
Privacy Policy

Last updated: 21 May 2026

SUMMARY OVERVIEW AND CONSENT

  1. We are BOO Group, consisting of BOO Group Holdings Pty Ltd (ACN 673 052 509) and its affiliated corporate entities (Provider, we, us and our). This policy explains how we collect, use and disclose personal data when you use BOO Auth (“Service”) and the choices you have associated with that data.

  2. This policy applies to the data handling for all members of our group; the central data handling entities are listed in the “Third-Parties and Internal Organisations” section below. For clarification on the handling of data for your particular circumstance, use the contact details at the end of this policy.

  3. We use your data to operate and secure the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

DEFINITIONS (GENERAL)

Websites

  1. The Websites are any websites owned, operated or maintained by us or any of our group entities, including but not limited to booauth.com and any current or future domains, subdomains or web applications operated by or on behalf of BOO Group Holdings Pty Ltd or its affiliated corporate entities (each a “Website” and together the “Websites”).

Services

  1. The Services are the Websites, the BOO Auth identity and authentication platform, any software platforms or applications operated by us or our group entities, and the APIs, SDKs and admin tooling that form part of BOO Auth.

Personal Data

  1. Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

Usage Data

  1. Usage Data is data collected automatically and either generated through use of the Services or from the infrastructure underpinning the Services.

Cookies

  1. Cookies are small files stored on your device (computer or mobile device). When you visit our Websites, we may collect information from you automatically through cookies or similar technology. For more information, visit: https://www.allaboutcookies.org/

  2. For more information about our cookies, please see our Cookie Policy.

Controller

  1. Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.

  2. For the purpose of this Privacy Policy, we are a Controller of your Personal Data. Where your account was provisioned by an organisation that has subscribed to BOO Auth, that organisation acts as a separate Controller for the personal information they instruct us to process on their behalf — we act as a Processor in that capacity.

Processors (or Service Providers)

  1. Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Controller.

  2. We use the services of various Service Providers to deliver the BOO Auth Service. They are listed in the “Third-Parties and Internal Organisations” section below.

Data Subject (or User)

  1. Data Subject is any living individual who is using our Service and is the subject of Personal Data.

Information Collection and Use

  1. We collect several different types of information for the purposes of authenticating users, enforcing security policies, and maintaining a tamper-evident audit trail of security-relevant actions.

Do Not Track (DNT)

  1. The “Do Not Track” (“DNT”) preference can be set in your web browser to inform some websites (which support this technology) that you do not want to be tracked.

  2. The BOO Auth Service does not use behavioural advertising or analytics cookies; the operational cookies required for authentication are not subject to DNT.

DEFINITIONS (BODIES AND LAWS)

Australian Privacy Principles (APP)

  1. Reference to APP in this policy means the Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth). These APPs govern the content of privacy policies and rights under Australian law.

  2. A summary of the APPs is available at: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference

The Office of the Australian Information Commissioner (OAIC)

  1. The OAIC is the principal body which administers Australia’s privacy laws and the Australian Privacy Principles.

  2. The OAIC website is: https://www.oaic.gov.au/

Information Privacy Principles (IPP)

  1. Reference to IPP in this policy means the New Zealand Information Privacy Principles contained in the Privacy Act 2020 (New Zealand).

  2. A summary of the IPPs is available at: https://www.privacy.org.nz/privacy-act-2020/privacy-principles/

The European Economic Area (EEA)

  1. EEA refers to the contracting parties of the European Economic Area as established by the Agreement on the European Economic Area. This area covers the European Union (“EU”) and some other zones deemed part of the EU’s economic area.

Which parts of this policy apply to you?

Territories and applicable laws

  1. Your actual rights and the available complaints / remedies will change depending on what privacy laws apply to you. This Privacy Policy aims to comply with the privacy laws of these specific territories:

a. Australia:

  • Laws: The Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth), and requirements under the Spam Act 2003 (Cth) (altogether the “AU Privacy Law”)
  • Does this apply: These laws apply based on who the data collector is (Australian businesses like us), not based on the nationality of the data subject.

b. Europe:

  • Laws: The General Data Protection Regulation (EU 2016/679) (GDPR or “EU Privacy Law”)
  • Does this apply: These laws apply if you are a resident of the European Economic Area (EEA).

c. United Kingdom:

  • Laws: The UK General Data Protection Regulation (“UK GDPR”) and Privacy and Electronic Communications Regulations 2003 (“PECR”) (altogether the “UK Privacy Law”)
  • Does this apply: These laws apply if you are located in or a citizen of the UK.

d. United States of America:

  • Laws: The California Consumer Privacy Act (CCPA) and the Children’s Online Privacy Protection Act (COPPA) (altogether the “US Privacy Law”)
  • Does this apply: These laws apply if you are a resident of the state of California, USA.

e. New Zealand:

  • Laws: Privacy Act 2020 No. 31 and the Information Privacy Principles (the “NZ Privacy Law”)
  • Does this apply: These laws apply if you are located in or a resident of NZ.

f. Canada:

  • Laws: Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 (“PIPEDA” or the “CA Privacy Law”)
  • Does this apply: If you are located in Canada.

