Privacy Policy
Version 2.0 — effective 15 May 2026. Operated by Rockley Consulting Pty Ltd (ABN 78 673 819 773), trading as ROCKAXIOM.
ROCKAXIOM Privacy Policy
| Version | 2.0 |
|---|---|
| Effective Date | 15 May 2026 |
| Supersedes | Privacy Policy dated 1 December 2025 |
| Operated by | Rockley Consulting Pty Ltd (ABN 78 673 819 773) |
| Jurisdiction | Tasmania, Australia |
About this Policy
Rockley Consulting Pty Ltd ("we", "us", "our") is committed to protecting the privacy of personal information collected through the ROCKAXIOM Business Continuity and Disaster Recovery (BCDR) service and the rockaxiom.au website and onboarding flow.
This Privacy Policy explains how we collect, use, store, disclose and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This Policy applies to:
- The ROCKAXIOM service, including backup, monitoring, recovery and managed continuity services.
- The rockaxiom.au website, including the onboarding form, customer portal links, and any other public-facing pages.
- The acceptance and onboarding flow, including the evidentiary record of agreement acceptance.
By using the ROCKAXIOM service, the rockaxiom.au website, or by submitting the onboarding form, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Information collected at onboarding
When you sign up for ROCKAXIOM through the rockaxiom.au onboarding form, we collect:
- Venue and business details: trading name, business name, ABN/ACN (if provided), site address, billing address.
- Contact details: contact name, role, email address, phone number.
- Technical metadata of your submission: IP address, user agent string, browser fingerprint, session identifier, timestamp (UTC) of submission.
- Agreement acceptance record: the version of each document accepted (MSA, SLA, Product Schedule, Shared Responsibility Schedule, and this Privacy Policy), a hash of the text displayed at the time of acceptance, and confirmation of authority to bind the venue.
- Payment instrument: collected and processed by Stripe; we do not store card numbers, expiry dates, or CVCs.
1.2 Information collected during service delivery
When you use ROCKAXIOM, we collect:
- Personal information: name, email address, phone number, role.
- Technical information: device names, operating system details, hardware identifiers, backup job metadata, logs and status, POS Controller and SQL instance details, IP address and general network information for troubleshooting.
1.3 Backup content
ROCKAXIOM backs up SQL databases, files, folders and system state data from your Windows devices. These backups may include business data stored on the protected devices.
We do not view, analyse or access your backed-up business content unless required for recovery, troubleshooting, or when authorised by you.
2. Why We Collect This Information
2.1 Purpose of onboarding-stage collection
We collect onboarding-stage information for the following purposes:
- Contract formation: to record the parties to the agreement and the terms accepted.
- Authority verification: to confirm that the person submitting the form is authorised to bind the venue.
- Fraud prevention and risk control: to identify and prevent fraudulent or unauthorised signups.
- Evidentiary record: to provide an immutable record that the customer agreed to specific document versions at a specific time, in the event of a future dispute.
- Communication about onboarding: to send confirmation emails, activation instructions, and onboarding support.
- Service activation: to provision the ROCKAXIOM service for the customer's environment.
2.2 Lawful basis under APP 3
Collection is reasonably necessary for our functions and activities as a provider of ROCKAXIOM continuity services. Consent is provided by the customer's submission of the onboarding form and acceptance of this Policy and the related contractual documents.
2.3 Purpose of service-delivery collection
We use service-delivery information to:
- Deliver ROCKAXIOM backup and continuity services.
- Monitor backup status and remediate failures.
- Provide support and recovery assistance.
- Deploy and manage DR appliances where applicable.
- Improve service reliability and performance.
- Invoice and process subscription payments.
- Communicate service updates, outages or urgent issues.
- Meet legal, security and compliance obligations.
We do not sell, rent or trade personal information.
3. How We Collect Information
We collect information when:
- You complete the onboarding form on rockaxiom.au.
- You sign up for ROCKAXIOM or any related service.
- You communicate with us by email, phone, or through support requests.
- Backup agents are deployed on your systems.
- Recovery or troubleshooting tasks are performed.
- Payments are made via Stripe.
- You complete forms or interact with our website.
4. Where Your Information Is Stored
4.1 Onboarding and customer data
Onboarding-stage data and customer account data (including contact details, billing references and agreement acceptance records) are stored in Supabase, ap-southeast-2 region (Sydney, Australia). Supabase is operated by Supabase Inc., a US-incorporated company; data is physically stored in Australia.
We have taken reasonable steps to ensure Supabase handles personal information in line with the Australian Privacy Principles, including by configuring the project to the Australian region. We will disclose to you, on request, the steps taken to ensure overseas service providers do not breach APP 11.
4.2 Backup data
Backup data is stored in secure Australian data centres operated by N-able's Cove Data Protection cloud infrastructure. Data remains within Australia unless a different region is requested during onboarding.
