
Privacy Policy

Last updated 22 June 2026

Fitzroy Associates Pty Ltd, trading as Surity360 (“Surity360”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share Personal Information, in line with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (the “APPs”).

Surity360 is a compliance and evidence layer for Australian advice practices. The Surity360 platform reconciles data from the practice’s existing systems (such as XPlan, Worksorted, HUB24, North, SharePoint, and MyProsperity) into a single auditable client record, and produces structured evidence for the Best Interests Duty, Annual Advice Agreement, and ongoing fee consent processes. This Policy applies to surity360.com.au (the “Site”) and to the Surity360 platform.

This Privacy Policy may be updated periodically. All changes will be communicated by publishing the updated Policy on this page. We encourage you to review it from time to time.

Contents

  1. Introduction and scope
  2. What we mean by Personal Information
  3. What we collect, how, and why
  4. Anonymised and aggregated data
  5. Cookies and tracking
  6. How we keep information secure
  7. How long we keep your information
  8. Where your information is stored
  9. Who we share your information with
  10. Marketing communications
  11. If you choose not to provide information
  12. Contacting us and complaints
  13. Australian-specific clauses (NDBS & APP rights)
  14. Visitors from the EEA, UK, or elsewhere

1. Introduction and scope

1.1 We are Fitzroy Associates Pty Ltd, trading as Surity360, an Australian-registered company operating from Tasmania, Australia. Surity360 is our compliance and evidence platform for Australian advice practices.

1.2 For the purposes of this Policy, references to “you” and “your” mean any visitor to the Site, any practice or individual who purchases or evaluates the Surity360 platform, and any individual whose Personal Information we hold in the course of running our business.

1.3 In the language of Australian privacy law, Surity360 is the holder of Personal Information that we collect directly — for example, the email address you provide when you request a whitepaper, or the practice contact details on a pilot agreement. Where the Surity360 platform processes the personal information of an advice practice’s clients (for example, fact find data ingested from MyProsperity, or holdings data from HUB24), the practice is the controller of that information and Surity360 is its data processor under the standard Data Processing Agreement that forms part of every Surity360 contract.

2. What we mean by Personal Information

2.1 Under the Australian Privacy Act 1988 (Cth), “Personal Information” means “information or an opinion about an identified individual, or an individual who is reasonably identifiable”, whether the information is true or not and whether it is recorded in a material form or not.

2.2 Where the term “Personal Information” appears in this Policy, it has the meaning set out above. For visitors from the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we treat “Personal Data” as defined in the EU and UK General Data Protection Regulation as having the equivalent meaning.

3. What we collect, how, and why

3.1 The Personal Information we collect from you, and how we collect it, depends on the way you interact with us. The table below summarises the main categories.

| What we collect | How we collect it | Why we use it |
| --- | --- | --- |
| Name, email address, phone number, organisation, role — provided voluntarily by visitors to the Site. | When you request a whitepaper, fill in a contact form, request a licensee briefing pack, or otherwise contact us. | To respond to your enquiry, to send the requested document, and (with your consent) to keep you informed about Surity360. |
| Technical data — IP address, user-agent string, request timing — collected by Cloudflare Pages as part of standard request logs. | Automatically when you browse the Site. | To deliver the Site, prevent abuse and fraud, monitor service integrity, and produce aggregated traffic measures. We run no advertising or remarketing scripts on the Site. |
| Usage and device data — pages viewed, referring URL, approximate (city-level) location derived from a truncated IP, browser and device type — collected by Google Analytics 4. | Automatically when you browse the Site, via the Google Analytics (gtag.js) script. | To understand, in aggregate, how visitors find and use the Site so we can improve it. Google Analytics is configured to use cookies and processes this data on our behalf; see section 5. We do not use it for advertising or remarketing. |
| Practice contact details — principal name, adviser names, business address, billing details — provided when you sign a Surity360 pilot or subscription agreement. | Through the pilot agreement, the discovery call, or direct correspondence. | To deliver the Surity360 platform to your practice, to invoice for the service, to provide technical support, and to keep you informed about platform updates. |
| Authentication data — bcrypt-hashed passwords, session tokens, audit log entries — for users of the Surity360 platform. | When a practice user logs in to the platform. | To verify identity, enforce role-based access control, and produce per-action audit trails. |
| Practice client data — reconciled client records, holdings data, fact find data, document references — ingested from the practice’s existing systems. | Through OAuth, API, SFTP, and authorised browser automation, in each case configured by the practice. | To deliver the Surity360 platform to the practice. Surity360 is the data processor of this information; the practice remains the controller. |

3.2 We may also use your Personal Information to comply with a legal obligation — for example, recording your marketing preferences, responding to a lawful request from a regulator or law-enforcement agency, retaining records to support a legal claim, or notifying an eligible data breach.

