Privacy Policy

This Privacy Policy is effective from July 31st 2024. 

This Privacy Policy applies to Iceberg Pty Ltd (ABN 85 665 646 462) and its related body corporate, FB Corp Limited (ABN 16 675 876 490) (AFSL 557810) (referred to as ‘Iceberg’, ‘we’, ‘us’, or ‘our’). It outlines how we collect, manage, and use personal information, including data collection through our website and platform.

In this Privacy Policy, ‘personal information’ refers to details associated with a specific individual that can be used to identify that individual. Personal information does not include data that has been anonymised and cannot reasonably identify an individual.

Iceberg is committed to respecting your privacy and complying with the Privacy Act 1988 (Cth). We understand the importance of personal information security and are dedicated to protecting any personal data we hold.

This Privacy Policy applies when you access our website or platform, use our services, and in relation to any personal information collected in the course of our business as described in this Privacy Policy.

Iceberg may amend this Privacy Policy at any time. The updated version will take effect once posted on our website.

What personal information does Iceberg collect about me?

Iceberg collects and retains personal information to provide our products and services to you and to comply with legal and regulatory requirements.

The types of personal information we may collect include:

  • Name;
  • Date of birth;
  • Contact details, including phone numbers, email addresses, residential and postal addresses;
  • Employment details;
  • Bank account information;
  • Accounting records;
  • Tax File Number and tax records;
  • Statement of financial position, including assets and liabilities;
  • Nominated beneficiaries of a superannuation fund; and
  • Investment risk preferences.

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), we are required to collect and verify your name, address, and date of birth using documents such as your passport and driver’s licence. Verification may be conducted by third-party providers, including but not limited to Connect ID Pty Limited (ABN 80 648 970 101), Simple KYC Pty Ltd (ABN 12 608 580 829), and GB (Australia) Pty Ltd (ABN 64 097 737 105). We may also collect additional information as needed to provide our services or comply with legal obligations.

How does Iceberg collect information about me?

We collect personal information in various ways during our business activities, including:

  • Through communication between you and our representatives or advisers;
  • Your use of our website and platform;
  • Completing application forms for our products or services;
  • Other channels, as required to meet regulatory and legal obligations;
  • Marketing activities, such as surveys, that request information from you.

Since our products and services may be provided by intermediaries like financial planners, solicitors, or accountants, we may also collect personal information about you from these third parties.

Why does Iceberg collect this information?

Iceberg collects your personal information to provide our products and services. For example, we may use your personal information to:

  • Assess applications you make to Iceberg for offers hosted on our website and platform;
  • Provide expression of interest and offer creation and undertake administration and KYC;
  • Administer, invest, pay or transfer your investments or financial product benefits as required by Iceberg’s products and services; and
  • Assist you with related services as needed.

Unsolicited information
‘Unsolicited’ personal information refers to data that Iceberg has received unintentionally. If we obtain unsolicited information, we will protect it with the same care as the personal information we intend to collect.

Will Iceberg disclose my personal information to third parties?

We may need to disclose your personal information to third parties to provide our products or services to you. We take reasonable steps to ensure that any third party to which we disclose your information is bound by confidentiality and privacy obligations to protect it.

Examples of third parties to whom we may disclose your personal information include:

  • Solicitors, accountants, or other advisers providing professional advice in relation to our services; and
  • Directors, officers or employees to facilitate or manage an investment.

We may transfer personal information to countries outside Australia, for example, to comply with foreign trading requirements. We will only do so in compliance with all applicable Australian data protection and privacy laws. We will not disclose your personal information to an overseas recipient unless we have taken reasonable steps to ensure that the recipient protects your privacy according to the Australian Privacy Principles. We will not sell your personal information or disclose it to a third party for any purpose unrelated to a product or service we are providing to you.

We have a strict duty to maintain the privacy of all personal information we hold about you. However, certain exceptions may apply. For example, disclosure of your personal information may be authorised or required:

  • By law (e.g. disclosure to courts under subpoena or to various government departments and agencies such as the Australian Taxation Office);
  • In the public interest (e.g. where a crime, fraud, or misdemeanour may be committed or suspected); and
  • With your consent, which may be express or implied, and written or verbal.

Use of your personal information for marketing

We may use your personal information to send you direct marketing communications about our products and services that we believe may interest you. We may also use your information to assist with our internal marketing and research efforts.

