Privacy Policy

How Amora Group Pty Ltd (trading as Amora Digital) collects, uses and protects your personal information. Australian Privacy Act compliant.

In short: we collect only the information we need to run the business and serve you, we store your data in Australia by default, we never sell it, and you can ask for a copy or deletion at any time. Everything below is the long-form version of that promise.

Last updated: 17 April 2026 · Version 1.0

1. Who this policy applies to

This Privacy Policy applies to all personal information collected by Amora Group Pty Ltd (ABN 83 112 177 885), trading as Amora Digital, whether through our website at amoradigital.com.au, through our contact channels (email, phone, messaging), through our products and services, or during any commercial engagement.

Registered office: Level 4, 90 Pitt Street, Sydney NSW 2000, Australia.

In this policy, “we”, “us” and “our” refer to Amora Digital. “You” and “your” refer to any individual whose personal information we collect or handle.

2. The law we follow

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we handle personal information belonging to individuals in the European Union, United Kingdom or other jurisdictions with additional privacy requirements, we apply the higher standard to that information.

3. What personal information we collect

We collect only the information we actually need to run our business and serve our clients. That typically includes:

  • Identity information — your name, job title and the company you work for.
  • Contact information — your email address, phone number and business address.
  • Engagement information — messages you send us, enquiry form content, notes we take during discovery, scopes and proposals we prepare for you.
  • Billing information — invoicing details, ABN, and payment references (we do not store full credit card numbers; those are tokenised by our payment processor).
  • Technical information — IP address, browser type and version, operating system, referring URL, pages visited, time spent, and device information, collected automatically when you visit our website.
  • Communications records — copies of correspondence (email, SMS, chat) between us and you, kept for the duration of our engagement and a reasonable period afterwards.
  • Sensitive information — we don’t intentionally collect sensitive information (as defined under the Privacy Act). If we need to in the context of a specific project, we’ll ask for your explicit consent first.

4. How we collect it

  • Directly from you — when you fill in a contact form, email us, speak with us on a call, or engage us for a project.
  • From your authorised representatives — your colleagues or agents acting on your behalf.
  • Automatically — through cookies, analytics tools and server logs when you use our website (see Section 10 on cookies).
  • From publicly available sources — your company website, LinkedIn profile, or public business registers, to inform context before a meeting.

5. Why we collect it — lawful purposes

We collect and use personal information for these specific purposes:

  • To respond to your enquiries and deliver the services you engage us for.
  • To send scopes, proposals, contracts, invoices and service updates.
  • To operate, maintain and improve our own website and internal systems.
  • To comply with legal, tax, accounting and regulatory obligations.
  • To run targeted marketing to people who’ve specifically opted in (we don’t spam; see Section 11).
  • To resolve disputes and enforce our terms.

Where we rely on your consent as a lawful basis for processing, you can withdraw that consent at any time by contacting us (Section 13).

6. Who we share your information with

We share personal information only with parties who need it to help us deliver our services or meet our legal obligations. Our current subprocessors are:

  • SiteGround — website hosting (servers located in Australia by default).
  • Google LLC — Google Workspace for email, Google Analytics 4, and Google Ads campaign management.
  • Anthropic PBC & OpenAI OpCo, LLC — for AI-assisted workflows used in delivery (only anonymised or explicitly consented data is ever sent).
  • Stripe Payments Australia Pty Ltd — payment processing.
  • Xero Australia Pty Ltd — invoicing, accounting and GST compliance.
  • Microsoft Corporation — LinkedIn for professional communications and targeted advertising.
  • Meta Platforms, Inc. — Facebook, Instagram and WhatsApp for marketing and client communications (where explicitly agreed).
  • Twilio Inc. / Messagebird B.V. — SMS and voice communications infrastructure (only for projects that require it).
  • HubSpot, Inc. — CRM for client relationship management.
  • Professional advisers — our accountant, solicitor and insurance provider, where relevant to a specific matter.
  • Australian government authorities — where required by law (tax, regulatory, court orders).

We do not sell personal information. We do not rent, licence or otherwise commercialise personal information.

