Privacy Policy

Songline Journey — Last updated: 1 July 2026

Songline takes your privacy seriously. We collect only the data necessary to deliver the Service and comply with Australian privacy law, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy applies to your use of Songline; see also our Terms of Service.

1. Our Role and Your Agency's Role

Your migration agency decides what information is collected about you and how it is used in providing migration services to you. In privacy terms, your agency is the organisation primarily responsible for your personal information. Songline processes that information on your agency's behalf in order to operate the platform, and on our own behalf only as needed to run, secure, support, and improve the Service. This Policy explains how Songline handles your information; your agency may also have its own privacy policy governing the migration services it provides to you.

2. What We Collect

3. Sensitive Information

Some of the information handled through Songline is "sensitive information" under the Privacy Act 1988 (Cth) — for example, health information, biometric or identity-document details, and information that may reveal racial or ethnic origin, contained in the documents and forms used for a visa application. We and your agency collect and handle this information only where it is reasonably necessary to provide migration-related services and where it has been provided for that purpose. By providing sensitive information, or authorising your agency to provide it on your behalf, you consent to its collection, storage, and use for those purposes. We apply additional safeguards to sensitive information, including encryption at rest and access restricted to your agency and authorised platform administrators.

4. How We Use Your Data

We do not sell your personal data. We do not use your data for advertising purposes.

5. Information About Other People and Dependants

Visa applications often include information about family members and dependants, including children, who may be part of the same application. Where you provide information about another person (for example, a partner or a dependent child), you confirm that you are authorised to provide it and, where appropriate, that you have made that person aware of how their information will be handled. For dependent children, the responsible adult applicant or your agency provides and is responsible for this information. We handle information about dependants and other third parties with the same protections described in this policy.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Supabase, with infrastructure located in Australia (ap-southeast-2). Sensitive data fields (such as passport numbers and credentials) are encrypted at rest using AES-256-GCM. Passwords are hashed using scrypt. All data in transit is encrypted using TLS 1.2 or higher.

Songline maintains an audit log of significant actions (account creation, payment processing, document uploads, template changes, impersonation events) for security and compliance purposes. Audit logs are accessible to agency admins and Super Admin.

Songline does not access individual agency or applicant accounts in the ordinary course of running the Service. Access happens only when there is a specific reason for it — typically in response to a support request from your agency, or where reasonably necessary to investigate and resolve a technical, security, or operational issue affecting the Service. In those situations a limited number of authorised Songline (Dyna Solutions) personnel holding the Super Admin role may access the relevant data, including through a controlled "view as" (impersonation) capability that lets an authorised administrator see the platform as an agency or applicant would in order to diagnose and resolve the issue. This access is restricted to that role, is used only for those legitimate operational purposes, and never for marketing or any unrelated purpose. Each such session is time-limited and expires automatically, and every action taken during it is recorded in the audit log described above. Your agency remains the controller of your information at all times, and this access does not give Songline any greater view of your information than the agency staff who already provide your migration services.

Documents are stored either (a) in your agency's own cloud storage, which your agency configures and which may be located outside Australia (options include SharePoint, AWS S3, Google Drive, Dropbox, or Box), or (b) where your agency uses Songline-managed storage, in Australia (Sydney). Some processing necessary to operate the Service — in particular AI features (see our Terms of Service §6) and certain optional third-party integrations — occurs outside Australia, as described in Section 8 below.

7. Who We Share Data With

We share data only with:

8. Overseas Disclosure of Personal Information

To provide the Service, some of your personal information is disclosed to, or processed by, service providers located outside Australia. The principal overseas location is the United States. Overseas processing includes: AI processing of Sunny queries and translations by Google's Gemini API; live web-search queries sent to Tavily; payment processing by Stripe; e-signature processing (SignNow), meeting and video data (Microsoft Teams), and push-notification tokens (Expo), where your agency enables these features; and document storage, where your agency configures a storage provider located outside Australia.

Before disclosing personal information overseas, we take reasonable steps to ensure that recipients handle it consistently with the Australian Privacy Principles. However, by using the Service you acknowledge that some of your information will be processed overseas, and that the handling of your information in those countries is also subject to the laws of those countries. Where personal information is disclosed overseas, this is done in accordance with APP 8 of the Privacy Act 1988 (Cth).

9. Data Breach Notification

We maintain technical and organisational measures designed to protect your information against loss, misuse, and unauthorised access. If we become aware of a data breach that is likely to result in serious harm to affected individuals, we will assess and respond in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required. Where the breach concerns information we process on behalf of your agency, we will also notify your agency promptly so that they can meet their own obligations.

10. Data Retention

Your data is retained for as long as your account is active or as required by your migration agency. You may request deletion of your personal data by contacting your agency or emailing us at privacy@songline.au. Some data may be retained for legal or compliance reasons.

11. Your Rights

Under the Australian Privacy Principles, you have the right to:

To exercise these rights, contact privacy@songline.au.

12. Cookies and Analytics

We use Vercel Analytics to collect anonymised, aggregate usage statistics. No personally identifiable data is collected or stored through analytics. No third-party advertising cookies are used.

13. Contact Us

For privacy inquiries, data access requests, or complaints:

We will respond to privacy requests within 30 days as required by the Australian Privacy Principles.

If you are unhappy with our handling of your privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.