Privacy Policy

Last updated: 29 June 2026

1. Who we are and what this policy covers

This Privacy Policy explains how we handle personal information. In this policy, "we", "us", "our" and "Scalus" mean TMC Media Pty Ltd (ABN 26 660 757 415), trading as Scalus App, of Melbourne, Victoria, Australia.

We provide websites, digital marketing, and marketing-automation services to our clients. This means we handle personal information in two different roles:

  • Information about you, as our own customer or enquirer — for example, when you visit our website, request a demo, contact us, or become a Scalus client. For this information we decide how and why it is handled, and this policy applies to that information.
  • Information about other people that our clients put into the systems we build or operate for them — for example, our clients' own customers, leads and contacts. For this information we generally act on the client's instructions, as their service provider. The client is responsible for collecting that information lawfully and for having any consents or notices required (including consent to load it into our systems). Section 5 explains this in more detail.

We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes our practices and is intended to be read alongside, not instead of, your rights under the Privacy Act. It forms part of how we handle personal information and does not vary the terms of any services agreement you have with us.

2. What we collect

When you visit our website, request a demo, or contact us, we may collect:

  • Your name, phone number and email address
  • Your business or company details
  • Any information you choose to give us in messages, forms or enquiries
  • Information about how you use our website, such as pages viewed, device and browser type, and general location, collected through analytics and cookies (see section 9)

When you become a client, we also collect and hold:

  • Business and billing information
  • Account, login and support information
  • Data needed to build, run and maintain your website, campaigns and automations

In addition, while operating systems on a client's behalf, we hold and process information that the client provides about their contacts and leads (such as names, contact details, enquiry details, and records of interactions with the client's website or campaigns). We hold this on the client's behalf — see sections 1 and 5.

We generally only collect personal information that we reasonably need for the purposes described in this policy. Where it is lawful and practical, you can deal with us anonymously or using a pseudonym, although we may not be able to provide some services without certain details.

3. How we use your information

We use personal information to:

  • Provide, operate, maintain and improve our services
  • Respond to your enquiries and provide support
  • Contact you about demos, quotes, invoices, accounts and service matters
  • Build and run client websites, campaigns and automations
  • Send marketing communications, where permitted (see section 6)
  • Maintain the security and integrity of our systems and help prevent fraud or misuse
  • Meet our legal, tax and regulatory obligations

If we want to use your information for a materially different purpose, we will seek your consent or otherwise rely on a basis permitted by law.

4. Data storage and security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include access controls so that information is available to staff and contractors who need it, use of reputable service providers, and other technical and organisational measures appropriate to the information we hold.

No method of transmission or storage is completely secure, and we cannot guarantee that information will never be accessed, disclosed, altered or destroyed in breach of our safeguards. We aim to keep our security measures appropriate to the sensitivity of the information and the risks involved.

We use a range of third-party platforms to deliver our services, and your information may be stored or processed in Australia or overseas depending on where those providers operate (see section 7).

5. Information our clients put into our systems

A large part of what we do involves operating marketing and automation systems for our clients. When a client loads or generates information about their own customers, leads or contacts in those systems, we generally handle that information on the client's behalf and under the client's instructions.

For that information:

  • The client is responsible for collecting it lawfully and for giving any privacy notices and obtaining any consents required (including to share it with us and to load it into our systems).
  • We use it to provide the services the client has engaged us for, and we do not use it for our own unrelated purposes.
  • If you are one of our client's customers or leads and you have a question or request about your information, please contact that client directly, as they are best placed to manage it. You can also contact us (see section 16) and we will refer your request to the relevant client or assist where appropriate.

6. Direct marketing and your choices

From time to time we may send you marketing about our services by email, SMS or other electronic means. We send electronic marketing only where we have your consent or it is otherwise permitted under the Spam Act 2003 (Cth). Every marketing message identifies us as the sender and includes a simple way to opt out (such as an unsubscribe link or reply instruction), and we will action opt-out requests within a reasonable time.

You can also ask us at any time to stop sending you marketing, or to tell you the source of personal information we have used for marketing, by emailing privacy@scalus.app. We will not use sensitive information for direct marketing without your consent. Opting out of marketing does not stop service-related messages, such as account, billing or support communications.

7. Third parties and overseas disclosure

We do not sell your personal information. We may share personal information with trusted third parties who help us provide our services, including:

  • Website and application hosting and cloud-infrastructure providers
  • Customer-relationship-management (CRM) and marketing-automation platforms
  • Email and SMS delivery providers
  • Advertising and analytics platforms, including Meta and Google
  • Payment processors and accounting providers
  • Professional advisers (such as legal and accounting advisers) and IT support contractors

We only share what is reasonably necessary for these purposes, and we take reasonable steps to use providers that handle information appropriately. We may also disclose information where required or authorised by law, or to protect our rights, safety or property or those of others.

