Privacy Policy — EthicalHub

We collect only what we need, keep it only as long as we must, and never sell it. Here's exactly what we do — and why.

Effective: 15 May 2025 · Privacy Act 1988 (Cth) · Data stored in Australia

Plain English Summary

We collect information that helps us run EthicalHub and serve you well. That includes your name, your centre's details, and the compliance data you enter into the platform.

We don't sell your data. We don't share it with advertisers. We store it in Australia. You can ask us to access, correct, or delete it at any time. If something goes wrong with your data, we'll tell you.

This policy applies to EthicalHub Pty Ltd and the platform at ethicalhub.co. It complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

1. Who We Are

EthicalHub Pty Ltd (ABN: 87 677 816 732) operates the EthicalHub compliance management platform at ethicalhub.co. We are the data controller for personal information collected through the platform and this website.

EthicalHub is based in Melbourne, Victoria, Australia. We build compliance tools for Class 1 childcare centres — helping directors, owners, and staff manage food safety obligations under VECRA, the NQF, and FSANZ standards.

If you have any questions about how we handle your personal information, contact us at hello@ethicalhub.co. We'll respond within 1 business day.

2. What This Policy Covers

This Privacy Policy explains how EthicalHub Pty Ltd collects, uses, stores, discloses, and protects personal information in connection with:

  • Your use of the EthicalHub platform at ethicalhub.co
  • Any account you create with us
  • Communications you have with us by email, phone, or through the platform
  • Your participation in surveys, trials, or feedback programs
  • Supplier onboarding and directory listing
  • Marketing communications, if you have opted in

It applies to all users of EthicalHub — childcare centre directors, staff members, approved providers, food suppliers, and anyone who visits our website.

This policy does not apply to third-party websites, apps, or services that we link to. Those services have their own privacy policies and we are not responsible for them.

3. Information We Collect

We collect personal information in three ways: information you give us directly, information generated by your use of the platform, and information we receive from third parties.

Information you give us directly

Category | Examples | Who provides it
Account details | Full name, email address, phone number, job title, password (hashed) | Directors, staff
Centre information | Centre name, address, licence number, approved provider details, licensed capacity, operating hours | Directors
Compliance records | Food delivery logs, FSS certificate details, supplier certifications, corrective action records, HACCP documentation, monthly sign-off records | Directors, staff
Staff records | Staff names, FSS certificate numbers, training records, roles | Directors
Dietary and allergy data | Children's allergy flags, dietary requirements (for purchase-blocking feature). No children's names are required. | Directors, staff
Supplier details | Business name, ABN, contact name, email, phone, HACCP certification, public liability insurance, delivery schedule | Suppliers
Billing information | Billing name, address, card type and last 4 digits (full card details are handled by our payment processor — we never see or store them) | Account holders
Communications | Emails, support messages, feedback forms, demo booking details | Any user

Information generated by your use of the platform

  • Usage data: Pages visited, features used, actions taken, session duration, click paths
  • Device and browser data: IP address, browser type and version, operating system, screen resolution, time zone
  • Log data: Access timestamps, error logs, API request logs
  • Audit trail data: Record of who created, edited, or viewed compliance records within your centre account

Information from third parties

  • Payment processors: Confirmation of payment success or failure (not card details)
  • Referral sources: If you were referred to EthicalHub by a partner or another centre, we may note that referral source
  • Demo bookings: If you book a demo or onboarding call with us, we receive your name, email, and selected time

We do not collect: children's names, photos, or identifying information. Allergy and dietary data is recorded at a category level only and is not linked to individual children by name inside EthicalHub.

4. Why We Collect It

We collect only what we need for a specific, legitimate purpose. Here is why we collect each category of information:

  • Account details — to create and manage your account, verify your identity, and communicate with you about your subscription
  • Centre information — to configure the platform correctly for your centre's licence type, capacity, and regulatory obligations
  • Compliance records — to provide the core compliance tracking, audit preparation, and reporting features of EthicalHub
  • Staff records — to support FSS certificate tracking, training records, and user access management
  • Dietary and allergy data — to power the allergy management and purchase-blocking feature that helps keep children safe
  • Supplier details — to manage the supplier directory, verify certifications, and enable centres to connect with compliant suppliers
  • Billing information — to process subscription payments and maintain billing records as required by law
  • Communications — to respond to your enquiries, provide customer support, and handle complaints
  • Usage data — to understand how the platform is being used, identify bugs, improve features, and ensure platform security
  • Device and log data — to maintain platform security, investigate suspicious activity, and diagnose technical issues

5. Legal Basis for Processing

EthicalHub operates under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We collect, use, and disclose personal information only where we have a lawful reason to do so.

