Privacy Policy
1. About this Policy
This Privacy Policy describes how Feezy Pty Ltd ACN 661 267 385 (we, us, our) collects, holds, uses, discloses, and otherwise handles personal information in connection with the Feezy platform (feezy.io and app.feezy.io) and any related services (collectively, the Platform).
Feezy is a marketplace and contract management platform for education recruitment agents. It enables agents to discover higher education institution partners, manage agency agreements, and where subscription terms allow, generate and execute contracts with institutions.
We are committed to handling personal information in a way that is transparent, lawful, and consistent with community expectations. Depending on where you are located, different data protection laws apply. This Policy covers our obligations under:
(a) the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) — applicable to all users;
(b) the General Data Protection Regulation (EU) 2016/679 (GDPR) — applicable to users in the European Economic Area (EEA);
(c) the UK GDPR and the Data Protection Act 2018 — applicable to users in the United Kingdom; and
(d) applicable US state privacy laws (including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)) — applicable to users in those jurisdictions.
By accessing or using the Platform, you acknowledge that you have read this Policy. If you do not agree, please do not use the Platform.
2. Key Terms
We may collect the following types of personal information:
Personal Information / Personal Data means any information about an identified or reasonably identifiable individual, as defined in the applicable law.
Platform User means an individual who accesses the Platform as a registered agent or agent team member.
Agent means an education recruitment agency or individual recruiter who has registered for a Feezy account.
Institution means a higher education institution that appears on the Feezy marketplace or that sends contract workflows to Agents via the Platform.
Agent Data means personal and business information that an Agent or its staff enters into the Platform, including student pipeline data, contact details, and contract data.
Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.
3. Who We Are
Feezy Pty Ltd is the data controller (or APP entity, in Australian privacy law terms) in respect of Personal Data processed through the Platform. Our registered office is at 81-83 Campbell Street, Sydney NSW 2001, Australia.
For users in the EEA, we are established outside the EU and are required by Article 27 GDPR to designate an EU representative. We are in the process of appointing a formal representative. In the interim, you may direct EU data protection queries to privacy@feezy.io and we will respond within the timeframes required by the GDPR.
For users in the UK, we are similarly in the process of appointing a UK representative under the UK GDPR. In the interim, UK queries may be directed to privacy@feezy.io.
If you have a question, complaint, or wish to exercise a data subject right, please contact us at:
(a) Email: privacy@feezy.io
(b) Post: Privacy Officer, Feezy Pty Ltd, 81-83 Campbell Street, Sydney NSW 2001, Australia
4. What Personal Information We Collect
4.1 Information you provide directly
When you register for or use the Platform, we may collect:
(a) Account and contact information: full name, email address, job title, business or agency name, telephone number, and country of location;
(b) Professional information: agency details, business address, registration or accreditation numbers, and languages spoken;
(c) Contract and marketplace data: the content of contracts and agreements created, negotiated, or executed through the Platform, including agency commission terms, performance targets, and institutional contacts;
(d) Integration data: where you connect a third-party CRM or database (such as Zoho CRM) or upload data via CSV or other import tools, the personal information contained in those records — which may include student contact details, enrolment history, and agent pipeline information. We process such imported data on your behalf as a data processor (see Section 4.4 below); and
(e) Communications: messages, support requests, and correspondence you send to us.
4.2 Information we collect automatically
When you use the Platform, we may automatically collect:
(a) Usage data: log files, access timestamps, IP addresses, browser type, operating system, pages visited, and features used;
(b) Device information: device type, screen resolution, and language settings; and
(c) Cookies and similar technologies: see Section 10 (Cookies) below.
4.3 Information from third parties
We may receive personal information about you from:
(a) institutions that invite you to participate in a contract workflow via the Platform;
(b) DocuSign, in respect of electronic signature events (including signature timestamps and IP addresses) for contracts you execute through the Platform; and
(c) third-party identity or verification services we may use from time to time, with appropriate notice.
4.4 Data you import — Agent as Data Controller
Where you use the Platform's integration features (such as a Zoho CRM connector, CSV upload, or any other future import tool) to bring external data into the Platform, you remain the data controller of that imported data. We act as your data processor in respect of it.
