PRIVACY POLICY

Who How Global Pty Ltd (trading as Step Change)   |   ABN: 26 638 400 594  |   Last updated: June 2026

1. About This Policy

Who How Global Pty Ltd (trading as Step Change) (ABN: 26 638 400 594) ("we", "us", "our") is a marketing agency based in New South Wales, Australia. We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) in Schedule 1 to that Act, as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth).


This Privacy Policy explains how we collect, hold, use and disclose personal information in connection with our business activities, including our use of artificial intelligence (AI) tools and automated processes.


We are committed to handling personal information responsibly and in accordance with our legal obligations. If you have questions about this policy, please contact us using the details in Section 14.


2. What Personal Information We Collect

We collect personal information that is reasonably necessary for our business functions and activities. The kinds of personal information we may collect include:


From clients and prospective clients:

  • Full name, job title and employer/company name
  • Business and personal contact details (email address, phone number, postal address)
  • Billing and payment information (invoicing details; we do not store full payment card details)
  • Business information, including brand materials, campaign briefs and marketing assets
  • Communications records (emails, meeting notes, project correspondence)


From individuals who interact with our website or marketing:

  • Name and contact details (via enquiry forms, lead capture or newsletter sign-up)
  • Website usage data (pages visited, time on site, browser type, IP address — collected via analytics tools and cookies)
  • Preferences and interests inferred from interactions with our content


From third-party sources:

  • Contact details or professional information sourced from publicly available channels (e.g. LinkedIn, company websites)
  • Data provided by list brokers or data enrichment providers — we rely on those providers having complied with their own collection obligations



3. How We Collect Personal Information

We collect personal information:

  • Directly from you, when you contact us, complete a form on our website, engage our services, or correspond with us by email, phone or in person
  • From your employer or colleagues, where they provide your details to us in connection with a client engagement
  • Automatically, through website cookies and analytics tools when you visit our website
  • From third parties, including referrals, publicly available sources, or data providers
  • Through AI tools, where the use of such tools involves processing personal information you or your organisation provide to us (see Section 10)


4. Why We Collect and Use Personal Information

We collect, hold, use and disclose personal information for the following purposes:


To deliver our services:

  • Managing client projects, campaigns and deliverables
  • Communicating with clients and their representatives
  • Invoicing and receiving payment
  • Onboarding new clients and maintaining client records


To manage and grow our business:

  • Responding to enquiries and proposals
  • Managing supplier and contractor relationships
  • Internal business planning, reporting and operations
  • Staff recruitment and management


For marketing and business development:

  • Sending direct marketing communications (subject to your right to opt out — see Section 9)
  • Promoting our services to prospective clients
  • Sharing case studies, industry insights and thought leadership


For legal and compliance purposes:

  • Meeting our obligations under applicable laws and regulations
  • Responding to legal proceedings, court orders or regulatory requests
  • Protecting the rights, property or safety of our agency, clients or others


5. How We Hold and Secure Personal Information

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.


Storage:

Personal information is held electronically in cloud-based platforms including:

  • HubSpot CRM, Google Workspace, monday.com, Productive.io, Mailchimp, Xero


Security measures include:

  • Password protection and multi-factor authentication on systems that hold personal information
  • Access controls limiting data access to authorised staff with a need to know
  • Encryption of data in transit using HTTPS/TLS protocols
  • Regular review of third-party vendor security practices


Retention:

We retain personal information for as long as it is needed for the purpose for which it was collected, or as required by law. We aim to destroy or de-identify personal information within 7 years after conclusion of a client engagement, unless a longer period is required by law (for example, under tax legislation).


6. Disclosure of Personal Information

We may disclose personal information to:

  • Service providers and contractors engaged to assist in delivering our services, including subcontractors, web developers, media buyers, photographers, illustrators and other specialist contractors
  • Technology and platform providers that operate software or infrastructure we use, including HubSpot (CRM and email marketing), Google Workspace (email and cloud storage), monday.com (project management), Productive.io (time tracking and project management), Mailchimp (email marketing), Xero (accounting), and website hosting/analytics providers
  • AI tool providers — see Section 10 for specific disclosure details
  • Professional advisers, including accountants, lawyers and insurers
  • Regulators, courts and law enforcement agencies, where required or authorised by law
  • Prospective buyers in the event of a business sale, merger or restructure (subject to confidentiality obligations)



7. Cross-Border Disclosure of Personal Information

Some of the third-party platforms and service providers we use may store or process personal information outside Australia. By engaging our services or providing us with personal information, you acknowledge that we may disclose personal information to overseas recipients.


Countries or regions where overseas recipients may be located:

  • United States of America (e.g. Google, HubSpot, Meta, LinkedIn, OpenAI, Anthropic, Perplexity AI)
  • New Zealand and Australia (Xero Limited); European Union (Productive.io)


Our obligations (APP 8):

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information (APP 8.1). Where we cannot ensure APPs-equivalent protection, we will inform you and seek consent where required prior to disclosure.


8. Automated Decision-Making Transparency

8.1 Overview

We may use computer programs or automated tools that use personal information to make, or to do things substantially and directly related to making, decisions that could reasonably be expected to significantly affect the rights or interests of individuals. This section discloses the kinds of personal information used and the kinds of decisions involved.


8.2 Automated processes we use

We currently use HubSpot as our CRM platform, which collects and stores contact engagement data (including email opens, website visits and form submissions). This data is used to manage client relationships and inform outreach activities. At this time, we do not use any automated scoring, segmentation or decision-making processes that could significantly affect the rights or interests of individuals within the meaning of APP 1.7. All outreach and communication decisions are made by our team members, not automated systems.



