Privacy Policy – A Startup’s Guide

A good privacy policy is an important feature of a successful startup. Putting the legal requirements aside for a moment, it’s good commercial practice to have a privacy policy for your business to follow. Not only will this put frameworks in place to guide your business, it will reassure your customers as to the safety of their personal information when engaging with your service or product.

Privacy law in Australia

The fundamental piece of legislation in Australia concerning privacy law is the Privacy Act 1988 (the Act), which is a federal statute that sets out privacy requirements in Australia. This legislation, however, does not apply to all businesses. At first instance, the Act only applies to businesses with an annual turnover of $3m or more. If your business has a turnover of less than $3m, then you’re considered a “small business” for the purposes of the Act, and the Act does not apply. There are, however, some exceptions to this rule. For example, health service providers, credit reporting agencies, or businesses that operate a residential tenancies database, are all bound by the Act regardless of whether or not they are a small business. For a complete list of small businesses that the Act applies to, see

If you operate a small business to which the Act does not apply, then your legal privacy obligations are fairly minimal. Nevertheless, that doesn’t mean that you should disregard privacy altogether. We recommend that all startups have a well-drafted privacy policy in place. This will not only provide assurance to your customers, it will also give you a framework to use when your business exceeds the $3m threshold.

What to include in your privacy policy?

The contents of a privacy policy will vary depending on the nature of your business. However, if you are operating in the tech space, there is a good chance you will be, at some point, collecting personal information about your customers. Therefore, there are certain topics that all startup privacy policies should address, regardless of your product or service.

1. The Privacy Act

If your business is governed by the Privacy Act, your privacy policy should commence with a statement disclosing this to your user, and that you will comply with all privacy obligations under the Act. Even if the Act doesn’t apply because you are a small business, it is still useful to include such a statement. This means you don’t need to amend and republish your privacy policy once you breach the $3m threshold.

2. The types of information you are collecting, and how it is collected

As a simple starting point, all privacy policies should detail what information will be collected about your customer. At a minimum, this is likely to include the name and contact details of your customer, and possibly payment information such as credit card or bank details. Depending on the nature of your business, you should also consider whether you will be collecting information such as:

  1. Demographic information (i.e. age, country of birth, occupation);
  2. Market information (i.e. interests or hobbies);
  3. Any health information such as allergies or special needs requirements; or
  4. Professional information such as business associates, suppliers, or client base. 

Once you have detailed the type of information collected, you should also mention how you will be collecting it from the customer. For example, when they fill out a registration form, when they input their payment details, or perhaps information will be collected as part of their use of the product by inputting information for analysis. You should fully disclose all relevant processes so that your customer is made fully aware of when they are sharing their information with you.

3. How the information is stored and dealt with

Once you have explained what information you will collect and how you collect it, you should explain how the information will be stored. For most startups, this tends to be on cloud-based storage systems; however, many businesses still utilise paper files. When explaining your storage system, you should also assure your customer that there are mechanisms in place to protect the information.

Your privacy policy should also contain a robust outline on how the personal information will be used. Special attention should be paid to whether it will be shared with any third parties and, if so, for what purpose. It is common for businesses to share the personal information of their customers with third party service providers such as marketing consultants or professional advisors. If this is the case, this should be made clear in your privacy policy.

4. Cookies and analytics

If your business operates a website, it is likely that you will be using cookies and some sort of analytics, such as Google Analytics. Your privacy policy should disclose this to your customer, and contain an explanation of:

  1. What a cookie is, and how it collects information;
  2. What analytics platform you use; and
  3. How the analytics platform is used, and for what purpose.

5. Direct marketing

There is much commercial value in engaging in direct marketing with your customer base. This can be a useful way to keep them updated on new products or services, special deals, or industry developments. If you are planning on direct marketing, your privacy policy should disclose this to your customer. Not only that, it should also alert them that they have the option to opt out if they wish.

6. Contact information 

Your privacy policy should contain information on how your customer can contact you if they have a question about your privacy policy, or if they believe you have breached your privacy policy. This demonstrates good faith to your customer and ensures that their concerns can be addressed in an efficient manner. 

Let us help

Here at Allied Legal, our commercial lawyers have drafted numerous privacy policies for a wide range of startups. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at   

