Privacy Policy

This Privacy Policy explains how SMALL PEA SOFTWARE PTY LTD ("we", "us", "our") collects, uses, stores, and discloses personal information in connection with our website at smallpeasoftware.com and in the course of responding to client enquiries and delivering software development services.

Last updated: 2 July 2026

1. Who We Are

SMALL PEA SOFTWARE PTY LTD is an Australian proprietary company established in 2022 and based at Level 4, 8 Thomas St, Chatswood NSW 2067. We develop custom business software, web applications, API integrations, and related technical services for organisations in Australia and, where agreed, overseas.

For the purposes of the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in that Act, SMALL PEA SOFTWARE PTY LTD is the entity responsible for the personal information described in this policy. We are referred to in this document as "Small Pea Software".

Our contact details are set out in Section 19 of this policy. If you have questions about how we handle personal information, or if you wish to make a complaint, you may contact us using those details.

2. Scope of This Policy

This Privacy Policy applies to personal information we collect:

  • when you visit or interact with our website at smallpeasoftware.com ("Website");
  • when you submit an enquiry through our contact or quote forms, send us an email, or call us by telephone;
  • when you engage us to provide software development, consulting, integration, maintenance, or support services ("Services"); and
  • when you otherwise communicate with us in connection with our business.

This policy does not apply to personal information we process solely on behalf of a client where we act as a service provider handling data under that client's instructions. In those circumstances, the client's privacy policy and contractual terms govern how your information is handled, although we still take reasonable steps to protect information entrusted to us.

Our Website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing personal information to them.

Separate terms may apply to specific client projects. Where a written agreement between you and Small Pea Software addresses privacy or data handling, that agreement prevails to the extent of any inconsistency with this policy for information processed under that engagement.

We are bound by the Privacy Act where it applies to our activities. Many small businesses are not subject to the Privacy Act unless they meet certain turnover thresholds or handle health information and other prescribed categories. Regardless of whether we are legally required to comply in every respect, we handle personal information using practices aligned with the APPs because our clients and enquiry contacts reasonably expect responsible data stewardship from a software development partner.

3. What Is Personal Information?

"Personal information" has the meaning given in the Privacy Act. Generally, it is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in material form or not.

Examples of personal information we may handle include your name, job title, business contact details (email address, telephone number, postal address), company name, billing information, communications you send us, and technical information associated with your use of our Website where that information can reasonably be linked to you.

Some personal information may be sensitive information under the Privacy Act — for example, information about health, racial or ethnic origin, political opinions, religious beliefs, or criminal record. We do not ordinarily collect sensitive information through our Website or standard enquiry process. If sensitive information is relevant to a client project (for example, because the software we build processes health-related records on a client's behalf), we address handling requirements in the project agreement and only collect such information where permitted by law and with appropriate consent or authority.

4. Anonymity and Pseudonymity

Where lawful and practicable, you may interact with us without identifying yourself or by using a pseudonym. For example, you may browse our Website without submitting personal information. However, if you request a quote, engage us to deliver Services, or ask us to take action that requires verification of identity, we may need your real name and contact details. Without that information, we may be unable to respond to your enquiry, enter into a contract, or provide support.

We will inform you when identification is required and explain why. We do not refuse enquiries solely because you ask about our privacy practices before providing personal information.

5. Personal Information We Collect

The types of personal information we collect depend on how you interact with us. We collect only information that is reasonably necessary for our functions and activities, unless you voluntarily provide additional detail.

5.1 Information You Provide Directly

When you contact us or request a quote, we may collect:

  • your name and, where relevant, your role or job title;
  • your company or organisation name;
  • your email address and telephone number;
  • the content of your message, project brief, or enquiry, including details about systems, workflows, budgets, and timelines you choose to share;
  • any files or documents you attach to communications; and
  • records of follow-up correspondence, meeting notes, and agreed scope documents.

If you engage us to deliver Services, we may additionally collect billing and accounts contact details, purchase order references, tax-related information necessary for invoicing, and technical credentials or access details required to perform the work — always limited to what is necessary for the engagement.

