Privacy

Structured learning, best practice and real world advice direct from a CMake co-maintainer

Effective Date: [Insert Date]

 

Crascit Pty Ltd (ACN 635 397 483, ABN 95 635 397 483) and our associated entity Crascit Consulting Pty Ltd (ACN 691 307 687, ABN 86 691 307 687) (“we,” “us,” or “our“) operates the Crascit website (the “Website“) and the Clarivellum software suite (the “Software“). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Website or use our Software. It applies globally and complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy laws.

Our data processing adheres to the following GDPR principles:

  • Lawfulness, fairness and transparency: we process data lawfully, fairly, and transparently.

  • Purpose limitation: data is collected for specified, explicit, and legitimate purposes.

  • Data minimization: we collect only data adequate, relevant, and limited to what is necessary.

  • Accuracy: we take reasonable steps to ensure data is accurate and kept up to date.

  • Storage limitation: data is retained only as long as necessary.

  • Integrity and confidentiality: we implement appropriate security measures.

  • Accountability: we can demonstrate compliance with these principles.

Our data processing adheres to the following APP principles which apply directly to us and the collection of information:

  • APP 1: Open and transparent management of personal information

  • APP 2: Anonymity and pseudonymity

  • APP 3: Collection of solicited personal information

  • APP 4: Dealing with unsolicited personal information

  • APP 5: Notification of the collection of personal information

  • APP 6: Use or disclosure of personal information

  • APP 7: Direct marketing

  • APP 8: Cross-border disclosure of personal information

  • APP 10: Quality of personal information

  • APP 11: Security of personal information

  • APP 12: Access to personal information

  • APP 13: Correction of personal information

If you do not agree with this policy, do not access or use our Website or Software.

What Data Do We Collect?

We collect the following categories of personal information:

  • Personal Identification Information: Name, email address, phone number, billing address, payment details (processed via third-party providers). This constitutes ‘personal information’ under the Privacy Act 1988 (Cth).

  • Purchase and Account Data: Order history, license keys, subscription details, including historical sales data from our operations as a sole trader prior to incorporation as Crascit Pty Ltd.

  • Usage Data: Interactions with the Website and Software, such as pages visited, features used, time spent, and anonymized statistics to improve our services.

  • Device and Technical Information: IP address, browser type, operating system, device identifiers, geolocation data (approximate), referral sources.

  • Server Log Data: Request date/time, pages requested, bytes served, user agent, referrer, error logs for security, troubleshooting, and analytics.

  • Other Data: Feedback, survey responses, communications with us.

We do not collect sensitive personal information (e.g., racial origin, health data) unless required for specific services. Under CCPA/CPRA, “sensitive personal information” includes: social security numbers, driver’s license numbers, passport numbers, financial account login credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data for identification purposes, health information, sex life or sexual orientation, and citizenship or immigration status.

How Do We Collect Your Data?

You provide data directly when you:

  • Register an account.

  • Purchase or download the Software.

  • Subscribe to newsletters.

  • Contact us via forms or email.

  • Provide feedback or participate in surveys.

We collect data automatically via:

  • Cookies, web beacons, and similar technologies (see Cookies section).

  • Server logs during Website visits.

  • Anonymized usage telemetry in the Software (e.g., feature usage without identifying users).

We may receive data indirectly from:

  • Third-party payment processors (e.g., Stripe).

  • Analytics providers (e.g., Google Analytics, including Google Analytics 4, which may collect user behavior data, demographics, interests, cross-device tracking data, and enable advertising features such as remarketing and personalized advertising through Google’s advertising network).

  • Historical records transferred from sole trader operations to the company.

How Will We Use Your Data?

We use your data:

  • To provide, maintain, and improve the Website and Software.

  • To process purchases, manage accounts, and fulfill orders.

  • To send transactional emails (e.g., confirmations, updates).

  • To analyze anonymized usage patterns and server logs to enhance performance, detect issues, and prevent fraud.

  • To communicate with you about products, services, and promotions (with opt-in where required).

  • For record keeping and administrative purposes.

  • To provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing goods or services to you.

  • To improve and optimize our service offering and customer experience.

  • To send you administrative messages, reminders, notices, updates, security alerts, and other information requested by you

  • To comply with legal obligations, resolve disputes, and enforce agreements.

  • To handle historical data from sole trader period under the same protections as current data.

