Privacy Policy
Before After Digital
A trading name of Monika Andrea Almasy, sole trader.
ABN: 44 137 669 949
Postal address: PO Box 233, Runaway Bay QLD 4216, Australia
Contact: monika@beforeafterdigital.com
Effective date: 8 June 2026
Version: 1.1
Last reviewed: 8 June 2026
Governing law: Queensland, Australia
Plain-language summary. This document explains what personal information Before After Digital collects, why we collect it, who we share it with, where it is stored, how long we keep it, and what rights you have under Australian privacy law. We run a cold-email outreach program to find new clients, so this policy also covers the data we collect about businesses and people we have not yet spoken to. We try to be straight about that, including how to opt out.
1. About this policy and who we are
1.1 Plain-language summary
Before After Digital is a one-person Australian web design business. This policy applies to every interaction you have with us: visiting our website, receiving a cold email from us, becoming a client, or contacting us for any reason. The kinds of personal information we collect are summarised in Section 2 and described in detail through the rest of this policy.
1.2 The entity covered
This policy is published by Monika Andrea Almasy, an Australian sole trader, ABN 44 137 669 949 ("we", "us", "our"). We use "Before After Digital" as the public name for our web design service. The legal entity responsible for the data handling described in this policy, and the entity you contract with, is Monika Andrea Almasy, ABN 44 137 669 949.
1.3 What we do
We provide one-off website redesign services to small and medium businesses. Our work is project-based, not a subscription. We may also provide an optional ongoing hosting and maintenance retainer after a redesign project is delivered. We are not a software-as-a-service company. We do not run a platform that you log into.
1.4 What this policy covers
This policy covers the personal information we collect, hold, use, and disclose:
a. when we identify and contact prospective clients through our cold-email outreach program;
b. when you visit our website at beforeafterdigital.com or any subdomain we operate;
c. when you contact us by email, web form, phone, or any other channel;
d. when you become a client and we deliver a website redesign or hosting retainer to you;
e. when you receive transactional emails from us (proposals, invoices, project updates, support replies);
f. when third parties we use to run our business handle your information on our behalf.
1.5 The legal framework we operate under
We are bound by:
a. the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 to that Act;
b. the Spam Act 2003 (Cth) and the Spam Regulations 2021, which govern commercial electronic messages including our cold-email program;
c. the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act;
d. any other Australian Commonwealth, State, or Territory law that applies to our handling of personal information.
We are a small business operator with annual turnover under three million Australian dollars. The Privacy Act gives some small business operators a partial exemption. We have voluntarily chosen to comply with the Privacy Act and the Australian Privacy Principles in full, and this policy is intended to be enforceable as if we were a covered APP entity. We make this commitment because we handle business contact data, payment data, and client website credentials, and because we consider full compliance the right baseline for any business that sends commercial email.
If you are in the European Union or the United Kingdom and you believe the GDPR or the UK GDPR applies to our handling of your personal data, see Section 13 below.
2. The kinds of personal information we collect
2.1 Plain-language summary
We collect three different kinds of information depending on how we meet you: information about businesses we are trying to reach, information about visitors to our website, and information about clients who have signed a contract with us. Each of these has a different scope and a different retention period.
2.2 Prospect information (collected before any consent or contact from you)
To run our cold-email outreach program, we collect the following kinds of information about businesses and the people who represent them:
a. business name and trading name;
b. the website URL of the business;
c. a publicly listed business email address (for example, info@, hello@, contact@, or a named owner address listed on the business website or directory listing);
d. business location, including suburb, state, and country;
e. industry or service category;
f. the name and role of the business owner or principal contact, where this is publicly listed;
g. an automatically captured screenshot of the business's existing website;
h. an automatically generated visual mock-up of a redesigned version of that website (HTML, CSS, and rendered images), produced with the assistance of the Anthropic Claude API;
i. an automatically generated short video (typically 15 to 30 seconds) showing a transition from the existing website design to our proposed redesign;
j. a quality score and notes about the existing website (for example, mobile responsiveness, page load, visual dating).
We collect this information from public web sources only. We do not buy contact lists. We do not scrape data from behind logins. We do not collect information from sources that have an enforceable term of service prohibiting collection. The collection is automated and uses third-party tools listed in Section 6.
2.3 Website visitor information
When you visit our website at beforeafterdigital.com:
a. we collect standard server-side request information, including your IP address, the page you requested, the time of the request, your user agent (browser and operating system), and the referring URL;
b. if you submit a contact form, we collect the information you provide in that form, which typically includes your name, business name, email address, optional phone number, and your message;
c. we use Cloudflare Web Analytics (see Section 6.4), a privacy-respecting analytics tool that does not set cookies, does not use client-side storage, does not fingerprint visitors, and does not collect personally identifiable information. It measures aggregate traffic only, such as page views, referrers, and country-level location.
