Skip to content

Legal · Privacy

Privacy policy

Last updated: 22 May 2026 · Effective from: 22 May 2026 · Version 0.2 (draft)

This policy is a draft pending lawyer review. The content reflects Outlaw IT's data-handling practices but has not been signed off by qualified legal counsel. Required before public launch. If you're reading this on the production site after launch, the lawyer-review version replaces this notice.

1. About this policy

This policy describes how D&B Kennedy Pty Ltd trading as Outlaw IT (ABN 32 669 344 263) ("Outlaw IT", "we", "us", "our") collects, uses, stores, discloses, and protects personal information. It applies to information we collect through our website, our contact and booking forms, in the course of engagement discussions, and during ongoing service delivery.

While Outlaw IT's annual turnover may currently be below the small business operator threshold defined in s 6D(1) of the Privacy Act 1988 (Cth), we have voluntarily elected to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in full. This commitment applies regardless of whether we technically qualify as an "APP entity" under the Act. We treat your personal information with the same care and accountability we would owe under full APP entity obligations. Daniel Kennedy is the designated Privacy Officer for Outlaw IT.

By providing personal information to us through our website, by email, or in the course of an engagement, you acknowledge you have read and understood this policy. Specific consent is sought separately where required (e.g., direct marketing opt-in, sensitive information handling).

2. What personal information we collect

We collect personal information that is reasonably necessary to provide our services. This typically includes:

  • Contact details: name, email address, phone number (optional on website forms), business name, business address
  • Account information: when you become a client, the email addresses, names, and role information of users in your organisation that we manage on your behalf
  • Service delivery information: support tickets, communications, device identifiers, network logs, security event data — used to deliver managed IT services and respond to incidents
  • Payment information: via our accounting platform (Xero); we don't store card details on our infrastructure
  • Website analytics: we use Cloudflare Web Analytics, which is cookieless and doesn't track individual users — see the Cookies and Tracking section below

2.1 Required versus voluntary collection

Most personal information you provide is voluntary. However, some information is required to deliver our services:

  • To respond to a website enquiry: name and email address are required. Phone number, business name, staff count, and message details are optional.
  • To engage us under a Master Services Agreement: legal entity name, ABN, billing contact, technical contact, and a signed agreement are required.
  • To onboard managed user accounts: user names and email addresses (and sometimes role or department information) for each user in your tenant we manage on your behalf.

If you choose not to provide required information, we may not be able to respond to your enquiry, deliver services, or meet our contractual obligations. We will tell you at the point of collection if information is required versus optional.

2.2 Sensitive and government-identifier information

We do not collect sensitive information (as defined in s 6 of the Privacy Act 1988 — race, religion, political opinion, health information, sexual orientation, criminal record, etc.) as part of our normal services. If a client engagement requires us to handle sensitive information (e.g., health records held by a medical-practice client), we collect and handle it only with the client's explicit instruction and consent, and apply additional security controls.

We do not use Tax File Numbers, Medicare numbers, driver's licence numbers, or other government identifiers for any purpose other than the specific purpose for which they were issued. Client billing uses ABN (a business identifier, not a personal one) where applicable.

2.3 Anonymity and pseudonymity

We accept enquiries via anonymous or pseudonymous means (e.g., a contact-form submission with first name only) where practicable. However, to deliver paid services, onboard clients, process payments, or meet our tax and anti-money-laundering obligations, we require sufficient identification to verify the legal entity and engagement.

3. How we collect it

  • Directly from you via our contact form, email, phone, or in-person meetings
  • From your organisation's IT systems we manage on your behalf — through endpoint agents (NinjaOne), security tools (Defender, Huntress), and configuration platforms (CIPP)
  • From third-party services we manage on your behalf where you have authorised us as administrator (Microsoft 365, Pax8, etc.)
  • From publicly available sources (business registries, public websites) during prospect research

4. Why we collect it

We collect personal information for the following purposes:

  • To respond to enquiries and provide quotes
  • To deliver managed IT services under a signed Master Services Agreement
  • To send service-related communications (invoices, monthly reports, security alerts, incident notifications)
  • To meet legal, regulatory, and contractual obligations
  • To improve our services and identify trends

5. Who we disclose it to

We disclose personal information to:

  • Third-party service providers we engage to deliver our services. Each provider is bound by their own published privacy policy and (where applicable) contractual confidentiality terms. The principal providers and their primary processing locations are:
    • Microsoft (M365 hosting, Bookings, email delivery via Graph API) — Australia East / South-East regions for primary data; metadata and telemetry may be processed in the United States and other Microsoft data centres globally
    • Cloudflare (DNS, edge security, website hosting via Pages) — United States primary; global edge presence including Australia
    • Pax8 (CSP partner / cloud-software billing) — United States
    • NinjaOne (Remote Monitoring and Management) — United States
    • Hudu (client documentation) — United States
    • Acronis (backup) — Australian data centre option available for client backups; corporate processing may occur in Switzerland or the United States
    • Huntress (security operations / threat hunting) — United States
    • 1Password (credential vault) — Canada with global presence
    • Xero (accounting and invoicing) — Australia (primary) and New Zealand
  • Source code infrastructure for our website is held in GitHub (private repositories — United States). GitHub may process metadata associated with our code commits; it does NOT receive your personal information through our website forms or services. Our production website is served separately from Cloudflare Pages.
  • Government or regulatory authorities when required by law (e.g. lawful subpoena, court order, ATO request, OAIC investigation).
  • Professional advisors — our accountant, lawyer, insurance broker — where reasonably necessary and bound by professional confidentiality obligations.

