Privacy Policy

Entity: Kicking Pixels Pty Ltd (ABN 13 136 066 496)
Operating: Gatheroo (gatheroo.io)
Contact: privacy@kickingpixels.com.au
Governing Law: New South Wales, Australia
Certification: ISO 27001:2022 certified ISMS

This Privacy Policy explains how Kicking Pixels Pty Ltd collects, uses, discloses, and protects personal information in connection with the Gatheroo platform and website. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we interact with individuals in the UK or EU, we also comply with the UK GDPR and EU GDPR respectively.

1. Introduction

Gatheroo (gatheroo.io) is a secure document and information collection platform operated by Kicking Pixels Pty Ltd (ABN 13 136 066 496) (“we”, “us”, “our”).

We operate under an ISO 27001:2022-certified Information Security Management System (ISMS), providing a structured framework for continuously managing and improving our security and privacy practices.

2. Understanding Our Role | Data Controller vs Data Processor

This is the most important section of this policy for anyone interacting with Gatheroo. Because Gatheroo is a platform used by businesses to collect information from their own clients, there are two distinct privacy roles at play.

Data collected via the Gatheroo website itself (gatheroo.io) in the context of our own marketing, account management, and support activities is subject to this Privacy Policy in full, with Kicking Pixels Pty Ltd acting as the data controller.

3. Information We Collect

3.1 Gatheroo Customers (Businesses signing up to use Gatheroo)

When you sign up for or use a Gatheroo account, we collect:

• Name and contact details (email address, phone number, business name and address)
• Account information (username, preferences, login credentials)
• Payment information, processed securely by Stripe; we do not store card details
• Usage data relating to your account activity on the Gatheroo platform

3.2 End Users (Clients submitting information through a Gatheroo portal)

When you submit documents or information through a Gatheroo portal at the request of a business, the information you provide is collected and stored on behalf of that business. This may include:

• Personal identification information (name, date of birth, address)
• Contact details (email, phone number)
• Financial or professional documents
• Any other information requested by the business that invited you

The scope and nature of this information is determined by the business using Gatheroo, not by Kicking Pixels. For questions about what data is being collected or why, please contact the business directly.

3.3 Website Visitors (gatheroo.io)

When you visit gatheroo.io, we may automatically collect:

• IP address and approximate location
• Browser type, version, and device information
• Pages visited, time spent, and navigation paths
• Referring URLs

This information is collected via cookies and analytics tools. See Section 8 for details.

3.4 Information You Submit

Information provided through contact forms, support requests, trial sign-ups, or other communications you initiate with us.

We do not collect sensitive information (as defined under the Privacy Act) unless it is strictly necessary and you have provided explicit consent.

4. How We Use Your Information

4.1 Gatheroo Customer Data

We use the personal information of Gatheroo customers to:

• Create and manage your Gatheroo account
• Deliver, operate, and improve the Gatheroo platform
• Process payments securely
• Provide customer support
• Send service-related communications (account notices, security alerts, product updates)
• Send marketing communications — only with your explicit consent
• Meet our legal and regulatory obligations

4.2 End User Data (Submitted Through Portals)

We use end user data solely to operate the Gatheroo platform on behalf of the business customer. Specifically:

• To store and make submitted documents and information available to the business that requested them
• To provide the secure transmission and storage infrastructure that underpins the Gatheroo service

We do not use end user data for our own marketing, analytics, or any purpose unrelated to providing the Gatheroo service to the relevant business.

4.3 Website Visitor Data

We use website visitor data to analyse usage patterns, improve the Gatheroo website and marketing, and deliver relevant advertising where consent has been provided.

We do not sell personal data. We do not use data for purposes unrelated to the services described above.

5. Legal Basis for Processing

5.1 Australian Users (Privacy Act 1988)

We collect and handle personal information in accordance with the Australian Privacy Principles (APPs). Our primary bases for collection are:

• With your consent
• Where necessary to provide services you have requested
• To comply with a legal obligation
• For our legitimate business interests, where these do not override your privacy rights

5.2 UK and EU Users (UK GDPR / EU GDPR)

If you are located in the UK or EU, we rely on the following lawful bases:

• Consent, where you have clearly opted in
• Contract, where processing is necessary to fulfil a service agreement
• Legal obligation, where we are required to process data by law
• Legitimate interests, for example, improving our services, provided this does not override your rights

For end users submitting data through a Gatheroo portal, the lawful basis for processing is determined by the business customer acting as data controller. Queries about the legal basis for collection should be directed to that business.

6. Automated Decision-Making

We do not use automated decision-making or profiling processes that produce legal or similarly significant effects on individuals. If this changes, we will update this Privacy Policy and notify affected users as appropriate.

