Privacy Policy — Cascade Analytics

1. Introduction

Cascade Analytics (cascadeanalytics.ai), operated by Murray Clair, based in Australia ("we", "us", "our"), is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

This policy is designed to comply with applicable privacy laws including the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Japan's Act on the Protection of Personal Information (APPI), China's Personal Information Protection Law (PIPL), and France's Loi Informatique et Libertés.

2. Information We Collect

2.1 Information You Provide

Contact information: Name, email address, company name, and message content when you use our contact form or subscribe to communications.
Account information: Email address and authentication credentials when you create an account.
Payment information: Payment details (credit card number, billing address) are collected and processed exclusively by Stripe, Inc. We do not store payment card details on our servers. We receive only a transaction reference, the last four digits of your card, and billing country from Stripe.

2.2 Information Collected Automatically

Usage data: Pages visited, features used, time spent on pages, referral URLs, and click patterns.
Device information: Browser type and version, operating system, device type, and screen resolution.
Network data: IP address (which may be truncated or anonymised), approximate geographic location derived from IP address.
Cookies and similar technologies: As described in our Cookie Policy.

2.3 Information from Third Parties

We may receive limited information from our service providers, including Stripe (payment confirmation), Cloudflare (security analytics), and GitHub Pages (hosting logs).

3. How We Use Your Information

We use personal information for the following purposes:

Providing, operating, and maintaining the Service;
Processing payments and managing subscriptions;
Responding to enquiries and providing customer support;
Sending transactional communications (account confirmations, billing notices);
Improving and optimising the Service;
Detecting and preventing fraud, abuse, and security incidents;
Complying with legal obligations; and
With your consent, sending marketing communications (from which you may opt out at any time).

3.1 Legal Bases for Processing (GDPR/UK GDPR)

For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data on the following legal bases:

Purpose	Legal Basis
Providing the Service	Performance of contract (Art. 6(1)(b) GDPR)
Processing payments	Performance of contract (Art. 6(1)(b) GDPR)
Security and fraud prevention	Legitimate interests (Art. 6(1)(f) GDPR)
Service improvement and analytics	Legitimate interests (Art. 6(1)(f) GDPR)
Legal compliance	Legal obligation (Art. 6(1)(c) GDPR)
Marketing communications	Consent (Art. 6(1)(a) GDPR)

4. Data Sharing and Disclosure

We do not sell your personal information. We share personal information only with the following categories of recipients:

Stripe, Inc. (payment processing) — processes payment data under its own privacy policy. Stripe is certified under the EU-US Data Privacy Framework.
GitHub / Microsoft (website hosting via GitHub Pages) — may process server logs including IP addresses.
Cloudflare, Inc. (CDN and security) — processes network traffic data for performance and security.
Law enforcement or regulators — where required by applicable law, court order, or regulatory request.

All service providers are bound by data processing agreements and are required to handle personal data in accordance with applicable privacy laws.

5. International Data Transfers

As an Australian-based service with global users, personal information may be transferred to and processed in countries outside your country of residence, including Australia and the United States.

For EEA/UK users: Transfers to countries without an adequacy decision are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by the recipient's certification under the EU-US Data Privacy Framework.

For Chinese users: Cross-border transfers comply with PIPL requirements, including consent-based transfer mechanisms and security assessments where required.

For Japanese users: Cross-border transfers are conducted in accordance with APPI requirements, and we ensure recipients provide equivalent levels of data protection.

6. Data Retention

Account data: Retained for the duration of your account plus 2 years after account closure.
Payment records: Retained for 7 years as required by Australian tax law (Taxation Administration Act 1953).
Contact form submissions: Retained for 2 years from submission.
Server logs and usage data: Retained for 12 months, then anonymised or deleted.
Marketing consent records: Retained for the duration of consent plus 3 years.

We may retain data for longer periods where required by law or to establish, exercise, or defend legal claims.

7. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through our cookie banner or your browser settings.

8. Your Rights

8.1 All Users

Regardless of your location, you may contact us at any time to enquire about how your personal information is being handled.

8.2 Australian Users

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

Access your personal information held by us (APP 12);
Request correction of inaccurate, out-of-date, or incomplete information (APP 13); and
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you are not satisfied with our handling of your complaint.

8.3 EEA and United Kingdom Users (GDPR / UK GDPR)

You have the right to:

Access your personal data (Art. 15);
Rectification of inaccurate data (Art. 16);
Erasure ("right to be forgotten") (Art. 17);
Restriction of processing (Art. 18);
Data portability — receive your data in a structured, machine-readable format (Art. 20);
Object to processing based on legitimate interests (Art. 21);
Withdraw consent at any time where processing is based on consent (Art. 7(3)); and
Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects (Art. 22). Cascade Analytics does not currently engage in automated individual decision-making.

You may lodge a complaint with your local supervisory authority. For France: CNIL (www.cnil.fr). For Germany: your state data protection authority (Landesdatenschutzbeauftragte).

8.4 California Users (CCPA/CPRA)

If you are a California resident, you have the right to:

Know what personal information we collect, use, disclose, and sell;
Delete your personal information (subject to exceptions);
Opt out of the sale or sharing of personal information — we do not sell personal information;
Correct inaccurate personal information;
Limit use of sensitive personal information; and
Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address), commercial information (subscription details), and internet activity information (usage data). We have not sold personal information to third parties.

8.5 Japanese Users (APPI)

Under Japan's Act on the Protection of Personal Information, you have the right to:

Request disclosure of your personal information;
Request correction, addition, or deletion of inaccurate information;
Request cessation of use or provision to third parties; and
Lodge a complaint with the Personal Information Protection Commission (PPC).

8.6 Chinese Users (PIPL)

Under China's Personal Information Protection Law, you have the right to:

Be informed about and consent to processing of your personal information;
Access and obtain copies of your personal information;
Request correction or supplementation of inaccurate or incomplete information;
Request deletion of your personal information;
Request an explanation of processing rules;
Withdraw consent; and
Lodge a complaint with the Cyberspace Administration of China (CAC).

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately.

10. Security

We implement appropriate technical and organisational measures to protect personal information, including:

HTTPS encryption for all data in transit;
Delegating payment processing to PCI DSS-compliant Stripe;
Access controls and authentication for internal systems;
Regular security reviews.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the effective date. Where required by law, we will obtain your consent to material changes.

12. Contact Us

For privacy enquiries, data access requests, or complaints:

Cascade Analytics — Privacy
Email: contact@cascadeanalytics.ai
Web: cascadeanalytics.ai
Location: Australia

We will respond to all legitimate requests within 30 days (or within the timeframe required by applicable law).

13. Data Protection Officer

As a small organisation, we have not appointed a formal Data Protection Officer. All privacy matters are handled directly by Murray Clair. If required under GDPR Article 37, we will appoint a DPO and update this section accordingly.