Privacy Policy

    Effective Date: 1 July 2026 · Version: 1.0 · Last Updated: 1 July 2026

    EntityFlo Pty Ltd

    ABN: 12 692 755 614

    Level 2/14 Edgewater Court, Robina QLD 4226, Australia

    Email: privacy@entityflo.com

    EntityFlo provides a cloud-based corporate governance, entity-management and compliance platform (the "Platform"). This Privacy Policy explains how we collect, hold, use, disclose and protect personal information, and the rights and choices available to individuals whose personal information we handle.

    This policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where they apply to our handling of personal information — the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the New Zealand Privacy Act 2020, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and comparable laws in the jurisdictions in which the Platform operates. Region-specific terms are set out in Sections 16–18; if those terms conflict with the rest of this policy for an individual in the relevant region, the region-specific terms prevail.

    1. About this policy

    1.1 Two distinct roles — please read this first

    EntityFlo handles personal information in two capacities, and the distinction governs which rules apply:

    • As a processor (service provider) acting for our customers. When a customer organisation uses the Platform, it uploads and generates records about its own group — including personal information about directors, officers, shareholders, members, beneficial owners, signatories and other individuals ("Customer Data"). For Customer Data, the customer is the controller (in APP terms, the entity that determines the purpose of handling) and EntityFlo acts on the customer's documented instructions as its processor. Our handling of Customer Data is governed by our agreement with the customer and our Data Processing Agreement (DPA), not by this policy. Individuals whose personal information appears in Customer Data should direct privacy requests to the relevant customer organisation as controller; we will refer such requests on and assist that customer as required by the DPA.
    • As a controller in our own right. When we decide why and how personal information is handled — for example, account-holder and Platform-user details, website-visitor data, prospect and marketing data, billing and support information, and our own business records — EntityFlo is the controller and this Privacy Policy governs.

    The remainder of this policy concerns personal information we handle as controller, except where stated.

    2. The personal information we collect

    The categories of personal information we collect as controller include:

    • Identity and contact data — name, job title, employer, business email address, business phone number, and business postal address of Platform users, account administrators, billing contacts and prospects.
    • Account and authentication data — username, hashed credentials, multi-factor authentication details, single-sign-on identifiers, role and permission settings.
    • Usage, device and log data — IP address, device and browser type, pages and features accessed, actions taken, timestamps, and diagnostic and performance logs.
    • Billing and transaction data — billing entity, purchase history, and limited payment-administration data (card and bank details are handled by our payment processor, Stripe; we do not store full card numbers).
    • Support and communications data — correspondence, support tickets, call and meeting records, and feedback you provide.
    • Marketing data — preferences, event registrations, and engagement with our communications.
    • Cookies and analytics data — see Section 12.

    We do not seek to collect sensitive information (as defined in the Privacy Act, e.g. health, racial or political information) about our users as controller. We may incidentally hold sensitive or special-category information that appears within Customer Data; that is handled under the DPA, not this policy.

    3. How we collect personal information

    We collect personal information: directly from you (when you register, configure an account, contact us, attend an event or subscribe); from the customer organisation that authorises your access; automatically through your use of the Platform and website (cookies, logs); and from third parties such as our resellers, referral partners, and publicly available business sources.

    Where it is reasonable and practicable, we collect personal information directly from the individual concerned (APP 3).

    4. Why we use personal information, and our lawful bases

    We use personal information we hold as controller to: provide, administer, secure and support the Platform and user accounts; authenticate users and manage access and permissions; process billing and manage the customer relationship; respond to enquiries and provide support; maintain the security, integrity and availability of our systems and detect and prevent fraud, misuse and security incidents; improve and develop our products and services; send service, administrative and (where permitted) marketing communications; and comply with our legal, regulatory and audit obligations.

    Where the GDPR or UK GDPR applies, we rely on the following lawful bases: performance of a contract (to provide the Platform to account-holders and administer the customer relationship); legitimate interests (to secure, support, improve and market our services, and to run our business, balanced against your rights); consent (for certain marketing and non-essential cookies, which you may withdraw at any time); and legal obligation (to meet tax, accounting, security-disclosure and regulatory duties). Where we rely on legitimate interests, you may ask for details of the balancing assessment.

    5. Automated decision-making and artificial intelligence

    The Platform includes AI-assisted features (including FloSec AI / Flo) that draft resolutions, minutes, filings, reports and similar outputs from a customer's entity data, and a compliance engine that scores obligations and renewals. These features operate on Customer Data, under the customer's control and at the customer's direction, to produce drafts and prompts for human review. They are decision-support tools: EntityFlo does not use them to make decisions producing legal or similarly significant effects about individuals on its own account. These features are optional — the Platform's core functionality operates without them, and a customer that does not wish to send data to an AI provider can choose not to use them.

