1. Scope and our role
This policy applies to CMG Nexus websites, applications, portals, APIs, integrations, support channels and related services.
Data controller vs processor. Where a tenant business uses CMG Nexus to run its operations, that tenant is the entity responsible for the personal information it puts into its workspace (its "Customer Data") — the tenant decides why and how that data is used. For that Customer Data we act only as a service provider / processor on the tenant's instructions. For the account, login, billing and platform-security information we collect directly, we are the responsible entity ("agency" under NZ law).
We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in Australia, and the Privacy Act 2020 and the Information Privacy Principles (IPPs) in New Zealand.
2. Information we collect
Depending on the features used, CMG Nexus may collect or process:
- account details such as name, email, phone number, role, tenant, login and authentication data;
- business profile data such as company name, ABN/ACN or NZBN, addresses, buyer contacts, accounts contacts and delivery locations;
- customer, product, invoice, credit note, payment status, order, statement and catalogue metadata synced from an authorised accounting or commerce provider;
- field activity data such as visit notes, KPI entries, route activity, location pings and device details where the tenant enables location features and the user grants or is required to provide access for the role;
- support, message, upload and document data, including PDFs, photos, delivery evidence, PODs and operational records submitted by users;
- security and audit data such as IP address, user agent, session identifiers, timestamps, action logs, provider responses and error logs.
We collect personal information directly from you and, where authorised, from the tenant and connected providers. Users should not upload unnecessary sensitive information. If sensitive information is included in an operational document, we process it only for the service purpose requested by the tenant.
3. How we use information
We use information to:
- provide, maintain and secure the CMG Nexus platform;
- authenticate users and enforce tenant roles, permissions and approval rules;
- sync authorised accounting-provider data and maintain operational reporting views;
- support orders, catalogues, field tasks, routes, KPI visits, receivables, statements and document workflows;
- create audit trails for critical actions, including document export, sync, order submission, credit note and refund-related actions;
- detect misuse, spam, fraud, unauthorised access and system abuse;
- provide support, troubleshoot issues, meet legal obligations and improve reliability.
We rely on the performance of our contract with you, our legitimate interests in running and securing the service, your consent where required, and compliance with law. We may use aggregated, de-identified data to operate and improve the platform. We do not sell personal information.
4. Tenant and accounting data boundary
CMG Nexus is an operational layer. Tenant workspaces are isolated from one another, and a tenant's accounting platform remains the accounting source of truth. As the platform operator we do not use one tenant's business data (such as its customers, orders or invoices) for the benefit of another tenant.
CMG Nexus reads, analyses and presents authorised data from connected providers and may create orders, draft quotes, draft invoices or authorised invoices only where the tenant has enabled that workflow and the acting user has permission. Credit note, refund and write-back workflows are restricted to authorised users and logged with user, time, tenant, entity and provider-response details where available. CMG Nexus does not make tax, accounting, legal or financial decisions for the tenant.
6. Security, retention and data breaches
We use reasonable technical and organisational safeguards, including tenant isolation, role-based access control, audit logging, provider-token protection, encryption in transit, rate limiting, CSRF protection, backup controls and monitoring. No internet service can be guaranteed completely secure, so tenants must also manage their own user access, device security and internal approvals.
We retain operational records, audit logs and synced records for as long as needed to provide the service, meet legal or accounting record requirements, resolve disputes, protect the platform and support tenant audit obligations. When no longer required, data is deleted or de-identified.
Data breaches. If a data breach is likely to cause serious harm, we will notify affected individuals and the relevant regulator as required — the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme in Australia, and the Office of the Privacy Commissioner in New Zealand under the Privacy Act 2020 — within the timeframes those laws require. Where we act as processor for a tenant's Customer Data, we will notify the tenant so it can meet its own obligations.
7. Your rights
Subject to law, you may request access to, and correction of, the personal information we hold about you, and may ask us to delete it or restrict its use. In Australia these rights arise under APP 12 and APP 13; in New Zealand under IPP 6 and IPP 7.
To make a request, contact privacy@cmgflow.com. If the information is held within a tenant workspace and controlled by that tenant, we may need to refer your request to the tenant or work with them to respond. We will verify your identity before acting on a request and respond within the timeframes required by law.
9. Complaints
If you have a privacy concern, please contact us first at privacy@cmgflow.com so we can investigate and respond. If you are not satisfied with our response, you may contact:
- Australia — the Office of the Australian Information Commissioner (OAIC), oaic.gov.au;
- New Zealand — the Office of the Privacy Commissioner, privacy.org.nz.
10. Changes and contact
We may update this policy from time to time. Material changes will be notified by reasonable means, and the "last updated" date above will change. Continued use of the service after an update takes effect constitutes acceptance of the updated policy.
Privacy enquiries: privacy@cmgflow.com. This policy forms part of, and should be read together with, our Terms of Service.