Khamango
Lifecycle Tools Product docs

Khamango tools privacy

Tools Platform Privacy Policy

This policy applies to Khamango Opportunity Check, CreditMatch, Credit Transfer and BSA Manager. It is hosted here so each tool can refer to the same current version.

Current draft version: 0.2. Last updated: 19 May 2026. This page is separate from the official Khamango marketplace privacy policy unless Khamango expressly states otherwise.

Khamango Tools Platform — Privacy Policy

Version: 0.2 (draft for legal review) Last updated: 19 May 2026 Status: Draft. Not for publication until reviewed and approved by Khamango’s solicitor.

This Privacy Policy applies to the Khamango Tools Platform, including the Khamango Opportunity Checker, Khamango Credit Match, Khamango Credit Transfer and Khamango BSA Manager (together, the Tools). It supports, and should be read alongside, the Khamango Tools Platform Terms and Conditions.

This Privacy Policy is separate from the privacy policy that applies to the official Khamango biodiversity credit marketplace at https://khamango.com.au. If You are using the marketplace, the marketplace privacy policy applies. If You are using the Tools, this Privacy Policy applies.

Capitalised terms used but not defined in this Privacy Policy have the meaning given in the Khamango Tools Platform Terms and Conditions.

1. About this Privacy Policy

Khamango Pty Ltd (ABN 22 684 894 620) of 141 Corrimal Street, Wollongong, NSW 2500, Australia (Khamango, we, us or our) is a private business based in New South Wales, Australia. Khamango is committed to protecting Personal Information collected through the Tools.

Khamango is bound by the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act, and any registered privacy code that applies to Khamango from time to time. As a private business, Khamango is regulated by Commonwealth privacy law; the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW), which apply to NSW public-sector agencies and certain health service providers, do not apply directly to Khamango.

Khamango operates from, and provides the Tools within, Australia. This Privacy Policy is governed by the laws of New South Wales, Australia and any disputes about this Privacy Policy will be heard in the courts of New South Wales, Australia, consistent with clause 23.11 of the Khamango Tools Platform Terms and Conditions.

This Privacy Policy describes how Khamango collects, holds, uses, discloses and otherwise manages Personal Information collected through the Tools. It also describes Your rights in relation to that Personal Information and how to exercise them.

This Privacy Policy may be updated from time to time. The current version, its version number and its effective date are published at the Khamango Tools Platform privacy policy URL. Khamango will give You notice of material changes by email or in-Tool notice.

2. What Personal Information we collect

The Personal Information Khamango collects depends on Your interaction with the Tools. Common categories include:

Account information: name, email address, telephone number, organisation name, role, and any other information You provide when registering an Account or being invited as an Invited User.

Billing and payment information: billing name and address, transaction history, payment method tokens and receipts. Full card numbers are collected and stored by Stripe and not by Khamango.

Property and land information (Opportunity Checker, BSA Manager): property address, Lot/DP, boundary, parcel, land use, vegetation, planning, constraint and management-cost data, and contact details for landholders, advisers, assessors, consultants and contractors associated with a property.

Transaction and credit information (Credit Match, Credit Transfer): buyer, seller, listing, biodiversity credit class, quantity, price, transfer authority, identity, document execution and lodgement information.

Document content: the contents of reports, plans, evidence, forms, signatures, photographs, communications, calendar items, compliance records and other files uploaded to or generated through the Tools.

Communications: correspondence with Khamango, including email, support tickets, in-Tool messages, secure link recipient details and feedback.

Usage and device data: IP address, device identifiers, browser type, operating system, referrer URL, pages accessed, features used, time and date of access, and similar log and analytics data.

Cookies and similar technologies: described in clause 8.

Marketing preferences: Your consent to receive commercial electronic messages from Khamango under the Spam Act 2003 (Cth), and Your communication preferences.

Khamango will collect Personal Information about other individuals from You where You provide it — for example, landholders, buyers, sellers, advisers, assessors, consultants, contractors, Invited Users and other counterparties. Clause 9.5 (Your privacy obligations) of the Khamango Tools Platform Terms and Conditions describes Your obligations when providing this kind of Personal Information.

