Privacy Policy

Effective date: April 2026  ·  Applies to: Australia and New Zealand
This Privacy Policy explains how OaaS (Operator as a Service) collects, uses, stores, and protects personal information. It is written in compliance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). It also applies to customers and contacts in New Zealand under the New Zealand Privacy Act 2020, which shares substantially the same principles.

Overview

OaaS is an automated alarm response platform used by security monitoring centres. When an alarm occurs, OaaS contacts nominated individuals — by phone, SMS, email, or chatbot — to capture their response and write it back to the monitoring centre's software. In doing so, OaaS processes certain personal information on behalf of the monitoring centres that use our service.

OaaS acts as both a data controller (for information about our customers and their users) and a data processor (for contact information provided by our customers in relation to alarm activations).

Who We Are

OaaS is operated by Takhitech. Our contact details are provided at the bottom of this policy. We are in the process of establishing our formal business entity; this policy will be updated with our Australian Business Number (ABN) and registered address once that process is complete.

What Personal Information We Collect

We collect different types of information depending on how you interact with us:

From monitoring centre customers (business contacts):

  • Name, job title, email address and phone number of account administrators and authorised users
  • Business name and contact details
  • Login credentials (stored as secure hashes — we never store passwords in plain text)
  • Usage data and audit logs relating to your use of the OaaS platform

From alarm contacts (individuals engaged during activations):

This information is provided to us by our monitoring centre customers. It may include:

  • Name, phone number, email address
  • Contact schedules and availability windows
  • Verification PINs (derived from data already in the customer's CMS — we do not create or store these independently)
  • Responses given during engagements (IVR key presses, chatbot conversations, SMS replies)

From website visitors:

  • Information submitted via the demo request form (name, company, email, phone, message)
  • Standard server access logs (IP address, browser type, pages visited) — retained briefly for security purposes and not linked to individuals

How We Use Personal Information

Purpose Information Used Legal Basis
Providing the OaaS alarm response service Contact names, phone numbers, emails, verification PINs, engagement responses Performance of contract with monitoring centre customer
Account management and authentication Administrator and user credentials, usage logs Performance of contract
Security and fraud prevention Login records, audit logs, IP addresses Legitimate interest in protecting our systems and customers
Responding to demo requests and sales enquiries Name, company, email, phone, message Consent (submission of the form)
Improving and maintaining the service Aggregated usage data (not linked to individuals) Legitimate interest in service improvement

We do not use personal information for marketing to alarm contacts. We do not profile alarm contacts or use their information for any purpose beyond the specific alarm engagement for which it was provided.

Disclosure of Personal Information

We do not sell, rent, or trade personal information. We may share information in the following limited circumstances:

  • With the monitoring centre customer — all engagement records and contact responses are returned to the customer's CMS in real time. Customers have full visibility of everything OaaS does on their behalf.
  • With service providers — we use third-party services for cloud hosting, SMS delivery, voice telephony, and email. These providers operate under data processing agreements and are only given access to the data necessary to perform their specific function.
  • If required by law — we may disclose information if required to do so by a court order, subpoena, or other legal obligation under Australian law.
  • With your consent — for any other purpose, only with your explicit consent.

Overseas disclosure: Some of our infrastructure and third-party service providers may operate outside Australia. Where this occurs, we take reasonable steps to ensure those providers meet standards consistent with the Australian Privacy Principles, including through contractual protections. By using OaaS, you acknowledge that your information may be processed overseas in these circumstances.

Storage and Security

OaaS takes the security of personal information seriously. Our technical controls include:

  • Encryption in transit — all connections to OaaS use TLS. No personal data travels unencrypted over the network.
  • Encryption at rest — disk-level encryption is enabled on all servers.
  • Per-customer database isolation — each monitoring centre's data lives in its own database. There is no query path that can join one customer's data to another's.
  • Hashed credentials — passwords and sensitive identifiers are stored as one-way cryptographic hashes, never in plain text.
  • Access controls — role-based access ensures staff can only access what they need. All staff access to customer data is logged in the tamper-evident audit trail.
  • Hardened infrastructure — servers are run on professionally managed cloud infrastructure with firewalled access and regular security updates.

Data Retention

Data TypeRetention Period
Live operational data (activations, contacts, response plans, notes)Life of service. You may request deletion at any time.
Audit logs90 days online, archived for 2 years
Backups30 days rolling
Demo request enquiriesUntil resolved or upon request
Server access logsUp to 30 days for security purposes

On termination of a customer account, a full export of the customer's data is provided, and all data is purged within 30 days unless earlier removal is requested.

Your Rights

Under the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or out-of-date information
  • Request deletion of your personal information (subject to legal obligations to retain certain records)
  • Complain if you believe your privacy rights have been breached

To exercise any of these rights, please contact us using the details below. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or the Office of the New Zealand Privacy Commissioner at privacy.org.nz.

Cookies and Tracking

The OaaS website uses only essential technical cookies — specifically a session cookie to keep you logged into the customer portal. We do not use advertising cookies, third-party tracking pixels, or analytics services that collect personally identifiable information. Our Cloudflare Turnstile widget (used on the demo request form) processes data in accordance with Cloudflare's Privacy Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page will be updated when changes are made. For significant changes, we will notify current customers via email. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

Contact Us

For privacy enquiries, data access requests, or complaints, please contact us at:

Email: support@takhitech.com
Business: Takhitech (ABN to be added)

We aim to respond to all privacy enquiries within 30 days.