Skip to Content
Australian support
1300 195 055 support@truevault.com.au Mon–Fri · 9am–5pm AEST
TrueVault Identity Manager
Protect me

Privacy policy.

Published 30 June 2025
Updated 21 May 2026
Reading time 1 min read

Privacy Policy

TrueVault Pty Ltd (ACN 675 835 966)
Last updated: 21 May 2026

 

1. Our Commitment to Privacy

TrueVault Pty Ltd ACN 675 835 966 (“TrueVault”, “we”, “us”, or “our”) is committed to protecting the privacy of your personal information.

This Privacy Policy explains how we collect, use, store, manage and disclose your Personal and Sensitive Information — information that identifies you or from which your identity can reasonably be ascertained, including any opinion about you.

We manage all Personal Information in accordance with this Privacy Policy and the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (“Privacy Act”).

By providing Personal Information and Sensitive Information to us (including through our website, TrueVault application, social media channels or otherwise), you consent to our collection, use, disclosure and storage of that information as described in this Privacy Policy.

 

2. Updates to this Privacy Policy

We may review and update this Privacy Policy from time to time to take account of new laws and technology, changes to our functions and activities and to ensure that it remains appropriate. The latest version will always be available at www.truevault.com.au and we recommend you visit our website regularly to keep up to date with any changes.

Changes take effect immediately upon posting. By continuing to use our website, application or services after an update, you are deemed to have accepted the revised policy.

For material changes (including changes to the categories of personal information we collect, the purposes for which we use it, or the overseas recipients to whom we disclose it), we will endeavour to give you advance notice by email or in-app notification before those changes take effect. 

 

3. What Personal Information We Collect

The Personal Information we collect depends on your interaction with us and may include:

3.1 General information

  • First, middle and last names
  • Phone number
  • Email address
  • Current and previous addresses
  • Identity documents (e.g. driver’s licence, passport, marriage certificates, change-of-name documentation, other government-issued IDs)
  • Government or bank correspondence
  • Any other Personal Information you provide to us

3.2 Demographic information

  • Date of birth
  • Age
  • Gender
  • Marital status

3.3 Sensitive information

We may collect “sensitive information” as defined under the Privacy Act, including:

  • Biometric information (e.g. facial images for verification)
  • Signature samples
  • Photos captured during verification
  • Health or organ donor information shown on identity documents
  • Professional, religious or political affiliations appearing in documentation
  • Sexual orientation information contained in marriage or divorce certificates

By providing personal information, you consent to its collection, use and disclosure as permitted by law and as outlined in this Privacy Policy. 

References to Personal Information in this policy include Sensitive Information except where otherwise indicated. 

We collect Sensitive Information only where it is reasonably necessary or one or more of our functions or activities, and only with your express consent. Where the collection involves biometric, health or other sensitive categories, we will seek your specific, informed consent at the point of collection (for example, via a dedicated consent step that is separate from your acceptance of this Privacy Policy) and explain the purpose for which the information is collected and the consequences if it is not provided. Where we receive unsolicited Personal Information, we will, within a reasonable period, determine whether we could have lawfully collected the information under APP 3. If we could not, and it is lawful and reasonable to do so, we will destroy or de-identify the information as soon as practicable. Where retention is required by law, we will retain the information only for as long as is required.

3.4 Other information

We may also collect:

  • Transaction and service history with TrueVault
  • Records of communications and interactions with us
  • Website analytics data (see Section 6 – Cookies and Tracking Technologies)
  • Technical details such as IP addresses or device identifiers
 

4. How We Collect Personal Information

We collect Personal Information when you:

  • Create a TrueVault account or use our application or website
  • Communicate with us via phone, email, online chat or social media
  • Participate in surveys or provide feedback
  • Engage with our digital marketing or social media pages

We may also receive information from:

  • Third-party service providers (e.g. document verification, payment processors)
  • Publicly available sources or social media platforms

If we are unable to collect Personal Information relating to you, we may be unable to provide you with access to TrueVault or our services or continue our relationship with you. 

4.1 Choosing Not to Provide Personal Information

Where it is lawful and practicable, you may interact with us anonymously or by use of a pseudonym (for example, when making a general enquiry about our services). This option does not apply where we are required by law, or by a court or tribunal, to deal only with individuals who have identified themselves, or where it is impracticable for us to deal with you on an unidentified basis. Because our identity-verification services depend on verified identity, we will be unable to provide those services if you do not provide the information necessary to verify your identity.

