Privacy Policy

1. Types of Information Collected

1.1 We collect Personal Information and Anonymised Data through the following touchpoints on our Site and associated services:

• Consulting enquiry and "confidential conversation" forms on our services pages;
• Case study and resource pages (browsing is anonymous; downloads require name and email);
• Free Resource download requests, including the “Free Guide for Optimising Learning” (name and email required);
• Mailing list and Updates subscriptions;
• E-Learning Product enrolments via our Teachable school;
• Blog comments and Platform interactions; and
• General browsing of our Site (Anonymised Data only).

1.2 "Personal Information" has the same meaning as in the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not. This includes but is not limited to: name, email address, postal address, phone number, job title, organisation, date of birth, payment details, and e-learning enrolment and course completion records.

1.3 "Anonymised Data" refers to information that is not associated with or linked to your Personal Information and cannot be used to identify you.

2. Collection of Anonymised Data

2.1 We collect Anonymised Data when you access or use our Site and Platform via generally acceptable web technologies including “cookies”, “web beacons”, “clear GIFs”, “HTML5”, and third-party web analytics such as Google Analytics (collectively "Acceptable Technologies"). This automatic collection includes: your IP address, browser type, pages viewed, and third-party websites visited prior to our Site. Our purpose is to understand visitor preferences to enhance your experience.

2.2 If you do not consent to our collection of Anonymised Data, please adjust your device settings to block or disable the Acceptable Technologies. Continued access without doing so constitutes your consent.

2.3 Key technologies explained:

"Cookies" – small files stored on your device. Our Site uses session cookies (expire when your browser closes) and persistent cookies (remain until deleted). You can control cookies via your browser settings.

"Web beacons / clear GIFs" – electronic images used to track page access patterns and email open rates, to help us understand content appeal and the effectiveness of our communications.

"Google Analytics" – a third party web analytics service. Information generated by cookies about your use of our Site is transmitted to and stored by Google on servers which may be located outside Australia. Google’s use of this data is governed by Google’s privacy policy.

3. Your Consent to Collection, Retention and Use of Personal Information

3.1 You consent to our Company collecting, using and retaining your Personal Information in the following circumstances:

• Consulting and confidential conversation enquiries: when you submit an enquiry via our “Request a confidential conversation” function or any other contact form or email in relation to our services, we collect your name, email address, organisation, job title, phone number and the nature of your enquiry. Given the sensitive subject matter of our work (which may include workplace investigations, harassment and discrimination matters, and organisational culture issues), you should exercise care about the personal information you include in any initial enquiry. Any Personal Information disclosed in an enquiry is used solely to assess and respond to your request and is treated as strictly confidential.
• Free Resource downloads: when you request a Free Resource (including the “Free Guide for Optimising Learning” or any other guide, template or checklist published on our Resources section), we collect your name and email address. In doing so, we will add you to our mailing list for Updates unless you opt out at the point of request or subsequently via the unsubscribe mechanism in our emails. All such electronic marketing communications comply with the Spam Act 2003 (Cth), which requires us to: (i) identify our Company as the sender; (ii) include a functional unsubscribe mechanism in every commercial email; and (iii) honour unsubscribe requests within 5 business days.
• Case studies: case studies published on our Site are authored by our Company and may identify client organisations by name. Note: the Privacy Act 1988 (Cth) applies to information about individuals, not to the names of organisations — naming a client company does not itself constitute collection of personal information. Where a case study contains information that would not ordinarily be in the public domain and was disclosed by the client in the course of the engagement — including internal organisational matters, the circumstances giving rise to the engagement, diagnostic or survey findings, investigation outcomes, or recommendations made to the client ("Confidential Information") — our Company seeks the agreement of the relevant client organisation before publication. Case studies that identify a client by name but do not contain Confidential Information as defined above may be published without specific consent. Case studies do not identify individual employees. If you contact us regarding a case study, any Personal Information you provide will be handled in accordance with this Privacy Policy.
• Testimonials: where we publish a testimonial from an individual on our Site, this constitutes collection and use of Personal Information (including their name, job title, organisation and the content of their statement). Where the testimonial is drawn from a communication not originally provided for publication, we notify the individual of our intention to publish, identifying the specific content and where it will appear, and allow at least 14 days for them to raise an objection. Where no objection is received within that period, we proceed on the basis that the individual has had a genuine and reasonable opportunity to object and has not done so. We retain a record of the notification and non-response. Individuals may request removal of their testimonial at any time after publication by contacting our Privacy Officer at info@cultureplusconsulting.com, and we will action such requests promptly. Withdrawal does not affect the lawfulness of any prior publication.
• Mailing list and Updates subscriptions: when you subscribe to our Updates, we collect your name and email address and any other information you voluntarily provide, in order to send you newsletters, promotions and other Updates. All commercial electronic messages comply with the Spam Act 2003 (Cth) and include a clear unsubscribe mechanism.
• E-Learning Product enrolment: when you enrol in an E-Learning Product via our Teachable school (see section 7 for Teachable-specific provisions), we collect your enrolment records, course progress, assessment results, and certificates of completion, in order to deliver the course and issue completion records. Payment for E-Learning Products is processed by Teachable/Hotmart; our Company does not directly collect or store your payment card details.
• Blog and Platform interactions: if you post comments or otherwise interact with our Platform, we may collect your name, email address (which will not be publicly displayed), and the content of your interaction, in order to operate and moderate our Platform and to facilitate your participation.
• Contract and service delivery: when you enter into a service agreement with our Company for consulting or other services, we will retain your Personal Information for as long as is necessary to provide those services and as required by applicable Australian law, including tax law obligations under the Income Tax Assessment Act 1997 (Cth) and GST obligations under the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

