Privacy Policy

Last updated: 26 July 2025

This Policy explains how SMART PLUS FAMILY PTY LTD (ABN 36 644 265 412) trading as Passivhaus HUB collects, uses and safeguards your personal information when you use any Passivhaus HUB website (passivhaushub.com), learning platform (my.passivhaushub.com) or related service (collectively, the “Service”). It also sets out your rights under the Australian Privacy Act 1988, the EU/UK GDPR and the NZ Privacy Act 2020.

1. Key definitions

Account – profile you create to access the Service.
Cookie – small text file stored in your browser.
Data Controller – entity that decides why & how data is processed (Passivhaus HUB for GDPR purposes).
Device – any computer, phone or tablet you use.
Personal Data – information about an identified or reasonably identifiable individual.
Service Provider – third‑party company that helps us run the Service.
You / User / Data Subject – the individual using the Service.

2. What we collect

Identity & contact – name, email, phone, postal address, country.
Account data – username, hashed password, course progress, certificates.
Financial – Stripe/PayPal transaction IDs, last 4 digits of card; ID docs for bank transfers.
Usage – IP, browser, pages viewed, session times, referral URL.
Marketing consents, email preferences, campaign responses.
Social‑login – name & email from Google, Facebook, Twitter or LinkedIn.
Certification – details required by the Passive House Institute (PHI) for exam booking.
Sensitive info – not routinely collected. If you volunteer dietary/accessibility needs we use them only for that purpose and then delete them.

3. How we collect data

Directly – forms, checkout, event sign‑in, emails, phone.
Automatically – cookies, server logs, pixels, Google Analytics.
Third‑party sources – Stripe, social‑login providers, PHI.

4. Cookies & similar tech

We use:

Type	Purpose
Essential	security, login sessions.
Preferences	remember language, video settings.
Analytics	Google Analytics, Hotjar.
Advertising / Remarketing	Meta pixel, LinkedIn Insight Tag, Google Ads, Bing UET, TikTok pixel.

A cookie‑consent banner appears on first visit. Visitors in the EU/UK can granularly opt‑in and you can change or withdraw consent anytime via Cookie Settings in the footer. See /policies/cookie-policy for full details.

5. Why & on what basis we process your data

Legal basis	Examples
Contract	create Account, deliver courses, process payments, issue certificates.
Legitimate interest	improve Service, prevent fraud, limited marketing of similar products.
Consent	newsletters, non‑essential cookies.
Legal obligation	tax records, consumer‑law guarantees.

Direct marketing. You may opt out of email, SMS or targeted‑ad marketing at any time by unsubscribing or emailing [email protected].

6. Who gets access & their policies

Purpose	Vendor • Privacy link
Hosting / platform	GoHighLevel – link AWS – link Vimeo – link
Analytics	Google Analytics – link Hotjar – link
Payments	Stripe – link PayPal – link Apple IAP – link Google Play IAP – link
Advertising	Google Ads – settings Bing / Microsoft – link Meta (Facebook/Instagram) – link LinkedIn Ads – link TikTok Ads – link
Security	Google reCAPTCHA – link
Accounting	Xero – link
Certification	Passive House Institute – link

We sign data‑processing agreements or rely on Standard Contractual Clauses (SCCs) where required.

7. International transfers

Data may be stored or processed in Australia, the EU, the UK, the USA or other jurisdictions where our providers operate. For EU/UK users we rely on SCCs or adequacy decisions (e.g. New Zealand) to safeguard transfers.

8. Retention

Data	Duration
Invoices & financial records	7 years
Marketing consents	until withdrawn
Analytics logs	26 months
Session recordings (video & chat)	24 months then archived/deleted
PHI exam data	10 years (PHI requirement)

9. Your rights

Region	Rights
Australia	access, correction, complaint to OAIC
EU / UK	GDPR rights incl. erasure, portability, objection, lodge complaint with DPA
New Zealand	access, correction, complaint to OPC

To exercise your rights, please email [email protected]. We will respond to all requests within 30 days.

10. Security & breach notification

TLS encryption in transit
ISO‑27001 compliant hosting
Least‑privilege staff access
Annual penetration testing

If a data breach is likely to cause serious harm we will comply with Australia’s Notifiable Data Breach (NDB) scheme and, where GDPR/UK GDPR applies, notify authorities and affected users within 72 hours.

11. Behavioural remarketing opt‑outs

You can further control interest‑based ads via industry programmes:

NAI opt‑out – networkadvertising.org/choices
DAA opt‑out – optout.aboutads.info
EDAA opt‑out – youronlinechoices.eu
Device settings: Limit Ad Tracking (iOS) • Opt‑out of Ads Personalisation (Android)

12. Facebook Fan Page & Insights

We operate the Facebook page facebook.com/smartplusacademy1. Facebook Ireland & Passivhaus HUB are joint controllers for aggregated “Insights” statistics. Facebook places a 2‑year cookie to compile de‑identified stats; see Facebook’s Data Policy for details.