Privacy Policy

AL Refs: PRV01


The Privacy Policy is the central and most critical element of your privacy practices. It informs data subjects what data you collect, how you use it, what their rights are, and how to make privacy-related requests or complaints.

Example Privacy Policy

What data do we collect?

We only collect private and data that is required to provide the agreed services and during our free consultations and support. We secure all data that is collected from our potential and existing clients in confidence. This includes non-disclosure of any data to third parties without explicit permission. This may exclude our established partners with confidentiality arrangements in instances where disclosure is required to support the services.

We encourage you to contact us and provide your company details so that we can tailor our responses to your needs and provide accurate quotations and services. Only the name and email address fields are mandatory for these enquiries. You can refrain from submitting any other details you may not wish to disclose.

We use Google Ads, Analytics, Tag Manager, Hubspot and other tools on the website for marketing and to analyse traffic and trends. The way we use these tools does not identify individuals and their user navigation behaviours. We do not export data outside of these applications or share it with any third parties, including our established partners.

Where does your data go?

We may use the data collected in the following systems, depending on the stage and requirements of the support we are providing you:

  • the platform used for our free tools, automated SOC 2 assessments and workflows. have completed a SOC 2 Type II report issued by a Big4 firm.
  • A-SCEND: A proprietary platform developed by our CPA firm partner, A-LIGN, used to streamline and secure data sharing for our audits. A-LIGN issues annual SOC 2 Type II reports covering Security, Availability and Confidentiality.
  • G-Suite Enterprise: Google Business products used for our client communications. We secure these systems with multi-factor authentication and Google Business grade security practices. Google issues SOC 1, SOC 2 and SOC 3 reports at least annually.
  • Hubspot: Our customer relationship management (CRM) system used for marketing emails, account tracking, and hosting of our website content management system (CMS). Hubspot issues SOC 2 Type II reports annually.
  • Trello: Used for some clients, when preferred, for tracking your requirements and assurance reporting steps. Atlassian issues SOC 2 Type II reports for Trello.
  • Xero: A cloud-based application used for company accounting and invoicing. Xero issues SOC 2 Type II reports annually.

In each of the above, we minimise the data stored based on what is required to effectively support our services to you.


Consent for processing of personal data is implied where data is submitted to AssuranceLab. This privacy policy, linked at all points of systematic data collection, serves as the privacy notice of what data is collected and how it is used.

Withdrawal or refusal of consent

Where consent for the required data is not provided, or is withdrawn after being provided, we may be unable to provide the services accordingly. This includes historical records of any past services that require deletion upon withdrawal of consent. Personal data may not be deleted where it is required to be retained for legal or compliance purposes. This includes audit files that require retention for 7 years, including any related data that was used for verification in the audit process.

Automated processing activities

No automated processing activities by AssuranceLab are considered to carry a material risk of bias, inappropriate use, or negative impacts. Automated processing activities include tailoring of the software to the user based on input variables such as company size, industry, type of products and services, and inputs on how the company practices operate. These do not discriminate against users, nor use the data in any way beyond provision of the services in a user-friendly manner that maximises relevance and tailored guidance.

AssuranceLab Tools

Our free tools, assessments and applications are built in They collect data from your responses to questions to provide automated outputs that help you navigate information security and our services.

We use the data for providing you with our services. We may also use that data at an anonymised and statistical level to provide guidance and benchmarking to our clients, partners and associates. We avoid the use of any statistics that would compromise confidentiality, including any 0% or 100% stats or statistics with specifics that may be used to identify attributes of an individual customer or user. The raw data is stored in, hosted in the Amazon Web Services (AWS) environment. We do not export any data from this environment, except in the output reports sent to you, or after it has been anonymised for statistical analysis.

If you have any concerns over security, privacy or confidentiality, we support the use of an alias contact and company name to prevent your data from being identifiable. This requires the use of a non-business email address and contacting us separately to advise of the alias so we can send the report to the correct person and in a secure manner.

What are your rights?

We support all rights under the EU GDPR, the Australian Privacy Act and any other reasonable requests related to your private data. For any requests related to your data please email, or call +61 (0) 490 086 000.