Privacy Policy
Version: 2026.2
Effective Date: 27 May 2026
Status: Active
1.1 This Privacy Policy describes how Outpost Systems Pty Ltd (ACN 694 132 235) of Nambucca Heads, NSW 2448 ("Operator", "we", "us", "our"), collects, holds, uses, discloses, and protects personal information in connection with the Outpost platform (the "Services").
1.2 This Privacy Policy forms part of the Outpost Terms of Service and uses the same defined terms ("User", "User Content", "Aggregated Data", "Automated Analysis", "Third-Party Integration", and "Services"). Capitalised terms used but not defined here have the meaning given in the Terms of Service.
1.3 We are an "APP entity" bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). Where we handle personal information of individuals in other jurisdictions, additional laws may apply - see clause 14 (GDPR, UK GDPR, NZ Privacy Act).
1.4 This Privacy Policy is published in plain and open form in accordance with APP 1.3.
3.1 Our role as APP entity. We are an APP entity under the Privacy Act 1988 (Cth) and accept responsibility under the APPs for personal information we hold, however it was collected. This includes personal information we collect directly from individuals (for example, your account details when you sign up), personal information we generate about you through your use of the Services (for example, usage logs, support records, billing records), and personal information contained in User Content that you upload to the Services.
3.2 Your warranty as the collector at source. When you upload User Content containing personal information about third parties (for example, your staff, subcontractors, suppliers, clients, or members of the public appearing in site photos, emails, WhatsApp messages, or documents), that personal information has been collected by you, at source. You warrant under clause 8.5 of the Terms of Service that:
(a) you have the lawful basis required by the APPs (and any applicable foreign privacy law) to have collected it;
(b) you have given each affected individual any collection notice required by APP 5; and
(c) our processing of the personal information on your behalf for the purposes in clause 6 is authorised by you as the collecting entity.
This allocation is a contractual allocation of warranty responsibility between you and us. It does not shift the Operator's status as an APP entity in respect of personal information held by us, and we remain directly subject to APPs 1, 6, 8, 10, 11, 12, and 13 in respect of that information.
3.3 Joint purposes. For certain purposes (including fraud prevention, security, legal compliance, and development of Aggregated Data and intelligence features), we process personal information for our own purposes as an APP entity in our own right. This Privacy Policy covers those purposes as well.
3.4 Third-party individuals - rights pathway. If you are an individual whose personal information is held by the Services but you are not a User - for example, a worker whose face appears in a site photograph, a subcontractor whose contact details are in another User's record, or a member of the public - you have the same APP 12 access rights and APP 13 correction rights as any other individual. See clause 12.7 for how to exercise them.
4.1 We collect the following categories of personal information. Not every category applies to every User.
(a) Account and identity information
(b) Billing information
(c) User Content uploaded or generated through the Services
User Content commonly contains personal information about third parties, including your employees, subcontractors, suppliers, clients, and their personnel. Clause 3.2 applies.
(d) Usage information
(e) Third-Party Integration data
(f) Communications with us
(g) Sensitive information (special rules apply)
We do not knowingly collect personal information from children under 18. The Services are not directed at children.
5.1 Directly from you when you create an account, subscribe, upload User Content, authorise a Third-Party Integration, communicate with support, or respond to a survey.
5.2 Automatically through cookies, web beacons, pixels, server logs, and usage telemetry as you use the Services.
5.3 From Third-Party Integrations you authorise, within the scopes you grant.
5.4 From public sources (for example, ABN Lookup, ASIC, AusTender, and similar) where you use features that query those sources on your behalf.
5.5 From other users where another User names, tags, invites, or otherwise identifies you within the Services.
5.6 If we collect personal information from a source other than you directly, we will take reasonable steps to notify you or ensure you are aware of the collection as required by APP 5, unless an APP exception applies.
6.1 Primary purposes (APP 6.1(a)). We collect, hold, use, and disclose personal information for the following primary purposes:
(a) to provide, operate, maintain, secure, and support the Services for you;
(b) to authenticate you and secure your account (including passkey and OAuth sign-in);
(c) to process your payments, manage credits, and issue invoices and tax records;
(d) to run Automated Analysis that generates drafts, estimates, classifications, summaries, extractions, recommendations, forecasts, and reports on your behalf;
(e) to send operational communications about the Services (service updates, security alerts, billing notices, legal notices, re-acceptance requests);
(f) to investigate and respond to support requests;
(g) to meet our obligations under the Terms of Service; and
(h) to comply with our legal obligations, including record-keeping under tax, corporations, consumer, employment, work health and safety, and privacy laws.
