Privacy & Information Handling

Privacy Policy.

How Bouddi Atelier collects, uses, stores, discloses and protects personal information. Anchored to the Australian Privacy Principles (APPs 1–13) under the Privacy Act 1988 (Cth) and applied as a matter of practice irrespective of turnover.

Effective 17 May 2026 · Version 1.0

01 · Who we are

The entity behind this policy.

Bouddi Atelier (ABN 81 303 387 265) is a boutique AI strategy, governance and education advisory based in Sydney, Australia, serving Australia and New Zealand. In this policy, "Bouddi", "we", "us" and "our" refer to Bouddi Atelier. "You" refers to any individual whose personal information we hold — typically a prospective client, current client, partner, supplier, conference attendee or visitor to this website.

Bouddi is the data controller for any personal information we collect through bouddiatelier.com, our engagements, our newsletter and our board and conference work.

02 · What we collect

The personal information we hold — and why.

We collect only the personal information we need to do the work you have asked us to do or to respond to an enquiry you have initiated. We do not collect sensitive information (as defined under the Privacy Act) in the ordinary course of our work.

From the contact form

  • Full name
  • Role / job title
  • Company or organisation name
  • Business email address
  • Free-text description of the matter you would like to discuss
  • The AI maturity stage option you select, if any

During an engagement

  • Names, titles and contact details of stakeholders nominated by you
  • Documents, evidence and artefacts you provide as engagement inputs
  • Meeting notes, decisions and deliverables produced jointly
  • Invoicing and payment information sufficient to issue tax invoices

From the website itself

  • No cookies are set by Bouddi on visitor browsers
  • No analytics, advertising or social tracking pixels are loaded
  • Standard server logs may be retained by our hosting provider for security and abuse-prevention purposes

From newsletter subscriptions

  • If you subscribe to Bouddi on Substack, Substack collects and processes your subscription details under its own privacy policy
  • We do not separately store newsletter subscriber lists outside Substack

03 · How we use it

The purposes for which we use your information.

  • To respond to enquiries and arrange an initial conversation
  • To scope, propose, deliver and invoice engagements you have authorised
  • To send engagement updates, deliverables and follow-up correspondence to nominated contacts
  • To meet our legal, tax and professional record-keeping obligations
  • To improve the relevance of our services — in aggregate, never by profiling individuals

We do not use your information for behavioural advertising, do not sell or rent personal information to any third party, and do not enrich your details against external data brokers.

04 · Who we share it with

Disclosure and cross-border data flows.

Bouddi is a single-principal practice. Personal information is handled by Michael O'Keefe directly. Where we use third-party service providers to operate the practice, those providers process information only on our instructions and only for the purpose of providing the relevant service.

Website and form hosting

  • Netlify, Inc. (United States) — hosts this website and processes contact form submissions on our behalf via Netlify Forms

Email and productivity

  • Google LLC (United States and other regions) — provides email (Gmail) and document storage used for engagement correspondence and deliverables

Newsletter publishing

  • Substack Inc. (United States) — publishes Bouddi on Substack and manages subscriptions under its own policy

Professional advisers

  • Accounting, legal and insurance advisers under their own professional obligations of confidentiality

Some of these providers store and process information in the United States and other jurisdictions outside Australia. By contacting Bouddi or engaging us, you consent to that cross-border transfer for the purposes set out above. We take reasonable steps to satisfy ourselves that overseas recipients handle personal information in a manner consistent with the APPs.

We will disclose personal information without your consent only where required or permitted by law — for example, in response to a valid legal process or to prevent serious harm.

05 · How long we keep it

Retention and deletion.

  • Contact form enquiries that do not become engagements — retained for up to 24 months from the date of last contact, then deleted from our active systems
  • Engagement records — retained for the duration of the engagement and for 7 years thereafter to meet Australian tax, audit and professional record-keeping requirements
  • Invoicing and tax records — retained for 7 years in line with ATO obligations
  • Server logs — retained by our hosting provider for short, security-related periods under their published policies

Where information is no longer required and we are not legally obliged to retain it, we delete or de-identify it.

