfully process your personal information, and they provide you with certain rights regarding how your information is used. We are committed to processing your information only when we have a valid legal basis for doing so, and we will clearly explain the legal basis for any processing activities when required.

We process your personal information based on consent when you provide explicit consent for specific processing activities. This may include consent for analytics, marketing communications, or other optional processing activities. When we rely on consent, we will clearly explain what you are consenting to, and you can withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing that occurred before you withdrew your consent, but it may affect your ability to use certain features or services that require consent.

We process your personal information based on contract performance to perform our contract with you and provide the Service you request. This includes processing your information to authenticate your identity, manage your account, provide tool functionality, and deliver the services you have requested. This legal basis allows us to process your information as necessary to fulfil our contractual obligations to you, and it is essential for providing our Service effectively.

We process your personal information based on legitimate interests to improve our Service, ensure security, prevent fraud, and analyse usage patterns. Our legitimate interests include maintaining and improving the security and functionality of our Service, preventing fraud and abuse, understanding how our Service is used, and developing new features and tools. We carefully balance our legitimate interests against your rights and interests, and we only process your information based on legitimate interests when these interests are not overridden by your rights and interests.

We process your personal information based on legal obligations to comply with applicable laws and regulations. This may include processing your information to comply with data protection laws, financial services regulations, or other legal requirements. When we process your information based on legal obligations, we do so only to the extent necessary to comply with those obligations, and we will inform you of such processing when required by law.

You have the right to object to processing based on legitimate interests. If you object to such processing, we will stop processing your information based on legitimate interests unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims. For local tools, most processing occurs in your browser and does not involve our servers, which means that we have limited ability to process your information based on legitimate interests for local tools.

16. Contact Information

If you have questions, concerns, or wish to exercise your rights regarding this Privacy Policy, please contact us:

If you are located in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

If you are located in Australia and have concerns about how we handle your personal information, you may contact the Office of the Australian Information Commissioner (OAIC).

17. Data Breach Notification

In the unlikely event of a data breach that affects your personal information:

• We will investigate the breach immediately and take steps to contain and remediate it.
• We will notify affected users and relevant authorities as required by applicable law (typically within 72 hours under GDPR).
• We will provide information about the nature of the breach, what data was affected, and what steps we are taking.
• We will provide guidance on steps you can take to protect yourself.

For local tools, a data breach would primarily affect data stored in your browser, which is under your control. We cannot access this data, so breaches of local storage would typically result from security issues on your device.

18. Unlisted Tools and General Data Protection

This Privacy Policy covers all tools, features, and services available through Pan Tools, including but not limited to those explicitly mentioned in this document. For any tool, feature, or service not specifically detailed herein, the following general protections and principles apply:

18.1 General Data Protection Principles

• Data Minimisation: We collect and process only the minimum amount of personal data necessary for the tool to function effectively.
• Purpose Limitation: Data collected through any tool is used solely for the stated purpose of that tool and related service provision.
• Storage Limitation: Data is retained only for as long as necessary to fulfil the purposes outlined in this policy or as required by law.
• Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
• Integrity and Confidentiality: We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.
• Accountability: We are responsible for demonstrating compliance with all applicable privacy laws and regulations.

18.2 Default Data Handling for Unlisted Tools

Unless explicitly stated otherwise for a specific tool, the following default data handling practices apply:

• Local Processing Preferred: Where technically feasible, data processing occurs locally in your browser rather than on our servers.
• No Unnecessary Data Collection: We do not collect data beyond what is essential for tool functionality.
• Transparent Disclosure: Each tool will clearly indicate its data handling practices, including whether data is processed locally or on servers.
• User Control: You maintain control over your data and can delete or export it at any time where applicable.
• Third-Party Disclosure: We do not share your data with third parties except as explicitly disclosed in this policy or as required by law.

18.3 Future Tools and Services

As we develop and release new tools, features, or services:

• All new tools will be subject to the protections outlined in this Privacy Policy.
• Significant changes to data handling practices will be disclosed through updates to this policy.
• Tools requiring different data handling practices will have those practices clearly disclosed within the tool interface and in this policy.
• We will provide reasonable notice of any material changes to data handling practices.

