PRE-LAUNCH DRAFT — NOT YET EFFECTIVE. This is a Version 1.0 draft awaiting independent Australian legal review. Real users will not see this version. The published policy will replace this banner with a confirmed effective date once counsel has signed off.
Urban Pulse Privacy Policy
Last updated: 2026-06-12
Version: 1.0 (pre-launch draft awaiting legal review; factual-accuracy revision 2026-06-12)
Effective from: Not yet effective. A confirmed effective date will be inserted here once counsel has signed off.
At a glance
Urban Pulse is an Australian-first construction-network platform. We take Australian privacy law seriously. This policy explains, in plain English:
- Who we are and how to contact us about privacy.
- What personal information we collect, and why.
- Who we share it with — including overseas processors — and the protections we put in place.
- Where it is stored (primarily Australia, AWS Sydney region).
- How long we keep it and how you can ask us to access, correct or delete it.
- How we comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Spam Act 2003 (Cth) and ACMA guidance for SMS marketing.
If you only read one section, read Sections 6 and 9 — they cover the overseas processors we use and the rights you have over your information.
1. Who we are and how to contact us
This policy is issued by:
- Urban Pulse Strategies Pty Ltd (ABN 82 650 700 226; ACN 650 700 226), trading as Urban Pulse.
- Postal address: PO Box 81, Aspley QLD 4034.
- We are the entity responsible for the personal information described in this policy (the "controller" or, under Australian law, the "APP entity").
Privacy enquiries, access requests, corrections and complaints:
- Privacy Officer: Michael Burford, founder.
- Email: privacy@urbanpulse.com.au
- Postal: PO Box 81, Aspley QLD 4034.
We do not yet have a formally appointed Data Protection Officer. Michael Burford (founder) performs the Privacy Officer function while we are pre-launch. We will update this section if and when that changes.
2. The Urban Pulse business, and why context matters
Urban Pulse is a software-as-a-service platform for the Australian construction industry. Our Wave 1 product, "Send & Sign", lets a builder, tradesperson, supplier or homeowner create an envelope of documents (quotes, contracts, variations, dilapidation reports), send them to a counterparty, capture an electronic signature, take a payment via escrow, and store a verifiable record of the transaction.
We compete with established Australian listings and construction-services platforms. We are not affiliated with them.
Cohort zero — AusDilaps. Our first paying customer is AusDilaps Pty Ltd, an Urban Pulse subsidiary that provides pre-construction dilapidation reporting and listing photography services. Urban Pulse engineers are cross-trained as AusDilaps photographers. Where you receive a dilapidation report or property photography from AusDilaps, Urban Pulse Strategies Pty Ltd and AusDilaps Pty Ltd are the same corporate group, and personal information collected through AusDilaps is handled under this policy.
3. What personal information we collect
We collect the following categories of personal information. Not every category applies to every user — what we collect depends on how you interact with us.
Drafting note for counsel (remove before publication). As at 2026-06-12 the platform's collection surfaces are: full name, email address and hashed password at sign-up; recipient name, email address and role when a sender nominates a counterparty; envelope title, amount and uploaded documents (including any personal information embedded in those documents); escrow payer/payee details where an escrow payment is taken; pseudonymised sign-in event records; and truncated network-prefix metadata on document-view events. The remaining categories in this section (business identifiers, phone numbers, postal addresses, billing profiles, marketing preferences) describe collection points planned at or shortly after public launch — disclosed now so the policy does not need re-issue at each activation; they are tagged (collected at/after launch) below. Embedded-document personal information (§3.6) is collected as document content, not as structured fields.
3.1 Identity information
- Full name. (collected today)
- Position or role (e.g. "site supervisor", "owner"). (collected at/after launch)
- Business identity: ABN, ACN, business name, licence numbers where applicable. (collected at/after launch as structured fields; may appear today inside documents you upload — see §3.6)
3.2 Contact information
- Email address. (collected today)
- Mobile or landline phone number. (collected at/after launch)
- Postal and business address. (collected at/after launch)
3.3 Account and authentication information
- Username and hashed password (we never store passwords in plain text).
- When we introduce multi-factor authentication: the factors needed to operate it (e.g. an authenticator-app secret, or a verified phone number for SMS-based MFA). We do not currently offer MFA.