3.2 We will also retain your Personal Information where necessary to comply with applicable laws and regulations, assist in legal investigations, meet demands from regulatory or law enforcement bodies, minimise fraud, resolve disputes, and enforce contractual obligations.

4. Sensitive Information

4.1 The Privacy Act 1988 (Cth) defines "sensitive information" as a category of Personal Information that attracts a higher level of protection. It includes information about an individual’s: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation or practices; criminal record; health information; genetic information; and biometric information.

4.2 In the course of delivering certain services – including DEI Diagnostics, Workplace Culture Reviews, Anti-Racism training, focus groups, survey-based assessments, and workplace investigations – our Company may collect sensitive information about participants, including information about racial or ethnic origin, disability status, gender identity, or health and wellbeing. This may occur:

• directly from you, as a participant in a survey, focus group, diagnostic exercise, or training programme; or
• indirectly, through information shared with us by a client organisation about its employees or workplace, as part of a consulting engagement.

4.3 We will only collect sensitive information with your explicit consent, or where collection is otherwise permitted under APP 3.3 (for example, where the information is reasonably necessary for establishing, exercising or defending a legal claim, or for the prevention of a serious threat to health or safety). Where a client organisation engages our Company to collect sensitive information about its employees as part of a consulting engagement, the client is responsible for ensuring that appropriate consents and collection notices have been provided to employees in accordance with applicable law.

4.4 We handle all sensitive information with heightened care. Sensitive information collected as part of consulting engagements is used only for the specific purpose for which it was collected, is not disclosed to third parties except as required by the terms of the relevant engagement, and is de-identified or destroyed once it is no longer required for that purpose or as required by law.

5. Third-Party Personal Information

5.1 In the course of our business – particularly when you submit an enquiry or when we deliver workplace investigations, culture reviews, DEI diagnostics, or similar consulting services – we may receive Personal Information about third parties (that is, individuals who are not our direct clients or website users). Examples include:

• information about a colleague, employee, or other individual mentioned in an enquiry you submit to us (for example, in the context of a workplace complaint or harassment matter);
• information about employees of a client organisation that is provided to us as part of a consulting engagement (for example, as part of a workplace investigation, focus group, or diagnostic exercise); and
• information about individuals that arises during the course of a training programme or workshop.

5.2 We will handle all such third-party Personal Information in accordance with this Privacy Policy and the Australian Privacy Principles. We will not use that information for any purpose other than the specific service for which it was provided, and we will not disclose it to any person other than as required for delivery of the relevant service, or as required by law.

5.3 Where you provide us with Personal Information about a third party, you represent and warrant that: (i) you have authority to do so; (ii) you have informed that individual that their information may be provided to us; and (iii) where required by applicable law, you have obtained that individual’s consent to the collection, use and disclosure of their information for the purposes described in this Privacy Policy.