We may also use your personal information for:

  • secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use;

  • such purposes where we reasonably believe that use of your personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;

  • any other purpose for which we receive consent from you; or

  • any other purpose which is permitted or required under applicable privacy laws.

Legal bases under GDPR for specific processing activities:

  • Contract performance (Article 6(1)(b)): providing the Website and Software, processing purchases, managing accounts, fulfilling orders, sending transactional emails.

  • Legitimate interests (Article 6(1)(f)): analyzing anonymized usage patterns and server logs for performance enhancement, issue detection, fraud prevention, and security (we have assessed that these legitimate interests do not override your rights and freedoms).

  • Consent (Article 6(1)(a)): marketing communications, non-essential cookies.

  • Legal obligation (Article 6(1)(c)): compliance with tax, accounting, and legal requirements, retaining transaction records.

How Do We Share Your Data?

We share data with:

  • Service providers who act as data processors under GDPR Article 28 (e.g., hosting, payment processing, analytics including Google LLC and its affiliates, cloud storage and backup services including Apple iCloud and Google Drive/Workspace) bound by data processing agreements with appropriate technical and organizational security measures and confidentiality obligations.

  • Affiliated entities and related companies: We may share your personal information with consulting services, business entities, or other companies under common ownership or control with Crascit Pty Ltd (collectively, “Affiliates“). Such Affiliates act as data processors under GDPR Article 28 and are bound by data processing agreements with the same technical, organizational, and security measures as third-party service providers. Sharing with Affiliates is based on our legitimate interests (GDPR Article 6(1)(f)) in operating an efficient business, improving our services, and providing integrated offerings. Affiliates may only use your data: (1) to provide services that support or enhance the Website and Software; (2) for business operations directly related to your use of our services; (3) to fulfill contractual obligations to you; and (4) in compliance with this Privacy Policy. Affiliates are prohibited from using your data for independent purposes unrelated to your relationship with Crascit or from further disclosing your data except as permitted under this Privacy Policy.

  • Affiliates or successors in a business transfer (see Business Transfers section).

  • Our professional advisors such as lawyers, accountants and auditors.

  • Any third parties you have consented personal information to be disclosed to.

  • Legal authorities if required by law or to protect rights.

We do not sell personal information under CCPA/CPRA definitions. Sharing with Affiliates for the operational purposes described above does not constitute a “sale” or “sharing” under CCPA/CPRA as no monetary or other valuable consideration is received and the purpose is to provide services you reasonably expect. Anonymized or aggregated data may be shared without restriction.

We may also disclose personal information to third party contractors as required for us to provide our goods and services to you, such as cloud-service providers, IT professionals, marketing agencies and debt collection agencies.

We take care to work with such third parties who we believe maintain an acceptable standard of data security and require them not to use your personal information for any purpose except for those activities we have asked them to perform on our behalf.

We will not otherwise disclose your personal information unless:

  • you have consented to us disclosing your personal information for particular circumstances;

  • as needed in an emergency or in investigation of suspected criminal activity;

  • we are required to disclose under a subpoena, court order or other mandatory reporting requirements;

  • we reasonably believe that disclosure of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;

  • it is reasonably necessary for the establishment, exercise or defence of a legal claim; or

  • it is authorised or required by law.

Business Transfers

If we undergo a merger, acquisition, reorganization, bankruptcy, or sale of assets (including transition from sole trader to Crascit Pty Ltd), your personal information, including historical data, may be transferred. The new entity will adhere to this Privacy Policy unless you are notified of changes and given opt-out options. We will notify you via email or Website notice before transfer.

How Do We Store and Secure Your Data?

Data may be stored securely on servers in Australia, Singapore, and EU-compliant cloud providers, including cloud backup and document storage services such as Apple iCloud and Google Drive/Workspace. We use industry-standard measures like encryption, access controls, and firewalls to protect against unauthorized access, loss, or misuse. However, no system is 100% secure.

Retention: We retain personal information for specific periods based on legitimate business purposes and legal requirements:

  • Account data: retained while account is active, plus 7 years after account closure or subscription cancellation for legal compliance and to defend potential claims.

  • Transaction and order history: 7 years for accounting, tax, and legal compliance.

  • Server logs: 1 year for security and troubleshooting.

  • Marketing communications data: until you unsubscribe, plus 6 months.

  • Support communications: for the duration of the customer relationship (while account is active or customer holds a valid license/purchase), plus 3 years after last interaction or account closure, or longer if required to defend legal claims.