Our lawful reasons include

  • Contract performance: Processing is necessary to provide you with the EthicalHub platform under the Terms of Use you agreed to
  • Legitimate interests: We have a legitimate interest in operating and improving our platform, securing our systems, and communicating with customers — provided this does not override your privacy rights
  • Legal obligation: We may need to process certain information to comply with applicable Australian law, including tax obligations, financial record-keeping requirements, and responses to lawful regulatory demands
  • Consent: For optional activities such as marketing emails or analytics cookies, we will ask for your consent and you may withdraw it at any time
  • Vital interests: In rare circumstances where processing is necessary to protect someone's life or safety — for example, where a serious food safety incident involving children is reported to us

6. How We Use Your Information

We use your information only for the purposes it was collected. We do not use it for anything you wouldn't reasonably expect.

To provide and operate EthicalHub

  • Delivering the compliance management features you subscribed to
  • Generating audit packs, compliance reports, and certificate expiry reminders
  • Managing your account, subscription, and billing
  • Providing customer support and responding to your questions
  • Sending transactional emails — account confirmations, invoices, password resets, and platform notifications

To improve the platform

  • Analysing aggregated, de-identified usage data to understand which features are most valuable
  • Identifying bugs, performance issues, and security vulnerabilities
  • Developing new features based on how the platform is used and feedback we receive

To communicate with you

  • Sending service updates, change notifications, and important compliance reminders
  • Sending marketing emails if you have opted in — you can unsubscribe at any time
  • Conducting user research, surveys, or satisfaction checks (always optional)

To meet legal and compliance obligations

  • Maintaining financial records as required by Australian tax law
  • Responding to lawful regulatory requests, court orders, or legal proceedings
  • Enforcing our Terms of Use and protecting the platform from fraud or misuse

We will never: sell your personal information to third parties, share it with advertisers, use it to build profiles for targeting by other companies, or use your compliance records for any purpose other than providing EthicalHub to you.

7. Who We Share Your Information With

We do not sell, trade, or rent your personal information. We share it only in the following limited circumstances:

Service providers and subprocessors

We use a small number of trusted third-party service providers to help us operate EthicalHub — for example, cloud hosting, payment processing, and email delivery. These providers act on our instructions and are contractually required to protect your data. See Section 8 for the full subprocessor list.

Within your centre

Staff members you authorise to use EthicalHub can see the compliance records, supplier data, and centre information held within your account. You are responsible for managing which staff members have access and at what permission level.

Supplier directory

If you are a supplier listed in the EthicalHub directory, your business name, certification status, and product categories are visible to childcare centres using the platform. Personal contact details (name, email, phone) are shared only with centres you connect with directly.

Legal and regulatory requirements

We may disclose personal information if required to do so by Australian law, court order, or lawful demand from a regulatory authority — including the Department of Education, Safer Care Victoria, local council environmental health officers, or the Australian Tax Office. Where legally permissible, we will notify you before complying.

Business transfers

If EthicalHub is involved in a merger, acquisition, asset sale, or restructure, your data may be transferred to the new entity. We will notify you in advance and ensure the receiving party is bound by equivalent privacy protections.

With your consent

We will share your information with any other party only where you have given us explicit consent to do so.

8. Our Subprocessors

These are the third-party services we use to operate EthicalHub. All subprocessors are contractually bound to handle your data securely and only for the purposes we specify. We review this list regularly.

Provider | Purpose | Location
Supabase | Database hosting, authentication, and file storage | Australia (Sydney)
Stripe | Payment processing and subscription billing | United States
Resend / SendGrid | Transactional email delivery (invoices, alerts, notifications) | United States
PostHog | Product analytics and usage monitoring (anonymised) | Australia / EU

Some subprocessors are based outside Australia. Where this applies, we ensure appropriate data protection safeguards are in place — including standard contractual clauses and, where available, data residency agreements. Your core compliance data is stored in Australia at all times.

To request the current full subprocessor list, including details of applicable data protection agreements, email hello@ethicalhub.co.

