Privacy & Cookie Policy

Privacy and Cookie Policy

Effective Date: 27 November 2025 · Last Updated: 10 April 2026

1. About This Policy

Moyne Ross ("we," "us," "our") is committed to protecting your privacy in accordance with the Australian Privacy Act 1988 and Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website and services.

Important: Our services involve processing your information through third-party artificial intelligence providers located outside Australia. By submitting building documentation or other personal information for analysis, you provide informed consent to the processing of that information by third-party AI services as described in this policy and in our Terms & Conditions.

Please read this policy carefully before using our services.

2. Personal Information We Collect

2.1 Information You Provide Directly

• Contact Information: Name, email address, phone number, business address
• Payment Information: Credit card details, billing address (processed securely through Stripe; card details never touch our servers)
• Portal Account Data: Login email, password hash, authentication tokens, and session data required to access the Moyne Ross portal and the Capital Strategy Viewer
• Building Documentation: Property details, plans, photos, maintenance records, compliance certificates, and any other documents you upload for analysis
• Strategy Chat Transcripts: Questions, requests, and conversational inputs you submit to the Strategy Chat feature within the portal. Chat transcripts are stored in your account for continuity across sessions and to support methodology audit of your Capital Strategy
• Communication Records: Emails, support requests, feedback, and correspondence

2.2 Information Collected Automatically

• Website Usage: IP address, browser type, device information, pages visited on moyneross.com
• Portal Usage: Access logs, viewer interactions, filter and search events, export activity, and session duration within the Moyne Ross portal
• Cookies and Tracking: Analytics data, session information, user preferences
• Technical Logs: Access logs, error reports, performance data

2.3 Building Information and Documentation

When you submit building documentation for analysis, this may include:

• Property addresses and location details
• Technical specifications and system information
• Maintenance records and compliance certificates
• Photos, plans, and technical drawings
• Financial information related to building operations

2.4 Information We Generate About Your Building

In the course of delivering Capital Strategy, we generate structured analytical outputs based on the documentation and data you provide. This information is stored in your account within the Moyne Ross portal and includes:

• Capital Strategy records: The full 10-year capital expenditure programme produced for your building, including register items, cost specifications, condition assessments, confidence ratings, and executive summary narrative
• MR Index scores: Six-dimension composite scores and the overall MR band assigned to your asset
• Version history: Previous versions of your Capital Strategy, retained so you can compare assessments over time
• Methodology audit records: Quality gate outputs, validation checks, and any amendments applied during or after delivery

This generated information remains confidential to your account. It is not shared with other clients in identifiable form. See Section 4.3 for how aggregated, anonymised intelligence derived from many assets may be used for platform improvement and benchmarking.

3. Third-Party AI Processing

3.1 AI Services We Use

Your information is processed by a single third-party artificial intelligence service:

• Anthropic (Claude) — US-based AI analysis service, accessed via a commercial Anthropic plan under terms that prohibit the use of customer data for model training.

Our platform is designed to be model-agnostic and may introduce additional AI providers in future. If we do, we will update this Privacy & Cookie Policy, our Terms & Conditions, and our Approach to AI page before the new provider processes any client data. Clients engaged at that time will be notified in writing.

3.2 What Information is Shared with AI Providers

• Building documentation and technical information you provide
• Property details and specifications
• Analysis requests and processing instructions
• Technical metadata required for AI processing

3.3 Cross-Border Data Transfers

Your information will be transferred to and processed in:

• United States (primary location for AI services)
• Other countries where AI service providers operate servers
• Countries where AI service providers have data processing facilities

3.4 Third-Party Data Handling

AI service providers may:

• Store your data on their servers for processing and analysis
• Retain data according to their own privacy policies and retention schedules
• Apply their own security measures and data protection protocols
• Be subject to foreign government data access requirements

Model Training: Claude is accessed via a commercial Anthropic plan under terms that prohibit the use of customer data for AI model training. We regularly review provider terms to ensure these protections remain in place. Should the provider change its terms in a way that affects client data use for model training, or should we introduce any additional AI provider, we will notify affected clients and update this policy accordingly.