6.2 Secondary purposes (APP 6.2). We use and disclose personal information for the following secondary purposes, which are related to the primary purposes above and which you would reasonably expect us to carry on in light of your acceptance of the Terms of Service (including clause 8, which you are specifically asked to acknowledge at signup):
(a) Intelligence and benchmarking: creating and maintaining Aggregated Data; generating benchmark metrics; developing and operating intelligence, supplier-graph, pricing, risk, programme, and market-intelligence features of the Services; providing those features to you and to other users;
(b) Marketplace: developing and operating matching, discovery, recommendation, reputation, directory, procurement, and introduction features of the Services across the user base;
(c) Model improvement: improving, training, fine-tuning, evaluating, testing, and validating internal models, prompts, rules, heuristics, embeddings, indices, and machine-learning systems used by the Services, where those systems are controlled by us (see clause 7 for limits on training with third-party providers);
(d) Fraud, abuse, and security: detecting, preventing, and investigating fraud, abuse, security incidents, policy violations, and legal risk;
(e) Product development: understanding how the Services are used in order to improve them;
(f) Marketing (opt-in only): sending you direct marketing communications about the Services, in accordance with the Spam Act 2003 (Cth) and clause 11 of this Privacy Policy;
(g) Corporate transactions: evaluating, negotiating, and completing a sale, merger, restructure, financing, or similar transaction of our business; and
(h) Legal and regulatory: meeting legal, regulatory, audit, accounting, tax, and insurance obligations, including responding to lawful requests from courts, regulators, and law enforcement.
6.3 Aggregated Data. Once personal information has been de-identified to form Aggregated Data, it is no longer personal information for the purposes of the Privacy Act and we use it freely in accordance with clause 8.3 of the Terms of Service. We create Aggregated Data in accordance with our internal De-identification Standard, which applies the techniques and minimum aggregation thresholds recommended by the OAIC De-identification Decision-Making Framework and relevant updates. We review the Standard, and re-assess the re-identification risk of existing Aggregated Data sets, at least annually.
6.4 Broad authorisation. By accepting these Terms, you authorise us to use and disclose personal information for any purpose that is related to the primary purposes in clause 6.1 or reasonably within the scope of the secondary purposes in clause 6.2. We may add new secondary purposes from time to time by updating this Privacy Policy under clause 18. Where the APPs require consent for a particular secondary purpose that falls outside this authorisation, we will seek that consent before using your personal information for that purpose.
7.1 The Services include Automated Analysis features that use machine-learning systems, including large language models, to generate drafts and recommendations from User Content. These features are advisory and draft-producing. They are not configured to make final decisions that have legal or similarly significant effects on individuals on our behalf.
7.2 Human-judgement requirement for decisions affecting individuals. Automated Analysis can produce scoring, triage, classification, and recommendation outputs that, even though not "final decisions" in form, could have similarly significant effects on an individual if rubber-stamped - for example, in subcontractor prequalification, incident classification, bid/no-bid decisions involving individual counterparties, or site-admission decisions. Where an Automated Analysis output is used as a significant input to a decision about an individual, the User must:
(a) apply genuine human judgement, not merely rubber-stamp the output;
(b) verify the factual basis of any output that names or is about the individual; and
(c) keep a record of the reasons for the decision.
The Operator does not make such decisions on behalf of any User.
7.3 Automated Analysis outputs can contain errors, including errors about individuals. If an output contains incorrect personal information about you, you may request correction under clause 12 (APP 13).
7.4 We will not submit raw, identifiable User Content to third-party foundation-model training pipelines without your express opt-in consent. See clause 8.8 of the Terms of Service.
