Privacy is your right

Thank you for visiting This information sheds some light on how we think about privacy. It also details how we operate our business.


Our Privacy Promise

We respect and protect your rights

To us privacy doesn't mean secrecy. Privacy is the power to control what you do and don’t share. It’s a fundamental right. We will do everything we can to ensure you’re in control of your information and how it flows.

Your data is yours

You should control your data. We are only a temporary custodian of the data you choose to share. We will only use the data you share for the purpose of delivering you the service you've requested.

The choice is yours

The information you choose to share with us is up to you. Although we work with information heavy businesses, we are deliberately information light.

Our Privacy Notice


How to contact us

Contact us on any time.

You can also write to us;

Greater Than X Pty Ltd

PO Box 237

Stones Corner Qld 4120



Why and how we process personal information

We keep all data processing as simple and limited as possible.

We practice purpose specification and data minimisation.

We only process data to deliver a service to you

Right now we’re amidst some change. We’re not comfortable with many of the tradeoff decisions products and services lead us to make. We’re actively designing a privacy and security enhancing infrastructure across our business, from our CMS to the tools we use to deliver client projects.

Let’s dive into the specifics.

Our contact form (Squarespace CMS)

We use the information you share with us via our contact form to contact you back.

We deliberately limit the information you can provide us via this form to;

  • An email address, and

  • A free text message.

When you submit a message by pressing  “Send now” this information is sent to Our emails are currently managed by G Suite.

G Suite

We use G Suite by Google Cloud to manage internal and external communications.

We also use;

  • Google Docs

  • Google Slides

  • Google Sheets

  • Google Hangouts, and

  • Google Calendar

Gmail, Google Hangouts and Google Calendar are the only places the personal information you choose to share with us is stored and accessed.


  • Email

  • Name

  • Phone number

  • Work address, and

  • Email contents

Will be stored within Gmail.

We use this information to contact you directly - if you have asked us to. We do not use this information in any other way.

We currently review this information at the end of each financial year and delete all email exchanges that are no longer active and relevant to our work.


  • Name

  • Email

  • Phone number, and

  • Meeting notes

Will be stored within Google Calendar. The same goes for Google Hangouts.

We currently review this information at the end of every financial year and delete all meeting records that are no longer active or relevant to our work.

Purchasing a digital product

When you purchase one of our digital products we ask you to share information with us so we can;

  1. Securely authenticate the transaction, and

  2. Send you the product you’ve purchased.

To make this happen, we’ve integrated Stripe (our Payments Services Provider) with Squarespace (our Content Management System). When you start purchasing our playbook, you’re interacting with our website (run using Squarespace). When you’re paying, Stripe is managing the process.

Stripe breaks down their data protection practices in their Privacy Policy. You can also read more about specific security practices, like tokenisation, if you’re interested.

This process starts by asking you for your email address. Your email is where your direct download link for our digital products will be sent.

You’re then asked for you payment information;

  • Credit card number

  • CVV

  • Expiration month and year

And before you complete the transaction, you’re asked for your postal address. Stripe details more about why they ask for this information (spoiler alert: It’s about fraud prevention mostly) here.

By sharing this information, Stripe can process your payment. We can then send you the product you've paid for.

Payments Dashboard

As a Stripe customer, we also have access to a dashboard. We’ve broken down the exact information we have access to below.

Payment status

Stripe risk evaluation: (evaluation ie “normal”)

Payment details

ID:ch_1B3KxbCww5IUyJoE7TQTVhTc (illustrative only)

Amount: A$00.00

Fee: A$00.00

Net: A$00.00


Description: Charge for


ID: 5cc199af676dkl6e1e199127 (illustrative only)

orderId: 000 (illustrative only)

Shipping_recipient: First Last

websiteId: 57754a9bn45a7c5g145jkb89 (illustrative only)


Address: Street, Suburb

City, Post Code

Origin: Country

CVC check: Status

Street check: Status

Zip check: Status

ID: card_1D3KwICxx5TYyJlZebWdDg2l (illustrative only)

Name: First Last

Number: ···· 4512 (we can actually see the last 4 digits)

Fingerprint: bZP3FTi98YH4LWLm (illustrative only)

