Privacy and Data Management Policy
Effective Date: 11 February 2026 · Document Ref: HHQ-POL-PRIV-001
ABN 34 689 167 477 · ACN 689 167 477
Privacy and
Data Management Policy
Comprehensive framework for the collection, use, protection, and governance of personal and organisational data
Effective Date: 11 February 2026
Document Reference: HHQ-POL-PRIV-001
Classification: PUBLIC
Review Cycle: Annual (or upon material change)
1. Introduction and Scope
1.1 About This Policy
Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477) (Handover HQ, we, us, or our) operates the handoverhq.com and handoverhq.ai websites and the Handover HQ AI-powered employee knowledge capture and transfer platform (collectively, the Service). This Privacy and Data Management Policy (Policy) sets out how we collect, use, disclose, store, protect, and govern personal information and organisational data when you visit our website, register for a free trial, or use our Service.
This Policy is designed to meet the requirements of, and to ensure compliance with, the following legislation and frameworks:
1.2 Scope
This Policy applies to all personal information and organisational data processed by Handover HQ, regardless of the medium or format in which it is held. It covers data relating to:
1.3 Consent and Acceptance
By accessing or using the Service, including by registering for a free trial, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Policy. If you do not agree with this Policy, please do not access or use the Service.
Where you submit personal information of third parties (such as departing employees) through the Service, you represent and warrant that you have obtained all necessary consents and authorisations under applicable law prior to submission.
2. Key Definitions
In this Policy, the following terms have the meanings set out below:
| Term | Meaning |
|---|---|
| Personal Information / Personal Data | Information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth), the GDPR, and other applicable Data Protection Laws. |
| Sensitive Information / Special Category Data | A subset of Personal Data afforded heightened protection, including health information and information revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership. |
| Data Controller | The party that determines the purposes and means of processing Personal Data. For Handover Content, the subscribing organisation is the Controller. |
| Data Processor | The party that processes Personal Data on behalf of the Controller. Handover HQ acts as Processor for Handover Content. |
| Data Subject | The individual to whom Personal Data relates, such as an account user or a departing employee. |
| Handover Content | All information submitted during the employee knowledge capture and transfer process, including questionnaire responses, uploaded documents, voice interview recordings and transcriptions, and AI-generated outputs. |
| Processing | Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, restriction, erasure, or destruction. |
| Sub-processor | A third party engaged by Handover HQ to process Personal Data on our behalf. |
| Anonymisation | Irreversible de-identification such that data can no longer be linked to a specific individual. |
| Pseudonymisation | Processing such that data can no longer be attributed to a specific individual without additional information held separately and securely. |
3. Data Governance Framework
3.1 Governance Structure and Accountability
Handover HQ maintains a data governance framework that assigns clear accountability for the protection and management of personal information. Ultimate accountability for data protection rests with the Handover HQ Board of Directors, with day-to-day responsibility delegated as follows:
3.2 Privacy by Design and Default
Handover HQ embeds privacy into the design and architecture of our Service from the outset, in accordance with Article 25 of the GDPR and consistent with APP 1.2. This means:
3.3 Data Protection Impact Assessments (DPIAs)
We conduct Data Protection Impact Assessments in accordance with Article 35 of the GDPR before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:
DPIAs are documented, reviewed by the Privacy Officer, and retained as part of our compliance records. Where a DPIA identifies residual high risks that cannot be mitigated, we will consult with the relevant supervisory authority before proceeding.
4. Data Classification
All data processed by Handover HQ is classified according to the following framework. Classification determines the security controls, access restrictions, retention policies, and handling procedures applied to the data:
| Classification | Description | Examples | Handling Controls |
|---|---|---|---|
| Restricted | Highly sensitive data whose unauthorised disclosure would cause serious harm. | Sensitive Information, voice interview recordings, authentication credentials, encryption keys. | AES-256 encryption, strict role-based access, MFA, full audit logging, need-to-know access only. |
| Confidential | Customer Personal Data and Handover Content. | Questionnaire responses, transcripts, employee identity and employment data. | Encryption at rest and in transit, RBAC, tenant isolation, access logging. |
| Internal | Non-public operational data. | Aggregated analytics, internal documentation, system configuration. | Access limited to authorised personnel; not for external disclosure. |
| Public | Information approved for public release. | Marketing content, published policies, this document. | No access restrictions. |
All personnel with access to Confidential or Internal data are required to handle such data in accordance with the controls specified for its classification level. Mishandling of classified data is a disciplinary matter.
