Privacy Policy

Last updated: 28 April 2026

1. About Client Culture and this policy

Client Culture Pty Ltd (ABN 88 619 177 132) (“Client Culture”, “we”, “us”, “our”) provides client and employee experience measurement and analytics services to business customers worldwide. This Privacy Policy explains how we collect, use, disclose and protect personal information (also called personal data) when we act as either data controller or data processor/service provider across:

Australia — under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
United Kingdom — under the Data Protection Act 2018 and UK GDPR
European Economic Area (EEA) — under the EU General Data Protection Regulation (GDPR)

This policy applies to our websites, SaaS platform, professional services and marketing activities. Local addenda in Section 17 set out country-specific rights and obligations.

2. Key definitions

“Personal information / personal data” — information about an identified or reasonably identifiable individual.
“Processing” — any operation performed on personal data such as collection, storage, use or disclosure.
“Controller” — the entity that determines the purposes and means of processing.
“Processor / Service Provider” — the entity that processes personal data on behalf of a controller.

3. What we collect

Category	Examples	Source
Identity & contact data	Name, title, role, business email, phone	Client upload; survey respondent entry; website forms
Interaction data	Survey scores and free-text feedback; support tickets	Respondent; end-user device
Technical data	IP address, device ID, browser type, cookies, log files	Automatically via cookies & SDK
Usage analytics	Page views, click-stream, session metadata	Cookies; analytics tools
Business profile	Company name, industry segment, relationship tier	Client upload; CRM sync
Regulatory IDs (AU only)	ABN/ACN of enterprise contacts	Public registers or client upload

We do not intentionally collect special-category or sensitive information unless a client instructs us and appropriate safeguards are in place.

4. How and why we process personal data

Purpose	Legal basis (UK/EU)	APP compliance
Deliver SaaS platform & surveys	Contract performance (Art 6-1-b)	APP 3, 6
Improve and secure our services	Legitimate interests (Art 6-1-f)	APP 11
Marketing our products to B2B prospects	Consent or legitimate interests	APP 7 (opt-out)
Legal & compliance, fraud prevention	Legal obligation (Art 6-1-c)	APP 6, 11

Where we rely on legitimate interests, we have conducted balancing tests to ensure your interests and fundamental rights are not overridden.

5. AI processing and data minimisation

Most of our platform uses no third-party AI at all. Dashboards, trend charts, NPS benchmarks and longitudinal reports run on structured data we hold ourselves.

EphemeralAI™ is our trademark for AI processing that strips personal identifiers before any model call. We hold this approach in reserve for future features where it is practical.

Custom Reports — the one live AI feature

AI assists with early-stage drafting tasks only — surfacing relevant quotes from verbatim feedback, providing starting data points for charts, and producing rough first-draft text. Aggregate scores, loyalty driver selections and verbatim feedback are sent to Anthropic under their enterprise data processing agreement. Anthropic is contractually prohibited from training their models on this submitted data, and all transmission is encrypted. The analytical content of every report — themes, interpretations, recommendations — is developed and finalised by Client Culture analysts. AI output is a starting input that accelerates drafting; it is not the deliverable.

Custom Reports does not use EphemeralAI™ processing. Full anonymisation isn't compatible with the analytical task — themes drawn from verbatims need the verbatims, not redacted approximations — so Custom Reports relies on Anthropic's enterprise DPA's anti-training and confidentiality protections rather than EphemeralAI processing.

Verbatim feedback is retained only for the period configured by your firm, then permanently deleted. Aggregate structured data (scores, driver selections, response metadata) persists for trend analysis and contains no free-text content.

6. Disclosure to third parties

We only share personal data:

Within Client Culture on a need-to-know basis and under intra-group data-sharing agreements
With authorised sub-processors bound by written contracts that meet Art 28 GDPR and APP 8 requirements:
- Vercel — application hosting and edge network (Singapore)
- Prisma Postgres — database hosting (Singapore)
- Resend — transactional and survey email delivery (Tokyo, Japan)
- Anthropic, PBC — AI assistance for custom report drafting (US) — operator-triggered, see Section 5
- Google Australia Pty Limited — Google Workspace for custom report preparation (global Google data centres)
Vercel, Prisma Postgres and Resend all operate on Amazon Web Services infrastructure.
With business customers (our clients) when we act as their processor, transmitting respondent feedback to them
With regulators, courts or law enforcement where required by law

We do not sell personal information.