- Session tokens and sign-in event records. Successful and unsuccessful sign-in attempts are recorded with the time, the outcome, and a pseudonymised one-way hash of the attempted identifier — not your raw email address. Document-view events record a truncated network prefix rather than your full IP address, and a hashed user-agent.
3.4 Billing and payment information
- Billing name and address. (collected at/after launch)
- Payment-method tokens issued by Stripe (we never see or store your full card number — Stripe tokenises it in the browser).
- Records of payments made on envelope transactions (amounts, references, receipts). We do not currently offer subscription billing; this section will be updated if we introduce it.
3.5 Escrow and trust-account information
- Where you transact via the Urban Pulse escrow flow, we collect the information required to satisfy our escrow partner Zai's AUSTRAC obligations: payer and payee identification, BSB and account numbers, transaction amounts and references.
3.6 Content you upload
- Documents you upload to the platform: contracts, quotes, variations, dilapidation reports, building inspection reports, photographs, and supporting attachments.
- Metadata about those documents: filename, file type, size, integrity hash, who uploaded them, when, and the result of the automated malware scan we run on every upload.
- Any personal information embedded in those documents — for example a counterparty's name, address, signature, or contract value. You are responsible for the information you put into a document; we are responsible for handling it under this policy once it reaches us.
3.7 Communications
- The content of emails, SMS messages, in-app messages, and support tickets you send to us or via the platform.
- Records of e-signature events (signer name, email, time signed, IP address from which the signature was captured).
3.8 Technical and usage information
- IP address, browser type, device type, operating system.
- For recipients viewing a document via a secure link, we record only a truncated network identifier (not your full IP address) and a one-way fingerprint of your browser type.
- Pages viewed, features used, buttons clicked, and timing data (used to understand product usage in aggregate).
- Error logs and crash reports (scrubbed to remove credential-shaped values and known personal-information fields before they leave our infrastructure).
3.9 Location information
- We do not currently derive your geographic location from your IP address. If we introduce IP-based fraud-detection tooling, we will update this section before it goes live.
- We do not request precise GPS-level location from your device.
3.10 Marketing-preference information
- Whether you have consented to receive marketing emails or SMS, the date you consented, and whether you have since opted out. (collected at/after launch — no marketing opt-in surface exists today and we send no marketing)
3.11 Recipient interactions
When a sender nominates you as the recipient of an envelope and you open the secure link we send you, we collect:
- View events: the time of the view and a truncated network prefix (not your full IP address), with a one-way hashed browser fingerprint.
- Comments you leave on a document.
- If you choose to claim an Urban Pulse account from the recipient surface: the email address and password you set.
4. How we collect personal information
We collect personal information:
- Directly from you — when you create an account, complete onboarding, upload a document, send an envelope, take a payment, contact our support team, or reply to a marketing message.
- From your counterparties — when another Urban Pulse user nominates you as a recipient of an envelope (e.g. a builder sends a contract to a homeowner). In that case, the sender provides us with your name and contact details so we can deliver the document to you.
- From your device — via cookies (see Section 11).
- From third parties — including our payment provider Stripe, our escrow partner Zai, our e-signature provider BoldSign, our authentication provider (Better Auth, hosted via Neon Auth), and our error-monitoring provider where you have generated an event we need to investigate.
We do not buy marketing lists.
5. Why we use your personal information, and our lawful basis
Australia's Privacy Act does not adopt the GDPR's "lawful basis" framework. Instead, the Australian Privacy Principles permit collection and use where it is reasonably necessary for one or more of our functions or activities, and where we have notified you (this policy is part of that notification). For users with overlapping international protections we have noted the equivalent legal basis in brackets.
Drafting note for counsel (remove before publication). APP sub-citations have been deliberately omitted from this section — an earlier draft carried incorrect APP 6 limb references. Counsel to insert the correct citations (primary purpose APP 6.1; reasonably-expected related secondary purpose APP 6.2(a); required or authorised by law APP 6.2(b); consent).
5.1 To deliver the Urban Pulse service to you
Sending envelopes, capturing signatures, storing documents, holding escrow funds, generating receipts and dilapidation reports, providing customer support. Lawful basis: the primary purpose for which the information was collected [GDPR: contract performance].
5.2 To process payments and prevent fraud
Verifying payment methods, settling funds through Stripe and Zai, detecting suspicious activity, complying with AUSTRAC obligations where they apply to our escrow partner. Lawful basis: the primary purpose of collection, and a reasonably expected related secondary purpose (fraud prevention) [GDPR: contract + legitimate interests].
