Change Toolkit logo

Change Toolkit

Privacy Policy

Last updated: April 14, 2026

1. Introduction

Change Toolkit ("we", "us", "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy describes how we collect, use, disclose, store, and protect information about you when you access or use the Change Toolkit platform at changetoolkit.app (the "Service").

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and, where applicable, the EU General Data Protection Regulation (GDPR) and other applicable data protection legislation.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Service.

2. Information We Collect

2.1 Account and Identity Information

When you register for an Account, we collect:

  • Email address (required for authentication and communication);
  • Name or display name (if provided);
  • Authentication credentials, managed via Azure Static Web Apps authentication services.

2.2 Subscription and Payment Information

When you purchase a paid plan, payment processing is handled entirely by Stripe, Inc. We do not store your full credit card number, card verification code (CVC), or banking details on our systems. We receive from Stripe a tokenised reference and basic billing information such as the last four digits of your card, card type, and billing postcode for record-keeping purposes.

2.3 User Content and Project Data

The Service allows you to create and store change management projects, assessments, plans, stakeholder data, communications, and other related content ("User Content"). This information belongs to you. We store it solely to provide you with the Service and do not use it for any commercial purpose unrelated to the operation of the platform.

2.4 Infrastructure Logs

We do not use third-party analytics platforms, tracking scripts, or behavioural monitoring tools. We do not intentionally collect or store IP addresses, browser details, device identifiers, navigation paths, or session data within our application.

As an inherent function of operating on cloud infrastructure, Microsoft Azure may automatically generate server-side request logs that include technical metadata such as IP addresses, request timestamps, and HTTP status codes. These logs are produced and managed by Azure as part of standard infrastructure operations, are not linked to your user profile, and are subject to Azure's own data retention and security policies. We access these logs only when required to investigate security incidents or diagnose infrastructure failures.

2.5 Communications

If you contact us via email or a support channel, we retain records of your correspondence to respond to your query and improve our support processes.

3. Legal Basis for Processing

Where the GDPR or equivalent legislation applies, we process your personal information on the following legal bases:

  • Contractual necessity — to provide the Service you have requested and manage your Account and Subscription.
  • Legitimate interests — to maintain the security and performance of the Service, prevent fraud, and improve functionality, where these interests are not overridden by your rights.
  • Legal obligation — to comply with applicable laws, regulations, or lawful requests from authorities.
  • Consent — where we have asked for and obtained your explicit consent, such as for optional marketing communications.

4. How We Use Your Information

We use the information we collect to:

  • Create and manage your Account and Subscription;
  • Provide, operate, and maintain the Service;
  • Process payments and manage billing;
  • Respond to your inquiries, requests, and support tickets;
  • Send transactional communications such as account confirmations, payment receipts, and service notices;
  • Monitor and analyse usage patterns to improve the Service;
  • Detect, investigate, and prevent fraudulent transactions, abuse, and security incidents;
  • Comply with applicable legal obligations and enforce our Terms of Service.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use your User Content to train machine learning models or for any purpose other than delivering the Service.

5. Data Sharing and Disclosure

We may share your information with third parties only in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who process data on our behalf, including:

  • Microsoft Azure — cloud hosting, authentication (Azure Static Web Apps), data storage (Azure Cosmos DB), and blob storage (Azure Blob Storage). Data is processed within Microsoft's infrastructure under their data processing terms.
  • Stripe, Inc. — payment processing. Stripe operates under PCI DSS compliance standards. Their privacy policy is available at stripe.com/privacy.
  • Azure Communication Services — transactional email delivery (e.g., account notifications).

All service providers are contractually bound to handle your data securely and only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required to do so by law, court order, regulatory authority, or other governmental process, or where we have a good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, asset sale, or other business transfer involving Change Toolkit, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have via the email address associated with your Account.

5.4 With Your Consent

We may share your information with other third parties with your explicit prior consent.

6. International Data Transfers

Your information may be stored and processed in data centres located outside of Australia, including within the United States and other countries where Microsoft Azure and Stripe operate. Where data is transferred outside Australia, we ensure that appropriate safeguards are in place, such as standard contractual clauses or reliance on adequacy determinations, consistent with applicable data protection laws.

7. Data Storage and Security

Your data is stored within Microsoft Azure infrastructure. Azure encrypts data at rest using AES-256 and in transit using TLS 1.2 or higher. We implement additional application-level security controls including access restrictions, authentication enforcement, and regular security reviews.

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information. In the event of a data breach that is likely to result in serious harm to you, we will notify you and relevant authorities as required by applicable law.

8. Cookies and Similar Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies — required for authentication and session management via Azure Static Web Apps. These cannot be disabled without losing access to your Account.
  • Functional cookies — used to remember your preferences and improve your experience within the Service.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We do not participate in behavioural advertising networks.

You may configure your browser to block or delete cookies; however, doing so may impair the functionality of the Service.

9. Data Retention

We retain your personal information for as long as your Account is active or as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.

If you delete your Account, we will delete or anonymise your personal information within a reasonable period (typically within 90 days), except where we are required to retain certain information by law or for legitimate business purposes such as fraud prevention. User Content may be retained in encrypted backup storage for up to 30 days following deletion before being permanently purged.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access — the right to request a copy of the personal information we hold about you.
  • Rectification — the right to request correction of inaccurate or incomplete personal information.
  • Erasure — the right to request deletion of your personal information, subject to legal or contractual retention obligations.
  • Restriction — the right to request that we restrict processing of your personal information in certain circumstances.
  • Portability — the right to receive your personal information in a structured, machine-readable format and to transmit it to another controller where technically feasible.
  • Objection — the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent — where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.

If you are located in Australia and believe we have not handled your personal information in accordance with the Privacy Act, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with their information, please contact us at [email protected].

12. Do Not Track

Some browsers transmit "Do Not Track" signals. We do not currently respond to such signals as there is no common industry standard for their interpretation. We will update this section if a uniform standard is adopted.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated via email to the address associated with your Account, or via a prominent notice within the Service, at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal information, please contact us at:

Change Toolkit — Privacy Enquiries
Email: [email protected]
Website: changetoolkit.app