Technical Protections
- AES 256-bit encryption
- Encryption in transit and at rest
- Encryption onsite before upload
- Transfer over TLS 1.2 one-way connections
- Decryption only during recovery at your venue
Facility Security
- 24/7 biometric physical security
- CCTV and audit logging
- UPS and generator power redundancy
- Multizone fire protection and VESDA detection systems
- ISO 27001 and ISO 9001 certifications
4.3 Payments
Payment information is processed by Stripe, operating under their own Privacy Policy and PCI-DSS compliance program. Stripe may store some data outside Australia; we do not control Stripe's data residency. We disclose only the minimum information required to process the transaction.
5. How We Store and Protect Your Information
We store personal information using secure systems, including:
- Encrypted application and backup platforms.
- Access-controlled management portals.
- Multi-factor authentication for administrative accounts.
- Strict internal access controls (role-based access, least privilege).
- Secure email and document services.
- Audit logging where appropriate.
6. Retention of Information
6.1 Service-related information
We retain personal information for as long as required to deliver the service or to meet legal obligations.
6.2 Backup data
Backup data is retained for 365 days as part of the active ROCKAXIOM service. After cancellation, backups are typically retained for 30 days before deletion unless you request earlier deletion.
6.3 Acceptance evidence
The record of agreement acceptance (timestamp, IP address, user agent, document versions, hash of displayed text, and signatory confirmation) is retained for the life of the contract plus six years from the date of last performance, to align with the limitation period for contractual disputes under Tasmanian law.
7. Disclosure of Information
7.1 Service Providers
We may share information with:
- Supabase (application database and onboarding form back-end, ap-southeast-2 region).
- N-able (Cove Data Protection cloud storage).
- Stripe (billing and subscription processing).
- Action1 or equivalent endpoint management platforms, if enabled.
- Email and document providers such as Google Workspace or Proton.
These providers only receive the minimum data required and are expected to maintain appropriate security.
7.2 Legal and Regulatory
We may disclose information where required by law, court order, or regulatory authority.
7.3 IT Partners
Where you engage an IT Managed Service Provider or internal IT team, and with your permission, we may share relevant backup and recovery information with them to support continuity.
7.4 No Marketing Disclosure
We do not share personal information with third parties for marketing purposes.
8. Website Data and Cookies
The rockaxiom.au website and onboarding form may use the following cookies and similar technologies:
- Session cookies for form submission, session management and CSRF protection.
- Essential functionality cookies for navigation and load balancing.
- Privacy-respecting analytics (if enabled) to understand traffic and usage patterns.
We do not use invasive advertising trackers or behavioural advertising cookies. If we introduce third-party analytics (such as Google Analytics) or remarketing pixels, this Policy will be updated and consent will be obtained where required.
9. Access, Correction and Deletion
Under APP 12 and APP 13 you may request:
- Access to personal information we hold about you.
- Correction of inaccurate or incomplete information.
- Deletion of personal information that is no longer required, subject to legal and operational requirements.
To make a request, contact us using the details in Section 14. We will respond within a reasonable time (generally within 30 days).
10. Data Breaches
If a data breach occurs that is likely to result in serious harm, we will follow the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). This may include notifying affected individuals and the Office of the Australian Information Commissioner (OAIC), and taking reasonable steps to reduce any risk of harm.
We maintain an internal data breach response plan and review it periodically.
11. Children's Privacy
ROCKAXIOM is a business service and is not directed at individuals under 18. We do not knowingly collect personal information from children.
12. Third Party Links
Our website and communications may contain links to external sites such as Stripe, N-able or Supabase. We are not responsible for the privacy practices or content of those third parties and encourage you to review their privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be published on this page with a revised "Last Updated" date.
Where the change is material (for example, a change to the types of information collected, a change to how information is used or shared, or a change in data residency), we will provide at least 30 days' notice by email to active customers before the change takes effect.
Continued use of the ROCKAXIOM service after a change takes effect constitutes acceptance of the updated Policy. If you do not accept a material change, you may cancel the service in accordance with the Terms of Service.
14. Contact Us
If you have any questions or concerns about this Privacy Policy, how your information is handled, or to make a privacy request, please contact:
Rockley Consulting Pty Ltd
- Email: support@rockaxiom.au
- Website: rockaxiom.au / rockleyconsulting.com.au
- ABN: 78 673 819 773
- Location: Tasmania, Australia
You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles.
Change Log
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 1 December 2025 | Initial publication. |
| 2.0 | 15 May 2026 | Extended scope to expressly cover rockaxiom.au website and onboarding flow. Added detail on onboarding-stage data collection (IP, user agent, signing metadata), retention of acceptance evidence, Supabase ap-southeast-2 application-tier residency, material-change notice period, and complaint-channel signposting to OAIC. |