What are you looking for?

Australia and New Zealand Privacy Policy

Last Updated: 3 March, 2026 View the prior version of this Privacy Policy.

  1. IMPORTANT INFORMATION AND WHO WE ARE

Privacy policy

This privacy policy gives you information about how Actionstep collects and uses your personal information through your use of this website, including any information you may provide when you purchase a product or service. For users located in Australia, this privacy policy is provided in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. For users located in New Zealand, this privacy policy is provided in accordance with the Privacy Act 2020 and the Information Privacy Principles.

This website is not intended for children and we do not knowingly collect personal information relating to children.

Who is responsible for your personal information

The Actionstep Group is made up of different legal entities. This privacy policy is issued on behalf of the Group so when we mention “Actionstep”, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the Group responsible for handling your personal information based on your location. If you are located in Australia, Actionstep Operations Australia Pty Ltd (ACN 636 757 125), 6.01, 301 Coronation Drive, Milton QLD 4064is responsible for your personal information and this website. If you are located in New Zealand or elsewhere, Actionstep Operations New Zealand Limited (Company Number 1302336), Level 10, Ste 3, Aon Centre, 29 Customs Street West, Auckland 1010, New Zealand is responsible for your personal information and this website. This privacy policy applies to the Actionstep platform and related services only. If you are a customer of other products within the Actionstep Group (including Lawmaster or FilePro), please refer to the privacy policy applicable to that product.

2. THE TYPES OF PERSONAL INFORMATION WE COLLECT ABOUT YOU

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:

  • Identity Data: includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data: includes billing address, delivery address, email address and telephone numbers.
  • Financial Data: includes bank account and payment card details.
  • Transaction Data: includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
  • Profile Data: includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data: includes information about how you interact with and use our website, products and services.
  • Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal information as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

3. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

We use different methods to collect personal information from and about you including through:

Your interactions with us. You may give us your personal information by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal information you provide when you:

  • apply for our products or services;
  • create an account on our website;
  • subscribe to our service or publications;
  • request published resources or marketing materials to be sent to you; or
  • give us feedback or contact us.

Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies and other similar technologies. While Australia and New Zealand do not have specific cookie consent legislation, we provide you with information about our use of cookies and similar technologies in the Cookies section below.

4. HOW WE USE YOUR PERSONAL DATA

Our approach to collecting and using your personal information

Under Australian and New Zealand privacy laws, we must only collect personal information that is reasonably necessary for our functions or activities. We collect and use your personal information in accordance with the following principles:

Reasonably necessary to provide our services to you: Where we need to perform our agreement with you or take steps at your request before entering into an agreement.

Reasonably necessary for our functions and activities: We may use your personal information where it is reasonably necessary for our business functions and activities, for example to enable us to give you the best and most secure customer experience. We take reasonable steps to ensure that our collection and use of your personal information is fair and lawful.

Required or authorised by law: We may use your personal information where it is required or authorised by or under an Australian or New Zealand law, or a court or tribunal order.

Consent: We rely on consent where we have obtained your agreement to use your personal information for a specified purpose, for example if you subscribe to an email newsletter or other marketing communications. For sensitive information (including health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, biometric information, and genetic information), we will obtain your consent before collecting it unless an exception applies. You may withdraw your consent at any time by contacting us at privacy@actionstep.com. Withdrawal of consent will not affect any handling of your personal information that occurred before the withdrawal. If you withdraw consent for handling that is necessary to provide our services to you, we may not be able to continue providing those services. We will inform you of any consequences before processing your withdrawal request.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal information, and our reasons for doing so. We have also identified where our use is reasonably necessary for our business functions and activities.