We ask that you do not submit personal information through enquiry forms or email unless it is relevant to your request. If your project involves processing personal information about third parties (for example, your customers or employees), describe that requirement in general terms during initial conversations. Detailed data specifications are typically documented in project agreements rather than collected through our public Website.

5.2 Information Collected Automatically Through the Website

When you browse our Website, our hosting infrastructure and, where enabled, analytics tools may automatically collect technical information such as:

  • your IP address and general geographic location derived from it;
  • browser type and version, operating system, and device type;
  • pages visited, time and date of access, referring URL, and navigation paths;
  • cookie identifiers and similar technologies as described in our Cookie Policy.

We use this information to maintain Website security, understand aggregate usage patterns, and improve site performance. We do not use automatically collected Website data to build individual profiles for unrelated marketing purposes.

5.3 Information from Third Parties

We may receive personal information about you from third parties in limited circumstances — for example, where you are referred to us by an existing client, where a business associate provides your contact details with your knowledge, or where publicly available business directories list professional contact information. When we collect personal information from a third party, we take reasonable steps to ensure you are aware of the collection as required by the APPs.

5.4 Information We Do Not Collect Through Standard Enquiries

We do not require you to create a user account to browse our Website or submit a contact enquiry. We do not collect payment card details through our Website enquiry forms. Payment for Services is handled through invoicing and agreed payment methods outside the public marketing site.

6. How We Collect Personal Information

We collect personal information by lawful and fair means. Collection methods include:

  • forms on our Website (including contact and quote request forms);
  • email correspondence sent to support@smallpeasoftware.com or other published addresses;
  • telephone calls to 02 4404 1725;
  • video or in-person meetings arranged in connection with an enquiry or project;
  • automated technologies such as cookies and server logs when you use our Website; and
  • written contracts, statements of work, and project documentation.

Where it is reasonable and practicable, we collect personal information directly from you. If we collect information about you from someone else, we will take reasonable steps to notify you of that collection, the purposes for which we collected the information, and other matters required under APP 5.

7. Why We Collect, Use, and Disclose Personal Information

We collect, hold, use, and disclose personal information for purposes connected with operating our business and providing Services. Primary purposes include:

  • responding to enquiries and providing quotes, proposals, and scope outlines;
  • delivering software development, integration, consulting, maintenance, and support Services;
  • managing client relationships, project communication, and account administration;
  • issuing invoices, processing payments, and maintaining financial records;
  • maintaining our Website, ensuring security, and diagnosing technical issues;
  • improving our Website content and understanding how visitors use the site in aggregate;
  • complying with legal obligations, responding to lawful requests from regulators or courts, and establishing, exercising, or defending legal rights; and
  • sending administrative communications related to an existing enquiry or engagement.

We will not use or disclose personal information for a secondary purpose unrelated to the primary purpose of collection unless you consent, you would reasonably expect the use or disclosure, or an exception under the Privacy Act applies.

Examples of uses you would reasonably expect include: using your email address to reply to the same enquiry; retaining correspondence to understand project history if you later engage us; using billing details to issue invoices for work performed; and sharing limited contact information with a subcontractor assisting on your project where you have authorised the arrangement.

We do not use personal information from enquiries to build unrelated commercial profiles, sell data to list brokers, or disclose enquiry content to competitors. Internal access to enquiry and client records is limited to personnel involved in responding, delivering, or administering Services.

7.1 Direct Marketing

We do not sell personal information. We may send occasional communications about our Services to business contacts where permitted under the Privacy Act and applicable spam laws, including the Spam Act 2003 (Cth). You may opt out of marketing communications at any time by using the unsubscribe mechanism in an email or by contacting us. Opting out of marketing does not affect transactional or project-related messages necessary to perform Services you have requested.

8. Disclosure of Personal Information

We may disclose personal information to:

  • our employees, contractors, and professional advisers who need access to perform their roles and are bound by confidentiality obligations;
  • IT service providers who host our Website, email systems, or project management tools, including providers whose infrastructure may be located outside Australia;
  • subcontractors or specialist consultants engaged on a specific client project, where disclosure is necessary and authorised;
  • payment processors, accountants, and insurers as required for ordinary business administration;
  • law enforcement, regulatory bodies, or courts when required or authorised by law; and
  • a successor entity in the event of a merger, acquisition, or sale of business assets, subject to appropriate confidentiality safeguards.

