Data Handling & Retention Policy

How Coastal Programs processes, protects, and manages data through automation services — secure, transparent, and compliant with Australian standards.

Effective Date: 11 August 2025

Service Provider: Jake Rino Schepis trading as Coastal Programs

ABN: 12 340 373 046

Compliance: Privacy Act 1988 (Cth), Australian Privacy Principles

Our Data Handling Approach

This policy details how Coastal Programs processes, stores, and protects data across different service contexts. We maintain distinct handling procedures for website visitor data (which we control) and client project data (which we process on behalf of clients).

1. Data Categories & Processing Context

Visitor & Business Data

Data we control for our operations:

  • Website analytics and usage patterns
  • Contact form submissions and inquiries
  • Business communications and proposals
  • Project documentation and contracts
  • Invoicing and payment records

Client Project Data

Data we process for client services:

  • Customer inquiries and form submissions
  • Automated workflow data and triggers
  • System integration data flows
  • Communication logs and chatbot interactions
  • Business process automation data

Data Controller vs Processor: For visitor data, we are the data controller making decisions about processing. For client project data, we are a data processor following client instructions while maintaining appropriate security and compliance measures.

2. Platform Processing & Security

Processing Platforms

We utilise various trusted platforms to deliver automation services. Each platform is selected based on security standards, compliance certifications, and data protection measures:

Website Operations

  • Analytics platforms (visitor tracking)
  • Contact form processors
  • Customer support tools
  • Communication services

Client Automation Services

  • Workflow automation platforms
  • Database and storage services
  • Integration and API platforms
  • Business communication tools

Security Standards

Technical Measures

  • End-to-end encryption for data transmission
  • Encrypted storage across all platforms
  • Multi-factor authentication required
  • Regular security audits and monitoring

Administrative Controls

  • Access limited to authorized personnel
  • Confidentiality agreements with team members
  • Regular staff training on data protection
  • Incident response procedures maintained

3. Cross-Border Data Transfers

International Processing: Some platforms process data outside Australia, primarily in the United States and European Union. We implement safeguards under Australian Privacy Principle 8.

Transfer Safeguards

  • Standard Contractual Clauses (SCCs): Binding agreements with overseas processors ensuring adequate protection
  • Data Privacy Framework (DPF): Utilisation of DPF-certified platforms where available
  • Platform Security Assessments: Regular review of security measures and compliance certifications
  • Data Minimisation: Only necessary data is transferred to overseas platforms
  • Client Notification: Transparency about platform locations and security measures

Compliance Monitoring

  • Quarterly assessments of platform compliance and security standards
  • Ongoing monitoring of legal and regulatory changes affecting data transfers
  • Client right to object to specific platform usage with reasonable alternatives
  • Regular review and updating of data processing agreements

4. Automated Processing & Decision-Making

Our automation services include computer programs that process data and may make decisions affecting individuals:

Website Automation

  • Chatbot responses: Automated customer service based on inquiry patterns
  • Form routing: Automatic assignment of inquiries to appropriate departments
  • Analytics processing: Automated analysis of website usage and visitor patterns

Client Project Automation

  • Workflow triggers: Automated actions based on predefined business rules
  • Communication automation: Email, SMS, and notification scheduling
  • Data synchronisation: Automated updates between integrated systems

Human Review Available: You can request human review of any automated decision that significantly affects you. Contact us for information about the logic involved in automated processing.

5. Data Retention & Deletion

Business & Legal Records

  • Tax & Financial Records: 7 years (Australian tax compliance requirement)
  • Contracts & Agreements: 7 years post-completion (business record keeping)
  • Business Communications: 3 years (operational purposes)
  • Insurance & Legal Documents: 7 years or as required by law

Project-Specific Data

One-Off Projects

  • Active project data: Duration of project
  • System credentials: Deleted immediately upon completion
  • Project files: 30 days post-delivery (support period)
  • Client access data: Deleted after successful handover

Ongoing Services

  • Active service data: Duration of service relationship
  • System access: Maintained during active engagement
  • Operational data: 90 days post-termination
  • Backup data: Automatically purged within 90 days

Website & Analytics Data

  • Website Analytics: 26 months (Google Analytics default, business insights)
  • Contact Form Data: 3 years (business relationship management)
  • Marketing Communications: Until unsubscribed + 3 years (compliance)
  • Support Conversations: 2 years (service improvement and training)

6. Your Rights Under Australian Privacy Law

For Visitor Data

Data we control about you:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion where permissible
  • Lodge complaints about handling
  • Object to certain processing

For Client Project Data

Data we process for clients:

  • Contact the relevant client business directly
  • We can facilitate data requests as processor
  • Client controls most data handling decisions
  • We assist with technical implementation
  • Security complaints handled by us directly

Making Requests: Contact us with your request including sufficient information to identify the data in question. We'll respond within reasonable timeframes and may need to verify your identity before processing requests.

7. Data Breach Response

In the event of a data breach affecting personal information:

Immediate Response (0-24 hours)

  • Breach containment and security assessment
  • Risk evaluation and impact analysis
  • Preliminary incident documentation
  • Internal team notification and coordination

Notification (24-72 hours)

  • OAIC notification if required under NDB scheme
  • Affected client notification (immediate for data processor breaches)
  • Individual notification if likely risk of serious harm
  • Regulatory cooperation and compliance assistance

Post-Incident (Within 7 days)

  • Comprehensive incident report and lessons learned analysis
  • Implementation of additional security measures to prevent recurrence
  • Review and update of security procedures and training materials
  • Ongoing monitoring and support for affected individuals and clients

8. Contact & Data Protection

Data Protection Inquiries

Email: info@coastalprograms.com

Phone: (+61) 417 223 848

Address: PO Box 1544, Busselton WA 6280, Australia

External Complaints: If you're not satisfied with our response to privacy concerns, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

OAIC: www.oaic.gov.au or phone 1300 363 992

9. Policy Updates & Reviews

We review this data handling policy quarterly and update it as needed to reflect changes in our services, platforms, legal requirements, or security measures. Material changes affecting data processing will be communicated to active clients with appropriate notice periods.

Version Control: The effective date at the top of this policy indicates when it was last updated. Previous versions are maintained for reference and compliance purposes. Significant changes are highlighted to existing clients through direct communication.