Handover HQHandover HQ

Privacy and Data Management Policy

Effective Date: 11 February 2026 · Document Ref: HHQ-POL-PRIV-001

ABN 34 689 167 477 · ACN 689 167 477

Privacy and

Data Management Policy

Comprehensive framework for the collection, use, protection, and governance of personal and organisational data

Effective Date: 11 February 2026

Document Reference: HHQ-POL-PRIV-001

Classification: PUBLIC

Review Cycle: Annual (or upon material change)

1. Introduction and Scope

1.1 About This Policy

Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477) (Handover HQ, we, us, or our) operates the handoverhq.com and handoverhq.ai websites and the Handover HQ AI-powered employee knowledge capture and transfer platform (collectively, the Service). This Privacy and Data Management Policy (Policy) sets out how we collect, use, disclose, store, protect, and govern personal information and organisational data when you visit our website, register for a free trial, or use our Service.

This Policy is designed to meet the requirements of, and to ensure compliance with, the following legislation and frameworks:

  • Australia: Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.
  • European Union: General Data Protection Regulation (EU) 2016/679 (GDPR).
  • United Kingdom: UK GDPR and the Data Protection Act 2018.
  • United States: California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable state privacy laws.
  • International: any other applicable privacy and data protection legislation in jurisdictions where we operate or where our users are located.
  • 1.2 Scope

    This Policy applies to all personal information and organisational data processed by Handover HQ, regardless of the medium or format in which it is held. It covers data relating to:

  • Account holders and their authorised users.
  • Departing employees whose knowledge and information is captured through the Service.
  • Website visitors and prospective customers.
  • Free trial users.
  • Business contacts, partners, and suppliers.
  • Job applicants and Handover HQ employees (to the extent relevant to the Service).
  • 1.3 Consent and Acceptance

    By accessing or using the Service, including by registering for a free trial, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Policy. If you do not agree with this Policy, please do not access or use the Service.

    Where you submit personal information of third parties (such as departing employees) through the Service, you represent and warrant that you have obtained all necessary consents and authorisations under applicable law prior to submission.

    2. Key Definitions

    In this Policy, the following terms have the meanings set out below:

    TermMeaning
    Personal Information / Personal DataInformation relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth), the GDPR, and other applicable Data Protection Laws.
    Sensitive Information / Special Category DataA subset of Personal Data afforded heightened protection, including health information and information revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership.
    Data ControllerThe party that determines the purposes and means of processing Personal Data. For Handover Content, the subscribing organisation is the Controller.
    Data ProcessorThe party that processes Personal Data on behalf of the Controller. Handover HQ acts as Processor for Handover Content.
    Data SubjectThe individual to whom Personal Data relates, such as an account user or a departing employee.
    Handover ContentAll information submitted during the employee knowledge capture and transfer process, including questionnaire responses, uploaded documents, voice interview recordings and transcriptions, and AI-generated outputs.
    ProcessingAny operation performed on Personal Data, including collection, recording, storage, use, disclosure, restriction, erasure, or destruction.
    Sub-processorA third party engaged by Handover HQ to process Personal Data on our behalf.
    AnonymisationIrreversible de-identification such that data can no longer be linked to a specific individual.
    PseudonymisationProcessing such that data can no longer be attributed to a specific individual without additional information held separately and securely.

    3. Data Governance Framework

    3.1 Governance Structure and Accountability

    Handover HQ maintains a data governance framework that assigns clear accountability for the protection and management of personal information. Ultimate accountability for data protection rests with the Handover HQ Board of Directors, with day-to-day responsibility delegated as follows:

  • Privacy Officer: Responsible for overseeing compliance with this Policy and applicable data protection legislation, managing data subject requests, conducting privacy impact assessments, and serving as the primary point of contact for regulatory authorities. Contactable at privacy@handoverhq.com / privacy@handoverhq.ai.
  • Chief Technology Officer (or equivalent): Responsible for implementing and maintaining technical security measures, overseeing data architecture, and ensuring privacy by design principles are embedded in platform development.
  • All Staff: Every employee and contractor with access to personal data is responsible for handling it in accordance with this Policy and any applicable internal procedures.
  • 3.2 Privacy by Design and Default

