1. Introduction
Your data is yours. We take that seriously.
Harrby Pty Ltd ("Harrby", "we", "our", "us") is an Australian Managed Services Provider (MSP) and Microsoft Partner. We deliver managed IT, security, and consultancy services across Microsoft 365, Azure, Dynamics 365, and Windows 365.
We respect your privacy. Every decision we make about how we collect, use, and store your information is guided by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) — not just because the law requires it, but because trust is the foundation of everything we do.
This policy tells you exactly what we collect, why we collect it, and how we protect it. No jargon. No surprises.
2. Scope
This policy applies any time you interact with us — whether that's as a client, prospective client, supplier, partner, or website visitor.
Specifically, it covers how we handle your information when you:
- Engage us for managed services, projects, consultancy, automation, or training
- Use Microsoft cloud services we manage on your behalf
- Visit our websites, portals, or support systems
If you're using a Microsoft product we manage for you, this policy works alongside Microsoft's own privacy terms. We're transparent about that relationship throughout.
We only collect what we need to do our job well. Here's what that looks like in practice:
Identity & Contact
Your name, job title, business name, ABN/ACN, email address, phone number, and postal address. We use this to know who we're working with and how to reach you.
Account & Billing
Invoices, payment records, purchase orders, and service agreements. This keeps our commercial relationship clean and accountable.
Service & Support Data
Helpdesk tickets, correspondence, change records, configuration details, asset inventories, backup and restore metadata, and project documentation. This is the operational data that lets us deliver and improve your services — and resolve issues quickly when they arise.
Microsoft Cloud & Device Telemetry
Tenant IDs, user principal names, sign-in logs, IP addresses, device IDs, compliance states, policy assignments, Intune, Defender, and Entra security logs, Azure resource metadata, and monitoring data. As your delegated Microsoft administrator, this telemetry is essential for keeping your environment secure, performant, and compliant.
Website & Analytics Data
Browser type, pages viewed, session data, and usage analytics. See Section 7 — Cookies & Website Data for full details.
Sensitive Information
We do not intentionally collect sensitive personal information. If a specific project requires it, we'll only do so with your explicit instructions and consent — and we'll apply additional safeguards appropriate to the sensitivity of that data.
How we collect it: We may gather information directly from you or your authorised representatives, from the systems we manage on your behalf, or from trusted third parties (such as Microsoft) where it's reasonably necessary to deliver our services. Please only share information you're authorised to provide.
We use your information to run managed IT and cloud services effectively — and nothing else. Here's what that means in practice:
Delivering your services. We plan, configure, administer, secure, and optimise your Microsoft 365, Azure, Dynamics 365, and Windows 365 environments. Your data makes that possible.
Keeping your environment secure. We monitor for performance issues, capacity risks, and security threats — including real-time threat detection, incident response, and audit logging. Proactive security is core to what we do.
Supporting your team. Consultancy, implementation, migration, automation, and training all rely on having accurate information about your environment and your needs.
Meeting our obligations. We handle information in accordance with our contractual commitments, legal requirements, and regulatory standards — including the APPs and the Notifiable Data Breaches (NDB) scheme.
Communicating with you. We'll reach out about service status, updates, quotes, invoices, and anything else directly relevant to our work together.
Improving what we do. We use aggregate insights to sharpen our quality assurance, refine our processes, and improve the experience of working with Harrby.
Where permitted, keeping you informed. We may occasionally send service announcements or marketing communications. You can opt out at any time — no questions asked.
We only use your information in ways a reasonable person would expect, given the context of managed IT and Microsoft cloud services. We don't use it for anything else.
5. How We Protect Your Data
Security is built into everything we do at Harrby. We apply layered controls appropriate to the risk level of the data and systems involved.
Technical Controls
- Encryption in transit and at rest, wherever feasible
- Role-based access, least privilege principles, and multi-factor authentication (MFA)
- Just-in-time (JIT) access for elevated administrative tasks
- Network segmentation, endpoint protection, and vulnerability management
- Continuous logging, monitoring, and alerting across supported environments
People & Process Controls
- Background checks and confidentiality obligations for all staff
- Ongoing security awareness training
- Secure software development and change control practices
- Vendor and third-party due diligence before any tool or provider is brought into our stack
Notifiable Data Breaches (NDB)
If a data breach occurs that is likely to cause serious harm, we act fast. Our response follows the NDB scheme:
- Contain — We limit the impact immediately
- Assess — We determine the scope and who's affected
- Notify — We inform affected clients and the Office of the Australian Information Commissioner (OAIC) where required
- Mitigate — We take steps to reduce further risk and prevent recurrence
We won't leave you in the dark. If your data is affected, we'll tell you clearly and quickly.
6. Microsoft Cloud & Third-Party Providers
We commonly administer your Microsoft environment as your delegated administrator or via approved partner roles. We process your data solely to deliver the services you've instructed us to provide — nothing more.
