HE Comply Privacy Policy

Operated by Feezy Pty Ltd ACN 661 267 385
Version 1.1  |  Effective date: March 2026 |  www.hecomply.com

Contact | privacy@hecomply.com
Data controller / APP entity | Feezy Pty Ltd ACN 661 267 385, 81-83 Campbell Street, Sydney NSW 2001, Australia
EU representative (Art 27 GDPR) | privacy@hecomply.com (interim — see section 3)
UK representative (UK GDPR) | privacy@hecomply.com (interim — see section 3)
Governing law (general) | New South Wales, Australia
Governing law (EU/UK transfers) | EU SCCs / UK Addendum (prevail over NSW law for transfers)

1.  About this Policy

This Privacy Policy describes how Feezy Pty Ltd ACN 661 267 385 (we, us, our) collects, holds, uses, discloses, and otherwise handles personal information in connection with the HE Comply platform (hecomply.com and app.hecomply.com) and any related services (collectively, the Platform).

HE Comply is a contract management and compliance tool used by higher education institutions to manage agent partnerships, track obligations, and issue DocuSign-enabled contracts to education recruitment agents.

We are committed to handling personal information in a way that is transparent, lawful, and consistent with community expectations. Depending on where you are located, different data protection laws apply to the way we handle your information. This Policy covers our obligations under:

(a) the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) — applicable to all users;

(b) the General Data Protection Regulation (EU) 2016/679 (GDPR) — applicable to users in the European Economic Area (EEA);

(c) the UK GDPR and the Data Protection Act 2018 — applicable to users in the United Kingdom; and

(d) applicable US state privacy laws (including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)) — applicable to users in those jurisdictions.

By accessing or using the Platform, you acknowledge that you have read this Policy. If you do not agree, please do not use the Platform.

2.  Key Terms

Personal Information / Personal Data means any information about an identified or reasonably identifiable individual, as defined in the applicable law.

Platform User means an individual who accesses the Platform on behalf of an Institution or as a permitted invitee, including institution administrators, staff members, and education agents invited to complete or sign contracts.

Institution means a higher education institution that subscribes to and uses the Platform.

Agent means an education recruitment agent who is invited via the Platform to receive, execute, or otherwise engage with contracts generated by an Institution.

Processing means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, and deletion.

3.  Who We Are

Feezy Pty Ltd is the data controller (or APP entity, in Australian privacy law terms) in respect of Personal Data processed through the Platform. Our registered office is at 81-83 Campbell Street, Sydney NSW 2001, Australia.

For users in the EEA, we are established outside the EU and are required by Article 27 GDPR to designate an EU representative. We are in the process of appointing a formal representative. In the interim, you may direct EU data protection queries to privacy@hecomply.com and we will respond within the timeframes required by the GDPR.

For users in the UK, we are similarly in the process of appointing a UK representative under the UK GDPR. In the interim, UK queries may be directed to privacy@hecomply.com.

If you have a question, complaint, or wish to exercise a data subject right, please contact us at:

(a) Email: privacy@hecomply.com

(b) Post: Privacy Officer, Feezy Pty Ltd, 81-83 Campbell Street, Sydney NSW 2001, Australia

4.  What Personal Information We Collect
4.1  Information you provide directly

When you or your Institution registers for the Platform, or when you are invited to the Platform as an Agent, we may collect:

(a) Account and contact information: full name, email address, job title, business name, telephone number, and country of location;

(b) Professional information: institution name, CRICOS code, accreditation details, and similar professional credentials;

(c) Contract data: the content of contracts and agreements created, uploaded, managed, or executed through the Platform (which may include names, signatures, business addresses, and commercial terms); and

(d) Communications: messages, support requests, and correspondence you send to us.

4.2  Information we collect automatically

When you use the Platform, we automatically collect:

(a) Usage data: log files, access timestamps, IP addresses, browser type, operating system, pages visited, and features used;

(b) Device information: device type, screen resolution, and language settings; and

(c) Cookies and similar technologies: see Section 10 (Cookies) below.

