Last Reviewed: March 2026
This Privacy Policy applies to CommandPost® Pty Ltd and its United Kingdom operations (together, “CommandPost”, “we”, “us” or “our”). It has been prepared in conformance with the Australian Privacy Act 1988 (Cth) and Privacy and Other Legislation Amendment Act 2024, the UK GDPR and Data Protection Act 2018, Saudi Arabia’s Personal Data Protection Law (PDPL), and applicable GDPR principles for government and public sector operations.
1. Introduction
We provide a Command, Control, Communication and Coordination (C4) incident and emergency management software solution to government agencies, councils, emergency services, large-scale event operators, and international clients (collectively, “Services”).
We are committed to protecting personal information in accordance with all applicable privacy and data protection laws in each jurisdiction in which we operate. This Policy explains how we collect, use, hold, disclose, retain and delete personal information, and how individuals may exercise their rights in relation to that information.
This Policy applies to CommandPost® as both a data controller (where we determine the purpose and means of processing) and as a data processor (where we process personal information on behalf of our customers). In either capacity, we maintain the standards set out in this Policy.
2. Definitions
| Term | Definition |
|---|---|
| Australian Privacy Principles (APPs) | The principles set out in Schedule 1 of the Privacy Act 1988 (Cth), as amended. |
| Controller | An entity that determines the purposes and means of processing personal information. CommandPost® acts as a Controller in respect of information it collects directly. |
| Data Subject | Any identified or identifiable individual whose personal information is processed. |
| GDPR | As applicable: (a) EU General Data Protection Regulation 2016/679; and/or (b) the UK GDPR retained under the European Union (Withdrawal) Act 2018 and Data Protection Act 2018. |
| OAIC | Office of the Australian Information Commissioner. |
| PDPL | Personal Data Protection Law of the Kingdom of Saudi Arabia (Royal Decree No. M/19, amended by Royal Decree No. M/148), enforced by SDAIA. |
| Personal Information | Information or an opinion about an identified individual or an individual who is reasonably identifiable, as defined under applicable law. |
| Processor | An entity that processes personal information on behalf of a Controller. |
| SDAIA | Saudi Data and Artificial Intelligence Authority. |
| Sensitive Information | A subset of personal information afforded higher protection, including health, biometric, racial or ethnic origin, religious, criminal record, and sexual orientation data. |
| Services | The CommandPost® software solution, associated applications, website, support services, and other products offered by CommandPost. |
3. Types of Personal Information We Collect
3.1 Customers and Authorised Users
Where you are a customer, prospective customer, or authorised user of our software solution, we may collect:
- Full name and role or position within your organisation
- Contact details, including email address, telephone number, and mailing or street address
- Login credentials (stored using industry-standard encryption and hashing; passwords are never stored in plain text)
- Payment and billing information, processed through our PCI-DSS compliant third-party payment processor (we do not directly store full card details)
- Preferences, opinions, and feedback provided through surveys or direct communication
- Records of service interactions, support requests, and communications with our team
3.2 Individuals Whose Data Is Entered by Customers
Where our customers input personal information about third parties into our software solution (for example, in the course of managing an incident), we may collect:
- Name and contact details
- Age and/or date of birth
- Health and medical information (see Section 3.3)
- Location data and operational involvement records
3.3 Sensitive Information
We, or our customers, may collect sensitive information including:
- Health information (medical records, history, current medications, triage and emergency data)
- Details of medical emergencies and current medical issues relevant to incident management
Sensitive information is collected and handled with heightened care and only where strictly necessary for the delivery of our Services. We rely on explicit consent or a lawful basis under applicable law for any such processing.
3.4 Website and Technical Information
When you interact with our website or solution, we may collect:
- Browser type, operating system, IP address, and device identifiers
- Geo-location and session data, page view and navigation statistics
- Search queries and referral sources via analytics tools
- Information collected through cookies and similar technologies (see Section 13)
4. How We Collect Personal Information
We collect personal information by the following means:
- Directly: when you register an account, submit an enquiry or support request, complete a form, or communicate with us by email, telephone, or online chat.