    Where they are used, the necessary Customer Data is processed by our AI provider in the United States as a sub-processor (see Section 6 and Section 7).

    We do not subject individuals to solely automated decisions that produce legal or similarly significant effects without human involvement (GDPR Art 22). Customers configuring AI features within their own workflows are responsible, as controller, for any automated decision-making they implement.

    Australian transparency note (commencing 10 December 2026). From 10 December 2026, APP 1.7 (introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth)) requires APP entities that use computer programs to make, or do a thing substantially and directly related to making, decisions that could reasonably be expected to significantly affect an individual's rights or interests, to describe that use in their privacy policy. Where any EntityFlo feature falls within APP 1.7 as in force, this Section will set out the kinds of personal information used and the kinds of decisions made. We are reviewing our AI features against APP 1.7 ahead of commencement and will update this Section accordingly.

    6. When we disclose personal information

    We disclose personal information as controller to:

    • Service providers and sub-processors who host, support, secure and operate the Platform on our behalf (e.g. cloud hosting and email, application monitoring, AI processing and payment processing), bound by contract to protect the information and use it only for the services they provide to us. Our current sub-processor list is available at entityflo.com/sub-processors (or on request).
    • Registry and integration partners where you direct the Platform to transmit data, including ASIC, NZBN / NZ Companies Office, Companies House (UK) and equivalent registries, and connected workspace tools. Such transmissions occur on the customer's instruction.
    • Professional advisers (lawyers, auditors, accountants, insurers) where reasonably necessary.
    • Acquirers in connection with a corporate transaction (merger, acquisition, financing or asset sale), subject to confidentiality.
    • Regulators, courts and law-enforcement where required or authorised by law, or to protect our rights, users or the public.

    We do not sell personal information, and we do not disclose it for third-party direct marketing.

    7. International data transfers

    EntityFlo hosts and processes the personal information it holds in Australia — on Amazon Web Services infrastructure in the Sydney region (ap-southeast-2), with immutable (write-once) backups held within Australia. Some of our service providers process limited personal information overseas on our behalf, currently: application performance and error monitoring in the European Union, and AI-assisted features through a provider in the United States. Our sub-processor list (Section 6) identifies each provider and its location.

    Before disclosing personal information overseas, we take steps reasonable in the circumstances to ensure the overseas recipient handles it consistently with the APPs (APP 8), including through contractual data-protection commitments.

    Where personal information protected by the GDPR or UK GDPR is transferred outside the EEA or UK to a country without an adequacy decision, we rely on appropriate safeguards — the EU Standard Contractual Clauses and, for the UK, the International Data Transfer Agreement / UK Addendum — together with any transfer risk assessment required. A copy of the relevant safeguards is available on request (Section 19).

    8. Data security

    We maintain technical and organisational security measures appropriate to the risk, including: encryption of data in transit (TLS enforced end-to-end) and at rest (using managed, regularly-rotated encryption keys); single-sign-on identity management with multi-factor authentication and no static access keys; role-based access controls and logical tenant isolation; network segmentation with an isolated data tier and a web application firewall; immutable audit logging and network-traffic logging; immutable (write-once) backups; and personnel confidentiality obligations. EntityFlo is building towards SOC 2 and ISO 27001 and is not yet certified; further detail on our security posture is available to customers on request. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; users must keep their credentials confidential and notify us of any suspected compromise.

    9. Data breach notification

    We maintain a data-breach response plan. Where an eligible data breach occurs that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988). Where the GDPR or UK GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and affected individuals where the breach is likely to result in a high risk to their rights and freedoms. For breaches affecting Customer Data, our notification obligations to the customer are governed by the DPA, which generally requires us to notify the customer (as controller) without undue delay so that the customer can meet its own obligations.

    10. How long we keep personal information

    We keep personal information only for as long as necessary for the purposes for which it was collected, to provide the Platform, to meet legal, tax, accounting and regulatory retention requirements, and to resolve disputes and enforce our agreements. When no longer required, we de-identify or securely destroy it. Retention of Customer Data (including on termination, with return and deletion timeframes) is governed by the Terms of Service and DPA.

    11. Your privacy rights and choices

    Subject to the applicable law and to verification of your identity, you may:

    • access the personal information we hold about you and ask for a copy;
    • correct information that is inaccurate, out of date, incomplete or misleading;
    • opt out of marketing communications at any time (via the unsubscribe link or by contacting us); and
    • complain about how we have handled your personal information (Section 20).

