Privacy Policy

1.  About this Privacy Policy

KCT Legal Pty Ltd (A.C.N. 676 004 916) (we, us, our) is a Melbourne-based legal practice.

We are committed to protecting your privacy and managing your personal information in an open and transparent way, in accordance with the applicable Australian privacy laws, including the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme.

A copy of the APPs may be obtained from the website of the Office of the Australian Information Commissioner (OAIC) here.

This Privacy Policy applies to all personal information previously or currently provided to us, or collected by us, in connection with:

  • the provision of legal or related services;

  • your dealings or relationship with us; and

  • your use of our website, social media pages and any online portal we operate (together, Online Services).

Please review this Privacy Policy carefully. It explains how we collect, use, disclose and otherwise handle personal information and the steps we take to protect it. It does not cover our client confidentiality obligations (which are set out in our retainers and terms of engagement).

By engaging us or using our Online Services, you agree to the handling of your personal information as set out in this Privacy Policy.

2.  What is “personal information”?

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not (as defined in the Privacy Act).

Examples of personal information we collect include:

  • Identity and contact details – name, title, date of birth, gender, addresses, email address, telephone numbers

  • Client and matter details – information about your legal issues, instructions, objectives, background and relationships relevant to your matter

  • Government identifiers – driver licence details, passport details, Medicare number, tax file number (TFN) where permitted and other identity documentation

  • Business information – job title, employer or business name, business contact details, authority/role and any relevant professional or trade licences or registrations

  • Financial information – bank account details, credit card details, payment history, records of invoices and accounts

  • Interaction information – records of communications and interactions with you (including emails, file notes, correspondence, call logs and attendance notes)

  • Online activity information – device identifiers, IP address, browser type, time zone, pages viewed, referring/exit pages and other usage information collected via cookies, log files and similar technologies (see section 7 below)

We may also collect personal information about individuals associated with you, such as your employees, contractors, business partners, family members, opposing parties, witnesses and other persons relevant to a matter. You should ensure that any such individuals are aware that you are providing their personal information to us and direct them to this Privacy Policy.

3.  What is “sensitive information”?

“Sensitive information” is a subset of personal information and includes information about a person’s:

  • racial or ethnic origin;

  • political opinions or memberships;

  • religious or philosophical beliefs;

  • trade union or professional association memberships;

  • sexual orientation or practices;

  • criminal record; and

  • health or disability information.

Because of the nature of legal practice, we may need to collect sensitive information where it is relevant to your matter (for example, health information for a personal injury claim or criminal history for a criminal law or employment matter).

We only collect sensitive information where:

  • it is reasonably necessary for, or directly related to, our functions or activities; and

  • we have your consent, or we are otherwise permitted or required by law to do so.

4.  How do we collect personal information?

We collect personal information in a number of ways, including:

  • directly from you, for example when you:

    • contact us by telephone, email, post or via our Online Services;

    • attend our offices or meet with us;

    • provide us with instructions or documents; or

    • subscribe to our mailing lists, updates or events;

  • from third parties in connection with a matter (for example, other parties, their legal or other advisers, courts and tribunals, government agencies, regulators, professional bodies, insurers, experts and service providers);

  • from publicly available sources (for example, company registers, land titles offices, Australian Securities & Investments Commission (ASIC), social media and other online publications); and

  • automatically through your use of our Online Services, including via cookies and similar technologies (see section 7).

5.  Why do we collect, use and disclose personal information?

We collect, use and disclose personal information for purposes reasonably necessary for, or directly related to, our functions and activities as a legal practice, including to:

  • assess whether we can act for you, including conflict checks;

  • provide legal and related services to you;

  • manage our relationship with you and administer files, billing and accounts;

  • verify your identity and comply with our legal, regulatory and professional obligations (for example, under anti-money laundering, counter-terrorism financing, sanctions, professional conduct and trust accounting requirements);

  • respond to enquiries, complaints and other communications;

  • manage, improve and develop our business and Online Services, including through analytics and research;

  • send you legal updates, alerts, newsletters, event invitations and other marketing communications (see section 6 below); and

  • otherwise carry out functions and activities you would reasonably expect in connection with our dealings with you.

We may also use and disclose personal information for secondary purposes where:

  • you have consented;

  • the secondary purpose is related (or, for sensitive information, directly related) to the primary purpose and you would reasonably expect such use or disclosure; or

  • we are required or permitted by law, court/tribunal order or regulatory authority to do so.

We do not use solely automated decision-making to make decisions that have a significant impact on you; any such decisions involve human review.

6.  Direct marketing

We may use your personal information to send you communications about:

  • legal developments;

  • publications, alerts and newsletters;

  • events, webinars and seminars; and

  • services that we think may be of interest to you.

You may opt out of receiving marketing communications from us at any time by using the unsubscribe facility in our emails, or contacting us using the details set out in section 14.

Even if you opt out of marketing communications, we may still contact you for non-marketing purposes (for example, in relation to your file, billing or a legal obligation).

We do not sell or rent your personal information to third parties for their own marketing purposes.

7.  Cookies, analytics and online data collection

When you use our Online Services, we may collect information about your device and usage patterns using technologies such as cookies, log files, web beacons, tags and pixels.

This information may include:

  • your IP address;

  • browser type and version;

  • device identifiers;

  • operating system;

  • pages viewed, links clicked, time and date of visits and referring/exit pages; and

  • other technical and usage information.

We may use this information to:

  • operate, maintain and improve our Online Services;

  • understand how visitors use our Online Services;

  • measure the effectiveness of our communications and marketing; and

  • personalise content we display.

We may use third-party analytics and advertising tools (for example, Google Analytics) in connection with our Online Services. These providers may collect or receive information from our Online Services and use that information to provide services to us. For more information about how Google uses personal information, please refer to Google’s privacy materials, and to opt out you can use tools such as the Google Analytics opt-out browser add-on.