  1. Regardless of which privacy laws may apply to you, you may still contact us to resolve any concerns using the contact details and complaints handling process contained in this policy.

  2. In this policy Protected Data refers to either:

a. Personal Information, Sensitive Information and Credit Information, under the AU Privacy Law;

b. Personal Data, under the EU Privacy Law;

c. Personal Data, under the UK Privacy Law;

d. Personal Information, under the US Privacy Law;

e. Personal Information, under the NZ Privacy Law;

f. Personal Information, under the CA Privacy Law.

Is this policy a contract?

  1. This Privacy Policy is not a contract itself. It is a compliance document required by law for us to explain certain things to the public. The Terms of Service for the BOO Auth Service incorporate this Privacy Policy by reference.

Data use, definitions and collection

  1. We use your data to operate and secure the Service. By using the Services, you agree to the collection and use of information in accordance with this policy.

Personal Data

  1. While using BOO Auth, in particular when your account is created and when you sign in, we collect the following Personal Data:

Types of Data | Purpose | Who/When
Name (first and last) | Identification, display to your organisation’s admins | On account creation
Email address | Identification, login, transactional notifications (password reset, security alerts, invitations) | On account creation
Profile image (optional) | Display in your account profile | On account creation or update
Password hash (bcrypt) | Authentication. We never store the plaintext password. | On account creation and password change
TOTP secret (encrypted) | Time-based one-time-password MFA, when enrolled | On TOTP enrolment
WebAuthn public credentials | Passkey MFA, when enrolled | On passkey enrolment
Linked identity provider subject IDs (e.g. Google sub) | Allow sign-in via the linked provider | On linking a third-party provider
Organisation and role memberships | Authorisation decisions | On admin provisioning or invitation acceptance
IP address | Audit trail, rate limiting, security analytics | On every request to the Service
User-Agent string | Audit trail, security analytics | On every request to the Service
Session timestamps (login, last activity) | Session expiry enforcement, audit | On login and through session lifetime

  1. We do not use BOO Auth account data for marketing. Transactional emails (password resets, invitations, security alerts) are sent on the basis of the Service contract with your organisation.

Usage Data (Audit Logs)

  1. BOO Auth maintains a tamper-evident audit log of security-relevant actions. The audit log records, for each event:

a. The action taken (e.g. login attempt, password change, MFA enrolment, role change, OAuth token issuance, administrative action).

b. The actor (the user, application, or system that performed the action).

c. The target (the user, organisation, or resource affected).

d. IP address and User-Agent of the request that triggered the action.

e. A correlation identifier that links related events from the same request.

f. A cryptographic hash chain linking each record to the previous one, so that any tampering with historical entries can be detected.

  1. Audit logs are essential to the security purpose of the Service and cannot be opted out of while you hold an account.

Operational Telemetry

  1. We use Sentry to collect error reports from the BOO Auth Service. Error reports may include stack traces, request paths, user identifiers, and other information necessary to diagnose faults. We do not use Sentry for behavioural analytics or advertising.

Location Data

  1. The Service collects IP addresses for audit and rate-limiting purposes. We do not separately collect or store live geolocation information.

Identification, Tracking & Cookies Data

  1. BOO Auth uses only essential cookies. See our Cookie Policy for the complete list.

Children’s Privacy

  1. The Service does not address anyone under the age of 18 (“Child/Children”).

  2. We do not knowingly collect personally identifiable information from Children.

  3. If we become aware that we have collected Personal Data from a Child without verification of parental consent, we take steps to remove that information from our servers.

  4. If you are a parent or guardian and you are aware that a/your Child has provided us with Personal Data, please contact us.

HOW DATA IS COLLECTED

General

  1. We may collect data either directly from you, or from your organisation’s administrator, when:

a. Your account is provisioned by an organisation administrator (single-user create, invitation, or bulk upload);

b. You register through an invitation link;

c. You sign in (including via a linked third-party identity provider such as Google);

d. You enrol or use a multi-factor authentication method;

e. You communicate with us through correspondence or support requests;

f. You interact with the Service through its admin UI, API, or SDK.

  1. We collect data directly from you with your informed consent (via this policy and its related documents) and by lawful means.