Data Preparation: Building documentation submitted for analysis may inherently contain personal information such as property addresses, owner details, and contact information. Where practicable, we remove or redact personal information that is not relevant to the technical analysis before submitting documentation to AI services. However, some personal information (such as property addresses) is integral to the analysis and cannot be removed without compromising the service.

Important Limitations:

• We cannot control third-party AI providers' data handling practices
• We cannot guarantee deletion of your data from third-party AI systems
• Third-party providers may have different privacy standards than ours
• Cross-border transfers may involve countries with different privacy laws

3.5 Your Rights Regarding AI Processing

In addition to the privacy rights set out in Section 8, you have the following rights in relation to AI processing of your information:

• Explainability: You may request written information about the type of AI system used, its basic ways of working and limitations, the due diligence carried out before its adoption, and the way relevant risks are identified and managed. See our Terms & Conditions (Section 2.4) for full details.
• Contest and Redress: You may contest the use of AI in the delivery of your service and seek redress if you believe you have been negatively affected. See our Terms & Conditions (Section 2.4) for the full process and timeframes.
• Opting Out: Capital Strategy cannot be delivered without AI processing. If you are not comfortable with AI processing, Capital Strategy is not suitable for you. Our Due Diligence and Retained Advisory service tiers involve direct professional analysis and carry professional indemnity insurance. Contact us to discuss alternatives.

4. How We Use Your Information

4.1 Primary Purposes

• Service Delivery: Providing our services
• AI Processing: Analyzing your building documentation through third-party AI services
• Communication: Responding to inquiries, providing support, sending service updates
• Payment Processing: Processing payments through secure third-party payment processors
• Quality Improvement: Enhancing our services and analysis methodologies

4.2 Secondary Purposes

• Legal Compliance: Meeting regulatory requirements and legal obligations
• Business Operations: Record keeping, accounting, business management
• Marketing: Sending relevant information about our services (with consent)
• Research: Improving our analysis methodologies and service offerings

4.3 Aggregated Intelligence Library

Moyne Ross operates a structured intelligence library that compounds with every asset assessed on the platform. When you commission a Capital Strategy, the structured analytical outputs generated for your asset — including register items, cost specifications, MR Index dimension scores, condition patterns, and methodology records — become part of this library in an anonymised and aggregated form. Your asset-specific data, identifying information, and commercially sensitive details remain confidential to your account and are not visible to other clients.

The aggregated library is used for:

• Benchmarking: Comparing capital positions across vintages, building classes, typologies, and regions
• Pattern recognition: Identifying systemic risks, lifecycle tendencies, and cost signals that inform the methodology
• Platform improvement: Refining the built-asset-intelligence engine and its assessment logic
• Industry intelligence: Producing aggregated, anonymised market reporting and thought leadership (published through our Insights platform)

Participation in the aggregated library is a core part of the Moyne Ross value proposition: every asset you assess through us benefits from the structured intelligence of every asset that came before, and contributes to every asset that comes after. If you are not comfortable with your asset's anonymised structured outputs contributing to this library, Capital Strategy is not the right service for you. Please contact us to discuss whether Due Diligence or Retained Advisory may be more appropriate.

5. Information Disclosure

5.1 Third Parties We May Disclose To

• AI Service Providers: For analysis and processing services
• Payment Processors: Stripe and other secure payment platforms
• Professional Advisors: Lawyers, accountants, insurance providers
• Service Providers: IT support, website hosting, analytics providers
• Regulatory Authorities: When required by law or regulation

5.2 Circumstances of Disclosure

• With your explicit consent
• To provide our services (including AI processing)
• When required or authorized by law
• To protect our rights or safety
• In connection with business transfers or restructuring

5.3 We Will NOT Disclose

• Your information for marketing by third parties (without consent)
• Building-specific details to competitors
• Personal information for unrelated commercial purposes
• Information to unauthorized parties

6. Data Security and Protection

6.1 Our Security Measures

• Secure data transmission using encryption protocols
• Access controls and authentication requirements
• Regular security reviews and updates
• Staff training on privacy and security obligations
• Secure storage and backup procedures

6.2 Third-Party Security Limitations

Important: We cannot guarantee the security measures of third-party AI providers. While we select reputable providers with strong security practices, we cannot control:

