Privacy policy.

This policy explains how Yuma IT Pty. Ltd. (“we”, “us”, “our”), the publisher of Compliance On Demand, handles personal information collected through this website and through commercial relationships with prospects, customers and partners.

Compliance On Demand is a self-hosted, single-tenant product. Customers run their own instance on infrastructure they control. This policy does not cover personal information that customers collect, store or process inside their own deployments — that material remains under the customer’s control and their own privacy notice.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We deliberately keep the personal information we collect to the minimum needed to respond to enquiries and run the commercial relationship. The categories we collect are:

• Names of individual contacts at prospect, customer and partner organisations
• Company names and trading names
• Business postal addresses
• Business email addresses

We do not request or store credit card numbers, financial account details, government identifiers, health information or other sensitive information through this website.

We collect the categories above directly from you when you contact us, request a product briefing, exchange commercial correspondence, sign an order form or licence, or otherwise communicate with us about Compliance On Demand.

We do not run lead-tracking pixels, advertising networks or behavioural profiling cookies on this website. The site is a static export with no first-party analytics tracking embedded at publication.

Compliance On Demand runs inside the customer’s own infrastructure. We do not operate a managed SaaS control plane for the product, and we do not have routine access to the data inside a customer’s instance.

That means the following stay inside the customer’s deployment and outside our possession or control in the ordinary course of operation:

• Cloud and SaaS credentials configured for posture scanning
• Scan results, control evidence, drift records and audit artefacts
• Generated policies, reports, questionnaire responses and Trust Portal material
• Auditor engagement records, comments and verification status
• Identity records of end users created inside the customer’s instance

If a customer chooses to share product data with us — for example, by sending a diagnostic bundle for support — we treat that material as confidential to the engagement and use it only for the purpose it was shared.

We use the personal information we collect to:

• Respond to enquiries and product briefings
• Issue quotes, order forms, licences and renewal notices
• Provide customer support, deployment guidance and release communications
• Manage commercial, partner and MSP relationships
• Meet legal, regulatory and accounting obligations

Billing for Compliance On Demand is handled by an accredited third-party payment provider. Card numbers, bank account details and other payment instrument data are submitted directly to that provider and are not collected, stored or processed by us.

We retain only the minimum billing context we need for our own records, such as the company name, billing address, contact email and invoice history.

We do not sell personal information. We disclose personal information only where it is necessary to operate our business or where we are required to by law, including to:

• Our accredited payment provider, for the purpose of processing payments
• Professional advisers such as accountants and lawyers, under confidentiality obligations
• Service providers used to send invoices, contracts or commercial correspondence
• Government agencies, regulators or law enforcement where lawfully required

We are an Australian business and prefer to keep records in Australia where practical. Some service providers (for example, email and document delivery tools) may store data overseas. Where that occurs, we take reasonable steps to ensure the recipient handles personal information consistently with the APPs.

We retain personal information only for as long as needed to fulfil the purposes set out in this policy and to meet legal, tax and contractual record-keeping obligations. When information is no longer required, we take reasonable steps to delete or de-identify it.

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. These steps include access controls on internal systems, encryption in transit, and contractual confidentiality with service providers.

No method of electronic storage or transmission is fully secure. We cannot guarantee absolute security, but we work to reduce risk and respond promptly to any incident.

Under the APPs you have the right to:

• Request access to the personal information we hold about you
• Request correction of personal information that is inaccurate, out of date or incomplete
• Make a complaint about how we have handled your personal information

To exercise any of these rights, contact us at [email protected]. We will respond within a reasonable time.

If you are not satisfied with our response to a privacy complaint, you may escalate the matter to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We may update this policy from time to time. The version in force is the version published at this URL. The “Last updated” date below indicates when the current version was published.

Questions about this policy or about how we handle personal information can be sent to [email protected].

Yuma IT Pty. Ltd. is the publisher of Compliance On Demand.