Introduction and Scope
MM Digital Ventures Pty Ltd (ABN 43 669 576 863), trading as inhause (“inhause”), is an Australian-headquartered raw ingredient sourcing company and technology platform operator. We act as a principal merchant in the business-to-business (“B2B”) ingredient supply chain, sourcing products from processors globally and supplying them to food manufacturers, traders, and industrial buyers across the Asia-Pacific region and beyond.
This Privacy Policy explains how we collect, hold, use, disclose, and otherwise handle personal information in accordance with the Australian Privacy Act 1988 (Cth) (“Privacy Act”) as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth) (“2024 Amendment Act”), the Australian Privacy Principles (“APPs”), and, where applicable, the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the New Zealand Privacy Act 2020, the Singapore Personal Data Protection Act 2012 (“PDPA”), Japan’s Act on Protection of Personal Information (“APPI”), and other applicable data protection laws.
This Policy applies to all personal information collected through our commercial trading operations, our digital platforms (including the inhause Market Intelligence Platform, Buyer Portal, the inhause AI ordering and communications system, and inhause.com.au), our supply chain and logistics operations, and any other interactions with us.
Key Definitions
| Term | Definition |
|---|---|
| Personal Information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in section 6(1) of the Privacy Act, including “personal data” under Article 4(1) GDPR. |
| Sensitive Information | Personal information about an individual’s racial or ethnic origin, political opinions, religious beliefs, health, genetic or biometric data, sexual orientation, or criminal record. |
| Platform | The inhause Market Intelligence Platform, Buyer Portal, inhause AI, Pricing Index, Supply Map, and any related digital interface operated by inhause. |
| inhause AI | inhause’s AI-powered multi-channel ordering and communications system, processing natural language inputs across email, WhatsApp, and web to facilitate commodity transactions. |
| Pricing Index | The inhause proprietary pricing benchmark covering raw ingredient commodities. |
| Trade Data | Commercial information from trading activities including POs, invoices, shipping documents, COAs, pricing data, and transaction records. |
| Counterparty | Any supplier, buyer, broker, logistics provider, or financial institution with whom inhause transacts. |
| Automated Decision | A decision made by a computer program (including AI/ML) that could reasonably be expected to significantly affect an individual’s rights or interests, per the 2024 Amendment Act. |
| DPA | Data Processing Addendum — the contractual framework governing subprocessor processing of personal information on behalf of inhause (Schedule 2). |
| ROPA | Records of Processing Activities — the register documenting all processing activities (Schedule 3, GDPR Article 30). |
Information We Collect
3.1 Business Contact Information
In the course of our B2B sourcing and trading operations, we collect:
- Full name, job title, position, and employer/organisation details
- Business email addresses, telephone and mobile numbers
- Business postal addresses and registered office addresses
- Professional credentials, qualifications, and industry certifications
- Communication preferences and preferred contact methods
- Records of commercial negotiations, pricing discussions, and contractual correspondence
- Transaction history, purchase patterns, product preferences, and credit terms
- Bank account details and payment information for trade settlement
- Tax file numbers, ABN/ACN, GST registration details, and equivalent foreign tax identifiers solely as required for invoicing and regulatory compliance
3.2 Platform and Digital Data
When you access or use any inhause digital platform, we may collect:
- Account registration data including name, email, password (hashed and salted using bcrypt or argon2), organisation, and role
- User-generated content including watchlist configurations, pricing entries, search queries, and market signal preferences
- Usage and interaction data including pages viewed, features accessed, session duration, and navigation paths
- Technical data including IP address, browser type, operating system, device identifiers, and referring URLs
- Cookies and tracking technologies as described in Schedule 1 (Cookie Policy)
- Geolocation data derived from IP address (approximate) or, with explicit consent, precise device geolocation
- Communications with inhause AI including natural language inputs, order instructions, queries, and system-generated responses
3.3 Supply Chain and Logistics Data
- Names and contact details of warehouse personnel, freight forwarders, shipping agents, and customs brokers
- Driver licence details, vehicle registration, and chain-of-custody information for transport operators
- Quality assurance and food safety officer details associated with COAs and regulatory compliance
- Phytosanitary and export permit officer details for cross-border shipments
- FSSAI, FSANZ, FDA, and equivalent regulatory contact details
3.4 Financial and Credit Information
- Director and officer details from credit applications and guarantor documentation
- Credit reports and scores from credit reporting bodies (with appropriate consent or as permitted by law)
- Trade references and commercial credit history
- Bank account details, SWIFT/BIC codes, and payment instructions for LC, TT, and receivables finance
- Insurance policy details for trade credit and cargo insurance
3.5 Recruitment and Personnel Data
If you apply for employment or consulting with inhause, we may collect your name, contact details, resume, work history, qualifications, references, right-to-work documentation, and background check results where required by law.
