Privacy Policy

This policy explains what personal information we collect, why we collect it, how we retain it, and how we respond to privacy and data breach obligations.

Last updated: Friday 3rd April 2026

legal@agrinodes.com.au

Agrinodes Pty Ltd, ACN 676 989 352, ABN 84 676 989 352.

1. Introduction

This Privacy Policy describes how we collect, use, disclose, store, and manage personal information in connection with our products and services.

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What is Personal Information

"Personal information" has the meaning given in the Privacy Act 1988 (Cth), being information or an opinion about an identified individual or an individual who is reasonably identifiable.

3. Information We Collect

We may collect the following categories of personal information:

  • (a) Identity and Contact Information: Name, email address, phone number, and account credentials.
  • (b) Account and Service Information: Account identifiers, subscription status, service configuration, and support records.
  • (c) Device and Operational Data: Information generated by or relating to connected devices, including identifiers, configuration data, telemetry, and operational metrics.
  • (d) Usage and Technical Data: Application usage data, logs, diagnostics, and performance information.
  • (e) Payment and Transaction Information: Billing history, subscription records, invoices, and transaction references. Payment details are processed by third-party providers and are not stored by us except as required for record-keeping.

4. How We Collect Personal Information

We collect personal information directly from you when you:

  • purchase products or services;
  • create or use an account;
  • connect or operate devices;
  • contact us or request support; and
  • interact with our applications or systems.

We may also collect information automatically through your use of our services.

5. Purposes of Collection

We collect, hold, use, and disclose personal information for the following purposes:

  • providing, operating, and maintaining our products and services;
  • managing connected devices and infrastructure;
  • processing payments, subscriptions, and related transactions;
  • customer support and service communications;
  • maintaining system security, integrity, and fraud prevention;
  • improving our products, analytics, and performance;
  • complying with legal and regulatory obligations; and
  • any other purpose reasonably related to the above.

6. Disclosure of Personal Information

We may disclose personal information to:

  • service providers, including cloud hosting, analytics, and payment processors;
  • professional advisers, including legal and accounting services;
  • regulatory authorities where required by law; and
  • other parties where permitted or required by law.

We do not sell personal information.

7. Overseas Disclosure

Personal information may be stored or processed in jurisdictions outside Australia, including where our service providers operate.

We take reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with Australian privacy law.

8. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include administrative, technical, and physical safeguards appropriate to the nature of the information.

9. Data Retention

We retain personal information only for as long as necessary for:

  • the purposes for which it was collected;
  • compliance with legal obligations;
  • contractual requirements; and
  • legitimate interests, including security, fraud prevention, and audit.

When personal information is no longer required, we will take reasonable steps to destroy it or de-identify it.

"De-identified" information is information that has been processed such that an individual is no longer reasonably identifiable.

10. Account Deletion

You may request deletion of your account at any time from within the application.

Upon receiving a deletion request:

  • your account access will be disabled promptly;
  • services associated with your account will be ceased; and
  • we will commence a process to delete or de-identify your personal information, subject to legal, contractual, and legitimate retention requirements.

Some information may be retained where required for:

  • legal or regulatory compliance;
  • taxation and financial record-keeping;
  • security, fraud prevention, and audit purposes; or
  • dispute resolution.

Completion of deletion may take a reasonable period where required to finalise these processes.

11. Access and Correction

You may request access to, or correction of, your personal information by contacting us. We will respond in accordance with applicable law.

12. Complaints

If you believe we have breached the Privacy Act or the APPs, you may contact us. If your complaint is not resolved, you may lodge a complaint with the Office of the Australian Information Commissioner.

13. Contact

Agrinodes Pty Ltd

ACN 676 989 352 ABN 84 676 989 352

Governor Phillip Tower - Level 36 / 1 Farrer Pl, Sydney NSW 2000

legal@agrinodes.com.au

+61 435 222 354

Data Retention & Deletion Policy

1. Purpose

This policy governs how personal information is retained, deleted, or de-identified in accordance with applicable law and operational requirements.

2. Customer Rights

A customer may request account deletion at any time through the application.

The ability to initiate account deletion will not be restricted. However, completion of the deletion process may be subject to operational and legal requirements.

3. Deletion Process

Upon receipt of a deletion request:

  • account access is disabled;
  • services are ceased;
  • connected infrastructure is deprovisioned or scheduled for decommissioning; and
  • the account enters a processing phase to complete settlement, retention classification, and data handling.

4. Retention Principle

Personal information will be destroyed or de-identified when it is no longer required for:

  • a legal obligation;
  • contractual necessity; or
  • legitimate interests, including security, fraud prevention, and audit.

5. Retention Categories

5.1 Data to be Deleted

Information not required for legal, contractual, or operational purposes will be deleted following completion of account closure.

5.2 Data to be De-identified

Where ongoing business value exists, data may be de-identified so that individuals are no longer reasonably identifiable.

This may include telemetry, analytics, and system performance data.

5.3 Data to be Retained

Certain information will be retained for the minimum period required, including:

  • financial and taxation records;
  • billing, subscription, and transaction records;
  • security, audit, and fraud-related logs;
  • records required for dispute resolution or legal claims; and
  • payment authority and mandate records.