We do not use Google Analytics, Meta Pixel, or any third-party advertising or tracking pixel on our website at the date of this policy. If we add one in future, we will update this policy and provide a cookie consent mechanism.
2.4 Client information (collected after you engage us)
When you sign a contract with us and pay your deposit, we may collect and hold the following:
a. your full legal name, business name, ABN or ACN, business address, and billing address;
b. your contact details, including email, phone number, and any preferred messaging channel;
c. your brand assets, including logos, fonts, brand guidelines, photographs, and copy;
d. content from your existing website that we are migrating or rewriting;
e. credentials and access to your website, hosting, domain registrar, content management system, email accounts, and any third-party platforms we need access to in order to deliver the project;
f. correspondence between us, including emails, project notes, meeting summaries, and uploaded files;
g. payment-related information sufficient to issue invoices and reconcile payments. We do not store credit card numbers or full bank account details. Card payments are processed by Stripe (see Section 6.6) and remain with Stripe at all times.
We only request access to live client systems after a written contract is signed and the deposit is paid. We do not act on informal access offered before that point. If you do not provide the client information described above, we may be unable to enter into or deliver a project for you.
2.5 Sensitive information
We do not deliberately collect sensitive information as defined in section 6 of the Privacy Act. This includes information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health, or genetic data. If you provide sensitive information to us in the course of a contact form submission or a project, we will treat it with the additional protection required by APP 3.3 and APP 6, and we will not use or disclose it except as required by law.
2.6 Children
Our services are intended for businesses, not for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has submitted personal information to us, contact us at monika@beforeafterdigital.com and we will delete it.
Some businesses we contact have customers who are children. Examples include childcare centres, paediatric practices, and tutoring services. Their public websites may contain photographs of, or information about, children. When our automated pipeline crawls a prospect website, we treat any incidentally captured imagery of children with extra care. We do not extract, index, embed, or otherwise reuse images or names of children from these websites. The screenshot and mock-up are produced only to demonstrate a visual redesign of the business's own website to the business owner. Every mock-up is reviewed by a person before it is sent. If that review finds a recognisable image of a child, we crop or blur the image before the mock-up is sent, or we purge the screenshot and the derived mock-up entirely. If you believe a child's image or information has been captured by our pipeline, contact us at monika@beforeafterdigital.com and we will purge the relevant artefacts immediately.
3. How we collect personal information (APP 3 and APP 4)
3.1 Plain-language summary
We collect prospect information from the public web in an automated way. We collect everything else directly from you, either through our website, our email, or our project work.
3.2 Direct collection
We collect personal information directly from you when:
a. you submit a contact form on our website;
b. you reply to a cold email or any other email we send you;
c. you call us, message us, or speak with us through any other channel;
d. you sign a contract or proposal with us;
e. you grant us access to your business systems for the purposes of project delivery;
f. you pay an invoice through Stripe.
3.3 Indirect collection (prospect program)
We collect prospect information indirectly, from public web sources, using the following methods:
a. automated crawling of publicly accessible websites using Firecrawl (see Section 6.2);
b. automated capture of website screenshots using a headless browser;
c. enrichment of business records from publicly available business directories, search engine results, and the businesses' own published contact pages;
d. processing of the collected data using the Anthropic Claude API to score website quality, generate redesign mock-ups, and draft personalised outreach copy.
We do not purchase, lease, or trade contact lists. We do not use credential-based scrapers that bypass logins, paywalls, or rate-limit protections. We do not collect personal information about employees who are not listed publicly as a contact for the business.
3.4 Why we do not seek consent before initial collection of prospect data
Under APP 3, we may collect personal information that is reasonably necessary for our business activities. Where we collect it about you from a source other than you (for example, your business's public website), APP 3.6 permits this where it is unreasonable or impracticable to collect it directly from you. APP 5 then requires us to notify you of the collection at or before the time of collection, or as soon as practicable afterwards. We provide that notification, and an immediate functional opt-out, in every cold email (see Section 5).
Where we collect personal information about you indirectly (for example, from your business's public website or directory listing), we notify you of that collection as soon as practicable after collection. The notification is delivered through three connected channels:
a. the first cold email we send you, which contains our identity and contact details, the fact that we have collected your business contact information from a public source, the purpose of our contact, the consequences if you do not engage (none, beyond not receiving further messages from us), a link to this Privacy Policy in the email signature, and a one-click unsubscribe;
b. this Privacy Policy itself, which sets out the matters listed in APP 5.2 in full, including the third parties to whom we may disclose the information (Section 6), the right to access and correct your information (Section 9), how to complain (Section 15), and our overseas disclosure practices (Section 6 and Section 13);
c. the privacy page on our brand website, which links to this policy and is published before any cold-email outreach is sent.