  • Book sales with lifetime access rights: for the duration of those access rights (to fulfill our contractual obligation to provide updates), then 7 years for accounting and legal compliance.

  • Historical sales data from sole trader operations: up to 7 years for accounting and compliance, or longer where ongoing contractual obligations exist.

Data is securely deleted or anonymized when retention periods expire unless extended retention is required by law.

Third-Party System Limitations: Some personal data is stored in third-party systems (e.g., payment processors, licensing platforms, email services) where we may not have direct technical capability to delete data immediately. In such cases, we will request deletion from the third-party provider, or delete data when technically feasible, in accordance with our retention policy and upon your request. We work with providers who offer data deletion capabilities and maintain data processing agreements requiring them to honor deletion requests.

Data Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will comply with applicable breach notification requirements. Under GDPR Articles 33-34, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk. Where the breach poses a high risk to your rights and freedoms, we will notify affected individuals without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed to address it. You may contact us at privacy@crascit.com to inquire about any data breaches affecting your information.

International Data Transfers

Data may be transferred to countries outside your residence, including Australia, EU, and US. For GDPR, we use Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions where available. For transfers to countries without adequacy decisions (including the US), we may implement supplementary measures including encryption in transit and at rest, strict access controls, contractual commitments from recipients to resist overly broad governmental access requests, and transparency obligations. Where we use cloud service providers subject to foreign surveillance laws, we employ technical and organizational measures to minimize risks to data subjects’ rights. For CCPA, transfers comply with applicable laws.

Your Data Protection Rights General Rights
  • Access, correct, update, or delete your data.

  • Object to or restrict processing.

  • Data portability.

  • Withdraw consent: Where processing is based on consent (e.g., marketing communications, non-essential cookies), you may withdraw consent at any time. Withdrawal is as easy as giving consent initially. You can withdraw marketing consent by clicking unsubscribe links in emails or contacting privacy@crascit.com. You can withdraw cookie consent via our cookie consent tool or browser settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

Contact us to exercise rights; we respond within one month (extendable under GDPR).

GDPR-Specific Rights (EU/UK Residents)

As above, plus lodge complaints with supervisory authorities. For EU residents, you may lodge a complaint with the supervisory authority in your habitual residence, place of work, or place of alleged infringement. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, contact the Information Commissioner’s Office (ICO) at ico.org.uk.

We are the data controller; contact privacy@crascit.com.

CCPA/CPRA-Specific Rights (California Residents)
  • Right to Know: Categories/sources of data collected, purposes, shared parties (twice per year, free).

  • Right to Delete: Request deletion, subject to exceptions.

  • Right to Opt-Out of Sale/Sharing: We do not sell/share personal information; therefore, no opt-out mechanism is currently required. Should our practices change, we will provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on our Website homepage and in our privacy policy, and will honor Global Privacy Control (GPC) signals.

  • Right to Correct Inaccurate Data.

  • Right to Limit Use of Sensitive Data: Not applicable.

  • Non-Discrimination: No penalties for exercising rights. We do not use dark patterns or deceptive design practices that manipulate, coerce, or substantially interfere with your ability to exercise your privacy rights.

To submit a request, please contact us at privacy@crascit.com . To protect your privacy, we will verify your identity using the email address associated with your account before fulfilling your request.

You may also designate an authorized agent to make a request on your behalf; however, we will require written proof of their authority and may verify your identity directly. We aim to respond to all valid requests within 45 days. If we require more time (up to 90 days total), we will notify you in writing of the reason for the extension.

In the last 12 months, we collected categories listed above for business purposes, shared with service providers (no sales).

Privacy Act/APP Specific Rights (Australia Residents)
  • Right to Anonymity and Pseudonymity: You have the choice of not identifying yourself, or using a pseudonym, when dealing with us unless it is impracticable for us to do so or we are required by law to deal with identified individuals.

  • Right to Access: You have a general right to request access to the personal information we hold about you and we must respond within a reasonable period being within 30 days.

  • Right to Correction: If you believe the information we hold is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you have the right to ask us to correct it.

  • Right to Stop Direct Marketing: You have an absolute right to opt-out of receiving direct marketing communications from us at any time.

  • Right to Lodge a Complaint: If you believe we have breached the Australian Privacy Principles, you can lodge a complaint with us. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Children’s Privacy

Our services are not for children under 16 (or 13 under COPPA). We do not knowingly collect their data. Contact us if aware of such collection for deletion.

