Privacy Policy

Last updated: 17 October 2025 (AEST)

1. Overview#

This Privacy Policy explains how New Horizon Code PTY LTD (ABN 61 634 659 804) ("New Horizon Code", "we", "us", or "our") collects, uses, discloses, and protects personal information across our websites, products, and services.

This Policy applies to all New Horizon Code services except Diversity Sync'd, which is governed by its own Privacy Policy available at https://www.diversitysync.com/privacy.

Company details

Suite 121 Level 14, 167 Eagle Street, Brisbane QLD 4000 Australia

Phone: 1300 980 034 | Email: privacy@newhorizoncode.io

Website: https://www.newhorizoncode.io

2. Scope#

This Policy covers data collected through:

Corporate websites and web applications (including Carey, TobyHR, Profile Dock, Syrup, and other platforms developed or maintained by New Horizon Code);
Support and communication channels (email, chat, phone, ticketing); and
Marketing, analytics, and social-media interactions.

3. Legal Framework#

We comply with:

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);

4. Our Role#

Controller: We act as controller for our websites, billing, marketing, analytics, and support records.

Processor: For customer-submitted data stored within our hosted products (excluding Diversity Sync'd), we act as processor on the customer's instructions.

Our Data Processing Addendum (DPA) (including EU SCCs / UK IDTA) is available on request.

5. Information We Collect#

We may collect:

Identity & contact data – name, email, phone, company, address.
Account & billing data – login IDs, invoices, payment records (handled via secure third parties).
Technical & usage data – IP address, device/browser details, session logs, performance metrics, cookies/local storage.
Communications & support data – emails, chat logs, call recordings/transcripts, feedback.
Platform content (processor context) – information entered by customers and users within our apps.

Sensitive information (e.g. health/disability data) is only processed under customer direction and subject to explicit consent and lawful purpose under the APPs and GDPR Art. 9.

6. How We Use Information & Legal Bases#

Purpose	Legal Basis (GDPR)
Provide and operate services (accounts, billing, authentication)	Contract Art 6(1)(b)
Communicate and support customers	Contract / Legitimate interest Art 6(1)(f)
Maintain security, prevent fraud, ensure availability	Legitimate interest Art 6(1)(f)
Comply with legal and regulatory obligations	Legal obligation Art 6(1)(c)
Marketing with consent (emails, cookies)	Consent Art 6(1)(a) / Spam Act 2003

7. Cookies & Marketing#

We use:

Essential cookies – for core functionality and security.
Analytics & marketing cookies – only with your consent.

You can manage preferences via our cookie banner or browser settings.

All electronic marketing complies with the Spam Act 2003 (Cth) and includes an unsubscribe link.

8. AI Features#

Some services include AI-assisted tools (e.g. summarisation or text analysis).

AI outputs are assistive only and not a substitute for professional judgment.

We do not use customer content to train external AI models.

See our AI Usage Statement.

9. Disclosure & Sub-Processors#

We do not sell personal information.

We may share data with:

Authorised sub-processors under written agreements;
Professional advisers (legal, accounting, audit) under confidentiality;
Regulators or law-enforcement where legally required; and
Successor entities in case of merger or acquisition.

Current sub-processors and infrastructure partners

Provider	Purpose	Data Location
Supabase	Database hosting & auth	Australia (Sydney)
Vercel	Web hosting & CDN	Global
Stripe	Payments & billing	Australia & USA
Resend	Transactional email	USA
Intercom	Support desk & live chat	USA & EU
Linear	Issue tracking	USA
Twilio	Voice & SMS services	Global
ElevenLabs	Voice services	USA & EU
SendGrid	Transactional email (contact forms & confirmations)	USA
Vercel Analytics	Website analytics & performance monitoring	Global
Google Fonts	Font hosting (Inter font)	Global
jsDelivr	CDN for JavaScript libraries	Global
Statuspage.io	Status page hosting	Global
Unicorn Studio	3D graphics & animations	USA
Cloudflare	Security, DDoS protection & content delivery	Global

An up-to-date list is available upon request.

We notify customers of material sub-processor changes where required.

10. International Transfers#

Personal information may be processed outside Australia.

We apply appropriate safeguards – Standard Contractual Clauses, UK IDTA, adequacy decisions – and take reasonable steps under APP 8 to ensure overseas recipients handle data lawfully and securely.

