Privacy Policy

Last updated: 8 April 2026

1. Introduction

Maxwell Technologies Pty Ltd (ABN 23 155 857 293) trading as Standardise ("we", "us", "our") operates the Standardise platform ("the Service"). We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, and organisation name. Passwords are hashed using PBKDF2 (SHA-512, 100,000 iterations) and never stored in plaintext.

2.2 Billing Information

Payment processing is handled by Stripe. We do not store credit card numbers or full payment details. We retain your Stripe customer ID and subscription status for billing purposes.

2.3 Service Data

Data you create within the Service (documents, risk assessments, audit records, etc.) is your content. We process this data solely to provide the Service.

2.4 Usage and Log Data

We collect limited technical data for security and service operation, including IP addresses (one-way hashed for privacy), user agent strings, and action timestamps. This data is used for audit logging and security monitoring only.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service.
  • Process subscriptions and billing through Stripe.
  • Send transactional emails (account verification, password resets). We do not send marketing emails.
  • Maintain security audit logs as required for ISO 27001 compliance.
  • Respond to support requests and communicate about service changes.

4. Data Security

4.1 Encryption

All sensitive data is encrypted at rest using AES-256-GCM with per-tenant envelope encryption. Each organisation has unique encryption keys derived from a master key using PBKDF2. Data in transit is protected by TLS 1.2 or higher.

4.2 Access Controls

The Service implements role-based access control (RBAC) with five permission levels. All data access is scoped to your organisation through row-level security. Multi-factor authentication (TOTP) is available for all accounts.

4.3 Infrastructure

The Service is hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region. All data, including backups, is stored exclusively within Australia.

5. Data Residency

In compliance with Australian Privacy Principle 8 (APP 8), all personal information and service data is stored and processed within Australia. We do not transfer your data overseas. Our infrastructure is located in AWS ap-southeast-2 (Sydney), and we do not use overseas sub-processors for data storage or processing.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share limited information with:

  • Stripe — for payment processing (Stripe's privacy policy applies to payment data).
  • Amazon Web Services — as our infrastructure provider (data remains in Australia).

We may disclose information if required by law, regulation, or legal process, or to protect the rights, safety, or property of our users or the public.

7. Data Retention

We retain your account and service data for the duration of your subscription. Upon account termination, you may request a data export within 30 days. After 30 days, your data will be permanently deleted from our systems, including backups, within 90 days.

Audit logs are retained for a minimum of 12 months as required for ISO 27001 compliance, after which they are permanently deleted.

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information held by us (APP 12).
  • Correct inaccurate or out-of-date personal information (APP 13).
  • Request deletion of your personal information, subject to legal obligations.
  • Export your data in a machine-readable format (CSV export is available within the Service).
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

To exercise any of these rights, contact us at privacy@standardise.au.

9. Cookies

The Service uses essential cookies only for authentication session management. We do not use analytics cookies, tracking cookies, or third-party advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

10. Notifiable Data Breaches

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the OAIC as required by Part IIIC of the Privacy Act 1988. We maintain an internal breach register and incident response procedures.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The latest version is always available on this page.

12. Contact

For privacy-related enquiries or to exercise your rights, contact us at:

Privacy Officer
Maxwell Technologies Pty Ltd (ABN 23 155 857 293)
Trading as Standardise
privacy@standardise.au

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.