1. About this policy
This Privacy Policy explains how Ramp & Co Pty Ltd, trading as Ramp & Co Automations (referred to in this policy as Ramp & Co, we, us, or our) collects, holds, uses, discloses, stores, and otherwise handles personal information.
We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs), and the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA Act).
For the avoidance of doubt, the statutory tort for serious invasions of privacy introduced by the POLA Act (which commenced on 10 June 2025) applies to all persons and organisations regardless of turnover, and we acknowledge its application to our business.
This policy applies to all personal information collected by us through our website, our services, and our business operations. By engaging our services or interacting with us, you acknowledge that you have read and understood this Privacy Policy.
We may update this policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The current version will be published at https://rampandco.com.au/privacy.
2. About us
Ramp & Co Pty Ltd is an AI operations, automation, and advisory consultancy based in Melbourne, Victoria, Australia. We trade under the registered business name Ramp & Co Automations. We provide advisory, audit, AI operations, automation, systems review, integration, and workflow design services to organisations.
Our services may involve accessing and processing data within our clients’ business systems. We handle this data under the terms of our agreements with our clients (including our Master Services Agreement, Statements of Work, and Mutual Non-Disclosure Agreement) and in accordance with this Privacy Policy.
3. Personal information we collect
The personal information we collect depends on how you interact with us. We collect only the personal information that is reasonably necessary for our business functions and activities (APP 3).
3.1 Business contacts and prospects
We may collect:
- name;
- employer or business name;
- job title or role;
- email address;
- phone number;
- business address;
- records of communications, meetings, inquiries, and proposals; and
- billing, payment, and contract administration details.
3.2 Information processed on behalf of clients
In delivering our services, we may access or process personal information contained in client systems or client data, such as:
- employee, contractor, customer, supplier, or site contact details;
- job, project, ticket, scheduling, and service records;
- financial or operational records;
- emails, notes, attachments, or system metadata; and
- other personal information reasonably necessary to perform the agreed services.
In those situations, we generally handle the information on behalf of or in connection with the client’s instructions and the relevant contract. Our clients are responsible for ensuring they have the necessary consents and legal bases to share this information with us.
3.3 Website and marketing interactions
If you use our website or sign up for updates, we may collect:
- information you submit through forms;
- subscription preferences;
- correspondence you send us; and
- usage or analytics information collected through cookies or similar technologies, where those technologies are used.
3.4 Sensitive information
We do not generally collect sensitive information (as defined in the Privacy Act). If we need to collect sensitive information, we will only do so where reasonably necessary and with your consent, unless an exception under the APPs applies (APP 3.3).
3.5 AI-generated or inferred personal information
Where our services use artificial intelligence to generate or infer information about an identifiable individual (including through data analysis, classification, or automated processing), that information constitutes personal information under the Privacy Act and is handled in accordance with this policy. This includes information that may be inaccurate or incomplete, such as AI-generated summaries or probabilistic outputs.
4. How we collect personal information
We collect personal information:
- directly from you, when you contact us, engage our services, visit our website, or communicate with us;
- from your employer or business where you are their representative or contact person;
- from our clients when they provide us with access to their business systems and data for the purpose of delivering our services;
- from publicly available sources such as business directories and company websites;
- through the operation of artificial intelligence systems, where those systems generate or infer personal information as part of our service delivery; and
- from third parties, such as referral partners, with your knowledge or where you would reasonably expect us to do so.
Where it is lawful and practicable, we collect personal information directly from the individual concerned (APP 3.5).
5. Why we collect, use, and disclose personal information
We collect, hold, use, and disclose personal information to:
- respond to inquiries;
- assess or prepare proposals;
- enter into and administer contracts;
- provide our services, including AI-assisted advisory, audit, automation, and integration services;
- carry out audits, reviews, advisory work, integrations, or automation-related services;
- manage our business operations, accounts, billing, and record keeping;
- maintain security, logs, backups, and service quality;
- comply with legal, regulatory, insurance, or professional obligations;
- improve our website, communications, or services; and
- send marketing or informational communications where lawful and permitted.
We will not use or disclose personal information for a purpose other than the purpose for which it was collected, unless you consent, the secondary purpose is related and you would reasonably expect us to do so, or an exception under the APPs applies (APP 6). We do not sell, rent, or trade personal information to third parties for their marketing purposes.
6. Direct marketing and newsletters
If we send you marketing communications, we will do so in accordance with applicable law, including the Spam Act 2003 (Cth) (APP 7).
Where required, we will seek your consent before sending commercial electronic messages. Our marketing messages will identify us as the sender and provide a functional unsubscribe method.
You can opt out of marketing communications at any time by using the unsubscribe link in the message or contacting us using the details in clause 19.
7. Artificial intelligence and automated processing
Our services involve the use of artificial intelligence technologies and automated processing. We are committed to transparency about how we use AI in connection with personal information, consistent with the OAIC’s guidance on privacy and the use of commercially available AI products (October 2024) and our obligations under the APPs.
