Codex Analytica ('we', 'us', 'our') is committed to protecting the privacy of every visitor, prospect, and client. This policy explains what we collect, how we use it, who we share it with, and the rights you have over your data.
We comply with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and where applicable the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. What we collect
We collect only the information necessary to respond to enquiries, deliver consulting services, and operate our website and business.
- Contact details you submit via our contact form, calendar bookings, or email: typically name, work email, company, role, and the project context you share.
- Engagement data during paid work, including files, schemas, and dashboards you share with us under our service agreement, plus any data necessary to perform the work.
- Usage analytics: anonymised, aggregated metrics about how the site is used (page views, referrers, device class, country) collected via privacy-respecting analytics tools.
- Cookies and similar technologies (see our separate Cookies Policy).
- Communications: emails, calendar invites, and meeting notes from our exchanges.
2. How we use it
We use your information for the following purposes, and only for these purposes:
- Responding to your enquiry and following up on a discovery call.
- Delivering and supporting the services you have engaged us for.
- Sending you essential project communications.
- Sending you our newsletter, only if you have explicitly opted in. You can unsubscribe at any time.
- Improving the website (analytics, performance, accessibility).
- Meeting our legal, tax, and accounting obligations.
3. Lawful basis (GDPR / UK GDPR)
Where the GDPR applies, our lawful bases for processing are: (a) performance of a contract for engagement-related processing; (b) legitimate interests for responding to enquiries and improving the site; (c) consent for marketing emails and non-essential cookies; and (d) legal obligation for tax, accounting, and regulatory record-keeping.
5. International transfers
Some of the processors above are located outside Australia. Where we transfer personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs and, where the GDPR applies, under Standard Contractual Clauses or an equivalent transfer mechanism.
6. How long we keep it
We retain personal information only for as long as we need it for the purposes described above, or as required by law (Australian Tax Office record-keeping periods are typically 5–7 years).
Discovery enquiries that don't proceed are deleted within 12 months. Engagement records are retained for 7 years from the end of the engagement to satisfy tax obligations.
7. Security
We apply industry-standard safeguards: encryption in transit (TLS 1.3), encryption at rest, principle of least privilege, MFA on every privileged account, hardware-key-backed admin access, and regular access reviews. No system is perfect. If a breach occurs, we will notify you and the OAIC in line with the Notifiable Data Breaches scheme.
8. Your rights
You can ask us to:
- Access the personal information we hold about you.
- Correct information that is inaccurate, out of date, or incomplete.
- Delete information where there's no overriding legal reason to keep it.
- Object to or restrict processing for direct marketing purposes.
- Port your data to another provider (where the GDPR applies).
- Withdraw consent for any processing that relies on it.
9. Children
Our services are aimed at businesses. We do not knowingly collect personal information from anyone under 16. If you believe we have, please contact us and we will delete it.
10. Complaints
If you believe we have mishandled your information, please contact us first. We take this seriously and will investigate within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or your local data protection authority if you are in the EU/UK.
11. Changes to this policy
We will post the date the policy was last updated at the top. For material changes (a new processor, a new purpose, or a change in legal basis), we will notify active clients by email.
12. Contact
For privacy questions, data subject requests, or breach reports, write to admin@codexanalytica.com. Postal address: Melbourne VIC, Australia.