    Handover HQ embeds privacy into the design and architecture of our Service from the outset, in accordance with Article 25 of the GDPR and consistent with APP 1.2. This means:

  • New features and product changes undergo a privacy review before release.
  • Data collection is limited to what is strictly necessary for the stated purpose (data minimisation).
  • Default settings are configured to the most privacy-protective option.
  • Personal data is pseudonymised or anonymised wherever technically feasible and consistent with the purpose of processing.
  • Access to personal data is restricted to personnel who require it for their role.
  • 3.3 Data Protection Impact Assessments (DPIAs)

    We conduct Data Protection Impact Assessments in accordance with Article 35 of the GDPR before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:

  • Introduction of new AI models or significant changes to existing AI processing.
  • Large-scale processing of sensitive or special category data.
  • Systematic monitoring or profiling of individuals.
  • Processing involving new technologies or novel combinations of existing technologies.
  • Cross-border data transfers to jurisdictions without an adequacy decision.
  • DPIAs are documented, reviewed by the Privacy Officer, and retained as part of our compliance records. Where a DPIA identifies residual high risks that cannot be mitigated, we will consult with the relevant supervisory authority before proceeding.

    4. Data Classification

    All data processed by Handover HQ is classified according to the following framework. Classification determines the security controls, access restrictions, retention policies, and handling procedures applied to the data:

    ClassificationDescriptionExamplesHandling Controls
    RestrictedHighly sensitive data whose unauthorised disclosure would cause serious harm.Sensitive Information, voice interview recordings, authentication credentials, encryption keys.AES-256 encryption, strict role-based access, MFA, full audit logging, need-to-know access only.
    ConfidentialCustomer Personal Data and Handover Content.Questionnaire responses, transcripts, employee identity and employment data.Encryption at rest and in transit, RBAC, tenant isolation, access logging.
    InternalNon-public operational data.Aggregated analytics, internal documentation, system configuration.Access limited to authorised personnel; not for external disclosure.
    PublicInformation approved for public release.Marketing content, published policies, this document.No access restrictions.

    All personnel with access to Confidential or Internal data are required to handle such data in accordance with the controls specified for its classification level. Mishandling of classified data is a disciplinary matter.

    5. Information We Collect

    5.1 Information You Provide to Us

    We collect information that you voluntarily provide when you register for an account, sign up for the Free Trial, subscribe to a paid plan, use the Service, or contact us. This includes:

  • Account Information: your name, email address, job title, organisation name, phone number, and billing address.
  • Payment Information: credit card or payment details, billing address, and transaction history. Payment processing is handled by our third-party payment processor; we do not store full payment card numbers on our servers. No payment information is collected during the Free Trial unless you voluntarily elect to subscribe early.
  • Handover Content: all information submitted during the employee knowledge capture and transfer process, including exit questionnaire responses, uploaded documents and artifacts, voice interview recordings and transcriptions, IT equipment records, and any other data provided as part of a handover. This may include Personal Information and Sensitive Information of departing employees.
  • Organisation Data: information about your organisation including employee names, roles, departmental structures, and organisational hierarchies as required to facilitate handover processes.
  • Communication Data: information contained in your correspondence with us, including support requests, feedback, and survey responses.
  • 5.2 Information We Collect Automatically

    When you access or use our Service (including during the Free Trial), we automatically collect:

  • Usage Data: pages viewed, features used, credit consumption, session duration, click patterns, and interaction flows within the platform.
  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preferences, and time zone.
  • Log Data: server logs including access timestamps, referring and exit URLs, HTTP status codes, and error logs.
  • Cookies and Similar Technologies: we use cookies, web beacons, and similar technologies as described in our separate Cookie Policy.
  • 5.3 Information from Third Parties

    We may receive information about you from third-party sources, including identity verification services, fraud prevention services, analytics providers, public databases, and integration partners where you have connected Handover HQ with other workplace tools.

    5.4 Sensitive Information

    In the course of processing Handover Content, we may process information that constitutes Sensitive Information under the Privacy Act 1988 or Special Category Data under the GDPR. This may include health-related disclosures made during exit interviews, information revealing racial or ethnic origin, or trade union membership. We process Sensitive Information only where: (a) you or the data subject has provided explicit consent; (b) processing is necessary for compliance with employment law obligations; or (c) another lawful basis under applicable law applies. We apply heightened security controls to all Sensitive Information in accordance with our data classification framework.