We will update this section before 10 December 2026 if we introduce any automated decision-making processes that engage APP 1.7 obligations.


8.3 Your rights in relation to automated decisions

If you believe an automated decision has significantly affected your rights or interests and you wish to understand how it was made, please contact us at the details in Section 14. We will explain the role of any automated process and provide an opportunity for human review where appropriate.


9. Direct Marketing and Opt-Out Rights

We may use your personal information to send you direct marketing communications about our services, industry insights, events and other content we believe may be of interest to you.


We only send direct marketing where:

  • You have consented to receive it; or
  • You are an existing client and we are marketing our own similar services, and you have not opted out


How to opt out:

You can opt out of receiving direct marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email we send you
  • Emailing us at [email protected] with the subject line 'Unsubscribe'
  • Contacting us by phone at (02) 8030 8655


We will process opt-out requests within 5 business days. After opting out, you may still receive service-related or transactional communications (such as invoices or project updates) that are not marketing in nature.


10. Our Use of Artificial Intelligence Tools

We use artificial intelligence (AI) tools in various aspects of our work. This section is provided in accordance with the OAIC's Guidance on privacy and the use of commercially available AI products (October 2024) and our APP obligations.


10.1 AI tools we use

Tool Provider Primary Use Personal Information Involved Overseas Processing
ChatGPT / GPT-4o OpenAI (USA) Content drafting, research, summarisation May include client names or project context if included in prompts Yes – USA
Claude Anthropic (USA) Content drafting, analysis, strategy May include client names or project context if included in prompts Yes – USA
Gemini / Google AI Google (USA) Research, summarisation, drafting May include client names or project context if included in prompts Yes – USA
Perplexity AI Perplexity AI, Inc. (USA) Research, fact-checking, web-sourced summarisation May include client names or project context if included in prompts Yes – USA


10.2 How we handle personal information when using AI

  • We take reasonable steps to minimise the personal information entered into AI tools. Where possible, we de-identify or anonymise information before inputting it.
  • We do not enter sensitive information (e.g. health, financial or identification information) into publicly available generative AI tools without express consent.
  • AI outputs that contain personal information are treated as probabilistic assessments, not factual records, and are subject to human review before being relied upon or communicated.
  • Staff are trained to understand the limitations of AI tools and to verify AI outputs.


10.3 Disclosure to AI providers

When personal information is entered into a commercially operated AI tool, that information may be accessible to the AI tool's developer or operator. We treat this as a disclosure to an overseas recipient and manage it accordingly under APP 8.

We encourage you to review the privacy policies of the relevant AI providers:

OpenAI: https://openai.com/policies/privacy-policy

Anthropic: https://www.anthropic.com/legal/privacy

Google: https://policies.google.com/privacy


10.4 Your right to object

If you do not wish your personal information to be processed using AI tools, please contact us at the details in Section 14. We will discuss the practical implications and, where possible, accommodate your request.


11. Accessing and Correcting Your Personal Information

Access requests (APP 12)

You have the right to request access to the personal information we hold about you. To make an access request, please contact us using the details in Section 14.


We will respond to access requests within a reasonable time (generally within 30 days). We may need to verify your identity before providing access. We may decline access in limited circumstances permitted by the Privacy Act and will explain any such decision. We may charge a reasonable fee for access and will advise you of any applicable fee in advance.


Correction requests (APP 13)

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may request that we correct it. We will take reasonable steps to correct it promptly. If we decline, we will give you written reasons and advise you of available review steps.


12. Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe there has been an eligible data breach — an unauthorised access, disclosure or loss of personal information that is likely to result in serious harm — we will:

  • Conduct a prompt assessment within 30 days of becoming aware of the suspected breach
  • If an eligible breach is confirmed, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable


We maintain an internal data breach response plan to guide our response to any suspected or confirmed data breach.



13. Complaints

If you believe we have breached the APPs or otherwise mishandled your personal information, we encourage you to contact us directly in the first instance.


To make a complaint, write to us at: [email protected]

Or by post: Who How Global Pty Ltd (trading as Step Change), Attn: Privacy Officer, 35-39 Bourke Road, Alexandria NSW 2015


Please describe the nature of your concern, including relevant dates and steps you have already taken. We will acknowledge receipt within 5 business days and aim to resolve complaints within 30 days.


If you are not satisfied with our response, or if we fail to respond within a reasonable time, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):


14. Contact Us

For all privacy-related enquiries, access requests or complaints, please contact:


Privacy Officer / Contact Person

Magdalena Bishop, Privacy Officer

Who How Global Pty Ltd (trading as Step Change)

35-39 Bourke Road, Alexandria, NSW 2015

Email: [email protected]

Phone: (02) 8030 8655


15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal obligations. The current version will always be available at:

hellostepchange.com/privacy-policy


Where changes are material, we will take reasonable steps to notify affected individuals (for example, by email notification to active clients or a prominent notice on our website). The date of the most recent update is shown at the top of this document.


Appendix A – Key Legal References

This Privacy Policy has been prepared with reference to:

  • Privacy Act 1988 (Cth): https://www.legislation.gov.au/Details/C2022C00199
  • Privacy and Other Legislation Amendment Act 2024 (Cth), including Part 15 (Automated decisions — APP 1.7, 1.8, 1.9, commencing 10 December 2026)
  • Australian Privacy Principles (Schedule 1 to the Privacy Act)
  • OAIC, Chapter 1: APP 1 — Open and transparent management of personal information: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information
  • OAIC, Guidance on privacy and the use of commercially available AI products (October 2024): https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products