USE OF DATA

General

  1. We use the collected data for the following purposes:

a. To authenticate you and authorise access to applications connected to BOO Auth (on the grounds of fulfilment of our contract with you, or with your organisation);

b. To enforce multi-factor authentication where required (on the grounds of our legitimate interest in protecting your account, or your consent);

c. To maintain a tamper-evident security audit trail for incident response, forensic analysis, and compliance evidence (on the grounds of our legitimate interest in operating a secure Service, and our legal obligations);

d. To detect and prevent abuse — including rate limiting, lockout on repeated failed attempts, and OAuth token reuse detection (on the grounds of our legitimate interest in security);

e. To send transactional emails such as password resets, invitations, and security alerts (on the grounds of fulfilment of our contract with you);

f. To diagnose and repair errors in the Service (on the grounds of our legitimate interest in maintaining functionality);

g. To comply with legal obligations and respond to lawful requests from regulatory or law enforcement agencies.

  1. We only collect and use data necessary for the primary purpose it is collected for.

Legal Basis for Processing Personal Data Under the GDPR

  1. If you are from the European Economic Area (EEA), the legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it. We rely on one of the following grounds:

a. We need to perform a contract with you, or with your organisation;

b. You have given us permission to do so;

c. The processing is in our legitimate interests and it is not overridden by your rights;

d. To comply with the law.

HANDLING AND DISCLOSURE OF DATA

Disclosure of Data (who)

  1. We may disclose personal information for the purposes described in this Privacy Policy to:

a. Our employees and related bodies corporate (including all entities listed in the “Third-Parties and Internal Organisations” section below);

b. Third-party Service Providers necessary to operate the Service (hosting, email delivery, error monitoring — listed below);

c. The organisation whose account you hold (your administrator), for legitimate administrative and audit purposes;

d. Applications you have authenticated into via BOO Auth — limited to the OIDC/OAuth claims you have consented to share;

e. Government agencies, regulatory bodies and law enforcement agencies, as required or permitted by law;

f. Acquirers in the event of a merger, acquisition or sale of assets, on the conditions set out below.

  1. We do not sell any Personal Data to third parties.

  2. We do not use Personal Data for advertising or remarketing of any kind.

Retention of Data (when)

  1. We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy:

a. Account data — retained for the lifetime of your account. Deactivated accounts are retained for audit continuity for up to 7 years, unless your organisation’s administrator requests earlier deletion and there is no overriding audit obligation.

b. Audit logs — retained per the retention policy configured by your organisation (default 90 days; longer windows may apply where required by your organisation’s compliance obligations).

c. Session cookies — 30 days maximum, or until you log out.

d. Password reset tokens and 2FA challenges — short-lived (typically 10 minutes); destroyed on use or expiry.

e. OAuth tokens — issued with provider-configured lifetimes; refresh-token rotation is enforced.

  1. We retain Usage Data as needed to maintain Service security and to satisfy legal or compliance obligations.

Transfer and Storage of Data (where)

  1. We use the following methods for storing data including back-ups:

a. DigitalOcean managed Postgres and Kubernetes — primary data store and runtime hosting. Region is configured at deployment time (typically Sydney, Australia).

b. Backups — automated daily backups of the primary database, retained per the provider’s backup policy.

  1. Your information, including Personal Data, may be transferred to and maintained on servers located outside your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

  2. We take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. No transfer of your Personal Data takes place to an organisation or a country unless there are adequate controls in place.

Collaboration with Third Parties

  1. We do not sell any Personal Data to third parties.

  2. We do not collaborate with third parties for marketing or remarketing.

Business Transaction

  1. If we or any of our group entities are involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Disclosure for Law Enforcement

  1. Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Legal Requirements

  1. We may disclose your Personal Data to third parties (including legal advisors) in the good-faith belief that such action is necessary to:

a. comply with a legal obligation;

b. protect and defend our rights or property;

c. prevent or investigate possible wrongdoing in connection with the Service;

d. protect the personal safety of users of the Service or the public; or

e. protect against legal liability.

Security of Data

  1. The security of your data is important to us. We protect personal information with the following technical controls:

a. HTTPS-only cookies marked HttpOnly and Secure in production.

b. Passwords stored as bcrypt hashes; never logged in plaintext.

c. Server API keys and OAuth client secrets stored as SHA-256 hashes.

d. Per-IP rate limiting and account lockout on repeated failed logins.

e. Multi-factor authentication available (TOTP, WebAuthn passkeys).

f. Tamper-evident audit log with cryptographic hash chain.

g. OAuth refresh-token rotation with reuse detection.

h. Encryption at rest provided by the underlying database hosting provider (DigitalOcean managed Postgres).