5.4 If you are an employee of a client organisation participating in a consulting engagement (such as a survey, investigation, focus group or training programme), and you have questions about how your Personal Information is being collected and used, please contact either the client organisation that engaged our services or our Privacy Officer at info@cultureplusconsulting.com.

6. Disclosure of Personal Information

6.1 We may disclose your Personal Information to:

• Teachable, Inc. / Hotmart Company: as described in section 7 below;
• Email marketing service providers: platforms used to manage our mailing lists and send Updates (e.g. Mailchimp, ActiveCampaign or similar providers). These providers are bound by data processing agreements consistent with the APPs;
• Website hosting, maintenance and technology providers: who require access to Personal Information in order to operate and maintain our Site;
• Professional advisors: our bookkeepers, accountants, auditors, lawyers and other advisors maintaining our records in accordance with Australian law;
• Government and regulatory bodies: including the Australian Taxation Office (ATO), ASIC, and other bodies with a legal right to demand your Personal Information;
• Payment processors: financial institutions and online payment providers required to facilitate payment for our services (noting that payments for E-Learning Products are processed by Teachable/Hotmart, as described in section 7); and
• Successors in business: third parties to whom we may sell, divest, transfer or assign some or all of our Company’s assets, in the course of a corporate transaction.

6.2 We do not sell, rent, licence or otherwise disclose your Personal Information to third parties except as set out in this Privacy Policy. All third party providers are bound by contractual data protection obligations consistent with this Policy and applicable law.

7. Teachable Platform – Data Processing and Your Rights

7.1 Our E-Learning Products are hosted on the Teachable platform (teachable.com), operated by Teachable, Inc., a Delaware corporation and member of the Hotmart Company group. When you enrol in our Teachable school at cultureplusconsulting.teachable.com, you are interacting with the Teachable platform and will be required to create a Teachable account and accept Teachable’s own Terms of Use and Privacy Policy.

7.2 Data controller relationship: under Teachable’s terms, our Company and Teachable are each independent data controllers (in the context of Australian privacy law, each is an APP entity) in relation to the student data collected through the Teachable platform ("Student Data"). This means both our Company and Teachable determine the purposes for which Student Data is used, subject to Teachable’s Privacy Policy, its Data Processing Agreement (DPA), and applicable law.

7.3 What Teachable shares with us: upon your enrolment in one of our courses, Teachable provides us with a limited set of your personal data: your name, email address, IP address, and the specific course in which you have enrolled. Teachable does not disclose any other personal information about you to us, and does not sell or transfer Student Data to us for monetary consideration. You assume full responsibility for any additional personal information you choose to disclose to us directly on or off the Teachable platform.

7.4 Our obligations as a Teachable Creator: as a Creator on the Teachable platform, our Company has agreed to Teachable’s Data Processing Agreement and House Rules, which require us to: (i) provide this privacy notice to our students; (ii) handle Student Data in accordance with applicable privacy laws; (iii) not sell, trade or rent Student Data; and (iv) notify Teachable within three business days of receiving a privacy request from a student that involves data held by Teachable.

7.5 Data held by Teachable independently: Teachable also independently collects and processes data about you as a user of their platform (including registration information, payment details, device information, course progress, and usage data) in accordance with Teachable’s own Privacy Policy. For information about how Teachable handles your data, including how to exercise your rights with Teachable directly, please review Teachable’s Privacy Policy at teachable.com/privacy-policy.

8. Cross-Border Disclosure of Personal Information

8.1 Your Personal Information may be transferred to, and processed in, countries outside Australia in the following circumstances:

• United States: Teachable, Inc. is incorporated in Delaware, USA. Personal Information processed through our Teachable school (including Student Data) is stored and processed on servers which may be located in the United States.
• Brazil and other countries: the Teachable platform is owned by Hotmart Company, a Brazilian group. Hotmart’s sub-processors, as described in Teachable’s Privacy Policy and DPA, may process your Personal Information in various countries.
• Other service providers: our email marketing, web hosting, analytics and other service providers may also store and process Personal Information outside Australia.