Some of these providers, and the tools used by our clients' systems, are based overseas or store data on servers outside Australia. This means your personal information is likely to be stored or processed by, or disclosed to, overseas recipients. The countries in which our principal service providers operate or store data include the United States, and may include the European Union and other countries. Where we disclose personal information overseas, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, but we cannot always control or guarantee how an overseas recipient handles it.

8. Advertising platform data

Where we manage advertising or marketing for a client, we access data from advertising and business platforms such as Meta (Facebook and Instagram) and Google through their official APIs. This may include ad accounts, business assets, pages, performance and insights data, and lead or conversion data generated by the client's campaigns. We access and use this data solely to set up, operate, measure and improve advertising for the relevant client, and in accordance with those platforms' terms and policies. We do not sell this data or use it for unrelated purposes. Where we hold a platform access token or credentials, we keep them confidential and use them only to provide the agreed services.

9. Cookies and analytics

Our website uses cookies and similar technologies to remember your preferences, keep the site working, and understand how the site is used. We use analytics and advertising tools, including those provided by Meta and Google, which may set cookies and collect usage information.

You can disable or delete cookies in your browser settings, but some parts of the site may not work properly if you do. Some platforms offer their own opt-out or ad-preference settings, which you can use to limit how they use your information.

10. Automated processing

We use automation in some of our services — for example, to segment contacts, score or prioritise leads, and trigger follow-up messages. These tools assist our team and do not, on their own, make decisions that produce legal effects for you or similarly significantly affect you.

If that changes — that is, if we start using personal information in a substantially automated way to make decisions that could significantly affect you — we will update this section to describe the kinds of information used and the nature of those decisions, as required under the Privacy Act (including the automated-decision transparency requirements taking effect by December 2026).

11. Data retention

We keep personal information only for as long as we reasonably need it for the purposes described in this policy, or for as long as required by law (for example, tax and business records). When we no longer need information, we take reasonable steps to delete it or de-identify it.

For information we hold on a client's behalf, retention is generally determined by our agreement with that client and the client's own requirements.

12. Your rights — access, correction and complaints

You can ask us to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate, out of date or incomplete
  • Stop sending you marketing (see section 6)

You can also ask us to delete information we hold about you, where we are able to do so — though we may need to keep some information to meet legal obligations or to complete a service you have asked for. For how to make a deletion request and what happens next, see our Data Deletion Request page.

To make a request, email privacy@scalus.app. We may need to verify your identity first. We will respond within a reasonable time, usually within 30 days (and within the timeframes the Privacy Act requires for access requests). Access is normally free, although we may charge a reasonable cost in some cases. If we correct your information we will do so promptly. If we decline to give access or to correct information, we will tell you in writing why and how you can complain, including to the OAIC.

If you have a privacy complaint, please make it in writing to privacy@scalus.app, including enough detail for us to investigate. We will acknowledge your complaint and aim to respond within 30 days. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992. The OAIC generally expects you to raise your complaint with us first and give us a reasonable chance to respond.

13. Data breaches

If we suspect a data breach involving personal information we hold, we will assess it promptly — and within the timeframes required by the Privacy Act, generally within 30 days — and take reasonable steps to contain it. Where we are required to under the Notifiable Data Breaches scheme in the Privacy Act, we will notify the OAIC and affected individuals of an eligible data breach that is likely to result in serious harm.

Where a breach involves information we hold on a client's behalf, we will notify the relevant client promptly and work with them to meet any notification obligations, as the client is generally the entity responsible for that information.

14. Children

Our website and services are intended for businesses and adults, and are not directed at children. We do not knowingly collect personal information from children. If we become aware that we have collected a child's personal information without appropriate consent, we will take reasonable steps to delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. The current version will always be posted on this page with an updated date, and we can provide a prior version on request. We encourage you to review it periodically. If we make a significant change, we will take reasonable steps to bring it to your attention. This policy governs how we handle personal information; it does not vary the terms of any services agreement, which has its own change process.

16. Contact us

For any questions or requests about your privacy, contact us:

  • TMC Media Pty Ltd (ABN 26 660 757 415), trading as Scalus App
  • Email: privacy@scalus.app
  • Address: Melbourne, VIC, Australia (postal address available on request)

We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.