    6. Lawful Bases for Processing

    6.1 Processing Activity Mapping

    In accordance with GDPR Article 6 and the accountability principle, we document the lawful basis for each category of processing we undertake. The following table summarises our primary processing activities and their corresponding legal bases:

    Processing ActivityLawful Basis (GDPR)Australian Privacy Act Basis
    Account creation and administrationPerformance of a contract (Art. 6(1)(b))APP 3 — collection necessary for our functions
    Processing Handover Content for customersProcessing on the Controller’s documented instructions; the Controller’s own lawful basis applies (Art. 28)APP 6 — use for the primary purpose
    Billing and paymentsPerformance of a contract (Art. 6(1)(b)); legal obligation for financial records (Art. 6(1)(c))APP 3 / APP 6
    Security, fraud and abuse preventionLegitimate interests (Art. 6(1)(f))APP 6 — use reasonably necessary for a related purpose
    Product improvement (aggregated and anonymised only)Legitimate interests (Art. 6(1)(f))APP 6 — de-identified data
    Marketing communicationsConsent (Art. 6(1)(a))APP 7 — direct marketing with consent
    Legal compliance and responding to authoritiesLegal obligation (Art. 6(1)(c))APP 6 — use required or authorised by law

    6.2 Legitimate Interests Assessment

    Where we rely on legitimate interests as a lawful basis, we have conducted a Legitimate Interests Assessment (LIA) to ensure that our interests are not overridden by the rights and freedoms of data subjects. Our LIAs consider the nature of the processing, the reasonable expectations of data subjects, the potential impact on individuals, and any safeguards we can put in place. LIA records are maintained by the Privacy Officer and are available to supervisory authorities upon request.

    6.3 Consent Management

    Where consent is the lawful basis for processing, we ensure that consent is freely given, specific, informed, and unambiguous. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal. We maintain records of consent including the date, method, and scope of consent given.

    7. Purpose Limitation and Data Minimisation

    7.1 Purpose Limitation

    Personal information is collected only for specified, explicit, and legitimate purposes as set out in this Policy. We do not process personal information in a manner incompatible with those purposes unless: (a) we have obtained your further consent; (b) processing is required by law; or (c) further processing is compatible with the original purpose, as assessed in accordance with GDPR Article 6(4).

    7.2 Data Minimisation

    We collect only the personal information that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Specifically:

  • Account registration collects only the fields required to provision and manage your account.
  • Handover Content fields are configurable by the subscribing organisation to enable collection of only the data relevant to their knowledge transfer needs.
  • Optional features (such as voice interviews) are disabled by default and activated only where the subscribing organisation and departing employee consent.
  • Analytics and telemetry data is aggregated and anonymised wherever possible.
  • 8. How We Use Your Information

    We use the information we collect for the following purposes:

  • Service Delivery: to provide, operate, maintain, and improve the Handover HQ platform, including processing handovers, generating AI-powered insights, quality scores, sentiment analysis, and summarisation.
  • Account and Trial Administration: to create and manage your account, administer Free Trial periods, process subscriptions and payments, allocate and track Handover Credits, and send account-related communications including trial expiry notifications.
  • AI Processing: to power our artificial intelligence features. See Section 9 (AI-Specific Data Processing) for comprehensive detail on how AI processes your data.
  • Product Improvement: to analyse aggregated and anonymised usage patterns to improve the Service, develop new features, and enhance AI accuracy. Individual Handover Content is not used for general product improvement without explicit consent.
  • Communication: to send you service updates, security alerts, credit usage notifications, and to respond to your enquiries and support requests. Marketing communications are sent only with your explicit opt-in consent.
  • Security and Fraud Prevention: to detect, prevent, and address fraud, unauthorised access, abuse of the Free Trial, and other illegal or harmful activities.
  • Legal Compliance: to comply with applicable laws, regulations, court orders, and legal processes.
  • Dispute Resolution and Enforcement: to enforce our Terms of Service and resolve disputes.
  • 9. AI-Specific Data Processing

