Terms of Service (Australia)

Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

Create a legally compliant Refund and Returns Policy for your Australian business under the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)). Unlike other countries, Australia has some of the world's strongest consumer protection laws: 'no refund' policies are illegal for goods or services that fail to meet ACL consumer guarantees. Our template accurately reflects the major failure/minor failure distinction, the repair/replace/refund hierarchy, the mandatory consumer guarantee notice required by the ACCC, change-of-mind return options, and return shipping obligations. Suitable for retail, e-commerce, and service businesses.

A Software as a Service (SaaS) agreement is the foundation of every cloud-based software subscription business. Whether you are an Australian startup offering your first B2B platform or an established provider expanding your customer base, having a professionally drafted SaaS agreement is essential to protect your intellectual property, manage your liability, ensure privacy law compliance, and set clear expectations with customers about service levels, payment, and data handling. An Australian SaaS Agreement differs in important respects from equivalent agreements used in the United Kingdom or the United States. Australian law imposes obligations that cannot be contracted out of, particularly under the Australian Consumer Law (ACL), the Privacy Act 1988 (Cth), and the Spam Act 2003 (Cth). A SaaS agreement that simply adopts a US or UK template without adapting it for the Australian legal environment may be unenforceable in key respects and may expose the provider to regulatory risk. The Australian Consumer Law (ACL), being Schedule 2 to the Competition and Consumer Act 2010 (Cth), is one of the most significant considerations for SaaS providers. Sections 23 to 28 of the ACL prohibit unfair contract terms in standard form contracts with consumers and, since November 2023, with small businesses. A term in a SaaS agreement is unfair if it would cause a significant imbalance in the parties' rights and obligations arising under the contract, is not reasonably necessary to protect the legitimate interests of the party advantaged by the term, and would cause detriment to a party if it were relied on. Commonly challenged terms include broad indemnities, unilateral variation rights, and automatic renewal clauses with short cancellation windows. Under the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth), unfair terms in standard form contracts are now void and attract significant civil penalties. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how personal information is collected, used, disclosed, and secured by APP entities. A SaaS provider who collects personal information from customers or who processes personal information on behalf of customers must comply with the APPs. Of particular importance are APP 1 (open and transparent management of personal information), APP 3 (collection of personal information), APP 6 (use or disclosure of personal information), APP 8 (cross-border disclosure of personal information), APP 11 (security of personal information), and APPs 12 and 13 (access to and correction of personal information). The agreement should address who owns customer data, how the provider will secure it consistent with APP 11, and what happens to the data on termination. The Spam Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages to Australian accounts. SaaS providers who send marketing emails or in-app notifications to customers must have explicit or inferred consent and must include a functioning unsubscribe mechanism. The agreement should confirm that the provider will comply with the Spam Act 2003 in relation to any electronic communications sent in connection with the service. Australia does not have an equivalent of the EU GDPR's data processing agreement regime. However, where a SaaS provider processes personal information on behalf of a customer, it is best practice to include equivalent contractual protections addressing handling instructions, security obligations, sub-processor disclosure, breach notification, and data return or deletion on termination. Service level agreements (SLAs) specifying uptime commitments are a standard feature of SaaS agreements. A meaningful SLA will specify the uptime percentage, how downtime is measured, what events are excluded (such as scheduled maintenance and factors beyond the provider's control), and what remedy is available to the customer for a breach of the SLA. A service credit regime — where the customer receives a credit against future invoices for periods of downtime exceeding the SLA threshold — is the most common remedy. Subscription pricing in AUD, GST provisions complying with the A New Tax System (Goods and Services Tax) Act 1999 (Cth), auto-renewal with appropriate notice periods, and the right to increase fees on renewal are all standard commercial terms in Australian SaaS agreements. The agreement should also address what happens to customer data on termination, including a grace period for data export before deletion. This Australian SaaS Agreement template addresses all key commercial and legal issues: ACL compliance including unfair contract terms considerations, Privacy Act 1988 (Cth) and APP obligations, Spam Act 2003 compliance, customer data ownership and security, SLA uptime commitments, AUD subscription pricing with GST, auto-renewal and cancellation, IP protection, limitation of liability, confidentiality, and governing law.

