Privacy Policy – Liberate Consulting
Version 3.0 — May 2026. This policy has been updated to reflect the Privacy and Other Legislation Amendment Act 2024 (Cth), which received Royal Assent on 10 December 2024. Key changes include: expanded individual rights, the new statutory tort for serious invasions of privacy (in force 10 June 2025), updated overseas-disclosure requirements, new automated-decision-making (ADM) transparency obligations (commencing 10 December 2026), and increased OAIC enforcement penalties. It supersedes all previous versions.

1. About this Policy

Liberate Consulting Pty Ltd ("Liberate Consulting", "we", "us", "our") helps Australian financial services firms — including AFSL holders, wealth managers, and advisers — design, govern, and operate AI systems that are secure, transparent, and compliant.

This policy explains how we collect, use, disclose, and protect personal information across all of our channels and engagements, including:

  • Visits to liberateconsulting.com and any subdomains we operate
  • Contact forms, enquiries, demo requests, and consultation bookings
  • Mailing lists, lead magnets, and event invitations
  • AI Governance Workshops (including AFSL-focused half-day sessions)
  • AI Discovery & Strategy engagements and other consulting work
  • Purchases made through our online checkout

We are committed to handling personal information in compliance with:

  • The Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth), and the 13 Australian Privacy Principles (APPs)
  • The EU General Data Protection Regulation (GDPR) and UK GDPR, where applicable
  • APRA prudential standards CPS 230 (Operational Risk Management) and CPS 234 (Information Security), to the extent our work touches APRA-regulated entities

This policy is available free of charge on our website. If you need it in an alternative format, please contact us using the details in Section 15.


2. Definitions

Personal information has the meaning given in the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable. This broadly corresponds to "personal data" under the GDPR.

Sensitive information means the categories of personal information listed in the Privacy Act, including health information and information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal record. We do not collect sensitive information unless you provide it voluntarily or the law permits.

Automated decision-making (ADM) means a decision made or materially supported by a computer program using personal information. An ADM Register is the inventory of those systems, which we help clients build and maintain.

Client engagement materials means documents, system exports, screenshots, configuration data, transcripts, and any other artefacts a client provides us during an engagement.

APP entity means an organisation or agency bound by the Australian Privacy Principles under the Privacy Act, which includes Liberate Consulting.


3. Personal Information We Collect

We collect different categories of personal information depending on how you interact with us. We collect only the information that is reasonably necessary for the relevant purpose (APP 3).

3.1 Website visitors

When you browse liberateconsulting.com we collect:

  • Technical data: IP address, device type, browser type and version, referring URL, pages visited, and timestamps
  • Cookie identifiers and similar tracking data (see Section 11)
  • Aggregated, de-identified analytics data about site usage

3.2 Enquiries, consultations, and newsletter

When you submit a contact form, request a consultation, download a lead magnet, subscribe to our mailing list, or register for an event, we collect:

  • Your name, business email address, phone number, and job title
  • Your organisation name and, where relevant, AFSL number or regulatory identifier
  • The nature of your enquiry or area of interest
  • Your marketing preferences and consent record

3.3 AI Governance Workshop attendees

When your firm engages us for an AI Governance Workshop, or you attend as a participant, we collect:

  • Names, roles, business contact details, and signatures of attendees
  • Pre-read responses, self-assessment surveys, and workshop discussion notes
  • Session recordings — only where the host has confirmed written consent from all participants; we do not record by default
  • Information required to compile the AI governance roadmap, ADM Register baseline, and Board-ready evidence pack

3.4 AI Discovery & Strategy and consulting engagements

During longer consulting engagements, we may receive or be granted access to:

  • Business documentation: policies, procedures, registers, board papers, and vendor contracts
  • System configuration data, model documentation, prompts, logs, and ADM outputs
  • Staff information (names, roles, system access) to the extent needed to assess controls
  • In limited cases, sample customer records used to test AI controls or complaint patterns

We ask clients to de-identify or minimise personal information before sharing it. Where personal information must be shared, we handle it under a written engagement contract with confidentiality obligations.

