Privacy Policy

Draft, pending legal counsel review. This policy was prepared on 10 May 2026 as a faithful reflection of how Smart Digital Services handles personal information. It awaits a final read by an Australian privacy lawyer before publication. If you spot something that needs to change, email privacy@smdservices.com.au.

Last updated: 10 May 2026.

Smart Digital Services Pty Ltd (ABN 66 666 024 193) (“SDS”, we”, “us”, “our”) respects your privacy. This policy explains how we collect, use, store, disclose and protect your personal information, and how you can access or correct it. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. About this policy

This policy applies to personal information we handle in the course of running our website (smdservices.com.au), our customer portal (portal.smdservices.com.au), and delivering managed IT, cyber security, cloud, telephony, web development, AI and related services. We update this policy as our practices evolve; the effective date above tells you when the current version came into force.

2. Who we are and how to reach us

  • Legal entity: Smart Digital Services Pty Ltd
  • ABN: 66 666 024 193
  • Registered office: obtainable via the public ASIC register using the ABN above. We do not operate a public office address; refer to the contact channels below for all correspondence.
  • Privacy enquiries: privacy@smdservices.com.au · Attention: Privacy Officer
  • General contact: 1300 111 737 · hello@smdservices.com.au

3. What personal information we collect

The kinds of information we collect depend on how you interact with us:

  • Website enquiries. Name, email address, phone number (optional), company name (optional), and the message you send through the contact form, plus your IP address (for abuse and rate-limiting purposes only) and the user agent of your browser. We use Cloudflare Turnstile to detect automated submissions; Turnstile does not capture personal information beyond the challenge token.
  • Portal accounts. If you sign in to our customer portal we record your name, work email address, the company you represent, your role, your sign-in history, and the proposals, signed contracts and supporting documents you create or access in the portal.
  • Service delivery telemetry. When SDS manages your IT environment under a Managed Services Agreement we collect operational data necessary to deliver the service, workstation and server health metrics, identity sign-in events, security alerts, support-ticket content, and system-configuration data. This is your organisation's data; we hold it as a service provider, not as the data controller.
  • Sales and onboarding records. If you become a customer we collect the details required to contract with you and to manage the engagement (signatory name, business address, billing details, financial-reporting contact), plus a record of meetings, proposals and decisions.
  • Sensitive information. We do not deliberately collect sensitive information (health, racial origin, political opinion, criminal history, biometric data) from website visitors or sales prospects. Where managed-service delivery requires us to handle a customer's sensitive information (for example, a healthcare practice's patient data), we do so only under contract and only to the extent necessary to provide the service.

4. How we collect it

We collect personal information directly from you whenever practical, through forms on our website, by phone, by email, in meetings, and through documents you submit (proposals, signed contracts, supporting evidence). For service delivery we collect telemetry through agents installed on your managed devices and through the cloud platforms you authorise us to access (Microsoft 365, Microsoft Defender, Microsoft Sentinel, Microsoft Entra ID, Microsoft Azure, and similar). We collect website analytics through your browser's normal interaction with our pages; the website does not currently set tracking cookies, and a future change to enable analytics will be reflected here before the change goes live.

5. Why we collect it

We use personal information for the following purposes:

  • responding to your enquiry and providing the information or proposal you asked for;
  • establishing, managing and administering your customer relationship with SDS;
  • delivering the IT, cyber security, cloud, telephony, web development and AI services you have engaged us for;
  • monitoring service quality, security posture and compliance with the agreement;
  • billing and credit management;
  • communicating about service changes, security incidents and maintenance windows;
  • direct marketing where you have a current customer relationship with SDS or where you have opted in (you can opt out at any time, see section 10);
  • satisfying our legal, regulatory, audit and insurance obligations.

6. How we use and disclose your information

We do not sell personal information to third parties. We disclose your information only as follows:

  • Inside SDS. Our employees and contractors who need access to deliver the service or operate the business, under written confidentiality obligations.
  • Service partners for onsite delivery. SDS does not operate a physical office; onsite work in your suburb is delivered by a vetted partner network. Where a partner technician needs access to your environment, we extend our confidentiality and privacy obligations to them by contract; they only see what they need to complete the agreed work.
  • Software platforms we run on your behalf. Microsoft 365, Microsoft Defender, Microsoft Sentinel, Microsoft Entra ID, Microsoft Azure, our PSA / RMM tooling, and our finance and billing systems. These vendors process data on our (or your) instructions; their privacy obligations are governed by their published terms and by the data-processing addenda we hold with them.
  • Professional advisers. Our lawyers, accountants, auditors and insurers , under professional confidentiality obligations.
  • Where required by law. Australian regulators, courts, or law enforcement when we are legally compelled to provide information; a notifiable data breach to the Office of the Australian Information Commissioner where the scheme applies; cooperation with the Australian Cyber Security Centre during a serious incident.

