Data Policy

How Assabvision Growth Advisory handles client financial and operational data.

This Data Policy explains how we manage, protect and use client financial and operational data in the course of our advisory work. It is designed to complement our Privacy Policy, which focuses on personal information, and our Cookie Policy, which explains how we use cookies on this website.

We recognise that the information you share with us can be commercially and strategically sensitive. We treat that data with care and handle it only for agreed purposes.

Last updated: 2025

Data as the basis for better decisions

Our work is built on making sense of your numbers, not owning them. We aim to leave you with clearer insight, practical tools and a strong foundation for ongoing analysis.

1. Scope of this Data Policy

This Policy applies to financial, operational and related business data that clients and prospective clients share with Assabvision Growth Advisory in connection with our advisory work. This may include data provided directly by you or collected from your systems with your knowledge and consent.

This Policy should be read in conjunction with our Privacy Policy, which explains how we handle personal information, and our Cookie Policy, which explains how we use cookies and similar technologies on our website.

Where we enter into a specific engagement with your organisation, additional contractual terms may apply. If there is any inconsistency between this Policy and those engagement terms, the engagement terms may prevail to the extent of the inconsistency.

1.1 Who “we” are

In this Policy, “we”, “us” and “our” refer to Assabvision Growth Advisory, based in Richmond, Victoria, Australia:

If you have questions about this Policy or how it applies to your organisation, please contact us using the details above.

2. Types of data we may handle

The data we work with varies between engagements, depending on the questions we are helping you answer. It may include, for example:

2.1 Financial data

  • Profit and loss statements and balance sheets;
  • Cashflow reports and forecasts;
  • Revenue, margin and cost breakdowns;
  • Budgeting, planning and scenario models.

2.2 Operational and commercial data

  • Segment, product, service line or region performance data;
  • Pipeline, utilisation or project analytics;
  • Pricing, contract and commercial structure information;
  • Other operational metrics that support decision-making.

2.3 Limited personal data within business records

In some cases, financial or operational data may indirectly include personal information (for example, where employee or customer identifiers appear in underlying records). Our handling of such personal information is also covered by our Privacy Policy.

2.4 Data we usually do not seek

We generally do not require sensitive personal information to perform our work. Where it is possible to provide data in aggregated, anonymised or otherwise minimised form, we encourage that approach.

If you believe a particular dataset may raise additional privacy or confidentiality considerations, please discuss this with us so we can agree an appropriate approach before sharing it.

3. How we use client data

We use client data solely for purposes that are directly connected to our advisory work and the operation of our business. These purposes may include:

  • Understanding your organisation’s financial and operational position;
  • Developing analysis, scenarios and insights that inform strategic decisions;
  • Preparing materials for leadership, board or investor discussions;
  • Designing and refining dashboards, models and reporting frameworks;
  • Tracking the impact of agreed initiatives and changes over time;
  • Meeting our legal, regulatory and professional obligations.

We do not use your confidential client data for unrelated purposes, such as marketing to third parties or developing generic products, without your knowledge and agreement.

3.1 Aggregated and de-identified insights

We may use aggregated or de-identified information (where individuals and specific organisations are not identified or reasonably identifiable) to improve our methods, prepare general insights or share high-level trends.

When information is aggregated or de-identified in this way, it is no longer treated as client data under this Policy.

4. Data sources and minimisation

We aim to work with data in a way that is efficient, proportionate and respectful of confidentiality.

4.1 How we obtain data

We typically receive data:

  • Directly from you or your authorised team members;
  • From exports or reports generated by your systems;
  • From other advisers or stakeholders where you have authorised sharing.

4.2 Data minimisation

Wherever practical, we encourage the use of:

  • Aggregated or summarised data instead of detailed records;
  • Pseudonymised or anonymised identifiers where possible;
  • Limited time ranges and fields that are sufficient for the agreed purpose.

4.3 Your responsibility as data owner

You remain the primary owner and controller of your data. We ask that you share data with us in a manner that is lawful, authorised within your organisation and consistent with any obligations you have to third parties.