3.5 Online purchases

If you purchase a product or service through our checkout, we (or our payment processor) collect:

  • Billing name, organisation, and address
  • Email address and phone number
  • Order details and invoice records
  • Payment confirmation data (we do not store full card numbers or CVV codes on our systems)

3.6 Information from third parties

We may receive limited personal information from third parties, such as a colleague who refers you to us, a regulator or industry body that provides an attendee list, or publicly available professional sources (for example, ASIC's professional registers and LinkedIn). Where we receive your information this way, we will notify you at or before our first contact with you, unless an exception under the APPs applies.


4. How We Collect Personal Information

We collect personal information directly from you wherever it is reasonable and practicable to do so (APP 3.5), through our website, email, phone calls, workshops, document exchanges, and engagement portals.

Where we collect information from a third party, we will notify you at or before our first contact, unless notification is inconsistent with our legal obligations or a permitted exception under the APPs applies.

We collect personal information only where it is reasonably necessary for one or more of the purposes described in Section 5, or where you have consented (APP 3).


5. How We Use Personal Information

We use personal information only for purposes that are directly related to our functions and activities, or for purposes you would reasonably expect (APP 6). Specifically, we use it to:

  • Respond to enquiries and provide quotes, proposals, and consultations
  • Deliver our services: AI Governance Workshops, AI Discovery & Strategy engagements, advisory work, and bespoke deliverables
  • Maintain client records, billing, and engagement files
  • Send service updates and, where you have opted in, marketing communications, event invitations, and newsletters
  • Improve our website, services, and content
  • Operate our internal business: security monitoring, training, quality assurance, and professional indemnity
  • Comply with our legal, regulatory, and professional obligations

We will not use your personal information for a secondary purpose unless you have consented, or the use falls within a permitted general situation under the Privacy Act.

5.1 Legal basis (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, we rely on one or more of the following legal bases:

  • Contract — to take steps to enter into and perform an engagement with you or your organisation
  • Legitimate interests — to run, protect, and grow our consulting business, where those interests are not overridden by your rights (for example, B2B relationship management, security, professional indemnity)
  • Consent — for marketing emails, optional cookies, and any session recording
  • Legal obligation — to comply with tax, corporate, anti-money-laundering, and similar laws

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.


6. AI and Automated Decision-Making (ADM)

Our commitment

Because AI governance is our core service, we hold ourselves to a higher standard than the law currently requires, and we are preparing now for the ADM transparency obligations that commence on 10 December 2026 under APP 1.7–1.9.

6.1 How we use AI internally

  • We use AI-assisted tools (for example, drafting assistants) to support our work. We configure these tools to disable training on client inputs and to keep client material out of public model providers wherever practicable.
  • We do not make decisions about you using solely automated processing that produces legal or similarly significant effects on you.
  • We do not train third-party generative AI or machine-learning models on client engagement materials.
  • If you would like to know whether AI was used in producing a specific deliverable or response, contact us at privacy@liberateconsulting.com.

6.2 AI we operate on a client's behalf

Where we operate AI tooling on behalf of a client, we:

  • Record the system in the client's ADM Register
  • Document the data flows and decision logic
  • Apply the same transparency and oversight expectations we recommend to our clients, consistent with OAIC guidance on ADM transparency

6.3 Preparing for APP 1.7–1.9 (commencing 10 December 2026)

From 10 December 2026, APP entities must include specific disclosures in their privacy policy where they arrange for a computer program to use personal information to make decisions that could reasonably be expected to significantly affect the rights or interests of an individual. We are undertaking an internal ADM audit now and will update this policy before that date to include:

  • The kinds of personal information used in any such programs
  • The kinds of decisions made and their potential effect on individuals
  • Whether a human reviews or can override each decision
  • How individuals may seek further information about any such decision

At present, we do not make decisions of this kind about individuals using solely automated processing.


