Effective date: 05-12-2025

1. Introduction

1.1 ForeFlow Pty Ltd (ABN 41 693 400 029) (“ForeFlow”, “we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose and protect your personal information in connection with:

- our website (including foreflow.com.au and related domains);

- our ForeFlow web application and related services; and

- any other services that link to this Privacy Policy (together, the Services).

1.2 By using our Services or providing personal information to us, you consent to us handling your personal information in accordance with this Privacy Policy and the Privacy Act 1988 (Cth) and other applicable privacy laws.

1.3 We may update this Privacy Policy from time to time. The updated version will be published on our website and will take effect from the date of publication.

2. What personal information we collect

2.1 The personal information we collect will depend on how you interact with us, and may include:

- Identity and contact details: name, business or role, email address, phone number, business name, and contact preferences.

- Account details: username, password (stored in encrypted form), account settings, subscription details.

- Business and usage information: information about your business (e.g. number of staff, services you provide), how you use the Services, dashboard configurations and preferences.

- Integrated system data: where you connect third-party systems (such as job management or accounting platforms), we may receive job records, invoices, customer names or IDs, transaction details, schedule information, costs and similar business data, which may sometimes include personal information.

- Support and communication records: details of enquiries, feedback, support requests and communications with us.

- Recruitment information: if you apply for a job with us, we may collect information from your CV/resume, cover letter, references and related information you or third parties provide.

2.2 We generally do not seek to collect ‘sensitive information’ (as defined in the Privacy Act), such as health information, except where it is reasonably necessary (for example, in recruitment) and you provide it to us voluntarily.

3. How we collect personal information

We may collect personal information:

3.1 Directly from you, when you:

- create an account or use the Services;

- connect or authorise integrations with Third-Party Services;

- fill out forms or questionnaires;

- subscribe to our mailing list;

- contact us by email, phone, web form or social media; or

- participate in feedback, surveys or promotions.

3.2 From third parties, for example:

- from Third-Party Services you choose to integrate with ForeFlow (job management platforms, accounting systems, etc.);

- from service providers who assist us in delivering our Services;

- from recruitment agencies or referees when you apply for a role.

3.3 Automatically, when you use our website or app, we may collect:

- your IP address;

- device and browser type;

- pages viewed and time spent;

- referring pages;

- log data related to how you use the Services.

3.4 Cookies and similar technologies

We use cookies and similar technologies to:

- remember your preferences and settings;

- keep you logged in;

- understand how our website and Services are used;

- improve performance and user experience.

You can adjust your browser settings to refuse cookies, but this may limit some functionality.

3.5 Analytics

We may use third-party analytics tools (such as Google Analytics or similar services) to help us understand how our website and app are used and to improve them. These tools may collect information about your use of our Services and your device, in accordance with their own privacy policies.

4. How we use personal information

We may use your personal information for purposes including:

- Providing and operating the Services: to set up and manage your account, process subscriptions and payments, operate integrations and deliver features.

- Analytics and insights: to analyse trends and usage, understand how our Services are used, and improve performance and experience.

- AI features and model improvement: to power forecasts, dashboards, insights and AI-generated suggestions and to improve our models and features over time (primarily using de-identified or aggregated data).

- Customer support: to respond to enquiries, support requests and complaints.

- Security and fraud prevention: to monitor, detect and prevent unauthorised access, abuse or harmful activity.

- Marketing and communication: to send you updates, newsletters and information about features or offers, in accordance with your communication preferences and applicable laws.

- Business operations: to manage our business, maintain records, conduct audits, perform reporting, and comply with our legal obligations.

- Recruitment: to assess job applications and manage recruitment processes.

We may also create de-identified or aggregated data from your information (for example, usage statistics or industry benchmarks). De-identified or aggregated data no longer reasonably identifies individuals and we may use or disclose it for any purpose.

5. How we share personal information

We may disclose personal information:

5.1 Service providers

To trusted third-party service providers who help us operate and support the Services and our business, such as:

- hosting and infrastructure providers;

- data storage and backup services;

- analytics and monitoring tools;

- payment processors;

- email, communications and support tools;

- professional advisers (lawyers, accountants, auditors, consultants).

These providers may be located in Australia or overseas. We require them to handle personal information in a manner consistent with this Privacy Policy and applicable law.

5.2 Third-Party Services you connect

Where you enable integrations between ForeFlow and Third-Party Services:

- we may share data with those services where necessary to operate the integration; and

- we may receive data from those services.

You control which integrations are enabled. The privacy practices of those Third-Party Services are governed by their policies, not this Privacy Policy.

5.3 Business transfers

If we are involved in a merger, acquisition, sale of assets, restructuring or similar transaction, your personal information may be transferred as part of that transaction, subject to confidentiality and applicable law.

5.4 Legal and regulatory

We may disclose personal information where required or authorised by law, regulation, court order or government request, or to enforce our legal rights, protect our property, or protect the safety of individuals.

6. Overseas disclosures

Our service providers and infrastructure may be located in, or store data in, countries outside Australia, including (for example) the United States, the European Union, the United Kingdom and New Zealand.

By using the Services, you:

- acknowledge that your personal information may be transferred to and stored in these locations; and

- consent to such transfers, understanding that the privacy laws in those jurisdictions may not provide the same level of protection as the laws in Australia.

We will take reasonable steps to ensure that any overseas recipients protect your personal information in a manner consistent with this Privacy Policy and the Australian Privacy Principles, where required.

7. Security

7.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, including through:

- limiting access to personal information to personnel and service providers who need it to perform their duties;

- using reputable cloud and infrastructure providers;

- implementing technical safeguards (such as encryption in transit, access controls and logging).

7.2 However, no method of transmission or storage is completely secure. We cannot guarantee absolute security and you use the Services at your own risk.

8. Retention and deletion

8.1 We keep personal information:

- for as long as your account is active and as reasonably needed to provide the Services; and

- for a further period as necessary for legitimate business purposes (for example, records and compliance) or as required by law.

8.2 We take reasonable steps to:

- destroy or permanently de-identify personal information that we no longer need; and

- ensure any data held in backups is subject to appropriate security controls until it is deleted in the ordinary course of our backup lifecycle.

8.3 If you close your account, we may retain limited information (for example, transaction records, communications or audit logs) where required for our legitimate business purposes or legal obligations.

9. Access and correction

9.1 You can generally access and correct certain personal information directly via your account settings in the Service.

9.2 You may also request access to, or correction of, the personal information we hold about you by contacting us using the details in section 11.

9.3 We will respond to such requests within a reasonable time. In some cases, we may need to verify your identity or we may be permitted or required by law to refuse your request. If we refuse, we will tell you why (unless it is unreasonable to do so).

10. Marketing communications

10.1 We may send you marketing communications (such as emails about new features, offers or updates) where:

- you have given your consent; or

- we are otherwise permitted by law.

10.2 You can opt out of marketing communications at any time by:

- using the unsubscribe link in the message; or

- contacting us using the details below.

10.3 Even if you opt out of marketing, we may still send you non-marketing communications (for example, service announcements, security alerts, invoices or important notices about your account).

11. Contacting us and complaints

11.1 If you have any questions, concerns or complaints about how we handle your personal information, please contact us at:

Email: [email protected]

11.2 We will investigate your query or complaint and aim to respond within a reasonable time (usually within 30 days).

11.3 If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

- Website: oaic.gov.au

- Phone: 1300 363 992