Legal
Last updated: April 2026
Stocksmith Pty Ltd (ABN 51 627 106 423), operating as Stocksmith, has established this policy to safeguard personal information collected for service delivery and business operations.
The policy aligns with two regulatory frameworks: the Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988, and the European Union's General Data Protection Regulation (GDPR).
We aim to transparently communicate what information is collected, why, how it's processed, and individuals' control rights over their data.
This policy addresses "personal information" and "personal data" as defined under Australian and EU regulations.
We handle personal information both independently and on behalf of customers and users. Business entity information isn't covered, but data about individuals within those entities is protected.
The policy applies to all information forms — physical and digital, electronic or hardcopy.
Individuals providing information about others warrant they have obtained consent. We do not knowingly collect personal data from children under the age of 16 without obtaining parental consent. If underage data collection occurs without consent, we will delete it.
We may collect the following categories of information:
We may collect additional personal information maintained per this policy. Non-personal information regarding computers, networks, and browsers isn't subject to privacy regulations.
Information collection primarily occurs through Stocksmith platform use, inquiries, or business dealings. Secondary sources include advertising, public records, mailing lists, contractors, staff, recruitment agencies, and business partners.
Specific collection methods include:
Where information is obtained without knowledge, it will be deleted or the individual will be informed per applicable regulations. If security breaches occur, proper notification protocols apply per GDPR requirements.
The primary principle restricts use to the original collection purpose unless the individual consents otherwise.
Processing relies on identified lawful bases:
Personal information retention continues only as long as necessary unless law requires extended periods.
Third-party disclosure occurs only in compliance with applicable regulations, with notice provided as soon as practicable. We will not disclose or sell an individual's personal information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained.
Information enables business operations including:
The individual shall have the right to object at any time to the processing of their personal information for direct marketing purposes. Objections halt direct marketing processing immediately.
Mandatory disclosure occurs when fraudulent or unlawful activity is suspected, law requires disclosure, or a business sale necessitates information transfer.
We will not disclose an individual's personal information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles. International third-party service providers must contractually commit to equivalent safeguards.
Individuals may decline information collection and processing, though this may restrict service access.
Individuals believing they received unwanted communications should contact us at the address below.
We may appoint a Data Protection Officer overseeing policy management and regulatory compliance.
Reasonable precautions protect information from unauthorised access, including physical facility security and electronic network protection.
We use SSL encryption to store and transfer personal information. However, online transaction security cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk.
We are not responsible for third-party privacy or security practices unless required by law.
Individuals suspecting misuse or unauthorised access should notify us immediately. We are not liable for any loss, damage or claim arising out of another person's use of the personal information where we were authorised to provide that person with the personal information.
Upon security breaches, we immediately assess resulting risk severity. If risk exists, the supervisory authority receives notification with breach details within 72 hours of discovery. For high-risk breaches, affected individuals receive immediate notification. Security breach facts, effects, remedial actions, causes, and prevention measures are documented.
Individuals have the right to request held personal information. We have an obligation to provide them with such information as soon as practicable, and no later than 28 days after receiving the written request.
The individual may retain and reuse information for personal purposes. We may transmit information directly to another organisation if technically feasible.
For information correction, we correct identified errors within 28 days of written notice, or two months for complex rectification requests.
It is an individual's responsibility to provide us with accurate and truthful personal information. We are not liable for provided inaccuracies.
Manifestly unfounded, excessive, or repetitive access requests may be refused or subject to reasonable cost fees. Refusals include explanation, supervisory authority complaint rights, and judicial remedy information within 28 days.
Deletion or removal occurs when:
Deletion may be refused when freedom of expression or information is involved, legal compliance obligations exist, public health serves the public interest, archiving or research purposes apply, or legal claims require protection.
Written complaints about personal information handling should be addressed to the contact details below. Direct resolution between parties is the initial dispute approach.
An individual shall have the right to seek a judicial remedy where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal information in non-compliance with the GDPR. Proceedings should be commenced in Victoria, Australia, where the organisation is established.
Upon discovering unauthorised information access, we notify affected individuals at the earliest opportunity after establishing access extent and method.
We may send important notices regarding terms, conditions, and policy changes. Where materially important to individual interaction, these communications cannot be opted out of.
Privacy correspondence should be addressed to:
Data Protection Officer
The Data Protection Officer may be initially contacted via email.
Policy changes are posted at https://stocksmith.io/legal/privacy/. We may take additional compliance measures beyond stated policy provisions without deeming non-compliance with applicable privacy regulations.