Reason for collectionType of dataReason for collection
To register you as a new customer(a) Identity
(b) Contact		Reasonably necessary to provide our services to you
To process and deliver your order including to:
(a) manage payments, fees and charges
(b) collect and recover money owed to us		(a) Identity
(b) Contact
(c) Financial
(d) Transaction
(e) Marketing and Communications		(a) Reasonably necessary to provide our services to you
(b) Reasonably necessary for our business functions (to recover debts due to us)
To manage our relationship with you which will include:
(a) notifying you about changes to our terms or privacy policy
(b) dealing with your requests, complaints and queries		(a) Identity
(b) Contact
(c) Profile
(d) Marketing and Communications		(a) Reasonably necessary to provide our services to you
(b) Required or authorised by law
(c) Reasonably necessary for our business functions (to keep our records updated and manage our relationship with you
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)(a) Identity
(b) Contact
(c) Technical		(a) Reasonably necessary for our business functions (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Required or authorised by law
To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Consent and preferences
(g) Technical		Reasonably necessary for our business functions (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing(a) Technical
(b) Usage		Reasonably necessary for our business functions (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To send you relevant communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your Profile DataTo provide our services to you, improve our website and service offerings, and to market to youAutomatically when you use our website
To carry out market research through your voluntary participation in surveysReasonably necessary for our business functions (to study how customers use our products/services and to help us improve and develop our products and services).

Direct marketing

When your personal information is collected via forms or other data collection tools, you will be asked to indicate your preferences for receiving marketing communications from Actionstep. We comply with the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth) in Australia, and the Unsolicited Electronic Messages Act 2007 in New Zealand.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view about which products, services and offers may be of interest to you and/or send you relevant marketing communications, where you have consented to receive such communications or where permitted by applicable law.

Third-party marketing

We will get your express consent before we share your personal information with any third party for their own direct marketing purposes.

Opting out of marketing

You can ask us to stop sending you marketing communications at any time by following the opt-out or unsubscribe links within any marketing communication sent to you or by contacting us at privacy@actionstep.com. For electronic messages, we will action your request within 5 business days as required by the Spam Act 2003 (Cth) and Unsolicited Electronic Messages Act 2007 (NZ). For telephone marketing, we will update our calling lists within 30 days in accordance with the Do Not Call Register Act 2006 (Cth).

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes for example relating to updates to our Terms and Conditions, product changes or checking that your contact details are correct.

Cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

We use cookies for the following purposes:

  • authentication: to identify you when you visit our website and as you navigate our website;
  • personalisation: to store information about your preferences and to personalise the website for you;
  • analysis: to help us to analyse the use and performance of our website and services; and
  • cookie consent: to store your preferences in relation to the use of cookies more generally.

Cookies used by our service providers

Our service providers use cookies and those cookies may be stored on your computer when you visit our website. We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy/ .

We use Freshdesk to provide in-product customer support.

We use Pendo to analyse how our product is used and to gather feedback so that we can make improvements to the product. Pendo’s privacy policy is available at:  https://www.pendo.io/legal/privacy-policy/.

We use CookieYes to manage consent and the use of cookies on our website. CookieYes’ Privacy Policy is available at: https://www.cookieyes.com/privacy-policy/.

We use Ortto to appropriately use and manage contact details, preferences and activity history for the purposes of marketing and company communications.

5. DISCLOSURES OF YOUR PERSONAL DATA

We may disclose your personal information where necessary with the parties set out below for the purposes set out in the Purposes table (above). Under Australian Privacy Principle 6 and New Zealand Information Privacy Principle 11, we will only disclose your personal information for the primary purpose for which it was collected, or for a secondary purpose that you would reasonably expect, or where you have consented, or where otherwise required or authorised by law:

Specific third parties as listed in our Trust Center at https://www.actionstep-trust.com/subprocessors, which is updated from time to time to reflect our current sub-processors. Our sub-processors include providers of:

  • Cloud infrastructure and hosting services
  • Customer support and helpdesk services
  • Customer relationship management services
  • Analytics and product improvement services
  • Marketing automation and communications services
  • Transactional email and SMS services
  • Document conversion and processing services
  • Cookie consent management services
  • Application performance monitoring services

For a complete and current list of our sub-processors, including their locations and the services they provide, please visit our Trust Center at the link above.

