Introduction
Finswiss Labs ("we", "us" and "our") is committed to protecting the privacy of your personal information and managing it openly and transparently in accordance with the Australian Privacy Act 1988 (Cth) (as amended, including by the Privacy and Other Legislation Amendment Act 2024) ("Privacy Act") and the 13 Australian Privacy Principles ("APPs"). This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information about visitors to this website, prospective clients, research collaborators, job applicants, and other individuals who interact with us, and how we comply with our legal obligations under the Privacy Act. It also outlines how to access and correct your personal information and how to contact us with questions or complaints.
This Privacy Policy applies to personal information we collect, hold, and use in the course of our business activities, including when you visit our website, complete the contact form, communicate or interact with us (including via social media), subscribe to our newsletter, or apply for employment.
In this Policy, "personal information" has the same meaning as defined in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. "Sensitive information" (a subset of personal information, such as health information or racial or ethnic origin) is handled with the additional protections required under the Privacy Act.
We may update this Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated version on our website and, where practicable, by direct communication. Your continued use of our services after such changes constitutes acceptance of the revised Policy.
We are not responsible for the privacy practices of third-party websites or platforms linked from this site. We encourage you to review their privacy policies separately.
What personal information do we collect?
We collect only the personal information necessary for our business purposes. The types of information we may collect include:
- Contact form submissions. When you use the contact form on this site, we receive the information you submit: your name, organisation, work email address, telephone number, engagement type, and the content of your message.
- Newsletter subscriptions. If you subscribe to our newsletter, the subscription is managed by Substack under its own privacy policy. Substack collects your email address and any other details you provide directly to it. We receive aggregated subscriber metrics and do not hold the subscriber list ourselves.
- Server logs. Our hosting provider records standard web-server data for the requests it handles: IP address, user agent, request path, response code, and timestamp. These logs are retained for the provider's standard retention period and are used for abuse mitigation and security.
- Employment application information. For job applicants, we may collect résumés, cover letters, references, qualifications, work history, and any other information you choose to provide. Sensitive information is collected only with your express consent and only where strictly necessary for the role.
We do not collect payment data, purchase history, delivery addresses, loyalty information, or location data on this site. We do not operate advertising trackers, behavioural profiling, fingerprinting scripts, or cross-site tracking.
We do not knowingly collect personal information from children under 16 without verifiable parental consent, consistent with APP 3.
How do we collect and hold personal information?
Where reasonable and practicable, we collect personal information directly from you, including via the contact form, newsletter signup, email, or direct communication. We may also collect it indirectly through our hosting provider's standard server logs, and we will notify you of indirect collection where required under APP 5.
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11), including:
- Transport-layer encryption (HTTPS) for all data transmitted to and from this website.
- Access controls on the customer relationship management system that holds contact-form submissions.
- Retention boundaries: contact-form submissions are retained for the duration of the engagement plus three years for tax and audit purposes. Enquiries that do not lead to an engagement are deleted at 24 months.
- Compliance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
Personal information may be stored on our customer relationship management database or on the systems of our service providers, including providers hosted outside Australia as described under "Cross-border disclosure" below.
Why do we collect, use, and disclose personal information?
Under APP 6, we use and disclose your personal information only for the primary purpose for which it was collected, for a secondary purpose you would reasonably expect, or with your consent. Common purposes include:
- Responding to enquiries submitted via the contact form.
- Scoping, proposing, and delivering professional engagements.
- Managing newsletter subscriptions through Substack.
- Assessing the suitability of job applicants and onboarding successful candidates.
- Complying with our legal and regulatory obligations.
- Detecting, preventing, and addressing fraud, abuse, or breaches of our terms.
Under APP 7, we do not send direct marketing email from this site. Our newsletter is delivered by Substack; you may unsubscribe at any time using the link at the foot of any newsletter email or via your Substack account settings.
How do we disclose personal information?
Under APPs 6 and 8, we disclose personal information only as necessary for the purposes set out above or where required or permitted by law. Recipients may include:
- Service providers. Our hosting provider, newsletter provider (Substack), customer relationship management provider, and other third parties that support our business operations. Each is bound by contract to handle information consistently with the APPs and to use it only for the purposes for which we disclose it.
- Professional advisors. Lawyers, accountants, and auditors where reasonably necessary.
- Legal and regulatory authorities. Where required by law, including disclosure to courts, tribunals, regulators, or law enforcement.
We do not sell your personal information.
Cross-border disclosure (APP 8)
Some of our service providers operate outside Australia:
- Our hosting provider operates a global edge network and may route or serve requests from servers located in the United States, the European Union, and other regions.
- Our newsletter provider (Substack) stores subscriber information in the United States.
Before any cross-border disclosure, we take reasonable steps to ensure the overseas recipient does not breach the APPs, including through contractual safeguards or reliance on equivalent regimes (such as the General Data Protection Regulation in the European Union and United Kingdom). You may request details of overseas recipients by contacting us.
Accessing and correcting your information
Under APPs 12 and 13, you may request access to the personal information we hold about you, and you may request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Equivalent provisions apply under the General Data Protection Regulation in the European Union and United Kingdom, the New Zealand Privacy Act 2020, and the California Consumer Privacy Act, where applicable.
We aim to respond to access and correction requests within 30 days. We may require identity verification before fulfilling a request, and we may decline a request in limited circumstances permitted by the Privacy Act, in which case we will provide the reasons in writing.
Complaints and questions
To raise a complaint or ask a question about this Policy, please .