Legal
Privacy Policy
Version 1.0 · Last updated 6 July 2026
This policy explains how [Entity name] (ABN [ABN]) (we, us) handles personal information in operating the Cordance platform and website. We handle personal information in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth).
What we collect
Account information. Name, work email address, organisation name, industry, and records of your agreement to our terms.
Customer documents. The policies and procedures your organisation uploads for assessment. These are business documents, but they can contain personal information about staff, children or families (for example names, roles, or health-related procedures). We treat uploaded documents as potentially containing personal and sensitive information and handle them with corresponding care.
Usage and technical data. Log records of sign-ins and actions in the platform (which also form your compliance audit trail), and basic technical information needed to run the service. We do not currently run third-party advertising or analytics trackers; strictly necessary cookies are used to keep you signed in.
Payment information. Handled by our payment processor; we do not store card numbers.
Why we collect it
We collect and use this information to:
- provide the platform: assessing your documents against regulatory obligations, generating findings and suggested wording, and maintaining your audit trail;
- operate accounts, billing and support;
- send service communications (assessment results, regulatory change alerts, review reminders, notices about the service or these terms);
- improve our services, build our assessment and exemplar libraries, and train our personnel and our own models, using information that has first been de-identified; and
- meet our legal obligations.
We do not sell personal information. Where we use uploaded content to improve our services or to train our personnel or our own models, we first remove information identifying you, your organisation or any individual.
How the AI processing works
To assess a document, excerpts of it are transmitted to our AI and embedding subprocessors and the results are stored in our database. These providers’ handling of that data is governed by their own service and privacy terms. As at the date of this policy, they state that data submitted through their business APIs is not used to train their models. Any use of your content by us to improve our services or train our personnel or our own models happens only after de-identification, as described above.
Who we share it with
Our service providers (subprocessors) currently perform these functions:
- database, authentication and file storage
- AI assessment and semantic indexing
- application hosting
- email delivery
- payments
Some of these providers store or process data outside Australia, including in the United States and other countries in which they or their infrastructure operate. We take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles. A current list of our subprocessors, their functions and their storage locations is available on request from [contact email]. Beyond service providers, we disclose personal information only where required by law.
Security and retention
Data is encrypted in transit and at rest, access is restricted to your organisation through per-organisation isolation, and uploaded documents are stored as immutable originals. We retain your data while your account is active. After termination you may export your content for 30 days, after which we delete it from production systems within a further 30 days (routine backups expire in the ordinary course). If we suffer a data breach likely to result in serious harm, we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme.
Access, correction and complaints
You can access and correct your account information in the platform, or contact us at [contact email] to request access to or correction of personal information we hold, or to make a privacy complaint. We will respond within a reasonable time. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
Changes
We will post updates to this policy here with a new version number and, for material changes, notify account holders by email. This policy should be read with our Terms of Service.
Privacy contact: [contact email].