Privacy Policy | Books on Cloud

Effective Date: 1 June 2025 | Last Updated: 1 June 2025

1. About This Policy and Our Global Operations

Books on Cloud ("we", "us", "our") is a risk, compliance, and governance (GRC) consultancy Australia, providing advisory services to clients across multiple jurisdictions globally. Our practice encompasses regulatory compliance architecture, enterprise risk management, governance framework design, and assurance services.

This Privacy Policy governs all personal information we collect and process through our website booksoncloud.com and in the course of delivering our professional services internationally. It applies regardless of where you are located.

As a global GRC consultancy, we recognise that privacy and data protection obligations vary by jurisdiction. We are committed to meeting the highest applicable standard across all jurisdictions in which we operate, and to full transparency about our data handling practices.

2. Applicable Privacy Frameworks

Depending on your location and the nature of your engagement with us, one or more of the following frameworks may apply to our handling of your personal information:

Australia — Privacy Act 1988 Australian Privacy Principles (APPs) apply to all personal information we collect in Australia

European Union / EEA — GDPR General Data Protection Regulation applies where we process personal data of EU/EEA residents

United Kingdom — UK GDPR UK GDPR and Data Protection Act 2018 apply to processing of UK residents' personal data

Singapore — PDPA Personal Data Protection Act 2012 applies to personal data collected in Singapore

Canada — PIPEDA Personal Information Protection and Electronic Documents Act applies to Canadian engagements

Other Jurisdictions We comply with applicable local privacy laws in all jurisdictions where we operate

3. Personal Information We Collect

We collect the following categories of personal information:

Identity data: Full name, job title, professional role, and organisation name
Contact data: Business email address, telephone number, office address, and country of location
Enquiry and engagement data: Details of your GRC requirements, service areas of interest, and information you provide through our contact form, by email, or during an engagement
Professional data: Information about your organisation's regulatory environment, risk profile, and compliance posture — collected solely for the purposes of delivering advisory services
Technical data: IP address, browser type, device information, pages visited, and session data — collected automatically through standard web server mechanisms

We do not collect special categories of sensitive personal data (as defined under GDPR and equivalent frameworks) through this website.

4. Legal Basis for Processing (GDPR / UK GDPR)

For individuals located in the EU, EEA, or United Kingdom, we process personal data under the following lawful bases:

Legitimate interests — responding to business enquiries and maintaining client relationships
Performance of a contract — processing necessary to deliver agreed professional services
Legal obligation — processing required to comply with applicable law
Consent — where you have expressly consented to specific processing activities

5. How We Use Personal Information

To respond to your enquiries and provide information about our GRC advisory services
To deliver professional services under an engagement agreement
To send service-related communications including proposals, reports, and invoices
To maintain and improve our website and service delivery
To comply with our legal, regulatory, and professional obligations across all applicable jurisdictions
To protect our legitimate business interests and legal rights

We will not use your personal information for unsolicited direct marketing without your express prior consent.

6. International Data Transfers

As a global consultancy, we may transfer personal information across international borders in the course of delivering our services. Where such transfers occur, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission for EU/EEA data transfers
International Data Transfer Agreements (IDTAs) for UK data transfers post-Brexit
Binding Corporate Arrangements or equivalent mechanisms as required by applicable local law
Transfer impact assessments where required under applicable frameworks

We do not transfer personal data to jurisdictions that do not provide an adequate level of protection without implementing appropriate contractual or technical safeguards.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, subject to any longer retention periods required by applicable law or professional obligation. In general:

Enquiry data: 2 years from date of enquiry if no engagement proceeds
Client engagement data: 7 years from completion of the engagement, consistent with professional indemnity and legal record-keeping obligations
Financial records: As required by applicable taxation and corporate law in the relevant jurisdiction

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: The right to request a copy of personal information we hold about you
Correction / Rectification: The right to correct inaccurate or incomplete information
Erasure: The right to request deletion of your personal information (subject to legal retention obligations)
Restriction: The right to restrict our processing of your personal information in certain circumstances
Portability: The right to receive your personal data in a structured, machine-readable format (GDPR/UK GDPR)
Objection: The right to object to processing based on legitimate interests
Withdrawal of consent: Where processing is based on consent, the right to withdraw at any time

To exercise any of these rights, please contact us using the details below. We will respond within the timeframe required by applicable law (generally 30 days, extendable to 60 days for complex requests).

9. Complaints and Regulatory Authorities

If you have concerns about our privacy practices that we have not resolved to your satisfaction, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
European Union: The data protection authority (DPA) of your EU member state
United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg
Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

10. Changes to This Policy

We review this Privacy Policy periodically and update it to reflect changes in our practices, applicable law, or regulatory guidance. Material changes will be notified by publishing an updated Policy with a revised effective date. We encourage you to review this Policy regularly.

Privacy Officer — Contact Details

For all privacy enquiries, data subject requests, or complaints, please contact our Privacy Officer:

Books on Cloud
info@booksoncloud.com
booksoncloud.com

We will acknowledge your enquiry within 5 business days and respond fully within the timeframe required by applicable law.