5.3 To comply with Australian law
Including responding to lawful requests from courts, regulators (OAIC, ASIC, ATO, ACMA, AUSTRAC, state fair-trading bodies) and law-enforcement agencies; meeting tax record-keeping obligations; meeting consumer-protection obligations. Lawful basis: required or authorised by Australian law [GDPR: legal obligation].
5.4 To improve the product
Analysing aggregated, de-identified usage data (event counts, feature-usage rates, error frequencies) to understand what works, fix bugs, and ship improvements. We do not sell your personal information for any other party's product development. Lawful basis: a reasonably expected related secondary purpose [GDPR: legitimate interests].
5.5 To communicate with you about your account
Service notifications (sign-in alerts, document-status updates, invoices, security incident notices), and replies to your support requests. Lawful basis: the primary purpose of collection, and required by Australian incident-notification law where applicable [GDPR: contract + legal obligation].
5.6 To send you marketing — only if you have consented
Promotional emails and SMS about Urban Pulse features and offers. Lawful basis: your express consent, captured via a clearly labelled opt-in, and consistent with the Spam Act 2003 (Cth) and ACMA guidance [GDPR: consent].
We do not engage in automated decision-making that produces legal or similarly significant effects on you without a human in the loop.
6. Who we share your personal information with
We share personal information only with the third parties listed below, and only to the extent necessary. Each entry tells you the country the recipient operates in. For each overseas recipient we have included the APP 8 disclosure language. As at this version, the overseas countries involved are the United States and, for email delivery in transit, Japan. Providers marked (future state) are not active today; we will update this policy before any of them is switched on.
6.1 Stripe, Inc. (United States) — payments
We use Stripe to process card payments for envelope transactions. Stripe receives the cardholder name, billing address, email address and payment-method token. Your full card number is tokenised in your browser by Stripe before it reaches us — we never see or store it. We do not currently offer subscription billing.
We may disclose your personal information to Stripe, Inc. in the United States. We have taken reasonable steps to ensure they comply with the Australian Privacy Principles, including by accepting Stripe's standard Data Processing Addendum at account creation.
6.2 Zai (Australia) — escrow and trust account
We use Zai (an AUSTRAC-registered Australian payments and custodian platform) to hold escrow funds and operate a trust-account workflow. Zai receives the payer and payee identification we need to satisfy their AUSTRAC obligations, plus transaction metadata.
Zai operates in Australia. APP 8 cross-border disclosure does not apply.
6.3 Resend (United States control plane; Amazon SES Tokyo, Japan data plane) — transactional email
We use Resend to deliver transactional emails (sign-in confirmations, invoices, document-ready notifications, password resets). Resend receives your email address, the email body and metadata. Resend's control plane operates in the United States; outbound email delivery and bounce processing are routed through Amazon SES in Tokyo, Japan (ap-northeast-1), so the recipient address, message headers and content also transit Japan. Resend does not use your data for its own marketing.
We may disclose your personal information to Resend, Inc. in the United States and, via their Amazon SES email-delivery infrastructure, to Amazon Web Services in Tokyo, Japan, for outbound delivery and bounce processing. We have taken reasonable steps to ensure both comply with the Australian Privacy Principles, including Resend's standard Data Processing Addendum and, for the SES leg, AWS's GDPR Data Processing Addendum and ISO 27018 controls.
6.4 Twilio (United States API infrastructure; Australian contracting entity and carrier edge) — transactional SMS (future state)
We are implementing Twilio to deliver transactional SMS (verification codes, urgent document-status notifications). This integration is not yet active: we do not currently collect phone numbers and no SMS is sent today. Twilio's API platform is operated from the United States; Twilio Australia Pty Ltd is the contracting entity for Australian customers; the SMS itself is delivered through Australian mobile carriers. When activated, Twilio will receive the destination phone number and the message content. We will update this policy before the first SMS is sent.
Once activated, we may disclose your personal information to Twilio, Inc. in the United States (contracting via Twilio Australia Pty Ltd, with delivery via Australian mobile carriers). We have taken reasonable steps to ensure they comply with the Australian Privacy Principles.