We may also disclose your personal information with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal information and to treat it in accordance with applicable privacy laws. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to handle your personal information for specified purposes and in accordance with our instructions. Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles or New Zealand Information Privacy Principles in relation to the information.

6. INTERNATIONAL TRANSFERS

We share your personal information within the Actionstep Groupfor operational, support, and administrative purposes. This may involve transferring your information to our overseas offices, including in the USA, United Kingdom, Australia, New Zealand, and Canada.

When we transfer your personal information outside Australia or New Zealand, we comply with Australian Privacy Principle 8 (for Australian users) and section 214 of the Privacy Act 2020 (for New Zealand users). Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient will not breach the Australian Privacy Principles or New Zealand Information Privacy Principles in relation to the information. This may include entering into contractual arrangements that require the overseas recipient to handle your personal information in accordance with privacy standards comparable to those applicable in Australia and New Zealand.

We may transfer your personal information to service providers that carry out certain functions on our behalf. Many of our service providers are located in the United States and other countries outside Australia and New Zealand. Our primary service providers include those listed in Section 5 of this policy.

Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information (APP 8.2(a)). This includes entering into contractual arrangements that require the overseas recipient to handle your personal information in accordance with privacy standards comparable to those applicable in Australia and New Zealand.

Where we rely on your consent for overseas disclosure (APP 8.2(b)), we will inform you of the countries to which your information may be disclosed. You acknowledge that if you consent to such disclosure, APP 8.1 (which would otherwise make us accountable for the overseas recipient’s acts) will not apply to that disclosure.

If you do not wish your personal information to be disclosed to overseas recipients, please contact us at privacy@actionstep.com to discuss alternative arrangements, noting that this may affect our ability to provide you with our products and services given our use of overseas service providers as listed in Section 5.

We host customer data in Australia and New Zealand, and you may elect to have your data hosted in your preferred region where supported by our cloud environment.

7. DATA SECURITY

In accordance with Australian Privacy Principle 11 and New Zealand Information Privacy Principle 9, we take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We have put in place appropriate technical and organisational security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only handle your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data breach. In the event of an eligible data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (for Australian users) or the Office of the Privacy Commissioner (for New Zealand users) as required under the notifiable data breach scheme in Part IIIC of the Privacy Act 1988 (Cth) or Part 6 of the Privacy Act 2020 (NZ), as applicable. For the avoidance of doubt, where a security incident involves personal information subject to a contractual data processing addendum, the notification requirements of that addendum shall apply.

8. DATA RETENTION

How long will you keep my personal information?

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. Under Australian Privacy Principle 11.2 and New Zealand Information Privacy Principle 9, once we no longer need your personal information for any purpose for which it may be used or disclosed under the Australian Privacy Principles or Information Privacy Principles, we will take reasonable steps to destroy the information or ensure that it is de-identified.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we use your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we may be required to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for a period of time after they cease being customers, for example for tax, accounting, or regulatory compliance purposes. Depending on the type of information and applicable legal requirements, we may retain financial and transaction records for a minimum of 7 years (for Australian users) or 5 years (for New Zealand users) to comply with AML/CTF record-keeping obligations, or longer where required for legal proceedings, regulatory investigations, or ongoing compliance obligations.

In some circumstances you may ask us to delete your personal information: see section 9 below for further information about your rights.

In some circumstances we will de-identify your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. YOUR LEGAL RIGHTS

You have a number of rights under Australian and New Zealand privacy laws in relation to your personal information.

You have the right to:

Request access to your personal information. Under Australian Privacy Principle 12 (for Australian users) or New Zealand Information Privacy Principle 6 (for New Zealand users), you have the right to request access to the personal information we hold about you. We will provide you with access to your personal information within a reasonable period (generally within 30 days of your request), unless an exception applies. Under Australian and New Zealand privacy laws, we are permitted to charge a reasonable fee for providing access to your personal information. We will not charge you for making the request itself. Before we provide access, we will give you an estimate of the charge (if any) and you will have the opportunity to withdraw your request if you do not wish to proceed. We may refuse to provide access if your request is frivolous or vexatious, or if an exception under the Australian Privacy Principles or Information Privacy Principles applies.

