Privacy Policy
Last updated: 19 May 2026
Who We Are
RAD is operated by RAD Business Pty Ltd (ACN 698 339 507) trading as RAD (“RAD”, “we”, “us”, “our”). Our registered office is Level 1, 171 William Street, Darlinghurst NSW 2010, Australia.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Scope of this Policy
This Privacy Policy applies to personal information we collect about:
Visitors to our website (radrnd.com and related domains)
Prospective customers and advisors who contact us, request information, or attend events
Registered users of the RAD platform, including advisor account holders and client administrators
Team members of enrolled client organisations whose details are provided to us during account setup
Other individuals whose personal information we may collect in the ordinary course of business
This Privacy Policy does not govern how RAD processes data captured through the platform on behalf of enrolled client organisations or their nominated administrators and invited team members. That processing is governed separately by RAD’s Data Processing Agreement, which forms part of our Terms of Service and applies on a per-client basis. If you are a team member of a client organisation, please refer to the privacy notice provided to you by your organisation or contact us at privacy@radrnd.com for further information.
3. What personal information we collect
We collect the following categories of personal information:
3.1 Information you provide to us
Contact details - name, email address, phone number, organisation name, role
Professional credentials - tax agent registration details where you are an advisor
Account details - username, password (stored encrypted), authentication tokens
Billing details - invoicing contact, payment information (handled by our payment processor)
Communications - records of correspondence with our team, including support requests and feedback
3.2 Information we collect automatically
Website usage data - pages viewed, time spent, referring URL, IP address, device and browser information
Platform usage data - login times, features used, actions taken within the RAD dashboard
Cookies and similar technologies - see Section 9 for our cookies practices
3.3 Information we collect from third parties
Where an advisor enrols a client organisation, we receive contact details for that organisation's nominated administrator
Where a client administrator invites team members to the platform, we receive those team members' contact details
Where you connect with us through publicly available channels (e.g. LinkedIn), we may receive limited profile information for the purpose of responding to your inquiry or managing our professional relationship with you. We do not systematically collect personal information from public social media profiles.
4. How we use personal information
We use personal information for the following purposes:
Providing and operating the RAD platform
Setting up and managing user accounts
Communicating with you about your account, our services, and product updates
Responding to inquiries, support requests, and feedback
Processing payments and managing billing
Improving our platform, services, and user experience
Marketing our services to existing users where such use is directly related to the primary purpose of collection and you would reasonably expect such use (Australian Privacy Principle 6.1), or to prospective customers where we have obtained your consent (Australian Privacy Principle 7.1)
Complying with our legal obligations and protecting our legal rights
Detecting, preventing, and responding to security incidents and platform misuse
We will not use your personal information for any purpose other than the primary purpose for which it was collected, or a directly related secondary purpose, unless we have your consent or are otherwise authorised or required to do so by law (including under Australian Privacy Principle 6).
5. Grounds for collection and use
We collect personal information where it is reasonably necessary for one or more of our functions or activities (Australian Privacy Principle 3.1), or where you have provided your consent to collection. The circumstances in which we collect personal information include the following:
You have provided consent (for example, by submitting a contact form, accepting our Terms of Service, accepting the Data Processing Agreement or opting in to marketing communications)
Collection is necessary to provide a service you have requested
Collection is reasonably necessary for one or more of our functions or activities, including the security, operation, and improvement of the RAD platform (Australian Privacy Principle 3.1)
We are required or authorised to do so by law
Where consent is the basis for our collection or use, you may withdraw your consent at any time. Withdrawing consent may limit our ability to provide certain services to you.
6. Disclosure of personal information
We may disclose personal information to the following categories of third parties:
6.1 Service providers
We engage third-party service providers (“sub-processors”) to deliver the RAD platform. These include:
Google Cloud Platform — hosting and storage (Sydney region).
Google Cloud Agent Platform — AI inference infrastructure runs the Claude (developed by Anthropic) and Gemini (developed by Google) models we use for processing. Models run inside Google’s infrastructure (in Australia and, temporarily, in other countries). Your data is not used to train these models.
