Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When you’re building a business, it’s easy to focus on the exciting parts: winning customers, improving your product, hiring your first team members, and chasing growth.
But as soon as your business involves more than just you (or you start collecting customer data, taking payments, or working with contractors), one question tends to come up very quickly: what policies should a company have?
Policies aren’t just “corporate paperwork”. For small businesses and startups, they’re a practical way to set clear expectations, reduce risk, and show your team and customers that you run a professional operation. The right policies can also help you comply with Australian laws, respond consistently when issues arise, and avoid misunderstandings that turn into expensive disputes.
Below, we’ll walk through the essential policies many Australian small businesses need, how to prioritise them, and what to consider when tailoring them to your business.
Why Policies Matter For Small Businesses (Not Just Big Companies)
It’s a common myth that policies only matter once you have a big HR department or multiple office locations.
In reality, your policies are often what keep your business running smoothly during the exact moments that are most stressful for founders: a customer complaint, a staff conflict, a data breach, or someone using company equipment in a way that creates risk.
Policies Help You Stay Consistent (And Fair)
When you’re moving fast, decisions can become inconsistent. A policy gives you a pre-agreed approach, so you’re not reinventing the wheel each time something happens.
For example, if someone requests time off, a consistent process reduces frustration and helps prevent claims that you’re treating people differently without a reason.
Policies Support Legal Compliance
Some policies are effectively “mandatory” because Australian law expects you to handle certain topics appropriately. Even where a policy isn’t explicitly required, having one can help you show you took reasonable steps to comply.
Common areas include privacy, workplace safety, discrimination and harassment, and consumer-facing practices.
Policies Protect Your Culture As You Grow
If you’re a startup, you might feel like “culture” is something you’ll deal with later. But culture is built early - and policies can reinforce how your business works (communication expectations, acceptable behaviour, how decisions are escalated, and what your standards are).
What Policies Should A Company Have From Day One?
If you’re a very small business or early-stage startup, you don’t need a 100-page policy library on day one.
Instead, aim for policies that address the highest-risk areas for your business. For many Australian businesses, that means starting with privacy, customer terms, and the foundational workplace expectations (especially if you have staff or contractors).
Privacy Policy (If You Collect Personal Information)
If you collect personal information - like customer names, emails, phone numbers, delivery addresses, payment details (even indirectly), or website tracking data - you should have a Privacy Policy that clearly explains what you collect, why you collect it, how you store it, and who you share it with.
This is especially important if you run an online business, use email marketing, have a booking form, or operate any kind of platform or app.
Even if your business may be covered by the small business exemption under the Privacy Act (which depends on factors like turnover and what you do), a Privacy Policy is often still a practical baseline that builds trust and reduces complaints. Keep in mind some businesses can be covered regardless of turnover (for example, if they handle certain types of sensitive information, provide health services, or trade in personal information).
Website Terms (If You Operate Online)
Many startups rely on a website for lead generation, eCommerce, bookings, or account creation. Website terms are the “rules” for using your site and can cover things like acceptable use, intellectual property, and limitations on liability.
For online businesses, having clear terms can also reduce disputes when someone claims they relied on a website statement or tries to misuse your content.
Customer-Facing Refunds, Returns And Complaints Policy
If you sell goods or services, you should be clear (internally and externally) on how you handle refunds, returns, and complaints.
This doesn’t mean you can write “no refunds” and call it a day. In Australia, the Australian Consumer Law (ACL) sets minimum consumer guarantees and rules around misleading conduct and remedies.
A simple policy helps you and your team respond consistently, avoid escalating issues unnecessarily, and reduce the risk of saying something non-compliant in the moment (especially over email or social media).
Information Security Basics (Even If You’re Not A Tech Company)
Even small businesses can be targeted by phishing, invoice scams, and data breaches. A basic internal policy can cover:
- password standards and multi-factor authentication
- who can access what systems
- how to handle suspicious emails
- how customer information is stored and shared
For many startups, this isn’t about complicated cybersecurity - it’s about reducing avoidable mistakes.