Together, the email, the policy link in its signature, and the published policy on our website are intended to satisfy our APP 5 notification obligations.
3.5 What we do if collection is unsolicited (APP 4)
If we receive personal information that we did not ask for and that we could not have collected lawfully under APP 3, we will, within a reasonable period, destroy or de-identify the information, unless it is contained in a Commonwealth record or we are required by law to retain it.
When we crawl a prospect's public website, we will routinely encounter incidental personal information about people who are not the intended recipient of our outreach. Common examples are named staff on About pages, customer testimonials including author names, customer photographs, and embedded social media handles. We do not need this incidental personal information for our outreach, and we do not use it. The screenshot and HTML capture are used only to generate the redesign mock-up that is sent back to the business owner. Incidental personal information that is not required for the outreach is not extracted from the page, not added to our prospect database as a separate record, and not retained beyond the lifetime of the underlying screenshot or scraped page. For the outreach itself, we use only the business name and a publicly listed business contact email address. If we become aware that incidental personal information has been retained outside this rule, we will destroy or de-identify it as soon as practicable.
4. Why we collect personal information and how we use it (APP 6)
4.1 Plain-language summary
We use prospect information to send a small number of relevant cold emails. We use website visitor information to run the website. We use client information to deliver the project we have been hired to deliver. We do not use your information for any unrelated purpose without telling you.
4.2 Primary purposes
We collect, hold, and use personal information for the following primary purposes:
a. Prospect outreach. To identify businesses whose existing websites we believe we could meaningfully improve, to generate a personalised demonstration of that improvement, and to send a small sequence of cold emails offering our services. This includes generating screenshots, mock-ups, and short videos that show a before-and-after preview of the redesign we are proposing.
b. Delivering services to clients. To prepare proposals, sign contracts, plan and deliver website redesign projects, deliver hosting and maintenance retainers, and provide post-launch support.
c. Operating our website. To run beforeafterdigital.com, respond to enquiries, and measure aggregate website traffic.
d. Billing and accounting. To issue invoices, accept payments, reconcile our books, and meet our tax and record-keeping obligations under the Income Tax Assessment Act 1936 (Cth), the Income Tax Assessment Act 1997 (Cth), the A New Tax System (Goods and Services Tax) Act 1999 (Cth), and related laws.
e. Communicating with you. To send you transactional emails about your project (proposals, invoices, status updates, file deliveries, support responses) and to reply to enquiries.
f. Compliance and legal obligations. To meet our obligations under the Privacy Act, the Spam Act, Australian consumer law, tax law, and any other applicable law.
g. Improving our services. To analyse aggregate, de-identified information about how our outreach performs, how visitors use our website, and how projects are delivered, so that we can improve.
4.3 Secondary purposes
We may use or disclose personal information for a secondary purpose where the secondary purpose is related to the primary purpose and you would reasonably expect us to use or disclose the information for that secondary purpose, or where we have your consent, or where another exception in APP 6 applies.
4.4 What we will not do
a. We will not sell, rent, trade, or otherwise disclose your personal information to any third party for marketing purposes.
b. We will not use prospect information to send messages on behalf of any other business.
c. We will not use client project content (your website copy, brand assets, internal documents) for any purpose other than delivering your project, without your written consent.
d. We will not use your personal information to train any general-purpose machine learning model, including any model operated by Anthropic, OpenAI, Google, or any other third party. The Anthropic Claude API is used at inference time only, under a commercial agreement that prohibits Anthropic from training on our API inputs and outputs.
5. Cold-email program: full disclosure
5.1 Plain-language summary
This is the part of our business that involves the most novel data flow, so we are spelling it out in detail. We send commercial emails to businesses we have not previously contacted. Every one of those emails complies with the Spam Act 2003 (Cth). Every email has a working unsubscribe link. If you opt out, we keep a minimal record of that opt-out so we do not contact you again.
5.2 Legal basis for sending
Our cold-email program operates on the basis of inferred consent under section 16(2) and Schedule 2 of the Spam Act 2003 (Cth). Under Schedule 2, inferred consent is only available where the recipient's role and responsibilities are reasonably relevant to the content of the message. Three conditions must therefore be met for us to send: the business has conspicuously published a work-related electronic address; the message we send is directly relevant to the work-related responsibilities of the role; and the address has not been published with a statement that the recipient does not want to receive unsolicited messages.