6.5 BoldSign (Syncfusion Inc.) — e-signature envelopes (Australian residency region)
We use BoldSign as our electronic-signature provider for the Send & Sign envelope flow, via BoldSign's Australian residency endpoint (api-au.boldsign.com, Sydney data centre). BoldSign's Australian region stores and processes the signed documents, audit trails, signer details and contract data in Australia. BoldSign receives the signer's name, email address, the content of the document being signed, and signature event metadata (IP address, timestamp). Where the document contains a counterparty's personal information, BoldSign receives that information too. BoldSign's standard Data Processing Addendum governs this processing.
Your signing information is processed by BoldSign in its Australian residency region (Sydney). BoldSign's parent, Syncfusion Inc., is United States–domiciled; to the extent any personal information is accessible to the United States parent, we have taken reasonable steps to ensure compliance with the Australian Privacy Principles, including via BoldSign's standard Data Processing Addendum.
6.6 Salesforce (United States) — CRM and attribution (future state)
We are implementing Salesforce as our customer-relationship-management and attribution system. The dispatcher that pushes data to Salesforce is currently scaffolded and not active. Once activated, Salesforce will receive envelope lifecycle metadata only — event identifiers, envelope state-transition names, timestamps, and recipient-role labels. It will not receive your contact details, signer names, signer email addresses, document contents, or payment amounts: this is enforced by a strict schema in our code that rejects any other field. We will update this policy when the dispatcher goes live; if you would prefer to know before that happens, email privacy@urbanpulse.com.au and we will let you know in advance.
Once activated, we may disclose envelope lifecycle metadata to Salesforce, Inc. in the United States. We have taken reasonable steps to ensure they comply with the Australian Privacy Principles, including by accepting Salesforce's standard Data Processing Addendum.
6.7 Amazon Web Services Australia (AWS Sydney, ap-southeast-2) — hosting and file storage
We use AWS Sydney (ap-southeast-2) as the primary infrastructure for the Urban Pulse platform — compute, file storage (S3), and secrets management. Our infrastructure is single-region (Sydney) today; AWS Melbourne (ap-southeast-4) is the designated future disaster-recovery pair, and both are Australian regions. AWS Australia is the Australian subsidiary of Amazon Web Services and operates in Australia.
AWS Australia operates in Australia. APP 8 cross-border disclosure does not apply for ordinary processing.
6.8 Neon (Sydney region) — Postgres database
We use Neon as our managed Postgres database provider. Our Neon project is configured in the Sydney region; your account data, document metadata and audit log rows reside on Australian infrastructure.
Our Neon database resides in Sydney, Australia. APP 8 cross-border disclosure does not apply for ordinary processing. The Neon corporate group includes US-based personnel who may, under their published support model, access aggregated diagnostic data; we will update this section if customer personal information ever falls into that scope.
6.9 Better Auth via Neon Auth — authentication
We use Better Auth (hosted via Neon Auth) to manage your account credentials and sessions. Sign-up is handled server-side by our own application: our sign-up form submits to Urban Pulse servers, which call our Australian-hosted authentication service. Credentials and session records are held on Neon Auth infrastructure in AWS Sydney (ap-southeast-2). We do not currently offer social sign-in (for example, Google); if we introduce it, we will add the provider to this section before it goes live.
Where the supporting infrastructure resides outside Australia we will update this entry. As at the date above, account credentials and session records are held in Australia.
6.10 AusDilaps Pty Ltd (Australia) — dilapidation and photography services
AusDilaps is the Urban Pulse vertically-integrated dilapidation-reporting and photography arm. Where you have engaged AusDilaps to produce a report or to photograph a property, AusDilaps personnel will collect the property address, the personal details of the on-site contact, photographs of the property (which may incidentally capture residents or vehicles), and the report findings. AusDilaps personnel may include Urban Pulse engineers cross-trained as photographers under our internal training programme.
AusDilaps operates in Australia and is part of the Urban Pulse corporate group. Personal information collected by AusDilaps is handled under this policy.
6.11 Sentry (Functional Software, Inc.) — error monitoring (future state)
We are preparing Sentry to monitor and diagnose errors in the platform. Sentry is not yet wired into the platform this policy covers; no error payloads are sent to Sentry today. When activated, Sentry will receive stack traces, request URLs, IP addresses, user-agent strings and any user or organisation identifier captured in an error context; before activation we will wire a runtime scrubber so that customer personal information (names, emails, document content) is removed at source before any payload leaves our infrastructure. A CI gate already prevents secret-shaped values from being committed to source code, and our log pipeline already scrubs credential-shaped values.
