ARAF Standards Authority Agentic Risk Architecture Framework

Privacy Policy

Last updated: March 2026

ARAF Standards Authority Ltd

01

Introduction

1.1 ARAF Standards Authority Ltd (ARAF Authority, we, us, our) is committed to protecting the privacy of personal information we collect and handle.
1.2 This Privacy Policy explains how we collect, hold, use, and disclose personal information in connection with our websites and framework publications relating to the Agentic Risk Architecture Framework (ARAF), including official ARAF framework websites and related domains (collectively, the Site), our published framework materials, and our framework governance activities, research publications, consultation processes, certification framework administration, and related professional services.
1.3 We are bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act). This Policy should be read together with our Website Terms of Use.
1.4 By accessing the Site or interacting with us, you confirm you have been provided with access to this Privacy Policy. Where we require consent, we will obtain it as required by law.

1.5 — Framework Governance

ARAF Standards Authority Ltd is responsible for the stewardship, publication, and governance of the Agentic Risk Architecture Framework (ARAF) standard. Venture Bench Pty Ltd may provide professional services, consulting, governance advisory, or assessment services relating to the framework. Personal information may therefore be processed by either entity depending on the nature of the interaction.

02

Definitions

2.1 Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in material form or not.
2.2 Sensitive information means personal information about an individual's racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, or biometric information.
03

Information We Collect

3.1 We may collect the following categories of personal information:

Contact and Identity Information

Name, email address, phone number · Job title, role, company or organisation name · Business address, LinkedIn profile or professional biography

Inquiry and Engagement Information

Content of enquiries submitted via the Site or email · Information provided in connection with professional engagement discussions · Information about your organisation's AI systems, governance structures, or commercial arrangements (where provided for assessment purposes)

Website Usage Information

IP address, browser type and version, operating system, device identifiers · Pages visited and time spent, referring website or source · Geographic location (country/region level)

Framework Download Information

Email address (if provided to access downloads) · Download activity and timestamps · Organisation name (if provided)

Professional Engagement Information

Assessment materials, documentation, and governance artefacts · Communications and correspondence · Billing and payment information

3.2 We generally do not collect sensitive information unless necessary for a specific engagement and you have provided express consent, or where required or permitted by law.
3.3 AI and Automated Processing. We may use secure software tools, including AI-assisted technologies, to support analysis, document review, research, and internal workflow management. Where such tools are used:
04

How We Collect Personal Information

4.1 We collect personal information:
4.2 Where we collect personal information about you from a third party, we will take reasonable steps to ensure you are made aware of this Policy.
4.3 Unsolicited information. If you provide personal information that we did not request, we will determine whether it is reasonably necessary. If it is not, we will destroy or de-identify it where lawful and reasonable.
05

Purposes of Collection, Use, and Disclosure

5.1 We collect, hold, use, and disclose personal information for:

Website and Communications

Responding to enquiries, providing information about our services and frameworks, sending requested updates, administering and improving the Site, and analysing website usage.

Professional Services

Providing governance assessments, framework certification processes, advisory or research collaborations, ARAF assessments, ADA reviews, and related services; administering pilot assessment programs; preparing governance artefacts and deliverables; communicating about engagements; issuing invoices and processing payments; maintaining engagement records.

Business Operations

Managing business relationships, complying with legal obligations, establishing or defending legal claims, and conducting internal research using de-identified or aggregated data.

