Introduction
Nathan Schram Digital ("we", "us", "our") is an independent digital consultancy based in Melbourne, Australia, operated by Nathan Schram as a sole trader. We help Australian small and medium businesses — and occasionally international clients — with web design and development, SEO and AI search, Google, Meta, and LinkedIn advertising, and digital strategy.
We take privacy seriously. This policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to visitors to nathanschram.com, people who book an introductory call with us, and businesses who engage us as a consultant.
We've written this in plain English rather than legalese, because you deserve to understand how your data is handled without a law degree.
Our approach in a nutshell
- We collect the minimum information needed to do our job well.
- We don't sell your data, ever.
- We don't use tracking cookies or behavioural advertising on our own website.
- When we handle data on behalf of a client, that data stays with the client — we're the processor, not the owner.
- We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and we aim to meet the spirit of the EU General Data Protection Regulation (GDPR) for visitors and clients based in Europe or the United Kingdom.
Who this policy covers
- Site visitors — anyone browsing nathanschram.com.
- Prospects — people who book an introductory call, fill in a contact form, or email us.
- Clients — businesses who engage us for consulting work.
- Client end-users — visitors to our clients' own websites, whose data we may process on our clients' behalf.
What information we collect
From site visitors
When you visit nathanschram.com, we collect very little. We use Plausible Analytics, a privacy-friendly, cookieless analytics tool hosted in the European Union. Plausible records aggregate, anonymous data such as:
- Page views and unique visitor counts (calculated daily with a rotating hash, not a persistent identifier).
- Referral sources (for example, whether you arrived from Google, LinkedIn, or a direct link).
- General country-level location, device type, and browser.
- Top pages and entry/exit paths.
Plausible does not use cookies, does not track you across websites or devices, and does not collect personal data. No consent banner is required for this kind of analytics under EU, UK, or Australian law.
We also do not run Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or any other third-party advertising or tracking scripts on our own website.
From people who contact us or book a call
If you book a 45-minute introductory call or send us an enquiry, we collect:
- Your name.
- Your email address.
- Your business name and website (if you share them).
- Any message or context you provide.
- The date, time, and time zone of your appointment.
Appointment bookings are handled by Cal.com, a third-party scheduling platform. When you book, Cal.com may also collect technical data such as your IP address, device and browser information, and cookies they set on their own booking pages. Cal.com operates from the United States — see "International data transfers" below.
If you email us directly at hello@nathanschram.com, the email and its contents are stored in our email provider's systems.
Contact form submissions
When you fill in the contact form on /contact, your details are processed as follows:
- What we collect — the name, email address, message, and any optional phone number or company name you provide. The form is protected by Cloudflare Turnstile, which performs a privacy-preserving bot check. Turnstile collects limited technical signals (your IP address, user-agent, and a short-lived challenge token) to distinguish humans from bots — it does not set tracking cookies or build a behavioural profile.
- Where it goes — submissions are received by a lightweight Cloudflare Worker that stores them in Twenty CRM (an EU-hosted customer relationship management tool) under Nathan's account, so your enquiry can be tracked and responded to.
- Email notifications — two emails are then sent via Resend (a US-hosted transactional email provider that is GDPR-conformant): an admin notification to hello@nathanschram.com, and an auto-reply confirming receipt to the email address you provided (sent from hello@mail.nathanschram.com).
- How long we keep it — contact form submissions stay in Twenty CRM for up to 12 months if the enquiry doesn't proceed to engagement, or until you ask us to delete them (email privacy@nathanschram.com), whichever comes first. If we start working together, retention shifts to the standard client engagement record policy below.
- Lawful basis (GDPR) — legitimate interests under Article 6(1)(f) (responding to your direct enquiry) and, where applicable, pre-contractual steps taken at your request under Article 6(1)(b).
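As an added illustration, not the Worker that actually runs on nathanschram.com (that code is not published here), the handler below shows the order of operations the points above describe: the Turnstile token is verified server-side against Cloudflare's siteverify endpoint before anything is written to the CRM or handed to the email provider. The widget on the page proves nothing on its own, because a bot can POST straight to the Worker, so the server-side check is what makes the bot protection hold. The CRM write and the Resend calls are injected callbacks and the field length limits are assumptions; the siteverify URL, the 2048-character token cap and the cf-turnstile-response field name are Cloudflare's documented defaults.

```javascript
// Added example: a Cloudflare-Worker-style contact form handler. Not the site's own
// Worker. CRM and email side effects are injected callbacks (assumed for illustration).
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const TOKEN_FIELD = "cf-turnstile-response"; // hidden field the Turnstile widget fills in
const LIMITS = { name: 200, email: 254, message: 5000, phone: 40, company: 200 }; // assumed caps

// Server-side Turnstile verification. `fetchImpl` is injectable so the check can be
// exercised offline; in the Worker it is the global fetch.
async function verifyTurnstile(token, remoteIp, secret, fetchImpl = fetch, expectedHostname = null) {
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp); // optional, lets Cloudflare bind the token to the IP
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) return { ok: false, reason: "siteverify-http-" + res.status };
  const data = await res.json();
  if (data.success !== true) {
    return { ok: false, reason: (data["error-codes"] || ["unknown-error"]).join(",") };
  }
  // siteverify echoes the hostname the challenge was solved on. Rejecting a mismatch
  // stops a token minted on another site that shares the key from being replayed here.
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  return { ok: true };
}

// Keep only the fields the policy says are collected, with length caps, so the CRM
// record and the notification email contain nothing beyond what the visitor typed.
function parseSubmission(fields) {
  const out = {};
  const errors = [];
  for (const [key, max] of Object.entries(LIMITS)) {
    const raw = typeof fields[key] === "string" ? fields[key].trim() : "";
    if (raw.length > max) errors.push(key + "-too-long");
    out[key] = raw.slice(0, max);
  }
  if (!out.name) errors.push("name-required");
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(out.email)) errors.push("email-invalid");
  if (!out.message) errors.push("message-required");
  return { fields: out, errors };
}

// The flow in order: bot check, validation, CRM write, admin notification, auto-reply.
// Nothing is stored or sent unless the Turnstile check passes.
async function handleSubmission(fields, ctx) {
  const check = await verifyTurnstile(fields[TOKEN_FIELD], ctx.ip, ctx.secret, ctx.fetchImpl, ctx.hostname);
  if (!check.ok) return { status: 403, error: "turnstile: " + check.reason };
  const parsed = parseSubmission(fields);
  if (parsed.errors.length) return { status: 400, error: parsed.errors.join(",") };
  const recordId = await ctx.storeInCrm(parsed.fields);
  await ctx.sendEmail({
    to: "hello@nathanschram.com",
    from: "hello@mail.nathanschram.com",
    subject: "New enquiry from " + parsed.fields.name,
    text: parsed.fields.message,
  });
  await ctx.sendEmail({
    to: parsed.fields.email,
    from: "hello@mail.nathanschram.com",
    subject: "We received your enquiry",
    text: "Thanks, " + parsed.fields.name + ". We'll be in touch shortly.",
  });
  return { status: 200, recordId };
}
```

In the Worker's fetch handler the fields come from Object.fromEntries(await request.formData()), the visitor IP from the CF-Connecting-IP request header, and the secret from an environment binding rather than source code, in line with the credentials practice described under "Data security" below. The 403 on a failed check is returned before any CRM or email call, which is the property worth checking in a review.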
From clients
When we're engaged for a consulting project, we collect information reasonably needed to deliver the work, which may include:
- Your name, business name, ABN, role, email address, and phone number.
- Billing and payment information (account name, BSB and account number, or equivalent for international clients). We do not store card numbers.
- Access credentials or authorised access to your marketing platforms (Google Ads, GA4, GSC, GTM, GBP, Meta, LinkedIn Marketing Solutions, Plausible) — usually via partner access, OAuth, or by being added to your accounts as a user, not by you sharing passwords.
- Context about your business, customers, competitors, and goals that you choose to share during engagements.
- Our correspondence, meeting notes, contracts, invoices, and work product.
We only ask for what we need. If something isn't relevant to the work, we don't collect it.
From client end-users
Where we've been engaged to build, manage, or report on a client's website or advertising, we may process personal information belonging to the client's own users or customers — for example, visitor analytics, ad audience data, or conversion events. In those cases, our client is the data controller and we act as a data processor on their behalf. See "Processing data on behalf of clients" below.
How we use your information
We use the information we collect for the following purposes:
- To respond to enquiries — replying to emails, preparing for intro calls, and sending a complimentary digital health check.
- To deliver services — running projects, configuring platforms, analysing campaigns, producing reports, and invoicing.
- To improve our website — understanding which articles are read and where visitors come from (using Plausible's aggregate data only).
- To keep records — fulfilling tax, accounting, and legal obligations under Australian law.
- To communicate about our services — following up on calls, sending project updates, or occasionally letting past clients know about relevant changes. We don't run marketing newsletters or automated drip sequences.
- To comply with the law — responding to lawful requests and meeting our regulatory obligations.
For visitors located in the EU, UK, or other GDPR jurisdictions, our legal bases for processing under GDPR Article 6 are:
- Contract — where processing is necessary to provide a service you've asked for (e.g. an intro call booking, a consulting engagement).
- Legitimate interests — for basic website analytics, responding to enquiries, and running a professional services business in a proportionate way.
- Legal obligation — for tax and record-keeping requirements.
- Consent — in the rare cases we ask for it explicitly.
Cookies and tracking
nathanschram.com itself does not use tracking cookies. Plausible Analytics is cookieless by design.
Some third-party pages embedded or linked from our site — notably Cal.com appointment pages — do set their own cookies on their own domains. Those cookies are governed by Cal.com's privacy policy, not ours. We have no control over them beyond choosing to use Cal.com as a scheduling provider.
If we ever add a feature that requires cookies or tracking (we have no current plans to), we'll update this policy and, where required, ask for your consent first.
Third-party services and data processors
We use a small, considered set of third-party services. Each one is named below with what it's used for and what data it may receive or store.
Services used to run nathanschram.com
- Plausible Analytics — cookieless, EU-hosted website analytics. Aggregate, anonymous data only. Privacy policy.
- Cal.com — appointment scheduling for intro calls. Receives your name, email, booking details, and technical data (IP address, browser). US-based. Privacy policy.
- Cloudflare (site delivery, Worker, Turnstile) — serves this site via Cloudflare Pages, hosts the Cloudflare Worker that receives contact form submissions, and provides the Turnstile bot-check widget that protects the contact form. Cloudflare may log request metadata (IP address, user-agent, timestamps) in the course of delivering these services. Global infrastructure with regional processing. Privacy policy.
- Twenty CRM — customer relationship management tool used to store contact form submissions and track enquiries. Receives the name, email, optional phone/company, and message you submit via the contact form. EU-hosted. Privacy policy.
- Resend — transactional email provider used to send admin notifications and auto-reply confirmations for contact form submissions. Receives the email addresses and content of those messages. US-hosted, GDPR-conformant. Privacy policy.
- Hetzner Online GmbH — our website and internal systems are hosted on a server in Hetzner's Falkenstein, Germany data centre. Hetzner may process standard web server data (IP addresses, request paths, timestamps) in server logs as part of delivering the site. Privacy policy.
- Google Workspace (Google LLC) — email, calendar, and document storage behind our business address (hello@nathanschram.com). If you email us or we correspond with you, Google Workspace stores and processes the email content and metadata (including IP addresses and device information) to deliver, store, and secure the messages. Data is processed across Google's global infrastructure, primarily in the United States. Privacy policy.
- DNS and accounting providers — reputable third-party providers handle our DNS and invoicing/accounting. These providers may process your information in the course of resolving domain names or producing tax-compliant records.
Internal infrastructure providers
- Hetzner Online GmbH (Falkenstein, Germany) — primary hosting for our analytics warehouse and internal systems. Same provider referenced in "Services used to run nathanschram.com" above; surfaced separately here because the analytics warehouse is logically distinct from the website. Privacy policy.
- Bitwarden Secrets Manager (operated by Bitwarden Inc.; US-hosted, vault.bitwarden.com) — credential vault for API keys, OAuth tokens, and other secrets. See §Data security for full detail. Privacy policy.
- Amazon Web Services (Amazon S3, AWS Ireland region; AWS EMEA SARL is the EU-area entity) — encrypted backups of the analytics warehouse only. We do not run application workloads on AWS. Privacy policy.
Platforms we access on behalf of clients
When engaged by a client, we may access and process their data through the following authorised API connections. We only access a client's accounts once they've granted us access, and we use that access solely for work the client has engaged us to do.
- Google Ads API — campaign, ad group, keyword, audience, and conversion data, accessed via a Google Ads Manager (MCC) link authorised by the client.
- Google Analytics 4 (GA4) — website analytics data, accessed via property-level user access granted by the client.
- Google Search Console (GSC) — search performance data, accessed via site-level user access granted by the client.
- Google Tag Manager (GTM) — tag and trigger configuration data, accessed via container user access granted by the client.
- Google Business Profile (GBP) — local listing, posts, and reviews data, accessed via management access granted by the client.
- Meta Marketing API, Facebook Graph API, and Instagram Graph API — campaign, ad set, ad, and ad insights data across Facebook and Instagram, together with Facebook Page organic post insights, Instagram Business account organic insights, and aggregate Meta Pixel / Dataset event data. Access is granted by the client's Meta Business Portfolio adding Nathan Schram Digital's Business Portfolio as a partner on specific assets (Facebook Page, Instagram Business account, Ad Account, Pixel/Dataset). No passwords are shared. Inside our own Business Portfolio, a dedicated "System User" issues the non-expiring access token used to query these APIs — the token is held by our business, not by any individual, and stored in our secrets manager. A client can revoke partner access at any time from their own Business Portfolio settings, which immediately cuts off our access to that client's assets without affecting any other client. We request the minimum permissions required for reporting (typically ads_read, business_management, pages_read_engagement, read_insights, instagram_basic, instagram_manage_insights); we only request ads_management where the engagement explicitly covers campaign management. Meta privacy policy. The contractual scope of this access — authorisation, revocation, our obligations, and the limits we operate under — is set out in our Terms of Service.
- LinkedIn Marketing Solutions (Campaign Manager, Marketing Developer Platform, Pages API, Conversions API, Lead Gen Forms) — campaign, creative, audience, and conversion data from client LinkedIn Ad Accounts, together with LinkedIn Company Page organic analytics. Access is granted by the client assigning Nathan Schram Digital an appropriate role on their LinkedIn Ad Account (Viewer, Campaign Manager, or Account Manager, depending on the scope of the engagement) and, where relevant, on their LinkedIn Company Page. Our LinkedIn developer application authenticates against these authorised accounts via OAuth 2.0 using tokens that we rotate and store in our secrets manager. Where the engagement includes Lead Gen Forms, submissions may contain personal data (name, email address, job title, company) that individuals have entered into a LinkedIn form. That data is owned and controlled by the client (the advertiser), and we handle it under the same processor terms as any other client data — see "Processing data on behalf of clients" below. The client can revoke our role at any time from Campaign Manager. LinkedIn privacy policy.
- Plausible Analytics — cookieless site analytics, accessed via site-level user access granted by the client (and used on our own website, as described above).
Each of these platforms has its own privacy policy and terms of service that govern how the platform provider handles data. We encourage you to review them.
Internal tools
We use internal analytics and reporting systems that we operate ourselves to consolidate client data for analysis and reporting. These systems run on infrastructure under our direct control, are access-restricted, and use encrypted storage and credential management. No third parties have access to these systems beyond the hosting and infrastructure providers described elsewhere in this policy.
What we don't use on our own site
On nathanschram.com we don't use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Hotjar, FullStory, or any session-replay tool. Our only analytics tool is cookieless Plausible. We may deploy tracking or measurement tags (such as Meta Pixel, LinkedIn Insight Tag, Google Ads conversion tags, or GA4) on a client's own website when that client has engaged us to, and in accordance with that client's own privacy policy and consent arrangements — but never on our own. We don't sell, rent, or trade personal information to anyone.
Processing data on behalf of clients
A meaningful part of our work involves handling data that belongs to our clients or their end-users. In those situations:
- The client is the data controller — they determine what data is collected and why.
- We are the data processor — we process that data only on the client's documented instructions and for the purposes of the engagement.
We don't use client data for our own marketing, don't combine data across clients, and don't onward-transfer client data to anyone outside the processors listed in this policy without the client's instruction or permission. Where an engagement involves handling individually-identifying data submitted through advertising features — for example, LinkedIn Lead Gen Form responses or Meta Lead Ads — we process those records solely for the client's reporting and CRM integration purposes, never for our own marketing, and we apply the same retention and security controls described elsewhere in this policy.
Where required by law or good practice, we'll enter into a data processing agreement (DPA) with the client covering confidentiality, security, sub-processing, breach notification, and return or deletion of data at the end of the engagement. If you're a client or prospective client and you'd like a DPA in place, get in touch and we'll provide one.
Our Terms of Service sets out the broader contractual framework that sits alongside any DPA — covering authorisation, scope of access, intellectual property, termination, and the platform-provider terms (Meta, Google, LinkedIn, etc.) we operate under.
When an engagement ends, we return or securely delete client data we hold, except where we're required to retain it for legal or accounting reasons (see "Data retention" below).
Data retention
We keep personal information only for as long as we reasonably need it.
- Plausible analytics data — aggregate-only, with no personal identifiers; retained indefinitely in aggregate form.
- Website enquiries and intro call bookings that don't proceed to engagement — up to 12 months, then deleted. Contact form submissions stored in Twenty CRM follow the same 12-month rule unless you ask us to delete them sooner.
- Client engagement records — for the duration of the engagement and then for up to 7 years afterwards, to meet Australian Taxation Office record-keeping obligations and to handle any professional, legal, or tax matters that may arise.
- Invoices and financial records — a minimum of 5 years under Australian tax law; typically kept for 7 years.
- Correspondence (email) — retained as long as reasonably useful, generally in line with the engagement record period above.
- Client platform data accessed via API — our access ceases when the client revokes it or the engagement ends; cached or exported copies held by us are deleted or anonymised within 24 months of receipt or 90 days after engagement end, whichever is sooner, unless the client has explicitly asked us to retain them.
If you'd like your personal information deleted earlier, see our data deletion instructions — we'll action your request unless we're required to keep the information by law.
Data security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, as required by APP 11. Our practical measures include:
- Encrypted storage — personal information is stored on systems with encryption at rest and in transit (TLS/HTTPS).
- Access controls — access to client data is limited to Nathan Schram personally. We do not have employees or subcontractors with routine access to client systems.
- Credentials management — API keys, OAuth tokens, and passwords are stored in Bitwarden Secrets Manager (operated by Bitwarden Inc.; US-hosted), not in plain-text files, email, or code repositories. Credentials are rotated if compromise is suspected. Full sub-processor entry in §Third-party services and data processors above.
- Principle of least privilege — we request the minimum access level needed on client platforms (for example, "read-only" rather than "admin" where possible).
- Device security — work devices are encrypted, password-protected, and kept up to date with security patches.
- Backups — encrypted backups of our analytics warehouse are stored with Amazon Web Services (Amazon S3 in the AWS Ireland region; AWS EMEA SARL is the EU-area entity). Full sub-processor entry in §Third-party services and data processors above.
- Incident response — if we become aware of a data breach affecting personal information, we'll assess it promptly and, if required under the Notifiable Data Breaches scheme or GDPR, notify the OAIC, relevant supervisory authorities, and affected individuals.
- Vulnerability disclosure — security researchers can report vulnerabilities affecting nathanschram.com or any service we operate to security@nathanschram.com. We acknowledge reports within 5 business days and coordinate disclosure. Our published disclosure policy lives at /.well-known/security.txt per RFC 9116.
No system is perfect, and we can't guarantee absolute security. What we can guarantee is that we take the obligation seriously and that we act quickly if something goes wrong.
International data transfers
We're based in Australia, but some of the services we use operate from outside Australia. This means personal information may be transferred to, stored in, or processed in jurisdictions including:
- European Union — our website and internal systems are hosted with Hetzner Online GmbH in Germany; Plausible Analytics is EU-hosted; and Twenty CRM (where contact form submissions are stored) is also EU-hosted. Data handled by these providers stays within the European Economic Area, which is covered by GDPR protections.
- United States — Cal.com, Resend (transactional email for contact form replies), and Google Workspace all operate from the US. Google Workspace processes our email across Google's global infrastructure (primarily US-based).
- Global (Cloudflare) — Cloudflare (site delivery, the contact form Worker, and the Turnstile bot-check widget) operates a global edge network. Request metadata is processed at the edge location nearest to the visitor.
- Other jurisdictions — where reputable SaaS providers operate, we rely on their published privacy commitments and appropriate contractual safeguards.
Before transferring personal information overseas, we take reasonable steps to ensure the overseas recipient handles the information in a way consistent with the Australian Privacy Principles, as required by APP 8. In practice, this means we prefer providers that publish strong privacy commitments, offer appropriate contractual protections (such as Standard Contractual Clauses for EU data), and maintain recognised security certifications.
For data subjects in the EU or UK, transfers outside the European Economic Area rely on appropriate safeguards under GDPR Chapter V, typically Standard Contractual Clauses with the recipient or, where one applies to the recipient, an adequacy decision.
Your rights
If you're in Australia
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you (APP 12).
- Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
- Know how your information is collected, used, and disclosed (APPs 1 and 5).
- Opt out of direct marketing (though we don't run marketing campaigns by default).
- Complain if you think we've mishandled your information (see "Complaints" below).
If you're in the EU, UK, or another GDPR jurisdiction
Under GDPR (and the UK GDPR), you additionally have the right to:
- Rectification — have inaccurate data corrected.
- Erasure ("right to be forgotten") — have personal data deleted, subject to legal retention requirements. See our data deletion instructions for how to request and what to expect.
- Restriction — limit how we process your data in certain circumstances.
- Data portability — receive a copy of data you've provided to us in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority (for example, the ICO in the UK or your national data protection authority in the EU).
How to exercise your rights
Email privacy@nathanschram.com with your request. We'll respond within 30 days, or sooner if reasonably practicable. We may need to verify your identity before releasing information. There's no fee for making a request, although we may charge a reasonable cost-recovery fee for repeated or unusually large requests, which we'll agree with you first.
If your request relates to data that a client controls (for example, visitor analytics on a client's website), we'll forward your request to the relevant client and let you know. In those cases, the client is the data controller and is responsible for responding.
Children's privacy
Our services are aimed at businesses, not individuals, and certainly not children. We don't knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please email us and we'll delete it.
From December 2026, the Australian Children's Online Privacy Code introduces additional protections for children's data. Although our services aren't directed at children, we'll align with the Code's principles where relevant.
Changes to this policy
We may update this policy from time to time — for example, when we add or remove a service, when the law changes, or when we improve our practices. When we do:
- We'll update the "Last updated" date at the top.
- For significant changes, we'll take reasonable steps to notify affected people (for example, current clients) by email or via a prominent notice on the website.
- Older versions are available on request.
Your continued use of our website or services after a change takes effect means you accept the updated policy.
Independent of any specific change, we re-verify this Privacy Policy at least once every 90 days against current third-party-processor documentation, our data-handling practices, and applicable Privacy Act / GDPR guidance. The Last updated date at the top of this page reflects the most recent verification.
Contact and complaints
General questions and requests
For any privacy question, access or correction request, or to exercise a data subject right:
- Email: privacy@nathanschram.com
- Post: Nathan Schram Digital, PO Box 5, Abbotsford VIC 3067, Australia
We aim to acknowledge requests within 5 business days and resolve them within 30 days.
Complaints
If you believe we've breached the Australian Privacy Principles, the Privacy Act, GDPR, or this policy:
- Tell us first. Email privacy@nathanschram.com with the subject line "Privacy complaint". Describe what happened and what you'd like us to do. We'll investigate and respond within 30 days.
- If you're not satisfied with our response, you can escalate.
Escalation — Australian residents
You can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
Escalation — EU residents
You can lodge a complaint with your local data protection supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.
Escalation — UK residents
You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
This policy reflects our genuine practices, not boilerplate. Our Terms of Service governs the contractual relationship; this policy is the data-handling counterpart. If anything here is unclear, or if you'd like us to explain how a particular section applies to you or your business, please get in touch — we're happy to walk through it.