8.1 We disclose personal information only as set out in this clause and as otherwise permitted by the APPs.
8.2 Categories of recipients:
(a) Infrastructure and hosting providers (cloud infrastructure, database hosting, storage, content delivery);
(b) Automated Analysis providers that power machine-learning features of the Services;
(c) Payment processors (to process your payments and prevent fraud);
(d) Email and messaging providers (to send transactional, operational, and - with your consent - marketing messages);
(e) SMS and WhatsApp providers (to send and receive messages via authorised integrations);
(f) Analytics and error-monitoring providers (to measure usage and diagnose problems);
(g) Support tooling providers (helpdesk, ticketing);
(h) Third-Party Integrations you have authorised (for example, Google Drive, OneDrive, Gmail, Outlook, Xero, AusTender, VendorPanel, BOM, OpenWeather, ABS, RBA, ASIC), under your own authorisation;
(i) Our professional advisers (lawyers, accountants, auditors, insurers, consultants) under duties of confidence;
(j) Courts, tribunals, regulators, and law enforcement agencies where required by law or to enforce our legal rights;
(k) Successors in business in connection with an actual or proposed sale, merger, restructure, or financing of our business, subject to equivalent confidentiality and privacy obligations; and
(l) With your express consent, any other recipient you authorise.
8.3 Sub-processor list. We publish a current list of our sub-processors at /legal/sub-processors within the Services and on our public website. The list names each sub-processor, its function, the category of personal information it handles, and the country or countries in which it processes personal information. We update the list when sub-processors change and, where a change is materially adverse to Users, we notify Users by email at least thirty (30) days in advance of the change taking effect.
8.4 We do not sell personal information. We do not disclose personal information to data brokers or advertising networks for their own purposes.
8.5 Aggregated Data is not personal information and is not subject to this clause.
9.1 Some of the recipients in clause 8.2 are located, or may access personal information from, outside Australia. The specific sub-processors and the countries in which they process personal information are set out in the published sub-processor list at /legal/sub-processors (clause 8.3). The countries currently involved include:
(a) the United States (cloud hosting, Automated Analysis providers, payment processing, email, analytics, support tooling);
(b) the European Union and United Kingdom (certain analytics, support, and hosting sub-processors);
(c) other jurisdictions where our sub-processors operate customer-support, security, or engineering functions, which are identified in the sub-processor list and which may change from time to time.
9.2 Where we disclose personal information to an overseas recipient, we take reasonable steps in the circumstances (having regard to the overseas recipient's privacy environment and the sensitivity of the information) to ensure the recipient handles the information consistently with the APPs. These steps typically include:
(a) contractual privacy and security obligations at least equivalent to the APPs;
(b) security requirements (encryption in transit and at rest, access control, incident notification);
(c) sub-processor flow-down terms;
(d) where available, certification to recognised security standards (for example, ISO/IEC 27001, SOC 2 Type II); and
(e) where applicable, approved international transfer mechanisms for personal data subject to the GDPR or UK GDPR (see clause 14).
9.3 APP 8.1 and 8.2. Except where you have expressly consented in accordance with APP 8.2(b) after being informed that we will no longer be accountable for the overseas recipient's handling of the information, we remain accountable for any act or practice of the overseas recipient that would, if done by us, breach the APPs. You acknowledge that by authorising a Third-Party Integration you may be directing us to disclose personal information to that integration's provider on your behalf.
10.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11). Our measures include:
(a) encryption in transit (TLS) and encryption at rest for sensitive fields;
(b) role-based access control and row-level security at the database layer;
(c) audit logging, rate limiting, and anomaly detection;
(d) passkey authentication and multi-factor authentication options;
(e) secure development practices, code review, and automated security testing;
(f) scheduled backups and tested restoration procedures;
(g) staff training, confidentiality obligations, and access restrictions;
(h) incident response procedures aligned to the Notifiable Data Breaches scheme (clause 13); and
(i) periodic review of our security posture.
10.2 No security measure is perfect. While we take reasonable steps as required by APP 11, we do not warrant that personal information will never be subject to unauthorised access. See clauses 13 and 15 of the Terms of Service for liability provisions.
11.1 We only send direct marketing communications to individuals who have consented (expressly or by reasonable inference from an existing business relationship, within the limits of the Spam Act 2003 (Cth)).
11.2 Every commercial electronic message we send will identify the sender, state the purpose, and contain a functional unsubscribe mechanism.