Sentry's corporate domicile is the United States, with EU data-residency available. Once activated, we may disclose your personal information to Functional Software, Inc. in the United States. We have taken reasonable steps to ensure they comply with the Australian Privacy Principles, including by accepting Sentry's standard Data Processing Addendum at account creation. We are reviewing whether to use Sentry's EU region; we will update this section before activation.
6.12 PostHog (PostHog, Inc.) — product analytics (future state)
We are preparing PostHog to capture anonymous product-usage events (page views, feature usage). Analytics is not yet enabled — no events are sent to PostHog today. When enabled, PostHog will receive an anonymous user identifier (not linked to personal information at PostHog's end), IP address (auto-anonymised after geographic derivation), URL, and user-agent. No customer personal information will be sent in event payloads — the event schema will be enforced in code before activation.
PostHog offers both US and EU data residency. As at the version date of this policy, our PostHog account is configured against the US region. Once analytics is enabled, we may disclose your personal information to PostHog, Inc. in the United States. We have taken reasonable steps to ensure they comply with the Australian Privacy Principles. We will update this policy before analytics is enabled.
6.13 Anthropic (United States) — AI document extraction (not yet active; automatic on activation)
We have built an AI document-extraction pipeline (for example, extracting structured fields such as names, addresses and report dates from an uploaded dilapidation report). It is not yet active: the activation switch is unset and no customer document content has been sent to Anthropic.
When activated, the pipeline runs automatically after an uploaded PDF passes our malware scan — there is currently no per-document opt-in or consent prompt. The document is first processed by AWS Textract in Sydney (the file itself does not leave Australia); the extracted text transcript — which may include personal information embedded in the document, such as counterparty names and addresses — is then sent to Anthropic's Claude API in the United States. An in-flow consent prompt with a manual field-entry alternative is planned but has not been built; whether activation waits for that consent surface is a decision recorded for our founder and counsel (Annex A Q15).
Anthropic also processes information in connection with our internal business operations (staff tooling and a nightly security scan of our own source code). These internal uses do not involve customer personal information.
Anthropic operates under a Zero Data Retention amendment with us; prompts and completions are not retained by Anthropic after the API call.
Once activated, we may disclose extracted document text (including personal information embedded in uploaded documents) to Anthropic, PBC in the United States. We have taken reasonable steps to ensure they comply with the Australian Privacy Principles, including a Data Processing Addendum, a Zero Data Retention amendment, and Anthropic's active certification under the EU-US Data Privacy Framework. We will update this policy before activation.
6.14 Other situations in which we may share information
- Counterparties you nominate. When you send a document via Urban Pulse, the recipient you nominate receives a time-limited link to view or sign that specific document.
- Professional advisers. Our lawyers, accountants and auditors, under duties of confidentiality, where reasonably necessary.
- Regulators and law enforcement. Where required or authorised by Australian law, in response to a lawful request.
- A successor business. If Urban Pulse Strategies Pty Ltd is sold or restructured, your information may pass to the acquirer under equivalent privacy commitments. We will tell you before that happens unless prevented by law.
We do not sell your personal information.
7. Where your information is stored, and how we secure it
7.1 Storage location
Urban Pulse stores customer personal information in Australia by default:
- Database: Neon, Sydney region (ap-southeast-2 equivalent).
- File storage: AWS S3, Sydney (ap-southeast-2). Our storage is single-region (Sydney) today; AWS Melbourne (ap-southeast-4) is the designated future disaster-recovery pair, and both are Australian regions.
- Compute: AWS ECS, Sydney (ap-southeast-2).
- Secrets: AWS Secrets Manager, Sydney (ap-southeast-2).
We are deploying a daily automated audit that will verify our storage, compute and secrets remain in Australian regions, and will keep a durable record of each day's result.
Where personal information is disclosed to an overseas processor listed in Section 6, that disclosure is the only path by which the information leaves Australia in the ordinary course of operating the service.
7.2 Security measures
We take reasonable steps to protect personal information from loss, misuse, unauthorised access, modification or disclosure, including:
- Encryption in transit — TLS 1.2 or higher for all browser-to-server, server-to-server, and server-to-database traffic. HTTP Strict Transport Security is enforced on the customer-facing site.
