Privacy Policy

Cognitex Consulting may collect the following types of personal information:

• Identity information: names, job titles, employer details, professional qualifications and registration details.
• Contact information: email addresses, telephone numbers, postal addresses and LinkedIn profiles.
• Business information: organisational structure, internal legal operations data, technology environments and vendor relationships provided during consulting engagements.
• Financial information: billing and invoicing details, bank account details for payment purposes.
• Communications: correspondence, meeting notes, workshop outputs and feedback provided during engagements.
• Technical information: device identifiers, IP addresses and usage data when you interact with our digital platforms or communications.

Cognitex Consulting does not intentionally collect sensitive information. Where sensitive information is incidentally provided in the course of an engagement (for example, within client documents or during scope discussions), we will handle it with additional care and will not use it for any purpose other than the engagement for which it was provided, unless required by law.

Where it is lawful and practicable to do so, we will offer individuals the option of not identifying themselves or of using a pseudonym when interacting with us. However, in most cases anonymity is not practicable given the nature of our consulting engagements and contractual relationships.

Cognitex Consulting collects personal information in the following ways:

• Directly from individuals during the course of client engagements, including through meetings, workshops, interviews, surveys and correspondence.
• From client organisations when they provide us with contact details or internal data as part of an engagement.
• From publicly available sources, including ASX announcements, company websites, LinkedIn and professional directories, when conducting business development research.
• From referrals and introductions made by existing clients, professional contacts or industry networks.
• Through our website, including via contact forms and email communications.

At or before the time of collection, Cognitex Consulting will take reasonable steps to notify individuals of the matters required under APP 5, including the purposes of collection, how we handle personal information, and how individuals can access and correct their information. This notice may be provided through this Privacy Policy, through engagement letters, or through other communications at the point of collection.

Cognitex Consulting collects, holds, uses and discloses personal information for the following primary purposes:

• Delivering legal technology consulting and advisory services to clients.
• Managing client engagement relationships, including communications, billing and reporting.
• Conducting business development activities, including preparing proposals and client profiles for prospective clients.
• Complying with legal and regulatory obligations.
• Managing our internal operations, including record-keeping, quality assurance and risk management.

Cognitex Consulting may also use personal information for secondary purposes that are directly related to the primary purpose of collection, where the individual would reasonably expect such use. This includes:

• Sending service-related communications and updates relevant to an existing engagement.
• Improving our service delivery and internal processes using anonymised or aggregated insights.
• Providing references or case studies with appropriate consents.

Cognitex Consulting may use personal information of existing clients and professional contacts to send relevant updates, thought leadership materials and information about our services, where the individual would reasonably expect to receive such communications or has provided consent. Each marketing communication will include an option to unsubscribe. We will honour all opt-out requests promptly.

Cognitex Consulting does not use or disclose personal information obtained from third parties for direct marketing without first obtaining consent.

Cognitex Consulting may disclose personal information to the following categories of third parties where necessary to deliver our services or comply with our obligations:

• Subcontractors and specialist advisers engaged to assist with specific aspects of a client engagement, subject to confidentiality obligations equivalent to those in this policy.
• Technology vendors and software providers used in the delivery of our services, including cloud platforms, document management systems and productivity tools.
• Professional advisers including accountants, insurers and legal advisers acting for Cognitex Consulting.
• Regulatory bodies or law enforcement agencies where disclosure is required by law or a court order.

Some of the technology platforms and cloud services used by Cognitex Consulting are operated by entities outside Australia. Where personal information is disclosed to overseas recipients, Cognitex Consulting takes reasonable steps to ensure those recipients handle the information in a manner consistent with the APPs. By providing your personal information to Cognitex Consulting and agreeing to this Privacy Policy, you consent to such overseas disclosure where it cannot reasonably be avoided in the delivery of services.

Cognitex Consulting does not sell, rent or trade personal information to third parties for commercial purposes.

Cognitex Consulting uses AI-assisted tools internally to support service delivery, research, document drafting and analysis. In accordance with guidance from the Office of the Australian Information Commissioner (OAIC), we have established the following practices governing our use of AI tools:

• We assess AI tools for privacy and security risks prior to use on client engagements.
• We avoid inputting identifiable personal information into AI systems where it is not necessary for the task.
• We apply human oversight and review to all AI-generated outputs before they are relied upon or disclosed.
• We maintain records of the AI tools used in the delivery of services.

Where Cognitex Consulting uses AI tools in the delivery of work product, we will disclose this to clients as part of our engagement methodology. Clients are entitled to request that AI tools not be used on their matters, subject to agreement on scope and timing.

Cognitex Consulting will not input identifiable client personal information into third-party AI platforms without the prior written consent of the relevant client, unless the platform is a contracted service provider with appropriate data processing terms in place.

Cognitex Consulting maintains an internal AI Use Policy that governs the responsible use of AI tools across our practice. This policy is reviewed annually and is aligned with the National AI Centre's Guidance for AI Adoption and the OAIC's guidance on privacy and the use of commercially available AI products.

Cognitex Consulting takes reasonable steps to ensure that the personal information we hold is accurate, up to date and complete. We encourage individuals to notify us of any changes to their personal information by contacting us using the details provided in section 13 of this policy.

Cognitex Consulting implements appropriate technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our security measures include:

• Password protection and multi-factor authentication for systems containing personal information.
• Encryption of personal information in transit using industry-standard protocols.
• Access controls limiting access to personal information to authorised personnel on a need-to-know basis.
• Regular review of third-party software and cloud platform security settings.
• Physical security measures for any documents containing personal information.

Cognitex Consulting retains personal information for as long as it is required for the purposes for which it was collected, or as required by law. Personal information that is no longer required is securely destroyed or de-identified. Client engagement records are generally retained for a minimum of seven years following the conclusion of an engagement in accordance with applicable professional obligations.

Individuals have the right to request access to personal information that Cognitex Consulting holds about them. Requests should be made in writing to the contact details in section 13. We will respond to access requests within 30 days of receipt. In some circumstances, access may be refused where permitted under the Privacy Act, and we will provide written reasons for any refusal.

If an individual believes that personal information Cognitex Consulting holds about them is inaccurate, out of date, incomplete, irrelevant or misleading, they may request that it be corrected. We will take reasonable steps to correct the information within 30 days of receiving a correction request. Where we disagree with a correction request, we will provide written reasons.

Individuals who have a complaint about the way Cognitex Consulting has handled their personal information should contact our Privacy Contact using the details in section 13. We will acknowledge receipt of complaints within five business days and aim to provide a substantive response within 30 days.

If an individual is not satisfied with Cognitex Consulting's response to a privacy complaint, they may refer the complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.