Start your 7-day free trial - Full platform access
AI-Powered Privacy Policy Review

Your privacy policy is a legal document.
Treat it like one.

Vague collection descriptions that don't satisfy APP 1. Missing cross-border disclosure for cloud providers. No complaint handling process. Kontractually reviews privacy policies against the Australian Privacy Act, OAIC APP requirements, and GDPR obligations before you publish.

7-day free trial. Full platform access. No credit card required.

APP requirements checklist

8 elements every Australian privacy policy should include: the matters APP 1.4 requires a policy to contain, plus the data breach obligations that sit alongside them.

APP 1.4 prescribes what an APP privacy policy must contain. Kontractually checks every requirement against your document before you publish. Your policy should also address the notifiable data breach obligations under the Privacy Act, even though APP 1.4 does not list them.

1
Identity and contact details
The entity's name, ABN (if applicable), and contact details for privacy enquiries should be clearly disclosed. APP 1.4 does not list these as separate items, but without them individuals cannot use the access, correction and complaint mechanisms that APP 1.4(d) and (e) require the policy to describe.
2
Kinds of personal information collected
APP 1.4(a) requires disclosure of the kinds of personal information the entity collects and holds. Vague language ('information you provide us') is insufficient.
3
How information is collected
APP 1.4(b) requires the policy to state how personal information is collected and held. Primary sources (directly from individuals) and secondary sources (third parties, cookies, analytics) must be identified.
4
Purpose of collection and use
APP 1.4(c) requires the purposes for which personal information is collected, held, used and disclosed to be stated. Catch-all purposes ('as permitted by law') don't satisfy it.
5
Cross-border disclosure
APP 1.4(f) and (g) require the policy to state whether personal information is likely to be disclosed to overseas recipients (including cloud providers) and, where practicable, the countries in which those recipients are likely to be located. Separately, APP 8.1 requires the entity to take reasonable steps to ensure an overseas recipient does not breach the APPs before disclosing to it. Post-Optus/Medibank, regulators are scrutinising both closely.
6
Access and correction rights
Individuals have a right to access and correct their personal information under APPs 12 and 13. APP 1.4(d) requires the policy to explain how to exercise these rights.
7
Complaint handling process
APP 1.4(e) requires disclosure of how to make a privacy complaint and how complaints will be handled, including escalation to the OAIC.
8
Data breach response
The Notifiable Data Breaches scheme (Part IIIC of the Privacy Act) requires entities to assess a suspected eligible data breach within 30 days and to notify the OAIC and affected individuals as soon as practicable once a breach is confirmed. APP 1.4 does not require the policy to mention this, but the policy should reference the obligation and how the entity will respond.
FAQ

Privacy policy review questions.

More questions? Email us.

Your playbook defines what gets checked. A standard Australian Privacy Act playbook covers: entity identity and contact details disclosed, categories of personal information specified, collection methods identified, purpose of collection stated for each category, cross-border disclosure countries named, individual access and correction rights explained, complaint handling process described, and data breach notification obligations referenced. You can add specific APP provisions as rules.

Yes. If your business handles personal information of EU residents (including Australian businesses with EU customers), you may have GDPR obligations alongside your Australian Privacy Act obligations. You can configure a dual-review playbook that checks against both: Australian APP requirements and GDPR requirements including lawful basis for processing, data subject rights (access, erasure, portability, objection), and data retention limits.

Yes - and this is one of the most common use cases. Technology companies and SaaS businesses typically collect more personal information than traditional businesses, use more third-party processors, and have more complex cross-border data flows. Kontractually checks that the privacy policy reflects all of this accurately - particularly third-party analytics, cloud infrastructure providers, and marketing platforms that receive personal data.

Regulators have focused post-breach scrutiny on: cross-border disclosure (APP 1.4(f) and (g) require the policy to state whether data is sent overseas, including to cloud providers, and where practicable the countries; APP 8.1 requires reasonable steps to ensure the overseas recipient complies with the APPs), data minimisation (collecting only what's necessary), retention and deletion policies (not holding data indefinitely), and data breach response processes (Notifiable Data Breaches scheme obligations). Kontractually checks all four against your compliance playbook.

At minimum, review your privacy policy when: your data collection practices change, you add a new third-party processor, you start operating in a new jurisdiction, privacy legislation changes (the Privacy Act review recommendations are expected to introduce significant changes), or you experience a data incident. Kontractually makes this routine - upload the updated policy and check it against your review playbook before republishing.

Review your privacy policy before regulators do.

Set up your privacy review playbook in 10 minutes. See exactly what the Australian Privacy Principles require - and where your current policy may fall short.

Start 7-day free trial