Privacy Policy

PROMOSYNC Pty Ltd (ABN 95 687 264 160) ("PROMOSYNC", "we", "us", "our") respects your privacy and is committed to protecting the personal information we collect about you. This Privacy Policy explains how we collect, hold, use, and disclose your personal information when you use our website (www.promosync.ai), platform, and related services (collectively, the "Service").

This Privacy Policy is drafted in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

We collect the following categories of personal information:

Account Information — your name, email address, company name, and login credentials (passwords are stored in hashed form and are never accessible in plain text).

Business Data — trade promotion plans, promotional mechanics (pricing, discounts, multibuy offers), product catalogues, retailer data, and other inputs you upload into the Service. This is your business data and you retain full ownership of it.

Usage Information — activity logs, IP address, device and browser type, session data, and how you interact with our platform. This is collected automatically when you use the Service.

Support Information — when you contact us via our website contact form or email, we collect your name, company name, email address, and the content of your message.

Security and Authentication Data — failed login attempts, account lock status, multi-factor authentication configuration, session tokens, and last login timestamps. This data is collected to maintain the security of your account.

Audit Logs — records of actions performed within the platform, including the user, action type, timestamp, and IP address. These are retained for compliance and security purposes.

We collect personal information in the following ways:

Directly from you — when you create an account, fill out forms on our website, upload data to the platform, or contact us for support.

Automatically — through cookies, analytics tools, server logs, and authentication systems when you use our website or platform.

From your organisation — when a company administrator invites you to join their PROMOSYNC workspace, we receive your email address and assigned role.

We use your personal information for the following purposes:

• Provide, operate, and maintain the Service, including processing your trade promotion data and generating retailer-specific exports.

• Authenticate your identity, manage your account, and enforce access controls.

• Communicate with you about updates, issues, security alerts, or support requests.

• Ensure the security of the Service, detect fraud, and prevent misuse.

• Maintain audit trails for compliance with ISO 27001 and SOC 2 requirements.

• Analyse anonymised usage trends to improve the performance and reliability of the Service.

• Comply with our legal obligations under Australian law.

We process your information on the following legal bases: performance of our contract with you (or your organisation), our legitimate interests in operating and securing the Service, and compliance with legal obligations.

Our website uses cookies and similar tracking technologies. The specific technologies we use are:

Essential Cookies — required for the website and platform to function, including session management and authentication. These cannot be disabled.

Analytics Cookies — we use Google Analytics 4 to understand how visitors interact with our website. Google Analytics sets cookies to collect information about page views, traffic sources, device type, and user interactions. This data is processed by Google LLC and may be transferred to servers in the United States. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).

We do not use marketing or advertising cookies.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

• With trusted service providers (sub-processors) who help us deliver the Service, as listed in Section 7 below.

• If required by law, regulation, court order, or government request.

• To enforce our Terms of Service or protect the rights, property, or safety of PROMOSYNC, our users, or others.

• In the event of a merger, acquisition, or sale of assets, in which case affected users will be notified.

We use the following third-party service providers to operate the Service. Each processes data only as necessary to perform their function:

Amazon Web Services (AWS) — Cloud infrastructure, hosting (ECS), database (RDS/PostgreSQL), file storage (S3), email delivery (SES), encryption key management (KMS), logging (CloudWatch, CloudTrail), and web application firewall (WAF). Data is stored in the ap-southeast-2 (Sydney, Australia) region. AWS is our primary infrastructure provider.

Google LLC (Google Analytics 4) — Website analytics and usage tracking. Data may be processed in the United States. Governed by Google’s Privacy Policy.

Google Cloud / Firebase — Website authentication and database services for the marketing website. Data may be processed in the United States. Governed by Google Cloud’s Data Processing Terms.

Vercel Inc. — Website hosting, content delivery, and edge functions for www.promosync.ai. Servers are distributed globally. Governed by Vercel’s Privacy Policy.

Slack Technologies (Salesforce) — Contact form submissions from our website are forwarded to our internal Slack workspace for processing by our team. Governed by Slack’s Privacy Policy.

We review our sub-processors periodically and require each to maintain appropriate security measures. Enterprise customers may request our current sub-processor list and will be notified of material changes.

In accordance with Australian Privacy Principle 8, we disclose that your personal information may be transferred to, or processed in, countries outside Australia:

• Singapore (ap-southeast-1) — Disaster recovery backups of our primary database.

• United States — Google (Analytics and Firebase), Vercel (website hosting), and Slack (contact form processing) may process data in the United States.

Our primary data storage is in Australia (AWS ap-southeast-2, Sydney). We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the Australian Privacy Principles, including through contractual obligations and selecting providers with robust security and privacy certifications (SOC 2, ISO 27001).

You retain full ownership of all business data you upload to PROMOSYNC. We process it solely to provide the Service to you under our contractual agreement.

We implement industry-standard technical and organisational security measures to protect your data, including:

• Encryption at rest (AES-256 via AWS KMS) and in transit (TLS 1.2+).

• Role-based access controls and multi-factor authentication.

• Web Application Firewall (AWS WAF) with rate limiting and SQL injection / XSS protection.

• Comprehensive audit logging of all platform actions.

• Regular security assessments and penetration testing.

• Account lockout after 5 failed login attempts (30-minute lockout period).

We retain your information for the following periods:

• Business data — for as long as your account is active and you use the Service.

• Account information — for as long as your account exists.

• Audit logs — retained for 2 years for compliance purposes (ISO 27001 A.8.15, SOC 2).

• Security logs (sessions, authentication events) — retained in accordance with our internal log retention policy.

• Website analytics data — governed by Google Analytics’ data retention settings.

If you close your account or your organisation terminates the Service, we will delete or anonymise your personal and business data within 30 days, unless we are required to retain it by law. Backup copies are purged within 60 days of account closure.

Under the Australian Privacy Act 1988, you have the following rights in relation to your personal information:

• Access — you may request access to the personal information we hold about you (APP 12).

• Correction — you may request that we correct inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13).

• Deletion — you may request that we delete your personal information where it is no longer needed for the purpose for which it was collected.

• Restriction — you may ask us to restrict or stop processing your personal information in certain circumstances.

• Complaint — if you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us (see below) or with the Office of the Australian Information Commissioner (OAIC).

To exercise any of these rights, please contact us at info@promosync.ai. We will respond to your request within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au or by calling 1300 363 992.

In the event of an eligible data breach (as defined under Part IIIC of the Privacy Act 1988), we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

• Notify affected individuals, including a description of the breach, the kinds of information involved, and recommended steps to take.

Our internal incident management process is aligned with ISO 27001 and SOC 2 requirements. We aim to complete our assessment of a suspected breach within 72 hours.

PROMOSYNC is a business-to-business service designed for use by professionals within organisations. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.

Our website or Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on our website with a revised "Last updated" date.

For material changes, we will take reasonable steps to notify you (for example, by email or a notice within the platform). Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact us:

Privacy Contact: Chief Technology Officer (acting Chief Information Security Officer)

Email: info@promosync.ai

Address: PROMOSYNC Pty Ltd, Marnirni-apinthi Building, Lot Fourteen, North Terrace, Adelaide SA 5000, Australia

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au

Phone: 1300 363 992

Address: GPO Box 5218, Sydney NSW 2001, Australia