Privacy Policy

Rubii Technology Pty Limited ACN 627 769 180 (Rubii, we, us or our) is committed to protecting the privacy of personal information and to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information in the course of providing our products and services.

1. Personal information

Personal information is information or an opinion about an identified or reasonably identifiable individual, whether true or not, and whether recorded in a material form.

2. Information we collect

2.1 Personal Information

We may collect and hold personal information relating to our clients, prospective clients, and their authorised representatives, including:

- Names
- Email addresses
- Telephone numbers
- Job titles
- Company names
- Business contact details, including ABN

We do not actively seek to collect sensitive information. However, data accessed through connected third-party platforms may incidentally contain sensitive information, which we process and protect in accordance with Section 7.6 of this policy.

2.2 Platform, Usage, and Technical Data

In addition to personal information, we may collect non-personal data relating to use of the Rubii platform, including:
- System logs and usage data
- Performance and diagnostic data
- Aggregated or anonymised analytics
- Error reports and security logs

This information is used to operate, secure, maintain, and improve the Rubii platform.

3. How we collect information

We may collect information:

- Directly from you or your organisation (for example, via registration forms, contracts, emails, or support requests)
- Through authorised access to third-party platforms via APIs that you connect to Rubii
- Automatically through use of the Rubii platform (for example, usage and log data)

Where we access third-party platforms, this occurs only with client authorisation.

4. How we use information

We use personal information for purposes reasonably necessary to operate our business and provide our services, including to:

- Provide, operate, and support the Rubii platform
- Deliver campaign operations, reporting, and end-of-month finance workflows
- Communicate with clients about services, updates, and support
- Improve product functionality and performance
- Conduct internal administration, planning, research, and product development
- Comply with legal and regulatory obligations

We do not use or disclose personal information for unrelated secondary purposes without consent, unless permitted by law.

5. AI and Automated Processing

Rubii uses automated systems and algorithms to analyse data and generate insights, recommendations, and operational outputs.

These systems are designed to support human decision-making, not replace it. Rubii does not sell personal information and does not use client data to train any AI or machine learning models.

6. Third party platforms and APIs

Rubii integrates with third-party platforms through APIs at the direction and authorisation of clients. Rubii does not control how those third-party platforms collect or use data, and clients remain responsible for complying with the terms and privacy obligations of those platforms.

7. Data Security (Updated)

We take the security and protection of personal information very seriously and implement reasonable and appropriate technical, administrative, and physical safeguards to protect data from unauthorized access, misuse, disclosure, alteration, and destruction.

7.1 Encryption

Encryption in Transit: Personal information and Customer Data are encrypted using industry-standard protocols (such as TLS) when transmitted between systems and over networks.

Encryption at Rest: Where applicable, Customer Data is stored in encrypted form using industry-standard encryption technologies provided by our cloud service providers. These encryption measures help safeguard sensitive information against interception or unauthorized access.

7.2 Access Controls and Authentication

We enforce strict access control measures to limit access to personal information to individuals who require it for authorised business functions. These controls include:

- Role-based access restrictions
- Strong authentication requirements
- Regular review of permissions and access logs
- Multi-factor authentication (2FA) enforcement for all user access

7.3 Secure Infrastructure and Monitoring

We utilise trusted cloud infrastructure and security best practices to help protect Customer Data, including but not limited to:

- Reputable cloud service providers with robust physical and logical security controls
- Monitoring and logging of system activity to detect and respond to potential security incidents
- Regular vulnerability assessment and risk monitoring
- AWS Web Application Firewall (WAF) protection
- API Gateway with rate limiting
- Microservices architecture with isolated data processing
- Automated backup systems

7.4 Incident Response and Reporting

We maintain procedures to identify, respond to, and mitigate security incidents. In the unlikely event of a data breach involving personal information, we will comply with applicable legal notification requirements.

