Privacy Policy

Your privacy matters to us. Learn how we collect, use, and protect your information.

Bravishi Advisory (“we”, “us”, “our”) respects your privacy and is committed to handling personal information in a transparent, fair, and secure way. This Privacy Policy explains what personal information we collect and hold, how and why we collect it, how we use and disclose it, how we protect it, and how you can access or correct it or make a complaint.


This policy is intended to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). It is written to be clear and practical, and to explain what we do in the ordinary course of running a professional consulting business.


Because we provide professional consulting and advisory services, we may receive documents and evidence from clients that contain personal information about their staff, contractors, customers, or other stakeholders. We handle that information in accordance with this policy and any confidentiality terms agreed with the client.

1) What this policy applies to

This Privacy Policy applies to personal information we handle when you interact with us online or offline. This includes when you visit our website, contact us (by email, web form, phone, or social media), request a proposal, quote, or capability information, engage us for consulting/advisory services, participate in meetings, workshops, events or webinars (if any), or apply to work with us (including as a subcontractor).


It also applies where personal information is provided to us by a client or another party as part of an engagement. For example, if a client shares audit evidence, registers, training records, or operational documentation that includes personal information, this policy applies to how we handle that information while delivering the agreed services.

2) What personal information we collect

The personal information we collect depends on the nature of your interaction with us. In most cases, we collect business contact details and engagement-related information so we can communicate with you, provide proposals, and deliver services. We may also collect personal information embedded within documents shared with us as part of service delivery.


We may collect and hold the following categories of personal information (where relevant):

  • Identity and contact details such as your name, job title, organisation/employer, business address, email address, and phone number.
  • Enquiry and engagement details such as the nature of your enquiry, proposals/quotes, meeting notes, communications, feedback, and preferences (for example, preferred contact method).
  • Service delivery information that is reasonably necessary to perform the agreed work. This may include personal information contained in client materials such as policies, registers, incident logs, audit evidence, risk documentation, organisational charts, training records, and related documents.
  • Billing and administrative information such as invoicing details, purchase order references, payment status, and accounts contact details. We generally do not store full card details; where online payments are used, they are typically processed by third-party payment providers.
  • Website and technical information such as IP address, device identifiers, browser type, pages visited, time/date of visit, approximate location (derived from IP), referring pages, and interaction data collected through cookies and similar technologies.
  • Recruitment/subcontractor information such as CV/resume, qualifications, work history, professional memberships, referee details, and right-to-work information.

Sensitive information

“Sensitive information” includes information such as health information. We do not seek to collect sensitive information unless it is reasonably necessary for a specific purpose and collected and handled in a way permitted by law (and, where required, with your consent).

If you do not provide personal information

You can choose not to provide personal information. However, if you do not provide information that is reasonably necessary, we may not be able to respond to your enquiry, prepare a proposal/quote, verify your authority to act for an organisation, deliver the agreed services, or meet administrative and legal obligations.

3) How we collect personal information

We collect personal information in a number of ways. Most commonly, we collect it directly from you when you contact us, submit a form, request a proposal, engage our services, attend a session, or provide information during delivery of services.


We may also collect personal information from your organisation where you are nominated as a project contact, stakeholder, or authorised representative, or where your organisation provides documents to support an engagement.


In some cases, we may collect personal information from third parties where relevant and lawful, such as professional referees (for recruitment), professional advisers, or publicly available sources (for example, professional networking profiles).


We also collect certain information automatically when you use our website or systems. This may include cookies, analytics tools, tracking technologies, and standard server logs.

4) Unsolicited personal information

Sometimes individuals or organisations send us personal information we did not request (for example, attaching documents that include more personal information than needed for an initial enquiry). If we receive unsolicited personal information, we will assess whether it is reasonably necessary for our functions or activities and whether we could have collected it under the Privacy Act. If we determine we could not have collected it (and we are not required by law to retain it), we will take reasonable steps to destroy or de-identify it where lawful and practicable.

5) Why we collect, hold, use and disclose personal information

We collect, hold, use and disclose personal information to operate our business and deliver services. This commonly includes responding to enquiries, preparing proposals and engagement documents, delivering consulting services (including analysis, drafting and workshops), and managing our operations such as invoicing, payments, recordkeeping, insurance, risk management, and quality improvement.