19. Data Processing Agreements and Third-Party Contracts

We maintain formal agreements with all third-party service providers who process personal data on our behalf:

• Data Processing Agreements (DPAs): All third-party processors are bound by contractual obligations that require them to protect your data and use it only for the purposes we specify.
• GDPR Compliance: Where applicable, our agreements with processors include GDPR-compliant data processing clauses.
• Security Standards: Third-party processors must meet industry-standard security requirements and certifications (e.g., SOC 2, ISO 27001, PCI DSS where applicable).
• Sub-processors: We require processors to notify us of any sub-processors they engage, and we maintain oversight of the processing chain.
• Breach Notification: Processors are contractually obligated to notify us immediately of any data breaches affecting your information.
• Data Return and Deletion: Upon termination of services, processors must return or delete all personal data in accordance with our instructions.

20. Automated Decision-Making and Profiling

We do not currently use automated decision-making or profiling that produces legal effects or significantly affects you. However, should we implement such systems in the future:

• We will provide clear information about the logic involved and the significance and consequences of such processing.
• You will have the right to obtain human intervention, express your point of view, and contest any automated decision.
• We will implement appropriate safeguards to ensure your rights and freedoms are protected.
• Any automated decision-making will be disclosed in this policy and within the relevant tool interface.

21. Data Subject Access Requests (DSARs)

You have the right to request access to your personal data. To submit a Data Subject Access Request:

• How to Submit: Send your request to support@pan.tools with "Data Subject Access Request" in the subject line.
• Verification: We may require you to verify your identity before processing your request to protect your privacy and security.
• Response Time: We will respond to your request within 30 days, or within 90 days for complex requests, as permitted by law.
• Information Provided: We will provide you with: a copy of your personal data, the purposes of processing, the categories of data, recipients of your data, retention periods, and your rights regarding the data.
• Format: Data will be provided in a structured, commonly used, and machine-readable format where technically feasible.
• Fees: We do not charge fees for DSARs unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

22. Data Portability

Where applicable under GDPR, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller:

• Export Functionality: Many of our tools provide built-in export functionality (e.g., Canvas Exporter creates downloadable files).
• Request Format: You may request your data in JSON, CSV, or other standard formats where applicable.
• Scope: This right applies to personal data you have provided to us and which is processed by automated means based on your consent or contract performance.

23. Special Categories of Personal Data

We do not intentionally collect special categories of personal data (sensitive data) such as:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (except where required for KYC/AML verification through Didit)
• Health data
• Sex life or sexual orientation

If any tool inadvertently collects such data, or if you provide such data voluntarily, we will process it only with your explicit consent or as required by law, and we will apply additional safeguards as required by applicable regulations.

24. Cross-Border Data Transfers and Safeguards

For tools that require server processing, data may be transferred to and processed in countries outside your jurisdiction:

24.1 Transfer Mechanisms

• Adequacy Decisions: We may transfer data to countries with adequacy decisions from relevant authorities (e.g., EU adequacy decisions).
• Standard Contractual Clauses: For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by relevant authorities.
• Binding Corporate Rules: Where applicable, we may rely on binding corporate rules for intra-group transfers.
• Certification Schemes: We may use certification schemes or codes of conduct approved by relevant authorities.

24.2 Safeguards

Regardless of transfer mechanism, we implement additional safeguards:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security audits and assessments
• Data minimisation and purpose limitation
• Regular review of transfer mechanisms and safeguards

25. Liability and Limitations

While we implement comprehensive security measures, please note:

• No Absolute Security: No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
• Third-Party Services: We are not responsible for the privacy practices of third-party services you connect to through our tools (e.g., Canvas LMS, video platforms).
• User Responsibility: You are responsible for maintaining the security of your device, browser, and credentials.
• Unauthorised Access: We are not liable for unauthorised access resulting from your failure to maintain security of your credentials or device.
• Force Majeure: We are not liable for data breaches or privacy violations resulting from circumstances beyond our reasonable control.
• Limitation of Liability: To the maximum extent permitted by law, our liability for privacy-related claims is limited as set forth in our Terms of Service.

26. Dispute Resolution and Complaints

If you have concerns about how we handle your personal data:

26.1 Internal Complaints Process

• Contact us at support@pan.tools with details of your concern.
• We will investigate your complaint and respond within 30 days.
• We will work with you to resolve any issues to your satisfaction where possible.