7. International transfers

We host customer data in Asia-Pacific (Singapore and Tokyo). The only US-based sub-processor in our platform stack is Anthropic, which receives data transiently for Custom Reports drafting (see Section 5). Google Workspace, used for custom report preparation, is contracted via Google Australia Pty Limited but processes data on Google's global infrastructure. For any international transfer of personal data, we rely on one or more of:

European Commission Standard Contractual Clauses (2021) with the UK International Data-Transfer Addendum
The EU–US Data Privacy Framework (or its successor) for transfers to certified US vendors
Partner or supplier adequacy decisions recognised by the European Commission or UK ICO

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or to comply with legal obligations. Client survey data is retained for four (4) years, only so long as you remain an active customer of our client (your professional services provider). Beyond this period we take the view that the balance is in favour of removing your data.

Firms can also configure shorter retention periods to suit their data governance requirements. Verbatim feedback can be set to delete automatically after a period chosen by the firm. After the configured period, verbatim feedback is permanently deleted. Aggregated, non-identifying statistics (such as NPS scores and trend data) may be retained for longer to support historical reporting.

If you cease to be an active customer of our client, your data will be deleted. Additionally we will delete your data within two weeks of receiving a request by you to delete your data. Archived and backup copies are securely destroyed within 90 days thereafter.

9. Security measures

We maintain technical and organisational security aligned with ISO 27001 and SOC 2 control objectives, including:

TLS 1.2+ encryption in transit (including outbound email) and AES-256 at rest
Enterprise Single Sign-On via Microsoft Entra ID with per-firm tenant configuration; multi-factor authentication enforced upstream by the identity provider
Role-based access control with office, team and division scoping
Audit logging of administrative and impersonation actions
Automated bot and spam protection on survey submissions
Continuous infrastructure health checks and a documented incident-response policy

A full security overview is available at clientculture.com/security.

10. Cookies and similar technologies

Our websites and platform use cookies, SDKs and pixels to:

authenticate users
remember preferences
analyse traffic
deliver relevant B2B advertising

You can manage cookies through your browser settings.

11. Your privacy rights

EU / UK (GDPR)

Access, rectification, erasure, restriction, portability, object, withdraw consent, complaint to your data protection authority.

Australia (APPs)

Access, correction, anonymity / pseudonymity, complaint to the OAIC.

To exercise any right, email privacy@clientculture.com. We respond within 30 days (21 days for APP access requests).

12. Children

Our services are directed to business users. We do not knowingly collect data from anyone under 16 years of age.

13. Automated decision-making

We do not use personal data for solely automated decisions that have legal or similarly significant effects.

14. Links to other sites

This policy does not cover third-party sites linked from our platform. Please review their privacy notices.

15. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or platform banner and posted on our website with a revised “last updated” date.

16. Contact and complaints

Privacy Officer / Data Protection Officer
Client Culture Pty Ltd
Email: privacy@clientculture.com

If you believe we have not resolved your concern, you may contact:

Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
UK Information Commissioner’s Office (ICO) — ico.org.uk
Your local EU supervisory authority — ec.europa.eu

17. Regional addenda

17.1 Australia

We comply with the APPs and Notifiable Data Breaches (NDB) scheme. Eligible data breaches will be notified to affected individuals and the OAIC within 30 days.
You may request to remain anonymous or use a pseudonym where practicable.

17.2 European Economic Area & Switzerland

Data-protection impact assessments (DPIAs) are conducted for high-risk processing.
Cross-border transfers rely on SCCs, adequacy decisions or appropriate safeguards.
You have the right to lodge a complaint with your Member-State supervisory authority.

17.3 United Kingdom

Transfers from the UK follow the UK International Data-Transfer Addendum.
Individuals may complain to the ICO (see Section 16).

Client Culture — independent quality assurance for professional services