In practice, this means we only send to addresses where the published role of the recipient (owner, principal, practice manager, marketing manager, or the general enquiry inbox of a small business where the owner is also the operator) makes a website redesign offer directly relevant to their work-related responsibilities. We do not send to role addresses such as accounts@, billing@, support@, or careers@, where a website redesign pitch would not be directly relevant to the role. We do not send to personal email addresses that have no business context. We do not send to any address that has been published with a "no marketing" or "no commercial messages" statement. The role-relevance test is applied at the point of list build and re-checked immediately before each send.
5.3 What every cold email from us contains
Every commercial email we send includes:
a. the sender's identity (Monika Andrea Almasy, ABN 44 137 669 949, operating the Before After Digital web design service);
b. our business address (PO Box 233, Runaway Bay QLD 4216, Australia);
c. a clear, functional unsubscribe mechanism, both as a one-click unsubscribe link and as a List-Unsubscribe header (RFC 2369 and RFC 8058 compliant), so that mail clients that support one-click unsubscribe (Gmail, Apple Mail, Outlook) can honour it natively;
d. a plain-text statement that the message is a commercial message;
e. a link to this Privacy Policy.
5.4 What happens when you unsubscribe
When you click the unsubscribe link, or use your mail client's one-click unsubscribe option, or reply with the words "unsubscribe", "remove", "stop", or any equivalent, the following happens:
a. Your email address is added to a suppression list within five business days, which is the maximum the Spam Act allows. In practice the suppression is usually applied within minutes, and always within 24 hours.
b. We retain a minimal record of your suppression status. This record consists of your email address, the date of the opt-out, and the source of the opt-out (link click, header, or reply). It is held both in our cold-email platform (Instantly.ai, see Section 6.5) and in a local suppression list under our control, so that the opt-out survives even if we change platforms. We retain this record indefinitely. We do this so that we never contact you again, even if your business reappears in our prospecting data later. We treat the indefinite retention of the suppression record as the most privacy-respecting option, because the alternative is a meaningful risk of recontacting someone who has asked us not to.
c. We do not retain any other prospect information about you after a suppression, except that suppression record. Screenshots, mock-ups, and outreach drafts associated with your business are deleted within 30 days of the opt-out.
5.5 Frequency and volume
A typical prospect receives no more than three emails from us across an outreach sequence that runs over two to three weeks. If there is no reply by the end of that sequence, the prospect is removed from active outreach and the data is moved to the retention schedule in Section 8.
5.6 Mock-ups and videos generated for prospects
Because our outreach includes a personalised mock-up and short video derived from your existing website, we want to be specific about what that means:
a. The mock-up is a static visual representation of how your website might look after a redesign by us. It is generated with the assistance of the Anthropic Claude API. It is not published on the public web. It is hosted on a private link sent only to you.
b. The video is a short before-and-after animation. It is rendered locally with FFmpeg (see Section 6.10). It is hosted on a private link sent only to you.
c. We do not publish, share, or use mock-ups and videos for any purpose other than the cold email that contains them, without your written consent.
d. If you opt out, the mock-up and video are deleted within 30 days, in line with the suppression process in Section 5.4.
5.7 Complaints about our cold email
If you believe a message we sent breaches the Spam Act, you can:
a. contact us at monika@beforeafterdigital.com and we will investigate within 30 days;
b. lodge a complaint with the Australian Communications and Media Authority (ACMA) at acma.gov.au.
6. Third-party processors and overseas disclosures (APP 8)
6.1 Plain-language summary
We use third-party tools to run our business. Most of those tools are based in the United States, which means some of your information leaves Australia. We list each provider, what they do, what data they touch, and where they are based. We have taken reasonable steps to satisfy ourselves that each of these providers handles personal information consistently with the APPs.
6.2 Anthropic (Claude API)
Location: United States.
Purpose: Vision-based scoring of prospect websites, generation of personalised redesign mock-ups, drafting of personalised outreach copy, and assistance with client copywriting where the client has agreed.
Data shared: For prospect outreach: prospect business name, website URL, website screenshot, the publicly listed business contact email used for outreach, and content extracted from the prospect's website. For client work: only content the client has provided to us, including brand assets, copy, and instructions.
Safeguard: Anthropic's commercial API agreement prohibits Anthropic from using API inputs and outputs to train its models. Anthropic publishes a Data Processing Addendum and security documentation at anthropic.com. We rely on the no-training contractual commitment as our primary safeguard for this disclosure.