11. Security#

We use administrative, technical and physical safeguards, including:

Encryption in transit (TLS) and at rest;
Multi-factor authentication and role-based access controls;
Logging and monitoring;
Regular vulnerability testing and vendor assessments.

No system is completely secure, but we maintain industry-standard protections.

12. Retention#

Category	Typical Retention
Account & billing records	Life of account + 7 years
Support tickets & attachments	24 months after closure
Logs & telemetry	90–180 days (then aggregated/anonymised)
Call recordings / transcripts	≤ 90 days unless required by law
Backups	Rolling expiry cycles (auto-deleted)

When data is no longer required, it is securely deleted or de-identified.

13. Call Recording & Monitoring#

When you contact our support number (1300 980 034):

Calls may be recorded or transcribed for quality and compliance;
You receive a pre-call notice and can opt out via email support;
Recordings are securely stored and retained per § 12.

14. Your Rights#

You may request access, correction, deletion, restriction or data portability (subject to law).

Requests: privacy@newhorizoncode.io

We verify identity and respond within 30 days.

If you are an end user of a customer organisation, please contact that organisation first; we will assist under our DPA.

15. Children#

Our services are not directed to individuals under 18.

We do not knowingly collect personal information from children directly.

Customers handling child data must obtain lawful consent and authority.

16. Data Breaches#

We promptly assess any suspected breach and within 30 days determine if serious harm is likely.

If so, we notify affected individuals and the OAIC as soon as practicable and take remedial action.

17. Third-Party Links#

Our websites and apps may link to external sites not controlled by us.

We are not responsible for their content or privacy practices; please review their policies.

18. Updates to This Policy#

We may revise this Policy to reflect legal or operational changes.

Material updates will be communicated via email or in-app notice.

Continued use after changes signifies acceptance.

19. Contact & Complaints#

Privacy Officer

New Horizon Code PTY LTD

Suite 121 Level 14, 167 Eagle Street, Brisbane QLD 4000 Australia

Email: privacy@newhorizoncode.io | Phone: 1300 980 034

If unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

www.oaic.gov.au | 1300 363 992 | enquiries@oaic.gov.au

20. Jurisdiction#

This Policy is governed by the laws of Queensland, Australia, and any dispute arises under the exclusive jurisdiction of Queensland courts.

1. Overview#

This Policy applies to all New Horizon Code services except Diversity Sync'd, which is governed by its own Privacy Policy available at https://www.diversitysync.com/privacy.

Company details

Suite 121 Level 14, 167 Eagle Street, Brisbane QLD 4000 Australia

Phone: 1300 980 034 | Email: privacy@newhorizoncode.io

Website: https://www.newhorizoncode.io

2. Scope#

This Policy covers data collected through:

Corporate websites and web applications (including Carey, TobyHR, Profile Dock, Syrup, and other platforms developed or maintained by New Horizon Code);
Support and communication channels (email, chat, phone, ticketing); and
Marketing, analytics, and social-media interactions.

3. Legal Framework#

We comply with:

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);

4. Our Role#

Controller: We act as controller for our websites, billing, marketing, analytics, and support records.

Processor: For customer-submitted data stored within our hosted products (excluding Diversity Sync'd), we act as processor on the customer's instructions.

Our Data Processing Addendum (DPA) (including EU SCCs / UK IDTA) is available on request.

5. Information We Collect#

We may collect:

Identity & contact data – name, email, phone, company, address.
Account & billing data – login IDs, invoices, payment records (handled via secure third parties).
Technical & usage data – IP address, device/browser details, session logs, performance metrics, cookies/local storage.
Communications & support data – emails, chat logs, call recordings/transcripts, feedback.
Platform content (processor context) – information entered by customers and users within our apps.

Sensitive information (e.g. health/disability data) is only processed under customer direction and subject to explicit consent and lawful purpose under the APPs and GDPR Art. 9.

