Privacy Policy

Effective date: 7 May 2026
Last updated: 7 May 2026
Version: 1.0


1. About this Privacy Policy

This Privacy Policy explains how Ampl Software Pty Ltd (ABN 32 002 781 811) — referred to in this policy as "Ampl Software", "we", "us", or "our" — collects, holds, uses, and discloses personal information.

It applies to:

  • Visitors to our websites at ampl.au, theleadinghand.au, and any other site we operate.
  • Customers and users of The Leading Hand (the cloud workshop management platform we operate at app.theleadinghand.au), including workshop owners, staff, and end-customers whose details are processed in our customers' accounts.
  • People who contact us about our products or services.

We are bound by the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs), and where applicable by the New Zealand Privacy Act 2020 and the thirteen Information Privacy Principles (IPPs). This policy is written to comply with both.


2. Who we are

Ampl Software Pty Ltd is an independent Australian software company. We have been building software for the automotive industry since 1984.

Registered details:

  • Legal name: Ampl Software Pty Ltd
  • ABN: 32 002 781 811
  • Registered office: Suite 1031, 100 George Street, Parramatta NSW 2150, Australia
  • Privacy contact: privacy@theleadinghand.au

Our flagship product, The Leading Hand, is workshop management software used by mechanical workshops, service centres, and trades businesses across Australia. We also provide a desktop product currently in supported retirement until 31 October 2027.


3. What personal information we collect

The information we collect depends on how you interact with us. We collect only what we need to provide our services, communicate with you, and run our business.

3.1 Information you provide directly

  • When you visit our marketing sites: name, email address, phone number (optional), workshop name, and the contents of any message you send us through a contact or demo-booking form.
  • When you sign up for The Leading Hand: name, email address, phone number, business name, ABN, business address, billing details, and the username and password you choose.
  • When you use The Leading Hand as a workshop user: records you create about your customers, vehicles, jobs, parts, suppliers, invoices, and communications. This is your data; we are the processor on your behalf — see §6.4.
  • When you communicate with us: the contents of emails, support tickets, phone calls, and any information you choose to share when reporting a problem or asking a question.

3.2 Information we collect automatically

  • Marketing site analytics: if we add a third-party analytics provider, it will be a privacy-respecting service that does not track individuals across sites and does not use cookies for identification, and we will update this policy and §7 (sub-processors) before going live with it. We do not use Google Analytics.
  • Product telemetry: when you use The Leading Hand we record the IP address from which you connect, the browser and device type, and timestamps and identifiers for actions you take in the product. This is used to operate the service, prevent abuse, and produce audit trails on your account.
  • Cookies: see §12.

3.3 Information from third parties

  • Accounting integrations: when you connect your Xero, MYOB, QuickBooks Online, or Reckon account to The Leading Hand, we receive customer, contact, invoice, and chart-of-accounts data from those systems on your authorisation. You can disconnect at any time.
  • Single sign-on (in some cases): if you sign in with a third-party identity provider, that provider tells us your email address and basic profile details.
  • Payment processors: when you pay for a subscription, our payment processor confirms whether the payment succeeded and provides a non-sensitive token for future charges. We do not see, store, or process card numbers — see §3.4.

3.4 What we don't collect

  • We do not collect, see, or store full credit card numbers ("PANs"). All card payments are handled by our payment processor through their hosted-checkout interface; we receive only a payment token. This is the basis of our PCI DSS SAQ-A posture.
  • We do not collect biometric data, government identity numbers (other than ABNs / NZBNs you explicitly provide for invoicing), or sensitive information as defined under the Privacy Act unless you choose to provide it (e.g. in a free-text support message), in which case we treat it under the heightened standards of the APPs.
  • We do not collect information from people we know to be under 18 (see §14).

4. How we collect personal information

We collect personal information in the following ways:

  • Directly from you when you fill in a form, sign up for our products, contact us, or interact with our products.
  • Automatically through your interactions with our websites and products (see §3.2).
  • From third parties you authorise to share information with us (see §3.3).
  • From publicly available sources when verifying business information (e.g. ABN lookups against the Australian Business Register).