5.2 We will not use or disclose personal information for a purpose other than: (a) a purpose set out in this Policy; (b) a purpose you would reasonably expect; (c) a purpose to which you have consented; or (d) as required or permitted by law.
06

Disclosure of Personal Information

6.1 We may disclose personal information to:
6.2 We require service providers to comply with applicable privacy laws and to only use personal information for the purposes for which it was disclosed.
6.3 We do not sell, rent, or trade personal information to third parties for marketing purposes.
07

Overseas Disclosure

7.1 Some service providers may store or process data outside Australia, including the United States, the European Union, and other jurisdictions.
7.2 Where personal information is disclosed overseas, we take reasonable steps to ensure the recipient is subject to substantially similar privacy obligations, including through contractual safeguards.
08

Data Provided in Professional Engagements

8.1 Engagement materials are handled in accordance with the applicable engagement agreement, which will include specific confidentiality obligations.
8.2 Where engagement materials contain personal information about third parties, you represent that you have authority to disclose that information.
8.3 We may use aggregated, anonymised, and de-identified insights derived from engagement activities for methodology calibration, research, and framework development. Such use will not identify you, your organisation, or any individual.
09

Legal Professional Privilege

9.1 Where we provide legal services, certain information may be protected by legal professional privilege. Nothing in this Privacy Policy limits, waives, or overrides privilege protections.
10

Cookies and Analytics

10.1 The Site uses cookies and similar tracking technologies. Where required, we use a cookie consent mechanism.

| Cookie Type | Purpose |
| --- | --- |
| Essential | Required for Site functionality (session management, security) |
| Analytics | To understand how visitors use the Site (page views, traffic sources, user flows) |
| Functional | To remember preferences and settings |

10.3 We use Google Analytics to analyse Site usage. Google's privacy policy is available at policies.google.com/privacy.
10.4 You can control cookies through your browser settings. Disabling cookies may affect Site functionality.
11

Direct Marketing

11.1 We may send marketing communications to business contacts where permitted, including updates about frameworks, service information, event invitations, and industry commentary. We do not use sensitive information for direct marketing. Communications may include updates regarding framework releases, governance research, consultation opportunities, pilot assessment programs, certification developments, and industry briefings.
11.2 You may opt out at any time by clicking the unsubscribe link or contacting us.
12

Security

12.1 We take reasonable steps to protect personal information, including secure (HTTPS) transmission, access controls, encryption, regular security reviews, and staff training.
12.2 No data transmission is completely secure. We cannot guarantee absolute security of personal information.
13

Notifiable Data Breaches

13.1 We are subject to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Where we become aware of a breach likely to result in serious harm, we will comply with our obligations including notifying affected individuals and the OAIC.
14

Data Retention

| Information Type | Retention Period |
| --- | --- |
| Website enquiries | 3 years from last contact |
| Professional engagement records | 7 years after completion (or longer where required) |
| Financial and billing records | 7 years (as required by tax law) |
| Website analytics data | 26 months (aggregated/anonymised thereafter) |
| Marketing preferences | Until you opt out or request deletion |

14.2 We may retain de-identified or aggregated information indefinitely for research and methodology development.
15

Access and Correction

15.1 You have the right to request access to and correction of personal information we hold about you. Contact us using the details in Section 19. We will respond within 30 days.
16

Complaints

16.1 If you believe we have breached the APPs, you may lodge a complaint with us. We will acknowledge within 7 days and respond within 30 days.
16.3 If not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): GPO Box 5218, Sydney NSW 2001 · Phone: 1300 363 992 · www.oaic.gov.au
17

European Visitors (GDPR)

17.1 If you are located in the EEA, UK, or Switzerland, additional provisions apply including rights to erasure, restriction, data portability, and objection to processing. International transfers rely on standard contractual clauses or adequacy decisions.
18

Changes to This Policy

18.1 We may update this Policy from time to time. Material changes will be notified by email or prominent notice on the Site. Continued use constitutes acceptance.
19

Contact Us

Privacy Officer

ARAF Standards Authority Ltd

privacy@araf-standards.org

Level 36, Gateway Building
1 Macquarie Place
Sydney NSW 2000

20

Additional Information

20.1 Anonymity. Where practicable, you may deal with us without identifying yourself. However, we may not be able to respond to your enquiry or provide services without your personal information.
20.2 Links. The Site may contain links to third-party websites. We are not responsible for their privacy practices.
20.3 Children. Our services are designed for business and professional users. We do not knowingly collect personal information from children under 16.