11.3 You can withdraw consent at any time by using the unsubscribe link or by emailing admin@outpostsystems.com.au. Transactional, operational, security, legal, and account-related communications are not marketing and will continue regardless.
11.4 We do not disclose your personal information to third parties for their own direct marketing purposes.
12.1 Access (APP 12). You may request access to the personal information we hold about you. We will respond within thirty (30) days or such longer period as is reasonable in the circumstances. We may charge a reasonable cost-recovery fee for locating, compiling, and providing access where permitted by law.
12.2 Correction (APP 13). You may request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. Where we agree the information requires correction, we will correct it within a reasonable time. We are not required to notify past recipients of the correction unless required by law. Where we disagree that correction is warranted, we will explain why in writing.
12.3 Withdrawing consent. Where we rely on your consent for a particular use or disclosure, you may withdraw consent by emailing admin@outpostsystems.com.au. Withdrawal does not affect the lawfulness of processing before the withdrawal.
12.4 Complaints. If you have a complaint about how we have handled your personal information, email admin@outpostsystems.com.au. We will acknowledge your complaint within seven (7) days and respond substantively within thirty (30) days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au or on 1300 363 992.
12.5 Identity verification. Before responding to a request under this clause, we may take reasonable steps to verify your identity.
12.6 Refusal grounds. We may decline a request on a ground permitted by the Privacy Act (for example, where the request is frivolous, where giving access would have an unreasonable impact on another person's privacy, or where the information relates to an anticipated legal proceeding). Where we decline, we will give reasons in writing.
12.7 Third-party individuals (non-Users). If you are an individual who is not a User of the Services but you believe we hold personal information about you - for example, because your face appears in a photograph uploaded by a User, or because your contact details were uploaded as part of a subcontractor or supplier record - you may contact admin@outpostsystems.com.au with:
(a) a description of who you are and, if possible, the User or project context in which you believe your information was uploaded; and
(b) identity-verification information sufficient for us to locate your information (such as your name, email address, phone number, a photograph of yourself, or similar).
On receipt of a request that we can reasonably verify, we will search our systems and respond under APP 12 and APP 13 within the statutory timeframes. Where necessary, we will coordinate with the User who uploaded the information, subject to your right to an independent response from us as an APP entity. Where the information forms part of a User's records and the User has a legitimate interest in its retention (for example, contractual or WHS records), we may be unable to delete it but will still respond to access and correction requests. You may also lodge a complaint directly with the OAIC under clause 12.4.
13.1 We comply with the Notifiable Data Breaches ("NDB") scheme under Part IIIC of the Privacy Act 1988 (Cth).
13.2 If we become aware of a suspected data breach, we will:
(a) contain the breach and mitigate harm as promptly as practicable;
(b) carry out a reasonable and expeditious assessment under section 26WH of the Privacy Act of whether there are reasonable grounds to believe the breach is an eligible data breach, and in any event complete that assessment within thirty (30) days;
(c) prepare a statement under section 26WK of the Privacy Act if the breach is an eligible data breach; and
(d) notify the OAIC and affected individuals as soon as practicable, in accordance with sections 26WL and 26WR.
13.3 Notifications will include the information required by section 26WK (our identity and contact details, a description of the breach, the kinds of information involved, and recommendations for steps affected individuals can take).
13.4 We maintain an internal data-breach response plan and review it regularly.
14.1 EU and UK data subjects (GDPR and UK GDPR). If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation ("GDPR") and UK GDPR may apply to our processing of your personal data. In that case:
(a) our lawful bases for processing are: performance of a contract with you (Article 6(1)(b)), compliance with legal obligation (Article 6(1)(c)), our legitimate interests in operating, securing, improving, and commercialising the Services (Article 6(1)(f)), and your consent where required (Article 6(1)(a));
(b) you have the rights of access, rectification, erasure, restriction, objection, portability, and (in certain cases) to withdraw consent and to lodge a complaint with a supervisory authority;
(c) international transfers of your personal data rely on the mechanisms described in clause 9 (including Standard Contractual Clauses where applicable); and
(d) you may contact us at admin@outpostsystems.com.au to exercise any of these rights.
14.2 New Zealand. If you are located in New Zealand, the Privacy Act 2020 (NZ) may apply. You may contact the Office of the Privacy Commissioner (NZ) at https://www.privacy.org.nz.