If we collect personal information about you from someone other than you, we will (where reasonable) take steps to make sure you are aware of the collection and the matters set out in APP 5 / IPP 3.


5. Why we collect personal information

We collect, hold, use, and disclose personal information for the following purposes:

  • To provide our products and services — sign-ups, account creation, billing, the workshop management functions of The Leading Hand, and any feature you use.
  • To communicate with you — replying to enquiries, sending product notifications (booking confirmations, invoice receipts, password resets, system alerts), responding to support tickets, and providing service updates.
  • To bill and collect payment — processing subscription charges, sending invoices, recovering unpaid amounts, and meeting tax-record obligations.
  • To operate and improve our services — diagnosing problems, monitoring performance, preventing fraud, training our team, and developing new features.
  • To meet legal and regulatory obligations — including tax, audit, anti-money-laundering, and any lawful request from a regulator or law-enforcement body in a jurisdiction in which we operate.
  • To send you marketing communications about our products where you have opted in or where the law otherwise allows it (see §13).

We will not use your personal information for a purpose other than the one for which it was collected unless you have consented, the secondary use is closely related and you would reasonably expect it, or another exception under the APPs / IPPs applies.


6. How we use and disclose personal information

6.1 Within Ampl Software

Personal information is accessible to Ampl Software staff and contractors only on a need-to-know basis. Staff are bound by confidentiality obligations and trained on their privacy responsibilities.

6.2 With your consent or at your direction

  • When you instruct us to (e.g. by connecting a third-party integration), we share information with the system you've nominated.
  • When you embed a quoted price, invoice, or service reminder in a customer-facing communication, the recipient sees that content.

6.3 With service providers and sub-processors

We use third-party service providers to operate our products. These providers process personal information on our behalf and under contract, are subject to confidentiality and security obligations, and may only use the information for the specific purpose we engage them for. The current list is in §7.

6.4 Workshop customers' data — our role

When you use The Leading Hand to manage your workshop, you (the workshop) decide what customer, vehicle, job, and communication records to create. Under privacy law these records are personal information that you control. We act as the data processor; you are the data controller. We will only process this data:

  • To provide the product features you use (e.g. send an SMS reminder you queued).
  • To store and back up your data as part of the service.
  • For technical operations, security monitoring, and abuse prevention.
  • As required by law or to defend legal claims.

We will not sell your data, mine it for our own marketing, share it with other tenants, or use it to train artificial intelligence models without your explicit consent.

6.5 To comply with the law

We may disclose personal information without your consent where required or permitted by law — for example, in response to a subpoena, court order, or lawful request from an Australian or New Zealand regulator or law-enforcement body.

6.6 In a business sale or restructure

If Ampl Software is sold, restructured, or merges with another entity, personal information may be transferred to the new entity. We will require the recipient to honour the commitments in this Privacy Policy.

6.7 We do not sell your personal information

Ampl Software does not sell personal information. We do not run paid advertising, we do not have a data-broker relationship with anyone, and we do not derive revenue from monetising customer data.


7. Service providers and sub-processors

We disclose personal information to the following sub-processors. The country listed is the primary location of data processing. All providers operate under contracts with confidentiality and security obligations.

| Service provider | Purpose | Country |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting (S3, RDS, Secrets Manager, CloudWatch) | Australia (Sydney region, ap-southeast-2) |
| Postmark | Transactional email delivery | United States |
| ClickSend | SMS delivery | Australia (with global telco routing) |
| Microsoft (Microsoft 365 / Graph) | Optional — when you connect your Microsoft 365 account to send email through your own server | Microsoft Cloud (region depends on customer) |
| Fat Zebra | Subscription payment processing for Ampl Software billing only — card numbers are entered directly into Fat Zebra's hosted page, not our systems | Australia |
| Xero, MYOB, Intuit (QuickBooks Online), Reckon | Optional accounting integrations — only when you authorise them | Xero / Intuit: New Zealand and United States. MYOB / Reckon: Australia |
| Hangfire (self-hosted) | Background job processing — runs inside our AWS environment | Australia |

We update this list when we add or replace a sub-processor. Material changes are signalled by an updated "Last updated" date at the top of this policy.

