Privacy Policy

Effective date: 4 April 2025

EzEdi Pty Ltd (“EzEdi”, “we”, “us”, or “our”) operates the EzEdi platform, a multi-tenant electronic data interchange (EDI) service for transforming, validating, and routing business documents. We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Where we process personal data of individuals located in the European Union or the European Economic Area, we also comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).


1. Data Controller

The data controller responsible for your personal information is:

EzEdi Pty Ltd
Australia
Email: privacy@ezedi.online

2. Personal Data We Collect

We collect the following categories of personal information when you create an account and use our platform:

  • Account information — name, email address, username, and password (hashed).
  • Profile data — profile picture, job title, and organisation details you choose to provide.
  • Authentication data — passkey credentials, two-factor authentication tokens, and external identity provider tokens (e.g. Google, Microsoft).
  • Usage logs — IP addresses, browser type, pages visited, timestamps, and actions taken within the platform.
  • Support data — information you provide when submitting support tickets or contacting us.

3. Business Data Processed on Behalf of Tenants

As part of the EDI platform service, we process business documents on behalf of our tenant organisations. This includes:

  • EDI documents (X12, EDIFACT, and similar standards)
  • CSV, XML, JSON, and PDF files
  • Transformation mappings and validation rules
  • Transmission logs and document routing records

This business data may incidentally contain personal information (such as names or addresses in purchase orders or invoices). We process this data solely as a data processor on behalf of the tenant that controls the data. Tenants are responsible for ensuring they have a lawful basis to provide this data to us.

4. Purpose of Data Processing and Legal Basis

We process personal data for the following purposes:

Purpose | Legal Basis (GDPR)
Providing and operating the platform | Performance of contract (Art. 6(1)(b))
User account management and authentication | Performance of contract (Art. 6(1)(b))
Processing EDI documents on behalf of tenants | Performance of contract (Art. 6(1)(b))
Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f))
Customer support | Performance of contract (Art. 6(1)(b))
Service improvement and analytics | Legitimate interest (Art. 6(1)(f))
Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c))

Under Australian law, we collect and handle personal information in accordance with Australian Privacy Principle 3 (collection) and APP 6 (use and disclosure), ensuring that information is only used for the primary purpose for which it was collected or a directly related secondary purpose.

5. Multi-Tenant Data Isolation

EzEdi is a multi-tenant platform. We maintain strict logical separation between tenant environments:

  • Each tenant’s data (documents, configurations, and user accounts) is isolated at the database level.
  • Cross-tenant access is prevented through enforced tenant context on every request.
  • Tenant administrators control user access and permissions within their own environment.
  • Audit logs are tenant-scoped and not shared across organisations.

6. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law:

  • Account data is retained for the duration of the account and deleted upon account closure, subject to any legal retention obligations.
  • Business documents are retained according to the retention settings configured by each tenant. Tenants may delete their documents at any time.
  • Usage logs are retained for up to 12 months for security and operational purposes.
  • Support tickets are retained for 24 months after resolution.

When a tenant account is terminated, all associated data (including documents, configurations, and user accounts) is permanently deleted within 30 days, unless a longer retention period is required by law.

7. Third-Party Services and Sub-Processors

We use the following categories of third-party services to operate the platform:

  • Cloud hosting — our infrastructure runs on cloud services that provide compute, database, and networking resources.
  • Object storage (S3-compatible) — used for storing uploaded documents and generated files.
  • Email delivery — transactional emails (account verification, notifications, password resets) are sent through a third-party email service.
  • CDN and DDoS protection — Cloudflare is used for traffic routing, SSL termination, and security.
  • Authentication providers — Google and Microsoft identity services when external sign-in is enabled by a tenant.

All sub-processors are contractually obligated to handle data in accordance with applicable data protection laws. We conduct due diligence on sub-processors and require them to implement appropriate technical and organisational safeguards. A current list of specific sub-processors is available upon request by contacting privacy@ezedi.online.

8. Your Rights Under the Australian Privacy Act

Under the Australian Privacy Act 1988, you have the right to:

  • Access — request access to the personal information we hold about you (APP 12).
  • Correction — request correction of inaccurate, out-of-date, or incomplete personal information (APP 13).
  • Complaints — lodge a complaint if you believe we have breached the Australian Privacy Principles.

To exercise these rights, contact us at privacy@ezedi.online. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

9. Additional Rights for EU/EEA Users

If you are located in the European Union or the European Economic Area, you have the following additional rights under the GDPR:

  • Right to erasure — request deletion of your personal data where there is no compelling reason for its continued processing.
  • Right to restrict processing — request that we limit how we use your data in certain circumstances.
  • Right to data portability — receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object — object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact privacy@ezedi.online. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Personal data may be transferred to Australia for processing. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.

10. Cookies and Analytics

We use cookies and similar technologies for the following purposes:

  • Essential cookies — required for authentication, session management, and security. These cannot be disabled.
  • Preference cookies — store your settings such as dark mode and language preferences.

We do not currently use third-party analytics or advertising cookies. If this changes, we will update this policy and provide appropriate notice and controls.

11. Data Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, or alteration. These measures include:

  • Encryption of data in transit (TLS) and at rest
  • Hashed and salted password storage
  • Multi-factor authentication support
  • Role-based access controls and tenant isolation
  • Regular security monitoring and logging

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify affected users by email or by posting a prominent notice on the platform. The “Effective date” at the top of this page indicates when the policy was last revised.

13. Contact Information

If you have any questions, concerns, or requests regarding this privacy policy or our handling of your personal information, please contact us:

EzEdi Pty Ltd
Email: privacy@ezedi.online

This privacy policy was last updated on 4 April 2025. This document is a best-effort draft and should be reviewed by legal counsel before reliance in a production environment.