Privacy Policy
CalnetCorp Pty Ltd (ABN 55 697 522 204) ("we", "us", "CalnetCorp") respects your privacy and is committed to handling your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Spam Act 2003 (Cth).
This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.
The short version. We collect what we need to build your website and run your account: name, email, phone, business details, payment info (via Stripe), and your intake answers. We share necessary data with our service providers (Stripe, Resend, Google, Meta, Vercel, DigitalOcean). We don't sell your data. You can access, correct, or delete your data by emailing cal@calnetcorp.com.au.
1. What is "personal information"
Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. This includes obvious things like your name and email, but also things like your IP address, browsing behaviour on our site, and inferences we might make about you from your business intake answers.
2. What we collect
Information you give us directly
- Contact details — name, email address, mobile number, business name.
- Intake form answers — the 16 questions covering business activities, target customer, services, pricing, brand assets, deadlines, and other notes you provide.
- File uploads — logos, photos, brand documents, or other files you upload via the intake form.
- Payment details — handled directly by Stripe. We don't see or store your full card number; Stripe gives us a customer ID and payment-method token to charge later.
- Communications — emails you send us, replies in support threads, any feedback you provide.
Information we collect automatically
- Device and browser data — IP address, user agent, screen size, operating system, browser version.
- Usage data — pages viewed, links clicked, time on page, referrer URL, session duration.
- Marketing attribution — Google Ads click IDs (gclid, gbraid, wbraid), UTM parameters, landing URLs, referring source. Used to measure ad performance and attribute conversions.
- Cookies and similar technologies — see Section 6 below.
Information from third parties
- Stripe — when you complete payment setup, Stripe provides your name, email, billing country, and tokenised payment method to us.
- Google & Meta — when you arrive from a Google or Meta ad, the click ID lets us match your subsequent conversion back to the original ad click.
3. Why we collect it
| Purpose | What we use it for |
|---|---|
| Build delivery | Building your website from your intake answers; uploading your logo and photos into the design; setting up hosting on your domain. |
| Account management | Sending preview links, charging your card on approval, sending receipts, providing dashboard access. |
| Customer communications | Replying to your questions; sending lifecycle emails (preview ready, reminders, paid receipt, handover); operating customer support. |
| Service improvement | Understanding which features customers use, where the funnel drops off, what marketing channels bring quality leads. |
| Marketing & analytics | Measuring ad campaign performance; retargeting visitors who didn't convert (Meta Pixel); attributing conversions back to Google Ads campaigns. |
| Legal & security | Preventing fraud (Stripe Radar), detecting bot submissions, maintaining audit trails, responding to legal requests. |
4. Lawful basis (APP 3)
We collect personal information only by lawful and fair means, and only when reasonably necessary for one or more of our functions or activities. The lawful bases we rely on:
- Performance of contract — to deliver the service you've engaged us for.
- Legitimate interests — to operate, improve, and market our business in ways that don't unreasonably override your interests.
- Consent — for direct marketing communications and certain optional tracking (you can withdraw at any time).
- Legal obligation — to comply with Australian tax, anti-money-laundering, and consumer protection laws.
5. Who we share it with
We share the minimum amount of personal information needed with the following service providers and partners:
| Provider | What we share | Why |
|---|---|---|
| Stripe, Inc. (US) | Name, email, billing details, payment method | Payment processing — we use Stripe's hosted Checkout, so they receive your card data directly without it passing through our servers. |
| Resend, Inc. (US) | Email address, name, content of transactional emails | Sending order confirmations, preview links, receipts, and lifecycle emails. |
| Twilio, Inc. (US) | Phone number, message content | SMS notifications for customer site lead capture (where enabled by you). |
| Vercel, Inc. (US) | Server logs, IP address, request headers | Hosting our website and serverless API functions. |
| DigitalOcean LLC (Singapore region for AU/APAC traffic) | Customer record data (PocketBase database) | Hosting the database where build records, intake answers, and uploaded files are stored. |
| Google LLC (US) | Hashed email + phone (for Enhanced Conversions), click IDs, attribution data | Google Ads conversion tracking; Google Analytics; Google Tag Manager. |
| Meta Platforms, Inc. (US) | Hashed contact identifiers, browsing events, conversion events | Facebook/Instagram ad targeting and conversion measurement (Meta Pixel). |
| Our internal operator dashboard ("Pulse") | Build records, intake answers, file uploads | So Cal and team can see new builds and operate the workflow. |
Each of these providers is bound by their own privacy commitments and, where applicable, contractual data processing agreements with us. We do not sell your personal information to anyone.
