Privacy Policy
This policy explains how Whitehat Agency handles your personal information across our website and our client portal, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Last updated: 12 June 2026
1. About this policy
Whitehat Agency is a Sydney-based digital marketing agency providing SEO, Google Ads, Meta Ads, web design and development, and AI services. Whitehat Agency is operated by 484 Digital Pty Ltd (ABN 81 651 974 006) (“Whitehat”, “we”, “us” or “our”). We respect your privacy and are committed to protecting your personal information.
This policy explains how we collect, use, hold and disclose personal information, and how we comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). It applies to:
- Our public website at whitehatagency.com.au;
- Our client portal at portal.whitehatagency.com.au (where engaged clients sign in to view performance reports, manage billing, refer new business, complete satisfaction check-ins and chat with Halo, our AI agent);
- All services we provide to clients, including SEO, paid media, web design and development, AI services, reporting and consulting.
2. What information we collect
We only collect personal information that is reasonably necessary for our business (APP 3). The information we collect falls into these categories:
- Information you give us via the website — when you submit an enquiry, request a free audit, subscribe to our newsletter, apply for a role, or otherwise contact us. This may include your name, email address, phone number, business name and website, marketing budget, goals and any other details you choose to share. For job applications this also includes your résumé (uploaded as a file attachment) and the contents of any cover note.
- Information we capture automatically when you submit a form — the page you submitted from, your IP address, your country (resolved at our edge from your IP), the browser user-agent string, and the date and time of submission. We use this for fraud prevention, lead-source analytics and to comply with our own Australian-only contact policy.
- Information about engaged clients — if you engage Whitehat, we collect business and billing details needed to deliver and invoice for our services, including ABN, contact details, the names and email addresses of nominated portal users on your account, billing email, and payment information (card payments are handled securely by our payment provider; we do not store full card numbers).
- Performance data we collect on your behalf — with your authorisation we read data from your connected analytics, advertising and SEO accounts (Google Analytics 4, Google Search Console, Google Ads, Meta Ads, Ahrefs and similar) for the purpose of producing your reports and managing your campaigns. This is data about your business; it may include limited personal information (for example, customer identifiers in your CRM).
- Portal account information — when you sign in to portal.whitehatagency.com.au we record your email address (used as your identifier), display name, role within your account (owner, admin, member), session activity (sign-in times) and your notification preferences. We use magic-link sign-in — we do not store passwords for portal users.
- Portal interactions — messages and questions you send to Halo (our AI agent), survey responses you submit to our quarterly Pulse satisfaction check-in (Pulse responses are tied to your client account, but the identity of the team member who submitted a response is not surfaced to teammates), referrals you submit, and internal notes about your account written by our team.
- Information collected automatically when you browse — cookies, analytics events, IP address, device and browser type, the pages you view and how you interact with the site. See “Cookies and analytics” below for the specific tools.
- Information from third parties — to qualify and prepare for business enquiries, we may collect publicly available information about you or your business (for example, your company website, professional networks, news, Google search results and the Australian business registers).
3. How we use your information
We use personal information (APP 6) to:
- respond to your enquiry, send you an acknowledgement, and follow up about your enquiry or free audit;
- provide, manage, report on and improve our services to you;
- give you secure access to your client portal, deliver your scheduled performance reports (by email and in the portal), let you chat with Halo, run the quarterly Pulse check-in, and process referrals you submit;
- assess job applications and manage recruitment (your résumé is forwarded to our careers inbox; we do not publish or share it externally);
- process billing and payments, issue invoices, apply referral discounts where earned, and meet our accounting and tax obligations under Australian law;
- operate, secure, analyse and improve our website, portal and services (including server-side aggregate analytics, error monitoring and rate limiting to detect abuse);
- use AI tools (most notably Halo, powered by Anthropic’s Claude API) to qualify enquiries, score referrals for fit, draft outreach emails, analyse your performance data and write your reports. A person at Whitehat reviews material decisions before they reach you, and you can ask your account manager to disable AI-generated content for your account at any time;
- send you marketing communications and our newsletter where you have requested them or where otherwise permitted by law (see “Direct marketing” below); and
- comply with our legal obligations, enforce our terms, and protect our and your legal rights.
4. When we disclose your information
We do not sell your personal information. We disclose it only as set out in this policy — mainly to the service providers we use to run the business, to your account manager, to your professional advisers where relevant, and where required by law.
Specifically, we may disclose your information to:
- Whitehat staff — your account manager and the team supporting your account;
- Service providers — hosting, database, email delivery, payment processing, authentication, analytics, error monitoring and AI providers, under arrangements that require them to protect your information and use it only for the services they provide to us (the full list is in sections 5 and 6 below);
- Professional advisers — our lawyers and accountants where reasonably necessary;
- Government agencies, regulators or law enforcement where required or authorised by law;
- A purchaser or successor in the event of a sale, merger or restructure of our business (your information would transfer with the business and remain protected by this policy or an equivalent).