Request correction of your personal information. Under Australian Privacy Principle 13 (for Australian users) or New Zealand Information Privacy Principle 7 (for New Zealand users), you have the right to request that we correct any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will respond to your correction request within a reasonable period (generally within 30 days). If we refuse to correct your personal information, we will provide you with written reasons for the refusal and information about how you can make a complaint.

Request deletion of your personal information in certain circumstances. While there is no general statutory right to erasure under Australian or New Zealand privacy law, we may at our discretion delete personal information upon request where we no longer need to retain it for any purpose permitted under the Australian Privacy Principles or Information Privacy Principles. We may decline your request where we are required to retain the information by law, or where the information is necessary for our legitimate business purposes or the establishment, exercise or defence of legal claims. We will inform you of our decision within 30 days and, if we decline your request, provide reasons for doing so.

Raise concerns about how we use your personal information. If you have concerns about how we collect, use or disclose your personal information, you may contact us at privacy@actionstep.com. We will investigate your concerns and respond to you within a reasonable timeframe.

Opt out of direct marketing. You have the right to opt out of receiving direct marketing communications from us at any time. See section 4 for details of how to unsubscribe from marketing communications.

Request a copy of your personal information. While there is no statutory right to data portability under Australian or New Zealand privacy law, if you request access to your personal information under APP 12 or IPP 6, we will endeavour to provide the information in a format that is reasonably accessible to you.

Make a complaint. If you are not satisfied with how we handle your personal information or our response to your access or correction request, you have the right to make a complaint to the relevant privacy regulator:

  • For Australian users: Office of the Australian Information Commissioner (OAIC), GPO Box 5288, Sydney NSW 2001, www.oaic.gov.au, phone 1300 363 992;
  • For New Zealand users: Office of the Privacy Commissioner, PO Box 10094, Wellington 6143, www.privacy.org.nz, phone 0800 803 909.

Before making a complaint to a privacy regulator, we encourage you to contact us first at privacy@actionstep.com so we have an opportunity to address your concerns.

If you wish to exercise any of the rights set out above, please contact us at privacy@actionstep.com.

Fees for access requests

Under Australian and New Zealand privacy laws, we are permitted to charge a reasonable fee for providing access to your personal information. We will not charge you for making the request itself. Before we provide access, we will give you an estimate of the charge (if any) and you will have the opportunity to withdraw your request if you do not wish to proceed. We may refuse to provide access if your request is frivolous or vexatious, or if an exception under the Australian Privacy Principles or Information Privacy Principles applies.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We will respond to access and correction requests within a reasonable period, generally within 30 days of receiving your request and any information we reasonably require to verify your identity. If we need more time due to the complexity of your request, we will notify you and keep you updated on progress.

10. CONTACT DETAILS

If you have any questions about this privacy policy or about the use of your personal information, or you want to exercise your privacy rights, please contact us at:

Email: privacy@actionstep.com

For Australian users:

Actionstep Operations Australia Pty Ltd (ACN 636 757 125)
301 Coronation Drive
Milton QLD 4064
Australia

For New Zealand users:

Actionstep Operations New Zealand Limited (Company Number 1302336)
Level 10, Ste 3, Aon Centre, 29 Customs Street West
Auckland 1010
New Zealand

11. COMPLAINTS

You have the right to make a complaint to the relevant privacy regulator in your jurisdiction. For Australian users, this is the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. For New Zealand users, this is the Office of the Privacy Commissioner at www.privacy.org.nz. However, before doing so please make sure you have first made your complaint to us at privacy@actionstep.com or asked us for clarification if there is something you do not understand. We will endeavour to resolve your complaint promptly and fairly.

12. CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

We keep our privacy policy under regular review. This version was last updated on 3 March 2026. Historic versions can be obtained by contacting us.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us, for example a new address or email address.

13. THIRD-PARTY LINKS

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal information about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.