Khamango does not actively seek to collect sensitive information within the meaning of the Privacy Act (such as health information, racial or ethnic origin, political opinions or criminal record). If You provide sensitive information through the Tools — for example, by uploading a document that contains it — Khamango will handle it in accordance with APP 3 and APP 6 and will limit its use to the purposes for which it was provided.

Some biodiversity data accessed or generated through the Tools may include or relate to sensitive species information, sensitive site information or culturally sensitive Aboriginal heritage information that is subject to access restrictions or generalisation under the Biodiversity Conservation Act 2016 (NSW), the Aboriginal Cultural Heritage provisions of the National Parks and Wildlife Act 1974 (NSW), related NSW Government data licence terms or upstream licence terms imposed by the Department or the Biodiversity Conservation Trust. Khamango handles this data in accordance with applicable restrictions and applies technical controls (such as rate-limiting, query auditing and bulk-export restrictions) to support its protection.

3. How we collect Personal Information

Directly from You, including when You:

register an Account, are invited as an Invited User, or use a Tool;

submit information through a form, secure link, email, telephone call or other communication;

make a payment, request a refund or contact support;

provide feedback, respond to a survey or attend a meeting; or

interact with Khamango on social media or other channels.

Indirectly, including when:

an account holder invites You as an Invited User;

another user adds You as a counterparty, recipient or authorised representative in a Tool workflow (for example, a Credit Transfer secure link);

information about You is included in a document, evidence pack, report or other content uploaded by another user; or

Khamango receives information about You from a professional adviser, assessor, consultant or contractor acting on Your behalf.

Automatically, through the operation of the Tools, including:

log data, IP address, device information and usage analytics;

cookies and similar technologies; and

data captured by error-monitoring, security and fraud-prevention systems.

From public registers and third-party data sources, including New South Wales Government map services, government data portals, biodiversity data services, public registers maintained by the Department, and third-party data providers, where this data relates to property or transactions in scope of a Tool You are using.

Where it is unreasonable or impractical to collect Personal Information directly from You, Khamango will, where reasonably practicable, notify You that the information has been collected and the circumstances of the collection.

4. Why we collect, hold, use and disclose Personal Information

Khamango collects, holds, uses and discloses Personal Information for the following primary purposes:

providing the Tools to You and generating Outputs, including running screening, matching, scoring, document generation, workflow and reporting functions;

verifying Your identity and authority, where this is required for a transaction or workflow;

processing payments, issuing invoices and receipts, managing subscriptions and handling refunds, chargebacks and disputes;

communicating with You about the Tools, including transactional notifications, security alerts, service updates, support responses, renewal reminders and account communications;

sending You marketing communications about Khamango Tools, where You have consented or where Khamango is permitted to do so under the Spam Act 2003 (Cth), in each case with a functional unsubscribe facility;

maintaining, securing, supporting, improving and developing the Tools;

detecting, investigating and responding to actual or suspected security incidents, fraud, abuse, breaches of the Acceptable Use Policy and unlawful activity;

complying with applicable Laws, regulator requirements, court orders, lawful requests from law enforcement and tax, audit and recordkeeping obligations;

establishing, exercising or defending legal claims; and

any other purpose that You consent to, or that is permitted or required by Law.

Khamango will only use or disclose Personal Information for a secondary purpose where it is permitted under the APPs — for example, where You would reasonably expect the secondary use, where You have consented, or where the secondary use is required or authorised by Law.

5. Who we disclose Personal Information to

Khamango may disclose Personal Information to the following categories of recipient:

Khamango’s related entities, for the purposes described in clause 4;

Khamango’s service providers, including providers of cloud hosting, email, customer support, analytics, security, error monitoring, document generation, e-signature, file storage, communications and similar services;

Payment processors, including Stripe, in connection with payment processing, billing, invoicing, subscription management, taxation and fraud prevention;

NSW Government agencies, public registers and government services that Khamango queries on Your behalf as part of providing the Tools, including services operated by the NSW Department of Climate Change, Energy, the Environment and Water (or its successor), the Biodiversity Conservation Trust, NSW Land Registry Services, Spatial Services NSW and other NSW Government agencies. Information disclosed to NSW Government agencies is handled by those agencies under their own privacy obligations, including the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) where applicable to those agencies;

Commonwealth Government agencies where required or authorised by Law, including the Australian Taxation Office in connection with billing and tax records;