26.2 Regulatory Complaints

• EU Residents: You may lodge a complaint with your local data protection authority (DPA) or the DPA in the member state where you reside, work, or where the alleged violation occurred.
• Australian Residents: You may contact the Office of the Australian Information Commissioner (OAIC) to lodge a complaint.
• Other Jurisdictions: You may contact the relevant privacy or data protection authority in your jurisdiction.

26.3 Alternative Dispute Resolution

We are committed to resolving disputes amicably. If internal resolution is not possible, we may participate in alternative dispute resolution processes as appropriate under applicable law.

27. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with:

• Primary Jurisdiction: The laws of Australia, where the operator is incorporated.
• Applicable Regulations: Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), GDPR (where applicable to EU residents), and other applicable privacy laws.
• Conflicts: In the event of conflicts between applicable laws, we will comply with the most restrictive requirements to ensure maximum protection of your privacy.
• Jurisdiction: Any disputes arising from this Privacy Policy will be subject to the exclusive jurisdiction of the courts of Australia, except where mandatory consumer protection laws require otherwise.

28. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed from this policy, and the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision.

29. Entire Agreement and Modifications

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and us regarding the collection, use, and protection of your personal information:

• No Oral Modifications: This policy may only be modified in writing as set forth in Section 30.
• Consent to Electronic Communications: By using our Service, you consent to receive privacy-related notices electronically.
• Language: This policy is provided in English. Any translations are for convenience only, and the English version shall prevail in case of conflicts.
• Waiver: Our failure to enforce any provision of this policy does not constitute a waiver of that provision or any other provision.

30. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date at the top of this policy
• Providing notice through our Service, where appropriate

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

31. Additional Security Measures and Best Practices

Beyond the measures already outlined, we implement additional security practices:

31.1 Technical Security Measures

• Regular Security Updates: We regularly update our systems, dependencies, and infrastructure to address security vulnerabilities.
• Vulnerability Management: We conduct regular vulnerability assessments and penetration testing.
• Network Security: We use firewalls, intrusion detection systems, and network segmentation to protect our infrastructure.
• Code Security: We follow secure coding practices and conduct code reviews to identify and remediate security issues.
• DDoS Protection: We implement measures to protect against distributed denial-of-service attacks.
• Backup and Recovery: We maintain regular backups and have disaster recovery procedures in place.

31.2 Organisational Security Measures

• Access Controls: We implement role-based access controls and principle of least privilege for all personnel.
• Employee Training: Our staff receive regular training on data protection and security best practices.
• Incident Response: We maintain an incident response plan to address security incidents promptly.
• Vendor Management: We assess and monitor third-party vendors for security compliance.
• Audit Logging: We maintain comprehensive logs of system access and data processing activities.

32. Data Accuracy and Quality Assurance

We take steps to ensure the accuracy and quality of personal data:

• Data Validation: We implement validation checks to ensure data accuracy at the point of collection.
• Regular Reviews: We periodically review and update personal data to ensure it remains accurate.
• User Updates: You can update your information through your account settings or by contacting us.
• Error Correction: We promptly correct any inaccuracies identified by you or through our processes.
• Data Quality Metrics: We monitor data quality metrics and take corrective action when issues are identified.

33. Research, Analytics, and Service Improvement

We may use aggregated, anonymised, or pseudonymised data for research and analytics purposes:

33.1 Anonymised Data

• Anonymisation: We may anonymise personal data by removing identifying information such that the data cannot be linked back to you.
• Use of Anonymised Data: Anonymised data may be used for statistical analysis, research, service improvement, and other purposes without restriction.
• No Re-identification: We take reasonable steps to ensure anonymised data cannot be re-identified.

33.2 Pseudonymised Data

• Pseudonymisation: We may pseudonymise data by replacing identifying information with pseudonyms.
• Additional Safeguards: Pseudonymised data is subject to additional technical and organisational measures to prevent re-identification.
• Limited Use: Pseudonymised data is used only for specified purposes and is not used to make decisions about you.