Service providers are bound by contractual obligations to handle personal information consistent with this Privacy Policy and applicable law, and may not use it for purposes other than delivering the relevant service to RAD.
6.2 Advisors and client organisations
Where you are a team member of a client organisation enrolled on RAD, your personal information may be accessible to your organisation’s administrator and to the registered R&D tax advisor your organisation has nominated, in accordance with the Data Processing Agreement governing your organisation’s use of RAD. Where the nominated advisor is a registered tax agent, that advisor is independently subject to the Tax Practitioners Board Code of Professional Conduct under the Tax Agent Services Act 2009 (Cth), which imposes obligations of client confidentiality and appropriate data handling that apply to personal information they access through the RAD platform.
6.3 Legal and regulatory disclosures
We may disclose personal information where required or authorised by law, including:
In response to lawful requests from government authorities, regulators, or law enforcement
To meet our obligations under the Notifiable Data Breaches scheme
To establish, exercise, or defend our legal rights
In connection with a corporate transaction such as a merger, acquisition, or financing, provided that the recipient is bound by confidentiality obligations and privacy protections no less stringent than those set out in this Privacy Policy. Where such a transaction is completed, affected individuals will be notified of any material change to how their personal information is handled
In response to a formal information-gathering notice issued by the Australian Taxation Office or another taxation authority under the Tax Administration Act 1953 (Cth) or equivalent legislation, in connection with an R&D tax incentive audit, review, or compliance activity relating to an enrolled client organisation. Where such a disclosure is made, RAD will notify the affected client organisation as soon as reasonably practicable and to the extent permitted by law. Notification obligations in respect of enrolled client organisations in this scenario are governed by the Data Processing Agreement
RAD does not sell personal information to third parties. We do not share personal information for advertising or marketing purposes outside our own marketing of RAD's services.
6.4 Confidentiality of client organisation data
RAD treats data uploaded to the platform by or on behalf of enrolled client organisations, including R&D activity descriptions, financial records, technical documentation, and supporting evidence, as confidential to that client organisation. RAD will not access, use, or disclose that data except to the extent necessary to deliver the RAD platform and associated services, to comply with applicable law, or as expressly authorised by the relevant client organisation. Staff access to client organisation data is restricted on a need-to-know basis and is subject to confidentiality obligations. This commitment supplements, and does not limit, RAD’s obligations under the Data Processing Agreement.
7. Cross-border disclosure
Some of our service providers operate infrastructure outside Australia. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information, including by entering into contractual data handling commitments with the relevant provider (Australian Privacy Principle 8.1).
Specifically:
Data captured through the RAD platform on behalf of client organisations is stored in Australia (Google Cloud Sydney region).
AI processing services used to generate evidence summaries within the RAD platform may process data (including R&D activity descriptions and supporting documentation) on infrastructure operated by Google Cloud Platform outside Australia. RAD does not use client organisation data to train, fine-tune, or improve AI models. Google Cloud is contractually prohibited from using that data for any purpose other than delivering the AI processing service to RAD, and is bound by data handling commitments consistent with Australian Privacy Principle 8. Further details of these contractual protections are set out in the Data Processing Agreement.
8. Data security
We take reasonable steps to protect personal information from unauthorised access, modification, disclosure, loss, and misuse. These steps include:
Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls and multi-factor authentication for staff access to production systems
Logical isolation of each client organisation's data
Access logging and audit trails
Regular security testing and vulnerability management
Staff confidentiality obligations and security training
SOC 2 Type II certification and ISO 42001 - in progress, targeted shortly after commercial launch
No method of transmission or storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.
9. Cookies and website analytics
Our website uses cookies and similar technologies to:
Maintain your session when you log in
Remember your preferences
Measure how visitors use our website (analytics)
Improve the performance and security of our services
You may disable cookies through your browser settings, though doing so may affect website functionality. We do not use cookies for cross-site advertising tracking.