These communications can be delivered by email or through our website. If you wish to opt-out of receiving these marketing communications, you can use the opt-out facilities provided in our marketing messages, except for communications through our website.

Collection of information through our website

Website collection and cookies
We collect information through your use of our website to tailor your online experience. The type of information collected is typically non-personal and includes:

  • Date and time of visits;
  • Pages viewed;
  • Types of operating systems;
  • Your computer’s internet protocol (IP) address;
  • The location of your server;
  • The address of any referring website; and
  • Whether information has been downloaded.

While this information is non-personal, it may become personal information when combined with other data. In such cases, it will be treated in accordance with this Privacy Policy.

This information is collected through cookies stored on your device when you access and interact with our website and platform. We do not attempt to identify you or your browsing activities.

You may opt-in to receiving marketing communications through your interaction within our website and platform.

All of our electronic activities comply with the requirements of the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).

How does Iceberg keep my personal information secure?

Security is a foundational component of our architecture, not an afterthought. We have built Iceberg with enterprise-grade security while maintaining the agility startups need. Our multi-tenant architecture ensures complete data isolation between workspaces, with every API request authenticated via JWT tokens and row-level security policies enforced at the database level through TypeORM.

A critical aspect of our AI assistant is that it respects the same strict access controls as our core CRM. When the assistant queries your data, it uses your authenticated session token, meaning it can only access the workspaces, contacts, and companies you have permission to see. There is no backdoor or elevated access; the AI operates with the exact same permissions as the logged-in user. For anonymous sessions, the assistant has zero access to CRM data and operates in a completely sandboxed environment with browser-based storage only.

Our specific security protocols include:

  • Authentication: JWT with refresh tokens, NextAuth integration.
  • Data Access: Row-level security via TypeORM, workspace-based multi-tenancy.
  • API Security: Bearer token authentication on all endpoints, rate limiting.
  • Infrastructure: All secrets managed via environment variables, AWS S3 with IAM policies for file storage.
  • Database: PostgreSQL with encrypted connections, separate schemas for different data domains.

AI Assistant Security:

  • Strict User Context: Assistant tools use the same authentication tokens as users, ensuring no elevated privileges.
  • Workspace Isolation: AI can only access data within the user’s authorised workspace(s).
  • Anonymous Mode: The assistant is completely sandboxed with localStorage only, with no access to any CRM data.
  • Audit Trail: All AI interactions are logged through Langfuse with full traceability.
  • No Training on User Data: We use managed AI services (Google Gemini) that do not train on customer data.
  • Tool-Level Permissions: Each AI tool validates user permissions before executing any data operations.

While we strive to provide a secure environment for your personal information, you should be aware of the inherent risk in storing or transmitting information electronically. This includes using online communications such as email or online application forms. We cannot guarantee that information transmitted over the internet will not be intercepted, and any such communication is made at your own risk.

Accessing and requesting correction of personal information

We endeavour to ensure the accuracy of information about you when collected or used. Subject to privacy law exceptions, you have the right to access and correct any inaccurate, incomplete, or outdated personal information we hold about you. If access to your personal information is denied, we will provide reasons for this decision.

To access and/or correct your personal information held by Iceberg, please contact us:

Attention: Compliance Officer
Email: [email protected]
Mobile: 0415 490 024
Address: 30 Balfour Street, New Farm, QLD, 4005

If you request corrections and Iceberg agrees, changes will be made promptly. If we do not agree with your correction request, we will explain why and note your request in our records.

What if I have a complaint or concern?

If you have any concerns or complaints regarding your privacy, please contact our Compliance Officer at:

Attention: Compliance Officer
Email: [email protected]
Mobile: 0415 490 024
Address: 30 Balfour Street, New Farm, QLD, 4005

We aim to respond to privacy complaints within 30 calendar days.

If you are dissatisfied with our response to your complaint, you may have the option to lodge a complaint with an external dispute resolution scheme. This scheme is designed to assist you if you are unable to resolve your complaint with us, but we encourage you to contact us first.

You also have the option to refer your privacy complaint to the Office of the Australian Information Commissioner (‘OAIC’):

Website: www.oaic.gov.au
Phone: 1800 363 992
Email: [email protected]
Mail: Office of the Australian Information Commissioner
GPO Box 5288
Sydney NSW 2001