Privacy Policy
Entity: 2BEE FARM PTY LTD (ACN 697 830 461 · ABN 57 697 830 461) — trading as 2bee.farm
Status: ADOPTED — sole-director written resolution 2026-05-15 (board-adoption-resolution-v1.md). Publish on the website once adopted (coordinate with site session).
Version: 0.1 · Date: 2026-05-13 · Owner: Founder & CEO (interim Privacy Officer) · Next review: 2026-11-13
1. Purpose & legal basis
This policy sets out how 2bee.farm collects, uses, holds, and discloses personal information. It is the company’s privacy policy for the purposes of the Privacy Act 1988 (Cth) and Australian Privacy Principle (APP) 1, and the external-facing version published at 2bee.farm/privacy is the same document. Section 12 (GDPR addendum) covers individuals in the EU/UK.
Note: 2bee.farm currently has turnover below the A$3m small-business threshold, but the Privacy Act applies regardless because the company (a) collects/discloses personal information related to a service it provides and trades in connection with health/biometric-adjacent and IoT data, and (b) is a federal-government supplier candidate. The company chooses to comply with the APPs in full and will be bound automatically once it exceeds the threshold or holds a Commonwealth contract.
2. Scope
Applies to all personal information 2bee.farm handles, however collected — website (LOI forms, contact forms, newsletter, chatbot), email, phone, contracts, events, the beekeeper/customer dashboard, hive devices, supplier and grant dealings, and recruitment. Applies to all directors, staff, and contractors.
3. What we collect
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, business name, email, phone, postal/site address | Forms, email, contracts, events |
| Customer/account | Login credentials, subscription tier, billing details (card data is held by Stripe/PayPal, not by us), support history | Dashboard, payment processors |
| Hive/operational | Hive locations (GPS), apiary site addresses, colony health records, device telemetry tied to a customer | Devices, dashboard, onboarding |
| LOI/sales | Letters of Intent, expressions of interest, organisation, role, segment | LOI funnel |
| Website technical | IP address, device/browser, pages viewed, referrer, cookie IDs (see Cookie/tracking notice) | Site analytics |
| Recruitment | CV, work history, references, right-to-work, (if engaged) TFN/super/bank | Applicants |
| Supplier/partner | Contact people, bank details for payment | Supplier onboarding |
We generally do not collect sensitive information (health, biometrics, race, political/religious views). Where information about Aboriginal or Torres Strait Islander land/community is involved, the ICIP Policy and Indigenous Data Sovereignty principles also apply. Bee/hive telemetry is not personal information in itself, but becomes personal information when linked to an identifiable customer or apiary site.
4. How we collect it (APP 3 & 5)
We collect personal information directly from the individual where reasonable and practicable — when you submit a form, sign up, contact us, enter a contract, or attend an event. We collect from third parties only where you’d expect it (e.g. a payment processor confirming a transaction, a referee you nominated, a business partner introducing a lead). At or before collection we tell you who we are, why we’re collecting it, who we may disclose it to, and that this policy applies (APP 5 notice — typically the form notice plus a link here).
5. Why we use it (APP 6) — purposes
- Provide and operate the HaaS service and the customer dashboard;
- Respond to enquiries, manage LOIs, and progress sales;
- Bill and take payment; manage accounts;
- Send service messages and (with consent / where permitted) newsletters and marketing — you can opt out of marketing at any time (Spam Act 2003 compliant unsubscribe in every message);
- Improve products, run analytics, and develop new features (de-identified/aggregated wherever possible);
- Meet legal, regulatory, biosecurity, food-safety, tax, and grant-reporting obligations;
- Recruit and manage staff/contractors;
- Protect our rights, safety, and property, and investigate misuse.
We use personal information only for the purpose collected, a directly related purpose you’d reasonably expect, or another purpose with your consent or as permitted/required by law.
6. Direct marketing (APP 7)
We send marketing only where you’d reasonably expect it or you’ve consented; every marketing message has a working unsubscribe; we honour opt-outs promptly; we don’t sell personal information; we don’t use government-related identifiers for marketing.
7. Disclosure (APP 6 & 8)
We disclose personal information to:
- Service providers under contract — cloud hosting (AWS, ap-southeast-2 region), payment processors (Stripe, PayPal), email/CRM, analytics, e-signature (DocuSign/eSignatures), transcription, and similar — bound to use it only for our purposes and protect it;
- Professional advisers — lawyers, accountants, auditors, insurers;
- Partners — only with your knowledge (e.g. a pollination/community partner relevant to your engagement);
- Government/regulators — where required (biosecurity, food safety, tax, law enforcement, court order);
- Acquirers — in a sale/merger of the business (under confidentiality; FPIC applies for any Indigenous-data component per the ICIP Policy).