 

5. When You Visit Our Website

When you visit our website without registering, we may collect limited non-personal information such as:

  • IP address and server details
  • Browser type
  • Pages visited and time spent
  • Referring website

This information assists us to analyse traffic and improve your browsing experience.
We do not attempt to identify you unless required by law (for example, through a valid warrant). This information will be collected, used and disclosed in accordance with this policy and any applicable law.

 

6. Cookies and Tracking Technologies

A cookie is a data file that a website transfers to your computer or device. This enables the website to track the pages you have visited. A cookie only contains information you supply. It cannot read data on your computer or device. There are many types of cookies that may be used for different purposes. 

We use cookies and similar technologies to enhance your experience.

Types of cookies we use:

  • Necessary cookies: Essential for basic website functionality.
  • Analytical cookies: Collect aggregated data to improve site performance and user experience (no personally identifiable information).
  • Third-party cookies: Used by integrated services such as social media or analytics tools.

We may also use Facebook Pixel or equivalent tools to measure the effectiveness of our digital advertising campaigns.

You can adjust your browser settings to refuse cookies, though this may limit certain functionality.

 

7. How We Use Your Personal Information

We may use your Personal Information to:

  • Provide and manage our services
  • Verify your identity and issue credentials
  • Respond to queries, feedback or complaints
  • Improve our systems, products and user experience (using aggregated or de-identified data wherever practicable)
  • Conduct internal analysis and reporting on matters directly related to the purposes for which the information was collected
  • Send service updates or notifications
  • Carry out marketing or promotional activities in accordance with Section 8 (Direct Marketing)
  • Comply with our legal and regulatory obligations

We will only share your Personal Information with third party organisations with your express consent for Identification and Identity Verification purposes.

We will not use your Personal Information for any unrelated purpose without your consent. 

 

8. Direct Marketing

We may use your Personal Information, including your contact details to contact you with information about our services or those of related entities that we believe may interest you.  Identity information obtained through an official records holder will not be used for direct marketing purposes.

You may opt out of direct marketing at any time by:

  • Using the “unsubscribe” link in our emails; or
  • Contacting us directly using the details in Section 13 – Contact Us.

We will not use or disclose personal information about you to third parties for their direct marketing purposes unless you have consented to that kind of use or disclosure. 

On request, we will advise you of the source of any contact details we have used for direct marketing where those details were collected from someone other than you, and where it is reasonable and practicable for us to do so. 

 

9. Disclosure of Personal Information

We may disclose your Personal Information to trusted third parties who assist us in delivering our services, including:

  • Official Government Document Issuers
  • 3rd party identity service providers
  • Official record holders
  • Payment processors
  • Hosting and cloud storage providers (within Australia)
  • IT and cybersecurity providers
  • Professional advisers (lawyers, accountants, auditors)
  • Regulatory authorities or law enforcement agencies, where required by law

We take reasonable steps to ensure these third parties comply with the APPs or equivalent standards.
We do not sell, rent or trade Personal Information.

9.1 International Transfers / Overseas recipients 

We do not generally transfer or store Personal Information outside Australia. We will not transfer your Sensitive Information outside Australia.

We may disclose your Personal Information to overseas recipients where the overseas recipient provides services to us, such as software as a service or cloud based storage solutions. 

The counties in which recipients are located will depend on the nature of the services being provided by us and the particular matter involved. We will, where practicable, advise you of the counties in which overseas recipients are likely to be located. 

Please note that the use of overseas service providers to store Personal Information will not always involve a disclosure of Personal Information to that overseas provider. Where we disclose Personal Information to an overseas recipient, we will, before doing so, take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, in accordance with the APPs. We will not seek to rely on the consent exception in APP 8.2(b) unless you have separately and expressly consented to the disclosure after being clearly informed that, by giving consent, APP 8.1 will not apply to that disclosure.

