Company Privacy Policy Requirements For Australian Startups And SMEs

By Alex Solo | 10 min read

If you’re building a startup or small business in Australia, there’s a good chance you’re collecting personal information - often earlier than you realise.

Maybe you’re taking customer enquiries through your website, sending email marketing, hiring staff, running online payments, or using analytics tools. Even a simple “contact us” form can mean you’re handling personal information.

That’s where having a company privacy policy becomes essential. It’s not just “website paperwork” - it’s a practical compliance document that helps you explain what you do with personal information, build customer trust, and reduce legal risk as you grow.

Below, we’ll walk you through what a company privacy policy is, when you need one, what it should include, and how to make sure it actually matches what your business does day-to-day.

What Is A Company Privacy Policy (And Why Do Small Businesses Need One)?

A company privacy policy is a document that explains how your business collects, uses, stores and discloses personal information.

In plain terms, it tells people things like:

  • what information you collect (for example names, emails, phone numbers, delivery addresses, payment details)
  • why you collect it (such as fulfilling orders, responding to enquiries, marketing, account setup)
  • who you share it with (like IT providers, payment processors, couriers, analytics providers)
  • how people can access or correct their information
  • how to complain if they think you’ve mishandled their data

Even if your business is small, having a clear privacy policy can be a commercial advantage. It can help you:

  • win customer trust (especially if you’re online-only)
  • onboard new enterprise clients (many businesses won’t work with you without a privacy policy)
  • reduce the risk of complaints and disputes about data handling
  • avoid mismatches between your actual practices and what you claim you do

If your business is collecting data through a website or app, it’s also common to pair your company privacy policy with Website Terms and Conditions so customers can clearly understand both your site rules and your data handling approach.

When Do You Need A Company Privacy Policy In Australia?

Many business owners ask: “Do I legally have to have a company privacy policy?”

The practical answer is: if you collect personal information, you should have one - and depending on your circumstances, you may be required to have one under Australian privacy laws or by contract (for example, a platform requirement or client/vendor onboarding).

The Privacy Act And “Small Business” Exemptions

In Australia, privacy obligations often sit under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The specific legal obligation to have an APP privacy policy generally applies to APP entities (which includes most government agencies and many private sector organisations). Some small businesses are exempt, but it’s not as simple as “under $3 million turnover = no privacy obligations”. There are exceptions where the Privacy Act can still apply - for example, if you provide a health service, trade in personal information, or are otherwise brought within the definition of an APP entity.

Also, even where the Privacy Act might not strictly apply to you, other practical and legal pressures can still mean you need a privacy policy, including:

  • requirements from your payment provider, advertising platforms, or app stores
  • expectations from B2B clients (particularly corporates and government)
  • consumer trust expectations (especially for online stores, SaaS, and service businesses)

Common Situations Where You’ll Want A Privacy Policy Immediately

For most startups and small businesses, a company privacy policy becomes important as soon as you:

  • have a website with a contact form
  • collect emails for newsletters or promotions
  • sell products online and collect delivery details
  • use tracking tools and analytics (even if “only” for marketing insights)
  • run competitions, giveaways, or promotions
  • collect customer IDs or verification documents
  • store customer notes (for example in a CRM)

If you do email marketing (or plan to), your privacy policy should also line up with your marketing practices and communications - especially if you’re using automated campaigns or mailing list tools. This often overlaps with your obligations under email marketing laws.

What Should Your Company Privacy Policy Include?

There’s no single one-size-fits-all template that works for every business. A company privacy policy needs to reflect what you actually do.

That said, there are common clauses and topics we typically expect to see in a well-drafted privacy policy for an Australian startup or small business.

1. What Personal Information You Collect

This should be specific and practical. For example:

  • identity details (name, date of birth)
  • contact details (email, phone number, address)
  • billing and transaction details
  • account and login information
  • device and usage data (IP address, cookies, analytics data)
  • support tickets or customer enquiries

If your business collects more sensitive categories of information (for example health information), your obligations can increase significantly. In that case, you’ll want a policy that is drafted specifically for your situation rather than adapted from a generic template.

2. How You Collect It (And From Whom)

Spell out where the information comes from. Common collection methods include:

  • forms on your website
  • account sign-ups
  • online checkout processes
  • cookies and tracking tools
  • phone calls and emails
  • third-party platforms (such as booking tools or marketplaces)

It’s also worth thinking about whether you collect personal information indirectly, such as via referrals, public sources, or data enrichment tools.

3. Why You Collect It (Your Purposes Of Use)

This is one of the most important sections, because it sets the boundary for how you use data. Typical purposes include:

  • providing and improving your services
  • processing orders and payments
  • delivering products
  • responding to customer support enquiries
  • sending service updates and transactional messages
  • marketing and promotions (where permitted)
  • fraud prevention and security
  • legal and regulatory compliance

4. Who You Share Personal Information With

Most businesses share data with third parties in some form, even if you don’t “sell data”. For example:

  • IT and cloud hosting providers
  • payment processors
  • couriers and logistics providers
  • marketing and analytics tools
  • professional advisers (lawyers, accountants)
  • contractors and service providers who support your operations

If you outsource any part of your operations, this section needs to reflect that - because customers (and business clients) often want to know where their data ends up.

5. Overseas Disclosures

Many startups use global tools (for hosting, email, analytics, customer support, and more). This can mean personal information is stored or accessed overseas.

Your privacy policy should address whether you disclose information internationally and, if so, how.

6. Data Storage And Security (In Practical Terms)

You don’t need to give away your full security blueprint, but you should accurately explain the types of steps you take to protect personal information.

