Privacy Policy
Introduction
This privacy policy explains how LochStudios collects, uses, stores, and shares personal information about clients and end-users of the LochStudios Panel and associated services.
Information we collect
We collect: account identifiers (email address, name, phone number, billing address, ABN); authentication metadata (password hash, TOTP secret, recovery codes, recent login devices and IPs); service usage (hosting accounts, domain names, SSL certificates, Microsoft 365 subscriptions, generic services and their statuses); communications (SMS message bodies and statuses, transactional email logs, opt-out preferences, support notes); audit data (every administrative action with actor, target, before/after snapshots, IP, user agent); cookie consent state and timestamp; and visitor IP intelligence (geolocation, ASN, VPN/proxy/Tor classification) attached to logged-in requests.
How we use this information
We use this information to authenticate users; to provision and manage services; to communicate operationally (account security, billing, service status); to detect and prevent abuse (rate limiting, anti-bot, fraud signals); to meet Australian tax and consumer-law retention requirements; and to operate the system (backups, error tracking, audit trails).
Legal basis (GDPR Art. 6)
Performance of a contract for service provision and billing; legitimate interest for security, fraud prevention, and operational logging; legal obligation for tax records (7-year retention under AU tax law) and audit retention; consent for any marketing communications (which is opt-in and revocable at any time via your account preferences).
Third parties we share data with
See the data processors register below. We do not sell personal information.
Retention
Active client records are retained for the duration of the relationship. Closed client records are retained for the longer of: (a) 7 years for tax records (AU); or (b) any active legal hold. Audit logs are retained indefinitely, with PII fields cleared once an account is anonymised. Health logs are pruned at 90 days. SMS message bodies are pruned at 365 days. Backups are retained indefinitely on encrypted archive storage. Subject access requests are retained for 30 days after download availability begins.
Your rights
You may: request a copy of all personal data we hold about you (subject access request); request anonymisation of your records once all active services are closed (right to erasure); withdraw consent for marketing communications at any time; update your contact information; and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data-protection authority.
Cookies
We use strictly-necessary cookies to keep you signed in (lochsid session cookie), to remember devices that have completed 2FA (remember-device cookie), and to remember that you have acknowledged this policy (cookie_ack cookie). We do not use analytics, advertising, or tracking cookies. When this policy is updated, the version number changes and you are re-prompted to acknowledge.
Security
All traffic is transported over HTTPS with HSTS preloading. Passwords are stored as Argon2id hashes. TOTP secrets are encrypted at rest. SSL private keys submitted via the Panel are encrypted with the application key and never logged in plaintext. Database backups are encrypted off-site with public-key (age X25519) encryption; the decryption private key is stored off-server in cold storage.
Contact
For privacy matters, write to privacy@lochstudios.com.
Data processors
| Name | Purpose | Data shared | Jurisdiction | Website | DPA URL |
|---|---|---|---|---|---|
| Synergy Wholesale Pty Ltd | Domain registration, hosting, SSL certificates, Microsoft 365 provisioning | name, email, phone, address, domain_name | Australia | https://www.synergywholesale.com | — |
| Cellcast Pty Ltd | SMS delivery | phone, message_body | Australia | https://cellcast.com.au | — |
| ExchangeRate-API | Currency conversion rates (anonymous queries — no PII) | | United Kingdom | https://exchangerate-api.com | — |
| Cloudflare, Inc. | Encrypted off-site backup storage (R2) | encrypted_database_dumps, encrypted_sar_exports | United States | https://cloudflare.com | — |
| ax.email | Transactional SMTP delivery + IMAP bounce mailbox (packages.lochstudios.com) | email_address, message_body | Australia | https://ax.email | — |
| IPLocate | IP geolocation + threat detection enrichment (visitor IP only) | ip_address | United States | https://iplocate.io | — |