Other users or counterparties that You have authorised to access information through a Tool workflow, including via secure links, Invited User invitations or transaction parties You have nominated;

Professional advisers, assessors, consultants and contractors that You have nominated or that Khamango is required to engage in connection with providing the Tools;

Law enforcement, regulators, government agencies and courts, where required or authorised by Law, including the Office of the Australian Information Commissioner, the Australian Competition and Consumer Commission, NSW Fair Trading and the NSW Police Force;

A successor in business, in connection with a sale, merger, restructure or transfer of all or substantially all of Khamango’s business or assets, on terms that require the successor to protect Personal Information consistently with this Privacy Policy; and

Any other recipient that You consent to, or that Khamango is permitted or required by Law to disclose to.

Khamango requires its service providers to handle Personal Information in accordance with the APPs and contractual arrangements that reflect Khamango’s obligations.

6. Overseas disclosure of Personal Information

Khamango is based in Australia, but its service providers and infrastructure providers may store or process Personal Information in countries other than Australia.

The principal categories of overseas recipient and the principal countries in which they hold or process Personal Information are:

Recipient category

Principal jurisdictions

Cloud hosting and infrastructure providers

Australia, United States, European Union

Payment processing providers (including Stripe)

Australia, United States, Ireland

Email, calendar and document storage providers

Australia, United States, European Union

Document generation and e-signature providers

Australia, United States

Analytics, error monitoring and security providers

Australia, United States, European Union

Customer support and communications providers

Australia, United States, European Union

Khamango maintains a current list of its principal overseas recipients and the countries in which they hold or process Personal Information, available on request and updated from time to time.

Before disclosing Personal Information to an overseas recipient, Khamango takes steps that are reasonable in the circumstances to ensure that the overseas recipient handles Personal Information in a manner consistent with the APPs, including by entering into contractual arrangements with the overseas recipient.

Where overseas disclosure is required for processing a payment, Stripe handles cardholder Personal Information in accordance with its own privacy policy and PCI-DSS compliance program. By choosing to make a payment using Stripe, You acknowledge that Stripe will handle Your payment information in accordance with Stripe’s terms and privacy notices.

7. Automated decision-making and artificial intelligence

Some Tools generate Outputs using automated logic, including matching algorithms, scoring methods, rule-based assessments and, where Khamango notifies You, generative or other artificial intelligence models.

Automated Outputs may contain errors, including incorrect classifications, missed matches, false matches, out-of-date data, fabricated detail, omissions, miscalculation and inconsistency between Outputs generated at different times. You must independently verify automated Outputs before relying on them for any decision that has legal, financial, ecological, planning, regulatory, transaction, credit sale, credit purchase, BSA, land management, tax or valuation consequences.

You may contact Khamango using the details in clause 14 to request information about the operation of an automated Output, including the principal categories of input data, the logic applied and the limitations of the Output, subject to Khamango’s reasonable protection of its Confidential Information and Intellectual Property Rights.

Khamango does not currently make decisions that produce legal or similarly significant effects about You solely by automated means without human involvement. If this changes, Khamango will update this Privacy Policy and, where required, provide You with additional disclosure consistent with the Privacy and Other Legislation Amendment Act 2024 (Cth) and any related guidance from the Office of the Australian Information Commissioner.

8. Cookies, analytics and tracking

The Tools use cookies and similar technologies to operate the Tools, remember Your preferences, analyse usage, protect security and improve performance. Categories include:

Strictly necessary cookies required for the Tools to function (for example, session cookies that keep You logged in);

Preference cookies that remember Your settings;

Analytics cookies that allow Khamango to understand how the Tools are used (for example, Google Analytics or a similar service); and

Security cookies that help detect fraud, abuse and security incidents.

You can adjust Your browser settings to refuse some or all cookies. If You disable strictly necessary cookies, some parts of the Tools may not work correctly.

Where Khamango uses third-party analytics services, those services have their own privacy policies and may transfer data to countries other than Australia.