    9.1 How AI Processes Your Data

    Handover HQ uses artificial intelligence to deliver core Service features including automated summarisation, sentiment analysis, quality scoring, intelligent knowledge extraction, and voice interview transcription and analysis. When you submit Handover Content, it is processed as follows:

  • Input Processing: your Handover Content is transmitted via encrypted channels to our AI processing infrastructure (or to approved third-party AI model providers) where it is analysed to generate Outputs.
  • Output Generation: the AI generates summaries, sentiment scores, quality assessments, and structured knowledge documents based on the input data.
  • Data Isolation: each organisation's data is logically isolated. One customer's Handover Content is never used to generate Outputs for another customer.
  • No Model Training on Customer Data: Handover HQ does not use your Handover Content to train, fine-tune, or improve our general AI models unless you have provided explicit, separate, written consent to participate in a model improvement programme.
  • Transient Processing: where third-party AI model providers are used, your data is processed transiently and is not retained by the provider beyond the processing session, in accordance with our data processing agreements.
  • 9.2 Automated Decision-Making and Profiling

    In accordance with GDPR Article 22 and the Australian Privacy Principles, we disclose the following regarding automated decision-making:

    The Service does not make automated decisions that produce legal effects or similarly significant effects on individuals without human involvement. AI-generated Outputs (such as quality scores and sentiment analysis) are provided as informational tools to support human decision-making, not as determinative assessments. Subscribing organisations are responsible for ensuring that no employment decisions are made solely on the basis of automated processing.

    You have the right to: (a) request information about the logic involved in any automated processing; (b) express your point of view; and (c) contest any decision that significantly affects you. These rights can be exercised by contacting our Privacy Officer.

    9.3 Third-Party AI Providers

    We currently use the following third-party AI providers to deliver intelligent features: OpenAI (GPT-4o and GPT-4o-mini) for interview evaluation, summarisation, and sentiment analysis; and ElevenLabs for text-to-speech in the voice interview. These providers process your data transiently to generate outputs, do not retain it beyond the processing session, and do not use it to train their models, in accordance with our Data Processing Agreements. A full, current list of all providers is maintained in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). All providers are subject to Data Processing Agreements requiring equivalent data protection standards.

    10. How We Share Your Information

    We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

  • Service Providers and Sub-Processors: with third-party vendors who perform services on our behalf (cloud hosting, payment processing, analytics, customer support). All service providers are bound by written data processing agreements requiring them to process data only on our instructions and to implement appropriate security measures. See Section 11 for our sub-processor management framework.
  • AI Model Providers: Handover Content may be processed by third-party AI model providers to deliver intelligent features, subject to the safeguards described in Section 9.
  • Within Your Organisation: handover reports, insights, and captured knowledge are shared with authorised users within the subscribing organisation as part of normal Service operation. The subscribing organisation acts as Data Controller for this sharing.
  • Legal Requirements: where required by law, regulation, court order, subpoena, or valid governmental request. We will assess the validity and scope of any legal demand and, where legally permitted, notify affected users before disclosure.
  • Business Transfers: in connection with a merger, acquisition, reorganisation, or sale of assets. In such event, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.
  • Safety and Enforcement: where we believe in good faith that disclosure is necessary to protect the safety of any person, to address fraud or security issues, or to enforce our Terms of Service.
  • With Your Consent: where you have provided explicit consent for a specific sharing purpose.
  • 11. Third-Party and Sub-Processor Management

    We maintain a rigorous framework for managing third-party service providers and sub-processors who handle personal data on our behalf:

    11.1 Due Diligence

  • All prospective sub-processors undergo a privacy and security assessment before engagement.
  • Assessments evaluate the provider's data protection policies, security certifications, breach history, data residency, and ability to support data subject rights.
  • Providers processing Confidential data must demonstrate compliance with standards equivalent to or exceeding our own.
  • 11.2 Contractual Safeguards

  • All sub-processors are bound by written Data Processing Agreements (DPAs) that comply with GDPR Article 28.
  • DPAs require sub-processors to: process data only on our documented instructions; ensure confidentiality; implement appropriate technical and organisational measures; assist with data subject requests; notify us of breaches without undue delay; delete or return data upon termination; and submit to audits.
  • 11.3 Ongoing Monitoring

  • Sub-processor compliance is reviewed at least annually.
  • We maintain a register of all sub-processors, which is available to subscribing organisations upon request.
  • Subscribing organisations will be notified of any intended changes to sub-processors, with the right to object where such changes materially affect data protection.
  • Our full Sub-processor Register is published at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). Customers may subscribe to advance notice of sub-processor changes by emailing privacy@handoverhq.com / privacy@handoverhq.ai.