We don’t otherwise disclose personal information without consent.
8. Overseas disclosure (APP 8)
Some service providers store or process data outside Australia (e.g. US-headquartered SaaS, though primary hosting is AWS Sydney). Before disclosing overseas we take reasonable steps to ensure the recipient handles the information consistently with the APPs (contractual data-protection terms), or rely on a permitted exception. Likely overseas locations: United States, EU. By using the service you acknowledge this; where APP 8.1 applies we remain accountable for the overseas handling.
9. Data quality & security (APP 10 & 11)
- We take reasonable steps to keep personal information accurate, complete, and up to date — tell us if your details change.
- We protect personal information with access controls, encryption in transit and at rest where supported, least-privilege access, MFA on company accounts (1Password TOTP), credential management via 1Password, and vendor due diligence. Security measures are detailed in the (forthcoming) Information Security Policy.
- We destroy or de-identify personal information when no longer needed for any purpose for which it may be used or disclosed and we’re not legally required to keep it (see retention below). Card data is not stored by us.
- If a data breach occurs, we follow the Data Breach Response Plan and the Notifiable Data Breaches scheme (Part IIIC, Privacy Act).
10. Retention
We keep personal information only as long as needed: customer/account and contract records for the engagement plus 7 years (tax/limitation periods); LOI/sales records while the opportunity is live plus a reasonable follow-up period; website analytics per the retention set in the analytics tool; recruitment records for unsuccessful applicants up to 12 months unless consented otherwise; financial records 7 years (tax law). Then we destroy or de-identify.
11. Access & correction (APP 12 & 13)
You can ask for access to, or correction of, the personal information we hold about you — email [email protected]. We’ll respond within a reasonable time (target 30 days), verify your identity first, and explain if we refuse (e.g. legal exception) and how to complain. No charge for making a request; we may charge reasonable costs for giving access.
12. GDPR addendum (individuals in the EU / UK)
Where the EU or UK GDPR applies (we offer services to, or monitor, individuals in the EEA/UK):
- Roles: 2bee.farm is the controller for website visitors, enquirers, and customers, and the processor where we handle hive data on a customer’s behalf under a services agreement (a DPA is available on request).
- Lawful bases (Art 6): contract performance (providing the service); legitimate interests (security, analytics, B2B marketing to business contacts) balanced against your rights; consent (cookies/marketing where required); legal obligation (tax, etc.).
- Your rights (Arts 12–22): access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decisions with legal/significant effect (we don’t make such decisions about individuals). Withdraw consent any time. Exercise via [email protected]; we respond within one month.
- International transfers (Ch V): transfers out of the EEA/UK rely on Standard Contractual Clauses (and the UK Addendum) plus a transfer risk assessment, or another Art 46 mechanism.
- Retention/security: as in §§9–10.
- Complaints: you may complain to your local supervisory authority (and, in the UK, the ICO). We have no EU establishment; if an Art 27 representative becomes required we will appoint one.
13. Cookies & tracking
The website uses cookies and similar technologies for functionality and analytics. See the separate Cookie/Tracking Notice (linked from the site footer and cookie banner) for the list and how to control them.
14. Children
The service is for businesses and adults; we don’t knowingly collect personal information from children under 16. Community/school programmes are contracted with the institution, not with students.
15. Complaints
If you think we’ve breached the APPs (or GDPR), email [email protected] with “Privacy complaint” in the subject. We’ll acknowledge within 7 days and aim to resolve within 30 days. If unsatisfied, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au) — or your EU/UK supervisory authority.
16. Responsibilities
| Role | Responsibility |
|---|---|
| Founder & CEO (interim Privacy Officer) | Owns this policy; handles access/correction/complaint requests; oversees breach response; signs DPAs/SCCs; reviews vendor privacy terms. |
| All staff & contractors | Collect/use/disclose personal information only per this policy; report any suspected breach immediately (see Data Breach Response Plan); use approved systems and access controls. |
| Board / sole director | Adopts this policy; ensures resources for compliance. |
17. Changes
We may update this policy; the version on 2bee.farm/privacy is current; material changes will be notified to active customers. Last updated: 2026-05-13 (draft).
18. Related documents
Data Breach Response Plan; Cookie/Tracking Notice; Website Terms of Use; (forthcoming) Information Security Policy; ICIP Policy (Indigenous data); Records retention practice. Contact: [email protected].
19. Review
Annually, and on any change to the Privacy Act / APPs (including the 2024–25 Privacy Act reforms — statutory tort for serious invasions of privacy, children’s online privacy code, automated-decision transparency), or to GDPR guidance. Owner: Founder & CEO / Privacy Officer.