Expires: MM / YYYY

Type: i.e. Visa debit card


Payout: po_1D64Y2Cjr5QIdJoETkHyT9j0 (illustrative only)

Email history: No email sent


200 OK POST /v1/charges/ch_1D3KwICxx5TYyJlZebWdDg2l (illustrative only) 2018/03/08 10:21:51


A payment for $54.99 AUD was updated 2018/03/08 10:21:51

A successful payment was made for $54.99 AUD 2018/03/08 10:21:51

The example information we have communicated above is secured with strict role-based access rights. Although we can access this information via our dashboard, we don’t use it in any way.

Squarespace (our Content Management System)

We use Squarespace as our content management system. This enables us to communicate openly about our work. It also enables us to sell digital products, like our playbooks.

Although Squarespace has utility, it’s fraught with privacy and security issues. See this report using the tool, webbkoll for more detail. We’ve spoken to Squarespace directly about these issues. We don’t expect much will change. As a result, we’re working to design a new privacy and security enhancing business infrastructure from the ground up. This is a big investment and is taking time.

We’ll make some noise about it (and share lessons learned) when it’s pushed to production.

Back to it.

Within Squarespace’s Content Management System there are three modules that have the ability to capture personal information.

These are;

  • Orders

  • Customers, and

  • Analytics


The Orders module within Squarespace contains the following;

  • Order number

  • Order date and time

  • Name

  • Email

  • Purchase amount

  • Payment status

  • Fulfillment status

  • Address

  • Suburb

  • City

  • State

  • Zip or Post code

  • Country

  • Phone number (if provided), and

  • Charge ID (which then links to Stripe’s payment module referenced above)

This information is secured with strict role-based access rights. Although we can access this information via our dashboard, we don’t use it unless;

  1. You contact us about an issue, and

  2. We use the information to try figure out what’s gone wrong and make it right


The Customers module within Squarespace is much the same as Orders. The primary difference is that it presents the data in a slightly different format.

The information this module presents is:

  • Name

  • Email

  • Order quantity

  • Order date

  • Total spent

  • Billing address consisting of address, suburb, city, post code and country

  • Order number, and

  • Order status

This information is secured with strict role-based access rights. Although we can access this information via our dashboard, we don’t use it unless;

  1. You contact us about an issue, and

  2. We use the information to try figure out what’s gone wrong and make it right

Squarespace Analytics

Our default is “do not track”.

Why? Because the value of the activity, compared to the risk, is low for our business.

We achieve this by activating SQUARESPACE ANALYTICS RESTRICTION.

We also restrict tracking by disabling our activity log, a new feature Squarespace has released in response to the European General Data Protection Regulation (GDPR).

This prevents Squarespace from sending Analytics cookies to our visitors.

You can also do more to protect your privacy and limit tracking technologies.

You can opt-out of the popular Google Analytics service.

You can start controlling cookie settings in your browser.

You could switch to a browser like Qwant, Brave or DuckDuckGo. If you really want to go big, you could help plant trees by searching with Ecosia.

You could even start using a Virtual Private Network (VPN).


We publish some of our content on our LinkedIn business page.

LinkedIn’s business page gives us the ability to see;

  • Anonymised likes

  • Visitor numbers

  • Update impressions, and

  • Followers

We can also see social notifications. These notifications show;

  • Likes

  • Shares

  • Comments, mentions, and

  • The person who has made that action

This means we can see what people are saying about our brand on LinkedIn. We can also tell whether or not they’re engaging with the content we share.

We do not use any of this data outside of the LinkedIn platform. Our use of this information is limited to liking, commenting, or sharing a post someone has shared about us.

As you might expect, it’s lovely when people say nice things about your work. We try show our gratitude in the simplest, least intrusive way possible.

As is the case with the entire suite of products and services we use to run our business, this information is secured with strict role-based access rights.


We publish some of our content on our Twitter business page.

Twitter gives us the ability to;

  • See people’s open profiles

  • View their commentary

  • Engage in discussions that are meaningful to us, and

  • Share our point of view on topics we're interested in

We have not activated Twitter analytics.

