Privacy Policy
Last updated: 22 April 2026
Draft pending legal review. Drafted against the Privacy Act 1988 (Cth), the Australian Privacy Principles, and current HitCreate practice. Not yet reviewed by a qualified legal practitioner.
Who we are
HitCreate is a trading name of FYI United Group Pty Ltd (ACN 665 393 546, ABN 39 665 393 546) based on the Gold Coast, Queensland. This policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Information we collect
- Contact details: name, email, phone, business name, role.
- Engagement details: brief content, project scope, assets you share with us.
- Payment details: processed by Stripe — we do not store full card numbers. We receive transaction metadata (amount, currency, status, last 4 digits).
- Website analytics: pages visited, referrer, device type, approximate location from IP. We do not use third-party advertising trackers.
- Support communications: emails and messages you send to us.
How we use it
- To deliver the Services you have engaged us for.
- To bill you and respond to payment disputes.
- To respond to enquiries and provide support.
- To improve our website, proposals, and service quality.
- To comply with legal obligations (tax, record-keeping, dispute resolution).
We do not sell personal information. We do not use personal information for unrelated marketing without your consent.
Who we share it with
We use a small number of trusted providers to run our business. Each is bound by its own privacy policy and contractual obligations to protect your information:
- Stripe — payment processing and fraud prevention
- Airwallex / Wise — business banking and payouts
- Resend — transactional and marketing email delivery
- Cloudflare — DNS, CDN, and DDoS protection
- Hetzner — server hosting (Singapore data centre)
- GitHub — source code and project files
- Google Workspace / Gmail — business email
- Our own infrastructure — Postgres, Supabase (self-hosted), Stalwart mail server
Some of these providers process data outside Australia (Stripe, Cloudflare, Resend and GitHub are US-based). Where this is the case, the overseas recipient is either bound by the Australian Privacy Principles or is subject to a law that provides substantially similar protection.
Where we store it
Operational data is stored on servers we control, located in Singapore (Hetzner). Some analytics and delivery data is held by third parties as listed above, primarily in the United States and the European Union. We maintain encrypted backups with Kopia (Hetzner Storage Box, Finland; Backblaze B2, United States).
How long we keep it
Client engagement records (contracts, invoices, correspondence) are retained for at least 7 years to meet Australian tax record-keeping obligations. Marketing contacts are retained while the relationship is active and for a reasonable period after, unless you request deletion. Analytics logs are retained for up to 12 months.
Security
We use encryption in transit (HTTPS everywhere, TLS 1.2+) and at rest (disk-level encryption on servers and backups). Access to production systems is restricted by SSH keys and multi-factor authentication. API secrets are stored with mode 600 permissions on disk. Incident response is logged internally.
No system is perfectly secure. If we become aware of a data breach likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
Your rights
Under the Privacy Act and Australian Privacy Principles, you can:
- ask what information we hold about you
- ask us to correct it if it is wrong or out of date
- ask us to delete it, subject to our legal obligations to retain some records
- opt out of marketing emails at any time via the unsubscribe link
- make a complaint about how we handle your data
To exercise any of these rights, email [email protected]. We respond within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.
Cookies and analytics
We use a small number of first-party cookies for session state and analytics. We do not use third-party advertising cookies or fingerprinting. You can disable cookies in your browser without losing access to the public content of this website.
Children
Our Services are not directed to children under 16. We do not knowingly collect personal information from children under 16.
Changes to this policy
We may update this policy from time to time. The current version is always available at hitcreate.io/privacy. Material changes will be communicated to active clients by email.
Contact
Questions or requests relating to your personal information — email [email protected].
See also our Terms of Service and Refund Policy.