Third-Party Tools
To deliver a complete managed service, we use trusted third-party platforms including:
- Remote monitoring and management (RMM) tools
- Backup and recovery platforms
- Email security solutions
- SOC/SIEM services for security operations
- Automation and ticketing systems (PSA)
Every provider we use is bound by contractual terms and security obligations consistent with the APPs. Where feasible, we select providers with Australian or regionally appropriate data storage locations.
Access to Your Content
We do not access your content — such as mailbox data or document files — unless it is required for support, troubleshooting, security investigations, or legal obligations, or where you have explicitly asked us to do so. When we do access content, we handle it with discretion and document it appropriately.
7. Cookies & Website Data
Our websites use cookies to function properly and improve your experience. Here's what we use them for:
- Essential cookies — Required for core site functionality and preference management. Without these, parts of the site won't work.
- Analytics technologies — Help us understand how visitors use our site so we can improve it over time.
You can manage or disable cookies through your browser settings. Some features may not work as expected if cookies are turned off.
We do not use cookies to sell your personal information.
We only share your information when it's necessary to deliver our services or meet our legal obligations. The parties we may share with include:
- Microsoft and approved third-party providers — Necessary to deliver or support the services you've engaged us for
- Professional advisers — Including legal, accounting, and insurance professionals, all bound by confidentiality obligations
- Subcontractors — Engaged to perform specific aspects of our services, under contract and subject to the same obligations we hold
- Regulators and government agencies — Where required by Australian law
We do not sell or rent your information. Full stop.
9. Cross-Border Data Storage
Australia has some of the world's strongest privacy protections — but cloud services are global by nature.
Depending on the services and regions you select, your data may be stored or processed outside Australia. This is most common with Microsoft's global cloud infrastructure and certain third-party platforms.
Where cross-border disclosure occurs, we take reasonable steps to ensure that overseas recipients don't breach the APPs. This includes contractual safeguards and selecting reputable providers with robust security and privacy controls.
If you need data residency restrictions — for example, Australian-only storage — please let us know. We'll advise what's feasible for the specific products and services in scope for your engagement.
10. Your Access & Correction Rights
You have the right to know what personal information we hold about you — and to request corrections if anything is inaccurate.
To exercise these rights, contact our Privacy Officer (details in Section 13). We'll take reasonable steps to respond within a reasonable timeframe, subject to permitted exceptions under the APPs (such as security considerations, legal privilege, or the privacy of other individuals).
We may need to verify your identity before acting on a request. This is to protect your information, not to create barriers.
11. How Long We Keep Your Data
We keep your information only for as long as it's needed — no longer.
| Data Type | Retention Period |
|---|---|
| Billing & accounting records | At least 7 years (Australian tax law) |
| Security & audit logs | Aligned to service needs and your internal policies |
| Backup data | Per defined retention schedules |
| Operational & project records | Duration of engagement + reasonable post-engagement period |
When data is no longer required, we securely delete, de-identify, or destroy it. This includes sanitising media and applying retention rules to backup systems where technically feasible.
12. Your Obligations as a Client
A strong security posture is a shared responsibility. To help us protect your environment effectively, we ask that you:
- Keep your information accurate. Provide current, complete details and notify us promptly of any changes.
- Share third-party data lawfully. Ensure any personal information about others that you share with us has been collected with appropriate notices and consents.
- Maintain internal controls. Enforce appropriate user policies, training, and access controls — including MFA — for your own users and systems.
- Report incidents promptly. If you suspect a security incident or unauthorised access relating to services we manage, contact us immediately. Early notification enables faster containment.
- Minimise sensitive data exposure. Avoid sending unnecessary sensitive information, and use the secure channels we provide for confidential materials.
- Comply with licence terms. Honour Microsoft and third-party acceptable-use policies applicable to the services in your environment.
These are the behaviours that keep your environment genuinely secure.
Questions, access requests, or privacy concerns? We want to hear from you.
Privacy Officer
Harrby Pty Ltd
Email: privacy@harrby.com
Head Office: Sydney, NSW
Service coverage: Melbourne · Canberra · Brisbane · Perth · Adelaide · Darwin
We'll acknowledge your enquiry promptly and investigate any complaint thoroughly. If you're not satisfied with our response, you have the right to escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
14. Policy Updates
Privacy law, technology, and our services evolve. This policy will too.
When we make material changes, the updated version will be published on our website and will take effect immediately upon posting. We encourage you to check back periodically.
This policy provides general information about our privacy practices and is not legal advice. If your organisation has specific regulatory, contractual, or compliance obligations — such as IRAP, ISO 27001 alignment, or sector-specific requirements — please let us know. We'll work with you to ensure our configurations and data handling practices align with your needs.