8.2 Before disclosing your Personal Information to any overseas recipient, we take reasonable steps consistent with APP 8 to ensure that the recipient does not breach the APPs, or that the recipient is subject to a law or binding scheme providing privacy protection substantially similar to that afforded by the APPs. By using our Site, Platform and E-Learning Products, you consent to cross-border transfers on this understanding.

8.3 Under POLA, the Australian Government may “whitelist” countries with substantially similar privacy protections. We will monitor and apply any such determinations as they are made.

9. Email Marketing and the Spam Act 2003 (Cth)

9.1 We send commercial electronic messages (including newsletters, promotions and Updates) in compliance with the Spam Act 2003 (Cth). Specifically:

• we only send commercial emails to individuals who have consented to receive them (either expressly, or inferred from an existing business relationship);
• every commercial email we send clearly identifies our Company as the sender and includes our contact details;
• every commercial email includes a clear and functional unsubscribe mechanism; and
• we will honour all unsubscribe requests within 5 business days, as required by the Spam Act.

9.2 Unsubscribing from our Updates will not affect our ability to send you essential transactional emails relating to services you have purchased or contracted for (e.g. enrolment confirmations, tax invoices, and notifications regarding changes to E-Learning Products you are enrolled in).

10. Do Not Call Register

10.1 We respect your preferences regarding marketing contact. If you have registered your telephone and/or fax number with the Australian Do Not Call Register (administered by ACMA), we will not send marketing communications via those channels unless you have separately consented. If you have previously consented to us contacting you via telephone or fax, we will continue to do so until you withdraw your consent by contacting our Privacy Officer at info@cultureplusconsulting.com.

11. Your Privacy Rights Under the Privacy Act and POLA

11.1 Under the Privacy Act 1988 (Cth) and the APPs, as amended by POLA, you have the following rights:

• Access: to request access to the Personal Information we hold about you (APP 12);
• Correction: to request correction of Personal Information that is inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 13);
• Erasure/Deletion: to request deletion or de-identification of your Personal Information where it is no longer necessary for the purposes for which it was collected, subject to our legal obligations to retain certain records;
• Complaint: to make a complaint to us and/or to the OAIC if you believe we have mishandled your Personal Information; and
• Direct legal action: under the statutory tort for serious invasions of privacy introduced by POLA (in force from 10 June 2025), individuals may take direct legal action where their privacy has been seriously invaded by intrusion upon seclusion or misuse of personal information. Maximum compensation is $500,000.

11.2 You may withdraw consent to our use of your Personal Information at any time by emailing info@cultureplusconsulting.com. Note that withdrawal may result in our inability to continue providing certain services, including access to E-Learning Products and receipt of Updates.

12. Notifiable Data Breaches

12.1 We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), as strengthened by POLA. In the event of an eligible data breach (likely to result in serious harm to any affected individual), we will:

• notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware of the breach. The law requires notification “as soon as practicable”; OAIC guidance encourages prompt action, and Tranche 2 reforms are expected to introduce a more prescriptive timeframe. We aim to notify within 72 hours of becoming aware of a significant breach;
• notify affected individuals whose Personal Information is involved where the breach is likely to result in serious harm; and
• take all reasonable remedial action.

12.2 Where a data breach involves Student Data held on the Teachable platform, we will also comply with our obligations under Teachable’s DPA, including notifying Teachable within three business days of becoming aware of the breach.

13. Automated Decision-Making (APP 1.8)

13.1 Under APP 1.8 (inserted by POLA, with a two-year transition period to 10 December 2026), organisations that use automated decision-making that significantly affects individuals must disclose this in their privacy policy. At present, our Company does not use automated decision-making systems that make decisions that significantly affect your rights, access to services, or other important interests. If this changes, we will update this Privacy Policy prior to implementing any such systems.

13.2 The Teachable platform may use automated systems in relation to platform functionality (e.g. content recommendations, fraud detection). For information on Teachable’s use of automated decision-making, please refer to Teachable’s Privacy Policy.

14. Access, Correction and Complaints

14.1 To access, update or correct the Personal Information we hold about you, please email our Privacy Officer at info@cultureplusconsulting.com. We will respond within a reasonable time, generally within 30 days, as required by the APPs.

