Version 1.0.1 · Effective 2026-05-10
Privacy Policy
We respect your privacy and take our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) seriously. This Privacy Policy explains what personal information we handle, where it lives, who else processes it, and what choices you have.
It applies to all uses of the Cohold platform (the "Platform"), including the apex marketing site, the issuer admin dashboard, the shareholder portal, and the public document and unsubscribe pages.
If you are an issuer using the Platform to manage your shareholders, you are the controller of your shareholders' data, and we process it on your behalf. We are the controller for our own data (e.g. the identity of issuer admins who have signed up to use the Platform).
1. The personal information we handle
| Category | Examples |
|---|---|
| Account identity | Name, email address, role within an organisation |
| Authentication | Sign-in events, session tokens, passwords / passkeys |
| Shareholder records | Name, email, postal address, shares held, share class, ABN/ACN where applicable |
| Communications | Subject lines, body content, recipient lists, delivery + open + bounce telemetry |
| Documents | PDFs uploaded by issuers (annual reports, financial statements, notices) |
| Audit log | Who did what, when, on which tenant — required by Corporations Act s.286 |
| Billing | Stripe customer ID, invoice metadata. We do not store full card numbers |
| Technical | IP address, browser user-agent, request timestamps, basic error telemetry |
We do not knowingly collect:
- government identifiers (TFN, Medicare, driver licence);
- biometric data;
- health information; or
- information about minors.
2. How we collect it
We collect personal information when:
- you create an account (issuer admins);
- an issuer uploads cap-table data via CSV (shareholders);
- you sign in to the shareholder portal;
- you receive, open, or click an email we deliver on the issuer's behalf;
- you upload or download a document via the Platform;
- you contact us by email; or
- your browser sends technical metadata as part of a normal request.
3. Where your data lives
This is the most important section. We keep auditable shareholder data and audit-log records onshore in Australia. A handful of services that have no APP-grade Australian-only equivalent process specific data classes outside Australia, under contractual safeguards.
| Data class | Stored where | Crosses border? |
|---|---|---|
| Shareholder records, communications, audit log, all DB rows | Neon Postgres, AWS ap-southeast-2 (Sydney) | No |
| Server-side processing of all of the above | Vercel Functions, syd1 (Sydney) | No |
| Document files (PDFs uploaded via the documents flow) | Vercel Blob, store provisioned in syd1 (Sydney) | No |
| Authentication identity, session tokens, password / passkey credentials | Clerk (United States) | Yes |
| Outbound transactional + broadcast email content + delivery telemetry | Resend (United States) | Yes |
| Payment method tokens, billing details | Stripe (United States; Stripe Australia Pty Ltd is the contracting entity for AUD billing) | Yes |
| Webhook signing keys, env vars | Vercel platform (multi-region; not customer data) | N/A |
The three overseas flows exist because:
- Clerk runs our authentication. There is no APP-grade Australian-only auth-as-a-service we would ship in V1. We disclose this and rely on Clerk's data processing addendum, which incorporates Standard Contractual Clauses (SCCs) for cross-border transfers.
- Resend delivers transactional and broadcast email. Email delivery from a Sydney-only sender to global recipients necessarily crosses borders by virtue of the recipients' inboxes. Resend's processor terms incorporate SCCs.
- Stripe is the de facto payment processor for AUD SaaS billing in Australia. Stripe Australia Pty Ltd is our contracting entity; processing infrastructure is operated by Stripe, Inc. in the United States. Stripe's processor terms incorporate SCCs.
We never send shareholder records, communications, audit-log entries, or documents to any of these three overseas processors except where the data class itself requires it (for example, a broadcast email body necessarily passes through Resend's pipeline to reach the recipient).