9. Security

Khamango takes reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification and disclosure. These steps include:

encryption of data in transit and, where appropriate, at rest;

access controls and authentication for Khamango personnel, contractors and service providers;

network and application security measures, including monitoring, logging and alerting;

restrictions on access to sensitive biodiversity data, including rate-limiting, query auditing and bulk-export controls;

use of Stripe-hosted or Stripe-managed payment flows for card processing, so that Khamango does not itself store full card numbers; and

regular review of security practices and service provider arrangements.

No system that handles data over the internet is fully secure. Khamango cannot guarantee that Personal Information will never be subject to unauthorised access or disclosure. If a data breach occurs, Khamango will respond in accordance with clause 11.

You can help protect Personal Information by:

using a strong, unique password for Your Account;

keeping Your password, secure links and Credentials confidential;

logging out of the Tools when finished;

telling Khamango immediately if You suspect unauthorised access; and

keeping Your device, browser and security software up to date.

10. Retention of Personal Information

Khamango retains Personal Information for as long as reasonably necessary for the relevant Tool, Account, transaction, workflow, legal, tax, accounting, audit, security, dispute-resolution and legitimate business record purposes, or as required or authorised by Law.

Indicative retention approach is:

Category

Retention approach

Account information

For the duration of Your Account, plus a reasonable period after closure where needed to handle residual obligations, support requests, security issues, disputes, legal obligations and business records.

Billing and payment information

Generally for at least 7 years from the end of the tax year in which the relevant transaction occurred, or for any longer period required for accounting, tax, refund, chargeback, payment dispute, audit or legal purposes.

Customer Data (uploaded documents, project information)

For the duration of Your active use and for a reasonable period after last use or Account closure. Khamango will consider deletion or de-identification requests, but may retain Customer Data where reasonably necessary for workflow integrity, transaction records, legal, tax, accounting, audit, security, dispute-resolution, regulatory, backup or legitimate business record purposes.

Communications and support data

For as long as reasonably necessary to respond to the communication, support the relevant Tool or transaction, manage disputes and maintain business records. This will generally be up to 3 years unless longer retention is reasonably required.

Usage, device, log and analytics data

For as long as reasonably necessary for security, abuse prevention, product operation, analytics, audit and troubleshooting. Usage and log data will generally be retained in identifiable form for up to 24 months unless longer retention is reasonably required.

Backup data

Until the next scheduled deletion cycle or backup expiry process, subject to technical limits and ongoing legal, security, audit and disaster-recovery obligations.

Aggregated, de-identified or anonymised data

Indefinitely, in a form that does not identify You.

For clarity, Credit Transfer records, signed bundles, secure-link audit records, DocuSign events and transaction evidence may be retained for longer than ordinary project data where needed for transaction integrity, legal, regulatory, dispute or audit purposes. Credit Match billing, payment, entitlement, refund and payment-dispute records may be retained for statutory accounting and tax periods. Audit, security, fraud-prevention and legal records may also be retained for as long as reasonably necessary.

11. Notifiable Data Breaches scheme

Khamango complies with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

If Khamango becomes aware of a data breach involving Personal Information that is likely to result in serious harm, Khamango will:

promptly carry out a reasonable and expeditious assessment of the suspected eligible data breach;

take reasonable steps to contain the breach and reduce the risk of harm;

if required, notify the Office of the Australian Information Commissioner and affected individuals in accordance with the Notifiable Data Breaches scheme; and

notify any user whose Customer Data is affected as soon as reasonably practicable.

If You suspect a data breach has occurred, or You become aware of unauthorised access to or use of Your Account, Credentials or Customer Data, please contact Khamango immediately using the details in clause 14.

12. Your rights

12.1 Access

You have the right under APP 12 to request access to Personal Information that Khamango holds about You. Khamango will respond to a request within a reasonable period and will generally provide access in the manner You request, unless it is unreasonable or impracticable to do so. Khamango may charge a reasonable fee for providing access, but not for making a request. If Khamango refuses access, Khamango will provide a written notice setting out the reasons and the mechanisms available to You to complain.

12.2 Correction

You have the right under APP 13 to request correction of Personal Information that Khamango holds about You where it is inaccurate, out of date, incomplete, irrelevant or misleading. Khamango will take reasonable steps to correct the Personal Information. If Khamango refuses to correct, Khamango will provide a written notice setting out the reasons, the mechanisms available to You to complain and Your right to request that a statement be associated with the Personal Information noting that You consider it to be inaccurate.

