TeamHive Privacy Policy
Last updated: 25th March, 2026
Team Development Analytics Pty Ltd (ACN 696 223 891) is committed to protecting the privacy of all individuals whose personal information we collect and process. This Privacy Policy is primarily governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and where applicable, the GDPR.
1. Introduction
1.1 Team Development Analytics Pty Ltd (ACN 696 223 891) ("Team Development Analytics", "we", "us" or "our") operates the TeamHive platform and service ("Service"). We are committed to protecting the privacy of all individuals whose personal information we collect and process.
1.2 This Privacy Policy explains how we collect, hold, use, disclose and otherwise handle personal information in connection with the Service, including our website at https://team-hive.co ("Website"), the TeamHive online platform ("Platform"), and any related services.
1.3 We are an Australian company, and this Privacy Policy is primarily governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we collect or process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom (UK), we also comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK GDPR, as applicable. See Section 15 for additional information about your rights under the GDPR.
1.4 This Privacy Policy should be read together with our Terms of Use available at https://team-hive.co/terms-of-use, which are incorporated by reference.
1.5 By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Key Definitions
In this Privacy Policy:
- "Assessment Response Data" means the responses provided by Respondents when completing an assessment through the Service.
- "Client" means an organisation that registers for and uses the Service to create, distribute and analyse assessments.
- "Personal Information" has the meaning given in the Privacy Act 1988 (Cth). For the purposes of this policy, it includes "personal data" as defined in the GDPR.
- "Respondent" means an individual who is invited to complete an assessment through the Service.
- "User" means any individual who accesses the Platform, including Client representatives and Respondents.
3. Personal Information We Collect
We collect the following categories of personal information:
3.1 Account and Registration Information (Clients and Client Representatives)
When a Client registers for an Account, we collect:
• Full name
• Email address
• Organisation name
• Team name
• Role or position (where provided)
• Billing and payment information (where applicable — see Section 8)
3.2 Assessment Response Data (Respondents)
We collect and process the responses provided by Respondents when completing assessments. As a core privacy feature of the Service:
• We separate Assessment Response Data from the Respondent's personal identifiers (name and email address) at the point of processing.
• Assessment responses are not linked to identifiable individuals in our database once processed.
• The de-identified Assessment Response Data is used to generate reports, scores and insights for the Client.
Important: While we design our systems to prevent re-identification, in very small teams it may theoretically be possible for a reader to infer the source of a response based on its content. We take reasonable steps to mitigate this risk (for example, through minimum response thresholds for reporting), but we cannot guarantee absolute anonymity in all circumstances.
3.3 Research Data (Where Consent Is Given)
Where a Respondent provides separate, voluntary consent (see Section 11), we may retain de-identified Assessment Response Data for research purposes. Research Data is fully de-identified and cannot reasonably be used to identify any individual.
3.4 Usage Data
We automatically collect certain technical information when you use the Service, including:
• IP address
• Browser type and version
• Operating system
• Device information
• Pages visited and features used
• Date and time of access
• Referring URL
This data is collected through server logs, cookies and similar technologies (see Section 12).
3.5 Communications Data
If you contact us (e.g., by email or through a support form), we collect your name, email address and the content of your communication.
4. How We Collect Personal Information
4.1 Directly from you, when you:
• register an Account or create a profile;
• complete or participate in an assessment;
• purchase a Subscription or make a payment;
• contact us with an enquiry, complaint or support request;
• opt in to marketing communications; or
• provide research consent.
4.2 From Clients, when a Client invites Respondents to participate in an assessment (e.g., Respondent name and email address for the purpose of distributing the assessment).
4.3 Automatically, through cookies, server logs and similar technologies when you access the Website or Platform (see Section 12).
4.4 From third-party service providers, such as payment processors who confirm payment status.
4.5 We will not collect personal information by unlawful or unfair means. Where it is reasonable and practicable to do so, we will collect personal information directly from you (APP 3).
5. Why We Collect, Use and Disclose Personal Information
Under Australian Privacy Law (APPs)
We collect, use and disclose personal information for the primary purposes for which it was collected, and for related secondary purposes that you would reasonably expect (APP 6). Our purposes are as follows:
- Providing the Service — creating accounts, distributing assessments, generating reports and insights.
  - Information used: Account information, Assessment Response Data.
  - Legal basis (APPs): Primary purpose (performance of our agreement with you).
- Processing payments — managing subscriptions, invoicing and billing.
  - Information used: Account and billing information.
  - Legal basis (APPs): Primary purpose.