We take reasonable steps to ensure third parties that handle personal information on our behalf only use it for the purposes for which it was disclosed and apply appropriate security measures.

Before engaging a new service provider that will handle personal information, we assess whether the provider's security practices and contractual terms are appropriate for the type of information involved. Where a provider processes information only in de-identified or aggregated form — for example, anonymous Website analytics — disclosure may not involve personal information as defined in the Privacy Act.

9. Overseas Disclosure

Some of our service providers — including cloud hosting, email, and collaboration platforms — may store or process personal information outside Australia, commonly in the United States, European Union, or other jurisdictions where those providers maintain data centres.

Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient complies with the APPs or is subject to a substantially similar privacy regime, unless an exception under APP 8 applies. By submitting an enquiry or engaging our Services where overseas disclosure is reasonably necessary, you acknowledge that such disclosure may occur for the purposes described in this policy.

If you require personal information to be stored or processed only within Australia for a specific project, raise this during scoping. We will advise whether we can accommodate that requirement and any impact on service delivery or cost.

10. Storage, Retention, and Security

We store personal information in electronic form on secured systems and, where necessary, in paper records. Access is limited to personnel who need the information to perform their duties.

We implement reasonable technical and organisational measures designed to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These measures may include access controls, encrypted connections (HTTPS) on our Website, authentication requirements for internal systems, and contractual confidentiality obligations for staff and contractors.

No method of transmission or storage is completely secure. While we take seriously our obligation to protect personal information, we cannot guarantee absolute security. You are responsible for keeping any credentials we issue to you confidential and for notifying us promptly if you suspect unauthorised access.

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Enquiry records that do not proceed to an engagement are generally retained for a limited period sufficient to manage follow-up and then deleted or de-identified unless we are required to keep them longer. Client project records are retained in accordance with contractual obligations and applicable limitation periods for legal claims.

When personal information is no longer needed, we take reasonable steps to destroy or de-identify it.

Security practices we may employ include: restricting administrative access to production systems; using unique credentials for each team member; applying software updates to internet-facing services; backing up critical business records; and reviewing access permissions when staff or contractors conclude their involvement with a project. Specific security controls for software we build on your behalf are documented in project agreements and may include encryption in transit, role-based access within the application, audit logging, and separation of production and test environments.

If we become aware that personal information we hold has been lost or subjected to unauthorised access, modification, or disclosure, we will investigate promptly and take remedial action, including notification where required under the Notifiable Data Breaches scheme described in Section 13.

11. Quality of Personal Information

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up to date, complete, and relevant, having regard to the purpose of its use or disclosure (APP 10). You can help us maintain accurate records by notifying us promptly if your contact details change or if you believe information we hold about you is incorrect.

During active projects, we rely on client representatives to provide accurate user requirements and data specifications. Where we become aware that personal information we hold is inaccurate or out of date, we will correct it or, if correction is disputed, note the dispute on our records and take reasonable steps to verify the correct information.

12. Personal Information in Software We Build

When we develop custom software for clients, the application may process personal information belonging to our client's staff, customers, or other individuals. In those circumstances, our client is typically the entity that determines the purposes and means of processing that information. We act as a service provider building and maintaining systems according to the client's instructions.

Project agreements address confidentiality, access controls, data handling during development and testing, use of production data in non-production environments, and obligations at project completion — including secure deletion or return of data we hold on the client's behalf. We do not use client production data for our own unrelated purposes.

If you are an individual whose personal information is processed in a system we built for another organisation, please contact that organisation in the first instance. We will assist our client in responding to lawful requests where required under our contract with them.

13. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we become aware of a data breach involving personal information we hold that is likely to result in serious harm to affected individuals, we will assess the breach promptly, take steps to contain and remediate it, and notify affected individuals and the OAIC as required by law.