• Third-party security protocols and procedures
• Data breaches at third-party AI providers
• Unauthorized access to third-party systems
• Foreign government access to overseas data

6.3 Data Breach Response — Notifiable Data Breaches Scheme

Moyne Ross is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of a suspected or actual data breach involving your personal information, we will:

• Contain and assess: Take immediate containment action and commence an assessment of whether the breach is an "eligible data breach" under the NDB scheme. This assessment will be completed within 30 days of becoming aware of the suspected breach, as required by section 26WH of the Privacy Act, unless a shorter timeframe is practicable.
• Notify the OAIC: If we determine that the breach is an eligible data breach (likely to result in serious harm to one or more individuals), we will notify the Office of the Australian Information Commissioner as soon as practicable, using the OAIC's prescribed notification form.
• Notify affected individuals: Where an eligible data breach has occurred, we will notify affected individuals as soon as practicable after the OAIC notification, including a description of the breach, the kinds of information involved, and the steps we recommend affected individuals take in response.
• Remediate: Take such further remediation steps as are reasonable in the circumstances, including where appropriate the review and strengthening of our security measures.

Nothing in this clause limits our other obligations under the Privacy Act 1988, the Australian Privacy Principles, or any applicable law.

7. Data Retention and Deletion

7.1 Our Retention Periods

• Service Records: 7 years for legal and business purposes
• Payment Information: As required by taxation and business laws
• Communication Records: 3 years unless longer retention required
• Website Analytics: 26 months (Google Analytics default)

7.2 Data Deletion Requests

You may request deletion of your personal information. We will:

• Delete information from our primary systems within 30 days
• Retain information only where required by law or legitimate business needs
• Cannot guarantee deletion from third-party AI provider systems

Important Limitation: Once information is processed by third-party AI services, we cannot control or guarantee its deletion from their systems. Each AI provider has its own data retention and deletion policies.

7.3 Anonymization and Aggregation

We may retain anonymized, aggregated data for:

• Service improvement and research purposes
• Industry benchmarking and analysis
• Statistical reporting and trend analysis

8. Your Privacy Rights

8.1 Access and Correction Rights

You have the right to:

• Access personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request details about how your information is used and disclosed
• Receive information in a commonly used electronic format

8.2 Complaint and Objection Rights

You have the right to:

• Complain about our handling of your personal information
• Object to certain uses or disclosures of your information
• Request restriction of processing in certain circumstances
• Withdraw consent where we rely on consent for processing

8.3 Limitations on Rights

Your rights may be limited where:

• Information is required for legal or regulatory purposes
• Deletion would impact our ability to provide services
• Information is held by third-party AI providers beyond our control
• Exercise of rights would unreasonably impact others' rights

9. Cookies and Website Tracking

9.1 Types of Cookies We Use

• Essential Cookies: Required for website functionality and security
• Analytics Cookies: Google Analytics for website performance measurement
• Functional Cookies: User preferences and session management
• Payment Cookies: Secure payment processing through Stripe

9.2 Third-Party Cookies

Our website may include cookies from:

• Google Analytics (performance tracking)
• Stripe (payment processing)
• Other service providers essential for website operation

9.3 Managing Cookies

You can control cookies through:

• Browser settings (disable/delete cookies)
• Google Analytics opt-out tools
• Privacy preference centers (where available)
• Direct contact with us for assistance

10. International Considerations

10.1 Overseas Data Processing

Your information will be processed overseas, primarily in the United States. Other countries involved may include:

• Countries where AI service providers operate data centers
• Countries where our service providers are located
• Countries involved in data routing and processing

10.2 Privacy Law Differences

Important: Overseas countries may have different privacy laws and protections than Australia. Your information may be:

• Subject to foreign government access requirements
• Protected by different privacy standards
• Governed by foreign privacy laws and regulations

10.3 Australian Privacy Principle 8 — Reasonable Steps for Overseas Disclosure

Australian Privacy Principle 8 (APP 8) of the Privacy Act 1988 requires that before personal information is disclosed to an overseas recipient, we must take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information, unless a permitted exception applies.