14.3 Conflicts. Where the APPs and a foreign privacy law impose different obligations, we will comply with the stricter standard to the extent reasonably possible.
15.1 We retain personal information for as long as is reasonably necessary for the purposes for which it was collected, for any Permitted Purpose under the Terms of Service, or as required by law. We determine retention periods having regard to the purpose of collection, legal obligations, limitation periods, security needs, operational requirements, backup cycles, and APP 11.2.
15.2 Indicative retention periods. Exact periods depend on the purpose and applicable legal holds.
(a) Account records: life of the account plus seven (7) years for tax and corporations law compliance;
(b) Billing and transaction records: seven (7) years for tax compliance;
(c) User Content: for the life of the account, plus a fourteen (14) day export window after termination, then deletion or de-identification in accordance with clause 11.4 of the Terms of Service;
(d) Security logs and audit logs: up to seven (7) years for fraud, security, and legal purposes;
(e) Support records: up to five (5) years;
(f) Marketing records: until you unsubscribe, plus a suppression record retained indefinitely;
(g) Aggregated Data: indefinitely, once de-identified.
15.3 Legal hold. We may retain personal information for longer where necessary to comply with a legal hold, respond to legal process, enforce our rights, or defend against claims.
15.4 Deletion and de-identification under APP 11.2. When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and we are not required by law or court order to retain it, we take reasonable steps to destroy or de-identify it using reasonable technical and organisational measures. This obligation applies independently of the retention periods in clause 15.2.
16.1 We use:
(a) Strictly necessary cookies for authentication, session management, and security;
(b) Functional cookies to remember your preferences (for example, dashboard layout, language, units);
(c) Performance and analytics cookies to measure how the Services are used and diagnose errors. Analytics data is aggregated wherever feasible; and
(d) No third-party advertising cookies. We do not place advertising cookies and do not participate in cross-site ad networks.
16.2 Most browsers allow you to refuse or delete cookies. Disabling strictly necessary cookies may prevent the Services from working.
16.3 We honour "Do Not Track" signals where technically feasible, but note that there is no common industry standard for honouring such signals.
17.1 Under APP 2, individuals have the option of dealing with an APP entity anonymously or under a pseudonym, unless it is impracticable or unlawful for the entity to do so. The Services involve credit-metered billing, secure authentication, fraud prevention, and contractual accountability to corporate Users. These factors make it impracticable to provide the full Services on an anonymous or pseudonymous basis.
17.2 However, you may:
(a) make general enquiries, privacy complaints, and APP 12 / APP 13 access and correction requests to admin@outpostsystems.com.au without identifying yourself by name (provided we can verify you are the individual whose information is in question, where relevant);
(b) use the Services under a business name rather than a personal name where your employer permits; and
(c) contact us anonymously to raise concerns about third-party upload of your personal information under clause 12.7.
18.1 We may amend this Privacy Policy from time to time. Amendments take effect when published within the Services. Your continued use of the Services after publication constitutes acceptance of the amended Privacy Policy.
18.2 Where an amendment is materially adverse to you, we will notify you by email. If you do not agree with the amendment, you must stop using the Services.
18.3 The "Version" and "Effective Date" fields at the top of this document identify the current version.
Privacy Officer
Outpost Systems Pty Ltd (ACN 694 132 235)
Nambucca Heads, NSW 2448
Email: admin@outpostsystems.com.au
OAIC: https://www.oaic.gov.au · 1300 363 992
"Aggregated Data", "Automated Analysis", "Services", "Third-Party Integration", "User", and "User Content" have the meanings given in the Terms of Service.
"APPs" means the Australian Privacy Principles in Schedule 1 to the Privacy Act 1988 (Cth).
"GDPR" means Regulation (EU) 2016/679, and "UK GDPR" means the UK General Data Protection Regulation.
"NDB scheme" means the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
"OAIC" means the Office of the Australian Information Commissioner.
"Personal information", "sensitive information", "APP entity", "collection", "use", "disclosure", and "holding" have the meanings given by the Privacy Act 1988 (Cth) and APPs.
"Privacy Act" means the Privacy Act 1988 (Cth), as amended.
End of Privacy Policy.