5. Service providers and overseas disclosure (APP 8)
Some of the service providers we use store or process data outside Australia. We take reasonable steps to ensure these providers handle personal information consistently with the Australian Privacy Principles, including by using providers with appropriate certifications (such as SOC 2 Type II and ISO 27001) and contractual commitments to data protection.
Primary database — in Australia:
- Supabase (Sydney, ap-southeast-2) — our primary database. Stores your portal account, your client record, your performance reports, your referrals, your Pulse responses, your goals, and the leads submitted through our website. Data sovereignty is preserved — this data does not leave Australia at rest.
6. Overseas service providers we use
The following providers may store or process personal information outside Australia. Each is contractually bound to protect that information and has its own published privacy and security commitments, linked below.
- Vercel, Inc. (USA) — hosts and serves the website and portal. Traffic is served from edge locations including Sydney, but processing infrastructure is operated globally. vercel.com/legal/privacy-policy
- Anthropic, PBC (USA) — processes data submitted to Halo, our AI agent, for the purpose of generating your reports, scoring referrals, drafting outreach emails and answering chat questions. Under Anthropic’s commercial terms, your data is not used to train Anthropic’s models. anthropic.com/legal/privacy
- Stripe Payments Australia Pty Ltd / Stripe, Inc. (Australia, USA, Ireland) — processes card and direct-debit payments and stores billing-related personal information. PCI-DSS Level 1 certified. We do not see or store your full card number. stripe.com/au/privacy
- Resend (USA) — delivers transactional and notification emails from our website and portal (lead acknowledgements, portal invites, reminders, scheduled performance reports). SOC 2 Type II. resend.com/legal/privacy-policy
- Clerk, Inc. (USA) — authenticates portal users (issues magic-link sign-in emails, manages sessions). SOC 2 Type II. clerk.com/legal/privacy
- Google LLC (USA / Ireland) — Google Analytics 4 (website usage analytics), Google Tag Manager (tag management), Google Search Console (organic search performance), Google Ads API (paid campaign data). policies.google.com/privacy
- Ahrefs Pte. Ltd. (Singapore) — SEO data and backlink intelligence used in client reports, and Ahrefs Web Analytics on our website. ahrefs.com/privacy
- Microsoft Corporation (USA) — Microsoft Clarity provides anonymised session replays and heatmaps of website visits so we can improve the site experience. privacy.microsoft.com
- LinkedIn Corporation (USA) — the LinkedIn Insight Tag measures the effectiveness of our LinkedIn advertising. linkedin.com/legal/privacy-policy
- Meta Platforms Ireland Limited (Ireland) — Meta Ads API for clients running Facebook and Instagram campaigns through us (rolling out progressively per client). facebook.com/privacy/policy
- Tina Cloud (USA) — lets our marketing team edit content on the public website. Does not handle client portal data. tina.io/legal/privacy-policy
- GitHub, Inc. (USA) — source-code repository for the website and portal. Holds the application code, not client data. GitHub Privacy Statement
7. Cookies and analytics
Our website uses cookies and similar technologies, loaded through Google Tag Manager, to understand how visitors use the site, measure our advertising and improve the experience. The tools we run are: Google Analytics 4 (site usage analytics), Google Ads conversion tracking (measures enquiries generated by our advertising), Microsoft Clarity (anonymised session replays and heatmaps showing how visitors interact with pages), the LinkedIn Insight Tag (advertising measurement) and Ahrefs Web Analytics (aggregate usage statistics). These tools may collect information such as your IP address (anonymised where supported), the pages you visit, the buttons you click and the time you spend on the site.
Our client portal uses cookies set by Clerk to keep you signed in securely (these are essential and cannot be disabled while you are signed in).
You can control or disable non-essential cookies through your browser settings. Disabling cookies may affect how the website functions. For more on how Google handles data, see Google’s privacy policy.
8. How AI is used (Halo)
We use AI (most notably Halo, our AI agent built on Anthropic’s Claude API) to make reporting and account management faster and more useful. Specifically, Halo:
- writes your scheduled performance report from your connected analytics, advertising and SEO data, judged against the goals your account manager has recorded for you;
- answers questions you ask in the “Ask Halo” chat panel in your portal, using the same data your latest report was written from;
- scores incoming referrals 0–100 for fit and drafts a first outreach email to the referred prospect (your account manager reviews and edits before sending — nothing is sent automatically);
- tags Pulse survey comments with sentiment and theme labels to help our leadership team spot patterns across clients.