We do not sell personal information to third parties. We do not engage in commercial marketing rentals or trades of contact data.

5.1 Overseas disclosure

As listed above, we disclose personal information to overseas recipients. The countries to which personal information may be disclosed include the United States, Canada, Switzerland, New Zealand, and EU member states (where service providers operate global infrastructure).

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information (APP 8.1). The reasonable steps we take include:

  • Reviewing the recipient's published privacy commitments and security certifications (e.g., SOC 2, ISO 27001, IRAP where applicable)
  • Entering into contractual arrangements (where standard or available) that bind the recipient to data-protection obligations broadly equivalent to the APPs
  • Selecting providers known for cooperative compliance with Australian privacy frameworks (Microsoft, Cloudflare, and others maintain published Australian compliance attestations)
  • Configuring services for Australian data residency where the provider offers it (e.g., M365 AU regions, Acronis AU data centre option)

Note that under section 16C and APP 8.2 of the Privacy Act, we may not always be accountable for the acts and practices of overseas recipients. Where you have specific concerns about cross-border disclosure (e.g., due to your sector, jurisdiction, or contractual obligations), tell us at engagement time and we can configure services for AU-only data residency where vendor support exists.

6. Direct marketing

We currently do not run a marketing list or send promotional emails to prospects. Communications you receive from us are limited to:

  • Direct responses to enquiries you have initiated
  • Service-related communications under an active engagement (invoices, monthly reports, security alerts, incident notifications, scheduled maintenance windows)
  • Material changes to our services or to this privacy policy (active clients only)

If we begin sending broader marketing communications in the future (e.g., a quarterly newsletter, occasional service announcements to prospects), we will:

  • Disclose this intended use when collecting your information, where practicable (APP 7.2)
  • Provide a simple opt-out mechanism in every direct marketing communication (one-click unsubscribe)
  • Honour opt-out requests within 5 business days
  • Not use sensitive information for direct marketing without your explicit consent

To opt out of any communications from us at any time, email info@outlawit.com.au with "Unsubscribe" in the subject line, or reply directly to the relevant communication.

7. Cookies and tracking

Our website uses Cloudflare Web Analytics, which is cookieless and aggregates traffic patterns without tracking individual visitors. We do not run cookies for advertising or third-party tracking purposes. We do not run Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or similar identification tracking.

We use Cloudflare Turnstile on form submissions for anti-bot verification. Turnstile is cookieless and does not track users across sites.

Our website fonts are self-hosted — we do not load fonts from Google Fonts or any third-party CDN. No request leaves your browser to Google or other font providers when you load our pages. This is a deliberate choice consistent with our privacy stance.

If you book a discovery call through our Microsoft Bookings page (`bookings.outlawit.com.au`, which redirects to `bookings.cloud.microsoft`), the booking is created in our Microsoft 365 tenant. Information you provide (name, email, optional phone number, optional notes) is stored within Microsoft 365 under the same Australian data residency and retention rules as the rest of our M365 environment. Microsoft's privacy practices are documented at privacy.microsoft.com.

8. Data residency and storage

We store personal information in services with AU data residency where available — particularly Microsoft 365 (AU East / AU South-East regions) and Acronis (AU data centre option). Some service providers (e.g. Cloudflare, GitHub, Pax8 platform) operate globally and may process metadata or telemetry in jurisdictions outside Australia. We disclose these in our service agreements with clients.

For clients with specific data-sovereignty requirements, we can configure services for AU-only data residency where vendor support exists. Tell us at engagement time.

9. How long we keep it

We keep personal information for as long as it's needed to deliver services and meet legal requirements. Client information is retained for the duration of the engagement plus 7 years post-termination (matching ATO tax-record retention requirements). Contact-form submissions from prospects are retained for 12 months unless we begin an active engagement.

10. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Correct inaccurate personal information (APP 13)
  • Make a complaint about our handling of your personal information (APP 1.5)
  • Be informed of the kinds of personal information we collect (this policy)

To exercise any of these rights, email info@outlawit.com.au. We aim to respond within 30 days.

11. Security

We protect personal information using:

  • Encrypted storage and transport (TLS 1.2+, AES-256 at rest where applicable)
  • Multi-factor authentication on all OIT staff accounts
  • Conditional Access policies in our M365 tenant
  • Credentials stored in 1Password Business — never in spreadsheets or shared documents
  • Backup encryption with separate key management (Proxmox Backup Server)
  • Documented incident response procedure (see SLA targets)

No security control is perfect. If we become aware of a notifiable data breach as defined under the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) within the timeframes required.

12. Children

Our services are not directed to individuals under 16. We do not knowingly collect personal information from minors.

13. Changes to this policy

We update this policy when our practices change. Material changes are flagged with a "Last updated" date at the top. Current clients are notified by email of material changes.

14. Contact

For privacy enquiries, complaints, or access/correction requests:

D&B Kennedy Pty Ltd trading as Outlaw IT
ABN 32 669 344 263
Email: info@outlawit.com.au
Mail: SEQ Queensland (specific address available on engagement)

If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC): oaic.gov.au.