4.3  Information from third parties

We may receive personal information about you from:

(a) your Institution, if it invites you to use the Platform or provides your details as part of configuring a contract;

(b) DocuSign, in respect of electronic signature events (including signature timestamps and IP addresses); and

(c) third-party identity or verification services we may use from time to time, with appropriate notice.

4.4  Sensitive information

We do not intentionally collect sensitive information (such as health, biometric, or government-issued identification information). Please do not submit sensitive information through the Platform. If you believe sensitive information has been inadvertently submitted, please contact us promptly so we can delete it.

5.  Why We Collect Personal Information and Our Lawful Bases

We collect and use Personal Information for the purposes set out in the table below. Where we rely on a lawful basis under the GDPR or UK GDPR, that basis is indicated.

Purpose | Details | Lawful Basis (GDPR / UK GDPR)
Providing and operating the Platform | Creating accounts, authenticating users, enabling contract creation, distribution, and eSigning via DocuSign. | Performance of a contract (Art 6(1)(b)); or Legitimate interests (Art 6(1)(f)) where processing relates to third-party invitees.
Billing and subscription management | Processing subscription payments via Stripe; managing plan upgrades and renewals. | Performance of a contract (Art 6(1)(b)).
Customer support | Responding to enquiries, resolving technical issues, and providing Platform assistance. | Legitimate interests (Art 6(1)(f)) — ensuring users can effectively use the Platform.
Security and fraud prevention | Monitoring for unauthorised access, detecting abuse, and maintaining Platform integrity. | Legitimate interests (Art 6(1)(f)) — protecting the Platform and users from harm.
Legal compliance | Meeting obligations under applicable law, including tax, corporate, and data protection requirements. | Legal obligation (Art 6(1)(c)).
Platform improvement | Analysing aggregated, anonymised usage patterns to improve features, fix bugs, and develop new functionality. | Legitimate interests (Art 6(1)(f)) — improving the Platform for all users.
Communications and marketing | Sending product updates, release notes, and — where you have consented or we rely on the "soft opt-in" — marketing communications about our services. | Consent (Art 6(1)(a)); or Legitimate interests (Art 6(1)(f)) for existing customer communications.
Responding to legal processes | Complying with court orders, subpoenas, regulatory requests, or other lawful demands. | Legal obligation (Art 6(1)(c)); or Legitimate interests (Art 6(1)(f)).

We do not use personal information for automated individual decision-making that produces legal or similarly significant effects, and we do not use it for purposes incompatible with those listed above without your prior knowledge.

We will not use identified Personal Data for training machine learning or AI models without your explicit written consent. We may, however, use anonymised or aggregated platform data (which cannot identify any individual) for product improvement, performance benchmarking, and model development without restriction.

6.  Who We Share Personal Information With

We do not sell personal information. We may share it with the following categories of third parties:

6.1  Sub-processors and service providers

We use third-party service providers (sub-processors) who process personal data on our behalf under written data processing agreements. Our current sub-processors are:

Sub-processor | Role | Location
Amazon Web Services (AWS) | Cloud hosting and infrastructure. EU-connected entities are hosted in AWS Dublin (Ireland); all other data is hosted in AWS Sydney (Australia). | Ireland / Australia
DocuSign | Electronic signature and document management. Institutions initiate and manage all eSigning workflows through the Platform via the DocuSign Developer API. | Australia / EEA (configurable by account region; EU SCCs and UK Addendum apply)
Stripe | Subscription billing and payment processing. | USA (EU SCCs apply for EEA data)
HubSpot | Customer relationship management and client communications. | USA (EU SCCs apply for EEA data)
Google Workspace | Internal team email and communications (client contact data may be incidentally processed). | USA / Global (EU SCCs apply for EEA data)

We review sub-processor agreements periodically and maintain an up-to-date sub-processor list. Notice of any material changes to our sub-processors will be communicated in accordance with our DPA for institutional customers.