Avoid statements like “we guarantee your data is completely secure” (it’s almost never realistic). Instead, focus on reasonable measures and your approach to security.

7. Access, Correction And Complaints

Good privacy policies tell people how they can:

  • request access to their personal information
  • request correction of inaccurate data
  • make a privacy complaint

As a business owner, this helps you too - because it gives you a clear process to follow internally if someone comes to you with a privacy concern.

How To Make Your Privacy Policy Actually Match Your Business (Not Just A Template)

Many privacy policy problems don’t come from “missing clauses” - they come from a mismatch between the document and the reality of your operations.

A company privacy policy should reflect your business model, your systems, and your customer journey.

Start With A Simple “Data Map”

Before you write (or update) your policy, map out:

  • what personal information you collect
  • where you collect it (site forms, onboarding flows, DMs, invoices)
  • where it’s stored (CRM, email tool, spreadsheets, accounting software)
  • who can access it (staff, contractors, support providers)
  • who it’s shared with (hosting, payments, couriers, analytics)
  • how long you keep it

This is not just helpful for compliance - it’s also good operational hygiene.

Be Careful With Big Promises

It’s tempting to sound reassuring by promising things like:

  • “We never share your data”
  • “We delete all data immediately”
  • “Your information is always secure”

If those statements aren’t true in practice, they can create unnecessary legal risk. It’s usually better to be accurate, clear, and consistent.

Align With Your Customer-Facing Processes

Your privacy policy should match your other documents and workflows, including:

  • your website checkout flow and enquiry forms
  • your internal support process (how you handle customer tickets and complaints)
  • your marketing approach (including your opt-in/opt-out process)
  • your contracts with suppliers and service providers

For example, if you’re collecting information via your website, the privacy approach should sit comfortably alongside your Cookie Policy if you use cookies and tracking technologies.

Common Privacy Pitfalls For Startups (And How To Avoid Them)

Startups move quickly - new tools, new hires, new products, new markets. That speed can accidentally create privacy blind spots.

Here are some of the most common privacy pitfalls we see in growing small businesses, and how you can reduce your risk.

Using Tools That Collect More Data Than You Think

Analytics, advertising pixels, heatmaps, customer chat widgets, and booking tools may collect information that is personal information in context (or becomes personal information when combined with other data).

If you’re using these tools, your privacy policy should reflect it, and you should be clear about how customers can make choices (such as opting out of marketing).

Collecting Information You Don’t Actually Need

From a practical standpoint, collecting unnecessary personal information increases your compliance burden and security exposure.

If you don’t need date of birth, don’t collect it. If you don’t need copies of identity documents, don’t request them. Keep it lean where you can.

Storing Personal Information In Insecure Places

Many small businesses start with spreadsheets and shared inboxes. That can be okay early on, but you should still think about access control, secure storage, and offboarding processes (for example when a staff member leaves).

If you store payment information, be extremely careful. Many businesses should avoid storing card details at all unless they have strong systems in place. If you’re unsure about your obligations, it’s worth getting advice on storing credit card details and what “reasonable security” might look like for your setup.

Not Preparing For A Data Breach

Even careful businesses can experience a data incident. Having a plan matters - especially if you grow, hire more staff, or collect larger volumes of customer information.

At minimum, you should know:

  • who is responsible for managing data incidents
  • how you’ll investigate and contain an incident
  • how you’ll communicate with customers if needed
  • what vendors you rely on (and how to contact them quickly)

Running Promotions Or Giveaways Without Privacy Clarity

If you run giveaways, raffles, or promotional competitions, you’re often collecting personal information at scale (names, emails, sometimes addresses).

This is exactly the kind of activity where your privacy policy should be up-to-date and aligned with your promotion terms.

A company privacy policy is rarely a “standalone” document. It usually forms part of a wider set of legal documents that help your business operate smoothly and reduce risk.

Depending on your business model, you may also need:

  • Website Terms and Conditions: These set the rules for how users can use your website and help manage your liability for content, links, and access. This is especially useful if you have user accounts, subscriptions, or online purchasing.
  • Customer Terms (or a Customer Contract): If you provide services (or bespoke products), your terms help clarify scope, payment, delivery, changes, refunds, and liability limits.
  • Employment Contracts: If you’re hiring staff, it’s important to set expectations from day one with an Employment Contract that reflects your role, pay structure, confidentiality requirements, and relevant policies.
  • Privacy Collection Notice: In some cases, you’ll want a short notice shown at the point you collect information (for example, under a form), supported by your broader privacy policy. A privacy collection notice can be a practical way to communicate key points upfront.
  • Data Processing/Outsourcing Terms: If you’re providing services to other businesses and handling their customer data, you may need extra contractual protections to clarify responsibilities.

The goal is consistency. If your privacy policy says “we only use your personal information to fulfil orders,” but your marketing systems also send promotions, you’ve created a mismatch that can cause complaints (and reputational damage) later.

Key Takeaways

  • A company privacy policy explains how your business collects, uses, stores and shares personal information, and it helps build trust with customers and partners.
  • Even small businesses often need a privacy policy in practice - especially if you have a website, collect enquiries, run marketing campaigns, or sell online.
  • A strong privacy policy should reflect what you actually do: what data you collect, why you collect it, who you share it with, and how people can access or correct it.
  • Common startup pitfalls include using tools that collect more data than expected, storing data insecurely, and making big privacy promises that don’t match reality.
  • Your privacy policy should work alongside other key documents like Website Terms and Conditions, customer terms, and Employment Contracts to keep your legal foundations consistent as you scale.

If you’d like a consultation on putting the right company privacy policy in place (and making sure it matches your actual business processes), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