- Customer support — responding to your enquiries and resolving issues.
  - Information used: Account information, communications data.
  - Legal basis (APPs): Primary purpose.
- Improving the Service — analysing usage patterns, fixing bugs, developing new features.
  - Information used: Usage data, Aggregated and Anonymised Data.
  - Legal basis (APPs): Related secondary purpose (legitimate interest in service improvement).
- Research — validating and improving the TeamHive assessment tool; contributing to scientific literature.
  - Information used: De-identified Assessment Response Data (only where separate consent is given — see Section 11).
  - Legal basis (APPs): Consent.
- Security and fraud prevention — protecting the Service, detecting unauthorised access.
  - Information used: Usage data, account information.
  - Legal basis (APPs): Related secondary purpose (legitimate interest in security).
- Marketing communications — sending newsletters, product updates and promotional material.
  - Information used: Email address, name.
  - Legal basis (APPs): Consent (explicit opt-in only).
- Legal compliance — complying with applicable laws, regulations and legal processes.
  - Information used: Any category as required.
  - Legal basis (APPs): Required or authorised by law (APP 6.2(b)).
Under GDPR (for EEA/UK Individuals)
Where we process personal data of individuals in the EEA or UK, our lawful bases under Article 6 GDPR are:
• Performance of a contract (Art 6(1)(b)) — to provide the Service and process payments.
• Legitimate interests (Art 6(1)(f)) — to improve the Service, ensure security, and analyse usage, where those interests are not overridden by your data protection rights.
• Consent (Art 6(1)(a)) — for marketing communications and research use of de-identified data.
• Legal obligation (Art 6(1)(c)) — to comply with applicable laws.
6. Who We Share Personal Information With
6.1 We do not sell your personal information.
6.2 We may disclose personal information to the following categories of recipients:
• Cloud hosting providers — for storing and serving the Platform and data.
• Payment processors — for processing payments and managing subscriptions.
• Analytics providers — for understanding how the Service is used (using anonymised or aggregated data where possible).
• Email service providers — for sending transactional and marketing communications.
• Customer relationship management (CRM) tools — for managing client relationships and support.
• Research institutions — for receiving de-identified Assessment Response Data for research purposes (only where Respondent consent has been given — see Section 11).
• Professional advisers — for legal, accounting and audit services.
• Law enforcement or regulators — where required by law, regulation, court order or binding regulatory request.
6.3 All third-party service providers are required to protect personal information in accordance with contractual obligations consistent with the APPs (and, where applicable, the GDPR). A list of specific sub-processors is available on request by contacting us at contact@team-hive.co.
7. Overseas Disclosures
7.1 Some of our third-party service providers may store or process personal information on servers located outside Australia.
7.2 Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information, as required by APP 8. These steps include:
• Entering into contractual arrangements that require the recipient to handle personal information in accordance with the APPs;
• Selecting providers that maintain appropriate security certifications (e.g., SOC 2, ISO 27001); and
• Assessing the privacy laws and practices of the recipient's country.
7.3 For EEA/UK individuals: Where personal data is transferred outside the EEA/UK, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision (GDPR Articles 46–49).
8. Payment Information
8.1 Payment and billing information (such as credit card details) is collected and processed by our third-party payment processor. We do not store your full credit card number on our servers.
8.2 Information processed by our payment processor is subject to that provider's own privacy policy and PCI-DSS compliance obligations.
8.3 We receive from our payment processor only the information necessary to confirm payment status, manage your Subscription, and issue invoices (e.g., last four digits of the card, billing name, billing address, payment confirmation).
9. Data Security
9.1 We implement reasonable and appropriate technical and organisational security measures to protect personal information against unauthorised access, loss, destruction, alteration and misuse, having regard to the nature of the information, the state of the art and the cost of implementation. These measures include:
• Encryption of data in transit (TLS/SSL) and at rest;
• Access controls restricting access to personal information to authorised personnel on a need-to-know basis;
• Regular security reviews and testing;
• Secure software development practices; and
• Staff training on data protection and privacy obligations.
9.2 You are responsible for keeping your Account credentials secure. You must notify us immediately if you become aware of any unauthorised access to your Account (see our Terms of Use, clause 3.3).
9.3 While we take reasonable steps to protect personal information, no system is completely secure. We cannot guarantee absolute security.
10. Notifiable Data Breaches
10.1 We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
10.2 If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
• Take immediate steps to contain and remediate the breach;
• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable;
• Notify affected individuals as required by the NDB scheme; and
• Notify the relevant Client within 72 hours of becoming aware of the breach, as set out in our Terms of Use (clause 8.4).