06 · How we protect it

Security and confidentiality.

We apply security controls proportionate to the sensitivity of the information we hold. Practical measures include strong account authentication on all email, storage and form services; encryption of data in transit (TLS) and at rest where supported by the underlying service; restricted access on a least-privilege basis; and a written client confidentiality undertaking on every engagement, with an NDA on request.

Despite reasonable precautions, no transmission over the internet or storage system is guaranteed to be perfectly secure. If we become aware of a data breach likely to result in serious harm, we will respond in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

07 · Cookies and tracking

What this site does — and does not — do in your browser.

  • Bouddi sets no cookies on visitor browsers
  • We run no analytics (no Google Analytics, no Plausible, no Fathom, no Matomo)
  • We run no advertising or social pixels (no Meta Pixel, no LinkedIn Insight, no Google Ads tag)
  • We embed no third-party widgets that drop cookies (no Calendly, HubSpot, Intercom, YouTube or Vimeo embeds)
  • Web fonts are self-hosted on this domain — no font CDN call leaves your browser

The only third-party assets loaded by this site are those required to deliver the page you requested. Because no non-essential cookies are set and no tracking occurs, no consent banner is required under the Privacy Act, the EU GDPR or the ePrivacy Directive. If that changes — for example, if we add analytics in the future — we will update this policy and, where required, request your consent before any non-essential cookie is set.

08 · Your rights

Accessing, correcting and complaining.

  • Access — you may request a copy of the personal information we hold about you
  • Correction — you may ask us to correct information that is inaccurate, out of date, incomplete, irrelevant or misleading
  • Deletion — you may ask us to delete information we are not legally required to retain
  • Withdraw consent — where we rely on your consent to process information, you may withdraw it at any time, without affecting the lawfulness of prior processing
  • Complain — you may complain to us, or to the Office of the Australian Information Commissioner (OAIC) if you are dissatisfied with our response

We will acknowledge requests within 5 business days and aim to resolve them within 30 days. Identity verification may be required before we release personal information.

09 · How to contact us

Privacy enquiries and complaints.

Bouddi privacy contact

  • Michael O'Keefe, Principal Consultant
  • Bouddi Atelier · ABN 81 303 387 265
  • Sydney, Australia
  • bouddiatelier@gmail.com

External complaint pathway

  • Office of the Australian Information Commissioner (OAIC)
  • Web: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

10 · APP coverage

Where this policy meets each Australian Privacy Principle.

Because Bouddi's clients include APRA-regulated and ASX-listed organisations, we maintain APP coverage as a matter of practice irrespective of turnover thresholds. The mapping below is a quick cross-reference for procurement and risk reviewers.

  • APP 1: Open and transparent management. This policy is publicly available and refreshed as practices change.
  • APP 2: Anonymity and pseudonymity. Initial enquiries can be made anonymously by phone or email; the contact form requires identification.
  • APP 3: Collection of solicited information. Limited to what is necessary for the purposes in §03.
  • APP 4: Unsolicited information. Promptly assessed and deleted or returned where not relevant.
  • APP 5: Notification of collection. Provided at point of collection on the contact page and through this policy.
  • APP 6: Use or disclosure. Limited to the primary purpose in §03 and §04.
  • APP 7: Direct marketing. We do not market to individuals; engagement updates relate only to active or recent engagements.
  • APP 8: Cross-border disclosure. Overseas service providers identified in §04; reasonable steps documented.
  • APP 9: Government identifiers. We do not collect or use government identifiers.
  • APP 10: Data quality. Information is corrected on request and reviewed at engagement milestones.
  • APP 11: Security. Controls described in §06; breach response per Part IIIC.
  • APP 12: Access. Procedure described in §08.
  • APP 13: Correction. Procedure described in §08.

11 · Changes to this policy

How we manage updates.

We review this policy at least annually and whenever a material change to our practices warrants it. The version number and effective date at the top of this page are updated with every change. Material changes will be flagged on the home page for 30 days.