3.6 Information from Third Parties
We may receive personal information from industry databases, credit reporting bodies (Equifax, Illion, Dun & Bradstreet), government registers (ASIC, ABR), social media platforms (LinkedIn), and referrals from existing counterparties.
How We Collect Personal Information
- Directly from you through trading negotiations, contracts, platform accounts, enquiries, or communications
- Automatically through your use of our platforms via cookies, server logs, and analytics tools
- Through inhause AI when you interact with our AI-powered systems across any channel
- From publicly available sources including company websites, regulatory filings, and trade publications
- From third parties including credit reporting bodies, trade referees, and existing counterparties
- From our integrated business tools including CRM, email platforms, and communication tools
Where reasonable and practicable, we collect personal information directly from you. Where we collect from a third party, we take reasonable steps to ensure you are made aware of this Policy.
Purposes of Collection, Use, and Disclosure
5.1 Primary Purposes
- Commodity Trading: Sourcing, pricing, negotiation, sale, and delivery of raw ingredients across domestic and international markets
- Contract Performance: Performing obligations under supply agreements, purchase orders, letters of credit, and trading contracts
- Platform Services: Operating the Market Intelligence Platform, Buyer Portal, Pricing Index, Supply Map, Watchlist, and related tools
- inhause AI Services: Processing natural language inputs for commodity ordering, pricing enquiries, and commercial communications
- Payment & Settlement: Processing payments, managing receivables/payables, arranging trade finance, and administering credit insurance
- Supply Chain Management: Coordinating logistics, freight, warehousing, cold-chain compliance, and customs clearance
5.2 Secondary Purposes
- Market Intelligence: Generating anonymised market insights, pricing benchmarks, trade flow analytics, and supply chain intelligence
- Business Development: Identifying counterparties, outreach campaigns, pipeline management, and network expansion
- Quality Assurance: COA verification, food safety compliance, recall management, and traceability
- Legal & Compliance: Laws, regulations, sanctions, AML/CTF, tax obligations, and export controls
- Risk Management: Counterparty credit assessment, trade credit risk, supply chain disruption monitoring, and insurance
- Platform Improvement: Usage analysis, UX improvement, and AI system refinement using de-identified data
- Dispute Resolution: Establishing, exercising, or defending legal claims
- Communication: Transactional communications and, with consent, promotional communications
Lawful Basis for Processing (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on:
- Contract (Art. 6(1)(b)): Processing necessary for performing a trading contract or pre-contractual steps (e.g. RFQs, quotations, trade execution)
- Legitimate Interests (Art. 6(1)(f)): Operating our trading business, managing counterparty relationships, due diligence, fraud prevention, platform improvement, and B2B marketing — provided not overridden by your fundamental rights. We conduct and document legitimate interest assessments (LIAs) for each category.
- Legal Obligation (Art. 6(1)(c)): Tax reporting, AML/CTF, sanctions screening, and food safety regulations
- Consent (Art. 6(1)(a)): Optional marketing communications, precise geolocation tracking. Consent may be withdrawn at any time without affecting prior lawful processing.
Disclosure of Personal Information
We may disclose your personal information to:
- Trading Counterparties: Suppliers, buyers, and intermediaries as necessary for specific transactions
- Service Providers (Subprocessors): Each subject to a Data Processing Addendum (Schedule 2), including:
  - Cloud hosting and infrastructure providers
  - AI infrastructure providers for inhause AI
  - Email, CRM, analytics, and business intelligence tools
  - Payment processors, freight forwarders, customs brokers, warehousing operators
- Financial Institutions: Banks, receivables finance providers, credit insurers, and LC banks
- Credit Reporting Bodies: Equifax, Illion, Dun & Bradstreet for credit assessment
- Professional Advisors: Lawyers, accountants, and auditors bound by professional confidentiality
- Regulators: FSANZ, FSSAI, AUSTRAC, ATO, customs, and any body where disclosure is required by law
- Related Bodies Corporate: Digital Ventures Pty Ltd and future affiliates
- Potential Acquirers: In connection with mergers, acquisitions, or asset sales, subject to confidentiality
We will never sell, rent, or lease your personal information to any third party for their independent marketing purposes. A current subprocessor list is available on request at info@inhause.com.au.
