Privacy Policy

Last updated: 18 April 2026

This Privacy Policy explains how Cadence IP ("we", "us", "our") collects, uses, stores, discloses and protects personal information in connection with the Cadence IP intellectual property practice management platform (the "Service").

We are bound by the Australian Privacy Principles set out in the Privacy Act 1988 (Cth) and, where applicable, by the EU General Data Protection Regulation (GDPR) and the UK GDPR. This policy is written for two audiences: the firms and practitioners who subscribe to the Service ("Customers"), and the individuals whose personal information may be processed in the Service ("Data Subjects") — including a Customer's clients, inventors, opponents and other parties to a matter.

1. Information we collect

Account and billing information. When a Customer creates an account we collect the practitioner's name, work email, phone number, organisation name, role, billing address, and payment-method tokens issued by our payment processor.

Customer-provided content. Customers create matters, contacts, tasks, time entries, file notes, documents, emails, SMS, invoices, intake-form submissions and related records. This content is entered by Customer users, imported from prior systems, sent into the Service by email or SMS, or submitted through embedded intake forms. It frequently includes personal information about Data Subjects who are not themselves Customer users.

Integrations. When a Customer connects a third-party service (for example Xero, Dropbox, Anthropic, OpenAI, Google AI, Twilio), we receive and store the credentials and tokens needed to interact with that service on the Customer's behalf. Sensitive credentials are stored using strong encryption.

Technical and usage information. We collect log data, IP addresses, browser and device information, access times, pages visited, and actions taken in the Service for security, abuse prevention, performance and product-improvement purposes.

Cookies and similar technologies. We use strictly necessary cookies for authentication and session management, and a small number of functional cookies to remember user preferences. We do not use advertising cookies.

2. How we use information

We use the information described above to:

• Provide, maintain and improve the Service;
• Authenticate users and protect accounts from unauthorised access;
• Process payments and manage subscriptions;
• Communicate with Customer users about the Service, including service notices, billing notices and security alerts;
• Operate the integrations a Customer has chosen to enable, and pass content to the chosen AI provider when a Customer user invokes an AI feature;
• Diagnose and resolve technical problems and detect, investigate and prevent abuse;
• Comply with legal obligations and enforce our Terms of Service.

We do not sell personal information. We do not use Customer content to train any artificial intelligence model controlled by us, and we do not provide Customer content to any AI provider for the purpose of training that provider's models.

3. Customer-provided content and the role of the Customer

For Customer-provided content, the Customer is the controller (or, in Australian terms, the APP entity primarily responsible) and we act as a data processor. The Customer determines what personal information is entered into the Service, the lawful basis for collecting it, the retention period, and the persons to whom it is disclosed. Data Subjects who wish to exercise rights in respect of Customer-provided content should generally contact the Customer directly. We will assist the Customer in responding to any such request.

4. Confidentiality and legal professional privilege

The Service is designed for use by legal practitioners and contains content that may be subject to legal professional privilege, professional secrecy obligations, or equivalent client-confidentiality protections. We treat all Customer content as confidential. We do not access Customer content other than as needed to operate the Service, to respond to a support request the Customer has initiated, or where required by law.

5. Disclosure to third parties

We disclose personal information only:

• To the Customer who controls the account in which the information sits;
• To service providers acting on our instructions and under contract, including our cloud hosting provider, error-monitoring provider, transactional-email provider, and payment processor;
• To third-party services that the Customer has expressly connected to its account (for example to push an invoice to Xero, sync files to Dropbox, send an SMS via Twilio, or send a prompt to a Customer-supplied AI account);
• Where required by law, court order, or to respond to a valid request from a regulator or law-enforcement authority; and
• In connection with a corporate transaction (such as a merger, acquisition or sale of assets), in which case we will give notice and the recipient will be subject to obligations consistent with this policy.

6. Artificial intelligence features

AI features in the Service operate against an AI account that the Customer connects using its own API key. When a Customer user invokes an AI feature, relevant matter content is sent to the chosen AI provider via the Customer's own account. We do not insert ourselves between the Customer and the AI provider for any purpose other than to deliver the request. We do not retain a separate copy of prompts or responses beyond what is necessary to display the assistant conversation in the Service. The terms applicable to the AI provider's handling of the data are those between the Customer and the provider.

7. International transfers

The Service is hosted in Australia. Some of our service providers, and any third-party integrations a Customer has enabled, may process data outside Australia (including in the United States, the European Union and the United Kingdom). Where personal information is transferred internationally, we take reasonable steps to ensure the information is handled consistently with the Australian Privacy Principles and, where applicable, GDPR transfer requirements.

8. Security

We employ administrative, technical and physical safeguards reasonably designed to protect personal information from loss, misuse, unauthorised access, disclosure, alteration and destruction. These include encryption in transit, encryption of sensitive credentials at rest, organisation-based logical isolation of Customer data, access controls, audit logging, regular backups, and security review of changes to our infrastructure. No security control is perfect; in the event of a notifiable data breach we will comply with our obligations under the Notifiable Data Breaches scheme.

9. Retention

We retain Customer content for as long as the Customer's account is active and for a reasonable period afterwards to allow for account recovery and to comply with legal obligations. Customers may export and delete content at any time. Backup copies are retained for a limited period and then deleted in the ordinary course.

10. Your rights

Subject to applicable law, individuals may request access to personal information we hold about them, correction of inaccurate information, deletion, restriction of processing, portability, and the right to object to or withdraw consent for certain processing. Where Customer content is concerned, requests should generally be directed to the Customer (see section 3). Otherwise, requests may be sent to the contact address below and we will respond within the time required by applicable law.

11. Children

The Service is not directed to individuals under the age of 16 and we do not knowingly collect personal information from such individuals.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified to Customer users by email or by an in-product notice before they take effect.

13. Contact

Questions, complaints, or requests about this policy or our handling of personal information may be sent to privacy@cadenceip.com.