6. Retention Periods

Unless otherwise required:

  • financial and business records are retained for at least five (5) years;
  • security and audit records are retained for as long as reasonably necessary;
  • payment authority records are retained in accordance with legal and provider requirements; and
  • de-identified data may be retained longer where it is no longer personal information.

7. Completion of Account Closure

Account closure is considered complete once:

  • subscriptions are cancelled or settled;
  • payment authorities are revoked;
  • devices are deprovisioned or managed appropriately; and
  • data is processed in accordance with retention classifications.

8. Delayed Completion

Completion of account deletion may be delayed where necessary to:

  • finalise billing or settlement processes;
  • complete infrastructure or device deprovisioning; or
  • comply with legal obligations.

During this period, the account remains inaccessible.

9. Transparency

Users will be provided with clear information regarding:

  • what data is deleted;
  • what data is retained and the reasons for retention; and
  • expected timeframes for completion of deletion.

Notifiable Data Breach Policy

1. Purpose

This policy establishes the framework for identifying, assessing, responding to, and notifying eligible data breaches in accordance with the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.

2. Scope

This policy applies to:

  • all personal information held by the organisation;
  • all employees, contractors, and service providers; and
  • all systems, infrastructure, and services operated by or on behalf of the organisation.

3. Definitions

3.1 Personal Information

Has the meaning given in the Privacy Act 1988 (Cth).

3.2 Data Breach

A data breach occurs where personal information held by the organisation is:

  • accessed or disclosed without authorisation; or
  • lost in circumstances where unauthorised access or disclosure is likely.

3.3 Eligible Data Breach

A data breach is an eligible data breach if:

  • there is unauthorised access, disclosure, or loss of personal information;
  • the breach is likely to result in serious harm to one or more individuals; and
  • remedial action has not prevented the likelihood of serious harm.

3.4 Serious Harm

Includes physical, psychological, emotional, financial, or reputational harm.

4. Responsibilities

The organisation will:

  • maintain processes to detect and respond to data breaches;
  • ensure personnel are trained to identify and escalate incidents;
  • assess suspected breaches promptly;
  • notify affected individuals and the OAIC where required; and
  • take steps to contain and remediate breaches.

5. Identification and Reporting

All personnel must immediately report any suspected data breach to the designated incident response contact or team.

Examples include:

  • unauthorised access to systems or accounts;
  • accidental disclosure of personal information;
  • lost or stolen devices containing personal information; and
  • security vulnerabilities resulting in potential exposure.

6. Containment and Preliminary Assessment

Upon becoming aware of a suspected data breach, the organisation will take immediate steps to:

  • contain the breach and prevent further unauthorised access or disclosure;
  • secure systems and data;
  • revoke compromised credentials or access; and
  • preserve evidence for investigation.

7. Assessment of Suspected Breach

The organisation will assess whether a suspected breach constitutes an eligible data breach as soon as practicable, and in any event within 30 days.

The assessment will consider:

  • the type and sensitivity of the information involved;
  • whether the information is protected, for example through encryption;
  • who has obtained or may obtain the information;
  • the likelihood of misuse; and
  • the potential harm to affected individuals.

8. Remedial Action

Where possible, the organisation will take remedial action to reduce or eliminate the risk of serious harm.

If effective remedial action prevents the likelihood of serious harm, notification may not be required.

9. Notification Obligations

9.1 When Notification is Required

If an eligible data breach is identified, the organisation will:

  • notify the OAIC; and
  • notify affected individuals or, where appropriate, publish a notification.

9.2 Content of Notification

Notifications will include:

  • the identity and contact details of the organisation;
  • a description of the breach;
  • the types of information involved; and
  • recommended steps individuals should take in response.

9.3 Timing of Notification

Notification will occur as soon as practicable after becoming aware of an eligible data breach.

10. Communication with Affected Individuals

Where notification is required, the organisation will:

  • communicate clearly and in plain language;
  • provide guidance on steps individuals can take to mitigate harm; and
  • provide contact details for further information or assistance.

11. Record Keeping

The organisation will maintain records of:

  • all suspected and confirmed data breaches;
  • assessments conducted;
  • decisions regarding notification; and
  • remedial actions taken.

Records will be retained in accordance with applicable legal and operational requirements.

12. Post-Incident Review

Following a data breach, the organisation will:

  • review the cause and response;
  • identify any control or process weaknesses; and
  • implement improvements to prevent recurrence.

13. Security Measures

The organisation maintains administrative, technical, and physical safeguards designed to protect personal information, including:

  • access controls and authentication mechanisms;
  • encryption and secure communication protocols where applicable;
  • monitoring and logging; and
  • regular review of security practices.

14. Third-Party Data Breaches

Where a data breach involves a third-party service provider, the organisation will:

  • coordinate with the provider to assess and respond to the breach;
  • determine notification obligations; and
  • ensure compliance with applicable legal requirements.

15. Policy Review

This policy will be reviewed periodically to ensure continued compliance with legal and operational requirements.