Last updated: 29 June 2026
This Privacy Policy explains how we handle personal information. In this policy, "we", "us", "our" and "Scalus" mean TMC Media Pty Ltd (ABN 26 660 757 415), trading as Scalus App, of Melbourne, Victoria, Australia.
We provide websites, digital marketing, and marketing-automation services to our clients. This means we handle personal information in two different roles:
We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes our practices and is intended to be read alongside, not instead of, your rights under the Privacy Act. It forms part of how we handle personal information and does not vary the terms of any services agreement you have with us.
When you visit our website, request a demo, or contact us, we may collect:
When you become a client, we also collect and hold:
In addition, while operating systems on a client's behalf, we hold and process information that the client provides about their contacts and leads (such as names, contact details, enquiry details, and records of interactions with the client's website or campaigns). We hold this on the client's behalf — see sections 1 and 5.
We generally only collect personal information that we reasonably need for the purposes described in this policy. Where it is lawful and practical, you can deal with us anonymously or using a pseudonym, although we may not be able to provide some services without certain details.
We use personal information to:
If we want to use your information for a materially different purpose, we will seek your consent or otherwise rely on a basis permitted by law.
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include access controls so that information is available to staff and contractors who need it, use of reputable service providers, and other technical and organisational measures appropriate to the information we hold.
No method of transmission or storage is completely secure, and we cannot guarantee that information will never be accessed, disclosed, altered or destroyed in breach of our safeguards. We aim to keep our security measures appropriate to the sensitivity of the information and the risks involved.
We use a range of third-party platforms to deliver our services, and your information may be stored or processed in Australia or overseas depending on where those providers operate (see section 7).
A large part of what we do involves operating marketing and automation systems for our clients. When a client loads or generates information about their own customers, leads or contacts in those systems, we generally handle that information on the client's behalf and under the client's instructions.
For that information:
From time to time we may send you marketing about our services by email, SMS or other electronic means. We send electronic marketing only where we have your consent or it is otherwise permitted under the Spam Act 2003 (Cth). Every marketing message identifies us as the sender and includes a simple way to opt out (such as an unsubscribe link or reply instruction), and we will action opt-out requests within a reasonable time.
You can also ask us at any time to stop sending you marketing, or to tell you the source of personal information we have used for marketing, by emailing privacy@scalus.app. We will not use sensitive information for direct marketing without your consent. Opting out of marketing does not stop service-related messages, such as account, billing or support communications.
We do not sell your personal information. We may share personal information with trusted third parties who help us provide our services, including:
We only share what is reasonably necessary for these purposes, and we take reasonable steps to use providers that handle information appropriately. We may also disclose information where required or authorised by law, or to protect our rights, safety or property or those of others.
Some of these providers, and the tools used by our clients' systems, are based overseas or store data on servers outside Australia. This means your personal information is likely to be stored or processed by, or disclosed to, overseas recipients. The countries in which our principal service providers operate or store data include the United States, and may include the European Union and other countries. Where we disclose personal information overseas, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, but we cannot always control or guarantee how an overseas recipient handles it.
Where we manage advertising or marketing for a client, we access data from advertising and business platforms such as Meta (Facebook and Instagram) and Google through their official APIs. This may include ad accounts, business assets, pages, performance and insights data, and lead or conversion data generated by the client's campaigns. We access and use this data solely to set up, operate, measure and improve advertising for the relevant client, and in accordance with those platforms' terms and policies. We do not sell this data or use it for unrelated purposes. Where we hold a platform access token or credentials, we keep them confidential and use them only to provide the agreed services.
Our website uses cookies and similar technologies to remember your preferences, keep the site working, and understand how the site is used. We use analytics and advertising tools, including those provided by Meta and Google, which may set cookies and collect usage information.
You can disable or delete cookies in your browser settings, but some parts of the site may not work properly if you do. Some platforms offer their own opt-out or ad-preference settings, which you can use to limit how they use your information.
We use automation in some of our services — for example, to segment contacts, score or prioritise leads, and trigger follow-up messages. These tools assist our team and do not, on their own, make decisions that produce legal effects for you or similarly significantly affect you.
If that changes — that is, if we start using personal information in a substantially automated way to make decisions that could significantly affect you — we will update this section to describe the kinds of information used and the nature of those decisions, as required under the Privacy Act (including the automated-decision transparency requirements taking effect by December 2026).
We keep personal information only for as long as we reasonably need it for the purposes described in this policy, or for as long as required by law (for example, tax and business records). When we no longer need information, we take reasonable steps to delete it or de-identify it.
For information we hold on a client's behalf, retention is generally determined by our agreement with that client and the client's own requirements.
You can ask us to:
You can also ask us to delete information we hold about you, where we are able to do so — though we may need to keep some information to meet legal obligations or to complete a service you have asked for. For how to make a deletion request and what happens next, see our Data Deletion Request page.
To make a request, email privacy@scalus.app. We may need to verify your identity first. We will respond within a reasonable time, usually within 30 days (and within the timeframes the Privacy Act requires for access requests). Access is normally free, although we may charge a reasonable cost in some cases. If we correct your information we will do so promptly. If we decline to give access or to correct information, we will tell you in writing why and how you can complain, including to the OAIC.
If you have a privacy complaint, please make it in writing to privacy@scalus.app, including enough detail for us to investigate. We will acknowledge your complaint and aim to respond within 30 days. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992. The OAIC generally expects you to raise your complaint with us first and give us a reasonable chance to respond.
If we suspect a data breach involving personal information we hold, we will assess it promptly — and within the timeframes required by the Privacy Act, generally within 30 days — and take reasonable steps to contain it. Where we are required to under the Notifiable Data Breaches scheme in the Privacy Act, we will notify the OAIC and affected individuals of an eligible data breach that is likely to result in serious harm.
Where a breach involves information we hold on a client's behalf, we will notify the relevant client promptly and work with them to meet any notification obligations, as the client is generally the entity responsible for that information.
Our website and services are intended for businesses and adults, and are not directed at children. We do not knowingly collect personal information from children. If we become aware that we have collected a child's personal information without appropriate consent, we will take reasonable steps to delete it.
We may update this Privacy Policy from time to time. The current version will always be posted on this page with an updated date, and we can provide a prior version on request. We encourage you to review it periodically. If we make a significant change, we will take reasonable steps to bring it to your attention. This policy governs how we handle personal information; it does not vary the terms of any services agreement, which has its own change process.
For any questions or requests about your privacy, contact us:
We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.