This Privacy Policy explains how Cable Water Pty Ltd (ABN 89 695 763 538) (Cablewater, we, us, our) collects, uses, holds, discloses and protects personal information when you use the Cablewater platform, our website at cablewater.com.au, and any related services (together, the Service).
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy describes how we comply with those obligations. By using the Service you acknowledge that you have read and understood this Policy.
1. Special notice — AML/CTF records
The Service is an AML/CTF compliance platform. Customers use it to record information that the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) requires them to collect and retain. This includes identity documents, beneficial ownership information, customer due diligence records, screening results, risk assessments and reports.
Where personal information has been collected, used or generated by a customer for the purpose of complying with the AML/CTF Act:
- the customer (the reporting entity) is the entity responsible to the individual under the Privacy Act for that information, and Cablewater processes that information on the customer's behalf as a service provider;
- the customer is required by law to retain that information for at least seven (7) years after the end of the relevant relationship or transaction;
- that retention obligation overrides any right an individual might otherwise have to request deletion of the information during the retention period; and
- the AML/CTF Act and its tipping-off provisions (s 123) restrict who may access certain information (including suspicious matter report data). The Service is configured to enforce those restrictions.
If you are an end-client of one of our customers and you wish to exercise privacy rights in relation to AML/CTF records held about you, you should contact the customer in the first instance. We will assist that customer to respond as required.
2. Information we collect
2.1 Account information
When you register for the Service, we collect:
- your name and email address;
- your role within your organisation;
- authentication information (we use magic-link sign-in; we do not store passwords); and
- information you provide when accepting an invitation to join an organisation.
2.2 Business information
When you set up an organisation in the Service, we collect:
- business name, ABN/ACN, address and contact details;
- information about the designated services your business provides;
- information about your governance structure (compliance officer, senior manager, governing body);
- information you provide in questionnaires used to generate your AML/CTF program; and
- your AUSTRAC enrolment details once provided.
2.3 Customer due diligence and AML/CTF records
As part of using the Service, customers upload, enter or generate information relating to their own clients and transactions. This may include:
- personal information about individuals (full name, date of birth, residential address, nationality, occupation, contact details);
- government-issued identity documents and verification results (driver's licence, passport, Medicare card numbers and images);
- beneficial ownership information for entity clients;
- sanctions, PEP and adverse-media screening results;
- risk ratings, customer due diligence assessments, and enhanced due diligence records;
- matter and transaction information; and
- draft and submitted reports to AUSTRAC.
Some of this information is sensitive information within the meaning of the Privacy Act. We handle it in accordance with the APPs and we only use it to provide the Service to the customer that uploaded it.
2.4 Payment information
Payments are processed by Stripe Payments Australia Pty Ltd. We do not store full payment card details on our systems. We receive limited billing metadata (last four digits, card brand, expiry, billing address, transaction status) from Stripe to operate your subscription.
2.5 Communications
If you contact us (by email, support form or otherwise) we collect the contents of those communications and any information you choose to provide.
2.6 Technical and usage information
We automatically collect:
- IP address, browser type and version, operating system, device identifiers;
- pages viewed, features used, time spent, clickstream and referrer data;
- error logs, performance data and security telemetry; and
- authentication and audit-trail information (which user took which action and when).
3. How we collect information
We collect information:
- directly from you when you register, configure your organisation, use the Service, or contact us;
- from other users in your organisation (for example, when they add you as a team member);
- automatically through your use of the Service (technical and usage data);
- from third parties used to provide the Service, including identity verification providers, sanctions and PEP screening providers, the Australian Business Register, and ASIC, where you have asked us to look up information on your behalf; and
- from publicly available sources where reasonably necessary to provide the Service.
4. Why we collect and how we use information
We collect, hold, use and disclose personal information for the following purposes:
- to provide, maintain, secure and improve the Service;
- to authenticate users and protect accounts from unauthorised access;
- to generate AML/CTF programs, risk assessments, policies and other compliance artefacts;
- to enable customers to perform their AML/CTF obligations;
- to process payments and manage subscriptions;
- to communicate with you about the Service, including sending service notices, security alerts and support responses;
- to monitor and improve performance, fix bugs and develop new features;
- to detect, investigate and prevent fraud, abuse and security incidents;
- to comply with our legal obligations, respond to lawful requests, and enforce our terms; and
- with your consent, to send marketing communications about features and offerings (you can opt out at any time).
We do not sell personal information. We do not use customer content (the information you upload to the Service about your clients and matters) to train third-party AI models.
5. Disclosure to third parties
We disclose personal information only as necessary to provide the Service, to comply with the law, or with your consent. The categories of recipient are:
5.1 Service providers (subprocessors)
We engage trusted third parties to provide infrastructure and supporting services. Each is bound by contractual obligations of confidentiality and security. Current subprocessors include:
- Hosting and infrastructure — Hetzner Online GmbH (Germany) for application hosting and database storage.
