Privacy Policy
A privacy policy discloses how your business collects, uses, stores, and handles personal information — a legal requirement for most Australian businesses.
What is a Privacy Policy?
A privacy policy is a document that explains to individuals how a business collects, uses, stores, and discloses their personal information. Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), most Australian businesses with an annual turnover above $3 million are required to have a privacy policy. Businesses below this threshold may still be required to have one if they handle health information or operate in certain regulated sectors.
For technology companies that collect personal data from users — emails, usage data, payment information, location data — a privacy policy is both a legal requirement and a trust signal for customers. The document must be clear, accurate, and reflect the company's actual data practices — not a generic template.
Privacy policies must also address international data transfers (if data is stored offshore), the rights of individuals to access and correct their information, and how individuals can make complaints. Because the GDPR also imposes disclosure obligations on Australian businesses with European users, many technology companies now draft their privacy policies to satisfy both the Privacy Act and the GDPR simultaneously.
When do you need a Privacy Policy?
- Before launching any product or service that collects personal information from users
- When adding a new data collection mechanism (analytics, cookies, email capture)
- When changing how you use or share personal data in ways not previously disclosed
- When partnering with a third party that will receive personal data
- When onboarding enterprise customers who conduct privacy due diligence
- Annually, to ensure the policy remains accurate and up to date
Key provisions to include
What Information is Collected
Precise list of personal data types collected — name, email, payment, device, location, usage.
How Information is Collected
Collection methods — forms, cookies, third-party integrations, automatic logging.
Why Information is Used
Purposes for which data is used — service delivery, marketing, analytics, legal obligations.
Disclosure to Third Parties
Which third parties receive personal data and under what circumstances.
Overseas Disclosure
Whether data is transferred to overseas servers or third parties, and which countries.
Data Security
Measures taken to protect personal information from unauthorised access or disclosure.
Access & Correction Rights
How individuals can request access to or correction of their personal information.
Complaints Process
How to make a privacy complaint and the right to complain to the Office of the Australian Information Commissioner.
Common mistakes to avoid
- Using a generic template that does not reflect your actual data practices — the OAIC can take action for misleading privacy policies
- Not updating the privacy policy when data practices change — outdated policies create legal and reputational risk
- Not addressing cookies and third-party analytics tools, which collect significant personal data on most websites
- Failing to address international data transfers when using US-based cloud services (AWS, Google Cloud, Stripe)
- Burying the privacy policy in the footer without linking it clearly from sign-up forms, checkout pages, and data collection points
Frequently asked questions
Is a privacy policy required by law in Australia?
Yes. Under the Privacy Act 1988 (Cth), Australian Privacy Principle 1 requires most entities with an annual turnover above $3 million to have a clearly expressed, up-to-date privacy policy. Small businesses below $3 million turnover may still need one if they handle health information, provide health services, or contract to the government.
Does the GDPR apply to Australian businesses?
Yes, if your business offers goods or services to individuals in the EU, or monitors the behaviour of EU individuals, the GDPR applies — regardless of where your business is located. Australian technology companies with EU users often need to satisfy both the Privacy Act and GDPR requirements simultaneously.
What information must a privacy policy include under Australian law?
Under Australian Privacy Principle 1, a privacy policy must include: the kinds of personal information collected, how it is collected and held, the purposes for collection and use, how individuals can access or correct information, how complaints can be made, whether information is disclosed overseas and to which countries, and how to contact the privacy officer.
How often should I update my privacy policy?
You should review and update your privacy policy whenever your data practices change materially — when you add new data collection methods, start using new third-party services, or change how you use or share data. An annual review is good practice regardless. Any material changes should be communicated to existing users.