34. Marketing Communications and Opt-Out Rights

We respect your preferences regarding marketing communications:

• Opt-In Required: We will only send marketing communications if you have opted in or where permitted by law.
• Opt-Out Rights: You can opt out of marketing communications at any time by clicking unsubscribe links in emails or contacting us.
• Service Communications: We may send non-marketing service-related communications (e.g., account updates, security notices) which you cannot opt out of.
• Third-Party Marketing: We do not sell your data to third parties for their marketing purposes.
• Preference Management: You can manage your communication preferences through your account settings.

35. Records of Processing Activities

In accordance with GDPR requirements, we maintain records of our processing activities, including:

• Processing Purposes: Detailed records of why we process personal data.
• Data Categories: Records of the categories of personal data we process.
• Data Subjects: Records of the categories of data subjects whose data we process.
• Recipients: Records of recipients of personal data, including third parties.
• Transfers: Records of international data transfers and safeguards used.
• Retention Periods: Records of data retention periods and deletion schedules.
• Security Measures: Records of technical and organisational security measures implemented.

These records are maintained for accountability and compliance purposes and may be made available to supervisory authorities upon request.

36. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments for processing activities that are likely to result in high risk to your rights and freedoms:

• When Required: DPIAs are conducted before implementing new processing operations that may pose high risks.
• Assessment Process: DPIAs evaluate the necessity, proportionality, and risks of processing, and identify measures to mitigate risks.
• Consultation: Where required, we consult with supervisory authorities before implementing high-risk processing.
• Ongoing Review: We review and update DPIAs as processing activities evolve.

37. Consent Management and Withdrawal

Where we process your data based on consent:

37.1 Consent Requirements

• Freely Given: Consent is obtained without coercion or negative consequences for refusal.
• Specific: Consent is requested for specific processing purposes.
• Informed: You are provided with clear information about what you are consenting to.
• Unambiguous: Consent is given through clear affirmative action.
• Withdrawable: You can withdraw consent at any time as easily as you gave it.

37.2 Withdrawal of Consent

• How to Withdraw: You can withdraw consent through your account settings, by contacting us, or through tool-specific controls.
• Effect of Withdrawal: Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
• Consequences: Withdrawing consent may affect your ability to use certain features or tools that require consent-based processing.
• Alternative Bases: Where possible, we may continue processing based on alternative legal bases (e.g., contract performance, legitimate interests).

38. Data Breach Detection and Response Procedures

We have comprehensive procedures for detecting, assessing, and responding to data breaches:

38.1 Breach Detection

• Monitoring Systems: We use automated systems to monitor for suspicious activities and potential breaches.
• Log Analysis: We regularly analyse system logs for indicators of unauthorised access.
• User Reports: We encourage users to report suspected security incidents.
• Third-Party Notifications: We receive notifications from service providers about potential security issues.

38.2 Breach Assessment

• Immediate Assessment: Upon detection, we immediately assess the nature, scope, and severity of the breach.
• Risk Evaluation: We evaluate the risk to your rights and freedoms.
• Data Impact Analysis: We determine what data was affected and the potential consequences.
• Containment Assessment: We assess whether the breach has been contained or is ongoing.

38.3 Breach Response

• Containment: We take immediate steps to contain the breach and prevent further unauthorised access.
• Remediation: We address vulnerabilities and implement additional security measures.
• Notification: We notify affected users and supervisory authorities as required by law (typically within 72 hours under GDPR).
• Documentation: We document all aspects of the breach and our response for compliance and improvement purposes.
• Post-Incident Review: We conduct reviews to identify lessons learned and improve our security posture.

39. Privacy by Design and by Default

We implement privacy by design and privacy by default principles in all our tools and services:

39.1 Privacy by Design

• Proactive Approach: Privacy considerations are integrated into the design and architecture of all tools from the outset.
• Data Minimisation: Tools are designed to collect and process only necessary data.
• Functionality with Privacy: Privacy features are built into tools rather than added as afterthoughts.
• End-to-End Security: Security measures are implemented throughout the entire data lifecycle.
• Visibility and Transparency: Tools provide clear information about data processing activities.
• Respect for User Privacy: User privacy is respected as the default setting.

39.2 Privacy by Default

• Maximum Privacy Settings: Tools default to the most privacy-protective settings.
• Opt-In for Sharing: Data sharing with third parties requires explicit opt-in.
• Minimal Data Collection: Only essential data is collected by default.
• Local Processing Default: Where possible, tools default to local processing rather than server processing.
• User Control: Users have easy access to privacy controls and can adjust settings to their preferences.