5. Information We Collect
5.1 Information You Provide to Us
We collect information that you voluntarily provide when you register for an account, sign up for the Free Trial, subscribe to a paid plan, use the Service, or contact us. This includes:
5.2 Information We Collect Automatically
When you access or use our Service (including during the Free Trial), we automatically collect:
5.3 Information from Third Parties
We may receive information about you from third-party sources, including identity verification services, fraud prevention services, analytics providers, public databases, and integration partners where you have connected Handover HQ with other workplace tools.
5.4 Sensitive Information
In the course of processing Handover Content, we may process information that constitutes Sensitive Information under the Privacy Act 1988 or Special Category Data under the GDPR. This may include health-related disclosures made during exit interviews, information revealing racial or ethnic origin, or trade union membership. We process Sensitive Information only where: (a) you or the data subject has provided explicit consent; (b) processing is necessary for compliance with employment law obligations; or (c) another lawful basis under applicable law applies. We apply heightened security controls to all Sensitive Information in accordance with our data classification framework.
6. Lawful Bases for Processing
6.1 Processing Activity Mapping
In accordance with GDPR Article 6 and the accountability principle, we document the lawful basis for each category of processing we undertake. The following table summarises our primary processing activities and their corresponding legal bases:
| Processing Activity | Lawful Basis (GDPR) | Australian Privacy Act Basis |
|---|---|---|
| Account creation and administration | Performance of a contract (Art. 6(1)(b)) | APP 3 — collection necessary for our functions |
| Processing Handover Content for customers | Processing on the Controller’s documented instructions; the Controller’s own lawful basis applies (Art. 28) | APP 6 — use for the primary purpose |
| Billing and payments | Performance of a contract (Art. 6(1)(b)); legal obligation for financial records (Art. 6(1)(c)) | APP 3 / APP 6 |
| Security, fraud and abuse prevention | Legitimate interests (Art. 6(1)(f)) | APP 6 — use reasonably necessary for a related purpose |
| Product improvement (aggregated and anonymised only) | Legitimate interests (Art. 6(1)(f)) | APP 6 — de-identified data |
| Marketing communications | Consent (Art. 6(1)(a)) | APP 7 — direct marketing with consent |
| Legal compliance and responding to authorities | Legal obligation (Art. 6(1)(c)) | APP 6 — use required or authorised by law |
6.2 Legitimate Interests Assessment
Where we rely on legitimate interests as a lawful basis, we have conducted a Legitimate Interests Assessment (LIA) to ensure that our interests are not overridden by the rights and freedoms of data subjects. Our LIAs consider the nature of the processing, the reasonable expectations of data subjects, the potential impact on individuals, and any safeguards we can put in place. LIA records are maintained by the Privacy Officer and are available to supervisory authorities upon request.
6.3 Consent Management
Where consent is the lawful basis for processing, we ensure that consent is freely given, specific, informed, and unambiguous. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal. We maintain records of consent including the date, method, and scope of consent given.
7. Purpose Limitation and Data Minimisation
7.1 Purpose Limitation
Personal information is collected only for specified, explicit, and legitimate purposes as set out in this Policy. We do not process personal information in a manner incompatible with those purposes unless: (a) we have obtained your further consent; (b) processing is required by law; or (c) further processing is compatible with the original purpose, as assessed in accordance with GDPR Article 6(4).
7.2 Data Minimisation
We collect only the personal information that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Specifically:
8. How We Use Your Information
We use the information we collect for the following purposes:
9. AI-Specific Data Processing
9.1 How AI Processes Your Data
Handover HQ uses artificial intelligence to deliver core Service features including automated summarisation, sentiment analysis, quality scoring, intelligent knowledge extraction, and voice interview transcription and analysis. When you submit Handover Content, it is processed as follows:
9.2 Automated Decision-Making and Profiling
In accordance with GDPR Article 22 and the Australian Privacy Principles, we disclose the following regarding automated decision-making:
The Service does not make automated decisions that produce legal effects or similarly significant effects on individuals without human involvement. AI-generated Outputs (such as quality scores and sentiment analysis) are provided as informational tools to support human decision-making, not as determinative assessments. Subscribing organisations are responsible for ensuring that no employment decisions are made solely on the basis of automated processing.
