Privacy notice

How Cadence handles personal data

This notice applies to every person who uses or interacts with Cadence — a multi-tenant document-automation platform operated by Jake Hickey. It meets the transparency obligations of the Australian Privacy Act 1988 (including Australian Privacy Principles 1 and 5) and the EU/UK General Data Protection Regulation (Articles 13 and 14).

Last updated: 19 April 2026

1. Who we are

Data controller (for Cadence platform users):
Jake Hickey, operating as Cadence
Contact: support@cadence-platform.com

Data processor (for our business clients):
When a business subscribes to Cadence and their end-users interact with modules, Cadence processes personal data on behalf of that business as a data processor. Each business client remains the data controller for their end-users' data. Processing is governed by the Data Processing Agreement (DPA) signed between Cadence and the client.

2. What personal data we collect and why

Platform users (Cadence accounts)

Data | Purpose | Lawful basis
Email address | Authentication, account setup, password reset, MFA codes | Contract / Legitimate interests
Full name | Display in interface, audit trail attribution | Contract / Legitimate interests
Password (hashed, never stored in plain text) | Authentication | Contract
TOTP secret (encrypted) | Multi-factor authentication | Contract / Security
IP address, timestamp | Audit log, account lockout, fraud prevention | Legitimate interests / Legal obligation
Login attempt records | Brute-force protection, account lockout | Legitimate interests / Security
Module usage count (times used, first/last used dates) | Service operation, capacity management | Legitimate interests

Client end-user data (processor role)

When a business client uses a Cadence module to process information about its own customers, applicants, staff, or related parties, Cadence acts as a data processor for that workflow. We handle that information only within the approved module workflow the client has chosen to use.

The approved workflow scope includes financial data, legal or matter data, and family data where that information is relevant to the module. Depending on the workflow, that can include names, contact details, debts, assets, income, transaction details, account references, case or matter references, household composition, dependant details, and family circumstances.

Uploaded files and generated outputs are processed in memory only. Cadence does not keep a persistent copy of uploaded module files or generated document content. The business client remains the controller for that workflow data and is responsible for the collection notice, lawful basis, and any consent or authority needed for the information it chooses to process through Cadence.

What remains outside the approved scope

This notice does not newly approve blanket handling of Australian sensitive information or GDPR / UK GDPR Article 9 special-category data. Unless separately reviewed and agreed in writing, Cadence is not approved to process health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, or criminal-offence data through the platform.

Collection context for uploaded files

We collect module uploads when an authorised user deliberately chooses to run a workflow. The file is used to complete that request, returned to the requesting user, and then discarded from application memory after the request finishes. Downloaded files may remain on the user's device, so customers should use secure client-managed devices and apply their own local retention and deletion controls.

What we do not collect

  • We do not use cookies for tracking or advertising.
  • We do not collect payment card data (billing is handled by third-party payment processors, if applicable).
  • We do not use third-party analytics scripts.
  • We do not build profiles for advertising purposes.

3. How long we keep personal data

Data type | Retention
Active user accounts | Held while account is active
Inactive accounts | Purged after 365 days of inactivity
Audit logs | 365 days, then automatically deleted
Password reset tokens | 30 minutes, then purged
Account setup tokens | 72 hours, then purged
MFA email codes | 10 minutes, then purged
Login attempt records | 24 hours after last attempt
Document data (in-memory processing) | Not stored — discarded immediately after processing
Module usage statistics | Held while account is active; deleted automatically when account is deleted

4. Who we share personal data with

We use the following service providers to host the platform, store persistent platform data, and deliver security emails. We do not sell personal data, and we do not share it with advertisers.

Sub-processor | Role | Location
Supabase Inc. | Database hosting and backups for persistent platform data | Region recorded per environment; EU-region by default for EU/UK customer environments
Superfly Inc. (Fly.io) | Application hosting | Production: Dublin, Ireland (EU). Staging: US East. Superfly Inc. is US-incorporated with a self-serve DPA.
Google LLC (Google Workspace) | Transactional email delivery | United States. Transfers covered by Google's Standard Contractual Clauses and Google Workspace Data Processing Amendment.

Cadence keeps a vendor register and records the hosting region, provider identity, and customer-specific transfer wording for the relevant environment. Where cross-border disclosure is relevant, the contract pack for that customer records the applicable transfer steps and provider details.

5. Overseas disclosure of personal data

Personal data may be disclosed outside the user's home country when Cadence uses overseas hosting, database, backup, or email providers. The current production design uses United States application hosting. Persistent data regions are chosen per environment, with EU / UK customer environments intended to use an EU-region database by default and Australia-only environments using the documented approved path for that environment.

Under the Australian Privacy Act (APP 8), we take reasonable steps before disclosing personal data to overseas providers. Under GDPR / UK GDPR, the relevant customer contract pack records the hosting region, provider identity, and transfer wording for the environment in use. Contact us using the details in section 9 if you need the current position for a specific environment.

6. How we protect personal data

  • Passwords are hashed using bcrypt with a high work factor and are never stored in plain text.
  • Sensitive fields (TOTP secrets, module settings, connection strings) are encrypted at rest using Fernet symmetric encryption.
  • Authentication tokens (password reset, account setup, MFA) are hashed before storage.
  • All connections use HTTPS with HSTS enforced.
  • Multi-factor authentication (TOTP authenticator app or email OTP) is available for all accounts.
  • Accounts lock after five consecutive failed login attempts.
  • Security-relevant events are written to an audit log.
  • Document content is processed in memory and is never written to disk or database.
  • Higher-sensitivity financial, legal, and family workflow data is handled only through approved workflows; excluded categories require separate written review.

7. Your rights

Australian Privacy Principles

Under the Privacy Act 1988 (Cth), you have the right to:

  • Access the personal data we hold about you (APP 12).
  • Request correction of inaccurate or out-of-date information (APP 13).
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been interfered with.

GDPR rights (EU/UK users)

If you are located in the EU or UK, you additionally have the right to:

  • Erasure ("right to be forgotten") where no overriding legal basis exists.
  • Restriction of processing while a dispute is resolved.
  • Data portability — receiving your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or the relevant EU data protection authority).

If your information was uploaded to Cadence by one of our business clients through an approved workflow, that client is usually your first point of contact because it decides why the data was collected. Where Cadence acts as processor, we assist the client with access, correction, export, and deletion requests.

To exercise any right, contact us using the details in section 9. We aim to respond within 30 days. We may need to verify your identity before fulfilling a request.

8. Data breaches

If we become aware of a data breach that is likely to result in serious harm, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).
  • Notify the affected individuals unless doing so would be exempt under the Act.
  • For EU/UK personal data, notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33) and, where required, notify affected individuals (GDPR Article 34).
  • Notify affected business clients (as data controllers) so they can take action for their end-users.

9. Contact us

For any privacy or data protection enquiry — including access requests, correction requests, complaints, or questions about this notice — please contact:

Jake Hickey — Privacy & Data Protection
Email: support@cadence-platform.com

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or, for EU/UK users, your local data protection supervisory authority.