TitanRDM Privacy Policy
Effective Date: 25 May 2025
Last Updated: 25 May 2025
This Privacy Policy describes how Willow Box Pty Ltd ATF Willow Box Trust ("we", "us", "our", "the Company"), operating as TitanRDM, collects, uses, discloses, and protects personal information in connection with the TitanRDM platform ("the Service").
We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For individuals in the EU/EEA/UK, we also comply with the General Data Protection Regulation (GDPR) as set out in our Data Processing Agreement.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, organisation name, job title, and password when you register for the Service.
- Billing Information: Payment details are collected and processed by our payment processor, Stripe. We store a reference to your Stripe customer ID but do not store credit card numbers or bank details on our servers.
- Customer Data: Data you upload, import, or enter into the Service (reference data tables, column definitions, import mappings, etc.). This is your content and we process it solely to provide the Service.
- Communications: Information you provide when contacting support or communicating with us.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions performed, timestamps, and session duration.
- Device Information: Browser type and version, operating system, screen resolution, and device identifiers.
- Log Data: IP address, access times, referring URLs, and server logs.
- Cookies and Similar Technologies: See Section 7 below.
1.3 Information from Third Parties
- OAuth Providers: If you authenticate using a third-party provider, we receive limited profile information as authorised by you.
- Stripe: Subscription status, payment success/failure notifications, and invoice data.
2. How We Use Your Information
We use your personal information for the following purposes:
- Service Delivery: To provide, maintain, and improve the Service, including account management, authentication, and technical support.
- Billing: To process payments, manage subscriptions, and track usage for billing purposes.
- Communication: To send transactional emails (account confirmations, password resets, billing receipts), service notifications, and usage alerts.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Analytics: To understand how the Service is used and to improve features, performance, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
We do not sell your personal information. We do not use Customer Data for advertising or marketing purposes.
3. Legal Basis for Processing (GDPR)
For individuals in the EU/EEA/UK, we process personal data on the following legal bases:
- Contract: Processing necessary to perform our contract with you (providing the Service).
- Legitimate Interests: Improving the Service, ensuring security, and preventing fraud.
- Legal Obligation: Compliance with applicable laws.
- Consent: Where you have given specific consent (e.g., marketing communications), which you may withdraw at any time.
4. Sharing and Disclosure
We may share personal information with:
- Service Providers: Third-party providers who assist us in operating the Service, subject to confidentiality obligations. These include:
  - Amazon Web Services (AWS) — cloud infrastructure and hosting
  - Stripe — payment processing
  - Email delivery services — transactional and notification emails
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
- With Your Consent: When you have explicitly authorised sharing.
We do not share Customer Data with third parties except as necessary to provide the Service (e.g., storing data on AWS infrastructure).
5. International Data Transfers
5.1. Our primary infrastructure is hosted in the USA. Customer Data is stored within the USA unless you explicitly configure otherwise.
5.2. Some service providers (e.g., Stripe) may process data in jurisdictions outside the USA. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (for EU/EEA/UK data)
- The provider's compliance with applicable data protection frameworks
- Contractual obligations requiring equivalent levels of data protection
6. Data Retention
- Active Accounts: We retain personal information and Customer Data for the duration of your Subscription.
- After Cancellation: Customer Data is retained for 90 days following Account cancellation to allow for reactivation or data export, then permanently deleted.
- Billing Records: Payment and invoice records are retained for 7 years to comply with Australian tax and accounting obligations.
- Logs and Analytics: Server logs are retained for up to 12 months. Aggregated, anonymised analytics may be retained indefinitely.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for the Service to function (session management, authentication, CSRF protection). These cannot be disabled.
- Functional Cookies: Remember your preferences (e.g., current branch selection, UI settings).
- Analytics Cookies: Help us understand how the Service is used to improve performance and features.
We do not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings.
8. Data Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Tenant isolation — each customer's data is stored in a logically separated database schema
- Role-based access controls and the principle of least privilege
- Regular security assessments and monitoring
- Secure credential storage (encrypted credentials)
- Automated backups with point-in-time recovery
While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information (subject to legal retention obligations).
- Data Portability: Request an export of your data in a machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
To exercise these rights, contact us at support@titanrdm.com. We will respond within 30 days (or as required by applicable law).
10. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect.
13. Complaints
If you are unsatisfied with our handling of your personal information, you may lodge a complaint with:
- Us: Contact support@titanrdm.com and we will investigate and respond within 30 days.
- The Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
- EU/UK Data Protection Authority: If you are in the EU/EEA/UK, you may also lodge a complaint with your local supervisory authority.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: support@titanrdm.com
- Entity: Willow Box Pty Ltd ATF Willow Box Trust
- Jurisdiction: Queensland, Australia