    Individuals in the EEA, the UK and California have additional rights set out in Sections 16–18.

    To exercise a right, contact us using Section 19. We will respond within the time required by the applicable law (generally 30 days under the APPs; one month under the GDPR/UK GDPR). We may decline a request where the law permits, and will give reasons. There is no fee to make a request, though we may charge a reasonable, cost-based fee for access in limited circumstances permitted by law.

    Where your request concerns personal information held within Customer Data, we will refer you to the relevant customer organisation as controller and assist that customer to respond.

    12. Cookies and analytics

    Within the Platform, we use only strictly necessary cookies and similar technologies — for example to keep you logged in, maintain security and remember your preferences. These are required for the Platform to function.

    On our public website (entityflo.com), we use strictly necessary cookies together with Google Analytics, which sets cookies to help us understand how visitors use the site and to improve it. Google Analytics collects information such as your IP address and online identifiers, handled in accordance with Google's privacy terms.

    You can accept or decline non-essential cookies (including Google Analytics) through the cookie-preferences control on our website, and change your choice at any time. You can also control or delete cookies through your browser settings, and opt out of Google Analytics using Google's browser opt-out add-on (tools.google.com/dlpage/gaoptout). Where the law in your location requires your consent before we set non-essential cookies, we obtain it. Disabling some cookies may affect website functionality.

    13. Direct marketing

    We may send you marketing about our products and services where permitted by law. Each marketing message includes an unsubscribe facility, and we comply with the Spam Act 2003 (Cth) and equivalent laws. We do not use sensitive information for marketing. You can opt out at any time without affecting the services you receive.

    14. Children

    The Platform is a business tool not directed to children, and we do not knowingly collect personal information from individuals under 16. If you believe a child's information has been provided to us, contact us and we will delete it.

    15. Third-party sites

    Our website and Platform may link to third-party sites and services we do not control. This policy does not apply to those services; please review their privacy notices.

    16. EEA and UK individuals (GDPR / UK GDPR)

    Where the GDPR or UK GDPR applies to our handling of your personal information as controller, you have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection to processing based on legitimate interests or to direct marketing; and to withdraw consent (without affecting prior lawful processing). You also have the right to lodge a complaint with a supervisory authority (Section 20). Our lawful bases are set out in Section 4, our international-transfer safeguards in Section 7. EntityFlo has no establishment in the EEA or the UK. If and when our processing becomes subject to the GDPR or UK GDPR — for example, when we begin offering the Platform to, or monitoring, customers or data subjects in those regions — we will appoint an Article 27 representative in the relevant region and publish its details here.

    17. New Zealand individuals (Privacy Act 2020)

    Where the New Zealand Privacy Act 2020 applies, you have rights of access to and correction of your personal information, and may complain to the Office of the New Zealand Privacy Commissioner. We comply with the Information Privacy Principles, including IPP 12 in relation to any disclosure of personal information outside New Zealand.

    18. California residents (CCPA / CPRA)

    If you are a California resident, you have the right to: know the categories and specific pieces of personal information we have collected, the sources, purposes and categories of recipients; request deletion; request correction; and not be discriminated against for exercising your rights. We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA, and we do not use or disclose sensitive personal information for purposes requiring an opt-out. The categories of personal information we collect, and the purposes for which we use them, are described in Section 2 and Section 4. You may exercise your rights via Section 19; you may use an authorised agent, and we will verify your request as the law requires.

    19. How to contact us / Privacy Officer

    For any privacy question or to exercise a right, contact our Privacy Officer:

    EntityFlo Pty Ltd

    ABN: 12 692 755 614

    Privacy Officer

    Level 2/14 Edgewater Court, Robina QLD 4226, Australia

    Email: privacy@entityflo.com

    20. Complaints

    If you are concerned about how we have handled your personal information, please contact our Privacy Officer first (Section 19) so we can try to resolve it. We will acknowledge your complaint and respond within a reasonable time, generally 30 days. If you are not satisfied, you may complain to the relevant regulator:

    • Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au, 1300 363 992.
    • United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
    • EEA — your local Data Protection Authority.
    • New Zealand — Office of the Privacy Commissioner, privacy.org.nz.

    21. Changes to this policy

    We may update this policy from time to time. The current version is always posted at entityflo.com/privacy-policy with the effective date above. Where changes are material, we will take reasonable steps to notify account-holders. Continued use of the Platform after an update takes effect constitutes acknowledgement of the updated policy.