You are responsible for ensuring that your collection, use, and import of that data complies with applicable law (including the Privacy Act, GDPR, and UK GDPR where relevant), and that affected individuals have been given appropriate notice. We will process imported data only in accordance with your instructions and our Data Processing Agreement.
Where imported data includes personal information about students, you must ensure that students are aware that their information may be processed via the Feezy Platform. We do not use student data for any purpose other than providing the contracted services to you.
4.5 Sensitive information
We do not intentionally collect sensitive information (such as health data, biometrics, passport numbers, or dates of birth). Please do not submit or import sensitive personal information through the Platform unless you have an explicit legal basis to do so and have obtained our prior written consent to that processing. If you believe sensitive information has been inadvertently submitted, please contact us at privacy@feezy.io.
5. Why We Collect Personal Information and Our Lawful Bases
We collect and use Personal Information for the purposes set out in the table below. Where we rely on a lawful basis under the GDPR or UK GDPR, that basis is indicated.
|
Purpose |
Details |
Lawful Basis (GDPR / UK GDPR) |
|
Providing and operating the Platform |
Creating accounts, authenticating users, enabling marketplace discovery, contract creation and management, and DocuSign-enabled eSigning where subscribed. |
Performance of a contract (Art 6(1)(b)); or Legitimate interests (Art 6(1)(f)) for third-party invitees. |
|
Billing and subscription management |
Processing subscription payments via Stripe; managing free and paid plan access, upgrades, and renewals. |
Performance of a contract (Art 6(1)(b)). |
|
Customer support |
Responding to enquiries, resolving technical issues, and providing Platform assistance. |
Legitimate interests (Art 6(1)(f)) - ensuring users can effectively use the Platform. |
|
Security and fraud prevention |
Monitoring for unauthorised access, detecting abuse, and maintaining Platform integrity. |
Legitimate interests (Art 6(1)(f)) - protecting the Platform and users from harm. |
|
Legal compliance |
Meeting obligations under applicable law, including tax, corporate, and data protection requirements. |
Legal obligation (Art 6(1)(c)). |
|
Platform improvement |
Analysing aggregated, anonymised usage patterns to improve features, fix bugs, and develop new functionality, including to train or improve AI / ML models used within the Platform. |
Legitimate interests (Art 6(1)(f)) - improving the Platform for all users. Note: only anonymised or aggregated data is used for AI/ML purposes. Identified Personal Data will not be used for model training without your explicit written consent. |
|
Communications and marketing |
Sending product updates, release notes, and — where you have consented or we rely on the "soft opt-in" — marketing communications about our services. |
Consent (Art 6(1)(a)); or Legitimate interests (Art 6(1)(f)) for existing customer communications. |
|
Responding to legal processes |
Complying with court orders, subpoenas, regulatory requests, or other lawful demands. |
Legal obligation (Art 6(1)(c)); or Legitimate interests (Art 6(1)(f)). |
We do not use identified Personal Data for training machine learning or AI models without your explicit written consent. We may use anonymised or aggregated platform data (which cannot identify any individual) for product improvement, performance benchmarking, and model development without restriction.
6. To whom might we disclose your personal information?
We do not sell personal information. We may share it with the following categories of third parties:
6.1 Sub-processors and service providers
We use third-party service providers (sub-processors) who process personal data on our behalf under written data processing agreements. Our current sub-processors are:
|
Sub-processor |
Role |
Location |
|
Amazon Web Services (AWS) |
Cloud hosting and infrastructure. EU-connected entities are hosted in AWS Dublin (Ireland); all other data is hosted in AWS Sydney (Australia). |
Ireland / Australia |
|
DocuSign |
Electronic signature and document management for agents on paid plans who use the contracts feature. |
Australia / EEA (configurable by account region; EU SCCs and UK Addendum apply) |
|
Stripe |
Subscription billing and payment processing for paid plans. |
USA (EU SCCs apply for EEA data) |
|
HubSpot |
Customer relationship management and client communications. |
USA (EU SCCs apply for EEA data) |
|
Google Workspace |
Internal team email and communications (client contact data may be incidentally processed). |
USA / Global (EU SCCs apply for EEA data) |
We review sub-processor arrangements periodically and may add or replace sub-processors from time to time. Notice of material sub-processor changes will be communicated to institutional and agent customers in accordance with our Data Processing Agreement.