The information we have access to via this account is open and publicly available. We do not use this information in any context outside of the Twitter platform.

Our use of this information is limited to;

  • Liking

  • Retweeting, and

  • Commenting

As with LinkedIn, this information is secured with strict role-based access rights.


We use the YouTube platform to publish video content we have produced.

We do not have access to any personal data via this platform. We only use the YouTube platform to publish occasional content.


We manage the commercial function of our business via Xero.

Almost all data that is accessible or stored within Xero relates to our business. However, to produce and send an invoice, some personal data is required. This includes;

  1. An email address, and

  2. The name of a recipient or project contact


Everhour helps us manage how we prioritise and invest our time across multiple client projects.

We’re pretty strict about how we use it. We only use it internally, meaning the information Everhour processes on our behalf relates to our team.

We don’t store documents. We don’t input any strategically sensitive information. We use the product to;

  1. Manage tasks in progress (within their ‘projects’ module)

  2. Schedule our time for multiple projects in advance (within their ‘scheduling’ module), and

  3. Track time against each task to ensure what we say we' do is accurately represented

You can view Everhour’s privacy notice here.


We’re big fans of Typeform. It’s a brilliant product developed in a city we love, Barcelona! Interestingly, DataEthics EU actually calls Typeform out as a “tool for organisations” to use.

We‘ve recently started using Typeform to conduct surveys. Specifically, we’re focused on people’s experience at work, what they care about most and what they feel is missing.

You can access this survey directly here. Here’s exactly what we see within our admin panel (you can tell this was early in the surveys deployment…);

As you can see, the data we have access to is pretty limited. We do not ask for any identifying information. It’s just not needed to generate meaningful and actionable insights.

You can review Typeform’s Privacy Policy here.

Note how they use their own product to deliver the experience? Brilliant!


We use Loom to record videos for our clients. This helps us deliver effective and easy to consume project updates. We also use it to record video content that we share via our YouTube channel. 

So far our clients are really valuing this. We know this because there saying lots of nice things. It’s helping us help them.

If we send you a Loom video update and you view it, we see the following information:

  1. A notification with your profile/default name, and

  2. The time/date you viewed the video

If we send you a Loom video update and you comment on it, we see the following information:

  1. Content of the comment, and 

  2. Time/date of the comment

If you’ve signed up for a Loom account and watch one of our videos, we see the following information:

  1. Your profile name you set when you signed up, and 

  2. Content of the comment

We do not use the information we have access to via Loom for any other purpose. You can learn more about Loom’s data processing activities in their privacy policy (notice).


We use InVision as part of our design workflow. Most commonly we use it to create interactive prototypes. We also use it to share specific content, like our guided Data Ethics Framework.

If you comment on something we’ve shared via InVision, we see the following information:

  1. Your profile name you set when you signed up

  2. Content of the comment, and

  3. Time/date of the comment

We do not use the information we have access to via InVision for any other purpose. You can learn more about InVision’s data processing activities in their privacy policy (notice).


We use Medium to publish ideas, analyses and case studies. In some ways it’s a great platform.

However, it has been known to deploy dark patterns from time to time. 

If you follow us, we see the following information:

  1. Your profile name on Medium, and

  2. The date you started following us

If you comment on one of our stories, we see the following information:

  1. Your profile name on Medium, and 

  2. Content of the comment

Like LinkedIn and Twitter, we use this platform to discuss ideas, debate and learn from others. We do not use the information we have access to about subscribers or responders in any other way.

You can learn more about Medium’s data processing activities in their privacy policy (notice). They have 30,000 claps on this story for some reason. We have no idea why...


We collaborate with clients across multiple geographies. Sometimes we do this in real time.

Mural helps us visually collaborate, regardless of where we or are clients are located. If you collaborate with us via Mural using an anonymous link, we see the following information:

  1. Your assigned avatar name, and

  2. Any content, comments and material you contribute

If we ask you to create an account to help improve how we visually collaborate, we see the following information:

  1. The name you added when you signed up

  2. The email you used to sign up

  3. The role you have been assigned

  4. The date of your last activity

You can learn more about Mural’s data processing activities in their privacy policy (notice).

