Privacy Policy

02 / What this policy covers

Two things, with a clear line between them.

First, the personal information we collect from visitors to efa.com.au and from people who contact us about our services. That is the part most readers care about, and it is set out in full below.

Second, the principles under which we access client data while delivering managed services. This is summarised below. The detailed terms — what we do, what we don't, what audit looks like — are governed by the service agreement we sign with each client.

03 / Information we collect

What we get from this site and from talking to you.

When you visit our site or contact us, we collect:

• Contact details you provide — name, email, business name, phone number, role.
• Correspondence — the content of emails, form submissions, and meeting requests you send us.
• Site analytics — anonymised, aggregated traffic data via Cloudflare Web Analytics. No cookies, no individual tracking, no fingerprinting.

We do not run advertising pixels, third-party tracking cookies, or session recording on this site.

04 / Information we access — managed services

When we work for a client, we have admin access to their systems. Here is how we handle that.

Providing managed services means we hold administrative privileges in client environments — Microsoft 365 tenants, SharePoint, identity platforms, devices, and supporting infrastructure. The access is necessary; the responsibility is real.

Our principles:

• Least privilege. We use the minimum access required to complete the work.
• No copying. We do not move client data onto EFA-owned systems unless it is required for support and agreed with the client.
• Source of truth on client systems. Where practical, client data stays on client-owned infrastructure — their tenant, their SharePoint, their devices.
• Logged actions. Administrative work in client environments is documented in our ticketing system.

The full terms of how we handle client data are set out in each client's service agreement. Clients may request a copy of our subprocessor list and data handling addendum at any time.

05 / How we use information

Service delivery, communication, and what the law requires.

We use the information we collect to:

• Respond to enquiries and prepare proposals.
• Provide and bill for our services.
• Communicate operationally about ongoing work.
• Meet our legal and tax obligations.

We do not sell personal information. We do not use personal information for marketing without consent.

06 / Disclosure to third parties

The tools we use, and the rules that govern when we share.

We use third-party tools to operate our business — covering hosting and infrastructure, communication and scheduling, AI and automation infrastructure, and accounting. A current list of our key service providers is available on request.

We disclose personal information only where:

• It is necessary to deliver a service you have asked for (for example, routing a contact submission through our hosting provider).
• We are required by law (court order, regulatory request).
• You have given consent.

07 / Cross-border data transfers

Some tools we use store data outside Australia.

Where data is held offshore, we take reasonable steps to ensure providers handle it consistently with the APPs or equivalent privacy frameworks.

For client engagements, we keep client data on Australian-hosted infrastructure wherever possible. Where EFA-managed infrastructure is involved (for example, a VPS we operate on a client's behalf), it is hosted in Sydney by default.

08 / Storage and security

The controls we run.

• Multi-factor authentication on every system that holds personal data.
• Encrypted storage for any data on EFA-managed infrastructure.
• Access controls. Only people who need access have access.
• Vendor selection. We use providers with documented security practices.
• Audit logging for administrative actions in client environments.

No system is perfectly secure. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme.

09 / Marketing partners

Forward note on advertising and analytics.

We may, in future, engage marketing partners who operate advertising and analytics tools on this site — for example, Google Ads conversion tracking. When that happens, we will update this policy and display a cookie notice at the time those tools are introduced.

As of the date of this policy, no advertising or third-party analytics tools are running on this site.

10 / Your rights

What you can ask us to do.

Under the Privacy Act, you have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate, out of date, or incomplete.
• Complain to us — and, if you are not satisfied with our response, to the OAIC.

To exercise these rights, email info@efa.com.au. We will respond within 30 days.

If you remain unsatisfied, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

11 / Cookies

This site does not use tracking cookies.

The only cookies that may be set are functional cookies required by our hosting provider for security and content delivery. These do not identify individuals.

If we add tools that use tracking cookies in future, we will display a cookie notice at the time those tools go live.

12 / Updates to this policy

We update when our services or obligations change.

The "last updated" date at the top of this policy reflects the current version. Material changes will be flagged on this page for at least 30 days before they take effect.