9. Where Your Data Is Stored

Your compliance records, account information, and centre data are stored on servers located in Australia (Sydney), hosted by Supabase on AWS infrastructure. This means your data is subject to Australian law.

Cross-border data flows

Some of our subprocessors — including Stripe and our email provider — are based in the United States. When your data is processed by these providers, it may be transferred outside Australia. We ensure this only occurs where:

  • The receiving party is subject to a law or binding scheme that provides substantially similar protections to the Australian Privacy Principles, or
  • We have entered into data processing agreements that require equivalent protections

Credit card and payment data is processed entirely by Stripe and never transmitted to or stored by EthicalHub's own systems.

Your core compliance data never leaves Australia. Delivery logs, audit records, FSS certificates, corrective action notes, and supplier certifications are stored exclusively on Australian-based infrastructure.

10. How Long We Keep Your Information

We keep your personal information only for as long as it is needed for the purpose it was collected, or as required by Australian law.

Data type | Retention period | Reason
Account and profile data | Duration of subscription + 60 days after cancellation | Account recovery window
Compliance records | Duration of subscription + 60 days after cancellation | Data export window
Billing records | 7 years from transaction date | Australian tax law
Support communications | 3 years from last interaction | Service history and dispute resolution
Usage and log data | 12 months on a rolling basis | Security monitoring and debugging
Marketing preferences | Until you unsubscribe or withdraw consent | Consent-based processing
Anonymised analytics | Indefinitely (no personal identifier) | Product improvement

After the applicable retention period, personal information is deleted or irreversibly anonymised. We do not archive data "just in case."

11. Keeping Your Data Secure

We take data security seriously. Childcare compliance records are sensitive — and we treat them that way.

Technical safeguards

  • All data is encrypted in transit using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 encryption
  • Passwords are hashed using bcrypt — we cannot see your password
  • Access to production systems is restricted to authorised personnel only, with multi-factor authentication required
  • Automated daily backups with tested restoration procedures
  • Regular security vulnerability scanning and dependency updates

Organisational safeguards

  • All staff and contractors with access to personal data are bound by confidentiality obligations
  • Data access is granted on a least-privilege basis — staff only see what they need to do their job
  • We conduct periodic access reviews and remove access when it is no longer needed
  • Incidents and security events are logged and reviewed

Your responsibilities

Security is a shared responsibility. Use a strong, unique password for your account. Enable two-factor authentication if available. Remove staff access promptly when someone leaves your centre. If you suspect your account has been compromised, contact us immediately at hello@ethicalhub.co.

No system is perfectly secure. While we take extensive precautions, no internet transmission or data storage system can guarantee 100% security. If you have specific security requirements, contact us to discuss them.

12. Cookies

EthicalHub uses cookies and similar technologies to keep the platform running, understand how it is used, and remember your preferences.

What cookies we use

Your cookie choices

Essential cookies are required for the platform to function and cannot be turned off. Analytics and preference cookies are optional. You can manage your cookie preferences through your browser settings or by contacting us.

Note that disabling non-essential cookies will not affect your ability to use EthicalHub's compliance features.

13. Children's Personal Data

EthicalHub is designed to help childcare centres keep children safe — and we take the handling of any data related to children extremely seriously.

What we collect (and don't collect)

EthicalHub does not collect, store, or process children's names, dates of birth, photos, family details, or any other information that directly identifies a child in care.

The only child-related data held in EthicalHub is:

  • Allergy and dietary categories — for example, "nut allergy", "gluten free", "halal" — recorded at a category level for the purpose of the purchase-blocking and procurement safety feature
  • This data is not linked to any named child within EthicalHub

Your obligations as the centre director

You may hold children's personal information separately in your own systems (enrolment software, medical records, etc.). EthicalHub is not an enrolment platform. You are responsible for the privacy and security of any children's data you hold in your own systems, in accordance with the Privacy Act 1988 (Cth) and your obligations as an approved provider under the NQF.

If you are a parent or guardian and have a question about how your child's information is managed at their childcare centre, please direct that enquiry to the centre's director directly. EthicalHub is the centre's back-of-house compliance tool — we do not hold enrolment or personal records about children.

14. Sensitive Information

The Privacy Act 1988 (Cth) and the Australian Privacy Principles give higher protection to certain categories of "sensitive information" — including health information, racial or ethnic origin, religious beliefs, and biometric data.