7. Your Rights

7.1 Australian Users

Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you (APP 12)
• Request correction of inaccurate or incomplete information (APP 13)
• Make a complaint about how we have handled your personal information

7.2 UK and EU Users

In addition to the above, if you are in the UK or EU you also have the right to:

• Request erasure of your personal data (“Right to be Forgotten”)
• Restrict or object to certain processing activities
• Receive a portable copy of your data
• Withdraw consent at any time, without affecting the lawfulness of prior processing

7.3 End Users | Important Note

If you have submitted information through a Gatheroo portal and wish to access, correct, or delete that information, your primary point of contact is the business that invited you to use Gatheroo. They are the data controller for that information.

If you believe Kicking Pixels has mishandled your data in its capacity as data processor, you may contact us directly and we will assist in accordance with our obligations under applicable law.

To exercise any rights directly with Kicking Pixels, please contact us at privacy@kickingpixels.com.au. We aim to acknowledge all requests within 5 business days and respond in full within 30 days. Where a request is complex or involves a large volume of data, we may extend this period by a further 30 days and will notify you accordingly.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help websites function correctly, remember your preferences, and provide analytics information.

8.2 Cookies We Use on gatheroo.io

8.3 Managing Your Cookie Preferences

When you first visit gatheroo.io, you will be presented with a cookie consent banner. You can choose which categories of cookies to accept and may update your preferences at any time through the consent manager or your browser settings. Disabling essential cookies may affect platform functionality.

9. Data Security

We take the security of personal information seriously. Our security measures for the Gatheroo platform include:

• Encryption of data in transit (TLS) and at rest (AES-256 on AWS infrastructure)
• Strict access controls and multi-factor authentication
• Regular security assessments and vulnerability reviews
• Staff training on data protection and security awareness
• Documented incident response procedures

Kicking Pixels Pty Ltd is certified to ISO 27001:2022 (Information Security Management). Our certification scope specifically covers the Gatheroo SaaS platform and supporting infrastructure, meaning our security practices are independently verified against an internationally recognised standard.

Notwithstanding these measures, no system is completely immune to risk. We encourage Gatheroo customers to use strong, unique passwords and to contact us promptly at security@kickingpixels.com.au if you suspect any unauthorised activity.

10. Data Breach Notification

We maintain an Incident Response Policy that sets out how we detect, contain, and respond to data security incidents.

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act 1988). Where required, we will also notify relevant authorities in the UK or EU.

Where a breach involves data submitted through a Gatheroo portal, we will notify the relevant business customer promptly so they can fulfil their own notification obligations to their clients.

We will provide notification as soon as practicable, including a description of the breach, the types of information involved, and the steps you can take to protect yourself.

11. Data Retention and Deletion

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

After the applicable retention period, personal data is securely deleted or anonymised. Gatheroo customers may request deletion of their account and data at any time by contacting help@gatheroo.io. End users wishing to request deletion of their submitted data should contact the business that collected it.

12. Third-Party Services and Subprocessors

We work with trusted third-party providers to deliver the Gatheroo platform. Where these providers process personal data on our behalf, we ensure they are subject to appropriate contractual data protection obligations and security requirements. Our full subprocessor list is maintained at our Trust Centre.

In the event of a business restructure, merger, or acquisition, personal data may be transferred to the relevant parties under confidentiality obligations consistent with this policy.

13. International Data Transfers

All Gatheroo customer data is stored on AWS infrastructure located in Australia. We do not transfer customer data outside Australia in the ordinary course of operating the Service.

Some subprocessors (including Stripe) are based outside Australia. However, Stripe processes only billing data — no documents or information uploaded to Gatheroo are shared with Stripe. Where any transfer of personal information outside Australia occurs, we ensure appropriate safeguards are in place, including contractual protections requiring the recipient to maintain privacy standards equivalent to the Australian Privacy Principles.

14. Privacy Complaints

If you believe we have not handled your personal information in accordance with this policy or the Australian Privacy Principles, we encourage you to contact us first so we can resolve your concern.

Our complaint process:

1. Submit your complaint to privacy@kickingpixels.com.au, describing the issue and the outcome you are seeking.
2. We will acknowledge your complaint within 5 business days.
3. We will investigate and respond with our findings and any remediation steps within 30 days.
4. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or for UK/EU matters, to the relevant supervisory authority in your jurisdiction.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The current version will always be available at gatheroo.io/privacy with the effective date shown at the top of the page.

Where we make material changes, we will notify Gatheroo customers by email or by a prominent notice on the platform prior to the changes taking effect.

16. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or how we handle your personal information, please contact us: