Legal

Data Processing Agreement

RR Sols Pty Ltd t/a WattleAddr · ABN 00 000 000 000 · Last updated 12 July 2026

This Data Processing Agreement (DPA) forms part of the agreement between the Customer and RR Sols Pty Ltd (ABN 00 000 000 000) t/a WattleAddr and governs our processing of personal information on the Customer's behalf. All processing occurs within Australia.

1. Scope and roles

This DPA applies where WattleAddr ("WattleAddr", "we") processes personal information on behalf of the Customer ("you") in providing the Service. In respect of End User data submitted to the Service, you are the entity that determines the purposes and means of processing (the controlling entity under the Privacy Act 1988 (Cth)) and WattleAddr is the service provider (processor) acting on your instructions. Each party is responsible for complying with its own obligations under the Privacy Act and the Australian Privacy Principles (APPs).

Where there is any conflict between this DPA and the Terms of Service on the subject of personal-information processing, this DPA prevails.

2. Definitions

  • "Personal Information" has the meaning in the Privacy Act 1988 (Cth).
  • "End User Data" means Personal Information contained in the address queries and related data you submit to the Service (for example, an individual's address).
  • "Process" / "Processing" means any operation performed on Personal Information.
  • "Sub-processor" means a third party engaged by WattleAddr to Process End User Data.
  • "APPs" means the Australian Privacy Principles.

3. Processing details

We Process End User Data only to provide, secure, support and maintain the Service, in accordance with your documented instructions (including your configuration of the Service, such as retention settings) and this DPA. If we believe an instruction breaches the Privacy Act or other law, we will inform you. The subject matter, duration, nature, purpose, categories of data and categories of individuals are set out in Annex A.

4. Your obligations

  • You must have a lawful basis to collect End User Data and to submit it to the Service, and to authorise the Processing described in this DPA.
  • You must comply with the APPs (or other applicable privacy law) in your own handling of End User Data, including providing any required notices to, and obtaining any required consents from, individuals.
  • You are responsible for the accuracy of the instructions you give and the configuration you choose (including retention and query-hashing options).

5. Our obligations

  • We will Process End User Data only on your instructions and for the purposes of providing the Service, and will not use it for our own purposes or disclose it except as permitted by this DPA or required by law.
  • We will ensure personnel authorised to Process End User Data are subject to confidentiality obligations.
  • We will implement and maintain the technical and organisational security measures described in Annex B (APP 11).
  • We will assist you, taking into account the nature of the Processing, to respond to individuals exercising their rights (including access and correction) and to meet your obligations regarding security and data-breach notification.

6. Data residency

All End User Data is stored and Processed within Australia (primary infrastructure in Sydney with a backup in Melbourne). We do not transfer or disclose End User Data to any overseas recipient, and address queries are not routed outside Australia.

7. Sub-processors

You authorise us to engage the Sub-processors listed in Annex C to Process End User Data, each of which is located in Australia and is bound by obligations no less protective than those in this DPA. We will give you reasonable notice before adding or replacing a Sub-processor, and you may object on reasonable data-protection grounds; if we cannot address your objection, you may terminate the affected Service.

Geoscape Australia is the source of the underlying G-NAF address dataset and is not a Sub-processor of your End User Data — we do not send your queries or End User Data to Geoscape.

8. Data breach notification

If we become aware of a data breach affecting End User Data, we will notify you without undue delay and provide information reasonably available to help you assess the breach and meet your obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act). We will take reasonable steps to contain and remediate the breach.

9. Individual requests

If we receive a request from an individual relating to End User Data (for example, for access, correction or deletion), we will, to the extent legally permitted, refer the request to you and assist you to respond, rather than responding directly.

10. Retention, return and deletion

We retain End User Data in the search log for the retention period you configure, after which it is automatically purged. On termination of the Service, or on your written request, we will delete or de-identify End User Data within a reasonable period, except where retention is required by law. Aggregated, de-identified usage data that is not Personal Information may be retained.

11. Audit and information

On reasonable written request (and no more than once per year unless required by a regulator or following a data breach), we will make available information reasonably necessary to demonstrate our compliance with this DPA. For Enterprise customers, additional audit arrangements may be agreed in an order form, subject to reasonable confidentiality and security conditions.

12. Liability and term

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA takes effect when you accept the Terms of Service (or on the date of your order form) and continues while we Process End User Data on your behalf. Provisions that by their nature should survive termination will do so.

13. Governing law

This DPA is governed by the laws of New South Wales, Australia, consistent with the Terms of Service.

14. Annex A — Details of Processing

ItemDetail
Subject matterProvision of Australian address autocomplete, verification and geocoding
DurationFor the term of the Service and the configured retention period
Nature and purposeMatching, verifying and returning address results; metering; security and support
Categories of individualsThe Customer's End Users who enter addresses into the Customer's applications
Categories of Personal InformationAddress text and matched addresses (which may include an individual’s address), API usage metadata and IP address
Sensitive informationNot intended to be Processed

15. Annex B — Security measures

  • Encryption of data in transit (TLS) and Australian-hosted infrastructure with access controls.
  • Hashing of passwords and API keys; keys shown once and stored only as prefix + hash.
  • Least-privilege access, authentication, and logging and monitoring of access.
  • Configurable data retention and query hashing/omission to minimise Personal Information held.
  • Regular review of controls, backups (Melbourne), and an incident-response and data-breach plan.

16. Annex C — Approved Sub-processors

Sub-processorPurposeLocation
Binary Lane Pty LtdCloud hosting & infrastructureAustralia (Sydney, Melbourne)
Pinch PaymentsPayment processing (card & bank direct debit)Australia

17. Contact

For DPA and privacy matters, contact privacy@wattleaddr.com.au.

This document is provided for transparency and does not constitute legal advice. For questions, contact legal@wattleaddr.com.au.