6. Cookies and tracking technologies
We use the following cookies and similar technologies:
| Type | Purpose | Duration |
|---|---|---|
| Essential (first-party) | Marketing attribution (`cc_attr` cookie storing your gclid/gbraid/wbraid so we can attribute your conversion back to the original ad click); session continuity. | 90 days |
| Analytics (third-party) | Google Analytics, Google Tag Manager — measure aggregated site usage. | Up to 2 years |
| Marketing (third-party) | Google Ads conversion tracking; Meta Pixel for retargeting and conversion measurement. | Up to 90 days (Google), up to 90 days (Meta) |
You can disable third-party cookies through your browser settings or via opt-out tools provided by Google (Google Analytics opt-out) and Meta (your Meta ad preferences). Disabling cookies won't prevent you from using our website but may affect your experience and our ability to measure ad effectiveness.
7. Direct marketing (Spam Act 2003)
If you've engaged with us as a customer, lead, or prospect, we may send you marketing emails about new services, articles, or special offers. We comply with the Spam Act 2003 by:
- Only contacting you where you've given consent (express, or implied through an existing business relationship).
- Clearly identifying CalnetCorp as the sender.
- Providing a functional unsubscribe link in every marketing email.
Transactional emails (order confirmations, preview links, receipts) are not marketing — they're required for service delivery — and you can't opt out of them while remaining an active customer.
8. Data security (APP 11)
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:
- Encryption in transit — all traffic to and from our servers uses HTTPS/TLS.
- Encryption at rest — sensitive data in our database is stored on encrypted volumes.
- Tokenisation of payment data — full card numbers never touch our servers; Stripe handles them.
- Access controls — only Cal and authorised team members can access the operator dashboard and database; access is logged.
- Pre-hashing of identifiers — when sharing data with Google Ads (Enhanced Conversions) and Meta (CAPI), we send SHA-256 hashed identifiers rather than plaintext.
- Vendor due diligence — we use established providers (Stripe, Resend, Google, Meta, Vercel) with strong security postures and data processing agreements where required.
9. Data retention
We retain personal information only for as long as needed for the purposes we collected it, or as required by law:
- Active customer records — retained for the duration of your engagement plus 7 years after termination (for tax and legal compliance under Australian law).
- Inactive leads — retained for 2 years from last interaction, then deleted unless you've explicitly opted into ongoing marketing.
- Email logs and support communications — retained for 3 years.
- Marketing attribution cookies — 90 days from your most recent visit.
- Anonymous/aggregated analytics data — retained indefinitely.
10. Your rights (APP 12 & 13)
You have the right to:
- Access the personal information we hold about you.
- Correct information that's inaccurate, incomplete, or out of date.
- Delete your personal information, subject to our retention obligations (e.g. we must retain transaction records for 7 years under tax law).
- Object to or restrict certain processing, such as direct marketing.
- Withdraw consent at any time where processing relies on consent.
- Complain if you believe we've mishandled your personal information.
To exercise any of these rights, email cal@calnetcorp.com.au. We'll respond within 30 days. There's no fee for reasonable requests; we may charge a reasonable fee for unusually large or repetitive requests.
11. International data transfers (APP 8)
Several of our service providers (Stripe, Resend, Twilio, Vercel, Google, Meta) are headquartered in the United States. By using our services, you acknowledge that your personal information may be transferred to and stored in the US or other countries where these providers operate.
Where we transfer personal information overseas, we take reasonable steps to ensure the recipient handles your information in line with the Australian Privacy Principles, primarily through contractual data processing terms with each provider.
12. Notifiable data breaches
We comply with Australia's Notifiable Data Breaches scheme. If we experience a data breach likely to result in serious harm to you, we'll notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in line with the Privacy Act 1988.
13. Children's privacy
Our services are intended for use by businesses and adults aged 18 or older. We don't knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us so we can delete it.
14. Lead data on delivered websites
Websites we deliver to customers typically include lead capture forms. The data submitted through your delivered website (from your own end customers) is your responsibility, not ours. You're acting as the data controller for that data; we provide the infrastructure to collect, route, and store it on your behalf. You should publish your own privacy policy on your delivered site covering how you handle that lead data.
15. Third-party links
Our site and emails may include links to third-party websites (social media profiles, partner sites, articles, etc.). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before sharing personal information with them.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. We'll post the updated version on this page with a new "Last updated" date. Material changes will be communicated to active customers by email at least 14 days before they take effect.
17. Contact & complaints
If you have questions about this policy, want to exercise any of your rights, or wish to lodge a complaint:
CalnetCorp Pty Ltd
ABN: 55 697 522 204
Brisbane, Queensland, Australia
Email: cal@calnetcorp.com.au
We'll acknowledge your complaint within 5 business days and provide a substantive response within 30 days.
If you're not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au