4. Document access — how PDFs are served
Documents are stored in our private cloud storage provider in Sydney. All access is authenticated and audit-logged. Documents are not accessible via public URLs — every read is fetched server-side by the Platform and streamed through one of the proxy routes:
/api/documents/[id]/file— for issuer admins viewing the document inside the dashboard (membership-checked, audit-logged);/d/[token]/file— for shareholders viewing a document via a per-recipient tokenised link in an email (token-resolved, audit-logged); or/portal/documents/[id]/file— for shareholders signed in to the portal (membership-checked, audit-logged).
A leaked storage path is not enough on its own to retrieve a document — the storage layer requires authentication regardless. Every render writes a row to our audit log so the issuer has a continuous compliance trail of who saw what and when.
5. How we use personal information
We use personal information only for the purpose for which it was collected, including:
- providing the Platform to issuers and their shareholders;
- sending statutory and other communications you ask us to send;
- billing and account management;
- preventing, detecting, and investigating fraud or misuse;
- complying with our legal obligations (including responding to lawful requests from regulators); and
- diagnosing technical issues and improving the Platform.
We do not use shareholder personal information to train AI/ML models or to enrich third-party advertising profiles.
6. When we share personal information
We share personal information with:
- the issuer whose tenant the data belongs to (their authorised admins);
- the third-party processors named in the data-residency table above, strictly to perform the services they provide to us;
- our professional advisers (lawyers, accountants, auditors), bound by confidentiality;
- a regulator or court where required by law; and
- a successor entity on a sale of our business, on terms that preserve this Privacy Policy.
We do not sell personal information.
7. Cookies and similar technologies
The Platform uses cookies only where they are strictly necessary for the service to work. Today that means:
- a Clerk session cookie that keeps you signed in; and
- a future Stripe checkout-session cookie for billing.
We do not run third-party analytics, advertising, or behavioural-tracking cookies in V1. If we add product analytics in the future, we will update this Privacy Policy and present a cookie banner where required.
8. Email tracking
If you receive an email sent through the Platform on behalf of an issuer:
- a tracking pixel may record that you opened the email;
- click events on links may be recorded; and
- bounce, complaint, and unsubscribe events are recorded.
This is provided by Resend as part of standard email delivery. You can suppress most pixel-based open tracking by disabling remote-image loading in your email client. Statutory communications cannot be unsubscribed from, but their delivery telemetry is collected for the same compliance reasons (proof of delivery).
9. Your rights under the Privacy Act
Under the APPs you can ask:
- what personal information we hold about you;
- to correct inaccuracies;
- for a copy in a portable form;
- that we delete your personal information, where we are not required to retain it (for example, audit-log entries are retained for seven years under Corporations Act s.286); or
- to complain about how we handled your personal information.
If you are a shareholder and your enquiry concerns data uploaded by an issuer, we will route the request to that issuer, since they are the controller of that data.
To exercise any of these rights, email privacy@cohold.com.au. We aim to respond within 30 days.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
10. Retention
We retain personal information only as long as needed for the purpose it was collected, plus any retention period required by law:
- audit-log entries — 7 years (Corporations Act s.286);
- shareholder records — for as long as the issuer subscribes, plus 30 days after termination unless they request immediate deletion;
- communication content and delivery telemetry — for the life of the tenant, then deleted on the issuer's termination;
- account identity for issuer admins — until the account is closed; and
- billing records — 7 years (Australian taxation requirements).
11. Security
We rely on the technical safeguards described in our Terms of Service (row-level security, TLS, audit-logging, least privilege). No system is invulnerable. If we become aware of a notifiable data breach we will comply with our obligations under Part IIIC of the Privacy Act 1988 (Cth).
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Patch and minor changes (clarifications, new processor categories already disclosed in the residency table) take effect immediately. Material (major) changes require re-acceptance the next time you sign in. Each version is reachable at /legal/privacy/v/<semver> so you can always see what you accepted.
13. Contact
Privacy enquiries: privacy@cohold.com.au.
---
_Rebranded 2026-05-10: contact email and platform name updated from CSF Community Platform / communitylayer.com.au to Cohold / cohold.com.au. No change to the legal entity, data residency, processors, or your rights._