Privacy Policy (Australia)

Effective date: 25 December 2025

Operator: Planthtropic Pty Ltd ("Kortado", "we", "us", "our")

Privacy contact: info@kortado.com.au

 

1. What this Privacy Policy covers

This Privacy Policy explains how we collect, store, use, and disclose personal information when you:

·       visit our website;

·       enquire with us;

·       subscribe to or use our software platform and related services (the "Services"); or

·       interact with us in any way.

We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.

2. Key terms

·       Personal information has the meaning given in the Privacy Act.

·       Sensitive information includes health information and other protected categories under the Privacy Act.

·       Customer means an organisation that has subscribed to the Services.

·       End User means an individual authorised by a Customer (for example, employees, contractors, and auditors).

·       Customer Data means all data uploaded to or generated within the Services by or on behalf of a Customer.

3. What we collect

We may collect the following categories of information:

A. Information you provide

·       name, business email, organisation, role/title, phone number;

·       account and authentication information (including verification details where applicable);

·       billing contact details (payments may be handled by a secure third-party processor);

·       communications (support tickets, emails, requests, feedback); and

·       Customer Data you upload, generate, or otherwise make available through the Services.

B. Information collected automatically

·       IP address, device identifiers, browser type and settings;

·       usage logs, access logs, and security telemetry;

·       pages visited, time on site, referral source; and

·       cookies and similar technologies (see section 10).

C. Sensitive information

We do not intentionally collect sensitive information via our public marketing website. However, Customers may upload sensitive information (including health information) into the Services. Where we handle such data, we treat it with heightened controls.

4. How we use personal information

We collect and use personal information to:

·       operate, secure, maintain, and improve the Services;

·       create and administer accounts, permissions, and access controls;

·       provide support, training, onboarding, and service communications;

·       detect, prevent, and respond to fraud, misuse, and security threats;

·       manage subscriptions, billing, and contractual administration; and

·       comply with legal obligations and enforce our rights.

5. Service-provider handling of Customer Data

In many cases, we handle Customer Data on behalf of a Customer as a service provider. Customers remain responsible for deciding what information to upload, ensuring they have appropriate authority to do so, and meeting any sector-specific obligations that apply to them.

6. How we disclose personal information

We may disclose personal information to:

·       Customers and authorised End Users (as part of providing the Services);

·       vetted service providers that help us operate the Services (for example, infrastructure, monitoring, analytics, support tooling, and payment processing), under confidentiality and security obligations;

·       professional advisers (lawyers, accountants, auditors);

·       regulators, law enforcement, or courts where required or authorised by law; and

·       a purchaser or successor in the event of a restructure, merger, or sale (with appropriate safeguards).

We do not sell personal information.

7. Data residency (Australia only)

All personal information and Customer Data processed through the Services is stored and processed on-shore in Australia. We do not transfer, disclose, store, or process personal information or Customer Data outside Australia, and we do not use off-shore storage, backup, or processing for Customer Data. Access to Customer Data is tightly controlled, logged, and limited to authorised personnel and systems for the purposes described in this Policy.

8. Security posture and data protection

We operate a security program designed for high-trust environments and apply layered administrative, technical, and organisational controls proportionate to the sensitivity of data commonly present in regulated care ecosystems.

Our controls may include:

·       least-privilege access and role-based permissions;

·       multi-factor authentication (MFA) support and privileged access controls;

·       encryption in transit and encryption at rest where applicable;

·       audit logging and tamper-resistant records of sensitive actions;

·       monitoring and alerting for suspicious activity;

·       secure development practices, dependency management, vulnerability management, and patching; and

·       backup, resilience, and recovery controls.

We design these controls to align with obligations under APP 11 (security of personal information) and to be consistent with recognised Australian cyber security guidance such as the ACSC Essential Eight maturity approach. No system can be guaranteed as completely secure; however, we continuously improve controls based on risk and evolving threats.

9. Notifiable Data Breaches (NDB)

If we become aware of an eligible data breach likely to result in serious harm, we will respond consistent with the NDB scheme, including notifications to affected parties and/or the Office of the Australian Information Commissioner (OAIC) where required.

10. Cookies and analytics

We use cookies and similar technologies for functionality, analytics, and (where enabled) marketing measurement. You can manage cookies via browser settings; disabling cookies may affect website functionality.

11. Access and correction

You may request access to, or correction of, personal information we hold by contacting info@kortado.com.au. We may need to verify your identity.

Where your information is held as Customer Data, we may direct you to the relevant Customer (your organisation) to action the request.

12. Retention

We retain personal information only as long as necessary for the purposes described, unless a longer period is required or permitted by law. Customer Data retention and deletion are governed by the Customer agreement and configuration.

13. Complaints

To make a privacy complaint, contact us at info@kortado.com.au. We will investigate and respond within a reasonable timeframe.

If you are not satisfied with our response, you may contact the OAIC.

14. Updates to this Policy

We may update this Policy from time to time. The latest version will be published on our website with the updated effective date.

Try Kortado risk-free

See your current compliance position

Trust matters in regulated environments. That’s why we offer a 30-day evaluation so you can assess how Kortado supports everyday compliance and audits.

In the demo you'll receive

Insight from your own records

A clear view of day-to-day risk and compliance gaps

Evidence you can explain and defend — operationally and during audits

Clarity on whether Kortado is the right fit
