Privacy Policy
Omniforge Pty Ltd trading as TaskSmith (ABN 58 683 226 511)
Effective date: 9 June 2026
Version: 1.0
1. About this policy
This Privacy Policy explains how Omniforge Pty Ltd, trading as TaskSmith ("TaskSmith", "we", "us", "our"), collects, uses, discloses and protects personal information. It is written to align with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).
This single policy covers both:
- Our website (
tasksmith.com.au) — which is a marketing site; and - The TaskSmith platform — the workflow-automation software we provide to business clients.
We are a business-to-business (B2B) provider. We do not offer self-service public sign-up; clients are onboarded through a consultative engagement governed by a written services agreement.
2. Two roles: controller and processor
It is important to understand the two different roles we play, because they determine who is responsible for the personal information involved.
| Role | What it covers | Who is responsible |
|---|---|---|
| We are the controller | Account and contact information of the individuals at our client organisations who administer or log in to use the platform, and enquiries made through our website. | TaskSmith determines how this information is handled. This policy governs it. |
| We are the processor | The business documents our clients upload for processing — for example invoices, quotes, purchase orders, delivery dockets and job tickets — which may contain personal information about our client's customers, suppliers or staff. | Our client is the controller of this data. We process it only on their documented instructions under our services agreement. The client is responsible for notifying and obtaining any necessary consents from the individuals concerned. |
In plain terms: the documents you upload to TaskSmith are your data, to use and share as you see fit. We process them only to deliver the service you have engaged us for, and for no other purpose.
In plain English: We wear two hats. We look after our own users' account details (we decide how that's handled). For the documents you upload, you are in charge — we just process them on your instructions.
3. What personal information we collect
3.1 When you visit our website
- Your name, email address, company and message, if you submit an enquiry or contact form.
- Standard server log data (such as IP address) necessary to operate and secure the site.
3.2 When you use the TaskSmith platform (account data — we are controller)
- Name and business email address of authorised users.
- Username and securely hashed password (we never store passwords in plain text).
- Multi-factor authentication details (e.g. an authenticator app secret).
- Session and security metadata — IP address, device and approximate location — used to secure your account.
- Billing account details — business name, ABN, billing contact emails, billing address and phone number.
3.3 Client document content (we are processor)
When you use the platform, you upload business documents for processing. These may incidentally contain personal information belonging to third parties (your customers, suppliers or staff). We process this content solely to perform the contracted workflow on your behalf.
3.4 Sensitive information
We do not intentionally collect sensitive information (as defined in the Privacy Act), including health, biometric or government-identifier information such as tax file numbers.
Because clients upload their own business documents, such information may occasionally appear incidentally within an uploaded document (for example, a tax file number printed on an invoice). Where this occurs:
- We do not use or disclose that information for any purpose other than performing the contracted workflow; and
- Clients are responsible for ensuring they have the authority to submit those documents for processing, and should avoid uploading sensitive information unless it is necessary for the workflow.
4. How we collect personal information
We collect personal information directly:
- From you, when you contact us or are onboarded as a client.
- From your authorised users, when they use the platform.
- From documents you choose to upload for processing.
Because onboarding is consultative and governed by a written agreement, the purposes of collection are explained to you during onboarding and in that agreement, in addition to this policy.
5. Why we collect, hold, use and disclose personal information
We use personal information to:
- Provide, operate, secure and support the TaskSmith platform.
- Authenticate users and protect accounts against unauthorised access.
- Process the documents and workflows you instruct us to.
- Manage billing and our client relationship.
- Respond to enquiries made through our website.
- Meet our legal, regulatory and contractual obligations.
We do not sell personal information, and we do not use client document content to train artificial-intelligence models.
6. Disclosure to third parties and overseas recipients
To deliver the platform we use a small number of trusted service providers ("subprocessors"). Some are located outside Australia, principally in the United States. Before disclosing personal information to an overseas recipient we take reasonable steps, as required by APP 8 — primarily a Data Processing Agreement that binds the provider to appropriate protections.
The current providers that may handle personal information are:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud (GCP) | Cloud hosting and database (data stored in our Australian region) | United States (company); Australia (data at rest) |
| OpenAI | AI document/text processing | United States |
| Microsoft (incl. GitHub) | Productivity and development tooling | United States |
| Sinch (Mailgun) | Transactional email delivery | United States |
| Stripe | Payment processing | United States |
| Pydantic Logfire | Application monitoring and logging | United States |
We maintain a current subprocessor list and Data Processing Agreement records, available to clients on request. We will update this list as our providers change.
In plain English: We use a small number of well-known cloud providers, mostly based in the US, to run the platform. All of them have signed data protection agreements with us. Your data is stored on servers in Sydney (Google Cloud). It may pass through US systems for processing (e.g. AI tasks) but is not retained there beyond what is needed for the service.
We may also disclose personal information where required or authorised by law.
7. Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our measures include:
- Encryption of data in transit (TLS) and at rest.
- Strong password hashing (Argon2id), breached-password checking, and mandatory multi-factor authentication for platform users.
- Server-side session management and access controls.
- Secrets management and restricted cloud access.
- Hosting with a major cloud provider (Google Cloud) under a Data Processing Agreement.
No system can be guaranteed completely secure, but we work continuously to protect the information we hold.
8. Retention and deletion
We retain personal information only for as long as it is needed for the purposes described in this policy.
For client account data and uploaded document content, we provide a 60-day export window after cancellation, then take reasonable steps to delete or de-identify the information within 30 days after the end of that window, unless a longer period is required:
- to comply with a legal or regulatory obligation — for example, tax and GST source documents, which Australian law requires be kept for 5 years (this obligation usually rests with our client, and we retain such records only where they instruct us to or where the law requires us to);
- for legitimate business purposes such as retaining compliance documents; or
- where a longer period has been agreed in your services agreement.
In plain English: After you cancel, you have 60 days to download your data. After that, we delete it within 30 days — typically 90 days from cancellation in total. We only keep data longer if the law specifically requires it (for example, GST records must be kept for 5 years by law).
9. Access and correction
You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date or incomplete. Contact us using the details in section 12.
If the information relates to client document content for which we act as processor, we will refer your request to the relevant client (the controller) and assist them as required under our agreement.
We will respond to access and correction requests within a reasonable period. If we decline a request, we will explain why in writing.
10. Complaints
If you believe we have breached the Australian Privacy Principles, please contact us using the details in section 12. We will acknowledge your complaint and respond within a reasonable period.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
11. Data breaches
We maintain a Data Breach Response Plan. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme, and notify affected clients in accordance with our contractual obligations.
12. Contact us
- Privacy Officer: Robbie Newton
- Email: robbie.newton@tasksmith.com.au
- Postal address: 34 Belair Drive, Yatala QLD 4207, Australia
13. Changes to this policy
We may update this policy from time to time. The current version is published at tasksmith.com.au/privacy and within the TaskSmith platform. Material changes will be communicated to clients.
Last updated: 10 June 2026.