- Payment processing — Stripe Payments Australia Pty Ltd.
- Email delivery — our transactional email provider for sign-in links and service notifications.
- AI generation — Anthropic, PBC for generating AML/CTF documents from the information you provide.
- Identity verification, sanctions and PEP screening — third-party providers we integrate with, where you choose to use those features.
- Error monitoring and analytics — providers used to monitor service health and usage.
A current list of subprocessors is available on request. We will provide reasonable notice before adding a new subprocessor that materially affects the processing of personal information.
5.2 Legal disclosures
We may disclose personal information where required or permitted by law, including:
- in response to a subpoena, court order, warrant or other lawful request;
- to AUSTRAC, the Australian Federal Police, the Australian Taxation Office or other law enforcement, intelligence or regulatory agencies where required; and
- to enforce our Terms of Service or protect our rights, property and safety, or those of our customers or others.
5.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy or sale of assets, personal information may be transferred as part of that transaction. We will give notice and require any successor to honour this Policy.
6. International disclosures
Some of our subprocessors are located outside Australia. In particular:
- application hosting and primary database are located in Germany;
- AI generation services are provided from the United States; and
- payment processing is provided from Australia by Stripe Payments Australia, which may transfer information to Stripe affiliates in the United States and Ireland.
By using the Service you consent to the transfer of personal information overseas for these purposes. We take reasonable steps to ensure overseas recipients handle personal information in accordance with the APPs. To the extent that APP 8.1 still applies, we contractually require recipients to protect personal information consistent with the APPs.
7. Cookies and similar technologies
We use cookies and similar technologies to keep you signed in, remember your preferences, secure the Service, and understand how the Service is used. You can control cookies through your browser settings, but the Service may not function correctly if essential cookies are disabled.
8. Marketing
If you opt in (or where permitted under the Spam Act 2003 on the basis of consent inferred from your business relationship with us), we may send you product updates, offers and educational content. Every marketing email contains an unsubscribe link, and you can opt out at any time by emailing privacy@cablewater.com.au.
9. How we protect information
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. These steps include:
- encryption of data in transit (TLS) and at rest;
- access controls, role-based permissions, and audit logging;
- magic-link authentication (no passwords to be phished or reused);
- network isolation and least-privilege access for our infrastructure;
- regular software updates and security patching;
- vendor due diligence on subprocessors; and
- logical separation of customer data so that one customer cannot access another customer's records.
No system is perfectly secure. While we take security seriously, we cannot guarantee absolute security. You are responsible for keeping your account credentials and devices secure and for promptly notifying us if you suspect any unauthorised access to your account.
10. Data retention
We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law.
AML/CTF records. Where information is part of a customer's AML/CTF records, the AML/CTF Act requires retention for at least seven (7) years from the end of the relevant business relationship or transaction. During that period we will retain the information even if you ask us to delete it. After the retention period expires, we will delete or de-identify the information at the customer's request, or in accordance with our routine deletion schedule.
Account and business information. Retained for as long as your account is active and for a reasonable period afterwards to handle disputes, comply with legal obligations and enforce our agreements.
Technical and usage logs. Retained for periods consistent with operating and securing the Service.
Cancelled accounts. When an account is cancelled, the account moves to read-only mode so that the customer can continue to access and export records throughout the AML/CTF retention period. Export functionality remains available for cancelled accounts.
11. Your rights
Subject to the exceptions in the Privacy Act, you have the right to:
- Access the personal information we hold about you (APP 12). We will respond to access requests within a reasonable time, generally within 30 days.
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13).
- Withdraw consent to marketing communications at any time.
- Make a complaint about our handling of personal information (see section 14).
We may charge a reasonable cost-recovery fee for access requests where permitted by the Privacy Act. We will not charge for making a request or for correcting information.
Some rights may be limited where the information forms part of AML/CTF records subject to statutory retention requirements, or where disclosure would prejudice an investigation, breach the tipping-off provisions of the AML/CTF Act, or compromise the privacy or safety of others.
12. Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach involving personal information that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with our obligations.
13. Children
The Service is not directed to individuals under 18 years of age and we do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information, please contact us so that we can take appropriate steps.
14. Complaints
If you believe we have breached the APPs, please contact us first at privacy@cablewater.com.au. We will acknowledge your complaint within a reasonable time and aim to investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5288, Sydney NSW 2001
15. Changes to this Policy
We may update this Policy from time to time to reflect changes in law, our practices or the Service. The updated Policy will be posted on this page with a new "Last updated" date. If we make material changes, we will provide reasonable advance notice (for example, by email or an in-app notice) before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact us
If you have any questions about this Policy or our handling of personal information:
Cable Water Pty Ltd
ABN 89 695 763 538 · ACN 695 763 538
Email: privacy@cablewater.com.au