1) Introduction
Harrby Pty Ltd (“Harrby”, “we”, “our”, “us”) is an Australian Managed Services Provider (MSP) and Microsoft Partner. We provide managed IT, security and consultancy services across Microsoft 365, Azure, Dynamics 365 and Windows 365. We respect your privacy and handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2) Scope
This policy explains how we collect, use, disclose, store and secure information when you:
- engage us for managed services, projects, consultancy, automation or training;
- use Microsoft cloud services we manage on your behalf; or
- visit our websites, portals or support systems.
It applies to clients, prospective clients, suppliers, partners and website visitors.
3) Information We Collect
- Identity & Contact: name, job title, business name, ABN/ACN, email, phone, address.
- Account & Billing: invoices, payment records, purchase orders, service agreements.
- Service & Support Data: helpdesk tickets, correspondence, change records, configuration details, asset inventories, backup/restore metadata, RMM/PSA data, and project documentation.
- Microsoft Cloud & Device Telemetry: tenant IDs, user principal names, sign-in logs, IP addresses, device IDs, compliance states, policy assignments, Intune/Defender/Entra security and audit logs, Azure resource metadata and monitoring data.
- Website & Cookies: browser type, pages viewed, session and analytics data (see Cookies & Website Data).
- Sensitive Information: we do not intentionally collect sensitive information. If a project requires it, we will do so only with your instructions and consents, and apply additional safeguards.
Direct or indirect collection: We may collect information directly from you or your authorised representatives, from systems we manage for you, or from trusted third parties (e.g., Microsoft) where reasonably necessary to deliver services. Please do not provide information that you are not authorised to share.
4) How We Use Information
- plan, deliver and support managed IT and cloud services you have requested;
- configure, administer, secure and optimise Microsoft 365, Azure, Dynamics 365 and Windows 365;
- monitor performance, availability, capacity and security (including threat detection, incident response and audit);
- provide consultancy, implementation, migration, automation and training;
- meet contractual, legal, regulatory and audit requirements (including APPs and the Notifiable Data Breaches scheme);
- communicate about service status, updates, quotes, invoices and relevant service information;
- improve our offerings, quality assurance and user experience; and
- where permitted, send service announcements or marketing you can opt out of at any time.
We handle information by lawful and fair means and only for purposes a reasonable person would expect in the context of managed IT and Microsoft cloud services.
5) Data Security
We apply layered security controls appropriate to the risks, including:
- encryption in transit and at rest where feasible;
- role-based access, least privilege, multi-factor authentication, and just-in-time access for elevated tasks;
- network segmentation, endpoint protection and vulnerability management;
- logging, monitoring and alerting across supported environments;
- background checks, confidentiality obligations and ongoing staff training;
- secure software development and change control practices; and
- vendor and third-party due diligence.
Notifiable Data Breaches (NDB)
If a data breach is likely to result in serious harm, we will follow the NDB scheme: contain the incident, assess impacts, notify affected clients and the Office of the Australian Information Commissioner (OAIC) where required, and take steps to mitigate risk.
6) Microsoft Cloud & Third-Party Providers
We commonly administer your Microsoft services as your delegated administrator or via approved roles. We process your data only to deliver services you have instructed us to provide.
We may use trusted third-party tools (e.g., remote monitoring and management, backup, email security, SOC/SIEM, automation and ticketing). These providers are bound by contracts and security obligations consistent with the APPs. Where feasible, we select Australian or regionally appropriate data locations.
We do not access your content (e.g., mailbox or document content) unless required for support, troubleshooting, security investigations, legal obligations or where you have explicitly requested our assistance.
7) Cookies & Website Data
Our websites may use essential cookies for functionality and preference management, and analytics technologies to understand usage and improve performance. You can control cookies through your browser settings; some features may not work without them. We do not use cookies to sell personal information.
8) Disclosure of Information
We may disclose information to:
- Microsoft and approved third-party providers necessary to deliver or support the services;
- our professional advisers (accounting, legal, insurance) under confidentiality;
- subcontractors engaged to perform aspects of our services under contract; and
- regulators, law enforcement or government agencies where required by law.
We do not sell or rent your information.
9) Cross-border Data Storage (APP 8)
Depending on the services and regions you select, data may be stored or processed outside Australia (for example, within Microsoft’s global cloud infrastructure or third-party platforms).
Where cross-border disclosure occurs, we take reasonable steps to ensure overseas recipients do not breach the APPs, including through contractual terms and by selecting reputable providers with robust security and privacy controls. If you require data-residency restrictions (e.g., AU-only), please tell us; we will advise what is feasible for the products in scope.
10) Access & Correction Rights (APPs 12–13)
You may request access to, or correction of, your personal information that we hold. We will take reasonable steps to provide access/corrections within a reasonable time, subject to permitted exceptions (e.g., security, legal privilege, or privacy of others). We may need to verify your identity before acting on a request.
11) Retention & Disposal
- We keep information only for as long as it is needed for the purposes described above or as required by law.
- Billing and accounting records are typically retained for at least 7 years under Australian tax law.
- Security, audit and operational logs are retained for periods consistent with service needs and your policies.
- Backups follow defined retention schedules.
When information is no longer required, we will take reasonable steps to securely delete, de-identify or destroy it, including sanitising media and applying retention rules to backups where feasible.
12) Client Obligations
- Provide accurate, current and complete information and promptly notify us of changes.
- Ensure any third-party personal information shared with us is provided lawfully, with required notices and consents.
- Maintain appropriate internal policies, user training and access controls (including MFA) for your users and systems.
- Promptly inform us of any suspected security incident or unauthorised access relating to services we manage.
- Avoid sending unnecessary sensitive information and use secure channels we provide for confidential materials.
- Honour licence terms and Microsoft/third-party acceptable-use policies.
Privacy Officer Harrby Pty Ltd
Email: privacy@harrby.com.au
Head Office: Sydney, NSW (servicing Australia-wide: Melbourne, Canberra, Brisbane, Perth, Adelaide, Darwin)
14) Policy Updates
We may update this policy to reflect changes in law, technology or our practices. The latest version will be published on our website and takes effect when posted.