  1. No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee absolute security.

  2. To report a suspected vulnerability, contact security@boogroup.com.au.

THIRD PARTIES AND INTERNAL ORGANISATIONS

Service Providers

  1. Data is collected by us and handled within our group of companies. Data is also shared with the third parties listed below. This list may be updated from time to time as our infrastructure changes.

Internal entities:

Entity | Internal or External | Nationality / Location | Role
BOO Group Holdings Pty Ltd (ACN 673 052 509) | Internal | Australian | Parent entity and primary Controller. Oversees group-wide data governance.
BOO Studio Pty Ltd (ACN 624 302 469), trading as BOO Soft | Internal | Australian | Operates the BOO Auth Service. Acts as Controller for BOO Auth account data and Processor when handling personal data on behalf of customer organisations.

External sub-processors:

Sub-processor | Region | Role
DigitalOcean | United States (region configured at deployment, typically Sydney) | Managed Postgres database and Kubernetes hosting.
Amazon Web Services (SES) | United States (region configured) | Transactional email delivery for password resets, invitations and security alerts.
Google LLC | United States | Upstream identity provider for “Sign in with Google” — only when you choose to use it.
Sentry | United States | Error monitoring and crash reporting.
Doppler | United States | Secrets management. No personal data; configuration values only.

  1. Each sub-processor is bound by data processing terms appropriate to the data they handle.

Sign in with Google

  1. If you choose to authenticate via Google, you are taken to Google’s domain to complete the sign-in. We receive only the OpenID Connect identity claims that Google releases for the requested scopes (typically openid, email, profile) — your full name, email address, profile image URL, and Google’s subject identifier (sub). We do not request or receive access to your Google Workspace data (Drive, Gmail, Calendar, etc.).

  2. The credentials you use to sign into Google are never seen or stored by BOO Auth.

  3. You may revoke BOO Auth’s access to your Google account at any time via your Google Account permissions page at https://myaccount.google.com/permissions.

COMMUNICATION TO YOU

How we communicate with you

  1. BOO Auth sends transactional emails only:

a. Password reset and recovery emails;

b. Account invitation emails;

c. Security alerts (e.g. notification that your account was linked to a third-party identity provider, or that a new device signed in).

  1. We do not send marketing emails through the BOO Auth Service. Marketing about other BOO Group products is governed by the privacy policy of those products, and requires separate opt-in.

Links to Other Sites

  1. The Service may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.

  2. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

YOUR RIGHTS

Our Complaints Process

  1. You can submit complaints to us using the contact information provided below under the Contact Us heading.

  2. Our Data Protection Officer will review your complaint and respond as soon as practicable.

Under the APPs and IPPs

  1. You have the right, under the APPs and IPPs, to request access to the Personal Information we hold for you (and confirmation if we hold any such data). You also have the right to request the correction of such information.

  2. You can submit requests to us using our contact details below.

  3. You can also lodge a complaint with the OAIC if the privacy/data issue hasn’t been resolved. For more information, please visit https://www.oaic.gov.au/privacy/privacy-complaints/.

Under the GDPR and UK GDPR

  1. If the GDPR or UK GDPR applies to you, you have particular data protection rights. We provide you with privacy information at the time we collect personal data from you, via this Privacy Policy (Right to Be Informed).

  2. In certain circumstances, you have the following data protection rights:

a. You may access, update or delete any information we hold on you. (Right to access)

b. You may rectify information that is incorrect or incomplete. (Right of rectification)

c. You have the right to object to our processing of your Personal Data. (Right to object)

d. You may request us to restrict our processing of your data. (Right of restriction)

e. You may request a copy of the information we hold on you in a structured, machine-readable and commonly used format. (Right to data portability)

f. You may withdraw your consent for us to process your data. Please note that this will mean that many features of the Service will be unavailable, such as logging in. (Right to withdraw consent)

  1. We may ask you to verify your identity before responding to such requests.

  2. You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data.

CHANGES TO THIS DOCUMENT AND OUR OTHER DOCUMENTS

  1. We may update this document from time to time. We will notify you of any changes by posting the updated information on this page.

  2. We will let you know via email and/or a prominent notice on the Service, prior to the change becoming effective, and update the “Last updated” date at the top of this document.

  3. You are advised to review this document periodically for any changes.

Related documents:

Document | Location
Terms of Service | /terms
Cookie Policy | /cookies
Privacy Policy (this document) | /privacy

CONTACT US

  1. If you have any questions about this document, the data we hold, or you would like to exercise one of your rights regarding the data, please contact us.

Field | Details
Company | BOO Group Holdings Pty Ltd (ACN 673 052 509)
Attention | Privacy and Data Protection Officer
Email | hello@boogroup.com.au
Security | security@boogroup.com.au
Post | 101-103 Illawarra Road, Marrickville, NSW 2204, Australia