10.3 For EEA/UK individuals: We will also notify the relevant supervisory authority within 72 hours of becoming aware of a breach involving personal data of EEA/UK individuals, in accordance with GDPR Article 33, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
11. Research Use of De-identified Data
11.1 Separate and Voluntary Consent
When completing an assessment, Respondents are given the separate and voluntary option to consent to the use of their de-identified Assessment Response Data for research purposes. Research participation is entirely voluntary and is not a condition of using the Service or receiving assessment results.
11.2 What Respondents Consent To
Where consent is given, the Respondent consents to:
- Their de-identified Assessment Response Data being used for research purposes to validate and improve the TeamHive 360 assessment tool; and
- Their de-identified data being shared with other researchers and research institutions for scientific purposes, in support of open scientific practices.
11.3 De-identification and Safeguards
- All Assessment Response Data used for research is fully de-identified before being provided to any researcher. No personal identifying information (name, email address or other identifiers) is ever shared with researchers.
- De-identified data is stored securely in accordance with the Australian Code for the Responsible Conduct of Research (2018) and the National Statement on Ethical Conduct in Human Research (2007, updated 2018).
11.4 Withdrawal of Consent
- A Respondent may withdraw their research consent at any time by contacting us at contact@team-hive.co.
- Upon withdrawal, we will cease using that Respondent's de-identified data in future research.
- Data cannot be withdrawn from research studies that have already been completed using de-identified datasets, as the data is anonymised and can no longer be linked to the individual.
11.5 GDPR Basis (for EEA/UK Individuals)
Where a Respondent located in the EEA or UK provides research consent, the lawful basis for processing is consent under GDPR Article 6(1)(a), read together with Article 89 (safeguards for research processing). The right to erasure under Article 17 is subject to the exception in Article 17(3)(d) (research purposes) to the extent that erasure would render impossible or seriously impair the achievement of the research objectives.
12. Cookies and Tracking Technologies
12.1 What We Use
We use the following categories of cookies and tracking technologies:
• Strictly necessary cookies — essential for the operation of the Website and Platform (e.g., session management, authentication).
• Analytics cookies — help us understand how visitors use the Website and Platform so we can improve performance.
• Functional cookies — remember your preferences and settings (e.g., language and display preferences).
12.2 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. If you disable cookies, some features of the Service may not function correctly.
12.3 Analytics Services
We may use third-party analytics services to analyse how visitors use the Website. These services use cookies to collect information (including your truncated IP address), which may be transmitted to and stored on servers located outside Australia. Where we use such services, we enable IP anonymisation where available.
You may be able to opt out of analytics tracking by installing browser add-ons offered by the relevant analytics provider, or by adjusting your cookie settings.
12.4 "Do Not Track" Signals
We currently do not respond to "Do Not Track" browser signals, as there is no industry-standard protocol for doing so. We will update this policy if a standard is adopted.
13. Data Retention
13.1 We retain personal information for as long as reasonably necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting or reporting requirements.
13.2 Our general retention periods are:
• Account and registration information — for the duration of your Account, plus 12 months after Account closure or termination (to allow for data export and to resolve any outstanding issues).
• Assessment Response Data (linked to Client reports) — for the duration of the Client's Subscription, plus 12 months after termination. De-identified and Aggregated data may be retained indefinitely for benchmarking and Service improvement.
• Research Data (de-identified) — retained indefinitely in de-identified form, in accordance with the Australian Code for the Responsible Conduct of Research, unless consent is withdrawn (see Section 11.4).
• Payment and billing information — for 7 years after the last transaction, as required by Australian taxation law.
• Usage and analytics data — up to 26 months from collection, unless anonymised and aggregated.
• Marketing consent records — for the duration of the consent, plus 12 months after withdrawal.
• Communications data — for 24 months from the date of communication, unless related to a dispute or legal matter.
13.3 On termination of the Service: As set out in our Terms of Use (clause 20.1(c)), upon your written request made within 30 days of termination, we will make Your Content available for export in a standard, machine-readable format. After that 30-day period, we may delete Your Content from our active systems (subject to backups and legal retention obligations).
13.4 When personal information is no longer required, we will take reasonable steps to destroy it or ensure it is de-identified, as required by APP 11.2.
