Privacy Policy
Effective Date: 24/07/2025
1. Introduction
Nik Nak IT upholds a strict commitment to Australian data sovereignty and individual privacy. Personal information is not treated as a commodity, and our services are deliberately designed to minimise the collection, exposure, and transmission of personally identifiable information (PII). We avoid third-party dependencies wherever possible, favouring in-house, self-hosted solutions to maintain full control over data handling. Where subprocessors are used, they operate exclusively within Australian jurisdictions under the same privacy obligations. All practices align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Privacy isn't a settings toggle. It's a foundational design choice.
2. What Personal Information We Collect
We collect only Service Delivery Personal Information, including:
- Clients & contacts (name, email, phone, postal address) for billing, service delivery, and contracts.
- Service data (invoices, service records, diagnostic logs, system data from hosting, repair, or support).
- Communications you initiate via phone, email, or web contact form.
We do not collect sensitive personal information (e.g., health or financial details).
“Service Delivery PI” refers to the personal information necessary to deliver services (e.g. contact details, service-related communications, and records).
When collecting personal information, we inform clients of the purpose of collection, our contact details, and their rights regarding access, correction, and complaints.
3. How We Collect Information
- When you request or engage our services.
- When you provide billing or contract details.
- When you correspond with us via phone, email, or our web contact form.
4. How We Use Your Information
We use your personal information solely for:
- Delivering and managing requested IT services (including diagnostics, repairs, hosting).
- Generating invoices and managing payments.
- Complying with legal or regulatory obligations. Examples: Tax Reporting, Notifiable Data Breach, Employment Law, Consumer Protection, Law Enforcement, Health And Safety, Australian Privacy Principles, PCI-DSS, APRA CPS 234, My Health Records Act, Software License Agreements, Copyright Law.
- Internal record-keeping and quality assurance.
5. Disclosure of Personal Information
We will not disclose your personal information to third parties except:
- Where required by law or court order.
- With your consent.
6. Storage and Security
We implement appropriate technical and organisational measures (encryption, access controls, physical security) to protect your information from misuse, loss, or unauthorized access. All data is stored on systems within Australia, ensuring compliance with Australian data sovereignty laws.
Physical records are securely stored in a locked filing cabinet with restricted access.
7. Data Ownership and Confidentiality
All client data remains the property of the original owner. During service delivery, we may access technical logs (system, access, diagnostic) solely for troubleshooting, security, or compliance purposes. We maintain strict confidentiality. When a data transfer is requested, we comply with the Privacy Act 1988 (Cth) and provide raw data exports where applicable. While we ensure your data is made available, we do not offer analysis, configuration, or implementation services as part of this process.
8. Data Categories and Retention Periods
| Data Type | Retention Period | Legal Basis / Purpose |
|---|---|---|
| Service Delivery PI | Retained until request for removal or project end + 2 years | For service continuity, project history, or client support. |
| Invoices and Financial Records | Minimum 5 years from date of issue | Required by the ATO under tax law obligations. |
| Diagnostic and System Logs | Up to 2 years post-service or termination | Security best practice and operational integrity. |
| Emails and Communications | Retained for as long as required for record-keeping or contract fulfilment | Used to confirm instructions and protect both parties. |
9. Review and Destruction
Data is reviewed at scheduled intervals and securely destroyed when the retention period has expired and no ongoing business or legal justification exists for keeping it.
Destruction methods include secure erasure (for digital files) and physical shredding (for paper records).
10. Subprocessors
Nik Nak IT engages Serversaurus exclusively for email hosting services. All data is retained within Australia and remains under Australian sovereignty, in full compliance with Australian privacy laws. Serversaurus does not transfer data outside Australia.
11. Access and Correction of Personal Information
You may request access to or correction of your personal information by contacting us as per Section 17. Requests will be handled within 30 calendar days, in accordance with APP 12 and APP 13.
12. Anonymity and Communication Options
The following principles apply to client identity and communication preferences:
- Pseudonyms are permitted for non-binding enquiries or informal work under $82.50, per ATO requirements.
- Legally binding services require your legal name.
- While we permit pseudonyms for informal or preliminary contact, we may be unable to provide certain services without verifying your identity as required by law or for contractual obligations.
- Non-digital records can be made available for collection or delivery upon request. Any formal service of documents remains the responsibility of the requesting party unless otherwise agreed.
- No “no-reply” email addresses are used. We always provide a human-readable, monitored email address to ensure you can reach a real person when you contact us.
13. Marketing
We do not send promotional or unsolicited marketing emails. However, we welcome and appreciate word-of-mouth referrals and personal recommendations from our clients.
14. Ethical Data Boundary
Our website does not use cookies, analytics, tracking scripts, or profiling tools. We do not share, sell, or broker personal data. Services that transmit user data to jurisdictions with weak privacy protections, including common third-party trackers, are not compatible with our standards, regardless of convenience or popularity.
15. Voluntary Commitment to Privacy and Data Integrity
Although we are a small business and not legally required to comply with the Privacy Act 1988 (Cth), we choose to follow and be held to its Australian Privacy Principles because protecting your personal information is a core value for us. Unlike many companies that trade or monetise personal or even anonymised data—often necessitating formal privacy policies by law—we do not trade, sell, or rent any data relating to you. This commitment reflects our dedication to your privacy and trust.
16. Policy Review
We review this Privacy Policy periodically to ensure ongoing compliance with the Privacy Act 1988, APPs, and industry guidance. Any changes will be published on our website with an updated Effective Date.
17. Complaints and Dispute Resolution
If you believe we have breached the Australian Privacy Principles (APPs) or mismanaged your personal information, please contact us using the methods outlined in Section 18. We maintain a structured and auditable record-keeping practice for all privacy-related matters. Upon receiving a complaint, we will acknowledge receipt, identify the appointed Privacy Officer responsible, and provide a channel for ongoing correspondence. We aim to provide a substantive response or resolution within 30 days. In the event of an eligible data breach, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Privacy Act 1988 (Cth). If you are not satisfied with our response, you may escalate the matter to the Office of the Australian Information Commissioner (OAIC).
18. Contact Us
If you have engaged our services and have any questions or concerns about your privacy or this policy, you may contact us via our web contact form, by email, or by post to our business address. For general enquiries, we recommend using the contact form, as our email address is protected to prevent automated scraping.