You have the right to: (a) request information about the logic involved in any automated processing; (b) express your point of view; and (c) contest any decision that significantly affects you. These rights can be exercised by contacting our Privacy Officer.
9.3 Third-Party AI Providers
We currently use the following third-party AI providers to deliver intelligent features: OpenAI (GPT-4o and GPT-4o-mini) for interview evaluation, summarisation, and sentiment analysis; and ElevenLabs for text-to-speech in the voice interview. These providers process your data transiently to generate outputs, do not retain it beyond the processing session, and do not use it to train their models, in accordance with our Data Processing Agreements. A full, current list of all providers is maintained in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). All providers are subject to Data Processing Agreements requiring equivalent data protection standards.
10. How We Share Your Information
We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:
11. Third-Party and Sub-Processor Management
We maintain a rigorous framework for managing third-party service providers and sub-processors who handle personal data on our behalf:
11.1 Due Diligence
11.2 Contractual Safeguards
11.3 Ongoing Monitoring
Our full Sub-processor Register is published at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). Customers may subscribe to advance notice of sub-processor changes by emailing privacy@handoverhq.com / privacy@handoverhq.ai.
12. International Data Transfers
12.1 Transfer Locations
Handover HQ Pty Ltd is headquartered in Australia. Your information may be transferred to, stored, and processed in Australia and other countries where our service providers and sub-processors operate. We operate across Australia/New Zealand, the United Kingdom, and the United States.
12.2 Transfer Safeguards
Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the European Commission or the UK Secretary of State, we implement one or more of the following safeguards:
You may request a copy of the relevant transfer safeguards by contacting our Privacy Officer.
13. Data Lifecycle Management
We manage personal data throughout its entire lifecycle, from collection to destruction:
13.1 Collection
Data is collected only through defined channels (the Service, website, customer communications) and only for the purposes documented in this Policy. Collection points display appropriate privacy notices.
13.2 Processing and Use
Data is processed only for the purposes for which it was collected, by authorised personnel, using approved systems, and in accordance with documented procedures.
13.3 Storage
Data is stored on encrypted infrastructure with access controls, audit logging, and monitoring. Storage locations are documented in our Records of Processing Activities.
13.4 Retention
We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected. Our retention schedule is as follows:
| Data Category | Retention Period |
|---|---|
| Account and profile data | For the life of the account; deleted within 30 days of account closure (subject to any legal hold). |
| Handover Content | For the life of the subscription; available for export for 30 days after termination, then deleted. Earlier deletion available on the Controller’s request. |
| Free Trial data | Retained for 30 days after trial expiry to allow conversion, then permanently deleted. |
| Billing and transaction records | Seven (7) years, to meet Australian taxation and record-keeping obligations. |
| Support and communications | Up to three (3) years from the date of last contact. |
| Security and audit logs | Minimum twelve (12) months; data breach records retained for a minimum of five (5) years. |
| Backups | Purged on a rolling schedule, within 90 days of deletion from primary storage. |
| Marketing consent records | Until consent is withdrawn, plus a reasonable period to evidence compliance. |
13.5 Archival
Data that has exceeded its active retention period but is subject to legal hold or regulatory requirement is moved to secure archival storage with restricted access. Archived data is encrypted and access-logged.
13.6 Deletion and Destruction
Upon expiry of the applicable retention period (and absent any legal hold), personal data is permanently deleted using industry-standard methods:
Deletion certificates are available upon request for Enterprise customers. Subscribing organisations may request early deletion of Handover Content at any time, subject to any legal hold obligations.
14. Departing Employee Data
Given the nature of our Service, we process personal data of departing employees on behalf of subscribing organisations. We recognise the particular sensitivity of this data and apply the following principles:
14.1 Controller-Processor Relationship
The subscribing organisation acts as the Data Controller for Handover Content relating to its departing employees. Handover HQ acts as the Data Processor, processing data only on the documented instructions of the subscribing organisation and in accordance with our Data Processing Agreement.
14.2 Departing Employee Rights
Departing employees retain all rights under applicable data protection legislation, including the right to access, correct, and request deletion of their personal data. Requests from departing employees will be referred to the subscribing organisation (as Data Controller) unless we are legally required to respond directly. We will cooperate with subscribing organisations in fulfilling such requests.