- Encryption at rest — file storage is encrypted at rest with AWS-managed keys; our managed database provider (Neon) encrypts database storage at rest on Australian infrastructure.
- Identity and access management — role-based access control, multi-factor authentication on the cloud-provider and code-hosting accounts our staff use, least-privilege IAM roles in our cloud environment.
- Audit logging — every state-changing action against an envelope, document or payment is recorded in a durable, append-only audit log retained for the periods stated in Section 8.
- Secret management — credentials and API keys are stored in AWS Secrets Manager with least-privilege access controls, and rotated when personnel change, on suspected exposure, or as vendor requirements dictate.
- Code-level controls — runtime scrubbing of credential-shaped values before any error payload leaves our infrastructure; CI gates against secret commits; tenant-isolation enforced at the database row level.
- Vulnerability and incident response — a defined incident-response playbook; recurring third-party security audits (our first independent audit landed June 2026); a programme of remediation against any finding.
No system is perfectly secure. If we become aware of a data breach that meets the threshold for notification under Part IIIC of the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
8. How long we keep your information
| Category | Retention period |
|---|---|
| Transactional and financial records (envelopes, signatures, payments, escrow events, invoices) | 7 years after the transaction completes, in line with Australian tax and consumer-protection record-keeping conventions. |
| Document files you uploaded | For as long as the associated project or envelope is active, plus 7 years where the document forms part of a regulated transaction record. |
| Audit log of state-changing actions | 7 years from the date of the action. |
| Account profile and contact details | Standalone profile data is purged within approximately 90 days after account closure (allowing account recovery and pending reconciliation). Contact details embedded in transactional and financial records follow the 7-year retention above. |
| Web-tier session and request logs | 90 days rolling. |
| Sign-in and sign-up outcome events | Recorded in the append-only security audit log and retained 7 years with other audit records. No email address or IP address is stored in these events; failed attempts are recorded only against a one-way hash of the attempted identifier. |
| Recipient view links (tokens) | Valid for 14 days by default; the sender can shorten or extend this per envelope (1 hour to 30 days). Expired tokens cannot be used to view documents. |
| Recipient comments and sender-supplied recipient details | Retained with the associated envelope record (see the transactional-records row above). |
| Marketing consent and opt-out records | Retained for the life of the marketing relationship plus a reasonable period to evidence the opt-out, in line with Spam Act 2003 (Cth) record-keeping. |
| Analytics events (PostHog — once analytics is enabled) | 24 months, anonymised, per our internal retention policy. |
Where the law requires us to keep information for longer, the legal obligation overrides the table above. Where you exercise your right to deletion (Section 9), we will honour it to the extent permitted, subject to those legal-retention exceptions.
9. Your rights
Under the Australian Privacy Principles, you have the following rights. Equivalent international rights are noted where applicable.
- Right to access the personal information we hold about you (APP 12).
- Right to correct information you believe is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13).
- Right to delete your personal information, to the extent that we are not required by law to retain it (for example, tax records).
- Right to data portability — where technically practicable, we will provide a structured, commonly used, machine-readable export of the personal information you have provided to us.
- Right to object to direct marketing — see Section 10.
- Right to complain — see Section 14.
To exercise any of these rights, email privacy@urbanpulse.com.au with your request. We will respond within a reasonable period (no later than 30 days for an access or correction request) and will not charge you to make a request. We may need to verify your identity before acting on a request.
10. Marketing communications
We will only send you marketing emails or SMS if you have expressly consented via a clearly labelled opt-in. The sign-up flow does not currently include a marketing opt-in, and we send no marketing today; we email you only about your sign-and-send activity. We will introduce an explicit opt-in prompt before any marketing is sent.
10.1 Emails
Every marketing email we send will:
- Be clearly identifiable as a commercial electronic message, sent on behalf of Urban Pulse Strategies Pty Ltd, with our ABN and a physical Australian postal address in the footer (Spam Act 2003 (Cth) requirements).
- Include a working unsubscribe link in the footer that processes your opt-out within five business days.
- Reference this Privacy Policy in the footer.
10.2 SMS
Every marketing SMS we send will:
- Identify Urban Pulse as the sender.
- Include an opt-out instruction — typically "Reply STOP to opt out" — consistent with ACMA's Industry Guidance Note on SMS marketing.
- Process opt-outs within five business days.
