Privacy Policy
Last Updated:
1. Introduction
Felix Group Pty Ltd (ACN 690 393 634) (“we,” “our,” or “us”) operates Beyhond (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our integration with Google APIs and Microsoft Graph APIs for email and calendar functionality.
This Privacy Policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using our Service, you consent to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company information, and profile details
- Authentication Credentials: OAuth tokens for Google and Microsoft services (encrypted and securely stored)
- Service Configuration: Settings, preferences, and customizations you make within our Service
- Support Communications: Information you provide when contacting our support team
- NDIS-Related Information (where applicable): NDIS participant numbers, plan information, provider registration details, service agreements, and other information necessary for NDIS service delivery and compliance
2.2 Information Collected Through Third-Party APIs
Google Services Integration
When you connect your Google account, we may access and collect:
- Gmail Data:
  - Email messages, headers, attachments, and metadata
  - Folder/label information and organization
  - Read/unread status and email classifications
  - Sender and recipient information
- Google Calendar Data:
  - Calendar events, meetings, and appointments
  - Event details including titles, descriptions, locations, and attendee lists
  - Calendar metadata and sharing permissions
  - Free/busy information
- Google Account Information:
  - Basic profile information (name, email, profile picture)
  - Account permissions and access levels
Microsoft Services Integration
When you connect your Microsoft account, we may access and collect:
- Outlook/Exchange Email Data:
  - Email messages, headers, attachments, and metadata
  - Folder organization and email classifications
  - Read/unread status and importance levels
  - Contact information from emails
- Microsoft Calendar Data:
  - Calendar events, meetings, and appointments
  - Event details including titles, descriptions, locations, and attendee lists
  - Meeting room and resource bookings
  - Calendar permissions and sharing settings
- Microsoft Account Information:
  - Basic profile information and organisational details
  - Directory information (if applicable)
2.3 Automatically Collected Information
- Usage Data: How you interact with our Service, feature usage, and performance metrics
- Technical Information: IP address, browser type, device information, and operating system
- Log Data: Server logs, error reports, and diagnostic information
- Cookies and Tracking: Session data, preferences, and analytics information
3. How We Use Your Information
We collect, hold, use and disclose personal information for the following purposes:
3.1 Core Service Functionality
- Provide, operate, and maintain our Service
- Process and manage your email and calendar data as directed by you
- Enable integration between different email and calendar platforms
- Synchronise data across connected accounts
- Provide search, organisation, and productivity features
3.2 Service Improvement and Analytics
- Analyse usage patterns to improve our Service
- Develop new features and functionality
- Conduct research and analytics (using aggregated, anonymised data)
- Monitor service performance and reliability
3.3 Communication and Support
- Respond to your inquiries and provide customer support
- Send important service updates and notifications
- Communicate about new features and improvements
- Provide technical assistance and troubleshooting
3.4 Security and Compliance
- Detect, prevent, and investigate security threats
- Enforce our Terms of Service and prevent abuse
- Comply with legal obligations and regulatory requirements under Australian law
- Protect the rights and safety of our users and third parties
- Support NDIS compliance and reporting requirements where applicable
3.5 NDIS and Disability Service Support
Where applicable, we may use your information to:
- Facilitate coordination with NDIS providers and support services
- Assist with plan management and service delivery
- Support quality and safeguarding requirements under the NDIS Act 2013
- Enable reporting to the NDIA as required for service provision
- Coordinate care and support across multiple service providers
4. Legal Basis for Collection and Use
Under the Privacy Act 1988 (Cth), we collect and use personal information where:
- Consent: You have provided consent for the collection and use
- Contract Performance: It is necessary to provide the services you’ve requested
- Legitimate Business Purposes: For business operations, security, and service improvement
- Legal Obligation: Required or authorised by Australian law, including:
  - Privacy Act 1988 (Cth)
  - NDIS Act 2013 and related regulations
  - Aged Care Act 1997
  - Disability Discrimination Act 1992
  - Other relevant Commonwealth, State, or Territory legislation
5. Disclosure of Personal Information
5.1 We Do Not Sell Your Personal Information
We do not sell, trade, or rent your personal information to third parties for monetary consideration.
