Privacy Policy
Effective: 21 April 2026 (version 2 — trial-abandonment retention clause added; billing-data enumeration updated for annual billing and trial state). Operated by REG MON AUS PTY LTD (ABN 49 697 171 074, ACN 697 171 074), Western Australia. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This Privacy Policy describes how Regulatory Monitor AU collects, uses, discloses, and protects personal information in the course of operating an informational regulatory monitoring service for Australian professional services firms. Regulatory Monitor AU is an information service only; it does not provide legal, tax, or financial product advice. See the Disclaimer for the full statement of what the service is and is not.
1. About us
REG MON AUS PTY LTD (ABN 49 697 171 074, ACN 697 171 074) is a company incorporated in Western Australia. We operate Regulatory Monitor AU, a subscription information service that monitors Australian regulatory sources (including the ATO, ASIC, APRA, AER, ACCC, OAIC, FWO, FWC, DCCEEW, Treasury, the Takeovers Panel, ACNC, AASB, the TPB, the RBA, AUSTRAC, and AustLII) and delivers digests, alerts, and articles to subscriber firms. We are an "APP entity" for the purposes of the Privacy Act and this policy describes our APP-aligned practices.
2. The personal information we collect
We collect only what we need to deliver the service, bill it, and improve it. Specifically:
- Firm and contact details — firm name, ABN (optional), business address, phone numbers, the name and email address of one or more authorised contacts at the firm, and the role and seniority of each user.
- Service preferences — practice areas, jurisdictions, regulatory sources to monitor, alert thresholds, and email or SMS delivery preferences.
- Authentication data — hashed passwords, session tokens, and (if multi-factor authentication is enabled) MFA enrolment information.
- Billing data — Stripe customer ID, subscription tier, billing interval (monthly or annual), trial state (in-trial, trialled-and-converted, trialled-and-cancelled), invoice and payment status. Card numbers and bank account details are collected and stored by Stripe; we do not see or store them.
- Usage data — Portal logins, alerts viewed, queries submitted (and the text of those queries), articles read, and digest open and click events.
- Web analytics — pages visited, approximate location (city), device and browser type, and referrer URL, collected via Google Tag Manager and Google Analytics 4. These are loaded only after you give analytics consent through the cookie banner (see s.10).
- Technical logs — IP addresses and request metadata logged by our hosting providers for security, rate-limiting, and abuse-prevention purposes.
What we do not collect
We do not collect or store personal information about your clients or any third party. The Service is not designed to receive client matter data and you must not submit personal information about a third party through a query or any other channel. We do not collect sensitive information (within the meaning of the Privacy Act) and we do not collect data from children.
3. How we collect it
We collect information directly from you when you sign up, update your profile, log in to the Portal, submit a query, or contact support. We collect billing information through Stripe when you provide a payment method. We collect usage and analytics data automatically through the Portal and the marketing site (subject to consent for non-essential cookies). Where reasonable and practicable, we collect personal information directly from you (APP 3).
4. Why we collect it (APP 6)
We collect and use personal information to:
- deliver the Service (digests, alerts, articles, query responses) tailored to your practice areas and jurisdictions;
- authenticate users, maintain account security, and prevent unauthorised access;
- process payments and issue invoices;
- provide support and respond to your enquiries, including questions about our content;
- improve the Service by analysing aggregate usage patterns, alert relevance, and editorial accuracy;
- send service notices, regulatory updates, and (where you have consented) marketing communications, which you may unsubscribe from at any time;
- comply with our legal obligations, respond to lawful requests, and protect our rights and the rights of others.
We do not use personal information for any purpose unrelated to the operation of an informational regulatory monitoring service.
5. Disclosure of personal information
We disclose personal information only to the categories of recipient set out below, and only as needed for the purposes in s.4. We do not sell personal information.
- Hosting and database — Supabase Inc. We host the Portal database and authentication on Supabase in the Sydney region (ap-southeast-2). Supabase processes firm contact details, preferences, and usage logs.
- Application hosting — Railway Corp. The backend application runs on Railway. Logs may contain request metadata and (transiently) authenticated user IDs.
- Marketing site hosting — Vercel Inc. The marketing and admin sites are hosted on Vercel.
- Email delivery — Twilio SendGrid Inc. Used to send digests, alerts, password resets, and other transactional email. SendGrid processes the recipient email address and the contents of the message.
- SMS delivery — Twilio Inc. Used for urgent alerts to subscribers who opt in. Twilio processes the recipient phone number and the message body.
- Payments — Stripe Payments Australia Pty Ltd / Stripe, Inc. Used to take subscription payments. Stripe processes payment-method and billing-contact data under its own privacy commitments.
- AI processing — Anthropic, PBC. We use Anthropic's Claude API to classify, score, summarise, and draft Content. The data we send Anthropic is the public regulatory source text, the practice-area taxonomy, and (for query responses) the query text. We do not send Anthropic firm names, contact details, billing data, or any sensitive information about your clients.
- SEO data — DataForSEO LLC. Used for aggregate keyword and SERP research that informs editorial planning. We do not send DataForSEO any personal information.