If you'd like a copy of the contract terms with any of these providers (commercial-in-confidence subject to redaction), email privacy@theleadinghand.au.


8. Cross-border data transfers

The primary storage location for The Leading Hand customer data is AWS Sydney (Australia). Some sub-processors listed in §7 operate from the United States, the European Union, or other jurisdictions.

When we disclose personal information to a recipient outside Australia or New Zealand, we take reasonable steps to ensure the recipient does not breach the APPs / IPPs in relation to that information, consistent with APP 8 and IPP 12. Steps include:

  • Choosing providers with established privacy and security frameworks (e.g. SOC 2, ISO 27001, GDPR-aligned commitments).
  • Putting written contracts in place that bind the provider to confidentiality, security, and use limitations.
  • Choosing data-residency options (e.g. AWS Sydney) where available.
  • Reviewing each provider's privacy posture before adding them to our stack.

You acknowledge that, despite these steps, foreign laws may differ from Australian and New Zealand privacy law. By using our services you consent to the cross-border transfers described in this section.


9. How we hold personal information (security)

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

Technical measures:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 (AWS-managed encryption).
  • Database access is limited to a small number of authorised production engineers and is logged.
  • We hold a rolling sequence of automated daily backups with periodic restore tests.
  • We separate tenants logically and (for higher-tier customers) physically — one tenant cannot read another tenant's data.
  • We monitor for intrusion attempts, unusual usage patterns, and known vulnerabilities. We patch promptly when fixes are released.

Organisational measures:

  • Access to production systems requires multi-factor authentication.
  • Staff receive privacy and security training.
  • Confidentiality obligations are in employment and contractor agreements.
  • We follow the OAIC's Guide to Securing Personal Information and the principles of NIST SP 800-53.

Card data:

We rely on a PCI DSS SAQ-A posture by virtue of routing all card collection through our payment processor's hosted checkout. Card numbers do not enter our systems.

No system is perfectly secure. If you suspect that the security of your account has been compromised, contact us immediately at security@ampl.au.


10. How long we keep personal information

We hold personal information only for as long as we have a business or legal need for it.

  • Active customer accounts: for as long as your subscription is active.
  • Cancelled accounts: for 30 days after cancellation, during which you can reactivate or export your data. After 30 days, your tenant is closed and customer-content data is deleted.
  • Billing records: 7 years after the last transaction (Australian tax and corporate-record-keeping obligations under the Income Tax Assessment Act 1997).
  • Audit logs: 7 years (security and dispute-resolution).
  • Marketing-site analytics: aggregate, indefinite. Individual visitor records (where collected) are kept for 12 months maximum.
  • Support tickets: 5 years after the ticket is closed.
  • Marketing-list subscriptions: until you unsubscribe, plus a short period to ensure you are not re-added in error.

If you ask us to delete personal information sooner, we will do so unless we have a legal reason to keep it. See §11 for how to make that request.


11. Your rights — access, correction, complaint

11.1 Right to access

You can ask us for a copy of the personal information we hold about you. We will respond within 30 days. If we cannot provide access (for example because doing so would unreasonably affect the privacy of another person), we will explain why in writing.

11.2 Right to correct

If your personal information is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. Most account information you can correct directly in the product. For other corrections, contact us at privacy@theleadinghand.au.

11.3 Right to delete

You can ask us to delete personal information we hold about you. We will do so unless we have a legal reason to keep it (see §10). For workshop-tenant data you control, deletion is performed by you within The Leading Hand or by closing your account.

11.4 Right to withdraw consent

Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect prior lawful processing.