- Indirectly: through your interaction with our website, solution, and associated applications.
- From third parties: including analytics providers, marketing partners, and when customers input data about third parties into our solution. We require our customers to warrant that they have the necessary authority and have complied with all applicable privacy laws prior to inputting personal information into our solution.
- Automatically: through cookies, log files, and other tracking technologies described in Section 13.
5. Purposes of Collection and Lawful Basis for Processing
5.1 Service Delivery
- To enable access to and use of our Services, including provision of login credentials
- To provide crisis, incident, and emergency management capabilities to our customers and their end users
- To fulfil contractual obligations and manage customer accounts
5.2 Operational and Administrative
- Internal record keeping, invoicing, billing, and financial administration
- Technical support, troubleshooting, and system maintenance
- Security monitoring, fraud prevention, and integrity of our solution
5.3 Improvement and Analytics
- Analytics, market research, and business development to improve our Services
- Evaluating usage patterns to enhance solution functionality
5.4 Communications and Marketing
- To contact and communicate with you in relation to your use of our Services
- To send promotional information about our products, services, and updates where you have provided consent or where we have a legitimate interest in doing so, subject to your right to opt out at any time
5.5 Legal and Regulatory Compliance
- To comply with applicable laws, regulations, and government or regulatory directions
- To establish, exercise, or defend legal claims
- To respond to Freedom of Information, subject access, or equivalent requests
Lawful Basis: Under UK GDPR and GDPR, our lawful bases include contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests (Art. 6(1)(f)), and explicit consent (Art. 6(1)(a)) for sensitive data. Under the PDPL, we rely on necessity of processing for contract, public interest, legal obligation, or explicit consent. Under the APPs, we collect and use personal information as reasonably necessary for our functions and activities.
6. Disclosure of Personal Information to Third Parties
We may disclose personal information to the following categories of third parties:
- IT infrastructure, cloud hosting, and data storage providers operating within the same jurisdiction as the data was collected
- Payment processing providers (PCI-DSS certified)
- Professional advisors, including legal, accounting, and audit firms
- Analytics and marketing service providers, subject to contractual data processing agreements
- Our employees, contractors, and related entities, on a need-to-know basis
- Regulatory authorities, courts, and law enforcement agencies, where required or authorised by law
- Prospective acquirers of our business or assets, subject to appropriate confidentiality obligations
- Any other party where disclosure is required or permitted by applicable law
We do not sell personal information to third parties. We do not permit third-party advertisers to target individuals based on personal information we hold without your explicit consent.
7. Data Residency
CommandPost® is committed to keeping your personal information within the jurisdiction in which it was collected. We do not transfer personal information across borders.
- Australia: Personal information collected from Australian customers and users is stored and processed exclusively on infrastructure located within Australia.
- United Kingdom: Personal information collected from UK customers and users is stored and processed exclusively on infrastructure located within the United Kingdom.
- Kingdom of Saudi Arabia: Personal information collected from customers and users in the Kingdom of Saudi Arabia is stored and processed exclusively on infrastructure located within the Kingdom, in accordance with PDPL data localisation requirements.
Each region’s data is logically and physically separated. Authorised CommandPost personnel may access data across regions solely for the purpose of providing technical support or system administration, and only where permitted by applicable law and your service agreement.
8. Data Retention, Storage, and Deletion
8.1 Our Retention Principles
We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, to comply with applicable legal, regulatory, contractual, or statutory obligations, or to defend legal claims. We do not retain personal information indefinitely or without justification.
This approach is consistent with Australian Privacy Principle 11, the UK GDPR Storage Limitation Principle (Article 5(1)(e)), and the PDPL data minimisation and retention requirements.