14. Your Rights — All Users
14.1 Under Australian Privacy Law
Under the APPs, all individuals (regardless of location) whose personal information we hold have the following rights:
(a) Right of access (APP 12): You have the right to request access to the personal information we hold about you. We will respond to your request within 30 days. Access may be refused in limited circumstances permitted by law (e.g., where granting access would pose an unreasonable impact on the privacy of others, or where the request is frivolous or vexatious), and we will provide reasons for any refusal.
(b) Right of correction (APP 13): You have the right to request that we correct any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant or misleading. We will respond to your request within 30 days.
(c) Right to opt out of marketing: You have the right to opt out of receiving direct marketing communications at any time by using the unsubscribe link in any marketing email, updating your preferences in your Account, or contacting us at contact@team-hive.co.
(d) Right to complain: You have the right to complain about how we have handled your personal information (see Section 16).
14.2 How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: contact@team-hive.co
We may need to verify your identity before processing your request. We will not charge you a fee for making a request or for providing access, unless the request is manifestly unfounded, excessive, or repetitive.
15. Additional Rights for EEA and UK Individuals
15.1 If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR (in addition to the rights set out in Section 14):
(a) Right to erasure ("right to be forgotten") (Art 17): You may request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and there is no other legal basis for processing, or where the data has been unlawfully processed. This right is subject to exceptions, including where processing is necessary for scientific research purposes (Art 17(3)(d)) — see Section 11.5.
(b) Right to restriction of processing (Art 18): You may request that we restrict the processing of your personal data in certain circumstances (e.g., where you contest its accuracy, pending verification).
(c) Right to data portability (Art 20): You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller, where the processing is based on consent or a contract and carried out by automated means.
(d) Right to object (Art 21): You have the right to object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
(e) Right to withdraw consent (Art 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
(f) Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.
15.2 Data Controller
For the purposes of the GDPR, the data controller is:
Team Development Analytics Pty Ltd (ACN 696 223 891)
Email: contact@team-hive.co
15.3 We do not have an establishment in the EEA. If the GDPR applies to our processing, we have not appointed a representative in the EU under Article 27 GDPR.
16. Complaints
16.1 If you believe we have breached the APPs, the GDPR, or this Privacy Policy, you may lodge a complaint with us by contacting:
Email: contact@team-hive.co
16.2 We will:
• Acknowledge your complaint within 5 business days;
• Investigate the complaint and provide a response within 30 days; and
• Work with you in good faith to resolve the matter.
16.3 If you are not satisfied with our response, you may escalate your complaint to:
(a) In Australia: Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
Phone: 1300 363 992
(b) In the EEA/UK: The supervisory authority in the member state of your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK residents: the Information Commissioner's Office (ICO)
Website: https://ico.org.uk
17. Marketing Communications
17.1 We will only send you marketing or promotional communications if you have explicitly opted in (e.g., by ticking a consent box). We will not rely on pre-ticked boxes or inferred consent.
17.2 You may withdraw your consent and opt out of marketing at any time by:
• Clicking the "unsubscribe" link in any marketing email;
• Updating your communication preferences in your Account; or
• Contacting us at contact@team-hive.co.
17.3 Withdrawal of marketing consent does not affect transactional or service-related communications (e.g., payment confirmations, security alerts, material changes to the Service).
17.4 We comply with the Spam Act 2003 (Cth), which requires that all commercial electronic messages sent from or to Australia include accurate sender identification and a functional unsubscribe mechanism.
18. Children's Privacy
18.1 The Service is intended for use by organisations and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.
18.2 If we become aware that we have collected personal information from a child under 18 without appropriate parental or guardian consent, we will take steps to delete that information as soon as practicable.
19. Aggregated and Anonymised Data
19.1 We may create Aggregated and Anonymised Data from personal information and Assessment Response Data by removing all identifiers so that the data cannot reasonably be used to identify any individual, team or organisation.
19.2 We may use Aggregated and Anonymised Data for any purpose, including service improvement, benchmarking, product development and research. Aggregated and Anonymised Data is not personal information under the Privacy Act 1988 or personal data under the GDPR.
20. Third-Party Links
20.1 The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party site you visit.
21. Changes to This Privacy Policy
21.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors.
21.2 Where the change is material, we will give you at least 30 days' notice by email or through the Platform before the change takes effect.
21.3 The "Last updated" date at the top of this policy indicates when the most recent revision was published.
21.4 Your continued use of the Service after a change takes effect constitutes your acceptance of the updated Privacy Policy.
22. Contact Us
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal information, please contact us at:
Team Development Analytics Pty Ltd (ACN 696 223 891)
Email: contact@team-hive.co