14.3 Informed Participation
We strongly recommend that subscribing organisations inform departing employees about: (a) the nature and purpose of the handover process; (b) the categories of data being collected; (c) who will have access to the data; (d) their rights regarding their data; and (e) how to exercise those rights. Template privacy notices for departing employees are available to subscribing organisations upon request.
15. Data Quality
In accordance with APP 10 and GDPR Article 5(1)(d), we take reasonable steps to ensure that personal data is accurate, complete, up-to-date, and relevant to the purpose for which it is processed:
16. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. A summary of our security measures is provided below; comprehensive detail is available in our separate Security and Data Protection Overview document.
17. Data Breach Management
17.1 Breach Detection and Assessment
Handover HQ maintains automated monitoring and detection systems to identify potential data breaches in real time. Upon detection of a suspected breach, our incident response team conducts an immediate assessment to determine the nature, scope, and severity of the incident.
17.2 Notification Obligations
In the event of an eligible data breach:
17.3 Breach Records
All data breaches, including near-misses, are documented with details of the facts, effects, and remedial action taken. Breach records are retained for a minimum of five (5) years and are available for regulatory inspection.
18. Your Privacy Rights
18.1 Australian Privacy Principles (APPs)
If you are an Australian resident, you have the right to: (a) access personal information we hold about you (APP 12); and (b) request correction of inaccurate, out-of-date, incomplete, or misleading information (APP 13). You may also make a complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe we have breached the APPs.
18.2 GDPR Rights (EEA and UK Residents)
If you are located in the EEA or UK, you have the following rights under the GDPR:
18.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, the CCPA as amended by the CPRA provides you with:
18.4 How to Exercise Your Rights
To exercise any of the above rights, please submit a request to our Privacy Officer:
We will verify your identity before processing any request. We will respond to verified requests within: (a) 30 days for requests under the APPs and GDPR (extendable by a further 60 days for complex requests, with notice); and (b) 45 days for requests under the CCPA/CPRA (extendable by a further 45 days, with notice). Requests are fulfilled free of charge unless manifestly unfounded or excessive.
19. Records of Processing Activities
In accordance with GDPR Article 30 and the accountability principle, Handover HQ maintains comprehensive Records of Processing Activities (ROPA) that document: (a) the purposes of processing; (b) categories of data subjects and personal data; (c) categories of recipients; (d) international transfers and safeguards; (e) retention periods; and (f) a general description of technical and organisational security measures. Our ROPA is reviewed and updated at least quarterly and is available to supervisory authorities upon request.
20. Anonymisation and Pseudonymisation
Where technically feasible and consistent with the purpose of processing, we apply anonymisation or pseudonymisation techniques to reduce privacy risk:
21. Children's Privacy
The Service is directed at organisations and their adult representatives. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information and, where required, notify the relevant parent or guardian.
22. Training and Awareness
All Handover HQ employees and contractors receive data protection and privacy awareness training upon onboarding and at least annually thereafter. Training covers:
Training completion is documented and records are maintained by the Privacy Officer.
23. Audit, Review, and Compliance
This Policy and our data protection practices are subject to regular review and audit:
24. Complaint Handling
If you have a complaint about our handling of your personal information, we encourage you to contact us first so we can attempt to resolve the matter:
24.1 Regulatory Authorities
25. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by: (a) posting the updated Policy on our website with a revised Effective Date; (b) sending an email notification to the address associated with your account; and (c) where required by law, obtaining your consent before material changes take effect. We encourage you to review this Policy periodically. Non-material changes (such as formatting corrections or typographical fixes) may be made without notice.
26. Contact Us
If you have questions, concerns, or requests regarding this Policy or your personal information, please contact us at:
Privacy Officer
Handover HQ Pty Ltd
ABN 34 689 167 477 · ACN 689 167 477
Privacy Enquiries: privacy@handoverhq.com / privacy@handoverhq.ai
Security Enquiries: security@handoverhq.com / security@handoverhq.ai
General Enquiries: enquiries@handoverhq.com / enquiries@handoverhq.ai
Websites: handoverhq.com and handoverhq.ai
Trust Centre: handoverhq.com/trust (or handoverhq.ai/trust)