6.2 Institutions on the Platform
By their nature, contract and marketplace workflows on the Platform involve sharing contact and professional information between Agents and the Institutions they connect with. This sharing is inherent to the service and is necessary for its operation, and occurs only with the Platform User’s explicit permission.
6.3 Professional advisers and regulators
We may share personal information with lawyers, accountants, auditors, or regulators where required to comply with legal obligations or to defend or enforce legal claims.
6.4 Business transfers
If we merge with, acquire, or are acquired by another entity, personal information may be transferred as part of that transaction. We will notify affected individuals where required by law.
6.5 Law enforcement
We may disclose personal information to law enforcement or government authorities where required by law, court order, or other lawful demand.
7. International Transfers of Personal Data
We are based in Australia and our primary infrastructure is in Australia (AWS Sydney). However, personal data may be transferred internationally in the following circumstances:
(a) EU-connected users: where any party to a contract workflow (Institution or Agent) has a presence in the EEA, contract data is routed to AWS Ireland (Dublin region), which is located in the EU.
(b) All other users: data is hosted in AWS Sydney, Australia.
(c) Sub-processor transfers: certain sub-processors (DocuSign, Stripe, HubSpot, Google Workspace) are based in the United States and process personal data there.
For transfers from the EEA to third countries (including Australia and the United States), we rely on the European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor) as the lawful transfer mechanism, supplemented by Transfer Risk Assessments.
For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum (ICO version B1.0, March 2022) to the EU SCCs.
For agents who sign our Data Processing Agreement, the full SCCs and UK Addendum (including Annexes) are appended to that agreement.
8. How Long We Keep Personal Information
We retain Personal Information for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes. Our general retention practices are:
|
Category of data |
Retention period |
|
Account and contact information |
For the duration of the active account, plus 7 years after deactivation or termination (Australian tax and corporate record-keeping). |
|
Contract documents and signing records |
For the duration of the active account, plus 7 years (or longer if required by applicable law or the relevant contract). |
|
Imported Agent Data (CRM / CSV) |
For the duration of the active subscription. On termination, returned or deleted in accordance with our Data Processing Agreement. |
|
Usage and log data |
12 months from collection, unless required longer for security investigations. |
|
Payment records |
7 years from the transaction date (ATO and GST compliance). |
|
Support communications |
3 years from resolution of the request. |
|
Marketing consent records |
For the duration of the consent, plus 5 years from withdrawal. |
On expiry of the applicable retention period, we will delete or de-identify personal information unless we are required by law to retain it for longer. On written request, agents may also request earlier deletion of their imported data under the terms of our Data Processing Agreement.
9. Security
We take reasonable technical and organisational measures to protect personal information from unauthorised access, disclosure, misuse, loss, and alteration. Our security measures include:
(a) encryption of data in transit (TLS 1.2 or above) and at rest (AES-256);
(b) access controls and role-based permissions limiting staff access to personal data on a need-to-know basis;
(c) regular security assessments;
(d) offsite backups and disaster recovery procedures; and
(e) staff training on data handling and security obligations.
No system is completely secure. If you suspect a security incident has occurred, please contact us immediately at privacy@feezy.io.
In the event of a data breach that is likely to result in a risk to your rights and freedoms (under GDPR / UK GDPR) or that meets the threshold for notification under the Notifiable Data Breaches scheme (Privacy Act), we will notify you and, where required, the relevant regulatory authority within the applicable timeframes (72 hours under GDPR; "as soon as practicable" under the Privacy Act).
10. Cookies
10.1 What we use
We use cookies and similar tracking technologies on the Platform for the following purposes:
|
Category |
Purpose and examples |
|
Strictly necessary |
Essential for the Platform to function — user authentication, session management, security tokens. These cannot be disabled. |
|
Functional |
Remembering your preferences (language, timezone, display settings). Enabled by default; can be disabled. |
|
Analytics |
Understanding how the Platform is used in aggregate to improve performance and the marketplace experience. We use anonymised data only. Require consent in the EEA and UK. |
|
Marketing / targeting |
We do not currently use marketing or advertising cookies on the Platform. |
10.2 Your choices
We are implementing a cookie consent mechanism for EEA and UK users. When deployed, users accessing the Platform from the EEA or UK will be presented with a consent banner allowing them to accept or decline non-essential cookies. Until that mechanism is live, non-essential cookies will not be set for EEA or UK users. You may control cookies at any time through your browser settings.