Cookies and Tracking

We use cookies and similar tracking technologies. For detailed information about the cookies we use, your choices, and how to manage your preferences, please see our Cookie Policy available on our Website footer or via our cookie consent banner.

Analytics: We use analytics services including Google Analytics to understand how users interact with our Website and Software. This may include user behavior tracking, page views, session duration, demographics and interests data, device information, and cross-device tracking. Google Analytics may use cookies and other identifiers to track your activity across websites and devices. If you enable certain features in your account, we may track identified user behavior to improve your experience. Google may also use this data for its own purposes, including to improve and market its services, and to provide aggregated and anonymized reporting.

Advertising and Remarketing: We may use Google Analytics advertising features, including remarketing, interest-based advertising, demographics and interests reporting, and audience targeting. This allows us and Google to serve targeted advertisements to you on third-party websites based on your visit to our Website. You can opt out of Google Analytics advertising features through Google Ads Settings, the Google Analytics opt-out browser add-on, or the Network Advertising Initiative opt-out tool. To find out more see How Google uses data when you use our partners’ sites or apps.

Server logs and anonymized stats are used for security and improvements, not linked to individuals where possible.

Marketing – Australia

We may at times send you marketing communications which will be done in accordance with the Spam Act 2003 (Cth) (“Spam Act“). If we do, we may use email, SMS, social media, phone or mail to send you direct marketing communications.

Where consent is needed, we will ask you for your consent before sending you marketing communications, except where you:

  • have explicitly opted-in to receiving email marketing from us in the past; or

  • were given the option to opt-out of email marketing when you initially signed up for one of our platforms and you did not do so.

You can, at any time, opt out of receiving marketing materials from us by using the opt-out facility provided (e.g., an unsubscribe link on emails we send you) or by contacting us via the details provided at the end of this privacy policy. We will implement such a request as soon as possible, however, cannot guarantee that such a response will be immediate.

De-identified information

The information we collect may have analytical, educational, or commercial value to us. Where we have de-identified the information we have collected, we reserve the right to process and distribute such information.

Automated Decision-Making and Profiling

We do not engage in automated decision-making (including profiling) that produces legal effects or similarly significantly affects you, as defined under GDPR Article 22. Our analytics and usage data analysis is used only for service improvement and is based on anonymized or aggregated data. Should our practices change to include automated decision-making with legal or significant effects, you will have the right to: (1) obtain human intervention; (2) express your point of view; (3) contest the decision; and (4) receive an explanation of the decision and its significance.

Links to Other Sites

This policy applies only to our Website and Software. Review third-party policies for linked sites.

Changes to This Privacy Policy

We may update this policy; changes will be posted here with the revised date. Significant changes will be notified via email or notice.

Contact Us

We are committed to preventing serious invasions of privacy and ensuring the protection of your personal information, so you can contact us using the details below if you have any questions or concerns.

For questions or to exercise your privacy rights, you may submit requests by email to privacy@crascit.com .

Complaints

For complaints:

  • GDPR: Contact your local data protection supervisory authority in your EU member state or the UK ICO. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

  • CCPA: California Attorney General.

  • Australia (OAIC): If you wish to complain about how we handle your personal information held by us, please contact us using privacy@crascit.com including your name and contact details. We will investigate your complaint promptly and respond to you within a reasonable timeframe. Alternatively, you may wish to directly contact the Office of the Australian Information Commissioner (OAIC) via https://www.oaic.gov.au/privacy/privacy-complaints.

International Representatives (EEA and UK)

As we are located outside of the European Economic Area (EEA) and the United Kingdom, we have appointed representatives to act as a point of contact for data subjects and supervisory authorities in those jurisdictions.

European Union (EEA) Representative:

Pursuant to Article 27 of the EU GDPR, our representative in the European Union is:

  • Name: [Name of EU Representative Service]

  • Address: [Insert Local Office Address provided by the service]

  • Contact Email: [Insert dedicated email]

  • Inquiry Webform: [Insert link to their request portal if applicable]

United Kingdom Representative:

Pursuant to Article 27 of the UK GDPR, our representative in the United Kingdom is:

  • Name: [Name of UK Representative Service]

  • Address: [Insert UK Office Address]

  • Contact Email: [Insert UK-specific contact email]

General Provisions

This policy covers Website, Software, and historical data practices.