7. Disclosure of Personal Information

We disclose personal information only where it is necessary to deliver our services or comply with the law (APP 6). Recipients include:

  • Our personnel — employees, contractors, and associate consultants engaged on your matter, all bound by written confidentiality obligations
  • Sub-processors / service providers — website hosting, cloud storage, productivity tools (e.g. Google Workspace), email marketing platforms, CRM, scheduling, video conferencing, and our payment processor
  • Professional advisers — accountants, auditors, lawyers, and our professional indemnity insurer
  • Regulators and authorities — where required by law, court order, or a regulator's lawful direction
  • A business purchaser — in connection with any sale or restructure of Liberate Consulting, subject to confidentiality protections

We do not sell personal information.

A current list of key sub-processors is available on request from privacy@liberateconsulting.com.


8. Overseas Disclosure

Some of our service providers store or process personal information outside Australia, including in the United States and the European Union.

Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs (APP 8.1). We do this through:

  • Contractual data-protection terms with sub-processors (including, where applicable, Standard Contractual Clauses for EEA/UK transfers)
  • Where a country or binding scheme is included on the Minister's approved "whitelist" (as introduced by the Privacy and Other Legislation Amendment Act 2024), we may rely on that approval

We do not disclose personal information overseas where we cannot take reasonable steps to ensure APP-equivalent protection.

The countries to which we currently disclose, or are likely to disclose, personal information include the United States (cloud infrastructure providers) and Ireland / EU (productivity and communication tools). An up-to-date list is available on request.


9. Data Security and Operational Resilience

We protect personal information using administrative, technical, and physical controls (APP 11), including:

  • Access controls, multi-factor authentication, and least-privilege access
  • Encryption in transit (TLS) and encryption at rest for cloud-stored client material
  • Vendor due diligence and written data-protection contracts with sub-processors
  • Personnel training on confidentiality, information security, and AI governance
  • Documented incident response and breach-notification procedures, aligned with the Notifiable Data Breaches (NDB) scheme

For engagements with APRA-regulated clients, we work to support their obligations under CPS 230 (operational risk management, critical operations, and third-party arrangements) and CPS 234 (information security), including maintaining incident response procedures and notifying clients promptly of incidents that could affect them.

Data breach notification

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the NDB scheme, and will notify EU/UK supervisory authorities where the GDPR or UK GDPR applies.

10. Retention and Destruction

We keep personal information only for as long as we need it for the purposes set out in this policy, or as required by law and professional standards (APP 11.2). When information is no longer needed, we destroy it securely or de-identify it.

| Category of Information | Indicative Retention Period |
|---|---|
| Website enquiries / unconverted leads | Up to 24 months from last contact |
| Mailing list data | Until you unsubscribe, plus a short suppression record |
| Workshop and engagement files | 7 years from end of engagement (statutory and professional standards) |
| Tax, accounting and corporate records | At least 7 years (as required by law) |
| Backup copies | Cycled out per our backup schedule; maximum 90 days additional retention |
| Marketing consent records | Retained for the duration of the marketing relationship plus 3 years |

11. Cookies, Analytics, and Tracking

Our website uses cookies and similar technologies. We categorise these as follows:

| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Core site functionality (e.g. session management, security) | No — essential |
| Functional | Remembering preferences (e.g. language, region) | Yes |
| Analytics | Measuring how the site is used to improve content and performance | Yes |
| Marketing / remarketing | Supporting targeted advertising where you have opted in | Yes |

You can manage cookies through your browser settings and, where presented, through our cookie consent banner. Disabling non-essential cookies may affect some site functionality.

We use third-party tools (web analytics, embedded video, and form/booking widgets) that may process limited information about your visit. A current list of third-party processors is available on request from privacy@liberateconsulting.com.


12. Your Rights — Australia (Privacy Act / APPs)

Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights:

Access (APP 12)

Ask what personal information we hold about you and request access to it. We will respond within 30 days. We may charge a reasonable fee for access; if so, we will advise you in advance.

Correction (APP 13)

Ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond within 30 days.