4. Anonymised and aggregated data

4.1 We may anonymise Personal Information we hold (so it can no longer identify you) and combine it with other anonymous information to produce aggregated data — for example, average pilot duration, or the proportion of practices using a given platform connector. Australian and overseas data protection laws do not generally apply to aggregated data, and the rights described below do not apply to it.

5. Cookies and tracking

5.1 surity360.com.au (the marketing site) uses Google Analytics 4 to measure aggregate traffic. Google Analytics sets cookies on your device and collects the usage and device data described in section 3 (including a truncated IP address for approximate, city-level location). We use it only to understand how the Site is used in aggregate; we run no advertising pixels, remarketing tags, or any other third-party tracking. Apart from Google Analytics, the Site sets no cookies and runs no other client-side JavaScript, and is otherwise delivered as static HTML, CSS, and inline SVG over Cloudflare Pages.

5.2 Google Analytics processes this data as our service provider. Google may transfer and store the data outside Australia (including in the United States) under its own terms. You can opt out across all sites by installing the Google Analytics Opt-out Browser Add-on, or by blocking cookies in your browser. If we introduce any additional non-essential cookie in the future, we will update this section.

5.3 The Surity360 platform itself (accessed via authenticated practice URLs, separate from this marketing site) uses session cookies that are strictly necessary for login and security. These are set only on authenticated platform domains and do not apply to public visitors of surity360.com.au.

6. How we keep information secure

6.1 We take the security of your Personal Information seriously. Surity360 implements technical and organisational controls that include:

6.2 If we become aware of an incident affecting your Personal Information, we will investigate it, take steps to contain it, notify the appropriate regulator where required, and keep you informed where required under applicable data protection law.

7. How long we keep your information

7.1 We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, including any legal or accounting obligations. To decide retention periods we consider the volume, nature, and sensitivity of the information, the potential harm from unauthorised use, whether we still need the information to achieve the original purpose, and any minimum retention periods set by law.

7.2 Marketing contact details are retained until you ask us to stop contacting you.

7.3 Practice client data ingested into the Surity360 platform is retained while the practice subscription is active and for the period set out in the practice’s Data Processing Agreement, after which it is deleted or returned to the practice on request.

8. Where your information is stored

8.1 All Personal Information collected by Surity360 in connection with the Surity360 platform is stored in Australia — on Google Cloud (australia-southeast1, Sydney) and MongoDB Atlas (Sydney). No client data leaves Australia.

8.2 Marketing-site form submissions (whitepaper requests and direct contact) are stored in the same Australian-hosted infrastructure.

8.3 A small number of operational sub-processors operate from outside Australia — for example, Cloudflare provides DNS, CDN, and edge protection from a global network. Where this is the case, the data exposed is limited to what is strictly necessary for the service (for example, the IP address of an inbound HTTP request) and is governed by the relevant sub-processor’s contractual commitments. A current list of sub-processors is available on request.

9. Who we share your information with

9.1 We share Personal Information with the following categories of third party, only where necessary and with appropriate contractual protections in place.

| Recipient | Purpose |
| --- | --- |
| Infrastructure providers — Google Cloud (australia-southeast1, Sydney) and MongoDB Atlas (Sydney) for compute, storage, and data services. Cloudflare for DNS, CDN, edge security, and the public marketing site (Cloudflare Pages). | To run the Surity360 platform and the public Site. |
| Identity and access providers — Cloudflare Access for two-factor perimeter authentication. Google Cloud Secret Manager for secrets storage. | To verify user identity and protect access to the platform. |
| AI and language-model providers — Google Gemini (via Google AI Studio / Vertex AI) for document extraction tasks such as fact-find PDF parsing. We use these providers only for narrowly scoped extraction and synthesis tasks initiated by the practice; we do not use any of your Personal Information, practice data, fact-find content, or uploaded documents to train any large language model. | To enable specific platform features (for example, extracting structured fields from a fact find PDF or summarising recent file notes). |
| Communication providers — Gmail SMTP (Google) for transactional and notification email; Microsoft Graph (M365) for ROA-email reading and document filing where the practice has authorised this. | To send and receive email on the practice’s behalf. |
| Practice-authorised third-party platforms — HUB24, North (AMP), Worksorted, MyProsperity, SharePoint, Sharesight, SuiteCRM and others where the practice has elected to integrate them. | To ingest and reconcile the practice’s own data on its behalf. |
| Professional advisers — auditors, accountants, lawyers, and other regulated professional consultants engaged by Surity360. | To obtain advice in running our business. |
| Authorities — any government, regulator, self-regulatory body, or law-enforcement agency. | Where we are under a legal obligation to disclose, or where disclosure is necessary to protect the rights, property, or safety of Surity360, our customers, or others. |
| Successors in a corporate transaction — a buyer, investor, or counterparty in a sale, merger, reorganisation, change of control, or similar transaction. | For the purposes of the relevant transaction. Any such successor is bound by the same Privacy Policy or an equivalent one. |