6. How We Use Information & Legal Bases#

Purpose	Legal Basis (GDPR)
Provide and operate services (accounts, billing, authentication)	Contract Art 6(1)(b)
Communicate and support customers	Contract / Legitimate interest Art 6(1)(f)
Maintain security, prevent fraud, ensure availability	Legitimate interest Art 6(1)(f)
Comply with legal and regulatory obligations	Legal obligation Art 6(1)(c)
Marketing with consent (emails, cookies)	Consent Art 6(1)(a) / Spam Act 2003

7. Cookies & Marketing#

We use:

Essential cookies – for core functionality and security.
Analytics & marketing cookies – only with your consent.

You can manage preferences via our cookie banner or browser settings.

All electronic marketing complies with the Spam Act 2003 (Cth) and includes an unsubscribe link.

8. AI Features#

Some services include AI-assisted tools (e.g. summarisation or text analysis).

AI outputs are assistive only and not a substitute for professional judgment.

We do not use customer content to train external AI models.

See our AI Usage Statement.

9. Disclosure & Sub-Processors#

We do not sell personal information.

We may share data with:

Authorised sub-processors under written agreements;
Professional advisers (legal, accounting, audit) under confidentiality;
Regulators or law-enforcement where legally required; and
Successor entities in case of merger or acquisition.

Current sub-processors and infrastructure partners

Provider	Purpose	Data Location
Supabase	Database hosting & auth	Australia (Sydney)
Vercel	Web hosting & CDN	Global
Stripe	Payments & billing	Australia & USA
Resend	Transactional email	USA
Intercom	Support desk & live chat	USA & EU
Linear	Issue tracking	USA
Twilio	Voice & SMS services	Global
ElevenLabs	Voice services	USA & EU
SendGrid	Transactional email (contact forms & confirmations)	USA
Vercel Analytics	Website analytics & performance monitoring	Global
Google Fonts	Font hosting (Inter font)	Global
jsDelivr	CDN for JavaScript libraries	Global
Statuspage.io	Status page hosting	Global
Unicorn Studio	3D graphics & animations	USA
Cloudflare	Security, DDoS protection & content delivery	Global

An up-to-date list is available upon request.

We notify customers of material sub-processor changes where required.

10. International Transfers#

Personal information may be processed outside Australia.

11. Security#

We use administrative, technical and physical safeguards, including:

Encryption in transit (TLS) and at rest;
Multi-factor authentication and role-based access controls;
Logging and monitoring;
Regular vulnerability testing and vendor assessments.

No system is completely secure, but we maintain industry-standard protections.

12. Retention#

Category	Typical Retention
Account & billing records	Life of account + 7 years
Support tickets & attachments	24 months after closure
Logs & telemetry	90–180 days (then aggregated/anonymised)
Call recordings / transcripts	≤ 90 days unless required by law
Backups	Rolling expiry cycles (auto-deleted)

When data is no longer required, it is securely deleted or de-identified.

13. Call Recording & Monitoring#

When you contact our support number (1300 980 034):

Calls may be recorded or transcribed for quality and compliance;
You receive a pre-call notice and can opt out via email support;
Recordings are securely stored and retained per § 12.

14. Your Rights#

You may request access, correction, deletion, restriction or data portability (subject to law).

Requests: privacy@newhorizoncode.io

We verify identity and respond within 30 days.

If you are an end user of a customer organisation, please contact that organisation first; we will assist under our DPA.

15. Children#

Our services are not directed to individuals under 18.

We do not knowingly collect personal information from children directly.

Customers handling child data must obtain lawful consent and authority.

16. Data Breaches#

We promptly assess any suspected breach and within 30 days determine if serious harm is likely.

If so, we notify affected individuals and the OAIC as soon as practicable and take remedial action.

17. Third-Party Links#

Our websites and apps may link to external sites not controlled by us.

We are not responsible for their content or privacy practices; please review their policies.

18. Updates to This Policy#

We may revise this Policy to reflect legal or operational changes.

Material updates will be communicated via email or in-app notice.

Continued use after changes signifies acceptance.

19. Contact & Complaints#

Privacy Officer

New Horizon Code PTY LTD

Suite 121 Level 14, 167 Eagle Street, Brisbane QLD 4000 Australia

Email: privacy@newhorizoncode.io | Phone: 1300 980 034

If unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

www.oaic.gov.au | 1300 363 992 | enquiries@oaic.gov.au

20. Jurisdiction#

This Policy is governed by the laws of Queensland, Australia, and any dispute arises under the exclusive jurisdiction of Queensland courts.