Privacy Policy
Last updated: 29 March 2026
MuseumStack Solutions Pty Ltd (ACN 696 311 083, t/a MuseumStack) is committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, hold, use, and disclose your information.
1. Who We Are
MuseumStack Solutions Pty Ltd ("we", "us", "our") provides a cloud-based collection management system ("the Platform") to museums, historical societies, galleries, libraries, archives, and related institutions ("Subscribers").
Our registered business address is: PO Box 212, Coorparoo, QLD 4151, Australia. You can contact our Privacy Officer at privacy@museumstack.com or by phone on +61 7 3523 4837.
2. Information We Collect
We collect two categories of information:
2.1 Account & Contact Information
- Full name, email address, and phone number of users and account administrators
- Organisation name, ABN/ACN, and postal address
- Billing information (processed by Stripe — we do not store raw card details)
- Profile photos or avatars (if provided)
2.2 Platform & Collection Data
- Collection records, accession data, media files, and any metadata uploaded by Subscribers
- Activity logs, audit trails, and usage analytics
- Technical data including IP addresses, browser type, and session identifiers
- Contact records of third parties (e.g. donors, lenders) entered by Subscribers into the Platform
Where Subscribers enter third-party personal information into the Platform, the Subscriber is the primary data controller for that information. MuseumStack acts as a data processor on the Subscriber's behalf.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Platform
- Process billing and subscription management
- Send transactional emails (account verification, password resets, invitations)
- Respond to support enquiries and provide customer service
- Monitor platform security, detect fraud, and enforce our Terms of Service
- Generate aggregated, de-identified usage analytics
- Comply with our legal obligations under Australian law
We will not use your personal information for direct marketing without your consent, and you may opt out of any marketing communications at any time.
4. Disclosure of Personal Information
We may disclose your information to:
- Stripe Inc. — for payment processing
- Amazon Web Services (AWS) — Sydney region — for hosting and data storage
- Postmark / AWS SES — for transactional email delivery
- Meilisearch — for full-text search index services
- Law enforcement or government agencies where required by Australian law
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.
Some service providers may process data outside Australia. Where this occurs, we take reasonable steps to ensure they apply equivalent protections consistent with the APPs.
5. Data Storage & Security
All Subscriber data is stored in Australian datacentres (AWS ap-southeast-2, Sydney). We implement industry-standard security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and multi-factor authentication
- Regular automated backups retained for 30 days
- Audit logs for all data access and modification events
- Penetration testing and vulnerability scanning
In the event of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme.
6. Your Rights (Access & Correction)
Under the Australian Privacy Principles, you have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate, out-of-date, or incomplete information
- Make a complaint if you believe we have breached the APPs
To exercise these rights, contact our Privacy Officer at privacy@museumstack.com. We will respond within 30 days.
7. Cookies & Tracking
The Platform uses session cookies and local storage tokens to maintain authenticated sessions. We do not use third-party advertising cookies. Our website (museumstack.com) may use first-party analytics to understand aggregate traffic patterns. No personally identifiable information is shared with analytics providers.
8. Retention & Deletion
We retain personal information for as long as your account is active or as required to provide the service. Upon account termination, Subscriber data is retained for 90 days to allow recovery and is then permanently deleted within a further 30 days, unless a longer retention period is required by law.
You may request early deletion by contacting support@museumstack.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active Subscribers of material changes by email with at least 14 days' notice before they take effect. Continued use of the Platform after that date constitutes acceptance of the updated policy.
10. Complaints
If you are unsatisfied with our handling of your complaint, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
© 2026 MuseumStack Solutions Pty Ltd. All rights reserved.