Privacy Policy

Last updated: February 2026

1. About Client Culture and this policy

Client Culture Pty Ltd (ABN 88 619 177 132) (“Client Culture”, “we”, “us”, “our”) provides client and employee experience measurement and analytics services to business customers worldwide. This Privacy Policy explains how we collect, use, disclose and protect personal information (also called personal data) when we act as either data controller or data processor/service provider across:

  • Australia — under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
  • United Kingdom — under the Data Protection Act 2018 and UK GDPR
  • European Economic Area (EEA) — under the EU General Data Protection Regulation (GDPR)

This policy applies to our websites, SaaS platform, professional services and marketing activities. Local addenda in Section 17 set out country-specific rights and obligations.

2. Key definitions

  • “Personal information / personal data” — information about an identified or reasonably identifiable individual.
  • “Processing” — any operation performed on personal data such as collection, storage, use or disclosure.
  • “Controller” — the entity that determines the purposes and means of processing.
  • “Processor / Service Provider” — the entity that processes personal data on behalf of a controller.

3. What we collect

Category | Examples | Source
Identity & contact data | Name, title, role, business email, phone | Client upload; survey respondent entry; website forms
Interaction data | Survey scores and free-text feedback; support tickets | Respondent; end-user device
Technical data | IP address, device ID, browser type, cookies, log files | Automatically via cookies & SDK
Usage analytics | Page views, click-stream, session metadata | Cookies; analytics tools
Business profile | Company name, industry segment, relationship tier | Client upload; CRM sync
Regulatory IDs (AU only) | ABN/ACN of enterprise contacts | Public registers or client upload

We do not intentionally collect special-category or sensitive information unless a client instructs us and appropriate safeguards are in place.

4. How and why we process personal data

Purpose | Legal basis (UK/EU) | APP compliance
Deliver SaaS platform & surveys | Contract performance (Art 6-1-b) | APP 3, 6
Improve and secure our services | Legitimate interests (Art 6-1-f) | APP 11
Marketing our products to B2B prospects | Consent or legitimate interests | APP 7 (opt-out)
Legal & compliance, fraud prevention | Legal obligation (Art 6-1-c) | APP 6, 11

Where we rely on legitimate interests, we have conducted balancing tests to ensure your interests and fundamental rights are not overridden.

5. AI processing and data minimisation

Where AI is used to analyse survey feedback, we apply our EphemeralAI™ privacy framework:

  • Personal identifiers are detected and anonymised before AI processing
  • AI providers (OpenAI, Anthropic) never receive your name, email, or other identifying details
  • AI-generated insights are based on anonymised, aggregated data
  • Raw verbatim feedback is retained only for the period configured by your firm, then permanently deleted

6. Disclosure to third parties

We only share personal data:

  • Within Client Culture on a need-to-know basis and under intra-group data-sharing agreements
  • With authorised sub-processors bound by written contracts that meet Art 28 GDPR and APP 8 requirements, including:
    • Vercel — hosting and infrastructure
    • Resend — transactional email delivery
    • OpenAI / Anthropic — AI analysis (anonymised data only, via EphemeralAI™)
    • Neon (PostgreSQL) — database hosting
  • With business customers (our clients) when we act as their processor, transmitting respondent feedback to them
  • With regulators, courts or law enforcement where required by law

We do not sell personal information.

7. International transfers

We host data in Australia. If we must transfer personal data internationally we use one or more of:

  • European Commission Standard Contractual Clauses (2021) with the UK International Data-Transfer Addendum
  • The EU–US Data Privacy Framework (or its successor) for transfers to certified US vendors
  • Partner or supplier adequacy decisions recognised by the European Commission or UK ICO

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or to comply with legal obligations. Client survey data is retained for four (4) years, only so long as you remain an active customer of our client (your professional services provider). Beyond this period we take the view that the balance is in favour of removing your data.

Firms can also configure shorter retention periods to suit their data governance requirements. Verbatim feedback can be set to delete automatically after a period chosen by the firm. After the configured period, verbatim feedback is permanently deleted. Aggregated, non-identifying statistics (such as NPS scores and trend data) may be retained for longer to support historical reporting.

If you cease to be an active customer of our client, your data will be deleted. In addition, we will delete your data within two weeks of receiving your request to delete it. Archived and backup copies are securely destroyed within 90 days thereafter.

9. Security measures

We maintain technical and organisational security aligned with ISO 27001/SOC 2 controls, including:

  • TLS 1.2+ encryption in transit and AES-256 at rest
  • Role-based access control and MFA for staff
  • Annual penetration testing and independent audits
  • 24×7 infrastructure monitoring and incident-response plan

10. Cookies and similar technologies

Our websites and platform use cookies, SDKs and pixels to:

  • authenticate users
  • remember preferences
  • analyse traffic
  • deliver relevant B2B advertising

You can manage cookies through your browser settings.

11. Your privacy rights

EU / UK (GDPR)

Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to your data protection authority.

Australia (APPs)

Access, correction, anonymity / pseudonymity, complaint to the OAIC.

To exercise any right, email privacy@clientculture.com. We respond within 30 days (21 days for APP access requests).

12. Children

Our services are directed to business users. We do not knowingly collect data from anyone under 16 years of age.

13. Automated decision-making

We do not use personal data for solely automated decisions that have legal or similarly significant effects.

14. Links to other sites

This policy does not cover third-party sites linked from our platform. Please review their privacy notices.

15. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or platform banner and posted on our website with a revised “last updated” date.

16. Contact and complaints

Privacy Officer / Data Protection Officer
Client Culture Pty Ltd
Email: privacy@clientculture.com

If you believe we have not resolved your concern, you may contact:

  • Office of the Australian Information Commissioner (OAIC) oaic.gov.au
  • UK Information Commissioner’s Office (ICO) ico.org.uk
  • Your local EU supervisory authority ec.europa.eu

17. Regional addenda

17.1 Australia

  • We comply with the APPs and Notifiable Data Breaches (NDB) scheme. Eligible data breaches will be notified to affected individuals and the OAIC within 30 days.
  • You may request to remain anonymous or use a pseudonym where practicable.

17.2 European Economic Area & Switzerland

  • Data-protection impact assessments (DPIAs) are conducted for high-risk processing.
  • Cross-border transfers rely on SCCs, adequacy decisions or appropriate safeguards.
  • You have the right to lodge a complaint with your Member-State supervisory authority.

17.3 United Kingdom

  • Transfers from the UK follow the UK International Data-Transfer Addendum.
  • Individuals may complain to the ICO (see Section 16).