6.3 Firecrawl
Location: United States.
Purpose: Automated crawling of publicly accessible websites to discover prospect businesses and to extract content from prospect and client websites.
Data shared: URLs we ask Firecrawl to crawl, and the content Firecrawl returns from those URLs. The returned content may include publicly listed business contact information and incidental personal information as described in Section 3.5. We do not send Firecrawl any prospect database we have already built.
Safeguard: Firecrawl's terms of service include data protection commitments and limit Firecrawl's use of crawled content to the operation of the service. We rely on those terms together with the minimisation of inputs (URLs only, never our internal records).
6.4 Cloudflare
Location: Cloudflare Inc. (United States), with global edge infrastructure. Personal information disclosed to Cloudflare is disclosed to a recipient in the United States for the purposes of APP 8.
Purpose: DNS, content delivery, edge security (firewall, bot mitigation, DDoS protection), object storage for our website and teaser landing pages (Cloudflare R2), and privacy-respecting web analytics for our website (Cloudflare Web Analytics).
Data shared: Inbound HTTP requests to our website, our teaser landing pages, and any client website we host on Cloudflare, including the visitor's IP address, user agent, and requested URL. For Cloudflare Web Analytics, a lightweight in-page beacon reports aggregate page-view data; this tool does not set cookies, does not use client-side storage, does not fingerprint visitors, and does not collect personally identifiable information.
Safeguard: Cloudflare publishes a Data Processing Addendum and Standard Contractual Clauses, and is certified under the EU-US Data Privacy Framework. We rely on Cloudflare's published data protection terms and on the minimisation of personal information disclosed.
6.5 Instantly.ai
Location: United States.
Purpose: Cold-email sending infrastructure, including delivery, list management, sequencing, suppression list management, reply detection, and storage of inbound replies routed to the cold-email inbox.
Data shared: Prospect business name, prospect first name (where used in personalisation), prospect role title (where used in personalisation), the publicly listed business contact email address, personalisation variables including the link to the personalised mock-up and video, the contents of the cold emails we send, the contents of any replies received to those emails, and unsubscribe events.
Safeguard: Instantly's terms of service include confidentiality and data-protection commitments. We rely on those terms, together with strict scope (Instantly handles only outreach data, not client project data) and the suppression workflow described in Section 5.4.
6.6 Stripe
Location: United States and Australia. Stripe Payments Australia Pty Ltd is the contracting entity for Australian customers.
Purpose: Payment processing for invoices issued to clients.
Data shared: Client name, client business name, billing address, billing email, and the amount and currency of the invoice. Stripe handles card data directly. We do not see or store card numbers, CVCs, or full bank account details.
Safeguard: Keeping the contracting entity in Australia keeps the primary processing relationship within Australian jurisdiction. Stripe is PCI DSS Level 1 certified and publishes a Data Processing Agreement covering its global infrastructure.
6.7 Transactional email
How we send it: Transactional emails such as proposals, project updates, file delivery notifications, and support replies are sent manually from our Google Workspace mailbox (see Section 6.8). Invoices are issued through Xero (see Section 6.9). We do not currently use a separate bulk transactional email provider (such as Resend, Postmark, or Amazon SES).
Data shared: Recipient email address, recipient name, the subject line, and the contents of the transactional email, including any attachments referenced in the message body. This data is handled by Google Workspace and Xero as described in their entries below.
Safeguard: If we adopt a separate transactional email provider in future, we will add it to this list with its location, the data shared, and a stated safeguard, and update this policy before any data is sent.
6.8 Google Workspace
Location: Google LLC (United States), with global infrastructure. Personal information disclosed to Google Workspace is disclosed to a recipient in the United States for the purposes of APP 8.
Purpose: Mailbox hosting for our brand domain (for example, monika@beforeafterdigital.com), inbound and outbound email handling, reply management, and storage of client and supplier correspondence. Google Workspace is also the mailbox from which the transactional emails described in Section 6.7 are sent.
Data shared: All inbound and outbound email to and from our brand domain mailboxes, including subject lines, message bodies, and any attachments. This includes client correspondence, supplier correspondence, and any prospect replies that are forwarded to or stored in the brand mailbox.
Safeguard: Google publishes a Data Processing Addendum and Standard Contractual Clauses and is independently certified to recognised information security standards (ISO 27001 and SOC 2). We rely on those terms together with the minimisation of personal information disclosed.
6.9 Xero
Location: Australia.
Purpose: Accounting, invoicing, and bookkeeping. Xero holds invoice records, contact details for clients we have invoiced, and reconciliation data. Xero does not hold prospect information.