If specific restrictions or internal policies apply to certain datasets, please let us know so we can factor this into our approach.

5. Security and access control

We implement reasonable technical and organisational measures aimed at protecting client data from unauthorised access, misuse, loss or disclosure. These measures may include:

  • Access controls for systems and files that contain client data;
  • Sensible password and device security practices;
  • Use of reputable cloud and software providers;
  • Limiting access to team members who need data for their work;
  • Secure sharing channels, where appropriate, for sensitive information.

While we take these measures seriously, no method of storage or transmission can be guaranteed to be fully secure. We encourage clients to consider their own security policies and to use secure channels when sharing particularly sensitive data.

5.1 Access within Assabvision

Access to client data is limited to those within Assabvision who need it to deliver the agreed work, support internal quality review or manage our risks and obligations.

Where we engage trusted third-party service providers (for example, for IT or storage services), we seek to work with providers who apply appropriate security and privacy standards.

6. Storage locations and international transfers

Client data may be stored on systems located in Australia or in other countries, depending on the location of our service providers and tools. We aim to work with providers that have strong security credentials and appropriate privacy protections in place.

If you have specific requirements about where data is stored or processed (for example, sector or regulatory constraints), please raise these with us so that we can consider them in our choice of tools and approach.

6.1 Transfers to third-party providers

Where client data is handled by third-party providers, we seek to ensure that appropriate contractual or other safeguards are in place, consistent with applicable legal and professional obligations.

If a particular provider or data flow is a concern for your organisation, we will work with you to explore alternatives where reasonable.

7. Retention and deletion of client data

We keep client data for as long as reasonably necessary to:

  • Deliver the agreed engagement and associated work;
  • Maintain records of advice and analysis for professional and legal reasons;
  • Manage potential queries, disputes or follow-on work;
  • Comply with applicable legal, regulatory or professional obligations.

When client data is no longer needed, we take reasonable steps to securely delete, archive or de-identify it, taking into account our obligations and any practical constraints of the systems involved.

7.1 Client requests regarding data

If you would like us to delete or return certain client data at the end of an engagement, please raise this with us. In many cases we will be able to honour such requests, subject to any legal or professional record-keeping requirements.

We recommend discussing retention expectations as part of our initial scoping and engagement process, especially for projects involving particularly sensitive data.

8. Client instructions, rights and collaboration

We see data handling as a shared responsibility between Assabvision and our clients.

8.1 Your instructions

We handle client data in line with:

  • The engagement scope and objectives we have agreed with you;
  • Any specific written instructions you provide regarding data use;
  • Applicable laws, professional obligations and this Data Policy.

8.2 Your rights and options

Subject to applicable law and our own obligations, you may be able to:

  • Request information about how your data is being used in a given project;
  • Ask us to correct errors in data we hold that you have provided;
  • Request that certain datasets be deleted or returned;
  • Raise concerns or complaints about how your data has been handled.

8.3 How to raise questions or concerns

If you have questions or concerns about this Policy or our handling of client data, please contact us:

We will do our best to respond promptly and work with you to address any issues in a constructive way.

9. Data incidents and changes to this Policy

9.1 Data incidents

In the unlikely event of a data incident affecting client data (for example, unauthorised access or loss), we will assess the situation and, where appropriate:

  • Take reasonable steps to contain and investigate the incident;
  • Consider any legal or regulatory notification requirements;
  • Inform affected clients where it is appropriate to do so and work with you on next steps.

9.2 Changes to this Data Policy

We may update this Data Policy from time to time, for example to reflect changes in our practices, tools or legal obligations. When we do, we will update the “Last updated” date at the top of this page.

If changes are material and directly affect how we handle your data in an ongoing engagement, we will take reasonable steps to bring those changes to your attention.

9.3 Related documents

Please read this Data Policy together with our other legal and information-handling documents:

  • Privacy Policy – how we handle personal information.
  • Cookie Policy – how we use cookies on this website.
  • Disclaimer – important information about using this website.

Together, these documents aim to give you a clear picture of how we approach data, confidentiality and information across our work.