You can usually control cookies through your browser settings (for example, by blocking or deleting cookies). However, if you disable cookies, some features of our Online Services may not function properly.

8.  Disclosure of personal information to third parties

We may disclose personal information to third parties where reasonably necessary for the purposes described in this Privacy Policy, including to:

  • courts, tribunals, mediators and arbitral bodies;

  • government agencies, regulators, law enforcement bodies and professional bodies (for example to update ASIC records or where required under anti-money laundering and counter-terrorism laws);

  • other/opposing parties and their legal and other advisers;

  • service providers who assist us in the operation of our business and in providing legal services to you, such as:

    • barristers, experts, consultants and other professional advisers;

    • external lawyers who we contract to assist in your matter;

    • IT, website hosting, cloud storage and data processing providers;

    • business advisers (such as accountants, auditors and lawyers);

    • insurers;

    • practice management, document management and email services providers;

    • mailing houses, marketing and communications providers;

    • function and event organisers;

    • marketing and communications agencies;

    • delivery and shipping providers; and

    • data analytics and cyber-security providers;

  • financial institutions for payment processing;

  • credit reporting bodies (Equifax) and credit providers; and

  • any person to whom you authorise us to disclose your information, or to whom we are required or permitted by law to disclose it.

In each case, we may disclose personal information to the service provider and the service provider may in turn provide us with personal information collected from you in the course of providing the relevant products or services.

These third parties are only authorised to use or disclose your personal information for the purposes for which we engage them and must handle your personal information in accordance with applicable privacy laws and contractual obligations.

We may also share your personal information within our organisation and the members of our group of companies (including, but not limited to, any related entity as defined in the Corporations Act 2001 (Cth)).

Overseas disclosure

Some of our service providers or other recipients may be located outside Australia, or may store personal information on servers located overseas or hosted outside Australia.

Where we disclose personal information to overseas recipients, we will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information, or that another permitted exception under the Privacy Act applies.

By providing us with personal information, you acknowledge that your personal information may be disclosed to overseas recipients on this basis, and some of these countries outside Australia may not offer the same level of protection as Australia.

9.  Security and storage of personal information

We take reasonable steps to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by APP 11 and related guidance.

Measures we use include a combination of:

  • physical safeguards (such as secure premises, restricted access areas and locked cabinets);

  • technical safeguards (such as password-protected systems, encryption, firewalls, access logs and regular backups); and

  • organisational safeguards (such as policies and procedures, staff training and confidentiality obligations).

However, no method of transmission over the internet or method of electronic storage is completely secure. While we use reasonable efforts to protect your personal information, we cannot guarantee absolute security and any transmission is at your own risk.

We retain personal information:

  • for as long as necessary to provide our services and manage our relationship with you; and

  • for the period required or permitted by law, professional rules and our internal policies (which, for most client files, will be at least 7 years after closure of your matter, and often longer in some circumstances).

When we no longer need personal information for any permitted purpose, and we are not required by law to retain it, we will take reasonable steps to destroy or de-identify it.

10. Access and Correction

You have the right to access and request correction of personal information that we hold about you, subject to certain exceptions under the Privacy Act (for example, where giving access would unreasonably impact the privacy of others, be unlawful, breach legal professional privilege or prejudice enforcement activities).

If you wish to access or correct your personal information, please contact us in writing using the details in section 14. We may require you to verify your identity before processing any access or correction requests, to make sure that the personal information we hold is properly protected. There may be fees payable by you in order to complete this verification step.

We will respond to your request within a reasonable time.

We will not charge any fee for your access request but may charge an administrative fee for providing a copy of your personal information to a third party with your consent.

If we decline your request in whole or in part, we will provide you with written reasons and information about how you can complain or seek a review of our decision.

11. Data breaches and the Notifiable Data Breaches scheme

We are required to take reasonable steps to protect the personal information we hold. Where a data breach occurs (for example, lost or stolen devices, unauthorised access, disclosure or hacking), we will assess and respond in accordance with the NDB scheme under the Privacy Act.

If an eligible data breach occurs that is likely to result in serious harm to you or other affected individuals, we will:

  • take reasonable steps to contain and remediate the breach;

  • notify you and the OAIC as required by the NDB scheme; and

  • provide you with information about the breach and recommended steps you can take to protect yourself.

12. Social media, photographs and recordings

From time to time, we may wish to use photographs, video or other images (for example, taken at events, seminars or in our office) that identify individuals in our marketing or educational materials (including on our website and social media pages).

We will only publish such material where:

  • it is lawful to do so; and

  • we have obtained any consent required by law or our professional obligations (including, where appropriate, consent from a parent or guardian for individuals under the age of consent).

If you do not wish us to use an image of you, or you would like us to remove content that identifies you where reasonably practicable, please contact us using the details in section 14.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, our operations or best practice. When we do so, we will publish the updated version on our website with a new “Last updated” date.

We encourage you to review this Privacy Policy periodically.

Your continued use of our services or Online Services after an updated Privacy Policy is posted constitutes your acceptance of the updated terms.

14. Questions, concerns and complaints

If you have any questions about this Privacy Policy, or if you wish to make a complaint about how we have handled your personal information, please contact us:

Mail: KCT Legal Privacy Officer, at Level 14, 350 Queen Street, Melbourne, Victoria 3000

Email: info@kctlegal.com.au

Telephone: +61 3 9670 6484

We will consider and respond to your complaint in writing within a reasonable period (usually within 28 days). We may request further information from you to help us investigate and respond.

If you are not satisfied with our response, you can raise your concerns or complaints with the OAIC (see here for further information about how to contact the OAIC and the types of complaints it can handle).

Last updated: March 2026