Essential Workplace Policies If You Have Employees Or Contractors
If your business has staff (or you’re about to hire), workplace policies become a core part of risk management. They help set expectations, reduce confusion, and support fair processes when issues come up.
Policies work best when they match your actual day-to-day operations. A policy that looks good on paper but is never followed can create problems rather than solve them.
Code Of Conduct (Behaviour And Professional Standards)
A code of conduct sets the standard for behaviour at work. This can include expectations around:
- professional communication
- confidentiality and conflicts of interest
- use of company property and systems
- bullying, harassment, and respectful behaviour
This is one of the most useful “umbrella” policies because it gives you a clear reference point if behaviour becomes an issue later.
Anti-Discrimination, Bullying And Harassment Policy
Even in a small team, you should have a clear policy that outlines what behaviour is not acceptable and how complaints can be raised.
This is particularly important because complaints in this area can escalate quickly - and they often involve sensitive issues where a structured, fair process matters.
Leave And Attendance Policy
Startups often operate with flexible hours, remote work, and “do what it takes” energy. That can work - but you still need clarity on how leave requests are handled, expectations for notifying absences, and what evidence may be required (where lawful).
If you need to manage sick leave evidence in particular, it can also help to understand when a statutory declaration for sick leave may be used in practice.
Workplace Surveillance And Monitoring Policy (CCTV, Devices, Emails)
If your business uses CCTV, monitors emails, records calls, or uses location tracking (for example, in vehicles or on devices), you should set clear expectations in a policy.
This is an area where state and territory rules can differ, and it’s easy to accidentally cross privacy or surveillance boundaries (including whether notice is required, whether consent is needed, and when audio recording is prohibited). If your workplace uses cameras, it’s worth ensuring your approach aligns with Australian expectations around CCTV laws.
For many businesses, the key practical point is transparency: tell people what you monitor, why you monitor it, and how recordings are stored and accessed. If you record calls, you should also check the consent requirements that apply in the relevant state or territory and to the specific type of recording.
Work Health And Safety (WHS) Policy
Workplace safety isn’t only for construction and warehouses. Offices, retail stores, clinics, hospitality venues, and remote teams all have WHS obligations.
A WHS policy should outline your commitment to safety and reporting, and it often works alongside training and incident reporting processes.
If you have a higher-risk workplace (or a fast-growing team), you may also need more detailed WHS systems, not just a policy document.
Bring Your Own Device (BYOD) Or Company Device Policy
If team members access customer data or business systems from personal phones and laptops, your business should set rules around passwords, device security, and what happens if a device is lost.
This is also useful if you want to be clear about acceptable use during work hours, especially if you have safety-sensitive roles or client-facing teams. Many employers also use a mobile phone policy to set expectations without micromanaging.
Employment Contracts And Policy Alignment
Policies don’t replace contracts. Your employment arrangements should be supported by a written agreement that matches how you actually engage the person (full-time, part-time, or casual).
For example, your policy position on rostering, shift changes, and notice should align with your Employment Contract and any modern award coverage, so you’re not accidentally promising something you can’t deliver (or under-delivering on something you have promised).
Company Governance Policies For Startups (Especially With Co-Founders Or Investors)
If you’re building a company designed for growth, policies aren’t just “HR documents”. Governance policies help you make decisions properly, keep records, and avoid founder disputes.
They’re particularly important if:
- there is more than one founder
- you plan to raise capital
- you want to protect decision-making and ownership arrangements
- your company operates in a regulated space
Delegations Of Authority (Who Can Approve What)
As soon as you have a team, spending decisions and approvals can become messy. A delegations policy can cover who can:
- sign supplier contracts
- approve expenditure above certain thresholds
- commit the company to longer-term obligations
- approve discounts and refunds
This reduces “accidental commitments” that happen when a well-meaning team member says yes to something that creates a big legal or financial obligation.