5.2 Disclosure to Third Parties
We may disclose your personal information in the following circumstances:
- With Your Consent: When you explicitly authorise us to disclose your information
- Service Providers: To trusted third-party vendors who assist in operating our Service (under strict confidentiality agreements)
- Related Entities: To other companies within the Felix Group
- Business Transfers: In connection with mergers, acquisitions, or asset sales (with notice to affected users)
- Legal Requirements: When required or authorised by Australian law, court order, or government request
- Government Authorities: To Australian government authorities including but not limited to:
  - National Disability Insurance Agency (NDIA) for NDIS-related services and compliance
  - Department of Social Services for disability service provision
  - Australian Taxation Office for taxation compliance
  - Other relevant Commonwealth, State, or Territory authorities as required by law
- NDIS Compliance: Where you are an NDIS participant or provider, we may share relevant information with the NDIA to:
  - Facilitate service delivery and coordination
  - Ensure compliance with NDIS requirements and quality standards
  - Support plan management and reporting obligations
  - Assist with audits, reviews, or investigations as authorised under the NDIS Act 2013
- Safety and Security: To protect our rights, property, or safety, or that of our users or the public
5.3 Cross-Border Disclosure
Your personal information may be disclosed to overseas recipients, including:
- Cloud service providers in the United States, Europe, and Asia-Pacific
- Google and Microsoft for API functionality (subject to their privacy policies)
- Support and development teams who may be located overseas
We take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles in relation to your personal information.
Note: Information shared with Australian government authorities (including NDIA/NDIS) remains within Australia and is subject to Australian privacy and security requirements.
5.4 NDIS-Specific Data Sharing
If you are an NDIS participant or provider using our Service:
- Participant Information: We may share information necessary for service coordination, plan management, and quality assurance with the NDIA and authorised NDIS providers
- Provider Information: For NDIS providers, we may share information required for compliance, auditing, and quality monitoring purposes
- Service Delivery: Information may be shared to facilitate seamless service delivery across multiple NDIS providers
- Quality and Safeguarding: We may share information as required under the NDIS Quality and Safeguarding Framework
- Consent: Where possible, we will seek your explicit consent before sharing NDIS-related information, except where disclosure is required by law
5.5 API Data Sharing
- Google Data: We comply with the Google API Services User Data Policy and do not share Google user data with unauthorised third parties
- Microsoft Data: We adhere to the Microsoft API Terms of Use and protect Microsoft user data according to their requirements
- Cross-Platform: Data may be synchronised between connected Google and Microsoft accounts only as directed by you
6. Data Security
6.1 Security Measures
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure:
- Encryption: All data transmitted is encrypted using industry-standard TLS protocols
- Data Storage: Personal information is encrypted at rest using AES-256 encryption
- Access Controls: Strict access controls and authentication mechanisms for our systems
- OAuth Security: Secure OAuth 2.0 implementation for third-party API access
- Regular Audits: Periodic security assessments and penetration testing
- Employee Training: Regular security awareness training for all personnel
6.2 Token Management
- API access tokens are encrypted and securely stored
- Tokens are automatically refreshed and revoked when appropriate
- We implement token scope limitations to minimise data access
- Tokens are deleted when you disconnect your accounts
6.3 Data Breach Response
In accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988:
- We will assess whether a data breach is likely to result in serious harm
- If so, we will notify the Office of the Australian Information Commissioner (OAIC) within 72 hours
- We will notify affected individuals if the breach is likely to result in serious harm
- We will cooperate with the OAIC as required
- We will implement additional safeguards to prevent future incidents
7. Data Retention and Deletion
7.1 Retention Periods
- Account Data: Retained while your account is active and for a reasonable period thereafter (typically 7 years for business records)
- Email and Calendar Data: Processed in real-time and cached temporarily for performance (typically 30 days or less)
- Usage Analytics: Aggregated data may be retained indefinitely (anonymised)
- Support Communications: Retained for up to 7 years for quality assurance and legal compliance
- NDIS-Related Records: Retained in accordance with NDIS requirements, typically 7 years from the end of service provision or as required by the NDIS Act 2013 and related regulations
7.2 Data Deletion
You may request deletion of your personal information at any time. Upon account deletion:
- Your account and profile information will be permanently deleted within 30 days (unless retention is required by law)
- Cached email and calendar data will be immediately purged
- API access tokens will be revoked and deleted
- Some anonymised analytics data may be retained for business purposes
- NDIS-related information may be retained where required by the NDIS Act 2013, NDIA policies, or other legal obligations, even after account deletion
8. Your Rights Under Australian Privacy Law
8.1 Access and Correction Rights
Under the Privacy Act 1988, you have the right to:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
8.2 Account Control
- Access and Update: View and modify your account information and preferences through your account dashboard