Cross-Border Disclosure and International Transfers
inhause operates across international markets. We may disclose personal information to recipients in:
- New Zealand, Japan, Republic of Korea, India, Singapore, UAE, and other APAC jurisdictions
- The United States (cloud and AI infrastructure providers)
- The European Union and the United Kingdom
Before disclosing to an overseas recipient, we take reasonable steps to ensure APP 8.1 compliance. For GDPR transfers, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other Article 46–49 mechanisms. As simplified transfer regulations under the 2024 Amendment Act are made, we will update our mechanisms accordingly.
EU and UK Representative (GDPR Article 27)
inhause is not established in the EU or UK. To the extent we process personal data of EU/UK data subjects in connection with offering goods/services or monitoring behaviour, we are required under Article 27 GDPR to appoint a representative.
EU Representative: To be appointed. Details will be published here upon appointment.
UK Representative: To be appointed. Details will be published here upon appointment.
Until such appointments, contact info@inhause.com.au for any GDPR-related enquiries.
Artificial Intelligence, Automated Processing & Transparency
10.1 inhause AI System
inhause operates an AI-powered multi-channel ordering and communications platform processing natural language inputs via web, email, and WhatsApp. inhause AI is powered by third-party large language model infrastructure, subject to a DPA that prohibits the provider from using inhause’s data to train its general-purpose models.
10.2 Data Processed by inhause AI
- The content of your messages, queries, and instructions
- Your identity and organisation details
- Transaction context including product specifications, volumes, pricing, and delivery terms
- Historical interaction data to improve response accuracy
10.3 Human Oversight
inhause AI may provide automated pricing recommendations, availability assessments, and trade matching suggestions. However, no binding trading decision is made solely by automated means without human review. All quotations and order confirmations are subject to final confirmation by authorised inhause personnel.
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
10.4 Automated Decision Transparency (2024 Amendment Act)
In compliance with the transparency obligations commencing 11 December 2026, inhause discloses the following automated systems:
- Pricing Recommendations: inhause AI generates indicative pricing based on market data, historical transactions, and proprietary algorithms. All pricing is reviewed by authorised personnel before becoming binding.
- Credit Screening: Automated tools conduct preliminary credit assessments using credit reporting body data. Final decisions are made by humans.
- Trade Matching: Algorithms match buyer requirements with available supply. All matches are reviewed before execution.
10.5 AI Training
De-identified and aggregated interaction data may be used to improve our AI systems. Identifiable personal information will not be used to train third-party models without explicit consent.
Statutory Tort for Serious Invasions of Privacy
inhause acknowledges the statutory tort for serious invasions of privacy, which commenced on 10 June 2025 under Schedule 2 of the Privacy Act (as inserted by the 2024 Amendment Act). This provides individuals with a direct cause of action in court, independent of the APP framework.
inhause has reviewed its practices to account for this legal risk:
- We do not engage in intrusion upon seclusion or misuse of personal information
- Our practices respect individuals’ reasonable expectations of privacy
- We maintain technical and organisational measures to prevent unauthorised access or disclosure
- Staff are trained on the heightened consequences of serious privacy breaches under this tort
If you believe inhause has seriously invaded your privacy, you may lodge a complaint (Section 18) or pursue a claim in the Federal Court, Federal Circuit and Family Court, or a state/territory court.
Data Security
In compliance with APP 11.1 and the 2024 Amendment Act’s requirement for “technical and organisational measures,” we implement:
- Access Controls: Role-based access, MFA, principle of least privilege, Row Level Security (RLS)
- Encryption: TLS 1.2+ in transit, AES-256 at rest across databases, cloud hosting, and communications
- Infrastructure: SOC 2 Type II-compliant cloud platforms, regular patching, network segmentation, intrusion detection
- Authentication: bcrypt/argon2 password hashing, short-lived session tokens, API key rotation
- Incident Response: Documented breach response plan (Section 19), OAIC and GDPR notification procedures
- Personnel: Privacy training, confidentiality agreements, access revocation on departure
- Vendor Due Diligence: Security assessment, DPA execution, ongoing subprocessor monitoring
- Backup & Recovery: Encrypted backups, geographic redundancy, tested disaster recovery
- Logging: Audit logging of personal information access, anomaly detection, periodic review
Data Retention
- Trading Records: 7 years minimum (tax law, Corporations Act)
- Platform Accounts: Duration of registration + up to 2 years
- Communication Records: 7 years (trading-related correspondence)
- Marketing Data: Until opt-out, then suppressed (not deleted)
- Credit Information: Per Part IIIA Privacy Act and Credit Reporting Privacy Code
- inhause AI Logs: Identifiable logs retained 12 months, then de-identified or deleted. Aggregated data may be retained indefinitely for analytics.
Upon expiry, personal information is securely destroyed or de-identified per APP 11.2 and GDPR Article 17.
Cookies and Tracking Technologies
Our platforms use cookies and similar technologies. Our full Cookie Policy is in Schedule 1. In summary:
- Strictly Necessary: Authentication, session management, security. Cannot be disabled.
- Functional: Watchlist preferences, display settings, language.
- Analytics: Platform usage and performance analysis.
- Marketing: Campaign tracking and conversion measurement (consent required).
Manage preferences via browser settings, our cookie consent banner, or by contacting info@inhause.com.au.
Your Rights
15.1 Australian Law (APPs)
- Access (APP 12): Request access to your personal information
- Correction (APP 13): Request correction of inaccurate or misleading information
- Complaint: Lodge a complaint (Section 18)
- Marketing Opt-out (APP 7): Opt out of direct marketing at any time
- Automated Decision Transparency: From 11 December 2026, request information about automated decisions affecting your rights (Section 10.4)
15.2 GDPR / UK GDPR
- Erasure (Art. 17): Right to be forgotten
- Restriction (Art. 18): Restrict processing in certain circumstances
- Portability (Art. 20): Receive data in machine-readable format (JSON/CSV)
- Objection (Art. 21): Object to legitimate interest or marketing processing
- Withdraw Consent (Art. 7): Withdraw at any time
- Automated Decisions (Art. 22): Right not to be subject to solely automated decisions
- Supervisory Authority: Lodge a complaint with your local authority
15.3 Other Jurisdictions
- New Zealand: IPPs 6 and 7 under the Privacy Act 2020 (NZ)
- Singapore: Access, correction, and consent withdrawal under the PDPA
- Japan: Disclosure, correction, and cessation of use under the APPI
How to Exercise Your Rights
Contact us at info@inhause.com.au or by post to: Privacy Officer, MM Digital Ventures Pty Ltd trading as inhause, [Registered Address].
We will acknowledge receipt within 5 business days and respond substantively within 30 calendar days. We may verify your identity before processing. We will provide written reasons for any refusal.
Direct Marketing
17.1 Types of Communications
- Transactional: Order confirmations, shipping notices, invoices, COA notifications, pricing confirmations. These are not “commercial electronic messages” under the Spam Act 2003 and do not require consent or unsubscribe.
- Commercial Electronic Messages: Product availability alerts, market intelligence updates, pricing reports, campaign outreach. Sent only with consent (express or inferred), with sender identification, and with a functional unsubscribe mechanism.
17.2 Opt-Out
- Click the unsubscribe link in any marketing communication
- Email info@inhause.com.au with subject “Unsubscribe”
- Reply “STOP” to any WhatsApp or SMS marketing message
Opt-out requests are processed within 5 business days. Transactional communications are not affected.
17.3 Do Not Call Register
We comply with the Do Not Call Register Act 2006 (Cth) and will not make unsolicited telemarketing calls to registered numbers unless an exemption applies.
Complaints
Contact our Privacy Officer at info@inhause.com.au. We will acknowledge within 5 business days, investigate fairly, and respond within 30 calendar days.
If unsatisfied, escalate to:
- Australia: OAIC — oaic.gov.au — 1300 363 992
- EU: Your relevant supervisory authority
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
- New Zealand: Office of the Privacy Commissioner — privacy.org.nz
- Singapore: PDPC — pdpc.gov.sg
- Japan: Personal Information Protection Commission (PPC)
You also have the right to pursue a claim under the statutory tort (Section 11) independently.
Notifiable Data Breaches
Under Part IIIC of the Privacy Act, we will:
- Assess suspected breaches within 30 days
- Contain breaches immediately: isolate systems, revoke credentials, preserve evidence
- Notify the OAIC and affected individuals as soon as practicable
- Under GDPR, notify supervisory authorities within 72 hours (Art. 33) and data subjects without undue delay where high risk (Art. 34)
- Conduct post-incident reviews and maintain a register of all breaches
Third-Party Websites and Services
Our platforms may contain links to third-party services not operated by inhause. We are not responsible for their privacy practices. Review their policies before providing personal information.
Children’s Privacy
inhause’s services are directed exclusively to businesses and professionals. We do not knowingly collect personal information from children under 18. If we discover such collection, we will promptly delete it.
We note the OAIC’s Children’s Online Privacy Code under development (registration by 10 December 2026). While our services are not directed at children, we will monitor the Code and assess its applicability.
Anonymity and Pseudonymity
Under APP 2, you may choose not to identify yourself or use a pseudonym. However, given our B2B trading operations and AML/CTF obligations, anonymous or pseudonymous transactions are generally not practicable.