14.2 No charge will be levied for correcting or updating your Personal Information. A reasonable fee may be charged for access requests as permitted under the Privacy Act 1988 (Cth).

14.3 To complain about how we have handled your Personal Information, please email our Privacy Officer at info@cultureplusconsulting.com. We will respond to complaints within a reasonable time. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

14.4 Privacy requests relating to data held on the Teachable platform should be directed both to us (for data we hold independently of Teachable) and to Teachable directly at privacy@hotmart.com (for data held on the Teachable platform). We will assist in coordinating responses to the extent that the data is held by Teachable.

15. Security Measures

15.1 Consistent with the strengthened security obligations under POLA (amending APP 11), we implement technical and organisational measures to protect your Personal Information against misuse, interference, loss, and unauthorised access, modification or disclosure. These include: encryption of data in transit and at rest, password protection and access controls, firewalls and intrusion detection systems, staff privacy training, and periodic security assessments.

15.2 We do not directly store your payment card details. Payments for E-Learning Products are processed by Teachable/Hotmart, whose security practices are described in Teachable’s Security Overview (support.teachable.com).

15.3 We will not retain Personal Information longer than necessary. Our general retention periods by category are:

• Enquiry and contact form data: 3 years after last contact, unless a consulting engagement follows.
• Consulting engagement and workplace investigation records: 7 years after completion of the engagement, to meet Australian tax law obligations and to allow for any legal claims.
• Sensitive information from consulting engagements: de-identified or securely destroyed as soon as practicable after the relevant purpose is fulfilled, unless longer retention is required by the engagement terms or applicable law.
• E-learning enrolment and completion records: 7 years after completion, for verification of certificates.
• Mailing list subscriber data: until you unsubscribe or withdraw consent, after which contact data is deleted or suppressed within 30 days.

15.4 These periods may be extended where required by law, court order, or legitimate dispute resolution. While we take reasonable steps to protect your Personal Information, no internet transmission or storage system can be guaranteed 100% secure. Please notify us immediately at info@cultureplusconsulting.com if you believe your interaction with us has been compromised.

16. Minors and Children’s Online Privacy

16.1 Our Site, Platform, E-Learning Products and Free Resources are not intended for persons under 18 years of age. We do not knowingly collect Personal Information from minors. Parents and guardians are responsible for ensuring their children do not access our Site or provide Personal Information without consent. If you become aware that a minor has done so, please contact our Privacy Officer at info@cultureplusconsulting.com promptly and we will delete such information.

16.2 Note: Teachable’s Terms of Use require users to be at least 18 years old, or between 13 and 18 with parental/guardian permission. Teachable is in the process of developing a Children’s Online Privacy Code (required to be registered by 10 December 2026 under POLA). We will review and update our practices upon the Code’s commencement.

17. Third Party Sites and Social Media

17.1 Our Site and Platform may contain links to third party websites (including the Teachable platform, social media sites, and other external resources) that are not governed by this Privacy Policy. We are not responsible for the privacy practices of those third party sites. Please review their privacy policies before providing them with any Personal Information.

17.2 Our Company may utilise social media platforms such as LinkedIn, Instagram, Facebook and YouTube to connect with your social networks and promote our services. Links to these platforms from our Site do not constitute any endorsement of those platforms. Please review their terms of use and privacy policies before interacting with them in connection with our Site.

18. Governing Law and Jurisdiction

18.1 This Privacy Policy is governed by the laws of the State of New South Wales, Australia, and by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth), the Spam Act 2003 (Cth), and any successor legislation. To the extent that our data handling practices intersect with our services in diversity, inclusion, and respect at work, the Sex Discrimination Act 1984 (Cth), Anti-Discrimination and Human Rights Legislation Amendment (Respect at Work) Act 2022 (Cth), and the Anti-Discrimination Act 1977 (NSW) also inform the standards we apply to sensitive information collected in that context.

18.2 In the event of any disputes, please first contact our Privacy Officer at info@cultureplusconsulting.com. If no resolution is reached within 30 days, you agree to submit to the exclusive jurisdiction of the Courts of New South Wales, Australia.

18.3 If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the OAIC at www.oaic.gov.au. Further Tranche 2 reforms to the Privacy Act are expected; we will update this Privacy Policy as those reforms are enacted.