40. Compliance, Certifications, and Audits

We maintain compliance with applicable privacy laws and regulations:

40.1 Regulatory Compliance

• GDPR Compliance: We comply with the General Data Protection Regulation (EU) 2016/679 for EU residents.
• Australian Privacy Principles: We comply with the APPs under the Privacy Act 1988 (Cth).
• Other Jurisdictions: We comply with applicable privacy laws in all jurisdictions where we operate.
• Industry Standards: We follow industry best practices and standards for data protection.

40.2 Internal Audits and Reviews

• Regular Audits: We conduct regular internal audits of our data processing activities and security measures.
• Compliance Reviews: We periodically review our compliance with applicable privacy laws and regulations.
• Policy Updates: We update our policies and procedures to reflect changes in law and best practices.
• Training Programs: We provide ongoing training to staff on privacy compliance and data protection.

40.3 External Assessments

• Third-Party Audits: We may engage third-party auditors to assess our privacy and security practices.
• Regulatory Cooperation: We cooperate with supervisory authorities and respond to their inquiries.
• Certification Programs: We may pursue relevant privacy and security certifications where applicable.

41. Intellectual Property and Data Ownership

Regarding ownership and intellectual property rights:

• Your Data: You retain ownership of your personal data and content. We do not claim ownership of your data.
• Service Data: Aggregated, anonymised, or statistical data derived from your data may be used by us for service improvement and analytics.
• Intellectual Property: Our Service, including tools, software, and documentation, is protected by intellectual property laws and remains our property.
• User-Generated Content: Content you create or upload through our tools remains yours, subject to any licenses you grant us for service provision.
• Export Rights: You have the right to export your data at any time, and we provide tools to facilitate this.

42. No Waiver of Rights

Nothing in this Privacy Policy constitutes a waiver of any of your rights under applicable privacy laws. You retain all rights granted to you by law, including but not limited to rights under GDPR, the Australian Privacy Act, and other applicable regulations. Our failure to exercise or enforce any right or provision of this policy does not constitute a waiver of such right or provision. Any waiver of any provision of this policy must be in writing and signed by an authorised representative of the operator.

43. Assignment and Business Transfers

In the event of a business transfer, merger, acquisition, or sale of assets:

• Notice Requirement: We will provide notice to users before any transfer of personal data as part of a business transaction.
• Successor Obligations: The acquiring entity will be bound by this Privacy Policy and applicable privacy laws.
• Your Rights: You will have the right to object to the transfer of your data or to request deletion before the transfer, where permitted by law.
• Continuity: We will take steps to ensure continuity of privacy protections during and after any transfer.
• Policy Updates: The Privacy Policy will be updated to reflect any changes in ownership or control.

44. Force Majeure and Unforeseen Circumstances

We are not liable for any failure to perform our obligations under this Privacy Policy due to circumstances beyond our reasonable control, including but not limited to: natural disasters, war, terrorism, pandemics, government actions, labour disputes, internet failures, cyberattacks by third parties, or other force majeure events. In such circumstances, we will take reasonable steps to mitigate the impact on your privacy and resume normal operations as soon as practicable. However, we will continue to comply with applicable privacy laws to the extent possible under the circumstances.

45. Interpretation and Definitions

For the purposes of this Privacy Policy:

45.1 Key Definitions

• Personal Data/Personal Information: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• Controller: The entity that determines the purposes and means of processing personal data (the operator).
• Processor: An entity that processes personal data on behalf of the controller.
• Data Subject: The natural person to whom personal data relates (you).
• Consent: Freely given, specific, informed, and unambiguous agreement to processing.
• Anonymisation: Processing personal data to remove identifying information such that the data cannot be linked to an individual.
• Pseudonymisation: Processing personal data to replace identifying information with pseudonyms.

45.2 Interpretation Rules

• Headings are for convenience only and do not affect interpretation.
• References to "including" are not exhaustive and mean "including without limitation."
• References to laws and regulations include amendments, replacements, and successor legislation.
• References to "we," "us," or "our" refer to the operator of the Service.
• References to "you" or "your" refer to the user of our Service.

46. Designated Privacy Contact

For all privacy-related matters, including requests to exercise your rights, complaints, or questions about this Privacy Policy: