Privacy Policy
Effective Date: 30/05/2025
1. Introduction
Nik Nak IT upholds a strict commitment to Australian data sovereignty and individual privacy. Personal information is not treated as a commodity, and our services are deliberately designed to minimise the collection, exposure, and transmission of personally identifiable information (PII). We avoid third-party dependencies wherever possible, favouring in-house, self-hosted solutions to maintain full control over data handling. Where subprocessors are used, they operate exclusively within Australian jurisdictions under the same privacy obligations. All practices align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Privacy isn't a settings toggle. It's a foundational design choice.
2. What Personal Information We Collect
We collect only Service Delivery Personal Information, including:
- Clients & contacts (name, email, phone, postal address) for billing, service delivery, and contracts.
- Service data (invoices, service records, diagnostic logs, system data from hosting, repair, or support).
- Communications you initiate via phone, email, or web contact form.
We do not collect sensitive personal information (e.g., health or financial details).
“Service Delivery PI” refers to the personal information necessary to deliver services (e.g. contact details, service-related communications, and records).
When collecting personal information, we inform clients of the purpose of collection, our contact details, and their rights regarding access, correction, and complaints.
3. How We Collect Information
- When you request or engage our services.
- When you provide billing or contract details.
- When you correspond with us via phone, email, or our web contact form.
4. How We Use Your Information
We use your personal information solely for:
- Delivering and managing requested IT services (including diagnostics, repairs, hosting).
- Generating invoices and managing payments.
- Complying with legal or regulatory obligations. Examples: Tax Reporting, Notifiable Data Breach, Employment Law, Consumer Protection, Law Enforcement, Health And Safety, Australian Privacy Principles, PCI-DSS, APRA CPS 234, My Health Records Act, Software License Agreements, Copyright Law.
- Internal record-keeping and quality assurance.
5. Disclosure of Personal Information
We will not disclose your personal information to third parties except:
- Where required by law or court order.
- With your consent.
6. Storage and Security
We implement appropriate technical and organisational measures (encryption, access controls, physical security) to protect your information from misuse, loss, or unauthorised access. All data is stored on systems within Australia, ensuring compliance with Australian data sovereignty laws.
Physical records are securely stored in a locked filing cabinet with restricted access.
7. Data Ownership and Confidentiality
All client data remains the property of the original owner. During service delivery, we may access technical logs (system, access, diagnostic) solely for troubleshooting, security, or compliance purposes.
8. Data Categories and Retention Periods
| Data Type | Retention Period | Legal Basis / Purpose |
|---|---|---|
| Service Delivery PI | Retained until request for removal or project end + 2 years | For service continuity, project history, or client support. |
| Invoices and Financial Records | Minimum 5 years from date of issue | Required by the ATO under tax law obligations. |
| Diagnostic and System Logs | Up to 2 years post-service or termination | Security best practice and operational integrity. |
| Emails and Communications | Retained for as long as required for record-keeping or contract fulfilment | Used to confirm instructions and protect both parties. |
9. Review and Destruction
Data is reviewed at scheduled intervals and securely destroyed when:
- The retention period has expired, and no ongoing business or legal justification exists for keeping it.
Destruction methods include secure erasure (for digital files) and physical shredding (for paper records).
10. Subprocessors
Nik Nak IT engages Serversaurus exclusively for email hosting services. All data is retained within Australia and remains under Australian sovereignty, in full compliance with Australian privacy laws. Serversaurus does not transfer data outside Australia.
11. Access and Correction of Personal Information
You may request access to or correction of your personal information by contacting us as per Section 17. Requests will be handled within 30 calendar days, in accordance with APP 12 and APP 13.
12. Anonymity and Communication Options
The following principles apply to client identity and communication preferences:
- Pseudonyms are permitted for non-binding enquiries or informal work under $82.50, per ATO requirements.
- Legally binding services require your legal name.
- While we permit pseudonyms for informal or preliminary contact, we may be unable to provide certain services without verifying your identity as required by law or for contractual obligations.
- Non-digital records may be made available for collection or delivery upon request. Any formal service of documents remains the responsibility of the requesting party unless otherwise agreed.
13. Marketing
We do not send promotional or unsolicited marketing emails. However, we welcome and appreciate word-of-mouth referrals and personal recommendations from our clients.
14. Ethical Data Boundary
Our website does not use cookies, analytics, tracking scripts, or profiling tools. We do not share, sell, or broker personal data. Services that transmit user data to jurisdictions with weak privacy protections, including common third-party trackers, are not compatible with our standards, regardless of convenience or popularity.
15. Policy Review
We review this Privacy Policy periodically to ensure ongoing compliance with the Privacy Act 1988, APPs, and industry guidance. Any changes will be published on our website with an updated Effective Date.
16. Complaints and Dispute Resolution
If you believe we have breached the APPs or mismanaged your personal information, please contact us as per Section 17. We will respond to all complaints within 30 days. If you're not satisfied with our response, you may escalate the matter to the OAIC. In the event of an eligible data breach, we will notify affected individuals and the OAIC in accordance with the Privacy Act 1988 (Cth).
17. Contact Us
If you have engaged our services and have any questions or concerns about your privacy or this policy, you may contact us via our web contact form or by email. For general enquiries, we recommend using the contact form, as our email address is protected to prevent automated scraping. We will respond to all complaints within 30 days. If you're not satisfied with our response, you may escalate the matter to the OAIC.