As it stands these are the products and services we’re using that store, process or analyse data. When this changes, we’ll update this policy. If the changes we make affect you, we will notify you directly.

How we collect data

Other than the data associated with payments, we only collect data from you directly. If you haven’t shared it with us then we don’t have access to it.

On what legal grounds do we process your data?

Our legal grounds for processing your “non sensitive” personal data are contract. This is because we only process personal data:

  1. To fulfil a contractual obligation to you (e.g. process a payment and deliver you the product you've paid for via email); or

  2. Because you have asked us to do something before or with the possibility of entering into a contract (e.g. discuss a speaking engagement, request a workshop, ask us to meet you regarding a business challenge you have etc.).

Do we perform automated decision-making and automated profiling?

No, we do not.

We do not use your personal data to automatically evaluate or make inferences about who you are as a person, your personality traits or anything related to you.

We do not use your personal data to make automated decisions about you.

It might seem odd, but we would rather speak to you, engage in a conversation and figure out if there’s any mutual value in continuing our conversations and our relationship.

Is the personal data we hold accurate?

We hope so, because the only way we get it is directly from you.

Having said that, you can contact us on at any time to;

  1. View the data we have on you

  2. Correct it if it’s not accurate, and

  3. Request we delete it if you no longer want us to use it in any way

Do we share personal data?

We don’t and will never engage in the direct exchange of your data. That’s not our business.

The services we use act as data processors for our business. Because of this they do have access to your personal data. As an example, when you choose to buy one of our digital products, Stripe, our Payment Services Provider, processes this data on our behalf. They take care of everything related to processing the payment, from actually processing the payment to managing the potential risks associated with it. 

In the context of the European General Data Protection Regulation, this means we are a controller ("A controller determines the purposes and means of processing personal data") and Stripe is a processor ("A processor is responsible for processing personal data on behalf of a controller). 

The exact services and data we/they have access to is detailed in the second clause of this policy above.

Is your personal data secure?

Our team is motivated to give people more control and utility of their information and how it flows. In fact, it’s literally our business. That means we’re values driven and values aligned, by design. But we don’t stop there. We make sure our team is well versed in Data Ethics, Privacy and Security by Design and Data Trust by Design.

By doing this we don’t eliminate all risks. We do, however, limit our risks significantly.

Getting more specific, the limited personal data we process is secured via role based access rights. Google actually has a good bit of detail on the security practices of G Suite here. Stripe has good detail here. Squarespace has good detail here and Xero has good detail here. Everhour breaks things down here, and lastly, Typeform get specific here.

Taking these practical steps to treat your data as if it’s our own decreases the likelihood certain data breaches occur. However, if we believe a data breach may have occurred, we execute an operational process aligned to the recommendations made by the OAIC as part of the Notifiable Data Breaches Scheme.


  1. Assess the incident

  2. Mitigate the impact

  3. Communicate with relevant stakeholders, and

  4. Ensure any preventable weaknesses are improved as quickly as possible

Putting it simply, if we make a mistake we will own it and ensure we don't make it again.

Your rights

Let’s keep this simple. Your data is yours. You should control it. You should benefit from sharing it - if you choose to do so.

If you’ve shared your data with us directly and want to;

  1. View what we have

  2. Receive a copy of what we have

  3. Edit what we have, or

  4. Delete what we have

Then you are more than welcome to do it.

To make this, or anything else you’d like to discuss about your data with us happen, email

We won’t take weeks to get back from you. We’ll respond within 48 hours.

Oh, and we’ll do it for free. It’s a bit ridiculous to charge you.

To protect your privacy and the privacy of others, we will need evidence of your identity before we can grant you access to information about you.

Our Obligations

We’re bound by specific jurisdictional regulations. But don’t think we’re limited to that. We want to do whatever we can to make our use of data as person-centric as possible. We focus first and foremost on doing the right thing by you. Regulations and requirements are simpler to get right when that’s the approach you rely on.

Will we update our privacy policy?

We almost certainly will. We plan to keep growing our business. As that happens how we use data will evolve, as long as it aligns to our core values.

This version is dated the 30/08/2019.

If we make any changes to our policy that affect you directly, we will let you know.