Opt-out of direct marketing (APP 7)

Opt out of direct marketing communications at any time by clicking unsubscribe in our emails or contacting us directly.

Make a complaint (APP 1)

Lodge a complaint about how we have handled your personal information. We will respond within 30 days. See Section 15 for details.

We may need to verify your identity before we act on an access or correction request. We will not charge a fee for making a request, but may charge a reasonable cost-recovery fee to provide access to information.


13. Your Rights — EU / UK (GDPR & UK GDPR)

If you are located in the EEA or UK, in addition to the rights in Section 12, you may have the following rights under the GDPR or UK GDPR:

Erasure ("right to be forgotten")

Request deletion of your personal data where there is no compelling legal basis for continued processing.

Restriction of processing

Ask us to restrict how we use your data in certain circumstances (e.g. while a correction request is pending).

Data portability

Receive your personal data in a structured, commonly used, machine-readable format.

Object to processing

Object to processing based on legitimate interests, including direct marketing, at any time.

Withdraw consent

Withdraw any consent you have given at any time, without affecting processing done before withdrawal.

Lodge a supervisory authority complaint

Complain to your local EU/EEA data protection authority or the UK ICO (see Section 15).

We do not appoint an EU Article 27 representative at this time. To exercise GDPR rights, please contact us directly at privacy@liberateconsulting.com and we will respond within 30 days (or within the statutory timeframe where shorter).


14. Statutory Tort — Serious Invasions of Privacy

New right — in force 10 June 2025

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort for serious invasions of privacy, which came into force on 10 June 2025.

Under this new tort, an individual may bring a civil action against a person who has intentionally or recklessly invaded their privacy by:

  • Intruding upon their seclusion (e.g. watching, listening to, or recording their private activities), or
  • Misusing information that relates to them

where the individual had a reasonable expectation of privacy, the invasion was serious, and the public interest does not outweigh the individual's privacy interest.

We take this obligation seriously. Our personnel are trained to recognise and avoid conduct that could constitute a serious invasion of privacy. Affected individuals may seek damages, injunctions, or other relief through the courts.

This right is separate from, and in addition to, the right to complain to the OAIC under the Privacy Act.


15. Contact and Complaints

To make a privacy enquiry, exercise your rights, or lodge a complaint, contact our Privacy Officer:

Privacy Officer — Liberate Consulting Pty Ltd

Email: privacy@liberateconsulting.com
Registered office: 88 Choota Drive, Maryborough, Qld 4650
ABN: 32 164 691 561
Website: liberateconsulting.com

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. Where a complaint is complex or requires investigation, we will keep you informed of our progress.

If you are not satisfied with our response, you may escalate to:

| Body | Contact | Relevant jurisdiction |
|---|---|---|
| Office of the Australian Information Commissioner (OAIC) | oaic.gov.au · 1300 363 992 | Australia |
| Your local EU/EEA data protection supervisory authority | Varies by member state — see edpb.europa.eu | EU / EEA |
| Information Commissioner's Office (ICO) | ico.org.uk | United Kingdom |

16. Changes to this Policy

We may update this policy from time to time to reflect changes in our services, technology, legal obligations, or industry practice. The current version will always be available at liberateconsulting.com/privacy-policy/.

Where changes are material — such as new categories of personal information, new disclosure recipients, or significant changes to individual rights — we will take reasonable steps to bring those changes to your attention before they take effect (for example, by a notice on our website or by email).

The version number and "Last updated" date at the top of this policy indicate when it was last changed. We recommend checking this page periodically.

| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 20 Feb 2026 | Initial policy published |
| 2.0 | 20 Apr 2026 | GDPR legal basis added; expanded AI & ADM section; overseas disclosure updated |
| 3.0 | 1 May 2026 | Updated for Privacy & Other Legislation Amendment Act 2024: new statutory tort (s.14), ADM transparency roadmap (s.6.3), overseas whitelist mechanism (s.8), updated cookie table (s.11), OAIC penalty framework reference, version history table, accessibility improvements |
