Privacy Policy

Holistic Governance ("we", "us", "our") is committed to protecting your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

1. Information We Collect

Category	Data Collected	How
Governance enquiries	Organisation name, contact name, email, phone, governance challenge, accreditation status	Website enquiry form
Proposals	Client name, email, proposal content, engagement notes	Created by Holistic Governance during engagement
Newsletter	Email address	Newsletter sign-up form
Booking	Name, email (provided to Calendly)	Kickoff meeting booking

2. How We Use Your Information

• To prepare and deliver governance proposals and consultancy services
• To communicate with you about your enquiry or engagement
• To send newsletters you have opted into
• To schedule meetings and kickoff calls

We do not sell, rent, or trade your personal information to third parties.

3. How We Store and Protect Your Data

Measure	Detail
Encryption at rest	Google Cloud default encryption (AES-256)
Encryption in transit	TLS 1.2+ with HSTS
Data location	Sydney, Australia (australia-southeast1)
Access control	Authenticated administrator access only
Input validation	Server-side sanitisation, Content Security Policy, rate limiting
Log redaction	Personal information is masked in all server logs

4. Data Retention

Data Type	Retention Period
Governance enquiries	12 months from submission
Proposals (active)	24 months from last update
Proposals (accepted — frozen copy)	7 years from acceptance, or as required by law, for contractual and legal record-keeping purposes
Proposals (declined/archived)	6 months after status change
Newsletter subscribers	Until you unsubscribe, or 24 months of inactivity

When a proposal is accepted, a protected read-only copy is stored as a permanent record of the agreed terms. This snapshot cannot be edited after acceptance.

After the retention period, your data is reviewed and deleted unless there is a legal or contractual reason to retain it.

5. Third-Party Services

Service	Purpose	Data Shared
Google Cloud (Firestore)	Data storage	All collected data (encrypted, stored in Australia)
Resend	Email delivery	Recipient email, email content
Calendly	Meeting scheduling	Only a link — you provide your details directly to Calendly
Google Analytics	Website usage insights	Anonymised browsing data (IP anonymisation enabled)

Each service operates under its own privacy policy. We encourage you to review them.

6. Cookies

Our main website uses Google Analytics cookies to understand how visitors use the site. These cookies collect anonymised data only.

Our proposal management system uses a single session cookie for administrator authentication. This cookie contains no personal information, is HttpOnly and Secure, and expires after 7 days or on logout.

We do not use advertising or tracking cookies beyond Google Analytics.

7. Your Rights

Under the Australian Privacy Act, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information
• Withdraw consent (e.g. unsubscribe from newsletters)
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

8. Data Breach Response

In the event of a data breach that is likely to result in serious harm, we will:

• Notify affected individuals as soon as practicable
• Notify the OAIC within 30 days as required under the Notifiable Data Breaches scheme
• Take immediate steps to contain and remediate the breach

9. Contact

We will respond to all privacy-related requests within 30 days.

10. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of our services after changes constitutes acceptance of the updated policy.