Privacy Policy

Aplas Pty Ltd | ABN 17 625 144 461

Version 2.0 — February 2026

https://aplas.com

1. Purpose of This Policy

Aplas Pty Ltd ACN 625 144 461 ("we", "us" or "our") has adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about individuals that is necessary and incidental to:

  1. Providing the Aplas platform and related services; and

  2. The normal day-to-day operations of our business.

This Privacy Policy follows the standards of:

  1. The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) ("Privacy Act");

  2. The regulations and principles set by the European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR") for the handling of Personal Data; and

  3. The UK General Data Protection Regulation ("UK GDPR") as retained in UK law.

By publishing this Privacy Policy, we aim to make it easy for our customers, their authorised users, and the public to understand what Personal Information we collect and store, why we do so, how we receive, obtain, store and/or use that information, and the rights of control an individual has with respect to their Personal Information in our possession.

We are committed to the principles of data protection by design and by default (Article 25 GDPR). This means we integrate data protection considerations into our processing activities and business practices from the design stage and throughout the lifecycle of data processing.

2. Who and What This Policy Applies To

This Privacy Policy deals with how we handle "personal information" and "personal data" as defined in the Privacy Act and the GDPR respectively ("Personal Information").

The Aplas platform operates in a multi-layered data model. It is important to understand our role in each context:

  1. As a Data Controller: We are the data controller for Personal Information that we collect directly, such as account registration details, billing information, website visitor data, and marketing communications.

  2. As a Data Processor: When our customers use Aplas to store software asset metadata that contains or references Personal Information (such as system owner names, team lead contact details, or integration contact persons), we process this data on behalf of our customer (the data controller) under a written Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR.

Our customers are responsible for ensuring that they have a lawful basis for any Personal Information they input into or sync with the Aplas platform.

The primary data stored within Aplas is organisational software asset metadata --- information about applications, systems, integrations, technologies, and architectural patterns. This data is not, in itself, Personal Information. However, metadata records may reference individuals (e.g., application owners, team contacts, project leads). Where such references constitute Personal Information, this policy applies.

This Privacy Policy does not apply to information we collect about businesses or companies; however, it does apply to information we store about the people in those businesses or companies.

The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy.

If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person's consent to provide such information for the purpose specified.

We consider the protection of privacy of children very important. We do not knowingly collect Personal Information from children under the age of 16 without obtaining verifiable parental consent. Aplas is a business-to-business platform not intended for use by children. If we learn that Personal Information has been collected from persons under 16 years of age without verifiable parental consent, we will take the appropriate steps to delete such information without undue delay.

3. The Information We Collect

We apply the principle of data minimisation and only collect Personal Information that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. The categories of Personal Information we collect are set out in clauses 3.2 to 3.7 below.

3.1 Account and User Data

When an individual registers for or uses the Aplas platform, we collect:

  1. Full name;

  2. Business email address;

  3. Job title and organisational role;

  4. Organisation name;

  5. Password (stored in hashed form); and

  6. Profile preferences and platform settings.

3.2 Billing and Transaction Data

For paying customers, we collect:

  1. Billing contact name and address;

  2. Payment method details (processed and stored by our third-party payment processor; we do not store full credit card numbers); and

  3. Transaction history and invoicing records.

3.3 Platform Usage Data

When individuals use the Aplas platform, we automatically collect:

  1. IP address and approximate geolocation;

  2. Browser type, device information and operating system;

  3. Pages visited, features used and interaction patterns within Aplas;

  4. Session duration and frequency of use; and

  5. Error logs and performance data.

3.4 Customer Content (Processed as Data Processor)

Our customers may input or sync software asset metadata into Aplas that incidentally contains Personal Information. This may include:

  1. Names and contact details of system owners, team leads and project contacts;

  2. Usernames or identifiers from integrated third-party systems (e.g., GitHub commit authors, ServiceNow ticket assignees, Jira users); and

  3. Team membership and organisational structure information.

We process this data solely on the instructions of our customer (the data controller) and in accordance with the applicable DPA.

3.5 Communications Data

We collect any correspondence that an individual sends us, including support requests, feedback, and enquiries.

3.6 Marketing and Enquiry Data

When an individual subscribes to our newsletter, requests a demo, or attends an event, we may collect their name, email address, organisation, and job title.

3.7 Non-Personal Information

We may also collect non-Personal Information about an individual such as information regarding their computer, network and browser. Where non-Personal Information is collected, the Australian Privacy Principles and the GDPR do not apply.

4. How Information Is Collected

Personal Information is collected through the following means:

  1. Account Registration. When an individual creates an Aplas account or is invited to an organisation's Aplas workspace;

  2. Platform Use. Automatically through the individual's use of the Aplas platform, including through cookies and analytics services (see Section 8);

  3. Third-Party Integrations. When a customer configures Aplas connectors to synchronise data from third-party systems such as GitHub, ServiceNow, LeanIX, Confluence, Jira, or other metadata repositories. Personal Information may be included in the metadata transferred through these integrations. The customer (as data controller) is responsible for ensuring a lawful basis for this transfer;

  4. APIs and Webhooks. When data is pushed to or pulled from Aplas via its APIs or webhook endpoints, which may contain Personal Information as part of the software asset metadata;

  5. Direct Contact. When an individual contacts us via email, support channels, phone, or in person;

  6. Website. When an individual visits our website, submits a form, subscribes to communications, or requests a demo; and

  7. Third-Party Sources. From business partners, advertising platforms, public records, and recruitment agencies.

We will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.

Where we obtain Personal Information without an individual's knowledge (such as by accidental acquisition from a client's data sync) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles and the GDPR.

5. Lawful Bases for Processing

Under the GDPR, we will only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure that we can demonstrate which lawful basis applies to each particular processing purpose.

The lawful bases we may rely upon, and their application to our processing activities, are:

  1. Contractual Necessity (Art. 6(1)(b)): Processing is necessary for the performance of a contract to which the individual is party, or in order to take steps at the request of the individual prior to entering into a contract. This applies to providing the Aplas platform, managing accounts, processing payments, and delivering support.

  2. Consent (Art. 6(1)(a)): We will only rely upon express, clear and informed consent. This applies to marketing communications, newsletters, non-essential cookies and analytics, and demo requests. Any consent provided may specify and/or restrict the purpose, and can be withdrawn at any time without penalty. Withdrawal of consent must be as easy as giving consent. We will keep a record of when and how we obtained consent.

  3. Legitimate Interests (Art. 6(1)(f)): We will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of Personal Information is necessary to achieve it, by balancing it against the individual's interests, rights and freedoms. This applies to platform security, fraud prevention, product improvement, aggregated usage analytics, and business communications. We will keep a record of our legitimate interests assessments.

  4. Legal Obligation (Art. 6(1)(c)): Processing is necessary for compliance with a legal obligation to which we are subject. This applies to tax and accounting records, regulatory compliance, and responding to lawful requests from authorities.

  5. Vital Interests (Art. 6(1)(d)): Processing is necessary to protect the vital interests of the data subject or another natural person. This is relied upon only in rare, emergency circumstances.

  6. Public Interest (Art. 6(1)(e)): Processing is necessary for a task carried out in the public interest. This is not typically applicable to our business operations.

6. When Personal Information Is Used and Disclosed

The primary principle is that we will not use any Personal Information other than for the purpose for which it was collected, other than with the individual's permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.

Information is used to enable us to operate the Aplas platform and our business. This may include:

  1. Provisioning and maintaining Aplas platform access and functionality;

  2. Authenticating users and verifying identity;

  3. Processing subscriptions, billing and payments;

  4. Providing technical support and responding to enquiries;

  5. Communicating platform updates, maintenance notices and security alerts;

  6. Sending marketing communications (where consented to);

  7. Improving the platform through aggregated and anonymised usage analysis;

  8. Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or has been engaged in any unlawful activity; and/or

  9. As required or permitted by any law (including the Privacy Act).

The individual shall have the right to object at any time to the processing of their Personal Information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. If we receive such a request, we will stop the processing immediately without charge or penalty.

There are limited circumstances in which we must disclose an individual's information:

  1. Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;

  2. As required by any law (including the Privacy Act and the Notifiable Data Breaches scheme);

  3. In order to sell or transfer our business (in which case we will notify affected individuals and ensure the acquiring entity is bound by equivalent privacy obligations); and

  4. To our professional advisors (lawyers, accountants, auditors) who are bound by professional confidentiality obligations.

We will not disclose or sell an individual's Personal Information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained.

7. Data Retention

We retain Personal Information for no longer than is necessary for the purposes for which it was collected, unless a longer retention period is required by law. Our retention schedule is as follows:

| Data Category | Retention Period | Lawful Basis | Deletion Method |
|---|---|---|---|
| Account and user data | Duration of account + 90 days | Contractual necessity | Logical deletion from production database; removed from backups within 30 days of production deletion |
| Billing and transaction data | 7 years from transaction date | Legal obligation (Australian tax law) | Automated purge after retention period |
| Customer content (software asset metadata) | Duration of subscription + 30 days | Contractual necessity (DPA) | Soft delete, purge, S3 export expiry, backup rotation (see clause 7.2) |
| Platform usage and analytics data | 90 days from collection | Legitimate interests | Automated log rotation and deletion |
| CDN access logs | 90 days from collection | Legitimate interests | Automated log rotation and deletion |
| Marketing and communications | Until consent withdrawn | Consent | Removal from marketing lists within 5 business days |
| Support correspondence | 24 months from last interaction | Legitimate interests | Automated purge |
| Security and audit logs | 90 days from creation | Legitimate interests / legal obligation | Automated log rotation and deletion |

7.1 Data Deletion Procedures

Aplas uses a shared PostgreSQL database with logical tenant separation (tenant ID per record). When a customer's subscription is terminated or a deletion request is received, the following procedure is executed:

  1. Soft Delete. All records associated with the tenant ID are flagged as deleted in the production database. From this point, the data is no longer accessible through the Aplas platform or API.

  2. Data Export. A final export of the tenant's data is created and stored in Amazon S3 in encrypted form. This export is retained for 30 days as a safety net (e.g., in case of accidental cancellation) and is automatically deleted by an S3 lifecycle policy after 30 days.

  3. Purge. A scheduled purge job permanently removes all soft-deleted records for the tenant from the production database. The purge job logs the outcome, including the tenant identifier, number of rows removed, and timestamp of completion. Purge audit logs are retained for 90 days.

  4. Ephemeral Systems. Search indexes and caches are ephemeral and are automatically rebuilt from the production database. Once records are purged from the database, they no longer appear in any regenerated index or cache.

  5. Backup Expiry. Database backups (PostgreSQL) are retained on a 30-day rolling basis. After purge, the deleted data will be automatically rotated out of all backup snapshots within 30 days.
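The five-step procedure above, as an added illustration that is not Aplas's own code: a Python script that uses an in-memory SQLite database as a stand-in for the shared PostgreSQL database, with a hypothetical `asset` table carrying a `tenant_id` on every record. It performs the tenant-scoped soft delete, runs a purge job that only hard-deletes rows whose soft-delete is older than an assumed 30-day grace window, writes a purge audit row holding only the tenant identifier, row count and completion timestamp, and then checks that no owner e-mail address leaked into that audit record. The schema, the grace window, the table and column names and the sample rows are all constructed for this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema standing in for the shared PostgreSQL database:
# every record carries a tenant_id, and deleted_at marks a soft delete.
SCHEMA = """
CREATE TABLE asset (
    id          INTEGER PRIMARY KEY,
    tenant_id   TEXT NOT NULL,
    name        TEXT NOT NULL,
    owner_email TEXT,   -- incidental Personal Information in the metadata
    deleted_at  TEXT    -- NULL while the record is live
);
CREATE TABLE purge_audit (
    id           INTEGER PRIMARY KEY,
    tenant_id    TEXT NOT NULL,
    rows_removed INTEGER NOT NULL,
    completed_at TEXT NOT NULL
);
"""

PURGE_GRACE = timedelta(days=30)  # assumed window before the purge job may run

# Constructed sample rows: two tenants sharing one table.
SAMPLE_ROWS = [
    ("tenant-a", "billing-service", "alice.owner@example.com"),
    ("tenant-a", "crm-sync", "bob.lead@example.com"),
    ("tenant-b", "payments-api", "carol.owner@example.com"),
]


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO asset (tenant_id, name, owner_email) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def visible_assets(conn, tenant_id):
    """Platform/API read path: scoped by tenant and blind to soft-deleted rows."""
    rows = conn.execute(
        "SELECT name FROM asset WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY name",
        (tenant_id,),
    )
    return [name for (name,) in rows]


def soft_delete_tenant(conn, tenant_id, now):
    """Step 1: flag every live record of the tenant; returns the number flagged."""
    cur = conn.execute(
        "UPDATE asset SET deleted_at = ? WHERE tenant_id = ? AND deleted_at IS NULL",
        (now.isoformat(), tenant_id),
    )
    conn.commit()
    return cur.rowcount


def purge_tenant(conn, tenant_id, now):
    """Step 3: hard-delete soft-deleted rows older than the grace window and
    record the outcome. The audit row carries no Personal Information."""
    cutoff = (now - PURGE_GRACE).isoformat()  # ISO-8601 strings compare in order
    cur = conn.execute(
        "DELETE FROM asset WHERE tenant_id = ? AND deleted_at IS NOT NULL AND deleted_at <= ?",
        (tenant_id, cutoff),
    )
    removed = cur.rowcount
    conn.execute(
        "INSERT INTO purge_audit (tenant_id, rows_removed, completed_at) VALUES (?, ?, ?)",
        (tenant_id, removed, now.isoformat()),
    )
    conn.commit()
    return removed


def stored_rows(conn, tenant_id):
    """Rows physically present for the tenant, soft-deleted or not."""
    return conn.execute(
        "SELECT COUNT(*) FROM asset WHERE tenant_id = ?", (tenant_id,)
    ).fetchone()[0]


def audit_mentions(conn, needle):
    """Defender's check: does any purge audit row contain the given value?"""
    for row in conn.execute("SELECT tenant_id, rows_removed, completed_at FROM purge_audit"):
        if any(needle in str(col) for col in row):
            return True
    return False


def run_lifecycle():
    """Walk tenant-a through termination and report what each step did."""
    conn = open_db()
    t0 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    flagged = soft_delete_tenant(conn, "tenant-a", t0)
    # A purge run inside the grace window must remove nothing.
    early = purge_tenant(conn, "tenant-a", t0 + timedelta(days=10))
    late = purge_tenant(conn, "tenant-a", t0 + timedelta(days=31))
    return {
        "flagged": flagged,
        "visible_after_soft_delete": visible_assets(conn, "tenant-a"),
        "early_purge": early,
        "late_purge": late,
        "tenant_a_rows": stored_rows(conn, "tenant-a"),
        "tenant_b_rows": stored_rows(conn, "tenant-b"),
        "tenant_b_visible": visible_assets(conn, "tenant-b"),
        "audit_has_email": audit_mentions(conn, "@example.com"),
    }


if __name__ == "__main__":
    for key, value in run_lifecycle().items():
        print(f"{key}: {value}")
```

Two points the script makes visible that the prose only states: every query, including the delete, is bound by `tenant_id`, so terminating tenant-a leaves tenant-b's single row untouched; and the audit row is written from the purge's own counters, never from the deleted rows, which is what keeps the 90-day audit log free of the Personal Information it confirms was removed.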

7.2 Maximum Time to Full Removal

The maximum time from a deletion request to complete removal from all systems is as follows:

| System | Maximum Time to Full Removal |
|---|---|
| Production database (soft delete) | Immediate; data inaccessible via platform and API |
| Production database (hard purge) | 30 days from termination |
| S3 data export | 30 days (automatic lifecycle expiry) |
| Search indexes and caches | Automatic; rebuilt from production database |
| Database backups | 30 days after hard purge (60 days total from termination) |
| CDN access logs (IP addresses only) | 90 days from collection (automatic rotation) |

Upon termination of a customer's subscription, we will soft-delete all customer content (including any Personal Information contained within software asset metadata) from the production database immediately, rendering it inaccessible. Hard purge from production will occur within 30 days. All data will be fully removed from all systems (including backups and S3 exports) within 60 days of termination. Customers may request an export of their data in a machine-readable format prior to termination.

The purge job produces an auditable log confirming successful deletion, retained for 90 days. This log does not contain any of the deleted Personal Information.

8. Cookies and Tracking Technologies

The Aplas platform and website use cookies and similar tracking technologies. We categorise these as follows:

| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Essential for platform operation, authentication, security | Session cookies, authentication tokens, CSRF protection | No (required for service) |
| Functional | Remember user preferences and settings | Language preferences, display settings | No (legitimate interests) |
| Analytics | Understand platform usage and improve the service | Page views, feature usage, error rates | Yes |
| Marketing | Deliver relevant advertising and measure campaign effectiveness | Advertising pixels, conversion tracking | Yes |

For users within the EEA and UK, we will obtain consent before placing non-essential cookies via a cookie consent mechanism. Users can manage their cookie preferences at any time through their browser settings or our cookie consent tool. Blocking certain cookies may affect platform functionality.

We use Amazon CloudFront as our content delivery network for serving static web application assets (JavaScript, CSS, HTML). CloudFront does not serve API responses or process Personal Information. CloudFront access logs, which may contain IP addresses of website visitors, are retained for 90 days for security monitoring and performance analysis purposes.

We may also use pixel tags in email communications to determine whether emails have been opened and which links have been clicked.

9. Third-Party Integrations and Data Flows

Aplas is designed to synchronise with third-party metadata repositories. When a customer configures an integration, data flows between Aplas and the third-party system may include Personal Information. The integrations currently supported include (but are not limited to):

  1. GitHub (repository metadata, commit authors);

  2. ServiceNow (CMDB records, ticket assignees);

  3. LeanIX (enterprise architecture metadata, fact sheet owners);

  4. Confluence (page metadata, content authors);

  5. Jira (project metadata, assignees and reporters); and

  6. Custom integrations via the Aplas API and webhooks.

When a customer enables an integration, they do so in their capacity as data controller. We process the data received through integrations solely on the customer's instructions and in accordance with the applicable DPA. We do not independently access, use, or share integration data for purposes other than providing the Aplas platform services.

Customers are responsible for ensuring they have a lawful basis for transferring Personal Information to Aplas through integrations, and for informing their data subjects accordingly.

10. International Data Transfers

Aplas is an Australian-based service. Our production infrastructure is hosted in Sydney, Australia (AWS ap-southeast-2), with database backups replicated to Melbourne, Australia (AWS ap-southeast-4). All Personal Information is processed and stored exclusively within Australia. We use Amazon CloudFront to deliver static web application assets (JavaScript, CSS, HTML) only; no Personal Information is served through, processed by, or stored on the CDN. All API traffic containing Personal Information is routed directly to our Australian servers. Our customers are located globally, which means Personal Information may be transferred to and from Australia.

We will not transfer Personal Information to any country outside the European Economic Area (EEA) unless one or more of the following safeguards is in place:

  1. The receiving country has been deemed to provide an adequate level of protection by the European Commission (adequacy decision);

  2. We have entered into Standard Contractual Clauses (SCCs) as approved by the European Commission with the data recipient;

  3. Binding Corporate Rules (BCRs) are in place;

  4. The transfer falls within a specific derogation under Article 49 GDPR (e.g., explicit consent, contractual necessity); or

  5. Other appropriate safeguards as permitted by the GDPR are implemented.

For transfers from Australia, we comply with Australian Privacy Principle 8 and will take reasonable steps to ensure that any overseas recipient handles Personal Information consistently with the APPs.

An individual who uses Aplas from outside of Australia will be sending information (including Personal Information) to Australia where our servers are located. Our collection, storage and use of Personal Information will at all times be governed by this Privacy Policy.

11. Sub-Processors

We engage a limited number of third-party sub-processors to assist in providing the Aplas platform and our services. These sub-processors may process Personal Information on our behalf.

We maintain a list of our current sub-processors, including their name, location, and the processing they perform, which is available upon request by emailing dpo@aplas.com.

We will:

  1. Only engage sub-processors that provide sufficient guarantees to implement appropriate technical and organisational measures;

  2. Enter into written agreements with each sub-processor that impose equivalent data protection obligations to those in our DPAs with customers;

  3. Notify customers of any intended changes to sub-processors, giving them a reasonable opportunity to object; and

  4. Remain fully liable to customers for the performance of our sub-processors' obligations.

12. Data Processing Agreements

Where we process Personal Information on behalf of our customers (i.e., where we act as a data processor for customer content), we will enter into a written Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR. Each DPA will include:

  1. The subject matter, duration, nature and purpose of the processing;

  2. The type of Personal Information and categories of data subjects;

  3. The obligations and rights of the data controller;

  4. Our obligation to process Personal Information only on documented instructions from the controller;

  5. Confidentiality obligations on all persons authorised to process the data;

  6. Security measures in accordance with Article 32 GDPR;

  7. Conditions for engaging and changing sub-processors;

  8. Assistance obligations regarding data subject rights and breach notification; and

  9. Obligations regarding deletion or return of data upon termination of the agreement.

Our standard DPA is available upon request and forms part of our subscription agreement for enterprise customers.

13. Opting In or Out

An individual may opt to not have us collect and/or process their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:

  1. Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us. For clarity, consent must involve an unambiguous positive action to opt in; or

  2. Opt Out. Where relevant, the individual will have the right to exclude himself or herself from some or all collection of information and/or receiving information from us. Marketing unsubscribe requests will be processed within 5 business days.

If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us using the details as set out in Section 21 below.

14. Data Subject Rights

Under the GDPR, UK GDPR and the Privacy Act, individuals have the following rights in relation to their Personal Information. We will respond to all valid requests without undue delay, and in any event within one month (which may be extended by up to two further months for complex requests):

  1. Right of Access (Art. 15). An individual has the right to request a copy of the Personal Information we hold about them. We will provide this within 28 days of receiving a written request in a structured, commonly used, machine-readable format. The individual is free to retain and reuse their Personal Information for their own purposes.

  2. Right to Rectification (Art. 16). If an individual cannot update their own information via the Aplas platform, we will correct any errors in the Personal Information we hold about them within 28 days of receiving written notice, or two months where the request is complex.

  3. Right to Erasure (Art. 17). An individual may request deletion of their Personal Information where: it is no longer necessary for its original purpose; they withdraw consent; they object and there is no overriding legitimate interest; it was processed unlawfully; or to comply with a legal obligation.

  4. Right to Restriction of Processing (Art. 18). An individual may request that we restrict processing of their Personal Information where: they contest its accuracy; the processing is unlawful but they prefer restriction to erasure; we no longer need the data but they require it for legal claims; or they have objected to processing pending verification.

  5. Right to Data Portability (Art. 20). An individual has the right to receive their Personal Information in a structured, commonly used and machine-readable format (such as JSON or CSV), and to transmit it to another controller. We may be required to transmit the Personal Information directly to another organisation if this is technically feasible.

  6. Right to Object (Art. 21). An individual has the right to object to processing based on legitimate interests or public interest grounds. An individual has an absolute right to object to processing for direct marketing purposes at any time.

  7. Automated Decision-Making (Art. 22). An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. Aplas does not currently engage in solely automated decision-making that produces legal effects.

Where a data subject right request relates to Personal Information that we process as a data processor on behalf of a customer, we will refer the request to the relevant customer (data controller) and assist them in responding to it, unless otherwise instructed.

It is an individual's responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.

Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond or charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28 days.

We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was processed for the following reasons:

  1. To exercise the right of freedom of expression and information;

  2. To comply with a legal obligation for the performance of a public interest task or exercise of official authority;

  3. For public health purposes in the public interest;

  4. Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

  5. The exercise or defence of legal claims.

15. The Safety and Security of Personal Information

We have appointed a Data Protection Officer to oversee the management of this Privacy Policy and compliance with the Australian Privacy Principles, the Privacy Act, the GDPR and the UK GDPR. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.

We will take all reasonable precautions to protect an individual's Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include:

  1. Encryption of Personal Information in transit (TLS 1.2+) and at rest (AES-256), including encrypted database backups;

  2. Infrastructure hosted entirely within Australia (AWS Sydney and Melbourne regions) with no Personal Information stored outside Australia;

  3. Logical tenant isolation within a shared database architecture, with all data access scoped by tenant identifier;

  4. Static web asset delivery via Amazon CloudFront (no Personal Information is served through the CDN; all API traffic containing Personal Information is routed directly to our Australian servers);

  5. Role-based access controls and least-privilege principles;

  6. Multi-factor authentication for administrative and infrastructure access;

  7. Regular security assessments and penetration testing;

  8. Automated monitoring and alerting for security events;

  9. Employee security awareness training;

  10. Incident response procedures; and

  11. Regular backup and disaster recovery testing, with backups replicated to a geographically separate Australian region.

Despite these measures, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.

We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual's Personal Information to in accordance with this policy or any applicable laws), unless otherwise required by the Privacy Act and the GDPR.

If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.

We are not liable for any loss, damage or claim arising out of another person's use of the Personal Information where we were authorised to provide that person with the Personal Information.

Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, then:

  1. We will immediately establish the likelihood and severity of the resulting risk to the rights and freedoms of natural persons;

  2. If we determine there is a risk from the security breach, then we will immediately notify the relevant supervisory authority and provide all relevant information on the particular breach, and by no later than 72 hours after having first become aware of the breach;

  3. If we determine there is a high risk from the security breach, we will immediately notify the affected individuals and provide all relevant information on the particular breach without undue delay;

  4. Where we act as a data processor, we will notify the relevant data controller without undue delay after becoming aware of a breach;

  5. Under the Australian Notifiable Data Breaches (NDB) scheme, we will also notify the OAIC and affected individuals where there are reasonable grounds to believe that an eligible data breach has occurred; and

  6. We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.

16. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, we will carry out a Data Protection Impact Assessment (DPIA) prior to any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:

  1. Systematic and extensive profiling with significant effects;

  2. Processing of special categories of data on a large scale; and

  3. Systematic monitoring of a publicly accessible area on a large scale.

Where a DPIA identifies a high risk that cannot be mitigated, we will consult with the relevant supervisory authority prior to processing.

17. Record of Processing Activities

In accordance with Article 30 of the GDPR, we maintain a Record of Processing Activities (ROPA) that documents all processing activities under our responsibility. This record includes:

  1. The name and contact details of the controller and Data Protection Officer;

  2. The purposes of the processing;

  3. A description of the categories of data subjects and Personal Information;

  4. The categories of recipients to whom Personal Information has been or will be disclosed;

  5. Details of transfers to third countries and the safeguards in place;

  6. Envisaged time limits for erasure of the different categories of data; and

  7. A general description of the technical and organisational security measures in place.

This record is available to the relevant supervisory authority upon request.

18. Complaints and Disputes

If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.

If we have a dispute regarding an individual's Personal Information, we both should first attempt to resolve the issue directly between us.

An individual shall have the right to lodge a complaint with a supervisory authority:

  1. For individuals in Australia: the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au;

  2. For individuals in the EEA: the data protection authority in their Member State of habitual residence, place of work, or place of the alleged infringement; and

  3. For individuals in the UK: the Information Commissioner's Office (ICO) at www.ico.org.uk.

An individual shall also have the right to seek a judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her Personal Information in non-compliance with the GDPR. Any proceedings should be commenced in Victoria, Australia, where we are established, or alternatively in the courts of the EU or UK Member State where the data subject has their habitual residence.

If we become aware of any unauthorised access to an individual's Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

19. Contacting Individuals

From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies, or security alerts relating to the Aplas platform. Where such information is materially important to the individual's interaction with us, they may not opt out of receiving these communications.

20. Changes to This Policy

If we decide to change this Privacy Policy, we will post the changes on our website at https://www.aplas.com and notify affected users via email where changes are material. Please refer back to this Privacy Policy to review any amendments.

We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles, the GDPR, and the UK GDPR, and nothing in this Privacy Policy shall deem us to have not complied with those requirements.

21. Contact Us

All correspondence with regards to privacy should be addressed to:

Aplas Pty Ltd

Level 17, 31 Queen Street, Melbourne VIC 3000, Australia

Email: dpo@aplas.com

Website: https://aplas.com

You may contact the Data Protection Officer via email in the first instance.

Version History

Version: V1.01
Date: October 2019
Changes: Initial release

Version: V2.00
Date: February 2026
Changes: Major revision: Tailored to Aplas B2B SaaS context. Added controller/processor distinction, GDPR lawful bases, complete data subject rights, international transfer mechanisms, DPA requirements, DPIA provisions, data protection by design, ROPA requirements, data retention schedule, tenant data deletion procedure, cookie policy, third-party integration data flows, sub-processor provisions, Australian NDB scheme, UK GDPR coverage, and supervisory authority identification.