ActualCo Privacy Policy

ActualCo provides software and related services that help organisations create an operational record across experience signals, work, assets, vendors, standards, incidents, risks, evidence and operational follow-through.

Depending on the context, ActualCo may act as:

• a service provider or processor, where we process personal information on behalf of a customer organisation
• a business operator or controller, where we collect information directly through our website, forms, marketing activity, sales activity, support activity or evaluation workflows

Customer organisations remain responsible for ensuring that information they collect and enter into ActualCo is lawful, accurate and appropriate for the relevant operating environment.

Authorised users cannot usually use ActualCo anonymously because operational records require accountability, ownership, auditability and evidence of follow-through.

The information we collect depends on how a person interacts with ActualCo.

Website, marketing and request-access information may include:

• name
• business email address
• organisation name
• role or job title
• phone number, if provided
• operating environment or vertical of interest
• request type, such as Actual Experience access, workflow mapping, product walkthrough or general conversation
• messages, notes or form responses submitted to ActualCo
• website analytics, device information and usage events

Evaluation, Actual Experience and workflow-mapping information may include:

• participant names and business contact details
• organisation profile information
• operating environment information
• workflow information shared during evaluation
• notes, requirements and success criteria discussed during walkthroughs or mapping sessions
• access logs and product usage activity in evaluation environments

Production software information may include:

• authorised user names
• business email addresses
• roles, permissions and team information
• authentication and access records
• operational records created or updated by users
• work orders, tasks, issues, incidents, checklists, approvals, vendor records, evidence and audit trails
• asset, location, site, facility or store information
• comments, attachments and operational notes
• system audit logs showing actions performed by users

Vendor, contractor and compliance information may include:

• company details
• ABN or equivalent business identifiers
• insurance records
• induction status
• compliance documents
• safety or access-related credentials relevant to the customer organisation's operating environment

Actual Campus is designed for school operations, not for student information management or learning management.

Actual Campus is not intended to hold student academic records, student profiles, health records or sensitive child data. Schools should use asset, location or operational identifiers where possible instead of student names.

Where child-safety, contractor, site-access or safeguarding information is relevant to a school environment, the customer organisation remains responsible for ensuring that collection, use and disclosure of that information is lawful and appropriate.

ActualCo uses personal information to:

• operate and improve the website
• respond to enquiries
• route prospective customers to the relevant Actual Experience, workflow-mapping or product path
• provide guided walkthroughs, demos and evaluation environments
• configure and deliver software services
• authenticate users and manage permissions
• maintain operational records, audit trails and evidence
• provide customer support
• send service, security and administrative notices
• send product or marketing updates where permitted
• monitor platform security, reliability and performance
• comply with legal, accounting and regulatory obligations

ActualCo does not sell personal information to advertisers.

ActualCo may use privacy-conscious analytics tools, including PostHog, to understand website usage, improve navigation, measure engagement with pages and forms, and diagnose website issues. Analytics events are configured to avoid collecting sensitive personal information or free-text form content.

ActualCo may send product updates, event invitations, educational content or service information to business contacts and nominated administrators.

Recipients can opt out of marketing emails using the unsubscribe link or by contacting ActualCo. Security, support, transactional and service notices may still be sent where required to provide the service.

ActualCo uses reasonable technical, organisational and administrative measures to protect personal information.

These measures may include:

• encrypted data transmission using TLS
• encryption at rest where supported by production infrastructure
• access controls and role-based permissions
• authentication controls, including SSO or SCIM where configured
• audit logs
• tenant separation and logical access controls
• monitoring, backups and operational security processes

No system can be guaranteed to be completely secure. Customers and users must also take reasonable steps to protect their accounts, credentials and authorised access.

ActualCo may use third-party service providers to host, secure, operate, analyse and support its website, evaluation environments and software services.

These providers may support functions such as:

• cloud hosting and infrastructure
• authentication and identity management
• email delivery
• analytics
• customer relationship management
• support and communication tools
• security monitoring

Production hosting arrangements may vary by customer agreement and product environment. Where ActualCo uses international service providers, personal information may be processed or stored outside Australia. ActualCo takes reasonable steps to ensure that service providers are subject to appropriate confidentiality, security and privacy obligations.

ActualCo retains personal information for as long as reasonably needed to provide services, manage customer relationships, maintain security, comply with legal obligations and resolve disputes.

For production customer environments:

• active subscription data is retained while the customer agreement remains active
• customers may request export or deletion in accordance with their agreement
• production data is usually deleted or de-identified after termination, subject to agreed retention periods, backup cycles and legal requirements
• audit logs, billing records and security records may be retained where required for legal, accounting, compliance or security purposes

For website, marketing and evaluation data:

• enquiry, request-access and sales records may be retained for business relationship management
• analytics and usage records may be retained in aggregated, de-identified or pseudonymised form where appropriate

Individuals may request access to, or correction of, personal information held by ActualCo.

Where information is held on behalf of a customer organisation, ActualCo may refer the request to that customer organisation or assist the customer organisation to respond.

Requests can be sent to:

Privacy Officer
privacy@actualco.com

If you believe ActualCo has breached this Privacy Policy or the Australian Privacy Principles, contact:

Privacy Officer
privacy@actualco.com

ActualCo will aim to:

• acknowledge the complaint within 5 business days
• investigate and respond within a reasonable period, usually within 30 days

If a complaint is not resolved, individuals may contact the Office of the Australian Information Commissioner.

ActualCo may update this Privacy Policy from time to time. Material changes will be published on the website and, where appropriate, notified to customer administrators or relevant contacts.