WEBSITE PRIVACY POLICY

This Privacy Policy applies to all personal information collected by Umbrella Insurance Advice Pty Ltd (we, us or our) via the website located at www.umbrellainsuranceadvice.com (Website).


1. What information do we collect?

The kind of Personal Information that we collect from you will depend on how you use the Website. The Personal Information which we collect and hold about you may include:

Name

Email address

Phone number

2. Types of information

The Privacy Act 1988 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information.

Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable:

whether the information or opinion is true or not

whether the information or opinion is recorded in a material form or not

If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as Personal Information and will not be subject to this privacy policy.

Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.

Sensitive Information will be used by us only:

for the primary purpose for which it was obtained

for a secondary purpose that is directly related to the primary purpose

with your consent or where required or authorised by law

where the information is Sensitive Information, only with your explicit consent and subject to additional safeguards as required by the Privacy Act 1988

3. How we collect your Personal Information

We may collect Personal Information from you whenever you input such information into the Website or a related app, or provide it to us in any other way.

We may also collect cookies from your device which enable us to tell when you use the Website and to help customise your experience. As a general rule, it is not possible to identify you personally from our use of cookies alone.

Cookie categories and retention:

Essential cookies: required for core functionality. Retained only for the session or up to 30 days, depending on purpose.

Analytics cookies: help us understand usage. Google Analytics cookies may be retained for up to 13 months. PostHog cookies are typically retained for up to 12 months.

Marketing cookies: used for advertising and conversion measurement. Facebook Pixel cookies may be retained for up to 90 days.

You can manage cookies through your browser settings. Third‑party cookies are subject to the respective third parties’ privacy policies.

Before placing non‑essential cookies on your device, we will obtain your consent through our cookie banner. You can modify your cookie preferences at any time through our Cookie Management Centre. We will maintain your cookie preferences for 365 days, after which we will ask you to reconfirm.

We generally don’t collect Sensitive Information, but when we do, we will comply with the preceding paragraph and the Privacy Act.

Where reasonable and practicable, we collect your Personal Information from you only. However, sometimes we may be given information from a third party. In such cases we will take steps to make you aware of the information provided by that third party.

4. Purpose of collection

We collect Personal Information to provide you with the best service experience possible on the Website and keep in touch with you about developments in our business.

We customarily only disclose Personal Information to our service providers who assist us in operating the Website. Your Personal Information may also be exposed from time to time to maintenance and support personnel acting in the normal course of their duties.

Direct marketing: By using our Website, you consent to the receipt of direct marketing material. We will only use your Personal Information for this purpose if we collected it directly from you, and if it is material you would reasonably expect to receive from us. We do not use Sensitive Information in direct marketing activity. Our direct marketing material will include a simple means to opt out, such as an unsubscribe link.

Prior to sending any direct marketing communications, we will obtain your explicit consent through a clear affirmative action. We will maintain an auditable record of your consent choices and any subsequent modifications. Marketing preferences will be honoured within 5 business days of any change.

You can manage your marketing preferences through your account settings or by contacting our Privacy Officer. We will process opt‑out requests within 5 business days and maintain records of your preferences. Marketing communications will not exceed 12 messages per month. Each communication will clearly display preference management options. If you choose to opt out, we will retain minimal Personal Information necessary to ensure compliance with your request.

5. Security, access and correction

We store your Personal Information in a way that reasonably protects it from unauthorised access, misuse, modification or disclosure. When we no longer require your Personal Information for the purpose for which we obtained it, we will take reasonable steps to destroy, anonymise or de‑identify it. Most Personal Information in our client files and records will be kept for a maximum of 7 years to fulfil our record‑keeping obligations.

We implement industry‑standard security measures including encryption, access controls, and secure data centres to protect your Personal Information. When deletion is required, we use secure erasure methods including digital shredding and physical destruction of storage media. For digital records, we employ 180‑day retention periods for active data and 7 years for archived data, after which automated purge protocols permanently remove the information using recognised secure deletion standards.

Our security framework includes regular third‑party security audits, penetration testing conducted every 180 days, and SOC 2 Type II‑aligned controls. We maintain audit logs of data access, employ AES‑256 encryption for data at rest and TLS 1.3 for data in transit, and conduct quarterly reviews of access permissions. All staff undergo mandatory security awareness training every 12 months, with additional role‑specific security certifications required for personnel handling sensitive data.

The Australian Privacy Principles:

permit you to obtain access to the Personal Information we hold about you in certain circumstances (Australian Privacy Principle 12)

allow you to correct inaccurate Personal Information subject to certain exceptions (Australian Privacy Principle 13)

Where you would like to obtain such access, please contact us in writing using the contact details set out at the bottom of this privacy policy.

6. Complaint procedure

If you have a complaint concerning the manner in which we maintain the privacy of your Personal Information, please contact us using the contact details set out at the bottom of this policy. All complaints will be considered by Justin Turtle and we may seek further information from you to clarify your concerns. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem. If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner.

Documentation and response timeline

We will acknowledge receipt of your complaint within 2 business days and provide you with a reference number.

Our privacy team will investigate your complaint and maintain detailed records of all communications and findings.

We aim to resolve all privacy complaints within 30 business days. If additional time is required, we will notify you in writing.

All complaint documentation will be retained for up to 7 years following resolution. If the matter requires escalation, our Privacy Officer will personally review your case within 5 business days of the escalation request.

7. Overseas transfers

We do not disclose your Personal Information to recipients outside Australia unless it is necessary for the purposes described in this policy and you have provided explicit written consent. Where an overseas transfer is necessary, we will:

obtain your explicit written consent before any transfer

ensure appropriate safeguards are in place, such as contractual commitments requiring the recipient to protect your Personal Information to standards equivalent to the Australian Privacy Principles

transfer data only to recipients in jurisdictions with adequate privacy protection frameworks or implement suitable safeguards where adequacy is not available

maintain records of all international transfers, including the recipient’s security measures, applicable privacy laws in their jurisdiction, and specific safeguards used

If you request us to transfer your Personal Information to an overseas recipient, that recipient may not be required to comply with the Australian Privacy Principles and we may not be liable for mishandling by that recipient.

8. How to contact us about privacy

If you have any queries, or if you seek access to your Personal Information, or if you have a complaint about our privacy practices, you can contact us at: [email protected].