9.2 Where we share Personal Information with a third party for processing on our behalf, we put a Data Processing Agreement in place that sets out the purpose, security expectations, and retention obligations. The standard practice contract for the Surity360 platform also includes a Data Processing Agreement that governs the practice’s data.

9.3 We do not sell your Personal Information.

10. Marketing communications

10.1 Where you have consented (for example, by ticking a marketing-opt-in box on a whitepaper request form), we may send you occasional updates about Surity360, including new product capabilities and relevant sector commentary. You can opt out at any time by replying with the word “unsubscribe”, by clicking the unsubscribe link in any marketing email, or by emailing pilot@surity360.com.au.

10.2 We may still send you administrative messages (for example, a contract update or a security notice) even if you have unsubscribed from marketing.

11. If you choose not to provide information

11.1 Where we ask for Personal Information so that we can provide a service to you (for example, your name and email to deliver a whitepaper), and you choose not to provide it, we may not be able to provide that service. We will tell you at the point of collection where this is the case.

12. Contacting us and complaints

12.1 If you have a question, request, or complaint about your Personal Information or this Policy, please contact us by email at pilot@surity360.com.au or by post at 9 St Johns Ave, New Town TAS 7008, Australia.

12.2 Our aim is to resolve your complaint as soon as possible and within five (5) business days. If we need more time, we will let you know. We will investigate the matter, keep you informed, and tell you in writing about the steps we have taken and the outcome.

12.3 Our privacy and complaints contact details are:

Surity360 — Privacy and Complaints
9 St Johns Ave, New Town TAS 7008
Email: pilot@surity360.com.au

12.4 Surity360 is a data and software provider; it does not give personal financial advice. A complaint about financial advice itself is a matter for your licensed financial adviser and their AFS licensee, who are responsible for the advice provided to you.

12.5 Under the Privacy Act 1988 (Cth) you may also complain to the Office of the Australian Information Commissioner (“OAIC”) if you are not satisfied with our response to, or our handling of, your complaint. We would encourage you to contact us first so that we have an opportunity to address your concerns directly.

12.6 The OAIC’s contact details are:

Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Online: oaic.gov.au

13. Australian-specific clauses

13.1 Notifiable Data Breach Scheme

If we become aware of a data breach that is likely to result in serious harm and that triggers the Notifiable Data Breach Scheme under the Australian Privacy Act, we will follow the process and timing set out by the OAIC: contain the breach where possible, complete a risk assessment within 30 days, and notify affected individuals and the OAIC where required.

13.2 Your rights under the Australian Privacy Principles

If you are an Australian resident, the APPs give you the following rights, subject to certain exceptions in the Privacy Act:

To exercise any of these rights, email pilot@surity360.com.au with the details of your request. We will respond within a reasonable period and, where required, explain any reason we are not able to comply in full.

13.3 Automated decision-making

The Surity360 platform produces structured evidence and surfaces compliance flags — for example, an Annual Advice Agreement nearing expiry, or a Best Interests Duty step that is missing evidence. These outputs are designed to be reviewed by a qualified human adviser. Surity360 does not make automated decisions about individuals that have legal or similarly significant effects on them.

14. Visitors from the EEA, UK, or elsewhere

14.1 Surity360 provides its platform to Australian advice practices, and our customer base is Australian. The Site is, however, accessible from anywhere in the world, and we may collect limited Personal Information (for example, name and email submitted on a whitepaper form) from visitors based outside Australia.

14.2 If you are a resident of the EEA, the United Kingdom, or Switzerland, the EU and UK General Data Protection Regulation give you rights that are broadly equivalent to the Australian rights set out in section 13.2 — including the right to access, rectify, erase, restrict, port, and object to the processing of your Personal Data, and the right to withdraw consent at any time. To exercise any of these rights, email pilot@surity360.com.au. You may also lodge a complaint with your local supervisory authority, but we encourage you to contact us first.

14.3 Where we transfer Personal Data from the EEA, the UK, or Switzerland to Australia or to one of our sub-processors, the transfer is made on the basis of an adequacy decision, the relevant Standard Contractual Clauses, or another lawful transfer mechanism.