    12. International Data Transfers

    12.1 Transfer Locations

    Handover HQ Pty Ltd is headquartered in Australia. Your information may be transferred to, stored, and processed in Australia and other countries where our service providers and sub-processors operate. We operate across Australia/New Zealand, the United Kingdom, and the United States.

    12.2 Transfer Safeguards

    Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the European Commission or the UK Secretary of State, we implement one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (module-appropriate) are incorporated into our agreements with data importers.
  • UK International Data Transfer Agreement (IDTA) or Addendum: the UK's approved transfer mechanisms are used for transfers from the UK.
  • Transfer Impact Assessments (TIAs): conducted to evaluate the legal framework of the recipient country and any supplementary measures required.
  • Supplementary Measures: where TIAs identify risks, we implement additional safeguards such as enhanced encryption, pseudonymisation, or contractual restrictions on government access.
  • You may request a copy of the relevant transfer safeguards by contacting our Privacy Officer.

    13. Data Lifecycle Management

    We manage personal data throughout its entire lifecycle, from collection to destruction:

    13.1 Collection

    Data is collected only through defined channels (the Service, website, customer communications) and only for the purposes documented in this Policy. Collection points display appropriate privacy notices.

    13.2 Processing and Use

    Data is processed only for the purposes for which it was collected, by authorised personnel, using approved systems, and in accordance with documented procedures.

    13.3 Storage

    Data is stored on encrypted infrastructure with access controls, audit logging, and monitoring. Storage locations are documented in our Records of Processing Activities.

    13.4 Retention

    We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected. Our retention schedule is as follows:

    Data CategoryRetention Period
    Account and profile dataFor the life of the account; deleted within 30 days of account closure (subject to any legal hold).
    Handover ContentFor the life of the subscription; available for export for 30 days after termination, then deleted. Earlier deletion available on the Controller’s request.
    Free Trial dataRetained for 30 days after trial expiry to allow conversion, then permanently deleted.
    Billing and transaction recordsSeven (7) years, to meet Australian taxation and record-keeping obligations.
    Support and communicationsUp to three (3) years from the date of last contact.
    Security and audit logsMinimum twelve (12) months; data breach records retained for a minimum of five (5) years.
    BackupsPurged on a rolling schedule, within 90 days of deletion from primary storage.
    Marketing consent recordsUntil consent is withdrawn, plus a reasonable period to evidence compliance.

    13.5 Archival

    Data that has exceeded its active retention period but is subject to legal hold or regulatory requirement is moved to secure archival storage with restricted access. Archived data is encrypted and access-logged.

    13.6 Deletion and Destruction

    Upon expiry of the applicable retention period (and absent any legal hold), personal data is permanently deleted using industry-standard methods:

  • Digital data: cryptographic erasure or overwriting to render data unrecoverable.
  • Backup data: purged through scheduled backup rotation within 90 days of source deletion.
  • Physical media (if any): secure shredding or degaussing.
  • Deletion certificates are available upon request for Enterprise customers. Subscribing organisations may request early deletion of Handover Content at any time, subject to any legal hold obligations.

    14. Departing Employee Data

    Given the nature of our Service, we process personal data of departing employees on behalf of subscribing organisations. We recognise the particular sensitivity of this data and apply the following principles:

    14.1 Controller-Processor Relationship

    The subscribing organisation acts as the Data Controller for Handover Content relating to its departing employees. Handover HQ acts as the Data Processor, processing data only on the documented instructions of the subscribing organisation and in accordance with our Data Processing Agreement.

    14.2 Departing Employee Rights

    Departing employees retain all rights under applicable data protection legislation, including the right to access, correct, and request deletion of their personal data. Requests from departing employees will be referred to the subscribing organisation (as Data Controller) unless we are legally required to respond directly. We will cooperate with subscribing organisations in fulfilling such requests.