7.5 Security Standards and Best Practice

While not all services are directly certified, our cloud infrastructure leverages widely recognised information security standards and controls (such as those aligned with ISO/IEC 27001-series principles) that support strong data protection practices.

Third-party service providers we use also maintain robust security programs to protect data and comply with applicable regulations.

7.6 Sensitive Data Protection

We implement additional protections around sensitive data (as defined under applicable laws or platform requirements). Security procedures are in place to protect the confidentiality and integrity of sensitive personal data, consistent with industry expectations for secure cloud-based services.

8. Data Retention

We retain personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, or as required by law.
When personal information is no longer required, it is securely deleted or anonymised.

Indicative retention periods include:

- Account and contact data: Duration of business relationship plus 7 years
- Transaction and billing records: 7 years for tax and legal compliance
- System logs and usage data: 12 months
- Marketing preferences: Until consent is withdrawn

9. Marketing Communications

We may send communications about our products and services that may be of interest to you. You may opt out of receiving marketing communications at any time by using the unsubscribe mechanism provided or by contacting us.

10. Overseas Disclosure

Rubii may use reputable cloud infrastructure, software, and service providers that store data in Australia or overseas.
Where personal information is disclosed outside Australia, we take reasonable steps to ensure the recipient complies with privacy protections substantially similar to Australian privacy law, or as otherwise permitted under the Privacy Act.

11. International Users and GDPR

Rubii is based in Australia, and our primary operations are governed by Australian privacy law. However, we may provide services to organisations and users located outside Australia, including in the European Economic Area (EEA) and the United Kingdom. Where the General Data Protection Regulation (GDPR) or equivalent international data protection laws apply, Rubii will process personal data in accordance with those laws and our contractual obligations.

Legal Bases for Processing

Where applicable under the GDPR, Rubii processes personal data on the following legal bases:

- Performance of a contract
- Legitimate interests (such as operating, securing, and improving our services)
- Compliance with legal obligations
- Consent, where required by law

Data Controller and Processor Roles

In most cases, Rubii acts as a data processor on behalf of its clients, who act as data controllers in relation to personal data processed through the Rubii platform.
Rubii processes such personal data only in accordance with client instructions and applicable law.
Rubii acts as a data controller for personal data processed for its own business purposes, such as account management, product improvement, and compliance.

International Data Transfers

Where personal data subject to the GDPR is transferred outside the EEA or the United Kingdom, Rubii takes reasonable steps to ensure appropriate safeguards are in place, including contractual protections and the use of reputable service providers with recognised data protection standards.

Data Subject Rights

Where applicable, individuals located in the EEA or the United Kingdom may have rights under the GDPR, including the right to:

- Access personal data
- Request correction or erasure
- Restrict or object to processing
- Request data portability
- Withdraw consent where processing is based on consent

Requests to exercise these rights may be submitted to support@rubii.io. We may need to verify identity before responding.

12. Access and Correction

You may request access to personal information we hold about you, or request correction of inaccurate or outdated information.

We will respond to access and correction requests within a reasonable timeframe, generally within 30 days.
We may charge a reasonable administrative fee for providing access where permitted by Australian law.

For individuals in the EEA or United Kingdom, the first copy of personal data will be provided free of charge in accordance with GDPR requirements.

Requests should be directed to support@rubii.io and we will attempt to resolve your complaint.

13. Children's Privacy

Rubii is not directed to children under the age of 16, and we do not knowingly collect personal information from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations.
The current version will always be available on our website.

15. Complaints

If you believe we have breached the Privacy Act 1988 (Cth), you may contact us at support@rubii.io and we will attempt to resolve your complaint. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) via www.oaic.gov.au or on 1300 363 992.

For individuals located in the EEA or the United Kingdom, you may also have the right to lodge a complaint with your local data protection supervisory authority.

16. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact:

Rubii Technology Pty Limited
Suite 3, Level 4, 109 Pitt Street Sydney NSW 2000
Australia

Email: support@rubii.io