CMG Nexus CMG Nexus

Privacy Policy

Privacy Policy

CMG Nexus is a multi-tenant commercial operations platform for ordering, field work, receivables, reporting, document handling and accounting-provider sync. This policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (Australia), and the Privacy Act 2020 and the Information Privacy Principles (New Zealand).

Last updated 16 July 2026 Terms of Service
Scope & our role Information we collect How we use it Tenant & accounting boundary Sharing & overseas disclosure Security, retention & breaches Your rights Cookies Complaints Changes & contact

1. Scope and our role

This policy applies to CMG Nexus websites, applications, portals, APIs, integrations, support channels and related services.

Data controller vs processor. Where a tenant business uses CMG Nexus to run its operations, that tenant is the entity responsible for the personal information it puts into its workspace (its "Customer Data") — the tenant decides why and how that data is used. For that Customer Data we act only as a service provider / processor on the tenant's instructions. For the account, login, billing and platform-security information we collect directly, we are the responsible entity ("agency" under NZ law).

We aim to handle personal information consistently with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in Australia, and the Privacy Act 2020 and the Information Privacy Principles (IPPs) in New Zealand.

2. Information we collect

Depending on the features used, CMG Nexus may collect or process:

  • account details such as name, email, phone number, role, tenant, login and authentication data;
  • business profile data such as company name, ABN/ACN or NZBN, addresses, buyer contacts, accounts contacts and delivery locations;
  • customer, product, invoice, credit note, payment status, order, statement and catalogue metadata synced from an authorised accounting or commerce provider;
  • field activity data such as visit notes, KPI entries, route activity, location pings and device details where the tenant enables location features and the user grants or is required to provide access for the role;
  • support, message, upload and document data, including PDFs, photos, delivery evidence, PODs and operational records submitted by users;
  • security and audit data such as IP address, user agent, session identifiers, timestamps, action logs, provider responses and error logs.

We collect personal information directly from you and, where authorised, from the tenant and connected providers. Users should not upload unnecessary sensitive information. If sensitive information is included in an operational document, we process it only for the service purpose requested by the tenant.

3. How we use information

We use information to:

  • provide, maintain and secure the CMG Nexus platform;
  • authenticate users and enforce tenant roles, permissions and approval rules;
  • sync authorised accounting-provider data and maintain operational reporting views;
  • support orders, catalogues, field tasks, routes, KPI visits, receivables, statements and document workflows;
  • create audit trails for critical actions, including document export, sync, order submission, credit note and refund-related actions;
  • detect misuse, spam, fraud, unauthorised access and system abuse;
  • provide support, troubleshoot issues, meet legal obligations and improve reliability.

We rely on the performance of our contract with you, our legitimate interests in running and securing the service, your consent where required, and compliance with law. We may use aggregated, de-identified data to operate and improve the platform. We do not sell personal information.

4. Tenant and accounting data boundary

CMG Nexus is an operational layer. Tenant workspaces are isolated from one another, and a tenant's accounting platform remains the accounting source of truth. As the platform operator we do not use one tenant's business data (such as its customers, orders or invoices) for the benefit of another tenant.

CMG Nexus reads, analyses and presents authorised data from connected providers and may create orders, draft quotes, draft invoices or authorised invoices only where the tenant has enabled that workflow and the acting user has permission. Credit note, refund and write-back workflows are restricted to authorised users and logged with user, time, tenant, entity and provider-response details where available. CMG Nexus does not make tax, accounting, legal or financial decisions for the tenant.

5. Sharing and overseas disclosure

We may disclose information to:

  • tenant administrators and authorised workspace users according to configured permissions;
  • connected accounting, payment, mapping, communication, storage, document and infrastructure providers;
  • professional advisers, regulators or law enforcement where required or authorised by law;
  • service providers (sub-processors) that help us host, monitor, secure, support and operate the platform, under confidentiality and data-protection obligations.

Some providers may store or process information outside Australia or New Zealand (for example in cloud infrastructure regions). Where this occurs we take reasonable steps consistent with APP 8 (Australia) and IPP 12 (New Zealand) to ensure the recipient handles the information with comparable protections through appropriate contractual, technical and organisational controls.

6. Security, retention and data breaches

We use reasonable technical and organisational safeguards, including tenant isolation, role-based access control, audit logging, provider-token protection, encryption in transit, rate limiting, CSRF protection, backup controls and monitoring. No internet service can be guaranteed completely secure, so tenants must also manage their own user access, device security and internal approvals.

We retain operational records, audit logs and synced records for as long as needed to provide the service, meet legal or accounting record requirements, resolve disputes, protect the platform and support tenant audit obligations. When no longer required, data is deleted or de-identified.

Data breaches. If a data breach is likely to cause serious harm, we will notify affected individuals and the relevant regulator as required — the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme in Australia, and the Office of the Privacy Commissioner in New Zealand under the Privacy Act 2020 — within the timeframes those laws require. Where we act as processor for a tenant's Customer Data, we will notify the tenant so it can meet its own obligations.

7. Your rights

Subject to law, you may request access to, and correction of, the personal information we hold about you, and may ask us to delete it or restrict its use. In Australia these rights arise under APP 12 and APP 13; in New Zealand under IPP 6 and IPP 7.

To make a request, contact privacy@cmgflow.com. If the information is held within a tenant workspace and controlled by that tenant, we may need to refer your request to the tenant or work with them to respond. We will verify your identity before acting on a request and respond within the timeframes required by law.

8. Cookies and tracking

We use cookies and similar technologies that are necessary for sign-in, session management and core functionality. Where we use optional analytics, we will ask for your preference. We do not place personal information in URLs or query strings, and we choose privacy- preserving defaults.

9. Complaints

If you have a privacy concern, please contact us first at privacy@cmgflow.com so we can investigate and respond. If you are not satisfied with our response, you may contact:

  • Australia — the Office of the Australian Information Commissioner (OAIC), oaic.gov.au;
  • New Zealand — the Office of the Privacy Commissioner, privacy.org.nz.

10. Changes and contact

We may update this policy from time to time. Material changes will be notified by reasonable means, and the "last updated" date above will change. Continued use of the service after an update takes effect constitutes acceptance of the updated policy.

Privacy enquiries: privacy@cmgflow.com. This policy forms part of, and should be read together with, our Terms of Service.