7. Overseas disclosure

By default we configure customer environments in Australian Microsoft regions (Australia East, Sydney; Australia Southeast, Melbourne) so personal information stored in Microsoft 365, Defender, Sentinel, Entra ID and Azure remains onshore. Limited operational metadata may flow through global Microsoft service backbones incidental to running the service; this is governed by Microsoft's published privacy and data-residency commitments. Where a customer specifically requests processing in a non-Australian region (rare) we document the choice in writing and flag the privacy implications before we proceed. Some support tooling we use for our own internal operations (for example, ticketing or CRM) may be hosted internationally; where that is the case the vendor's standard contractual clauses or equivalent mechanism applies.

8. How we store and secure your information

Personal information is stored in our Microsoft 365 tenant (Australian regions), purpose-built portal databases, and the operational tooling required to run the managed service. Access is gated by Microsoft Entra ID identity, conditional access, and role-based permissions. Devices used to access customer data are managed by SDS under endpoint-detection-and-response coverage. We log security-relevant events to Microsoft Sentinel and review them under our SIEM coverage. The retention period for each category is tied to the operational, contractual and legal need:

  • Sales and enquiry records: up to 7 years from last contact, then deleted or de-identified.
  • Customer contract records: for the term of the engagement plus 7 years (Australian Tax Office record-keeping requirement).
  • Operational telemetry: 12 months of searchable security-event history by default; longer where the customer requires it under a Managed Services Agreement.
  • Backup data: per the customer's contracted backup retention (typically 30 days, with longer retention available).
  • Portal sign-in logs: 12 months.

9. Notifiable Data Breaches

If a data breach affecting personal information meets the “eligible data breach” threshold under the Privacy Act, SDS will assess the breach, notify the Office of the Australian Information Commissioner (OAIC) within the statutory timeframe, and notify affected individuals where required. For our customers' managed environments where SDS handles data on the customer's behalf, we coordinate the breach assessment with the customer (who is the entity with the primary notification obligation) and provide the technical evidence required by the OAIC process.

10. Direct marketing and the Spam Act

We send transactional email (proposals, invoices, support replies, security advisories relevant to your environment) under our service relationship with you. Marketing email (newsletters, sales follow-ups, event invitations) is sent only where you have a current business relationship with SDS or have opted in. Every marketing email contains an unsubscribe link; you can also unsubscribe by emailing privacy@smdservices.com.au.

11. How to access or correct your information

You can ask us at any time for a copy of the personal information we hold about you or to correct any inaccuracies. Email privacy@smdservices.com.au with your request. We aim to respond within 30 days. There is no fee for an access or correction request. We may need to verify your identity before releasing information.

12. How to make a privacy complaint

If you think we have mishandled your personal information, please contact our Privacy Officer first at privacy@smdservices.com.au so we have the chance to put it right. Most complaints are resolved through this direct channel. If you are not satisfied with our response, you can escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints or by phone on 1300 363 992.

13. Cookies, tracking and analytics

The website does not currently set tracking cookies or run a tag manager. Strictly- necessary cookies (session security, anti-abuse, the CSRF token used by our forms) are set as required for the page to function. If we add analytics or marketing cookies in future, we will update this policy and surface a consent banner before the change goes live.

14. Children

Our services are aimed at businesses, not consumers. We do not knowingly collect personal information from individuals under the age of 16. If you believe we hold information about a minor, contact us so we can delete it.

15. Updates to this policy

We update this policy as our practices change or as required by law. The effective date at the top of the page tells you the current version. Material changes (new categories of information, new vendors handling personal data, new overseas disclosure) will be communicated to active customers by email; minor changes (typo fixes, contact-detail updates) take effect on publication.

Contact

Smart Digital Services Pty Ltd · ABN 66 666 024 193 · 1300 111 737 · privacy@smdservices.com.au

Privacy Policy · Smart Digital Services