- Data Portability: Request a copy of your data in a portable format
- Account Deletion: Delete your account and associated data at any time
8.3 API Permissions
- Connect/Disconnect: Link or unlink Google and Microsoft accounts at any time
- Scope Management: Control which data types our Service can access
- Revoke Access: Revoke API permissions directly through Google/Microsoft account settings
8.4 Communication Preferences
- Opt-out: Unsubscribe from marketing communications
- Notification Settings: Control which service notifications you receive
- Essential Communications: You cannot opt out of essential service communications required for the operation of your account
8.5 Making a Privacy Complaint
If you have concerns about how we handle your personal information:
- Contact our Privacy Officer using the details in Section 14
- We will investigate your complaint and respond within 30 days
- If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC)
OAIC Contact Details:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
9. Third-Party Services and APIs
9.1 Google API Services
Our use of Google APIs is subject to:
- Google APIs Terms of Service
- Google API Services User Data Policy
- We only access Google data as necessary to provide our Service
- Google data is not used for advertising or similar commercial purposes
9.2 Microsoft Graph API
Our use of Microsoft APIs is subject to:
- Microsoft API Terms of Use
- Microsoft Privacy Statement
- We comply with Microsoft’s data handling requirements
- Access is limited to authorised organisational users
9.3 Other Third-Party Services
We may integrate with other services (analytics, hosting, support) that have their own privacy policies. We recommend reviewing their privacy practices. These may include services provided by:
- Amazon Web Services (AWS)
- Google Cloud Platform
- Microsoft Azure
- Analytics and monitoring services
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
- Essential Cookies: Required for the Service to function properly
- Performance Cookies: Help us understand how users interact with our Service
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Provide insights into Service usage and performance
10.2 Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of our Service.
11. Children’s Privacy
Our Service is designed for business use and is not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information immediately and may terminate the associated account.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes:
- We will notify you by email and/or through our Service at least 30 days before the changes take effect
- We will update the “Last Updated” date at the top of this policy
- Continued use of the Service after changes take effect constitutes acceptance of the new policy
13. Australian Privacy Compliance
13.1 Privacy Act Compliance
We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as other relevant Australian legislation including:
Privacy Act 1988 (Cth) – Australian Privacy Principles:
- APP 1: Open and transparent management of personal information
- APP 2: Anonymity and pseudonymity
- APP 3: Collection of solicited personal information
- APP 4: Dealing with unsolicited personal information
- APP 5: Notification of the collection of personal information
- APP 6: Use or disclosure of personal information
- APP 7: Direct marketing
- APP 8: Cross-border disclosure of personal information
- APP 9: Adoption, use or disclosure of government related identifiers
- APP 10: Quality of personal information
- APP 11: Security of personal information
- APP 12: Access to personal information
- APP 13: Correction of personal information
Additional Australian Legislation:
- NDIS Act 2013 and NDIS (Quality and Safeguarding) Rules
- Aged Care Act 1997 (where applicable)
- Disability Discrimination Act 1992
- My Health Records Act 2012 (where applicable)
13.2 Industry Standards
Where applicable, we maintain compliance with:
- Australian Government Information Security Manual (ISM)
- ISO 27001 Information Security Management
- SOC 2 Type II controls for relevant cloud services
14. Contact Information
14.1 Privacy Officer
For privacy-related questions, to exercise your rights, or to make a complaint:
Felix Group Pty Ltd
Privacy Officer
Email: privacy@felix.group
Phone: +61 [Phone Number]
Address: [Your Australian Business Address]
14.2 General Support
Email: support@beyhond.com
Website: beyhond.com
14.3 Business Information
Company Name: Felix Group Pty Ltd
ACN: [ACN Number]
ABN: [ABN Number]
Registered Office: [Registered Office Address]
15. Definitions
- Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not
- Sensitive Information: A subset of personal information including health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, criminal record, biometric information, and genetic information
- Use: Any handling of personal information, including collection, storage, processing, and disclosure
- Disclosure: Providing access to personal information or releasing it to others
- User: Any individual who uses our Service
- Service: Beyhond and all related features and functionality provided by Felix Group Pty Ltd
- NDIS: National Disability Insurance Scheme established under the NDIS Act 2013
- NDIA: National Disability Insurance Agency, the independent statutory agency responsible for implementing the NDIS
- NDIS Participant: A person who has been determined eligible for the NDIS and has an approved plan
- NDIS Provider: An organisation or individual registered to provide supports and services to NDIS participants
- Australian Government Authorities: Commonwealth, State, and Territory government agencies, departments, and statutory bodies
Effective Date: [Date]
This Privacy Policy is effective as of the date listed above and supersedes all previous versions. This Privacy Policy is governed by Australian law and any disputes will be subject to the jurisdiction of Australian courts.