9. AI safeguards
You should know:
- AI outputs are advisory — a person at Whitehat reviews and is responsible for material decisions that reach you (proposals, contracts, outreach to referred prospects, scope changes);
- Anthropic does not train its models on data submitted via the Claude API under their commercial terms;
- you can ask us to disable AI-generated content for your account at any time — email hello@whitehatagency.com.au;
- Halo’s context is limited to your own data — it does not share your numbers, goals or notes with any other Whitehat client.
10. Direct marketing
We may send you marketing communications (such as our newsletter, relevant case studies or service updates) where you have opted in, or where you are an existing contact and we are permitted to under the Spam Act 2003 (Cth).
Every marketing email includes an unsubscribe link, and you can opt out at any time by using that link or by emailing us at hello@whitehatagency.com.au. We will action your request promptly. Unsubscribing from marketing does not stop transactional or service emails (such as your scheduled performance reports or billing notifications) — those continue while you are an engaged client.
11. How we hold and protect your information (APP 11)
We hold personal information in secure systems and take reasonable steps to protect it from misuse, interference, loss, and unauthorised access, modification or disclosure. The specific measures we use include:
- Encryption in transit — TLS 1.3 is enforced on every request to our website and portal (HSTS with includeSubDomains and preload).
- Encryption at rest — our database (Supabase, Sydney) encrypts stored data at rest.
- Authentication — portal access uses magic-link sign-in (no passwords for clients), with multi-factor authentication available for agency staff accounts.
- Row-Level Security — our database enforces per-client isolation at the database layer, so one client cannot read another’s data even if other controls fail.
- Audit logging — sensitive administrative actions (status changes, content edits, report generation) are logged with the actor and timestamp.
- Geo-fencing — public contact and application forms only accept submissions originating in Australia or New Zealand, reducing offshore spam and abuse vectors.
- Input validation — every form submission is validated on the server; file uploads (job application résumés) are content-sniffed to confirm the file type, rather than relying only on the browser-supplied MIME header.
- Vulnerability disclosure — security researchers can contact us via /.well-known/security.txt.
12. Security — what you should know
No method of transmission or storage is completely secure. While we work hard to protect your information, we cannot guarantee absolute security. You play an important part too: keep your portal sign-in email private, sign out from shared devices, and tell us straight away if you suspect any unauthorised activity on your account.
13. Notifiable Data Breach scheme
If a data breach is likely to result in serious harm to individuals whose personal information is involved, we will notify those individuals and the Office of the Australian Information Commissioner as soon as practicable, as required by the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
14. How long we keep it
We keep personal information only for as long as we need it for the purposes described in this policy, or as required to meet legal, accounting, billing or reporting obligations (typically 7 years for financial records under Australian tax law).
- Active client data — retained for the duration of our engagement plus 7 years for tax and audit purposes;
- Lead and enquiry data — retained for up to 24 months from your last contact with us, then deleted or de-identified;
- Job application data — retained for up to 12 months after the role is filled or withdrawn, unless you ask us to delete it sooner;
- Performance reports and analytics caches — retained for the duration of our engagement and for a reasonable period afterwards for reference;
- Audit logs — retained for at least 12 months for security and accountability purposes.
15. Accessing and correcting your information (APP 12 and APP 13)
You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete or misleading. You can also request that we delete personal information about you, subject to our legal obligations to retain certain records.
To make a request, email us at hello@whitehatagency.com.au. We will respond within a reasonable time (generally within 30 days). There is generally no charge for making a request, though we may charge a reasonable fee for giving access in some circumstances. We may need to verify your identity before acting on a request.
If you are an active client, much of your personal and account information is also available directly in your portal under Settings.
16. Complaints
If you have a concern or complaint about how we have handled your personal information, please contact us first at hello@whitehatagency.com.au so we can try to resolve it. We will acknowledge your complaint and respond within a reasonable time.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
17. Children
Our website and services are intended for businesses and are not directed at children. We do not knowingly collect personal information from children under 16. If you believe we have, please contact us and we will delete it.
18. Third-party links
Our website and portal may contain links to third-party websites and tools. We are not responsible for the privacy practices or content of those sites. We encourage you to read their privacy policies before providing them with any personal information.
19. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, the services we offer, or our legal obligations. The current version will always be available on this page, with the “last updated” date shown above. Significant changes will be made prominent where appropriate (for example, by notifying portal users by email or by an in-portal banner).
20. Contact us
For any privacy question or request, contact us:
Whitehat Agency (484 Digital Pty Ltd, ABN 81 651 974 006)
136 Epsom Rd, Zetland NSW 2017, Australia
Email: hello@whitehatagency.com.au
Security disclosures: security@whitehatagency.com.au
Phone: 1800 465 300
This policy is current as at the date shown above.