Your employee data is sensitive. InnerLoop is designed for the Australian Privacy Act from day one — not retrofitted after the fact.
The Office of the Australian Information Commissioner (OAIC) has begun active compliance sweeps under the updated Privacy Act. Civil penalties now reach $66,000 per breach for organisations that can’t demonstrate they’ve met their obligations. InnerLoop handles the compliance layer so you don’t have to.
Every applicable Australian Privacy Principle (APP) that touches email communication, tracking, and employee data is addressed below.
A plain-language privacy policy is auto-served to every organisation’s recipients at the point of first email contact. No legal jargon. No buried links.
Every consent event is timestamped and stored. Records are exportable on demand to satisfy any OAIC audit request within minutes.
Deletion requests trigger a soft-delete immediately, then permanent hard-delete after a 30-day retention window. Fully auditable trail.
Every email includes a privacy footer informing recipients of tracking. One-click opt-out is always available and honoured immediately.
A documented 72-hour OAIC notification workflow is in place. Severity tiers, escalation paths, and notification templates are prepared and tested.
Engagement events are auto-purged after 2 years. Personal data is hard-deleted 90 days after an account or recipient is removed.
Third-party processors are disclosed explicitly: Anthropic (AI, US), Resend (email delivery, US), Supabase (database, ap-southeast-2), Stripe (billing, US).
Recipients can request an export of all personal data held about them. Requests are fulfilled within 30 days in a portable, readable format.
The Australian Cyber Security Centre’s Essential 8 is the baseline security framework for Australian organisations. We’ve mapped our controls to these eight mitigation strategies and document them here.
MFA is mandatory for all organisation admins and cannot be disabled. We enforce it at the authentication layer rather than merely recommending it in settings.
Row-Level Security (RLS) enforces four distinct roles: super_admin, org_admin, editor, and viewer. Policies are scoped by organisation and role, so a user cannot read or modify rows outside their own organisation, and a lower role cannot perform actions reserved for a higher one.
Vercel auto-deploys on every merged pull request. Dependabot monitors all dependencies and opens PRs for security patches within 24 hours of disclosure.
Supabase performs daily automated backups with 30-day point-in-time recovery. Backups are tested quarterly. Recovery procedures are documented.
CSP headers enforced on all responses. HTTPS-only with HSTS preloading. No inline scripts. Third-party resources locked to explicit allow-lists.
Every admin action is logged with actor identity, timestamp, IP address, and action type. Logs are immutable and retained for 12 months.
A security events panel in the super-admin dashboard surfaces anomalous activity in real time. Documented runbooks cover the most likely incident types.
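As an added illustration of the role model described above (example code, not InnerLoop's own schema or policies), here is how organisation-scoped RLS with those four roles can be expressed in Supabase's Postgres. The memberships and recipients tables, their column names, and the member_role helper are assumptions; the point is that the role table itself is the escalation boundary and must not be writable by end users.

```sql
-- Added example, not InnerLoop's schema: organisation-scoped RLS with the
-- four roles named above. Table and column names are assumptions.

-- One row per (user, organisation); the role column is the only place a
-- privilege level is recorded.
create table memberships (
  user_id uuid not null references auth.users (id) on delete cascade,
  org_id  uuid not null,
  role    text not null
          check (role in ('super_admin', 'org_admin', 'editor', 'viewer')),
  primary key (user_id, org_id)
);

create table recipients (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  email  text not null,
  name   text
);

alter table memberships enable row level security;
alter table recipients  enable row level security;
-- force: even the table owner goes through the policies
alter table memberships force row level security;
alter table recipients  force row level security;

-- The caller's role in one organisation, or null if not a member.
-- security definer lets the function read memberships regardless of the
-- caller's own policies; search_path is pinned to avoid function hijacking.
create or replace function member_role(p_org uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select m.role from memberships m
  where m.user_id = auth.uid() and m.org_id = p_org
$$;
revoke execute on function member_role(uuid) from public;
grant  execute on function member_role(uuid) to authenticated;

-- memberships: a user may see only their own rows and may not write any.
-- With no insert/update/delete policy for authenticated, only the service
-- role (which bypasses RLS) can grant or change a role; this is what stops
-- a viewer from promoting themself to org_admin.
create policy memberships_read_own on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- recipients: any member of the org can read; only org_admin and editor
-- can write, and writes must stay inside an org they hold that role in.
-- (super_admin, the platform-staff role, gets no extra access here; it
-- would need its own explicitly granted policy.)
create policy recipients_read on recipients
  for select to authenticated
  using (member_role(org_id) is not null);

create policy recipients_write on recipients
  for all to authenticated
  using (member_role(org_id) in ('org_admin', 'editor'))
  with check (member_role(org_id) in ('org_admin', 'editor'));

-- Check: simulate a viewer's JWT and confirm cross-org and write denials.
-- (Supabase's auth.uid() reads the sub claim from request.jwt.claims.)
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims',
--                     '{"sub":"<viewer uuid>","role":"authenticated"}', true);
--   select count(*) from recipients where org_id = '<other org>';  -- 0
--   update recipients set name = 'x' where org_id = '<own org>';   -- UPDATE 0
-- rollback;
```

Two caveats a reviewer would check: the Supabase service_role key bypasses RLS by design, so it must never reach a browser or a client-side bundle; and `with check` on the write policy is what prevents an editor from moving a row into an organisation they do not belong to, which `using` alone would allow on an update.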
No ambiguity. No buried clauses. Here is exactly what we collect, where it lives, who sees it, and how long we keep it.
Email addresses, names, departments, and engagement data: opens, clicks, and read time per block.
Supabase PostgreSQL hosted in ap-southeast-2 (Sydney, Australia). Your database lives on Australian infrastructure; the processors listed below receive only the data needed for their function (for example, recipient addresses for email delivery).
Only your organisation’s admins and editors, scoped via Row-Level Security. InnerLoop staff cannot read your data without explicit permission.
Engagement events: 2 years. Personal data: deleted 90 days after a recipient or account is removed.
Anthropic (AI content features), Resend (email delivery), Supabase (database), Stripe (billing). All listed in our privacy policy.
We will never sell your data. We will never use your employees' data to train AI models. Third-party processors are contractually bound to use data only for the service they provide. All agreements are available on request.
Our commitments at a glance
Australian Privacy Act Compliant
ACSC Essential 8 Aligned
Data Stored in Australia
OAIC-Ready Privacy Policy Included
If you’re evaluating InnerLoop for your organisation and need a Data Processing Agreement, security questionnaire responses, or a conversation with our team, reach out.