6.2  Other Institutions and Agents on the Platform

By their nature, contract workflows on the Platform involve sharing contract documents and associated contact information between the Institution that created the contract and the Agent to whom it is sent. You acknowledge this as an inherent feature of the service.

6.3  Professional advisers and regulators

We may share personal information with lawyers, accountants, auditors, or regulators where required to comply with legal obligations or to defend or enforce legal claims.

6.4  Business transfers

If we merge with, acquire, or are acquired by another entity, personal information may be transferred as part of that transaction. We will notify affected individuals where required by law.

6.5  Law enforcement

We may disclose personal information to law enforcement or government authorities where required by law, court order, or other lawful demand.

7.  International Transfers of Personal Data

We are based in Australia and our primary infrastructure is in Australia (AWS Sydney). However, personal data may be transferred internationally in the following circumstances:

(a) EU-connected users: where any party to a contract workflow (Institution or Agent) has a presence in the EEA, contract data is routed to AWS Ireland (Dublin region), which is located in the EU.

(b) All other users: data is hosted in AWS Sydney, Australia.

(c) Sub-processor transfers: certain sub-processors (DocuSign, Stripe, HubSpot, Google Workspace) are based in the United States and process personal data there.

For transfers from the EEA to third countries (including Australia and the United States), we rely on the European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor) as the lawful transfer mechanism, supplemented by our Transfer Risk Assessments.

For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum (ICO version B1.0, March 2022) to the EU SCCs.

Australia does not currently hold an adequacy decision from the EU Commission under Article 45 of the EU GDPR. Accordingly, transfers of personal data from the EEA to Australia are governed by the contractual and technical safeguards described in this section, including the EU SCCs and UK Addendum where applicable.

For institutional customers who sign our Data Processing Agreement, the full SCCs and UK Addendum (including Annexes) are appended to that agreement.

8.  How Long We Keep Personal Information

We retain Personal Information for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes. Our general retention practices are:

Category of data | Retention period
Account and contact information | For the duration of the active subscription, plus 7 years after termination (to meet Australian tax and corporate record-keeping requirements).
Contract documents and signing records | For the duration of the active subscription, plus 7 years (or longer if required by applicable law or the terms of the relevant contract).
Usage and log data | 12 months from collection, unless required longer for security investigations.
Payment records | 7 years from the transaction date (ATO and GST compliance).
Support communications | 3 years from resolution of the request.
Marketing consent records | For the duration of the consent, plus 5 years from withdrawal.

On expiry of the applicable retention period, we will delete or de-identify the personal information, unless we are required by law to retain it for longer. On written request, institutional customers may also request earlier deletion under the terms of our Data Processing Agreement.

9.  Security

We take reasonable technical and organisational measures to protect personal information from unauthorised access, disclosure, misuse, loss, and alteration. Our security measures include:

(a) encryption of data in transit (TLS 1.2 or above) and at rest (AES-256);

(b) access controls and role-based permissions limiting staff access to personal data on a need-to-know basis;

(c) regular security assessments and penetration testing;

(d) offsite backups and disaster recovery procedures; and

(e) staff training on data handling and security obligations.

No system is completely secure. If you suspect a security incident has occurred, please contact us immediately at privacy@hecomply.com.

In the event of a data breach that is likely to result in a risk to your rights and freedoms (under GDPR / UK GDPR) or that meets the threshold for notification under the Notifiable Data Breaches scheme (Privacy Act), we will notify you and, where required, the relevant regulatory authority within the applicable timeframes (72 hours under GDPR; "as soon as practicable" under the Privacy Act).

10.  Cookies and Tracking Technologies
10.1  What we use

We use cookies and similar tracking technologies on the Platform for the following purposes:

Category | Purpose and examples
Strictly necessary | Essential for the Platform to function — user authentication, session management, security tokens. These cannot be disabled.
Functional | Remembering your preferences (language, timezone, display settings). Enabled by default; can be disabled.
Analytics | Understanding how the Platform is used in aggregate to improve performance. We use anonymised data only. Require consent in the EEA and UK.
Marketing / targeting | We do not currently use marketing or advertising cookies on the Platform.