    14.3 Informed Participation

    We strongly recommend that subscribing organisations inform departing employees about: (a) the nature and purpose of the handover process; (b) the categories of data being collected; (c) who will have access to the data; (d) their rights regarding their data; and (e) how to exercise those rights. Template privacy notices for departing employees are available to subscribing organisations upon request.

    15. Data Quality

    In accordance with APP 10 and GDPR Article 5(1)(d), we take reasonable steps to ensure that personal data is accurate, complete, up-to-date, and relevant to the purpose for which it is processed:

  • Account holders can update their information directly through their account settings at any time.
  • We implement validation controls at data entry points to reduce errors.
  • AI-generated Outputs are clearly labelled as machine-generated and should be reviewed by humans for accuracy before reliance.
  • Subscribing organisations are responsible for the accuracy of Handover Content submitted to the Service.
  • 16. Data Security

    We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. A summary of our security measures is provided below; comprehensive detail is available in our separate Security and Data Protection Overview document.

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for all data stores including backups.
  • Access Controls: role-based access control (RBAC), multi-factor authentication, principle of least privilege, automatic session timeout.
  • Network Security: firewalls, web application firewalls (WAFs), DDoS protection, network segmentation.
  • Monitoring: real-time intrusion detection, audit logging of all data access, automated alerting.
  • Personnel: background checks, confidentiality agreements, mandatory security training on onboarding and annually.
  • Testing: regular vulnerability assessments and penetration testing by independent third parties.
  • 17. Data Breach Management

    17.1 Breach Detection and Assessment

    Handover HQ maintains automated monitoring and detection systems to identify potential data breaches in real time. Upon detection of a suspected breach, our incident response team conducts an immediate assessment to determine the nature, scope, and severity of the incident.

    17.2 Notification Obligations

    In the event of an eligible data breach:

  • Australian NDB Scheme: where a breach is likely to result in serious harm, we will notify the OAIC and affected individuals as soon as practicable and in any event within 30 days of becoming aware of the breach, in accordance with Part IIIC of the Privacy Act 1988.
  • GDPR: we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.
  • Subscribing Organisations: where a breach affects Handover Content processed on behalf of a subscribing organisation, we will notify the organisation without undue delay and in any event within 48 hours, providing all information necessary for the organisation to meet its own notification obligations.
  • Other Jurisdictions: we will comply with applicable breach notification requirements in all jurisdictions where we operate.
  • 17.3 Breach Records

    All data breaches, including near-misses, are documented with details of the facts, effects, and remedial action taken. Breach records are retained for a minimum of five (5) years and are available for regulatory inspection.

    18. Your Privacy Rights

    18.1 Australian Privacy Principles (APPs)

    If you are an Australian resident, you have the right to: (a) access personal information we hold about you (APP 12); and (b) request correction of inaccurate, out-of-date, incomplete, or misleading information (APP 13). You may also make a complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe we have breached the APPs.

    18.2 GDPR Rights (EEA and UK Residents)

    If you are located in the EEA or UK, you have the following rights under the GDPR:

  • Right of Access (Art. 15): obtain confirmation of whether your data is being processed and receive a copy of it.
  • Right to Rectification (Art. 16): request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): request deletion of your personal data where it is no longer necessary, you withdraw consent, or processing is unlawful.
  • Right to Restrict Processing (Art. 18): request limitation of processing while accuracy is contested, processing is unlawful, or data is needed for legal claims.
  • Right to Data Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Art. 22): not be subject to decisions based solely on automated processing. See Section 9.2.
  • Right to Withdraw Consent: withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: lodge a complaint with a supervisory authority in your country of residence.
  • 18.3 CCPA/CPRA Rights (California Residents)

    If you are a California resident, the CCPA as amended by the CPRA provides you with:

  • Right to know what personal information is collected, used, disclosed, and sold or shared.
  • Right to delete personal information held by us and our service providers.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. Note: we do not sell or share personal information as defined under the CCPA/CPRA.
  • Right to limit use and disclosure of sensitive personal information.
  • Right to non-discrimination for exercising your privacy rights.
  • 18.4 How to Exercise Your Rights

    To exercise any of the above rights, please submit a request to our Privacy Officer:

  • Email: privacy@handoverhq.com / privacy@handoverhq.ai
  • Subject line: "Data Subject Request — [Your Name]"
  • We will verify your identity before processing any request. We will respond to verified requests within: (a) 30 days for requests under the APPs and GDPR (extendable by a further 60 days for complex requests, with notice); and (b) 45 days for requests under the CCPA/CPRA (extendable by a further 45 days, with notice). Requests are fulfilled free of charge unless manifestly unfounded or excessive.