Allergy and dietary information

Allergy and dietary category information (for example, "nut allergy" or "halal dietary requirement") may constitute health information under the Privacy Act. We handle this information with heightened care:

  • It is collected only for the purpose of preventing unsafe food procurement at your centre
  • It is not shared with any third party except as required to operate the platform
  • It is not used for marketing, research, or analytics
  • It is deleted when your account is closed

Health information about staff

EthicalHub does not require or store health information about your staff. If you choose to add notes about a staff member's food handling restrictions in the staff records module, that information is treated as sensitive and handled accordingly.

Religious or cultural certifications

If your centre or suppliers hold halal, kosher, or similar certifications, those certifications may be stored in EthicalHub's supplier vault. This information is treated as sensitive and shared only with users within your authorised account.

15. Your Privacy Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have clear rights in relation to your personal information. We respect them and make them easy to exercise.

  • Access: Ask us what personal information we hold about you. We'll provide a copy within 30 days.
  • Correction: Ask us to correct inaccurate or out-of-date personal information. Most can be updated directly in your account settings.
  • Deletion: Ask us to delete your personal information. We'll action it promptly, subject to legal retention requirements.
  • Portability: Export your compliance data at any time in CSV or PDF format directly from the platform.
  • Opt out: Unsubscribe from marketing emails at any time using the link in any email, or by contacting us directly.
  • Complain: Lodge a complaint with us or directly with the OAIC if you believe we have mishandled your information.

How to exercise your rights

Email us at hello@ethicalhub.co with "Privacy Request" in the subject line. Tell us what you'd like — access, correction, deletion, or something else. We'll verify your identity and respond within 30 days.

There is no fee for making a privacy request. If a request is complex or you make multiple requests in a short period, we may ask for more time — we'll tell you if that's the case and explain why.

16. Data Breaches

We take data breach prevention seriously. But if a breach occurs, we will act quickly and transparently.

Our obligations under the NDB scheme

Australia's Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) requires us to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

What we'll do if a breach occurs

  • Contain the breach and assess its scope as quickly as possible
  • Notify affected users by email with a clear description of what happened, what data was involved, and what steps we are taking
  • Notify the OAIC as required under the NDB scheme
  • Provide guidance on any steps you should take to protect yourself
  • Conduct a post-incident review to prevent recurrence

Reporting a suspected breach

If you believe your EthicalHub account has been accessed without your authorisation, or that your data may have been compromised, contact us immediately at hello@ethicalhub.co with "Security Incident" in the subject line. We will respond as a priority.

17. Third-Party Links and Integrations

EthicalHub may contain links to third-party websites, tools, or resources — for example, links to FSANZ standards, regulatory documents, or supplier websites. We also integrate with third-party services like Stripe for payments and Calendly for scheduling.

Once you leave ethicalhub.co or interact with a third-party integration, their privacy policy applies — not ours. We do not control, endorse, or take responsibility for the privacy practices of any third-party service.

We encourage you to read the privacy policy of any third-party service before providing your personal information to them.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We'll do this when the law changes, when we introduce new features that affect how data is processed, or when we update our subprocessors.

How we'll tell you

  • For material changes — those that significantly affect your rights or how your data is used — we'll email you at least 14 days before the change takes effect
  • We'll also display an in-app notification for material changes
  • We'll always update the "Last updated" date at the top and bottom of this page

Your continued use of EthicalHub after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with a material change, you may close your account before it takes effect.

Previous versions of this policy are available on request by emailing hello@ethicalhub.co.

19. Complaints

If you believe EthicalHub has mishandled your personal information, we want to know. We take privacy complaints seriously and will investigate every one.

Step 1 — Contact us first

Email us at hello@ethicalhub.co with "Privacy Complaint" in the subject line. Tell us what happened and what outcome you are seeking. We will acknowledge your complaint within 2 business days and aim to resolve it within 30 days.

Step 2 — Contact the OAIC

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Mail: GPO Box 5218, Sydney NSW 2001

We would always prefer to resolve a concern directly before it reaches the OAIC. If something has gone wrong, please reach out. We're a small team and we genuinely care about getting this right.

20. Contact Us

Privacy questions, data requests, complaints, or anything else — reach out. We'll give you a straight answer.

EthicalHub Pty Ltd — Privacy Contact

Privacy enquiries: hello@ethicalhub.co

Subject line: Privacy Request or Privacy Complaint

Melbourne, Victoria, Australia

Response time: within 1 business day for general enquiries · within 30 days for formal requests