We rely on our commercial agreement with Anthropic (the provider of Claude, our current AI service) as the reasonable steps under APP 8. The agreement contains contractual commitments that prohibit the use of customer data for AI model training and require Anthropic to handle data in a manner consistent with our obligations. We review this assessment at least annually and whenever the provider's terms materially change.

If we introduce additional AI providers in future, each new provider will be subject to an equivalent assessment under APP 8 before any client data is disclosed, and this Privacy Policy will be updated accordingly.

11. Changes to This Policy

We may update this Privacy Policy to reflect:

• Changes to our services or AI providers
• New legal requirements or regulations
• Improvements to our privacy practices
• Business changes or service enhancements

We will notify you of material changes by:

• Email notification to registered users
• Prominent website notices
• Updated effective date on this policy

12. Contact Information

12.1 Privacy Officer Contact

For privacy matters, please use our contact form.

12.2 Complaints Process

If you have privacy concerns:

• Contact our Privacy Officer using details above
• We will acknowledge your complaint within 5 business days
• We will investigate and respond within 30 days
• If unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC)

12.3 OAIC Contact Details

Office of the Australian Information Commissioner:

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: [email protected]

This Privacy Policy was last updated on 10 April 2026. Please review it regularly as we may update it from time to time.

Cookie Policy

Effective Date: 27 November 2025 · Last Updated: 10 April 2026

1. About This Policy

This Cookie Policy explains how Moyne Ross ("we," "us," "our") uses cookies and similar technologies on our website at moyneross.com ("Website"). By using our Website, you consent to our use of cookies as described in this policy.

2. What Are Cookies

2.1 Definition

Cookies are small text files that are stored on your device (computer, tablet, smartphone) when you visit a website. They help websites remember information about your visit and preferences.

2.2 Types of Cookies

• Session Cookies: Temporary cookies deleted when you close your browser
• Persistent Cookies: Remain on your device until they expire or you delete them
• First-Party Cookies: Set by our website directly
• Third-Party Cookies: Set by external services we use (e.g., Google Analytics)

3. Cookies We Use

3.1 Essential Cookies

• Purpose: Required for basic website functionality and security
• Examples: Session management and user authentication, shopping cart and payment processing, security features and fraud prevention, website performance and error tracking
• Legal Basis: Legitimate interest (essential for website operation)
• Retention: Session duration or as needed for functionality
• Can be disabled: No (website may not function properly)

3.2 Analytics Cookies

• Purpose: Help us understand how visitors use our website
• Service Provider: Google Analytics
• Information Collected: Pages visited and time spent on pages, traffic sources and user navigation patterns, device and browser information, geographic location (city/country level), website performance and error data
• Legal Basis: Consent
• Retention: 26 months (Google Analytics default)
• Can be disabled: Yes (see Section 5)

3.3 Functional Cookies

• Purpose: Enhance your website experience and remember preferences
• Examples: Language and region preferences, display settings and accessibility options, form data retention for user convenience, content personalization
• Legal Basis: Consent
• Retention: Varies (typically 6–12 months)
• Can be disabled: Yes (may affect website functionality)

3.4 Payment Processing Cookies

• Purpose: Secure payment processing through Stripe
• Service Provider: Stripe Inc.
• Information Collected: Payment session security tokens, fraud prevention data, transaction processing information
• Legal Basis: Legitimate interest (secure payment processing)
• Retention: As required for payment security and compliance
• Can be disabled: No (required for payment processing)

4. Third-Party Cookies

4.1 Google Analytics

• Provider: Google LLC
• Purpose: Website traffic analysis and performance measurement
• Privacy Policy: https://policies.google.com/privacy
• Data Processing: May include personal information and cross-site tracking
• Location: Data processed in the United States and other Google locations

4.2 Stripe Payment Processing

• Provider: Stripe Inc.
• Purpose: Secure payment processing and fraud prevention
• Privacy Policy: https://stripe.com/privacy
• Data Processing: Payment and transaction data
• Location: Data processed in the United States and other Stripe locations

4.3 Other Third-Party Services

We may use additional third-party services that set cookies, including:

• Content delivery networks (CDNs)
• Security and anti-fraud services
• Customer support tools
• Marketing and advertising platforms

Important: Third-party cookies are governed by the privacy policies of their respective providers. We recommend reviewing these policies to understand how your information is handled.