10.2  Your choices

We are implementing a cookie consent mechanism for EEA and UK users. When deployed, users accessing the Platform from the EEA or UK will be presented with a consent banner allowing them to accept or decline non-essential cookies. Until that mechanism is live, non-essential cookies will not be set for EEA or UK users. You may control cookies at any time through your browser settings.

Most browsers allow you to control cookies through their settings. Note that disabling certain cookies may affect the functionality of the Platform.

11.  Your Rights
11.1  Rights under Australian law

Under the Privacy Act and the APPs, you have the right to:

(a) access the personal information we hold about you;

(b) request correction of inaccurate, incomplete, or out-of-date information; and

(c) make a complaint to us, and if unsatisfied with our response, to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11.2  Rights under GDPR (EEA users)

If you are located in the EEA, you also have the following rights under the GDPR:

(a) Right of access (Article 15): to obtain a copy of your personal data and information about how it is processed;

(b) Right to rectification (Article 16): to have inaccurate data corrected and incomplete data completed;

(c) Right to erasure (Article 17): to request deletion of your personal data in certain circumstances;

(d) Right to restriction (Article 18): to restrict our processing of your personal data in certain circumstances;

(e) Right to data portability (Article 20): to receive your data in a machine-readable format and transfer it to another controller, where processing is based on consent or contract;

(f) Right to object (Article 21): to object to processing based on legitimate interests, including profiling; and

(g) Right to withdraw consent (Article 7(3)): where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu.

11.3  Rights under UK GDPR (UK users)

UK users have equivalent rights under the UK GDPR and Data Protection Act 2018. You may lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk.

11.4  Rights under US law (California users)

If you are a California resident, the CCPA / CPRA provides you with the right to:

(a) know what personal information we collect, use, disclose, and sell;

(b) delete personal information we hold about you (subject to certain exceptions);

(c) correct inaccurate personal information;

(d) opt out of the sale or sharing of personal information (we do not sell personal information); and

(e) non-discrimination for exercising your CCPA rights.

To exercise any California privacy right, please contact us at privacy@hecomply.com. We will not discriminate against you for doing so.

11.5  How to exercise your rights

To exercise any of the rights described in this section, please submit a written request to privacy@hecomply.com. We will respond within 30 days (or within any shorter period required by applicable law, such as 1 month under the GDPR). We may ask you to verify your identity before fulfilling your request.

There is no charge for making a request, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline to respond.

12.  Third-Party Links and Integrations

The Platform may contain links to third-party websites or may integrate with third-party services (such as your institution's systems). We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you use in connection with the Platform.

13.  Children's Privacy

The Platform is designed for use by institutional professionals and education agents. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information through the Platform, please contact us at privacy@hecomply.com and we will take steps to delete it.

14.  Complaints

If you have a concern about how we have handled your personal information, we ask that you contact us first at privacy@hecomply.com to give us an opportunity to resolve your complaint.

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we are unable to resolve your complaint to your satisfaction, you may escalate it to the relevant authority:

(a) Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au

(b) EEA: your national supervisory authority — see https://edpb.europa.eu

(c) UK: Information Commissioner's Office — www.ico.org.uk

15.  Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will:

(a) update the effective date at the top of this Policy;

(b) post the revised Policy at hecomply.com/privacy; and

(c) where the change is material, notify you by email or prominent in-Platform notice.

Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree, please stop using the Platform and contact us to close your account.

16.  Contact Us

All privacy enquiries, access requests, correction requests, and complaints should be directed to:

Channel | Details
Email | privacy@hecomply.com
Post | Privacy Officer, Feezy Pty Ltd, 81-83 Campbell Street, Sydney NSW 2001, Australia
Response time | Within 5 business days for general enquiries; within 30 days (or as required by applicable law) for rights requests.