7. Overseas disclosure and data sovereignty

Our default position is that Australian client data is stored and processed in Australia. Where a subprocessor listed above operates overseas (most of them do, since they are multinational service providers), we take the following steps:

  • We select Australian data centre regions wherever the provider offers them.
  • We rely on the subprocessor’s standard contractual clauses and binding corporate rules for international transfers.
  • We assess whether the recipient country has privacy protections substantially similar to the APPs.
  • For sensitive engagements we will contract with you separately on in-country residency requirements.

Countries to which your personal information may be transferred include the United States, Ireland, Singapore and the United Kingdom.

8. How long we keep your information

We keep personal information only for as long as we need it:

  • Enquiries that don’t progress — 24 months from last contact, then deleted.
  • Active client records — for the duration of the engagement and for 7 years afterwards, to meet our tax and contractual record-keeping obligations.
  • Financial records — 7 years, per the Income Tax Assessment Act 1936 (Cth) and related legislation.
  • Marketing list subscribers — until you unsubscribe or we retire the list.
  • Website analytics — standard retention, anonymised or aggregated after 26 months.

9. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Our controls include:

  • Encrypted connections (HTTPS) for every page and form on our website.
  • Two-factor authentication on administrative accounts.
  • Least-privilege access — team members see only what they need for their role.
  • Regular backups of production data, kept encrypted and off-site.
  • Security monitoring, firewall and malware scanning on our website.
  • Incident response — we notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches scheme.

No system is perfectly secure. If you believe an incident involving your information has occurred, please contact us immediately (Section 13).

10. Cookies and similar technologies

Our website uses cookies and similar technologies. A separate Cookie Notice sets out exactly which cookies we use, why, and how you can control them. The short summary:

  • Essential cookies — required for the site to work (session, security). These cannot be disabled without breaking the site.
  • Analytics cookies — Google Analytics 4 and Microsoft Clarity, set only after you accept the cookie banner.
  • Marketing cookies — Meta Pixel, LinkedIn Insight Tag and Google Ads conversion tracking, set only with your consent.

You can withdraw consent at any time from the cookie-settings link in the footer.

11. Marketing and direct communications

We only send you marketing messages (email newsletters, product announcements) if you’ve specifically opted in, or if you’re an existing client and the communication relates to services similar to those we’ve provided you. Every marketing message contains an unsubscribe link. Honouring your unsubscribe takes effect immediately.

We comply with the Spam Act 2003 (Cth). We will not send you commercial SMS or voice messages without your consent.

12. Your rights

Under the Privacy Act, you have the following rights. Where you are an EU or UK resident, you may also have additional rights under the GDPR / UK GDPR.

  • Right of access — you can request a copy of the personal information we hold about you.
  • Right of correction — you can ask us to correct information you believe is inaccurate, out-of-date or incomplete.
  • Right of erasure — you can ask us to delete your personal information, subject to our legal retention obligations.
  • Right to withdraw consent — where we process your information based on consent, you can withdraw it at any time.
  • Right to object — you can object to certain processing activities, including direct marketing.
  • Right to complain — you can lodge a complaint with us, and with the Office of the Australian Information Commissioner (OAIC) if you’re not satisfied with our response.

We respond to rights requests within 30 days. We may need to verify your identity before acting on a request, to protect against impersonation.

13. How to contact us about privacy

For any privacy-related question, request or complaint:

14. Complaints to the OAIC

If you believe we have breached our obligations under the Privacy Act, please let us know first (Section 13) so we can try to resolve it. If you’re not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner:

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

15. Children

Our services are intended for businesses and adults. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a minor has provided us with personal information, please contact us so we can delete it.

16. Changes to this policy

We may update this policy from time to time. When we do, we’ll update the “Last updated” date at the top and, for material changes, notify you by email or a prominent notice on the website. The current version is always available at amoradigital.com.au/privacy/.

17. Definitions

  • Personal information — information or opinion about an identified or reasonably identifiable individual, as defined in section 6 of the Privacy Act 1988 (Cth).
  • Sensitive information — a subset of personal information including health, racial or ethnic origin, political opinion, religious beliefs, sexual orientation, biometric data, and criminal record.
  • Subprocessor — a third party that processes personal information on our behalf.
  • Notifiable Data Breaches scheme — the legal regime under Part IIIC of the Privacy Act requiring notification of eligible data breaches.

Ready to stop guessing and start growing?

Book a 30-minute strategy call. No pitch, no pressure — just a clear read on what's working, what isn't, and where the lift is.

Book your strategy call