- Analytics — Google LLC. Google Tag Manager and Google Analytics 4 process anonymous usage signals from the marketing site, but only after you give analytics consent through the cookie banner (see s.10).
- Professional advisers, regulators, and law enforcement — when required by law, when reasonably necessary to enforce our rights, or to protect health, safety, or property.
- A successor entity — in the event of a sale, merger, restructure, or transfer of all or substantially all of our business, with notice to you.
6. Automated decision-making and AI processing transparency
Consistent with the transparency disclosures introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth):
- We use the Claude API (Anthropic) to score regulatory items for relevance against subscriber practice areas, to classify items by topic, and to draft article content.
- AI-assisted decisions in the Service are limited to which regulatory items appear in your weekly digest and which generate a real-time alert. Subscribers can see the underlying source for any item and can adjust their preference settings to override the AI-assisted prioritisation.
- AI-drafted articles are reviewed by a human editor before publication. We do not use AI to make decisions about subscribers (such as price, eligibility, or termination) without human review.
- We do not use personal information to train any machine-learning model, and our agreement with Anthropic excludes the use of submitted content for model training.
7. Cross-border disclosure (APP 8)
Some recipients in s.5 are located outside Australia, including in the United States (Anthropic, SendGrid, Twilio, Stripe US, DataForSEO, Vercel, Google) and the European Union and United Kingdom (Stripe entities operate in multiple jurisdictions). Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles it in a manner consistent with the APPs, including by entering into the recipient's published data-processing terms and relying on their published privacy commitments.
By using the Service you consent to overseas disclosure to these recipients for the purposes described in this policy. Different jurisdictions may have privacy laws that differ from Australian law, and you may not be able to seek redress in those jurisdictions on the same terms as in Australia.
8. How we keep it safe (APP 11)
- All connections to the Portal and the marketing site use TLS 1.2 or higher.
- The database is encrypted at rest by Supabase. Row-level security (RLS) is enforced so that one subscriber's data is never returned in another subscriber's query results.
- Service-role database keys are held only on the backend; the public Portal uses scoped anonymous keys behind RLS policies.
- API secrets are held in environment variables, not in source control.
- Access to administrative tooling requires authentication and (for staff) is restricted by role.
- We monitor for unusual activity and review our security posture regularly.
No information system is perfectly secure. If you become aware of a vulnerability, contact us at contact@regmonitor.com.au and we will investigate.
9. Retention and deletion
- Account profile — retained for the life of your subscription and for 90 days afterward, then deleted.
- Abandoned trials — if you start a free trial but do not convert to a paid subscription, we retain your trial account data for 90 days after the trial ends to support re-activation if you change your mind. After 90 days we delete the trial account data, except for the minimum Stripe customer record required to prevent trial abuse by the same firm.
- Usage logs — retained for 12 months from collection.
- Billing records — retained for 7 years to comply with tax and corporations-law record-keeping obligations.
- Aggregated regulatory content — retained indefinitely. The content is publicly sourced and forms the basis of historical search; it does not contain subscriber personal information.
- Analytics — retained according to Google Analytics 4 default retention (currently up to 14 months).
You can ask us to delete your account and the personal information we hold about you at any time by emailing the Privacy Officer (see s.13). We will action a deletion request within 30 days, except for information we are required by law to retain (such as billing records).
10. Cookies and online tracking
The marketing site uses essential cookies for security, session, and load-balancing functions. These are required for the site to work and do not require consent.
For non-essential analytics (Google Tag Manager and Google Analytics 4) we operate on an opt-in basis. We initialise Google Consent Mode v2 with all consent signals defaulted to denied, so no analytics or advertising cookies are written and no identifiers are sent until you choose to accept. We display a consent banner on your first visit; you can change your choice at any time using the "Cookie preferences" link in the footer.
We do not use third-party advertising trackers and we do not sell or rent personal information to advertisers.
11. Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. If we become aware of a data breach that is likely to result in serious harm, we will assess the breach as soon as practicable (and in any case within 30 days of becoming aware), notify the Office of the Australian Information Commissioner, and notify affected individuals as soon as practicable. Where we have engaged a third-party processor, we will work with the processor to investigate any suspected breach.
You may report a suspected breach to the Privacy Officer (s.13) or directly to the OAIC.
12. Access, correction, and complaints (APPs 12, 13)
You have the right to ask us what personal information we hold about you, to ask us to correct it, and to complain if you believe we have breached the APPs.
Access and correction. Email the Privacy Officer (s.13) and tell us what information you want and (for a correction request) what is wrong. We will respond within 30 days. We may need to verify your identity. We do not charge for reasonable access or correction requests; if a request is unusually large or complex we will tell you the cost in advance.
Complaints. If you believe we have breached the APPs, contact the Privacy Officer first. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response you may escalate to the OAIC at oaic.gov.au or by phone on 1300 363 992.
13. Contact — Privacy Officer
Privacy Officer
REG MON AUS PTY LTD
Email: contact@regmonitor.com.au
Postal: address to be confirmed; pending update before commercial launch
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy here with a new effective date and, if the change is material, notify subscribers by email at least 30 days before it takes effect (changes required by law or to address security may take effect immediately). Continued use of the Service after the change takes effect is acceptance of the updated policy.