Privacy policy

How 40 South collects, uses, stores, and protects personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

40 South Pty Ltd · ABN 54 698 132 188 · ACN 698 132 188

Effective date: 23 May 2026

1. About this policy

This privacy policy explains how 40 South Pty Ltd ("40 South," "we," "us," "our") collects, uses, stores, and discloses personal information. It applies to the 40south.au website, the 40 South Guard platform ("Guard"), and any related services. It should be read together with our Terms of Service.

We're an Australian company registered in New South Wales. We take privacy seriously, not just because it's our legal obligation under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), but because our entire product exists to help businesses meet theirs.

2. What personal information we collect

Website visitors: We collect information you provide through our contact and enquiry forms, including your name, email address, company name, and industry. Where we use website analytics, it is configured to be privacy-respecting (see section 14).

Guard platform users: When you use the Guard platform, we collect your name, email address, and role as provided by your organisation's administrator. We also collect usage data related to your interactions with the Guard dashboard.

Guard proxy data: Guard processes AI interactions on behalf of our customers. This data may contain personal information that our customers' personnel send to AI models. We process this data only as a service provider acting on our customer's instructions (see section 8). We do not use this data for our own purposes, we do not train AI models on it, and we do not sell it.

Guard's PII detection identifies sensitive data types (Tax File Numbers, Medicare numbers, ABNs, bank account numbers, and others) within AI interactions. When PII is detected, the finding is recorded in the audit trail — the type, location, and confidence of the match, not the underlying PII itself. By default, raw PII is removed from evidence records before storage. Where a customer explicitly enables the optional full-content logging configuration, content is captured and retained as configured by that customer and under their control.
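To make the "record the finding, not the value" behaviour described above concrete, the following is an added Python example written for this page; it is illustrative code, not Guard's implementation. It scans a prompt for Tax File Numbers, ABNs, Medicare numbers and BSB/account pairs, validates each against the published check-digit rule where one exists, and emits an audit entry carrying only the type, character offsets and confidence of each match, alongside a redacted copy of the text that can be stored as evidence. The regular-expression shapes, the confidence scores, the placeholder tokens, the `full_content_logging` switch and the sample prompt are all assumptions of the example; the identifiers in the sample are standard test values, not real people's data.

```python
import re
from dataclasses import dataclass, asdict


# Evidence record for one detected identifier: what was found and where,
# never the matched value itself.
@dataclass(frozen=True)
class Finding:
    kind: str          # identifier type, e.g. "TFN"
    start: int         # character offset of the match in the original text
    end: int
    confidence: float  # 0..1; checksum-validated matches score higher


def _digits(s: str) -> list[int]:
    return [int(c) for c in s if c.isdigit()]


# Tax File Number: weights 1,4,3,7,5,8,6,9,10 over nine digits, sum divisible by 11.
def valid_tfn(s: str) -> bool:
    d = _digits(s)
    return len(d) == 9 and sum(w * x for w, x in zip((1, 4, 3, 7, 5, 8, 6, 9, 10), d)) % 11 == 0


# Australian Business Number: subtract 1 from the first digit, weight the eleven
# digits by 10,1,3,5,7,9,11,13,15,17,19, sum divisible by 89.
def valid_abn(s: str) -> bool:
    d = _digits(s)
    if len(d) != 11:
        return False
    d[0] -= 1
    return sum(w * x for w, x in zip((10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19), d)) % 89 == 0


# Medicare card number: first digit 2-6; the ninth digit is a check digit over the
# first eight with weights 1,3,7,9,1,3,7,9 mod 10; an optional issue number follows.
def valid_medicare(s: str) -> bool:
    d = _digits(s)
    if len(d) not in (10, 11) or not 2 <= d[0] <= 6:
        return False
    return sum(w * x for w, x in zip((1, 3, 7, 9, 1, 3, 7, 9), d)) % 10 == d[8]


# Detectors run in this order; an earlier (more specific) finding suppresses any
# later one that overlaps it. Patterns and confidence values are assumptions of
# this example. BSB/account pairs have no checksum, so they score lower.
DETECTORS = [
    ("ABN", re.compile(r"(?<!\d)\d{2} ?\d{3} ?\d{3} ?\d{3}(?!\d)"), valid_abn, 0.95),
    ("MEDICARE", re.compile(r"(?<!\d)[2-6]\d{3} ?\d{5} ?\d(?: ?\d)?(?!\d)"), valid_medicare, 0.9),
    ("BANK_ACCOUNT", re.compile(r"(?<!\d)\d{3}-\d{3} ?\d{6,10}(?!\d)"), lambda s: True, 0.6),
    ("TFN", re.compile(r"(?<!\d)\d{3} ?\d{3} ?\d{3}(?!\d)"), valid_tfn, 0.9),
]


def scan(text: str) -> tuple[list[Finding], str]:
    """Return (findings, redacted_text). Offsets refer to the original text."""
    findings: list[Finding] = []
    for kind, pattern, validate, confidence in DETECTORS:
        for m in pattern.finditer(text):
            if not validate(m.group()):
                continue  # right shape, wrong checksum: not recorded at all
            if any(f.start < m.end() and m.start() < f.end for f in findings):
                continue  # already covered by a more specific finding
            findings.append(Finding(kind, m.start(), m.end(), confidence))
    findings.sort(key=lambda f: f.start)
    out, cursor = [], 0
    for f in findings:
        out.append(text[cursor:f.start])
        out.append(f"[{f.kind}]")  # placeholder token, never the value
        cursor = f.end
    out.append(text[cursor:])
    return findings, "".join(out)


def evidence_record(text: str, full_content_logging: bool = False) -> dict:
    """Audit-trail entry: findings always; raw content only when explicitly enabled."""
    findings, redacted = scan(text)
    return {
        "findings": [asdict(f) for f in findings],
        "content": text if full_content_logging else redacted,
    }


# Constructed sample prompt; every identifier is a documentation/test value.
SAMPLE = ("Please lodge my return, TFN 123 456 782, pay to 062-000 12345678. "
          "Employer ABN 51 824 753 556. Medicare 2123 45670 1. Invoice #123456789.")

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(SAMPLE), indent=2))
```

Two design points are worth noting. The check-digit validation is what keeps the audit trail honest: the nine-digit invoice number in the sample has the shape of a TFN but fails the checksum, so it is neither recorded nor redacted, which limits both false positives in compliance reports and needless mangling of the customer's content. And the evidence record is assembled from the redacted text by default, so the opt-in full-content path is an explicit branch rather than something a missed redaction can fall into.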

3. Sensitive information

We do not deliberately collect sensitive information (as defined in the Privacy Act 1988 (Cth)), such as health information, biometric data, or information about racial or ethnic origin. If sensitive information is incidentally included in data processed through the Guard proxy, it is handled in accordance with our role as a service provider (see section 8) and is subject to the same protections as all other proxy data. We will not collect sensitive information about you unless you consent, or collection is required or authorised by law, consistent with APP 3.3.

4. How we collect personal information

We collect personal information directly from you (forms, account creation, email), from your organisation's administrator (account provisioning), automatically (server logs and, where deployed, privacy-respecting analytics), and through the Guard proxy (AI interactions processed on your organisation's behalf).

5. Unsolicited personal information

If we receive personal information that we did not solicit and that we are not permitted to collect under APP 3, we will assess whether we could have collected it lawfully. If not, we will destroy or de-identify the information as soon as practicable, provided it is lawful to do so, in accordance with APP 4.

6. Why we collect and use personal information

We collect and use personal information to provide and operate Guard, respond to enquiries, manage and provision accounts, generate compliance reports and audit evidence, send service-related communications, improve our products, and comply with our legal obligations.

We do not use personal information collected through the Guard proxy for marketing, profiling, or any purpose other than providing the Guard service.

7. Direct marketing and your choices

We may use the contact details you provide through our website or during a sales enquiry to send you information about Guard and related updates. We rely on consent or the reasonable expectations of a business contact, consistent with APP 7 and the Spam Act 2003 (Cth).

Every marketing message includes an unsubscribe option, and you can opt out at any time by emailing privacy@40south.au. We do not sell or rent your contact details, and we do not use personal information processed through the Guard proxy for any marketing purpose.

8. Guard proxy data: our role as a service provider

For personal information that passes through the Guard proxy, our customer is the entity that decides why and how that information is handled. 40 South acts only as a service provider (processor), handling the data on the customer's documented instructions under the Terms of Service and any applicable data processing terms.

If you are an individual whose personal information may have been processed through Guard by one of our customers, requests to access, correct, or delete that information should be directed to that customer (the organisation that operates the AI tool). We will refer such requests to the relevant customer and assist them in responding, as their instructions and the law require.

We do not adopt, use, or disclose a government related identifier (such as a Tax File Number) as our own identifier of an individual. Where Guard detects such identifiers, it records only the fact and type of the detection for compliance evidence, consistent with APP 9.

9. How we store and protect personal information

Personal information that you provide to us, and all Guard platform and customer data, is processed and stored in Australia — specifically in Google Cloud's Sydney region (australia-southeast1), with failover to Melbourne (australia-southeast2).

We protect personal information using encryption at rest (customer-managed encryption keys), encryption in transit (TLS 1.2 or later), VPC Service Controls, user authentication through Firebase Authentication with role-based access controls on top of it, Identity-Aware Proxy (IAP) for administrative access, and regular security assessments.

Our infrastructure runs on Google Cloud Platform, which is assessed under the Information Security Registered Assessors Program (IRAP) at the PROTECTED level and holds SOC 2 Type II attestation reports. Those assessments cover the underlying platform; our own configuration and use of it are covered by the security assessments described above.

10. Sub-processors and service providers

We use a small number of third-party service providers to deliver our services. Our primary infrastructure sub-processor is Google Cloud Platform, used in its Australian data centres for hosting, storage, encryption key management, and signing. Personal information held by 40 South and all Guard customer data is handled within Australian infrastructure boundaries.

We may also use service providers for functions such as website delivery, product analytics (where deployed), email, and payment processing. We maintain a current list of sub-processors that handle personal information and will provide it to Guard customers on request. We will give Guard customers reasonable notice of any new sub-processor that will handle their personal information, so they can raise any concerns.

11. How long we keep personal information

Website enquiry data: 24 months, then deleted unless there is an ongoing business relationship.

Guard platform account data: Duration of the customer's subscription, plus 90 days after termination for data export.

Guard audit trail data: 7 years in a tamper-evident, immutable audit trail. This retention period exists to meet regulatory requirements (APRA CPS 234 requires evidence of control effectiveness; automated decision-making (ADM) transparency obligations may require historical records). After 7 years, records are securely deleted.

Analytics data: Aggregated, non-identifiable analytics may be retained indefinitely.

12. Disclosure of personal information

We do not sell personal information.

We may disclose personal information to our infrastructure and service providers (see section 10, under contractual confidentiality and data-protection obligations), your organisation's administrators (as part of the service), and law enforcement or regulators (where required or authorised by Australian law).

13. Cross-border disclosure (APP 8)

Personal information that you provide to 40 South, and all Guard platform and customer data, is held in Australian data centres. We do not use overseas sub-processors for personal information that we hold or for data containing personal information processed through Guard.

One limited exception relates to the public website: like most websites, 40south.au may use standard internet infrastructure (such as a content delivery network for fonts) that can process limited technical data, including IP addresses, on servers outside Australia. This does not involve the personal information you submit to us, your Guard account data, or any data processed through the Guard proxy.

Guard's core function includes monitoring whether our customers' AI interactions involve cross-border data flows. When a customer sends data to an overseas AI provider through Guard, Guard flags the APP 8 implications and records them in the attestation.

14. Cookies and similar technologies

Our website is built to minimise tracking. We do not use third-party advertising trackers, and we do not sell or share data with advertising networks.

  • Essential storage: we use local browser storage to remember preferences such as your light or dark theme choice. This stays on your device and is not transmitted to us.
  • Analytics: where we deploy analytics, we use a privacy-respecting tool configured to avoid collecting more than is necessary to understand aggregate site usage. Any analytics cookies are retained for up to 12 months.

You can disable or clear cookies and local storage in your browser settings. The website will still function, though some preferences may not be remembered.

15. Anonymity and pseudonymity

You may browse our website without identifying yourself. Where it is lawful and practicable, you have the option of dealing with us anonymously or using a pseudonym, consistent with APP 2. Some interactions — such as creating a Guard account or responding to an enquiry — require identifying information so that we can provide the service.

16. Data quality (APP 10)

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up to date, complete, and relevant, having regard to the purpose for which it is held. If you believe any information we hold about you is inaccurate, out of date, incomplete, or irrelevant, please contact us and we will take reasonable steps to correct it.

17. Your rights

Under the Australian Privacy Principles, you have the right to access the personal information we hold about you, request correction of inaccurate information, request deletion (subject to legal retention obligations), and lodge a complaint if you believe we have breached the APPs.

To exercise any of these rights, contact us at privacy@40south.au. We will acknowledge your request promptly and respond within 30 days. For personal information processed through the Guard proxy on a customer's behalf, please see section 8 — those requests are directed to the relevant customer.

18. Notifiable data breaches

In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). Where we process personal information on a customer's behalf through Guard, we will notify the affected customer without undue delay so they can meet their own notification obligations.

19. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date at the top. For material changes, we will notify Guard platform customers by email.

20. Contact us

Privacy enquiries: privacy@40south.au

General enquiries: hello@40south.au

40 South Pty Ltd (ABN 54 698 132 188 · ACN 698 132 188), New South Wales, Australia

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

40° South acknowledges the Traditional Custodians of the lands on which we work and live. We pay our respects to Elders past, present, and emerging, and recognise their continuing connection to land, waters, and culture.