Wirrah Pty Ltd  ·  ABN 38 696 995 794

Privacy Statement

Last updated: 21 June 2026  ·  Applies to: visitors to wirrah.com.au and participants in the Wirrah program.

1. Who we are and what this covers

Wirrah Pty Ltd (ABN 38 696 995 794) ("Wirrah", "we", "us", "our") is a First Nations majority-owned company. This Privacy Statement explains how we handle personal information in two settings: when you visit our website at wirrah.com.au, and when your organisation participates in the Wirrah program.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For First Nations data, we go further than the Privacy Act requires, applying the Maiam nayri Wingara Indigenous Data Sovereignty Principles described in section 5.

The short version

The Wirrah program is built so that your organisation's data never leaves your own Microsoft 365 environment. Wirrah and GraceX do not hold, copy, or take your data out of your tenancy. Your organisation owns it, controls who sees it, and keeps it when the engagement ends.

2. Information collected through the website

The website is a single information page. It does not run analytics or advertising cookies, and it does not host a contact form. You can read the whole site without giving us any personal information.

Personal information only reaches us when you choose to act on it:

  • Email. If you email us, we receive your email address and whatever you include in your message.
  • Booking a conversation. The "Book a conversation" links open Calendly, a third-party scheduling service. Any details you enter there are handled under Calendly's own privacy terms.
  • Video. The page includes a YouTube video that loads only after you click it, using YouTube's privacy-enhanced (no-cookie) mode. YouTube may set cookies once you start playback, under Google's privacy terms.
  • Web fonts. The page loads typefaces from Google Fonts, which means your browser contacts Google's servers to retrieve them.

Calendly, YouTube and Google Fonts are independent services we do not control. We encourage you to review their privacy terms.

3. Information handled through the Wirrah program

When your organisation runs the Wirrah program, information is generated through the weekly check-in, the fortnightly anonymous survey, and the insights report. This can include check-in and survey responses, aggregated trend information, the insights report, and participation records.

The defining feature is where this information lives. All of it is created and stored inside your organisation's own Microsoft 365 environment. Wirrah does not operate an external platform that holds it. At no point do Wirrah, GraceX, or their personnel hold, copy, or transfer this information to an environment outside your tenancy.

4. Data location, ownership and access

Where it is stored

All program data is stored within your organisation's own Microsoft 365 tenancy. For Australian-billed Microsoft 365 tenants, Microsoft stores SharePoint, Exchange, Teams and Forms data at rest within Australian datacentres, consistent with Microsoft's data residency commitments for the Australia geography. Your organisation can verify its data location in the Microsoft 365 Admin Centre.

Who owns it

Your organisation owns all data generated through the program, unconditionally. Ownership is not qualified by any licence, procurement arrangement, or the length of the engagement. Wirrah and GraceX acquire no ownership right over it.

Who can access it

Access is controlled by your organisation's own Microsoft 365 administrator, on a need-to-know basis. Authorised service providers engaged by Wirrah, including the organisational psychologist and technical support, access data only within your tenancy, only to the minimum needed, logged in your tenancy's audit trail, and only for the agreed scope and duration. Neither Wirrah nor GraceX holds standing administrative access to your tenancy.

Encryption

Survey responses are encrypted using AES-256 encryption. The encryption key is generated within your tenancy and does not leave it. Wirrah and GraceX have no access to encryption keys.

5. Indigenous data sovereignty

Wirrah treats Indigenous Data Sovereignty as a governance right, not a compliance box. It is grounded in the United Nations Declaration on the Rights of Indigenous Peoples and operationalised in Australia through the Maiam nayri Wingara Indigenous Data Sovereignty Principles. Our data practices are structured to align with those principles: First Nations data stays under First Nations control, accessible to the organisation that owns it, and accountable to a First Nations majority-owned entity rather than a platform vendor.

The full detail of how Wirrah aligns to each principle is set out in our Data Sovereignty Statement, available as part of the program documentation.

6. Aggregated, de-identified data

Wirrah may compile a sector-level aggregated dataset, but only where a participating organisation gives separate, voluntary, documented consent. Taking part in the program is not consent to contribute, and consent can be withdrawn at any time without affecting access to the program.

Before any data enters the aggregate, it is de-identified so that no individual organisation can be identified or singled out. Funders receive only sector-level reports with no organisation-specific information. Wirrah holds and governs the aggregate dataset as custodian, and no funder or third party becomes a custodian by procuring our services.

7. Disclosure of personal information

We do not sell, rent, or trade personal information. Information may be handled by:

  • GraceX Pty Ltd, which provides the Microsoft 365-native platform infrastructure under a commercial licence agreement with Wirrah, and which is bound by the commitments in this statement through that relationship.
  • The organisational psychologist and technical support engaged under that licence, within the access limits in section 4.

We may also disclose personal information where required or authorised by law.

8. Storing your information overseas

Program data stays within your Microsoft 365 tenancy in Australian datacentres. Some website services are provided by organisations that may process information overseas, including Calendly (scheduling), Google (YouTube and Google Fonts) and Microsoft (email). Where the APPs apply to a cross-border disclosure, we take reasonable steps consistent with APP 8.

9. Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. For program data this rests on the controls above: storage within your own tenancy, access administered by you, AES-256 encryption of survey responses, and no external copies. No method of storage or transmission is completely secure, but the architecture is designed to keep data under your control. In the event of an eligible data breach under the Notifiable Data Breaches scheme, affected individuals and the Office of the Australian Information Commissioner (OAIC) will be notified as required by law.

10. Retention and end of engagement

Program data remains in your Microsoft 365 environment for as long as your organisation keeps it. At the end of an engagement, Wirrah and GraceX remove the technical infrastructure deployed into your tenancy. All data stays in your possession, and Wirrah holds no copies, because the data was never held outside your tenancy. Any contribution previously made to the aggregated dataset remains only in de-identified form.

11. Your rights: access, correction and complaints

You have the right to ask what personal information we hold about you and to ask us to correct it. Because most program data sits inside your own organisation's environment, requests about that data are usually resolved directly with your organisation as the data owner. For information we hold (for example, an email you sent us), contact us using the details below.

If you believe we have mishandled your personal information, you may complain to us, and we will respond. If you are not satisfied, you can escalate to the Office of the Australian Information Commissioner: oaic.gov.au, phone 1300 363 992.

12. Accountability and contact

Wirrah Pty Ltd (ABN 38 696 995 794) is accountable for the commitments in this statement. Tanika Perry, Worimi and Bundjalung woman, Co-Founder and Managing Director, holds 51% of Wirrah and final authority over data governance decisions.

For any privacy enquiry, access or correction request, or complaint, contact:

Wirrah Pty Ltd
Email: tanika@wirrah.com.au

13. Changes to this statement

We may update this statement to reflect changes in our practices, the platform, or the law. The current version will always be published here with a revised "last updated" date. Material changes will be notified where practicable.

This Privacy Statement should be read alongside Wirrah's Data Sovereignty Statement, which sets out the full detail of our Indigenous Data Sovereignty commitments.