5. Managing Your Cookie Preferences

5.1 Browser Controls

All modern browsers allow you to control cookies through settings:

Google Chrome: Settings → Privacy and Security → Cookies and other site data. Choose your preferred cookie settings and manage site-specific permissions.

Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data. Select your cookie preferences and manage exceptions for specific sites.

Safari: Preferences → Privacy → Cookies and website data. Choose your blocking preferences and manage website data.

Microsoft Edge: Settings → Cookies and site permissions. Configure cookie settings and manage site permissions.

5.2 Google Analytics Opt-Out

To specifically opt out of Google Analytics:

• Install Google Analytics Opt-out Browser Add-on
• Available at: https://tools.google.com/dlpage/gaoptout
• Works across all websites using Google Analytics

5.3 Industry Opt-Out Tools

Additional opt-out resources:

• Digital Advertising Alliance: http://optout.aboutads.info/
• Network Advertising Initiative: http://optout.networkadvertising.org/
• European Interactive Digital Advertising Alliance: http://youronlinechoices.eu/

5.4 Mobile Device Controls

• iOS Devices: Settings → Privacy → Advertising → Limit Ad Tracking
• Android Devices: Settings → Google → Ads → Opt out of Ads Personalization

6. Consequences of Disabling Cookies

6.1 Essential Cookies

If disabled, the website may not function properly, including:

• Login and account access issues
• Payment processing failures
• Security features may not work
• Error messages and functionality problems

6.2 Analytics Cookies

If disabled:

• Website functionality unaffected
• We cannot analyze website performance
• User experience improvements may be limited
• Technical issues may be harder to identify

6.3 Functional Cookies

If disabled:

• Website will work but with reduced functionality
• Preferences and settings will not be remembered
• Personalization features unavailable
• May need to re-enter information frequently

7. Cookie Retention Periods

• Essential Cookies: Session or as needed - Website functionality
• Google Analytics: 26 months - Traffic analysis
• Functional Cookies: 6–12 months - User preferences
• Payment Cookies: As required - Transaction security

Note: Some cookies may have shorter or longer retention periods based on specific functionality requirements.

8. Cross-Border Data Transfers

8.1 International Processing

Cookie data may be transferred to and processed in:

• United States (Google Analytics, Stripe)
• Other countries where service providers operate
• Countries involved in content delivery networks

8.2 Data Protection

Third-party cookie providers implement various data protection measures, including:

• Privacy Shield frameworks (where applicable)
• Standard contractual clauses
• Adequacy decisions by relevant authorities
• Internal corporate privacy policies

Important: Different countries may have different privacy laws and data protection standards.

9. Changes to This Policy

9.1 Policy Updates

We may update this Cookie Policy to reflect:

• Changes to cookies we use or third-party services
• New legal requirements or privacy regulations
• Improvements to our privacy practices
• Technical changes to our website

9.2 Notification of Changes

We will notify you of material changes by:

• Email notification (for registered users)
• Prominent website banner or notice
• Updated effective date on this policy

9.3 Continued Use

Continued use of our Website after policy updates constitutes acceptance of the revised Cookie Policy.

10. Contact Information

10.1 Privacy Questions

For questions about this Cookie Policy or our privacy practices, please use our contact form.

10.2 Cookie-Specific Inquiries

If you have specific questions about cookie settings or preferences, disabling specific cookies, third-party cookie policies, or data retention for cookies, please contact us using the details above.

10.3 Complaints

If you have concerns about our cookie practices:

• Contact us using the details above
• We will respond within 30 days
• If unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

11. Regulatory Compliance

11.1 Australian Privacy Law

This Cookie Policy complies with:

• Australian Privacy Act 1988
• Australian Privacy Principles (APPs)
• Spam Act 2003 (where applicable)

11.2 International Compliance

We also consider requirements under:

• European General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Other applicable privacy laws

11.3 Industry Standards

Our cookie practices align with:

• International Association of Privacy Professionals (IAPP) guidelines
• Industry best practices for data protection
• Security standards for online services

This Cookie Policy was last updated on 10 April 2026. Please review it regularly as we may update it from time to time. For our complete privacy practices, please also review our Privacy Policy and Terms & Conditions.