Legal
Privacy Policy
Effective date: 1 March 2026
1. Introduction
On The Spectrum Pty Ltd (ABN pending) ("OTS", "we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
As a carriage service provider, we are also subject to the telecommunications-specific privacy obligations under the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth).
We encourage you to read this policy carefully. By using our services or visiting our website, you acknowledge that you have read and understood this Privacy Policy.
2. Information we collect
We may collect the following types of personal information:
Identity and contact information
- Full name
- Date of birth
- Residential and service address
- Email address
- Telephone numbers
Payment information
- Billing address
- Payment method details — card data is tokenised and stored by our payment processor, Stripe. We never store your full card numbers.
- Transaction and billing history
Identity verification data
- Government identification numbers (for identity verification purposes only, processed via GreenID/Illion)
- Verification status and outcome
Service usage data
- Connection metadata — IP addresses assigned, session timestamps, connection duration
- Data usage volumes and connection speeds
- Service performance data and network diagnostics
Support and communication records
- Support tickets and their content
- Emails, call recordings (where consent is provided), and chat transcripts
Device and technical information
- Browser type, device information, and operating system
- IP address used to access our website
- Account preferences and portal usage data
3. How we collect information
We collect personal information from the following sources:
- Directly from you: when you sign up for a service, contact us, complete forms on our website, or interact with our customer portal at portal.ots.network
- From NBN Co: service qualification data, connection status, technology type at your address, and fault information
- From Stripe (payment processor): payment confirmations, transaction records, and tokenised payment method details
- From identity verification providers (GreenID/Illion): identity verification results, as part of the sign-up process
- Automatically: through cookies, web analytics, and network monitoring systems when you use our services or visit our website — including IP addresses, connection metrics, and session data
4. Purpose of collection
We collect and use your personal information for the following purposes:
- Service delivery: provisioning, activating, and maintaining your internet connection via the NBN
- Billing and payments: generating invoices, processing payments, managing your account balance
- Customer support: responding to enquiries, resolving issues, providing technical assistance
- Network management: monitoring network performance, managing congestion, ensuring service quality for all customers
- Fraud prevention: detecting and preventing fraudulent activity, unauthorised access, and abuse of our services
- Regulatory compliance: meeting our obligations under telecommunications legislation, including mandatory metadata retention under the Telecommunications (Interception and Access) Act 1979, and tax record-keeping obligations
- Improving our services: analysing usage patterns and service performance to enhance our network and customer experience
- Communicating with you: sending service notices, plan changes, outage notifications, and (with your consent) marketing communications
5. Disclosure of personal information
We may disclose your personal information to the following third parties:
- NBN Co: as required for service provisioning, fault management, and connection management on the National Broadband Network
- Stripe (payment processor): for processing payments. Stripe stores card data in tokenised form; we do not have access to your full card numbers
- Identity verification providers (GreenID/Illion): to verify your identity as part of the sign-up process
- Regulatory and law enforcement bodies: where required by law, including the Australian Communications and Media Authority (ACMA) and law enforcement agencies with a valid warrant or authorisation under the Telecommunications (Interception and Access) Act 1979
- Telecommunications Industry Ombudsman (TIO): in connection with complaint resolution
- Our hosting provider: our infrastructure is hosted in secure Australian data centres only. Our hosting providers process data in accordance with their respective data processing agreements
- Professional advisers: legal, accounting, and auditing firms as necessary
We will not sell your personal information to third parties. We will not disclose your personal information for direct marketing by third parties.
6. Cross-border disclosure
Our payment processor, Stripe Inc., is a US-based company. Stripe processes payment tokens on our behalf; however, no full card data leaves Australia. Stripe maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS) and handles card data in accordance with its own privacy policy.
All other customer data, including account information, service usage data, and connection metadata, is stored exclusively in secure Australian data centres within Australia.
We do not otherwise routinely disclose personal information to overseas recipients. If this changes, we will update this policy and take reasonable steps to ensure overseas recipients handle your information in accordance with the APPs.
7. Data retention
We retain personal information for the following periods:
| Data type | Retention period | Reason |
|---|---|---|
| Service and account records | Account lifetime + 2 years | Service continuity and dispute resolution |
| Connection metadata | 2 years | Required under Telecommunications (Interception and Access) Act 1979 |
| Billing and financial records | 7 years | Required under ATO record-keeping obligations |
| Support tickets | 3 years after resolution | Service improvement and dispute resolution |
After the applicable retention period, personal information is securely destroyed or de-identified.
8. Security
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- Encryption at rest: all stored data is encrypted using AES-256
- Encryption in transit: all data transmitted between your device and our servers is protected by TLS 1.3
- Access controls: role-based access controls limiting staff access to personal information on a need-to-know basis
- Regular security audits: periodic security assessments, penetration testing, and vulnerability scanning
- PCI DSS compliance: we maintain PCI DSS SAQ-A compliance for payment card handling, as card data is tokenised by Stripe and never stored on our systems
- Secure password hashing: account passwords are hashed using Argon2
- Multi-factor authentication: available for customer accounts and required for all administrative access
9. Access and correction
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you (APP 12)
- Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
How to make a request
You can access and update much of your personal information directly through the customer portal at portal.ots.network. For formal access or correction requests, or to request information not available through the portal, contact our Privacy Officer at [email protected].
We will respond to your request within 30 days. There is no charge for making a request, though we may charge a reasonable fee for providing access to information if the request requires significant resources to fulfil.
We may refuse access in certain circumstances permitted by the APPs, such as where providing access would unreasonably impact the privacy of other individuals, or where the request is frivolous or vexatious. If we refuse a request, we will provide written reasons.
11. Complaints
If you believe we have breached your privacy, you can lodge a complaint using the following process:
- Internal complaint: Contact our Privacy Officer at [email protected]. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
- Telecommunications Industry Ombudsman (TIO): If you are not satisfied with our response, you may escalate your complaint to the TIO, a free and independent dispute resolution service.
Contact: www.tio.com.au | 1800 062 058 - Office of the Australian Information Commissioner (OAIC): You may also lodge a formal privacy complaint with the OAIC.
Contact: www.oaic.gov.au | 1300 363 992
12. Contact
If you have questions about this Privacy Policy, wish to make an access or correction request, or want to lodge a privacy complaint, please contact:
13. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by email to the address associated with your account before the changes take effect. The updated policy will also be published on our website with the revised effective date.
We encourage you to review this policy periodically. Your continued use of our services after the updated policy takes effect constitutes your acceptance of the changes.