10. Retention of personal information
We retain personal information only for as long as necessary for the purposes set out in this Privacy Policy or as required by law:
Account information is retained for the duration of your active account and for a period of up to 7 years after account closure, after which it will be securely destroyed or de-identified in accordance with Australian Privacy Principle 11.2
Communications and support records are retained for up to 7 years for record-keeping purposes
Marketing contact information is retained until you opt out, after which we suppress it from active use but may retain limited records to honour your opt-out
Data captured through the platform on behalf of client organisations is retained in accordance with the Data Processing Agreement, which reflects applicable regulatory retention obligations including the requirement under section 382-80 of the Income Tax Assessment Act 1997 (Cth) that records substantiating an R&D tax claim be kept for a minimum of 5 years from the date of lodgement of the relevant income tax return. Where a client organisation is subject to an active ATO audit or review, data relating to that organisation may be retained for a longer period in accordance with the Data Processing Agreement
Where we no longer require personal information, we will take reasonable steps to securely destroy or de-identify it.
11. Your rights
Under the Privacy Act 1988, you have the right to:
Access - request a copy of the personal information we hold about you
Correction - request that we correct personal information that is inaccurate, out of date, incomplete, or misleading
Opt out - unsubscribe from marketing communications at any time
Direct marketing objection: request that we cease using your personal information for direct marketing purposes (Australian Privacy Principle 7.1)
Complain - raise a concern about how we have handled your personal information
To exercise any of these rights, contact us using the details in Section 16. We will respond to your request within 30 days. Where we are unable to grant a request (for example, where the information is required for legal or operational reasons), we will notify you in writing of our reasons and, in the case of a refused correction request, inform you of your right to request that we associate a statement with the relevant record noting that you believe the information is inaccurate, out of date, incomplete, misleading, or irrelevant (Australian Privacy Principle 13.3).
If you have a complaint about how we have handled your personal information, we encourage you to contact us in the first instance so that we may seek to resolve it internally. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we require more time, we will notify you of the expected timeframe.
If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). Contact details are available at www.oaic.gov.au.
12. Notifiable Data Breaches
Where we become aware of a suspected data breach, we will promptly assess whether it constitutes an eligible data breach for the purposes of Part IIIC of the Privacy Act 1988 (Cth). We will complete that assessment within 30 days of becoming aware of the suspected breach (s 26WH). Where we conclude that an eligible data breach has occurred and is likely to result in serious harm to one or more individuals, we will notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable after forming that view, in accordance with the Notifiable Data Breaches scheme.
For incidents affecting data captured through the platform on behalf of client organisations, our notification obligations are governed by the Data Processing Agreement.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this Policy reflects the most recent version. Material changes will be notified to active account holders by email and will be highlighted on our website for at least 30 days before taking effect. Prior versions of this Policy will remain accessible on our website or upon request.
14. Collection notices
In addition to this Privacy Policy, we provide a collection notice at or before the time we collect personal information from you, in accordance with Australian Privacy Principle 5. The collection notice sets out the key information required by APP 5.1, including the purposes of collection, whether collection is required or authorised by law, and the main consequences of not providing the information. Where collection occurs through our platform registration or onboarding flow, the collection notice is presented at that point.
15. Sensitive information
We do not intentionally collect sensitive information as defined in section 6 of the Privacy Act 1988 (Cth), which includes health information, information about criminal records, and certain categories of professional information. If we receive sensitive information incidentally in the course of providing the RAD platform (for example, within documents uploaded by users), we will not use or disclose that information except to the extent necessary to deliver the relevant service or as required by law, and will take reasonable steps to de-identify or destroy it where it is no longer required. We will not collect sensitive information without your express consent unless an applicable exception under Australian Privacy Principle 3.3 applies.
16. Contact us
Questions, requests, and complaints relating to this Privacy Policy can be directed to:
RAD Business Pty Ltd
Privacy Officer
Level 1, 171 William Street
Darlinghurst NSW 2010
Australia
Email: privacy@radrnd.com
Designed & operated in Australia
©2026 RAD Inc