Conflicts Of Interest Policy
Startups often move in small networks: friends, ex-colleagues, early investors, and advisors.
A conflicts policy helps you identify when someone’s personal interests could affect business decisions - and how those conflicts should be declared and managed. This is particularly relevant if you have directors, advisory boards, or related entities involved in the business.
Record-Keeping And Document Management Policy
In a growing business, documents scatter quickly: contracts in inboxes, approvals in Slack, invoices across multiple systems.
A simple record-keeping policy helps you maintain one source of truth. It can cover:
- where contracts are stored
- who can sign and where signed copies live
- how long key documents are retained
- how access is managed when staff leave
This becomes crucial when you raise investment, apply for finance, enter into major partnerships, or sell the business.
Equity And Founder Arrangements (Often Supported By Agreements)
“Policy” isn’t always the best tool for equity arrangements - you’ll usually need formal agreements. But it’s still helpful to document internal expectations around how equity is handled, how decisions are made, and how disputes are managed.
If you have multiple founders or shareholders, many businesses put formal rules in a Shareholders Agreement and align those with internal governance practices (for example, board approvals, voting thresholds, and key reserved matters).
Similarly, a Company Constitution can set baseline rules for how the company is run, which can be especially helpful when your ownership structure changes over time.
How To Prioritise Policies Based On Your Business Model
If you’re thinking “this sounds like a lot”, you’re not alone. The goal isn’t to create every possible policy - it’s to create the right ones for your risk profile.
Here’s a practical way to prioritise.
1) Start With Your Biggest Risk Areas
Ask yourself:
- Do we collect personal information? (Privacy and data handling policies.)
- Do we have staff or contractors? (Workplace policies and employment documentation.)
- Do we operate in a physical site? (WHS and safety procedures.)
- Do we sell to consumers? (Refunds/returns and complaints handling.)
- Do we use monitoring or recording? (Surveillance and communications policies.)
2) Make Sure Your Policies Match Your Contracts And Operations
One of the most common issues we see is a policy that contradicts what’s in a contract, or a policy that promises something the business doesn’t actually do.
For example:
- If your refund policy says “no refunds under any circumstances”, you risk non-compliance with Australian Consumer Law.
- If your leave policy says managers can approve unpaid leave freely, but your employment contract is strict and doesn’t allow flexibility, your team will get mixed messages.
- If you record customer calls but you don’t tell people (or you do it inconsistently), that can create legal and reputational risk (and may be unlawful depending on where the parties are located and how the recording happens).
3) Keep Them Short, Clear, And Easy To Use
Policies are only useful if your team can actually follow them.
Use plain English, define key terms, and make it clear who to speak to if someone has a question. Consider adding a short “What This Means In Practice” section for policies that are commonly used.
4) Review Policies Regularly (Especially When You Change How You Operate)
Policies should evolve as your business evolves.
A policy review is usually needed when you:
- hire your first employee
- start working with a new type of customer (for example, moving from B2B to B2C)
- launch a new platform feature or collect new categories of data
- expand into a new state or territory
- introduce surveillance, monitoring, or workplace tech changes
Even small operational changes can shift your compliance needs.
Key Takeaways
- When you’re thinking about what policies a company should have, the best approach is to focus on the policies that match your biggest risks: people, customers, data, and safety.
- Most Australian small businesses should prioritise clear privacy practices, customer-facing refunds/complaints handling, and workplace behaviour standards early.
- If you have employees or contractors, workplace policies (conduct, leave, WHS, device use, and surveillance) help set expectations and support compliance.
- Startups with co-founders or investors should also think about governance policies and formal documents that support decision-making and reduce founder disputes.
- Policies should be practical and consistent with how your business actually operates - and they should align with your contracts, not contradict them.
If you’d like help putting the right policies in place for your small business or startup, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
General information only and not legal advice. For advice about your specific situation, you should speak to a lawyer.