8.2 Retention Schedule
The following table sets out our standard retention periods by data category. These periods may be extended where required by law or active legal proceedings, and may be reduced upon a valid deletion request where no legal obligation prevents erasure.
| Data Category | Retention Period | Basis / Notes |
|---|---|---|
| Account & contact information | Duration of contract + 7 years | Contractual obligation; tax and legal compliance |
| Incident & operational records | 7 years post-incident closure | Statutory/regulatory obligations; legal claims limitation periods (AU/UK/KSA) |
| Sensitive health / medical data | 7 years post-incident, or as directed by applicable health legislation | APP 11; UK GDPR Art. 9; KSA PDPL sensitive data provisions |
| System logs & audit trails | 3 years | Security monitoring; contractual requirements |
| Website analytics & cookies | 13 months (session) / 2 years (persistent) | UK ICO guidance; GDPR/APP 3 |
| Marketing communications | Until opt-out + 1 year | Consent-based; Spam Act 2003 (AU) |
| Support & correspondence | 3 years post-resolution | Legitimate interests; dispute resolution |
| Job applications (unsuccessful) | 6 months post-decision | Fair and reasonable collection (AU APP 3) |
| Payment / billing records | 7 years | Tax Act obligations (AU, UK, KSA) |
KSA Note: In accordance with the PDPL Implementing Regulations, Records of Processing Activities (RoPAs) must be retained for five years after the relevant processing activity ceases, and must be made available to SDAIA upon request.
8.3 Secure Deletion and De-identification
When personal information is no longer required under our retention schedule, we take the following steps to ensure its secure and verifiable destruction:
- Electronic data is deleted from active systems and, within 90 days, from backup systems in accordance with our backup rotation schedule.
- Where immediate deletion from backups is technically impracticable (for example, encrypted disaster-recovery backups), the data is flagged and will be deleted at the next scheduled backup cycle. It will not be processed for any other purpose in the interim.
- Physical records are destroyed by accredited destruction methods providing an auditable destruction certificate.
- Cloud and SaaS storage is subject to automated lifecycle policies that enforce deletion at the end of the applicable retention period.
- Where de-identification is used in place of deletion (for example, for anonymised analytics), we apply irreversible techniques such that the data can no longer be re-identified.
We maintain an auditable destruction log documenting each deletion event, including the data category, date of deletion, deletion method, and the responsible person.
8.4 Deletion Requests
Individuals may request deletion of their personal information at any time (see Section 10). Upon receipt of a valid deletion request, we will:
- Acknowledge receipt within 5 business days
- Assess the request against applicable legal obligations that may require continued retention
- Confirm deletion or provide a written explanation of any grounds for retention within 30 days, or within the timeframe required by applicable law
- Where we are acting as a Processor on behalf of a customer, direct the request to that customer as the Controller with prompt notification
9. Information Security
We implement and maintain appropriate technical and organisational security measures to protect personal information from unauthorised access, disclosure, alteration, destruction, or misuse. Our security controls include:
- Encryption of personal information in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access controls and multi-factor authentication for system access
- Regular penetration testing, vulnerability assessments, and security audits
- Incident response procedures, including data breach notification protocols
- Data Loss Prevention (DLP) controls and continuous monitoring
- Staff training on data protection and security obligations
- Vendor due diligence and contractual data processing obligations for all sub-processors
Notwithstanding our security measures, no transmission over the internet is completely secure. We cannot guarantee the absolute security of information transmitted to us electronically. Transmission occurs at your own risk.
In the event of an eligible data breach, we will notify affected individuals and relevant regulators in accordance with the Australian Notifiable Data Breaches scheme, UK GDPR Articles 33 and 34 (within 72 hours of awareness), and PDPL breach notification requirements.
10. Your Rights and How to Exercise Them
10.1 Rights Available in All Jurisdictions
- Access: You may request access to the personal information we hold about you, including a description of the data, the purposes for which it is held, and the categories of recipients to whom it has been disclosed.
- Correction: You may request that inaccurate, incomplete, or out-of-date personal information be corrected.
- Complaints: You may lodge a complaint with us, or with the relevant privacy regulator in your jurisdiction (see Section 12).
10.2 Additional Rights Under UK GDPR and GDPR
- Right to Erasure (‘Right to Be Forgotten’): You may request deletion of your personal information where it is no longer necessary for the original purpose, where you withdraw consent, or where processing is unlawful. This right is subject to legal exceptions including public interest, legal claims, and legal obligation.
- Right to Restrict Processing: You may request that we limit the processing of your personal information in certain circumstances.
- Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request a copy of your personal information in a structured, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights in Relation to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
10.3 Additional Rights Under the Australian Privacy Act
- Access and Correction: Under APPs 12 and 13, you are entitled to request access to and correction of personal information we hold about you.
- Anonymity: Where lawful and practicable, you may interact with us anonymously or using a pseudonym.
10.4 Additional Rights Under the Saudi Arabia PDPL
- Access and Correction: You have the right to access and correct personal data held about you.
- Erasure: You have the right to request destruction of personal data when it is no longer necessary or where consent has been withdrawn, subject to PDPL exceptions.
- Objection: You have the right to object to processing where your interests override our legitimate interests.
10.5 How to Submit a Request
To exercise any of the above rights, please contact our Privacy Officer using the details in Section 20. We will:
- Acknowledge your request within 5 business days
- Verify your identity before processing the request
- Respond within 30 days of receipt, or the applicable statutory timeframe
- Advise you if an extension is required and the reason for it
We will not charge a fee for processing a request unless the request is manifestly excessive or repetitive, in which case a reasonable administrative fee may apply.
11. Automated Decision-Making and AI
Our solution may use automated processes to assist in incident categorisation, resource allocation, and operational decision support. Where such processes produce legally significant or similarly significant effects on individuals, we will:
- Disclose the use of automated decision-making in the relevant service documentation or notification
- Provide a meaningful explanation of the logic involved upon request
- Offer a mechanism for human review of automated decisions
This approach is consistent with the transparency requirements of UK GDPR (Articles 13–15, 22), the PDPL, and the forthcoming automated decision provisions of the Privacy and Other Legislation Amendment Act 2024 (effective 10 December 2026).
12. Relevant Privacy Regulators
You have the right to lodge a complaint with the relevant supervisory or regulatory authority:
| Jurisdiction | Regulator | Website |
|---|---|---|
| Australia | Office of the Australian Information Commissioner (OAIC) | www.oaic.gov.au |
| United Kingdom | Information Commissioner’s Office (ICO) | www.ico.org.uk |
| Saudi Arabia | Saudi Data and Artificial Intelligence Authority (SDAIA) | www.sdaia.gov.sa |
We encourage you to contact us in the first instance so that we may attempt to resolve any concerns directly.
13. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website and within our solution. The categories of cookies we use are:
- Strictly Necessary Cookies: Essential for the operation of our Services. These cannot be disabled.
- Functional Cookies: Enable enhanced functionality and personalisation. Disabling these may affect service quality.
- Analytics Cookies: Allow us to understand how our Services are used to improve performance. These are enabled only with your consent.
- Marketing Cookies: Used to deliver relevant communications. These are enabled only with your explicit opt-in consent.
You can manage your cookie preferences at any time through the cookie preferences panel on our website. Blocking strictly necessary cookies may impair the functionality of our Services. We do not use cookies for advertising targeting or cross-site tracking.
Cookie retention periods:
- Session cookies: deleted at the end of your browsing session
- Persistent analytics cookies: retained for up to 13 months (UK ICO standard)
- Persistent functional cookies: retained for up to 12 months
14. Mobile Application — Google Play Store and App Stores
14.1 Data Collected Through the Application
The application may collect device identifiers (including Android Advertising ID), push notification tokens, and usage logs. Location data is collected only as described in Section 14.4. All data is used solely for service delivery and security monitoring.
14.2 Data Retention in the Application
Personal information collected through the application is retained in accordance with the retention schedule in Section 8. Application-generated data is stored on our secure cloud infrastructure within your operation’s region. Data is not stored solely on your device.
14.3 Deleting Your Data — In-Application and Account Deletion
In accordance with Google Play Store requirements and applicable privacy law, you may request deletion of your personal information as follows:
- In-application: Navigate to Account Settings → Privacy → Delete My Data to submit a deletion request directly from within the application.
- Account deletion: Deleting your account will result in the deletion of your personal profile and associated data, subject to applicable retention obligations (see Section 8).
- By contacting us: You may also submit a deletion request by emailing support@commandpost.com.au or by contacting your organisation’s CommandPost account administrator.
