Privacy Policy

Effective 7 April 2026 · Last updated 7 April 2026

1. Who we are

Arcnode IT is a network infrastructure and automation company based in Melbourne, Victoria, Australia. We provide enterprise-grade networking solutions, smart home integration, and managed IT services to business and residential clients.

2. What personal information we collect

We may collect the following categories of personal information depending on how you interact with us:

• Identity information — name, job title, company name
• Contact information — email address, phone number, postal address
• Account credentials — email and hashed password (client portal users only)
• Service information — support tickets, project details, network device data, invoice and billing records
• Technical information — browser type, IP address, access timestamps (collected automatically via server logs)
• Communication records — emails, support correspondence, ticket replies

We do not collect sensitive information (as defined in the Privacy Act) unless you provide it voluntarily and it is reasonably necessary for the services we provide.

3. How we collect personal information

We collect personal information:

• Directly from you — when you contact us via email, register for the client portal, submit a support ticket, or engage us for services
• From your use of our services — when you log in to the client portal, access network monitoring dashboards, or interact with our platforms
• From third parties — we may receive referral information from existing clients or business contacts, only with your knowledge or consent

We will not collect personal information by unlawful or unfair means. Where it is reasonable and practicable, we collect personal information directly from you (APP 3).

4. Why we collect personal information

We collect personal information for the following purposes:

• To provide, manage and improve our network infrastructure and IT services
• To create and manage your client portal account
• To respond to support tickets and service requests
• To send operational notifications (service alerts, ticket updates, billing notices)
• To generate invoices and manage billing
• To monitor network devices and deliver uptime reporting
• To comply with legal obligations, including tax and record-keeping requirements
• To protect the security of our systems and your data

If we do not collect the personal information described above, we may not be able to provide our services to you or respond to your enquiries.

5. Collection notice (APP 5)

This privacy policy, together with specific collection notices displayed at the point of data collection (such as on the client portal registration form), constitutes our APP 5 notification.

6. Use and disclosure

We use and disclose your personal information only for the primary purpose for which it was collected, or for a secondary purpose that you would reasonably expect (APP 6). We do not sell, rent or trade your personal information.

Third-party service providers

We may share personal information with the following categories of service providers who assist us in operating our business:

• Cloud hosting — Vercel (US), Amazon Web Services (Sydney, Australia)
• Email delivery — Resend (for transactional notifications only)
• DNS and security — Cloudflare
• Authentication — Google (OAuth for staff only)
• Accounting — Xero (when connected)

We take reasonable steps to ensure these providers comply with the APPs or are bound by substantially similar privacy obligations.

Overseas disclosure

Some of our service providers operate overseas, primarily in the United States. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure they do not breach the APPs (APP 8). Our primary data storage is on a server located in Sydney, Australia (AWS ap-southeast-2).

7. Data storage and security

We store your personal information in a SQLite database on an AWS EC2 instance in Sydney, Australia. We take reasonable steps to protect your information from misuse, interference, loss, unauthorised access, modification and disclosure (APP 11), including:

• Encryption in transit (TLS/HTTPS on all connections)
• Multi-layer access controls (security groups, IP allowlists, bearer token authentication, CORS restrictions)
• Password hashing with bcrypt (cost factor 12) for portal accounts
• JWT-based session management with 24-hour expiry and revocation support
• Rate limiting and account lockout protections
• Security event logging and monitoring
• Principle of least privilege for staff access (role-based access control)

8. Data retention

We retain your personal information only for as long as it is needed for the purposes described in this policy, or as required by law. Specifically:

• Active client data — retained for the duration of the service relationship
• Invoices and financial records — retained for 7 years as required by Australian tax law
• Support tickets — retained for 2 years after resolution, then de-identified or deleted
• Portal account credentials — retained until the account is closed, then deleted within 30 days
• Server logs and security events — retained for 12 months, then purged
• Contact enquiries — retained for 12 months, then deleted unless a service relationship is established

When personal information is no longer needed, we take reasonable steps to destroy or de-identify it (APP 11.2).

9. Access and correction

You have the right to request access to the personal information we hold about you (APP 12) and to request correction of any information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13).

To make an access or correction request, contact us using the details below. We will respond within 30 days. We may need to verify your identity before processing your request. Access will be provided free of charge unless the request requires a disproportionate effort, in which case we will discuss any applicable charges with you beforehand.

10. Anonymity and pseudonymity

Where it is lawful and practicable, you have the option of not identifying yourself or using a pseudonym when dealing with us (APP 2). However, if you wish to use the client portal or engage our professional services, we will need to collect your identity and contact details to provide those services.

11. Direct marketing

We do not currently engage in direct marketing. If this changes, we will only use your personal information for direct marketing with your consent, and we will always provide a simple way to opt out (APP 7).

12. Notifiable data breaches

In the event of an eligible data breach that is likely to result in serious harm to any individual whose information is affected, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act). We maintain a documented data breach response plan.

13. Cookies and local storage

Our client portal uses browser local storage to maintain your login session (authentication token) and your theme preference (light/dark mode). We do not use third-party tracking cookies. Our public website uses Vercel Analytics and Speed Insights, which collect anonymous performance data and do not use cookies to track individual users.

14. Children’s privacy

Our services are designed for business and adult consumers. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected personal information from a minor, we will take reasonable steps to delete it promptly.

15. Changes to this policy

We may update this privacy policy from time to time. The “Last updated” date at the top of this page indicates when the most recent changes were made. We encourage you to review this policy periodically. Material changes will be notified via email to portal users where practicable.

16. Complaints

If you believe we have breached your privacy or the APPs, you may lodge a complaint with us. We will investigate and respond within 30 days. If you are not satisfied with our response, you may escalate your complaint to the OAIC:

17. Contact us