Data shared: Client business name, contact name, billing address, email, ABN where applicable, and invoice line items.
6.10 FFmpeg (local video rendering)
Deployment mode: Open-source software run locally, not a hosted service. The short before-and-after videos used in our cold-email program are rendered with FFmpeg on infrastructure under our control (the operator's local machine, or a server we operate). FFmpeg is therefore used as local software and is not an overseas recipient of personal information for the purposes of APP 8.
Data shared with any third party: None. Video rendering does not transmit the screenshot, the mock-up, or any prospect data to an external service.
Future change: If we ever move video rendering to a hosted service, we will add that service to the APP 8 list with its country, the data shared (mock-up content, including any captured screenshots and generated assets), and a stated safeguard, and update this policy before any data is sent.
6.11 Cross-border disclosure under APP 8
Several of the providers listed above are located in the United States. By using them, we are disclosing personal information about you to overseas recipients. Under APP 8, we have taken reasonable steps to ensure that each overseas recipient does not breach the APPs in relation to that information. The specific safeguard relied on for each provider is named in that provider's entry above. In addition, across the program as a whole we apply the following:
a. we select providers with published privacy and security documentation that we have reviewed before adoption;
b. we rely on the providers' commercial terms, which generally include data protection obligations consistent with the APPs and, where relevant, with the GDPR;
c. we minimise the categories of personal information disclosed to each provider, and we keep prospect data, client project data, transactional email data, and accounting data in separate systems wherever possible;
d. we prefer providers that offer regional data residency where this is available and useful for our use case.
We do not currently rely on the exception in APP 8.2 to avoid the accountability requirements of APP 8.1. We remain accountable for any breach of the APPs by these overseas providers in relation to information we have disclosed to them.
6.12 Other disclosures
We may also disclose personal information to:
a. our professional advisers, including accountants and lawyers, where this is necessary for them to advise us;
b. a court, tribunal, regulator, or law enforcement agency where we are required or authorised by Australian law to do so;
c. a successor to our business, in the event of a sale, merger, or other transfer, subject to the successor agreeing to handle the information consistently with this policy.
7. How we hold and protect personal information (APP 11)
7.1 Plain-language summary
We take reasonable steps to keep your information secure. That means encrypted connections, access controls, password managers, two-factor authentication, and a small number of carefully chosen tools.
7.2 Storage
Personal information we hold is stored in:
a. the systems of the third-party processors listed in Section 6;
b. our own laptop and any backup devices, which are encrypted at rest;
c. our password manager, which holds credentials for the third-party tools and for client systems we have been authorised to access;
d. our project management and notes tools, which hold meeting notes, project plans, and correspondence summaries.
7.3 Security measures
We take the following security measures:
a. all of our accounts with third-party providers are protected by strong, unique passwords stored in a password manager;
b. multi-factor authentication is enabled on every account that supports it;
c. all devices we use to handle personal information are encrypted at rest;
d. all network traffic to and from our website and our third-party providers uses HTTPS or an equivalent encrypted transport;
e. we follow a principle of least privilege when configuring access to client systems and revoke our access promptly when a project ends;
f. we keep our operating systems, browsers, and other software up to date.
7.4 What we cannot guarantee
No method of storing or transmitting information is completely secure. We take reasonable steps under APP 11.1, but we cannot guarantee absolute security. If you believe an account or system used to interact with us has been compromised, contact us immediately at monika@beforeafterdigital.com.
7.5 Notifiable data breaches
We comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. If we believe there has been an eligible data breach involving your personal information, that is, unauthorised access, unauthorised disclosure, or loss of personal information that is likely to result in serious harm, we will:
a. carry out a reasonable and expeditious assessment of whether the breach is an eligible data breach, beginning when we become aware that there are reasonable grounds to suspect one may have occurred and completed within 30 days;
b. notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable if the breach is confirmed as eligible;
c. include in the notification a description of the breach, the kinds of information involved, and the steps you can take to protect yourself.
7.6 Data quality (APP 10)
We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, complete, up to date, and relevant for the purpose of the use or disclosure. For prospect data in particular, we re-validate the business email address immediately before each outreach send, and we remove any address that bounces or that has been flagged as invalid. For client data, we rely on the client to keep their billing and contact details current, and we update our records on request. If we become aware that information we hold is inaccurate, incomplete, out of date, or no longer relevant for the purpose for which it was collected, we will correct it, complete it, or delete it as appropriate. You can ask us to correct your information at any time under Section 9.3.
8. How long we keep personal information (APP 11.2)
8.1 Plain-language summary
We delete personal information when we no longer need it, except where the law requires us to keep it for longer.
