Privacy Policy
Last updated: 13 April 2026
1. About this policy
Case360 (“we”, “us”, “our”) is committed to protecting the privacy of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, store, and disclose personal information through our workplace investigation management platform at case360.com.au.
2. What information we collect
We collect personal information that is necessary to provide our services, including:
- Account details: name, email address, and password (hashed).
- Organisation details: organisation name and subdomain.
- Case data: names, contact details, and information about individuals involved in workplace investigations entered by you or your team.
- Usage data: log files, IP addresses, and browser/device information for security and product improvement purposes.
- Billing data: invoicing details processed by Stripe (we do not store card numbers).
3. How we use your information
- To provide and improve the Case360 platform.
- To authenticate users and enforce access controls.
- To process billing and subscription management via Stripe.
- To send transactional emails (account setup, invitations, billing notices).
- To comply with our legal obligations.
4. Data residency and storage
All customer data is stored exclusively in Australia. Our infrastructure providers and their Australian regions are:
- Database (Firestore): Google Cloud Platform, australia-southeast1 (Sydney)
- File storage (GCS): Google Cloud Platform, australia-southeast1 (Sydney)
- Authentication (Supabase): ap-southeast-2 (Sydney)
- Application hosting (Vercel): syd1 (Sydney)
AI analysis features use Google Vertex AI in australia-southeast1 (Sydney). Document content processed for AI analysis is not retained by Google beyond the scope of the individual API call.
5. Disclosure of information
We do not sell, rent, or trade personal information. We may disclose information to:
- Our infrastructure providers (Google Cloud, Supabase, Vercel, Stripe, Resend) solely to deliver the service.
- Law enforcement or regulatory bodies where required by law.
- Successors in the event of a business transfer, subject to equivalent privacy protections.
6. Data retention
Case data is retained for the duration of your subscription and for 30 days after account closure, after which it is permanently deleted. Audit logs are retained for 7 years in compliance with Australian Privacy Principles. Billing records are retained for 7 years as required by Australian tax law.
7. Security
We implement technical and organisational measures to protect personal information, including TLS encryption in transit, AES-256 encryption at rest, multi-tenant data isolation, role-based access controls, and short-lived signed URLs for file access (15-minute expiry).
8. Your rights
Under the APPs you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate or out-of-date information.
- Request deletion of your personal information (subject to legal retention requirements).
- Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
9. Cookies
We use essential session cookies to maintain authentication. We do not use third-party advertising or tracking cookies. Analytics, if enabled, uses privacy-respecting tools with Australian data residency.
10. Contact us
For privacy enquiries or to exercise your rights, contact us at privacy@case360.com.au.
11. Changes to this policy
We may update this policy from time to time. We will notify subscribers of material changes via email at least 30 days before they take effect.