Deletion requests submitted through the application will be processed within 30 days. You will receive a confirmation email upon completion. Where deletion is not possible for legal or contractual reasons, we will advise you of the specific ground and estimated retention period.
14.4 Location Data
Incident logging only (no background tracking):
CommandPost® accesses your device’s GPS location to record and display the precise geographic location of incidents you log. Your location is not collected or stored unless you create an incident log. When you do, your coordinates are securely stored on our servers within your operation’s region, accessible only to authorised users within your organisation, and retained in accordance with our data retention policy.
Active/background location tracking:
CommandPost® accesses your device’s location to display your real-time position to authorised users and administrators within your organisation, supporting operational coordination and resource management. Your location is tracked even when the application is running in the background. To stop sharing your location, you must log out or force quit the application. Location data is stored on our servers within your operation’s region, accessible only to authorised users within your organisation, for a minimum of 30 days before deletion.
14.5 Device Permissions
| Permission | Purpose |
|---|---|
| Location | Incident geo-tagging and/or real-time operational positioning (see Section 14.4) |
| Camera | Evidence capture (where applicable) |
| Notifications | Operational alerts |
| Storage | Offline data synchronisation |
You may revoke permissions at any time through your device settings. Revoking certain permissions may affect solution functionality.
15. Children’s Privacy
Our Services are not directed to children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that personal information of a child has been collected without appropriate parental or guardian consent, we will take steps to delete that information promptly.
In jurisdictions where a Children’s Online Privacy Code applies (including under the Privacy and Other Legislation Amendment Act 2024 for Australia), we will comply with such Code once finalised.
16. Direct Marketing
We may use your personal information to send you promotional materials about our Services where you have provided consent or where we have a legitimate interest in doing so. You may opt out of receiving marketing communications at any time by:
- Clicking the ‘Unsubscribe’ link in any email communication
- Contacting us at support@commandpost.com.au
We will action opt-out requests within 5 business days. We will not continue to send marketing communications after you have opted out, except where legally required to communicate with you regarding your account or contractual obligations.
17. Data Breach Response
We maintain a Data Breach Response Plan aligned to the obligations of the Australian Notifiable Data Breaches scheme, UK GDPR Articles 33 and 34, and the PDPL. In the event of an eligible data breach, we will:
- Take immediate steps to contain the breach and mitigate harm
- Assess the likelihood and severity of harm to affected individuals
- Notify the OAIC (Australia) as soon as practicable within any applicable statutory period; notify the ICO (UK) within 72 hours of awareness; and notify SDAIA (Saudi Arabia) in accordance with PDPL requirements
- Notify affected individuals if the breach is likely to result in serious harm, providing details of the breach and recommended protective steps
- Document the breach and our response in an internal incident register
18. Third-Party Links and Services
Our website and solution may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access through our solution. This Policy does not govern the use of your information by those third parties.
19. Amendments to This Policy
We may update this Policy from time to time to reflect changes in law, our practices, or our Services. Where we make material changes, we will notify affected individuals by email or through a prominent notice within our solution prior to the changes taking effect. The effective date at the top of this Policy will be updated accordingly.
We recommend reviewing this Policy periodically. Continued use of our Services after the effective date of an updated Policy constitutes acceptance of the revised terms.
20. Contact Us — Privacy Officer
For any questions, concerns, or to exercise your privacy rights, please contact our Privacy Officer:
| Australia | |
|---|---|
| Entity | CommandPost Pty Ltd |
| ABN | 17 641 527 148 |
| Address | Suite 12, Level 3, 104 Mount Street, North Sydney NSW 2060 |
| Phone | +61 2 8806 0406 |
| Email | support@commandpost.com.au |
| United Kingdom | |
|---|---|
| Company Registration Number | 16587979 |
| Address | 71–75 Shelton Street, Covent Garden, London WC2H 9JQ |
| Phone | +44 2 4572 0909 |
| Email | support@commandpost.app |
Response Timeframe: Acknowledgement within 5 business days; substantive response within 30 days.
Last updated: March 2026