11.5 Identity verification

To protect your information, we will ask you to verify your identity before we act on an access, correction, or deletion request.

11.6 No charge

We do not charge a fee for access, correction, or deletion requests.

11.7 Right to complain

If you believe we have breached the APPs / IPPs or this policy:

  1. Email privacy@theleadinghand.au with a description of the concern. We will acknowledge within 5 business days and resolve within 30 days.
  2. If you are not satisfied with our response, you can escalate to:
    • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — phone 1300 363 992.
    • New Zealand: Office of the Privacy Commissioner — privacy.org.nz — phone 0800 803 909.

You don't have to come to us first, but we appreciate the chance to make things right.


12. Cookies and analytics

12.1 Marketing sites (ampl.au, theleadinghand.au)

Our marketing sites do not currently use third-party analytics. We do not run advertising trackers, social media pixels, Google Analytics, or any cross-site tracking technology. If we add a privacy-respecting analytics provider in the future, we will update this policy and the sub-processor list in §7 before doing so.

12.2 The Leading Hand product (app.theleadinghand.au)

The product uses cookies that are strictly necessary to operate. Specifically:

| Cookie | Purpose | Lifetime |
|---|---|---|
| Authentication session | Keeps you signed in after login | Session, with refresh up to 14 days if you tick "remember me" |
| CSRF / anti-forgery token | Prevents cross-site request forgery attacks | Session |
| Tenant context | Identifies which tenant your request belongs to | Session |

You can disable cookies in your browser, but you will not be able to sign in to the product if you do.

12.3 No advertising cookies

We do not run paid advertising and do not place advertising cookies on any of our sites or products.


13. Marketing communications

We may send you marketing communications about our products and services. We will only do this where:

  • You have given us your consent (e.g. by ticking a box when signing up); or
  • You are an existing customer and the communication is about products or services similar to those you have purchased; or
  • Another exception under the Spam Act 2003 (Cth) (Australia) or the Unsolicited Electronic Messages Act 2007 (New Zealand) applies.

Every marketing email contains an unsubscribe link. Once you unsubscribe, we will stop within 5 business days, but you will continue to receive transactional messages (booking confirmations, invoices, security notifications) — those are not marketing.


14. Children's privacy

The Leading Hand and our marketing sites are not directed at people under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact privacy@theleadinghand.au and we will delete it promptly.


15. Notifiable data breaches

We comply with the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988 and the notifiable privacy breach regime under the New Zealand Privacy Act 2020.

If we suffer a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  • Notify the affected individual(s) as soon as practicable.
  • Notify the Office of the Australian Information Commissioner (and, where relevant, the Office of the Privacy Commissioner in New Zealand).
  • Provide a description of the breach, the kinds of information affected, and steps you can take to protect yourself.

Our internal incident-response procedure is reviewed at least annually.


16. Linked third-party sites

Our sites may link to third-party websites we don't control (e.g. our payment processor, accounting providers, social media, demo-booking calendar). When you follow a link off our sites, you are subject to the destination site's privacy policy. We encourage you to read it.


17. Changes to this Privacy Policy

We may update this Privacy Policy as our products, sub-processors, or legal obligations change.

  • Minor changes (clarifications, formatting, contact updates): updated "Last updated" date at the top of this policy.
  • Material changes (new categories of information collected, new sub-processors handling sensitive operations, changes to retention or security): we will notify active customers by email at least 30 days before the change takes effect.

The current version is always available at ampl.au/privacy and theleadinghand.au/privacy.


18. Contact us — Privacy Officer

For privacy questions, complaints, access requests, or correction requests:

Email: privacy@theleadinghand.au
Mail: Privacy Officer, Ampl Software Pty Ltd, Suite 1031, 100 George Street, Parramatta NSW 2150, Australia

For security incidents or vulnerability disclosures: security@ampl.au.

For all other enquiries: support@theleadinghand.au (existing customers) or sales@theleadinghand.au (general / pre-sales).

We respond within one business day, AEST.