8.2 Retention periods by category
We apply the following retention periods. These are defaults. We may delete information sooner if we no longer need it.
| Category | Retention period | Reason |
|---|---|---|
| Prospect data, never engaged, no opt-out | 90 days from the end of the outreach sequence | Long enough to deduplicate against future prospecting runs and to handle late replies; short enough to be proportionate. |
| Prospect data, replied but did not engage | 12 months from the last reply | Conversation may resume; longer than 90 days but bounded. |
| Prospect data, opted out | Email address and opt-out record retained indefinitely. All other data deleted within 30 days. | To honour the unsubscribe permanently. |
| Generated mock-ups and videos for prospects | Deleted within 30 days of opt-out, or 90 days after the end of the outreach sequence if no opt-out and no engagement. | Same as the underlying prospect data. |
| Client project files (deliverables, brand assets, copy) | Seven years from the end of the engagement | To meet tax record-keeping and to honour any post-project warranty or revision request. |
| Client correspondence | Seven years from the end of the engagement | Same as above. |
| Invoicing and accounting records | Seven years from the end of the financial year to which they relate | Required by Australian tax law. |
| Website server logs | 90 days | Operational and security purpose. |
| Website analytics (Cloudflare Web Analytics) | Aggregate only, indefinite. No personally identifying records retained. | Aggregate trend analysis. |
| Contact form submissions | 24 months from receipt | Long enough to follow up on enquiries and reference past conversations. |
8.3 Destruction and de-identification
When the retention period for a category expires, we destroy or de-identify the personal information in accordance with APP 11.2, unless we are required by law to retain it for longer.
9. Your rights (APP 12 and APP 13)
9.1 Plain-language summary
You can ask for a copy of the personal information we hold about you. You can ask us to correct it. You can ask us to delete it, subject to a few legal exceptions. We will respond within 30 days.
9.2 Right to access (APP 12)
You can request access to the personal information we hold about you by emailing monika@beforeafterdigital.com. We will:
a. acknowledge your request within seven days;
b. provide access within 30 days of the request, in a format that is reasonable for the kind of information requested;
c. not charge a fee for making the request, although we may charge a reasonable fee for providing access if the request is large or complex, and we will tell you the fee in advance;
d. if we cannot provide access for a reason permitted by APP 12.3, give you written reasons and information on how to complain.
9.3 Right to correction (APP 13)
If you believe the personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. We will:
a. correct the information within 30 days of being satisfied that the correction is appropriate;
b. take reasonable steps to notify any third party we have disclosed the information to, if you ask us to and if it is practicable to do so;
c. if we refuse to correct, give you written reasons and information on how to complain.
9.4 Right to deletion
Australian privacy law does not include a standalone right to erasure equivalent to Article 17 of the GDPR. In practice, where we no longer have a lawful basis or business need to retain your personal information, and we are not required by law to retain it, we will delete or de-identify it on request. For prospect data, the simplest way to have your data deleted is to use the unsubscribe link in any cold email we have sent you. See Section 5.4.
9.5 Right to opt out of marketing
Every cold email we send includes a one-click unsubscribe and a List-Unsubscribe header. You can also email monika@beforeafterdigital.com at any time and ask not to receive further commercial emails from us.
9.6 How to verify your identity
We need to be sure that we are giving information to the right person. For most requests, we will verify your identity by confirming the request from the email address that holds the data. For more sensitive requests, we may ask for additional verification.
9.7 No charge for reasonable requests
We do not charge a fee for the request itself. We will only charge a fee for providing access in cases where the request is genuinely large or complex, and we will agree the fee with you in advance.
10. Cookies and tracking on our website
10.1 Plain-language summary
We use a small number of essential cookies. We do not run third-party advertising trackers.
10.2 What we use
a. Essential cookies and local storage for the operation of the website (for example, to remember a cookie consent preference or to support form submission).
b. Privacy-respecting web analytics through Cloudflare Web Analytics. This tool does not set cookies, does not use client-side storage, does not fingerprint visitors, and does not collect personally identifiable information for general traffic measurement.
10.3 What we do not use
a. We do not use Google Analytics.
b. We do not use Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or any other third-party advertising pixel.
c. We do not use any cross-site tracking cookies on our own website.
10.4 Browser controls
You can configure your browser to block or delete cookies. Doing so may affect the functionality of our website. Detailed instructions for the major browsers are available on each browser vendor's own help pages.
11. Anonymity and pseudonymity (APP 2)
You may interact with us anonymously or under a pseudonym where it is lawful and practicable to do so. This is generally not practicable for client engagements, because we need to issue invoices, sign contracts, and access your business systems. For general enquiries through our website contact form, you may use a pseudonym, although we will not be able to deliver project work to a pseudonymous client.