9.2 Government-related identifiers

We do not adopt a government-related identifier (such as a Medicare number, drivers licence number, passport number or tax file number) as our own identifier of you. We will only use or disclose a government-related identifier where permitted by APP 9, including where it is reasonably necessary to verify your identity, where required or authorised by law, or where reasonably necessary for one or more enforcement-related activities. Where we participate in the Document Verification Service or the Australian Government Digital ID System, we do so in accordance with all mandatorily applicable rules in relation to that participation.
]

 

10. How we hold Personal Information and Data Security

We take reasonable steps to protect your Personal Information from misuse, interference, loss, and unauthorised access or disclosure, including by:

  • Encrypting sensitive data in transit and at rest
  • Maintaining secure access controls and multi-factor authentication
  • Restricting staff access to authorised personnel only
  • Regularly reviewing and testing security systems
  • Storing data within secure Australian-based servers
  • Secure infrastructure and network isolation
  • Software security and compliance practices
  • Data retention and privacy safeguards

In addition, TrueVault employs per-person encryption keys, segregated AWS environments, continuous infrastructure monitoring, immutable audit logging, and has implemented controls aligned with the requirements of the Australian Digital ID Act, ISO 27001, and ASD Essential Eight.

We may hold Personal Information in different ways, including in paper form, electronic form and/or in other mediums. 

While we take these precautions, no system is entirely secure. We cannot guarantee against all unauthorised access or misuse, but we act promptly to investigate and contain any breach.10.1 Data Retention and Destruction

We retain Personal Information only as long as necessary for the purposes described in this Privacy Policy or as required by law.
When no longer needed, we securely destroy or permanently de-identify the information.

In accordance with the APPs, we will take reasonable steps to destroy or de-identify Personal Information that we no longer need for any purpose for which it may be used or disclosed under the APPs, unless we are required by Australian law, or by a court or tribunal, to retain it.

10.2 De-identified information

We may de-identify your Personal Information or aggregate it in such a way that it cannot be used to identify you. We may disclose de-identified information for analytical, research, service-improvement and reporting purposes. Consistent with Section 9 (How we hold Personal Information and Data Security), we do not sell, rent or trade Personal Information, whether identified or de-identified, for the primary purpose of monetisation.

Our de-identification procedure involves: 

  • Removing personal identifiers; and
  • Continuously assessing and managing the risk of re-identification. 
 

11. Accessing and Correcting Your Information

You may access or correct your Personal Information by:

  • Logging into your TrueVault account; or
  • Contacting us in writing (see Section 13 – Contact Us).

We may need to verify your identity before processing such requests.
We aim to respond within 30 days.

In certain circumstances (e.g. where access would breach another person’s privacy or relate to legal proceedings), we may lawfully refuse access. If we refuse a request for access to or correction of your Personal Information, we will provide you with written reasons for our refusal (except where it would be unreasonable to do so) and information about how to make a complaint about our decision (see Section 13 (Complaints and Contact Us)).

Where we have corrected your Personal Information after we have already disclosed it to a third party, you may ask us to notify that third party of the correction. We will take reasonable steps to do so unless it is impracticable or unlawful.

If we refuse to correct your Personal Information because it is unlawful or impracticable to do so, you may ask us to associate with the information a statement to the effect that you consider the information to be inaccurate, out of date, incomplete, irrelevant or misleading. Where you make such a request, we will take reasonable steps to do so.

11.1 Quality of Personal Information 

In accordance with the APPs, we take reasonable steps to ensure that the Personal Information we collect is accurate, up to date and complete, and that the Personal Information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

 

12. Data Breach Notification

If we have reasonable grounds to suspect that an eligible data breach has occurred (within the meaning of Part IIIC of the Privacy Act), we will assess the suspected breach within 30 days. If the assessment confirms that an eligible data breach has occurred, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. We maintain a documented data breach response plan to support timely identification, containment, assessment and notification.

 

13. Complaints and Contact Us

If you have a question, concern or complaint about our privacy practices, please contact us:

Privacy Officer
TrueVault Pty Ltd (ACN 675 835 966)
Email: support@truevault.com.au

We aim to investigate and respond within 20 days, and to resolve complaints within 40 days where possible. In any event, we will provide a substantive written response to your complaint within 30 days, in accordance with the Privacy Act. If we cannot resolve your complaint within that time, we will tell you why and provide a revised timeline.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) via www.oaic.gov.au.

 

© 2025 TrueVault Pty Ltd. All rights reserved.