7.1 How we use AI
In delivering our services, we may use AI technologies (including third-party AI platforms accessed via an application programming interface) to:
- analyse and process client data within automation workflows;
- extract, classify, and transform information from documents and business systems;
- generate reports, summaries, and recommendations;
- assist with research, analysis, and decision support; and
- build, configure, and deploy automated workflows and integrations.
We adopt a privacy-by-design approach to AI, embedding privacy considerations into the selection, configuration, and deployment of AI systems from the outset. We conduct due diligence on AI products before deployment, including assessing their suitability, accuracy, security, and data-handling terms.
7.2 AI model training prohibition
We do not use personal information processed on behalf of our clients to train, fine-tune, improve, benchmark, or otherwise develop any machine learning model, artificial intelligence model, or algorithm, whether owned by us or a third party. This prohibition extends to the use of personal information as training data, evaluation data, reinforcement learning feedback, or as input for any form of model improvement.
Where we use third-party AI services in connection with our services, we take reasonable steps to ensure that personal information submitted to those services is not used by the third-party provider for model training, fine-tuning, or improvement. Reasonable steps include:
- using API or enterprise-tier access (rather than consumer-tier access) where the third-party provider’s terms distinguish between them;
- enabling any available opt-out mechanism for model training offered by the third-party provider; and
- reviewing the data-use terms of each third-party AI service before submitting personal information and taking appropriate action if a service’s terms do not adequately prohibit training use.
For the avoidance of doubt, this clause does not prevent us from submitting data to third-party AI services for the purpose of generating outputs, responses, or inferences as part of performing our services. It prohibits only the use of that data for model training or improvement.
7.3 Automated decision-making
Unless we expressly agree otherwise in writing, our services are intended to support human decision-making, not replace it. Clients remain responsible for reviewing important outputs and decisions before acting on them.
Where our services involve automated processes that use personal information in a way that could reasonably be expected to significantly affect the rights or interests of an individual, we will:
- inform our clients of the types of personal information used in the operation of those automated processes;
- inform our clients of the kinds of decisions made solely or substantially by automated means;
- provide our clients with information about the logic, inputs, and operation of the automated processes to enable them to comply with their own transparency obligations under the Privacy Act; and
- support our clients in implementing appropriate human oversight and review mechanisms.
We do not use automated processes as the sole basis for decisions that significantly affect individuals without appropriate human review, unless expressly agreed with the client.
7.4 Data minimisation for AI processing
When transmitting data to third-party AI services, we implement data minimisation measures including:
- anonymising or pseudonymising personal information where practicable before transmission;
- using API configurations that minimise data retention by the third-party provider, including zero-data-retention options where available;
- limiting data payloads to the minimum necessary for the specific processing task; and
- performing local pre-processing on our Australian-based infrastructure to reduce the volume of personal information sent externally.
7.5 AI output accuracy and human review
AI-enabled services may produce probabilistic outputs and may contain errors or inaccuracies. We take reasonable steps to ensure the accuracy of personal information generated or processed by AI systems, consistent with our obligations under APP 10. These steps include:
- testing and validating AI outputs for accuracy before delivery to clients;
- clearly communicating any limitations in the accuracy of AI-generated information;
- providing disclaimers where AI outputs are probabilistic or unverified; and
- recommending human review of AI-generated content before it is used for operational, legal, financial, employment, or customer-impacting decisions.
7.6 Privacy impact assessments for AI
Consistent with the OAIC’s guidance, we conduct privacy impact assessments before deploying new AI products or services that involve the handling of personal information, or when materially changing how existing AI systems handle personal information. These assessments consider the nature and sensitivity of the personal information involved, the potential privacy risks and harms, and the safeguards available to mitigate those risks.
8. Disclosure of personal information
We may disclose personal information to:
- our personnel and contractors who need it for business or service delivery purposes, and who are bound by obligations of confidentiality;
- our professional advisers (accountants, lawyers, insurers);
- third-party AI service providers to the extent necessary to deliver our services, subject to their respective data processing terms and the restrictions in clause 7.2;
- cloud hosting and infrastructure providers;
- third-party software, AI, or integration providers used in connection with our services;
- government agencies or regulators, where required by law; and
- any other party with your consent.
We require service providers handling personal information on our behalf to act within appropriate contractual or operational controls, including obligations of confidentiality and data protection no less protective than those in this policy.
9. Overseas disclosure and data residency
Our primary infrastructure is located in Melbourne, Australia. Most personal information is processed and stored in Australia.
Some of the third-party AI services we use may process data outside Australia, including in the United States. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the overseas recipient handles the information in accordance with the APPs or is subject to a law or binding scheme that is substantially similar to the APPs (APP 8).
As at the date of this policy, the principal third-party services we use and their processing locations include:
| Service Provider | Service | Processing Location |
|---|---|---|
| Anthropic PBC | Claude API (AI language model) | United States |
| OpenAI LLC | GPT API (AI language model) | United States |
| Cloudflare Inc | Secure network transit | Global CDN (transit only) |
This list may change over time as our toolchain evolves. We will update this policy to reflect material changes. Where a specific client engagement involves additional third-party AI services, those services are identified in the relevant Statement of Work.
10. Cookies, analytics, and website features
Our website may use cookies and similar technologies to improve your browsing experience and to collect analytics data.
