Privacy Policy

APP 1We keep this policy current, free and easy to find. It covers everything we do with personal information across our website, account portal, support channels and network. If you have a question this policy doesn’t answer, email help@galah.example and ask for our privacy officer.

APP 2You can browse our website, check plans and read these documents without telling us who you are. We only need your identity when you actually order a service — we can’t connect an anonymous premises to the NBN, and the law requires us to know who our customers are.

APP 3 & 5 We collect only what we need to supply and support your service:

• Contact details — your name, email address and phone number, so we can run your account and reach you about your service.
• Service address — the premises we connect, used to qualify your address and provision the connection.
• Payment details — handled by our payment provider, Stripe. Your card number goes directly to Stripe and never touches our servers; we keep only a payment token, the card brand and the last four digits.
• Technical and session data — the IP addresses we allocate to your service, connection session times, and usage volumes reported by the wholesale network, plus standard website logs when you use our site or portal.
• Support history— records of calls, emails and chats, so we don’t make you repeat yourself.

We collect this directly from you wherever possible, and we tell you at the point of collection why we need it. We do not collect sensitive information (health, beliefs, biometrics and the like) — we sell internet, not horoscopes.

APP 4If we receive personal information we didn’t solicit and wouldn’t have been allowed to collect, we destroy or de-identify it as soon as practicable.

APP 6 We use your information to supply, support and bill your service. We disclose it only where needed to do that, or where the law requires:

• Our wholesale aggregator — receives your service address and connection details to provision and maintain your NBN service.
• NBN Co — receives your address and appointment details where a technician visit or network order is required.
• Stripe — processes your payments, as above.
• Law enforcement and regulators — where a valid warrant, authorisation or legal obligation requires it (see section 11 on metadata retention).

We never sell your personal information. Full stop.

APP 7We may email you about our own plans and service improvements. Every marketing email has a working unsubscribe link, and opting out takes effect promptly. Service messages — outage notices, bills, things you actually need — aren’t marketing and can’t be opted out of while you’re a customer.

APP 8 Your account data is stored in Australia. Some of our suppliers (such as Stripe and our email provider) process data in other countries, including the United States. Where that happens, we take reasonable steps to ensure they handle it consistently with the APPs.

APP 9If you provide a government identifier (for example, a driver’s licence used for identity verification), we don’t adopt it as your customer number or use it to link records about you.

APP 10 We take reasonable steps to keep your information accurate, up to date and complete. The easiest fix is self-service: you can update your contact details in the account portal at any time.

APP 11 We protect your information with encryption in transit, access controls, audit logging and the principle of least privilege — staff see only what their job requires. When we no longer need personal information (and no law requires us to keep it), we destroy or de-identify it. If a data breach is likely to cause you serious harm, we will notify you and the OAIC as required by the Notifiable Data Breaches scheme.

As a carriage service provider, we are required by Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) to retain certain records — commonly called “metadata” — for two years. In plain words, that means we must keep records of:

• your name, address and billing details;
• the IP addresses allocated to your service, and when they were allocated;
• when your connection sessions started and ended, and the volume of data uploaded and downloaded;
• the type and location of the service (your premises).

Importantly, this is not the content of your communications: not the websites you visit, not your emails, not your browsing history. We retain only what the law lists, for only as long as the law requires, and disclose it only to agencies with a lawful basis to request it.

APP 12 & 13You can ask for a copy of the personal information we hold about you, and ask us to correct anything that’s wrong. Email help@galah.example and we’ll respond within 30 days. There’s no charge for making a request, and no charge for correction. If we refuse a request (rarely, and only on lawful grounds) we’ll tell you why in writing and how to complain about the refusal.

If you think we’ve mishandled your information, please tell us first — email help@galah.example or call 1300 425 240, and our complaints processapplies. If you’re not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.