    19. Records of Processing Activities

    In accordance with GDPR Article 30 and the accountability principle, Handover HQ maintains comprehensive Records of Processing Activities (ROPA) that document: (a) the purposes of processing; (b) categories of data subjects and personal data; (c) categories of recipients; (d) international transfers and safeguards; (e) retention periods; and (f) a general description of technical and organisational security measures. Our ROPA is reviewed and updated at least quarterly and is available to supervisory authorities upon request.

    20. Anonymisation and Pseudonymisation

    Where technically feasible and consistent with the purpose of processing, we apply anonymisation or pseudonymisation techniques to reduce privacy risk:

  • Anonymisation: data that has been irreversibly de-identified such that it can no longer be linked to a specific individual falls outside the scope of data protection legislation and this Policy.
  • Pseudonymisation: data that has been processed so that it can no longer be attributed to a specific individual without the use of additional information. We use pseudonymisation in analytics, AI model evaluation, and internal reporting to reduce the risk of re-identification.
  • 21. Children's Privacy

    The Service is directed at organisations and their adult representatives. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete that information and, where required, notify the relevant parent or guardian.

    22. Training and Awareness

    All Handover HQ employees and contractors receive data protection and privacy awareness training upon onboarding and at least annually thereafter. Training covers:

  • The requirements of this Policy and applicable data protection legislation.
  • Data classification, handling, and security procedures.
  • Recognising and reporting data breaches.
  • Responding to data subject requests.
  • AI ethics and responsible use of AI in processing personal data.
  • Training completion is documented and records are maintained by the Privacy Officer.

    23. Audit, Review, and Compliance

    This Policy and our data protection practices are subject to regular review and audit:

  • Annual Review: this Policy is reviewed at least annually by the Privacy Officer and updated to reflect changes in legislation, the Service, or our processing activities.
  • Internal Audits: data protection practices are audited internally at least annually to verify compliance with this Policy and applicable law.
  • External Audits: as Handover HQ scales, we intend to engage independent third-party auditors and pursue SOC 2 Type II and ISO 27001 certifications.
  • Regulatory Cooperation: we cooperate fully with supervisory authorities and regulatory bodies in any investigation or enquiry relating to our data protection practices.
  • 24. Complaint Handling

    If you have a complaint about our handling of your personal information, we encourage you to contact us first so we can attempt to resolve the matter:

  • Step 1: Contact our Privacy Officer at privacy@handoverhq.com / privacy@handoverhq.ai with details of your complaint.
  • Step 2: We will acknowledge your complaint within five (5) business days and investigate promptly.
  • Step 3: We will provide a substantive response within thirty (30) days of receipt.
  • Step 4: If you are not satisfied with our response, you may escalate your complaint to the relevant regulatory authority.
  • 24.1 Regulatory Authorities

  • Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
  • United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk
  • European Union: your local Data Protection Authority (a full list is available at edpb.europa.eu)
  • United States (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov
  • 25. Changes to This Policy

    We may update this Policy from time to time. We will notify you of material changes by: (a) posting the updated Policy on our website with a revised Effective Date; (b) sending an email notification to the address associated with your account; and (c) where required by law, obtaining your consent before material changes take effect. We encourage you to review this Policy periodically. Non-material changes (such as formatting corrections or typographical fixes) may be made without notice.

    26. Contact Us

    If you have questions, concerns, or requests regarding this Policy or your personal information, please contact us at:

    Privacy Officer

    Handover HQ Pty Ltd

    ABN 34 689 167 477 · ACN 689 167 477

    Privacy Enquiries: privacy@handoverhq.com / privacy@handoverhq.ai

    Security Enquiries: security@handoverhq.com / security@handoverhq.ai

    General Enquiries: enquiries@handoverhq.com / enquiries@handoverhq.ai

    Websites: handoverhq.com and handoverhq.ai

    Trust Centre: handoverhq.com/trust (or handoverhq.ai/trust)