12. Government related identifiers (APP 9)
We do not collect, use, or disclose government related identifiers (for example, Tax File Numbers, Medicare numbers, driver licence numbers) as identifiers of an individual, except where required or authorised by law. We may collect ABNs and ACNs for invoicing, because they are business identifiers, not personal identifiers under the Privacy Act.
13. Visitors and prospects from outside Australia
13.1 Plain-language summary
Our ideal client is in Australia. If you are in the European Union or the United Kingdom and you receive a cold email from us in error, contact us and we will delete your data immediately.
13.2 Our targeted geography
Our outreach program is targeted at Australian businesses. We prospect by Australian domain, Australian address, and Australian directory source. We do not actively prospect outside Australia. If a non-Australian business is contacted in error, we will treat the relevant data as in scope for this policy and respond to any rights request the recipient makes.
13.3 GDPR and UK GDPR
If you are located in the European Union or the United Kingdom and you believe the GDPR or the UK GDPR applies to our handling of your personal data:
a. our lawful basis for processing prospect data, where it applies, is legitimate interests under Article 6(1)(f) of the GDPR, namely the legitimate interest of identifying potential customers for a small business by sending a small number of relevant business-to-business emails. You can object to this processing at any time by clicking the unsubscribe link or by emailing monika@beforeafterdigital.com, and we will stop and delete your data in line with Section 5.4;
b. our lawful basis for processing client data is the performance of a contract under Article 6(1)(b) of the GDPR;
c. you have the rights of access, rectification, erasure, restriction, portability, and objection under the GDPR. To exercise any of these rights, contact monika@beforeafterdigital.com;
d. we do not have an EU or UK representative under Article 27 of the GDPR. Our processing of EU and UK personal data is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of data subjects within the meaning of Article 27(2)(a). If this position changes, we will appoint a representative and update this policy;
e. you have the right to lodge a complaint with your local supervisory authority.
13.4 California, Canada, and other jurisdictions
We do not actively market to consumers in California or Canada. If you are in one of those jurisdictions and you believe a local privacy law applies to our handling of your data, contact monika@beforeafterdigital.com and we will respond and, where appropriate, delete your data.
14. Direct marketing (APP 7)
We use personal information for direct marketing in two ways:
a. through our cold-email program, as described in Section 5;
b. through occasional follow-up communications with past clients about new services, case studies, or hosting and maintenance options.
In both cases, every direct marketing communication includes a clear and functional opt-out. We honour opt-out requests within five business days of receipt, and in practice within 24 hours. We do not use sensitive information for direct marketing.
If we send you a direct marketing message and your contact details were obtained from a source other than you, you have the right under APP 7.3 to ask us where we obtained those details. On request, we will tell you the source from which we obtained your contact details (typically: your business's own public website, a public business directory listing, or a public LinkedIn business page). We will not charge you for telling you. We will respond to such a request within a reasonable period, and in any event within 30 days.
15. Complaints
15.1 How to complain to us
If you believe we have breached the Privacy Act, the APPs, the Spam Act, or this policy, please contact us first at monika@beforeafterdigital.com. Tell us:
a. what happened;
b. when it happened;
c. what you would like us to do.
We will acknowledge your complaint within seven days and provide a substantive response within 30 days.
15.2 How to complain to the regulator
If you are not satisfied with our response, or if you would prefer to go directly to the regulator, you can complain to:
Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5288, Sydney NSW 2001
For complaints about cold email specifically, you can complain to:
Australian Communications and Media Authority (ACMA)
Website: acma.gov.au
16. Changes to this policy
We may update this policy from time to time, for example when we add or change a third-party processor, when our services change, or when the law changes. The current version is always available at beforeafterdigital.com/privacy. We will indicate the version number and the date at the top of the policy. For material changes, we will take reasonable steps to notify clients with an active engagement by email.
17. Contact us
For any privacy question, request, or complaint:
Email: monika@beforeafterdigital.com
Post: Privacy Officer, Before After Digital, PO Box 233, Runaway Bay QLD 4216, Australia
ABN: 44 137 669 949
This policy is written for an Australian sole trader operating a one-person web design business. It is intended to be reviewed and finalised by an Australian privacy lawyer before publication. Specific items flagged for legal review include: the indefinite retention period for unsubscribe records; the choice not to appoint an EU Article 27 representative; the inferred-consent basis for the cold-email program; the seven-year retention period for client records; and whether to register the "Before After Digital" business name with ASIC before trading publicly under it.