Most browsers allow you to control cookies through their settings. Note that disabling certain cookies may affect the functionality of the Platform.
11. Your Rights
11.1 Rights under Australian law
Under the Privacy Act and the APPs, you have the right to:
(a) access the personal information we hold about you;
(b) request correction of inaccurate, incomplete, or out-of-date information; and
(c) make a complaint to us, and if unsatisfied with our response, to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
11.2 Rights under GDPR (EEA users)
If you are located in the EEA, you also have the following rights under the GDPR:
(a) Right of access (Article 15): to obtain a copy of your personal data and information about how it is processed;
(b) Right to rectification (Article 16): to have inaccurate data corrected and incomplete data completed;
(c) Right to erasure (Article 17): to request deletion of your personal data in certain circumstances;
(d) Right to restriction (Article 18): to restrict our processing of your personal data in certain circumstances;
(e) Right to data portability (Article 20): to receive your data in a machine-readable format and transfer it to another controller, where processing is based on consent or contract;
(f) Right to object (Article 21): to object to processing based on legitimate interests, including profiling; and
(g) Right to withdraw consent (Article 7(3)): where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu.
11.3 Rights under UK GDPR (UK users)
UK users have equivalent rights under the UK GDPR and Data Protection Act 2018. You may lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk.
11.4 Rights under US law (California users)
If you are a California resident, the CCPA / CPRA provides you with the right to:
(a) know what personal information we collect, use, disclose, and sell;
(b) delete personal information we hold about you (subject to certain exceptions);
(c) correct inaccurate personal information;
(d) opt out of the sale or sharing of personal information (we do not sell personal information); and
(e) non-discrimination for exercising your CCPA rights.
To exercise any California privacy right, please contact us at privacy@feezy.io. We will not discriminate against you for doing so.
11.5 Note for Agents regarding imported data
Where you have imported data about third parties (such as student pipeline data) into the Platform, those individuals' rights must be directed to you as the data controller of that data. You should have your own privacy policy and processes in place to respond to rights requests from those individuals. We will assist you in meeting those obligations in accordance with our Data Processing Agreement.
11.6 How to exercise your rights
To exercise any of the rights described in this section in respect of data for which we are the data controller, please submit a written request to privacy@feezy.io. We will respond within 30 days (or within any shorter period required by applicable law, such as 1 month under the GDPR). We may ask you to verify your identity before fulfilling your request.
There is no charge for making a request, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline to respond.
12. Third-Party Links and Integrations
The Platform may contain links to third-party websites or may integrate with third-party services (including CRM systems such as Zoho). We are not responsible for the privacy practices of those third parties. When you connect a third-party integration to the Platform, please review that third party's privacy policy. Your use of those integrations is subject to the terms agreed between you and the relevant third party.
13. Children's Privacy
The Platform is designed for use by education professionals and agencies. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information through the Platform, please contact us at privacy@feezy.io and we will take steps to delete it.
If you import data as an Agent that may include information about students under 18, you are responsible for ensuring you have a lawful basis to process and share that data, and that appropriate safeguards are in place.
14. Complaints
If you have a concern about how we have handled your personal information, we ask that you contact us first at privacy@feezy.io to give us an opportunity to resolve your complaint.
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we are unable to resolve your complaint to your satisfaction, you may escalate it to the relevant authority:
(a) Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
(b) EEA: your national supervisory authority — see https://edpb.europa.eu
(c) UK: Information Commissioner's Office — www.ico.org.uk
15. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will:
(a) update the effective date at the foot of this Policy;
(b) post the revised Policy at feezy.io/privacy; and
(c) where the change is material, notify you by email or prominent in-Platform notice.
Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree, please stop using the Platform and contact us to close your account.
16. Contact Us
All privacy enquiries, access requests, correction requests, and complaints should be directed to:
|
Channel |
Details |
|
|
privacy@feezy.io |
|
Post |
Privacy Officer, Feezy Pty Ltd, 81-83 Campbell Street, Sydney NSW 2001, Australia |
|
Response time |
Within 5 business days for general enquiries; within 30 days (or as required by applicable law) for rights requests. |
Effective: March 2026