You can manage your marketing preferences at any time by emailing privacy@urbanpulse.com.au. An in-product preferences page is planned; we will update this policy when it ships.
Service messages — sign-in alerts, document-ready notifications, payment receipts, security notices — are not marketing and will continue regardless of your marketing preferences while you have an active account.
11. Cookies and similar technologies
We use cookies for two purposes:
- Strictly necessary cookies. These are required to keep you signed in, remember your security preferences (CSRF token, session token) and protect against attacks. You cannot opt out of these without losing the ability to use the platform.
- Analytics cookies (future state, with consent). We do not currently set analytics cookies. Where we introduce product analytics (PostHog), we will ask for your consent first, and you will be able to withdraw it at any time by emailing privacy@urbanpulse.com.au (or via an in-product control once it ships).
We do not use cookies for advertising, retargeting or cross-site tracking.
Your browser's developer tools and privacy settings let you inspect and clear cookies at any time. Doing so will sign you out and clear your preferences.
12. Children's privacy
Urban Pulse is a business-to-business and business-to-consumer construction-services platform. It is not directed at children. We do not knowingly collect personal information from individuals under 16 years of age. If you believe we have collected information from a child, please email privacy@urbanpulse.com.au and we will delete it.
13. Changes to this policy
We will update this policy from time to time. When we do:
- We will change the "Last updated" date at the top.
- We will increment the version number.
- For material changes that affect what we collect, who we share it with, or your rights, we will notify you by email (to the address on your account) or by an in-app notice at least 14 days before the change takes effect.
- We will keep an archive of previous published versions available at urbanpulse.com.au/privacy/archive so you can see what changed and when.
Continuing to use the platform after a change takes effect means you accept the updated policy. If you do not accept it, you may close your account and ask us to delete your personal information to the extent permitted by law.
14. Complaints
If you believe we have mishandled your personal information, please contact us first so we can try to resolve the issue:
- Email: privacy@urbanpulse.com.au
- We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If it will take us longer, we will explain why and give you a revised timeline.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001.
You do not need to pay to make a complaint to the OAIC.
15. Spam Act 2003 (Cth) — commercial electronic messages
To comply with the Spam Act 2003 (Cth) and ACMA's industry guidance:
- Marketing emails and SMS are only sent where you have consented (Section 10).
- Every commercial electronic message identifies Urban Pulse Strategies Pty Ltd as the sender, includes our ABN, includes a current physical Australian postal address, and includes a functional unsubscribe (email) or opt-out (SMS) facility.
- Unsubscribe and opt-out requests are honoured within five business days.
- Marketing email footers reference this Privacy Policy.
- We retain consent and opt-out records sufficient to evidence compliance with the Spam Act.
16. Legal framework references
This policy is drafted with reference to the following Australian instruments and guidance:
- Privacy Act 1988 (Cth), including:
  - Australian Privacy Principle 1 — open and transparent management of personal information.
  - Australian Privacy Principle 5 — notification of the collection of personal information.
  - Australian Privacy Principle 6 — use or disclosure of personal information.
  - Australian Privacy Principle 7 — direct marketing.
  - Australian Privacy Principle 8 — cross-border disclosure of personal information.
  - Australian Privacy Principle 11 — security of personal information.
  - Australian Privacy Principle 12 — access to personal information.
  - Australian Privacy Principle 13 — correction of personal information.
  - Part IIIC — notifiable data breaches scheme.
- Spam Act 2003 (Cth) and the Spam Regulations 2021 (Cth).
- ACMA Industry Guidance Note for SMS marketing (2021).
- OAIC Australian Privacy Principles Guidelines, current edition.
International users:
- Where the EU GDPR or UK GDPR applies, the contract-performance, legitimate-interest, legal-obligation and consent lawful bases identified in Section 5 are the equivalent bases on which we rely.
This policy does not modify, and is in addition to, any rights you have under those laws.
17. Document control
- Last updated: 2026-06-12.
- Version: 1.0 (pre-launch draft awaiting legal review; factual-accuracy revision 2026-06-12).
- Effective from: Not yet effective. Will become effective on the date stated at the top of this document once independent Australian legal review has been completed.
- Privacy Officer of record: Michael Burford (founder).
- Archive of previous versions: none — this is the first published draft.
Questions about this policy? Email privacy@urbanpulse.com.au.