Records of Processing Activities (ROPA)
Per GDPR Article 30 and best practice under the APPs, inhause maintains a ROPA documenting all processing categories. The framework is in Schedule 3. It is reviewed annually and available to regulators upon request.
Changes to This Policy
We may update this Policy to reflect changes in our business, legal obligations, or industry practices. Material changes will be notified by email or platform notice. We will specifically update for: the Children’s Online Privacy Code (December 2026), automated decision transparency obligations (December 2026), simplified international transfer regulations, and any “tranche 2” Privacy Act reforms.
Governing Law
This Policy is governed by the laws of the Commonwealth of Australia and the State of Victoria. Disputes are subject to the exclusive jurisdiction of the courts of Victoria, without prejudice to your right to lodge complaints with supervisory authorities or pursue claims under the statutory tort in any competent court.
Contact Us
Privacy Officer
MM Digital Ventures Pty Ltd trading as inhause
Email: info@inhause.com.au
Phone: +61 417 023 356
Post: [Registered Business Address, Australia]
Schedule 1 — Cookie Policy
S1.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. “Similar technologies” includes web beacons, pixel tags, local storage (HTML5), and session storage.
S1.2 Cookie Categories
| Category | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly Necessary | Authentication, CSRF protection, session management, load balancing, security | Session – 1 year | Legitimate interest |
| Functional | Watchlist preferences, display mode, language, saved search filters | 1 year | Consent |
| Analytics | Page views, session duration, navigation paths, feature usage, error tracking | Up to 2 years | Consent |
| Marketing | Campaign tracking, referral source, conversion measurement | Up to 2 years | Consent |
S1.3 Third-Party Cookies
Our platforms may use third-party cookies from analytics and infrastructure providers. A complete list is available upon request.
S1.4 Managing Preferences
- Cookie Consent Banner: Accept or reject non-essential cookies on first visit; change preferences via the footer link
- Browser Settings: Block or delete cookies via your browser’s help documentation
- Device Settings: Mobile devices offer cookie management in their settings
Disabling strictly necessary cookies will prevent use of authenticated features.
S1.5 Do Not Track
As there is no industry consensus on DNT signals, our platform does not currently respond to them. We will update this section if a uniform standard is adopted.
Schedule 2 — Data Processing Addendum Framework
Each subprocessor processing personal information on inhause’s behalf is required to execute a DPA including:
S2.1 Mandatory DPA Provisions
- Subject Matter & Duration: Nature, purpose, types of data, categories of data subjects, and processing duration
- Processing Instructions: Process only on documented instructions from inhause, unless required by law
- Confidentiality: All authorised personnel bound by confidentiality obligations
- Security Measures: Technical and organisational measures appropriate to the risk, including encryption and access controls
- Sub-processing: No sub-subprocessor without prior written authorisation; notice of additions/replacements with right to object
- Data Subject Rights: Assist inhause with access, correction, erasure, and portability requests
- Breach Notification: Notify inhause within 24 hours of becoming aware of a breach
- Audit Rights: Provide all information necessary for compliance demonstration; allow audits and inspections
- Deletion & Return: Delete or return all personal information upon termination
- International Transfers: Ensure SCCs, adequacy decisions, or equivalent safeguards for transfers outside Australia/EEA
- AI-Specific: Expressly prohibit use of inhause’s data to train subprocessor’s general-purpose models; process only for the contracted service
S2.2 Current Subprocessors
Available upon request at info@inhause.com.au. Material changes will be notified to affected counterparties.
S2.3 GDPR Compliance
DPAs with GDPR-subject subprocessors comply with Article 28 and incorporate the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) where applicable.
Schedule 3 — Records of Processing Activities Framework
Per GDPR Article 30, inhause documents each processing activity using the following framework:
| Field | Description |
|---|---|
| Processing Activity | Description (e.g. “Commodity trade execution,” “inhause AI query processing,” “Credit assessment”) |
| Purpose(s) | Specific purpose(s) for which personal information is processed |
| Lawful Basis | GDPR Article 6 lawful basis (where applicable) |
| Data Subjects | Categories (e.g. buyer contacts, supplier contacts, logistics personnel) |
| Personal Data | Categories (e.g. name, email, transaction data, credit data) |
| Recipients | Categories of third parties receiving disclosed data |
| Int’l Transfers | Transfer details and safeguards in place |
| Retention Period | Period or criteria for determining retention |
| Security Measures | General description of technical and organisational measures |
| Automated Decisions | Whether processing involves automated decision-making; logic involved |
The ROPA is a living document, reviewed at least annually and available to regulators upon request.