Privacy Policy
Last updated · 2026-06-03
1. Who we are
This Privacy Policy is issued by Capallo Pty Ltd (ABN 99 693 901 307) (“Capallo,” “we,” “us,” or “our”). Our registered office address is available on request — contact us at hello@capallo.io.
Capallo provides a software-as-a-service treasury governance platform (the “Service”) accessible at capallo.io and the application at app.capallo.io. This Privacy Policy explains how we handle personal information when you visit our website, when our customers use the Service, and when you correspond with us.
2. Scope and our role
Capallo plays two roles in respect of the personal information we handle:
- Data controller: Where we determine the purposes and means of processing — for example, information collected through our website, marketing communications, our own staff and contractor records, and prospective customer enquiries. This Privacy Policy describes how we act in that role.
- Data processor (or APP entity acting for our customer): Where our customers (businesses subscribing to the Service) upload personal information into their Capallo workspace, the customer is the controller of that information and we process it on their behalf pursuant to our agreement with the customer (typically our Data Processing Addendum). This Privacy Policy does not describe how customers themselves handle personal information they upload — please contact the relevant customer for their own privacy practices.
3. The personal information we collect
The categories of personal information we may collect include:
3.1 Information you provide to us
- Account and contact information — name, email address, phone number, job title, employer, and similar information you provide when you create an account, contact us, or correspond with us.
- Authentication information — credentials managed by our authentication provider, including login identifiers and authentication tokens. Capallo does not store user passwords directly.
- Communications — the content of emails, support requests, demo recordings, and other communications you send to us.
- Marketing and event information — information you provide when subscribing to updates, attending events, or completing forms on our website.
3.2 Information our customers upload into their workspace
Our customers may upload personal information about their staff, contractors, beneficiaries, signatories, or counterparties into their Capallo workspace, including names, work email addresses, role designations, and approval signatures. We process this information as the customer's data processor, in accordance with the customer's instructions.
3.3 Information we collect automatically
- Device and usage data — IP address, browser type and version, operating system, referring URLs, pages visited, and interactions with our website and Service.
- Cookies and similar technologies — small data files stored on your device to provide essential website functionality and, where consented to, analytics. See Section 9 below.
- Application audit information — Capallo's core service records an immutable audit log of actions taken within a customer workspace. This is part of the Service's governance function and is accessible only to the relevant customer and authorised Capallo personnel.
3.4 Information from third parties
We may receive limited information from public sources, professional networks (such as LinkedIn), and referral partners where you have been introduced to us through them. We also receive technical information from our service providers (e.g., authentication, hosting, analytics) as set out in this Policy.
4. How we use personal information
We use personal information to:
- provide, operate, maintain, and improve the Service;
- authenticate users, manage subscriptions, and provide customer support;
- communicate with you about your account, the Service, and updates;
- send marketing communications where you have consented or where we are permitted by law (you can opt out at any time);
- conduct research and analytics to improve the Service and our website;
- comply with legal obligations, enforce our Terms of Service, and protect our rights, property, and the safety of others;
- investigate, prevent, and respond to security incidents, fraud, and other unlawful activity.
4.1 Legal bases under GDPR / UK GDPR
Where the EU GDPR or UK GDPR applies to our processing of your personal data, our legal bases are:
- Performance of a contract with you or your employer — to provide the Service.
- Legitimate interests — to operate, secure, and improve our business, including direct marketing to existing business customers and prospective business contacts (subject to your right to object).
- Consent — where you have given consent, for example, to receive marketing communications or to set non-essential cookies. You may withdraw consent at any time.
- Legal obligation — to comply with applicable law.
5. Disclosure of personal information
We do not sell personal information. We may disclose personal information to:
- Our customers — where you are an authorised user of our customer's workspace, we disclose your activity information to the relevant customer as part of providing the Service to them.
- Service providers and sub-processors — third parties who provide services to us, including cloud hosting, authentication, email, analytics, customer support tooling, and payment processing. Our current sub-processor list is available on request at privacy@capallo.io.
- Professional advisors — lawyers, accountants, auditors, and similar advisors bound by confidentiality obligations.
- Government and regulators — where required by law, court order, or in response to a lawful request from a public authority.
- Successors in interest — in connection with a merger, acquisition, financing, reorganisation, or sale of assets.
6. International transfers
Capallo is based in Australia. Our primary hosting and data storage infrastructure is located in AWS Sydney (ap-southeast-2). Some of our service providers may process personal information in other countries.
Where personal information is transferred outside the country where it is collected, we take reasonable steps to ensure that an appropriate level of protection is in place, including by using contractual safeguards (such as Standard Contractual Clauses for transfers from the EU/UK) and selecting providers with appropriate security and privacy practices.
7. How we store and secure personal information
We take the security of personal information seriously and implement technical and organisational measures appropriate to the risk, including:
- encryption of data in transit using TLS;
- encryption of data at rest where provided by our infrastructure;
- role-based access controls and the principle of least privilege;
- separation of duties enforced within the Service, including maker-checker and approval workflows;
- immutable audit logging of significant actions taken within the Service;
- regular reviews of access, controls, and incident response practices.
See our Security page for more detail.
No method of transmission or storage is 100% secure. While we work to protect personal information, we cannot guarantee absolute security.
8. Data retention
We retain personal information only for as long as is necessary for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Customer workspace data is retained for the term of the customer's subscription and in accordance with the customer's instructions following termination, subject to our standard backup and deletion timelines, which can be provided on request.
9. Cookies and analytics
Our website uses cookies and similar technologies to provide essential functionality (such as remembering your session) and, where you have consented to non-essential cookies, to measure how visitors interact with our website.
We do not currently use a third-party web analytics provider on our website. You can manage your cookie preferences through your browser settings or, where provided, through a cookie banner on the website.
10. Your rights
10.1 Rights under the Australian Privacy Act
Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- request access to the personal information we hold about you;
- request that we correct personal information that is inaccurate;
- make a complaint about our handling of your personal information.
10.2 Rights under the EU GDPR and UK GDPR
If the GDPR or UK GDPR applies to you, you also have the right to:
- request erasure of your personal data (in certain circumstances);
- request restriction of processing;
- object to processing (including for direct marketing purposes);
- data portability (where applicable);
- withdraw consent (where processing is based on consent);
- lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office; in the EU, the supervisory authority of your habitual residence.
10.3 How to exercise your rights
To exercise any of these rights, please contact us at privacy@capallo.io. We may need to verify your identity before we can process your request, and we will respond within the timeframes required by applicable law.
11. Children
The Service is intended for use by businesses and their authorised personnel. We do not knowingly collect personal information from children under the age of 16. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The most current version will always be posted on our website with the “Last updated” date at the top. For material changes, we will provide additional notice — for example, by email to our customers.
13. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
- By email: privacy@capallo.io
- By post: please email us at privacy@capallo.io and we will provide the postal address for written correspondence.
If you are unsatisfied with our response to a privacy complaint, you may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.