We may also use personal information to maintain and improve our website and client experience, to market our services where permitted, to protect the security and integrity of our systems, and to comply with legal obligations or respond to lawful requests.

6) When we disclose personal information

We may disclose personal information where necessary to run our business and deliver services. This can include disclosure to IT and cloud providers, email/collaboration and scheduling platforms, document management systems, analytics providers, invoicing/accounting platforms, and professional advisers (such as accountants and lawyers). We may also disclose personal information to insurers and to specialist subcontractors or consultants engaged to support service delivery where appropriate.


Where you pay via an online payment method, personal information may be disclosed to payment processors to process the transaction. We may also disclose personal information to regulators, courts, or law enforcement where required or authorised by law.


We take reasonable steps to choose reputable providers and to limit disclosures to what is necessary for the relevant purpose.

7) Authority for client-provided personal information

Where a client provides us with personal information about its staff, contractors, customers, or other individuals as part of an engagement, the client is responsible for ensuring it has the authority to provide that information to us and for ensuring any required notices or consents are provided/obtained, unless we have agreed otherwise in writing.

8) Overseas disclosures

Some third-party providers we use (such as cloud or SaaS platforms) may store or process personal information outside Australia. This may occur as part of ordinary business operations, for example hosting, email delivery, collaboration tools, analytics, or security monitoring.


Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure appropriate safeguards are in place and to handle information consistently with applicable privacy requirements. If you would like information about whether we currently use particular overseas providers for a specific engagement, you can contact us using the details at the end of this policy.

9) Cookies, analytics and tracking technologies

We use cookies and similar technologies to operate and secure our website, understand traffic and usage patterns, and improve site performance and content. Some of these tools may be provided by third parties and may involve the collection and sharing of identifiers and usage information (including via tracking technologies such as pixels).


You can manage cookies through your browser settings and may be able to opt out of certain analytics/tracking through provider controls (where available). If you block cookies, some parts of the website may not function as intended.

10) Direct marketing

Where permitted, we may send you updates about our services, insights, or events. You can opt out at any time by using an unsubscribe function (if provided) or by contacting us.

11) Anonymity and pseudonymity

Where lawful and practicable, you may interact with us anonymously or using a pseudonym (for example, making a general enquiry). However, for most consulting engagements we will need identifying and contact information to communicate with you and deliver services.

12) Security of personal information

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Depending on the circumstances, this may include access controls, multi-factor authentication where available, encryption where supported by our platforms, secure configuration and patching practices, confidentiality obligations for staff/contractors, vendor management practices, and incident response processes.


No method of transmission or storage is completely secure. However, we aim to maintain safeguards proportionate to the sensitivity of the information we hold.

13) Data retention and destruction

We retain personal information only for as long as reasonably necessary to support the purposes set out in this policy, including legal, accounting, insurance, dispute resolution, and business continuity requirements.


For engagement materials, we typically retain what is needed to demonstrate the work performed, support quality assurance, and manage professional risk, then securely delete, destroy or de-identify information when it is no longer required.

14) Accessing and correcting your personal information

You can request access to the personal information we hold about you and request correction if you believe it is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We may need to verify your identity before responding, and we will respond within a reasonable timeframe.


In limited circumstances permitted by law, we may refuse access or correction (for example, where giving access would unreasonably impact the privacy of others). Where required, we will explain the reasons for refusal.

15) Notifiable data breaches

If we experience a data breach involving personal information that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme. We maintain processes to assess suspected breaches and to take steps to contain, investigate, and remediate incidents as appropriate.

16) Small business transparency

Some small businesses may be exempt from parts of the Privacy Act in certain circumstances (for example, based on turnover), but there are important exceptions and the rules can be nuanced. Regardless, we aim to apply APP-aligned practices as a matter of good governance and to meet client expectations.

17) Changes to this Privacy Policy

We may update this Privacy Policy from time to time by publishing the updated version on our website. The “Last updated” date will change accordingly.

18) Contact us (privacy enquiries, access requests, complaints)

For privacy enquiries, access/correction requests, or complaints, please contact:

Bravishi Advisory

Email: [email protected]

Phone: +61 403 729 914

When you contact us with a complaint, please include your name, contact details, and a clear description of your concern. We will acknowledge your complaint and investigate it. We will aim to respond with an outcome within a reasonable timeframe, and where more time is required (for example, because the matter is complex), we will keep you informed of progress.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).