Our response includes documenting the incident, identifying what information was involved, evaluating the risk of serious harm, and implementing measures to prevent recurrence. If you believe there has been unauthorised access to personal information you provided to us, contact us immediately using the details in Section 19.

14. Access to and Correction of Personal Information

Under APP 12 and APP 13, you have the right to request access to personal information we hold about you and to request correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

To make an access or correction request, contact us using the details in Section 19. We will respond within a reasonable period, generally within 30 days. We may need to verify your identity before processing a request.

We may decline access in circumstances permitted by the Privacy Act — for example, where giving access would pose a serious threat to life, health, or safety, would unreasonably affect the privacy of others, or is frivolous or vexatious. If we refuse access or correction, we will provide written reasons and information about how you may lodge a complaint.

We do not charge a fee for making a request. We may charge a reasonable administrative fee if you request multiple copies or if the request requires substantial effort, but we will inform you before proceeding.

15. Cookies and Website Analytics

Our Website uses cookies and similar technologies as described in our Cookie Policy. Cookies may collect identifiers and usage information that, in combination with other data, could be personal information.

Where we use analytics tools, we configure them to collect aggregated usage data and minimise identification of individual visitors where practicable. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Website functionality.

16. Complaints

If you believe we have breached the APPs or mishandled your personal information, please contact us first so we can investigate and attempt to resolve the matter. Complaints should be sent to support@smallpeasoftware.com with sufficient detail for us to understand and respond.

We will acknowledge your complaint promptly and aim to provide a written response within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

The OAIC can investigate complaints about interference with privacy under the Privacy Act. We encourage you to contact us before approaching the OAIC so we have an opportunity to address your concerns directly.

17. Our Commitment to the Australian Privacy Principles

Small Pea Software is committed to handling personal information in accordance with the APPs. In summary, the APPs require us to:

  • APP 1 — Open and transparent management: maintain this policy and make information about our practices available.
  • APP 2 — Anonymity and pseudonymity: give individuals the option of not identifying themselves where lawful and practicable.
  • APP 3 — Collection of solicited personal information: collect information only by lawful and fair means, and only where reasonably necessary.
  • APP 4 — Dealing with unsolicited personal information: destroy or de-identify unsolicited information we could not have collected under APP 3.
  • APP 5 — Notification of collection: take reasonable steps to notify individuals or ensure they are aware of required matters at or before collection.
  • APP 6 — Use or disclosure: use or disclose personal information only for the primary purpose of collection or for related secondary purposes you would reasonably expect, or with consent or as permitted by law.
  • APP 7 — Direct marketing: limit direct marketing and provide opt-out mechanisms.
  • APP 8 — Cross-border disclosure: take reasonable steps before overseas disclosure to ensure APP compliance.
  • APP 9 — Adoption, use, or disclosure of government related identifiers: not adopt government identifiers as our own identifiers except as permitted.
  • APP 10 — Quality of personal information: take reasonable steps to ensure information is accurate, up to date, and complete.
  • APP 11 — Security of personal information: take reasonable steps to protect information from misuse, interference, loss, and unauthorised access.
  • APP 12 — Access to personal information: provide access on request, subject to exceptions in the Privacy Act.
  • APP 13 — Correction of personal information: correct inaccurate information on request and notify third parties where required.

This summary is provided for convenience. If there is any inconsistency between this summary and the Privacy Act, the Privacy Act prevails.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Material changes will be published on this page. Where appropriate, we may also notify active clients or enquiry contacts by email. Your continued use of the Website or communication with us after an updated policy is published constitutes acknowledgement of the changes, except where further consent is required by law.

We recommend reviewing this policy periodically. Previous versions may be available on request.

19. Contact Us

For privacy enquiries, access or correction requests, or complaints about how we handle personal information, contact:

Privacy Contact — SMALL PEA SOFTWARE PTY LTD
Level 4, 8 Thomas St, Chatswood NSW 2067, Australia
Email: support@smallpeasoftware.com
Phone: 02 4404 1725
Website: smallpeasoftware.com

Please include sufficient detail for us to identify you and understand your request. We treat privacy correspondence confidentially.