12.3 Deletion

You may request that Khamango delete Personal Information held about You by contacting Khamango using the details in clause 14. Khamango will delete or de-identify the relevant Personal Information within a reasonable time, except to the extent Khamango is permitted or required to retain it for the reasons set out in clause 10 of this Privacy Policy or clause 9.5 of the Khamango Tools Platform Terms and Conditions. Khamango will explain the basis for any retention on request.

12.4 Marketing opt-out

You may withdraw Your consent to receive commercial electronic messages at any time by using the unsubscribe facility in any commercial electronic message, by adjusting Your communication preferences in the Tools, or by contacting Khamango using the details in clause 14. Withdrawal of consent does not affect transactional, administrative, security or other operational communications necessary to provide the Tools.

12.5 Complaints

If You believe Khamango has breached the Privacy Act, the APPs or any applicable privacy code, You may make a complaint to Khamango using the details in clause 14. Khamango will acknowledge Your complaint within a reasonable time and will investigate and respond within 30 days unless a longer period is required and You are notified.

If You are not satisfied with Khamango’s response, You may complain to the Office of the Australian Information Commissioner (the Commonwealth privacy regulator for private-sector businesses):

Office of the Australian Information Commissioner GPO Box 5288, Sydney NSW 2001 Telephone: 1300 363 992 Website: https://www.oaic.gov.au

Where Your complaint concerns the handling of Personal Information by a NSW Government agency (rather than by Khamango), the NSW Information and Privacy Commission (IPC NSW) is the relevant regulator:

Information and Privacy Commission NSW GPO Box 7011, Sydney NSW 2001 Telephone: 1800 472 679 Website: https://www.ipc.nsw.gov.au

Where Your complaint concerns conduct that may breach the Australian Consumer Law or constitute misleading or deceptive conduct, You may also raise the matter with the Australian Competition and Consumer Commission or NSW Fair Trading.

13. Other websites, third party tools and children

Other websites. The Tools may contain links to, or be integrated with, websites and services operated by third parties. This Privacy Policy does not apply to those third-party websites or services. You should review their privacy policies before providing Personal Information to them.

Third Party Applications. Where You enable a Third Party Application to interoperate with a Tool, the provider of the Third Party Application may access Personal Information for the purpose of interoperation. The Third Party Application provider’s own privacy policy will apply to that access, in addition to this Privacy Policy.

Children. The Tools are not intended for use by individuals under the age of 18. Khamango does not knowingly collect Personal Information from individuals under 18. Account holders must not invite individuals under 18 as Invited Users. If Khamango becomes aware that Personal Information about a child has been collected, Khamango will take reasonable steps to delete it.

14. How to contact us

14.1 Khamango privacy contact

Email: privacy@khamango.com.au Telephone: 0423 901 208 Post: Khamango Pty Ltd, 141 Corrimal Street, Wollongong, NSW 2500, Australia

You can use these details to:

ask a question about this Privacy Policy or how Khamango handles Personal Information;

request access to, correction of or deletion of Your Personal Information;

withdraw consent to receive marketing communications;

report a suspected data breach; or

make a privacy complaint.

14.2 Office of the Australian Information Commissioner

For more information about Your privacy rights and how to make a complaint to the regulator, see https://www.oaic.gov.au.

15. Changes to this Privacy Policy

Khamango may update this Privacy Policy from time to time, for example to reflect changes in Law, Khamango’s business practices, Tool functionality or service providers.

The current version of this Privacy Policy, its version number and its effective date are published at the Khamango Tools Platform privacy policy URL.

Khamango will give You notice of material changes to this Privacy Policy by email, in-Tool notice or at the time of Your next interaction with the Tools, with as much notice as is reasonably practicable in the circumstances. Continued use of the Tools after a notified change takes effect indicates Your acceptance of the updated Privacy Policy, except to the extent additional consent is required by Law.

Material changes will not retrospectively affect how Personal Information already collected was handled at the time of collection, unless Khamango obtains Your additional consent or is required by Law to apply the change retrospectively.

Khamango

Australia's connected pathway for biodiversity credits.

Legal

Tools terms Tools privacy policy Khamango pathway

Contact

khamango.com.au hamish@khamango.com.au