Last Updated: 6 December 2025

Impact Connex Pty Ltd ("Impact Connex," "we," "our," or "us") is committed to protecting the privacy and security of the personal and organizational data we process. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered ESG impact reporting platform and related services (collectively, the "Services").

This policy applies to all users of our Services, including social enterprises, corporate clients, and visitors to our website. By using our Services, you acknowledge that you have read and understood this Privacy Policy.

When organizations engage with our platform, we collect:

• Organization Information: Legal name, ABN/ACN, address, industry sector, size, and contact details
• User Account Information: Names, email addresses, phone numbers, job titles, and login credentials of authorized users
• Social Enterprise Data: Impact metrics, operational data, beneficiary statistics (anonymized), and project outcomes
• Corporate Client Data: ESG objectives, procurement data, partnership information, and reporting preferences

With your explicit authorization, we collect:

• Social Media Data: Posts, engagement metrics, and content from authorized organization accounts
• Financial System Data: Transaction data, procurement information, and supplier details from integrated systems (e.g., Xero)
• CRM Data: Stakeholder information and relationship data from authorized CRM systems (e.g., HubSpot)
• Project Management Data: Project status, timelines, and outcomes from integrated tools (e.g., Monday.com)
• Document Management Data: ESG documentation and reports from authorized systems (e.g., SharePoint)

Our platform automatically collects:

• Usage Data: How you interact with our platform, features used, time spent, and actions taken
• Device Information: IP address, browser type, device type, and operating system
• Log Data: Error reports, platform performance metrics, and feature usage statistics
• Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar tracking technologies

We use the collected information for the following purposes:

• Generate ESG impact reports and analytics dashboards
• Calculate social return on investment (SROI) and other impact metrics
• Create and maintain impact frameworks based on global standards
• Facilitate connections between social enterprises and corporate partners
• Provide insights and recommendations for maximising social impact

• Enhance platform functionality and user experience
• Develop new features and capabilities
• Fix bugs and technical issues
• Train and improve our AI models (using anonymised data)
• Conduct research and analysis on impact reporting trends

• Respond to inquiries and support requests
• Provide updates about our Services
• Send notifications about platform changes or maintenance
• Share educational content about ESG reporting and best practices

We implement robust security measures to protect your information, including:

• Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3+)
• Access Controls: Role-based access control (RBAC) with multi-tenant isolation
• Database Security: Row-level security (RLS) policies in our PostgreSQL database
• Authentication: Multi-factor authentication for administrative access
• Regular Security Audits: Periodic security assessments and penetration testing
• Automated Backups: Regular data backups with defined retention periods
• Monitoring: Intrusion detection and security monitoring systems
• Incident Response: Comprehensive procedures for security incident detection and response

We may share information in the following circumstances:

• When social enterprises authorise sharing of impact data with specific corporate clients
• When corporate clients authorise sharing of procurement data with specific social enterprises
• When you explicitly request us to share your information with a third party

We engage the following types of service providers who may have access to your data:

• Cloud infrastructure providers for hosting services
• AI processing services for data analysis and reporting
• Vector embedding services for data processing
• Email communication services for notifications
• Automation platforms for data integration

We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government requests).

If Impact Connex is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction.

We retain your information for as long as:

• Your account is active
• The data is necessary to provide our Services
• Required to fulfil our legal obligations
• Essential for legitimate business purposes

Upon termination of services or at your request:

• All personal data will be permanently deleted within 30 days
• Backup copies will be deleted within 90 days
• We will provide written confirmation of deletion

• Data required by law to be retained
• Anonymized aggregated data (with your consent)

Depending on your location, you may have certain rights regarding your information:

• Access: Request copies of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (right to be forgotten)
• Restriction: Limit how we use your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to certain types of processing

To exercise these rights, please contact us at privacy@impactconnex.ai. We will respond to all legitimate requests within 30 days.

All data processing occurs within Australia. We do not transfer your data internationally without your explicit consent. If international transfers become necessary, we will implement appropriate safeguards in compliance with applicable data protection laws.

Our Services are not directed to children under 18. We do not knowingly collect personal information from children. If we discover that a child has provided us with personal information, we will delete it immediately.

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our website and, where appropriate, sending an email notification. We encourage you to review this Privacy Policy periodically.

Impact Connex may request developer access to organisation platforms (such as LinkedIn, Facebook, or other social media platforms) to facilitate data collection for impact reporting. This access:

• Is obtained only with explicit authorisation from the organisation
• Is limited to the specific data needed for impact reporting
• Follows all platform-specific developer policies and terms of service
• Can be revoked by the organisation at any time

When using Make.com or similar integration platforms:

• We authenticate using your authorised credentials
• We monitor only the specific data streams you've authorised
• We maintain the security and confidentiality of all API keys and access tokens
• We implement rate limiting to comply with platform requirements

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Privacy Officer Impact Connex Pty Ltd  Email: privacy@impactconnex.ai 

This Privacy Policy is governed by the laws of Australia and is subject to the Australian Privacy Act 1988 and the Australian Privacy Principles.