We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
Our controls may include access management, MFA where available, least-privilege permissions, encryption in transit, secure backups, monitoring, staff training, and vendor due diligence.
We retain personal information only for as long as needed for the purposes described in this policy (and as required by law), then we delete or de-identify it where reasonable.