At the date of this policy, some website features may still be under development or not fully active. When enabled, these may collect technical information such as IP address, browser type, device identifiers, pages visited, referrer information, and interaction data.
You can control cookies through your browser settings. Disabling cookies may affect the functionality of our website.
If we later add newsletter, blog, or analytics features, we will update this policy and related notices accordingly.
11. Storage and security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11). Our security measures include:
- encryption of data in transit (TLS 1.2 or higher) where supported by the relevant systems;
- encryption of data at rest on our managed infrastructure;
- multi-factor authentication on systems that access or process personal information;
- role-based access controls applying the principle of least privilege;
- secure credential handling and key management;
- regular security updates and patching;
- network segmentation and firewall protection;
- regular backup of data with tested restoration procedures; and
- logging and monitoring of access to systems containing personal information.
Personal information processed on behalf of clients is stored on our self-hosted infrastructure located in Melbourne, Australia, secured with encrypted storage, Docker containerisation, VPN access, and firewall protection. Development environments are protected with full-disk encryption and VPN access.
No method of storage or transmission is completely secure. We do not warrant absolute security, but we are committed to maintaining reasonable and industry-appropriate safeguards.
12. Retention
We keep personal information only for as long as reasonably necessary for the purposes for which it was collected, to perform services, to meet contractual obligations, or to comply with legal, tax, accounting, insurance, dispute, or record-retention requirements (APP 11.2).
Business records relating to client engagements are generally retained for up to seven (7) years, consistent with standard record-keeping practice in Australia. Some records may be retained longer where required by law or contract.
When information is no longer reasonably required, we delete it, de-identify it, or allow it to expire in the ordinary course of our backup and retention processes.
13. Access, correction, and deletion
You have the right under the APPs to request access to personal information we hold about you (APP 12), and to request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
To make an access or correction request, please contact us using the details in clause 19. We will respond to your request within thirty (30) days. We may charge a reasonable fee for providing access, but we will not charge for making a request or for correcting information.
If we refuse an access or correction request, we will provide you with written reasons for the refusal and the mechanisms available to complain about the refusal.
You may also request deletion of personal information. We will comply with deletion requests where we are not required by law, contract, or legitimate business reasons to retain the information. Where we decline a deletion request, we will explain our reasons in writing.
14. Anonymous or pseudonymous dealings
Where lawful and practicable, you may interact with us anonymously or by pseudonym, for example by browsing the public parts of our website (APP 2).
However, we may need your true identity where it is impracticable to deal with you otherwise, including where we are providing services, entering into a contract, handling a complaint, verifying authority, issuing invoices, or maintaining security.
15. Statutory tort for serious invasions of privacy
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort for serious invasions of privacy, which commenced on 10 June 2025. This creates a personal right of action for individuals who consider that another person or organisation has seriously invaded their privacy by:
- intrusion upon their seclusion (such as unauthorised surveillance, monitoring, or accessing private spaces or communications); or
- misuse of information relating to them (such as collecting, using, or disclosing private information in circumstances where the individual has a reasonable expectation of privacy).
This tort applies to all persons and organisations regardless of size or turnover, and applies to employee records (which are otherwise exempt from the APPs under the employee records exemption). A court may award damages (including for emotional distress), injunctions, correction orders, and other remedies.
We take this obligation seriously. Our privacy governance, security controls, data minimisation practices, and staff training are designed to minimise the risk of any serious invasion of privacy in the course of our business operations and service delivery.
16. Data breach notification
If we become aware that personal information we hold has been subject to unauthorised access, disclosure, loss, or interference, and the breach is likely to result in serious harm to any individual, we will:
- take all reasonable steps to contain the breach and reduce any potential harm;
- assess the breach to determine whether it is an eligible data breach under Part IIIC of the Privacy Act (the Notifiable Data Breaches scheme);
- if the breach is notifiable, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable; and
- where we process data on behalf of a client, notify the client without undue delay and, where reasonably practicable, within twenty-four (24) hours of becoming aware of the breach, in accordance with the relevant client contract.
We maintain a data breach response plan and conduct regular reviews to ensure our readiness to respond to data incidents.
17. Complaints
If you believe we have breached the APPs, seriously invaded your privacy, or handled your personal information inappropriately, please contact us using the details below. We will acknowledge your complaint within five (5) Business Days and investigate and respond within thirty (30) days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:
- Online: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Post: GPO Box 5218, Sydney NSW 2001
If your complaint relates to a serious invasion of privacy under the statutory tort (clause 15), you may also have the right to commence proceedings in the Federal Court of Australia or the Federal Circuit and Family Court of Australia.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this policy and publish the revised version on our website. Where a change materially affects how we handle personal information, we will take reasonable steps to notify affected individuals.
We recommend reviewing this policy periodically.
19. Contact us
If you have any questions about this Privacy Policy, wish to make an access, correction, or deletion request, or want to lodge a complaint, please contact us:
Ramp & Co Pty Ltd trading as Ramp & Co Automations
Privacy Officer: Kynan Rampling, Director
Email: admin@rampandco.com.au
Phone: 0467 333 791