Whether you are a small business commissioning your first e-commerce website or an enterprise upgrading a complex digital platform, an Australian Website Development Agreement is essential to protect both parties and ensure the project is delivered on time, on budget, and with clear ownership of the finished work. Without a written agreement, disputes over who owns the website, how much is owed, and what was supposed to be delivered are almost inevitable. The single most important legal issue in Australian website development projects is intellectual property ownership. Under s 35(6) of the Copyright Act 1968 (Cth), copyright in a website — including the design, code, written content, and other original elements — belongs to the developer as the creator, not to the client, unless there is a written agreement assigning it. Many clients are shocked to discover that after paying thousands of dollars for a website, they do not legally own it. This means the developer could, in theory, prevent the client from modifying the website or could demand payment for continued use. A properly drafted website development agreement addresses this by including a written assignment of copyright under s 196 of the Copyright Act 1968 (Cth), transferring all Project IP to the client upon full payment. An alternative structure — increasingly favoured by developers who build on reusable code bases and frameworks — is for the developer to retain ownership of the underlying platform code (Background IP) while granting the client a perpetual, royalty-free, non-exclusive licence to use that code for the purpose of operating the website. The Project IP that is unique to the client (such as custom design elements and bespoke functionality) may be assigned to the client, while the developer retains the right to use their foundational tools for other clients. This approach requires careful drafting to clearly delineate what is Background IP and what is Project IP. Third-party software is ubiquitous in modern web development. Content management systems such as WordPress and Squarespace, e-commerce platforms such as WooCommerce and Shopify, payment gateways, analytics tools, and image libraries are all commonly incorporated into websites. Each of these comes with its own licence terms. The agreement should list all significant third-party components and confirm that they are licensed for the intended commercial use. Open-source licences — such as the GNU GPL used by WordPress — impose conditions that may affect how the website can be used and distributed. The Australian Consumer Law (ACL), being Schedule 2 to the Competition and Consumer Act 2010 (Cth), imposes non-excludable consumer guarantees on the supply of services. A web developer supplying services to a consumer or small business guarantees that the services will be rendered with due care and skill (s 60 ACL) and that the website will be fit for the purpose disclosed by the client (s 61 ACL). These guarantees apply even if the contract purports to exclude them. For B2B transactions, the parties may limit liability to re-supply of the services, subject to any ACL unfair contract terms considerations. Website accessibility has become an increasingly important legal and commercial issue in Australia. The Disability Discrimination Act 1992 (Cth) prohibits discrimination on the grounds of disability in access to goods, services, and facilities, which the Australian Human Rights Commission has interpreted as applying to websites and digital services. The Australian standard for web accessibility is WCAG 2.1 Level AA, and businesses with significant web presences should ensure their websites meet this standard. The development agreement should specify the accessibility standard the Developer must meet. Privacy compliance is critical for any website that collects personal information from users. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) require APP entities to have an up-to-date privacy policy (APP 1), to give a collection notice when collecting personal information from individuals (APP 5), and to take reasonable steps to secure that information (APP 11). The Spam Act 2003 (Cth) regulates commercial electronic messages sent through the website. The client is responsible for ensuring the website's content and functionality comply with these laws, but the agreement should require the developer to design the website in a way that facilitates compliance. Domain name registration and management in Australia is governed by the auDA (au Domain Administration) Domain Name Eligibility and Allocation Policy Rules. Only Australian entities with a relevant connection (such as an Australian registered business name or company) can register a .com.au or .net.au domain name. The agreement should address responsibility for domain registration, renewal, and any transfer on termination. Milestone-based payment in AUD with GST provisions, a clear project scope with change order procedures, acceptance testing with deemed acceptance provisions, ongoing hosting and maintenance options, confidentiality, and a professional indemnity-aligned limitation of liability are all essential components of a complete Australian website development agreement. This template addresses all of these elements and uses Australian business conventions throughout, including ABN identification, AUD pricing, and DD/MM/YYYY date formatting.

As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.