HypaBase

Compliance and data trust

How we know the data is safe, and how we keep it lawful.

HypaBase is built on one promise: always public, always compliant, never fabricated. Every company signal we show comes from a source that is openly published or that we are licensed to use, is stamped with where it came from, and is checked against your suppression list before you ever see it. We do not buy contact lists, we do not scrape behind logins, and we do not use leaked or private data. If a signal cannot be obtained lawfully and within its terms, we do not use it.

Sources in the network: 46
Cleared for use: 43
Public websites read: 76
Held for review: 3

43 of 46 sources are cleared for use; the rest are held until a licence or legal review clears them. See the full list of every website we read.

01 How HypaBase meets Australian data rules

Each obligation below maps to a specific mechanism we actually run, not a promise.

APP 1 - Open and transparent management
Obligation: Have a clear, up-to-date privacy policy and a way to contact us.
Mechanism: This page plus our privacy policy, with a named contact at [email protected].

APP 3 - Collection of personal information
Obligation: Only collect what is reasonably necessary, by lawful and fair means.
Mechanism: We collect only business-relevant, B2B information, and only from public sources, public registers, or feeds we are licensed to use.

APP 5 - Notification of collection
Obligation: Tell people what we collect and why.
Mechanism: This page and our privacy policy are the standing notice of what we collect and why.

APP 6 - Use and disclosure
Obligation: Use information only for the purpose it was collected.
Mechanism: Data is used only inside the client account it was gathered for. It is never sold and never shared between clients.

APP 7 - Direct marketing
Obligation: Publicly available business information may be used for marketing, but a simple opt-out must be offered.
Mechanism: We use only public business information, and we honour a simple opt-out on request. Suppression is authoritative and checked before anything reaches a rep.

APP 10 - Quality of information
Obligation: Take reasonable steps to keep information accurate and up to date.
Mechanism: We never fabricate. Every signal carries its source URL, an excerpt, and an observed date, and any AI-read URL that is not present on a real page is dropped.

APP 11 - Security
Obligation: Protect information from misuse, loss and unauthorised access.
Mechanism: Encryption in transit and at rest, and a single audited egress path that can only reach approved public destinations.

APP 12 & 13 - Access and correction
Obligation: Let people see and correct the personal information we hold about them.
Mechanism: Email [email protected] to see, correct, or remove what we hold. We verify identity first and respond within 30 days.

Spam Act 2003
Obligation: Commercial electronic messages need consent, identification, and an unsubscribe.
Mechanism: You remain the sender of any outreach. We keep your suppression list authoritative so an unsubscribe is honoured everywhere.

Do Not Call Register Act 2006
Obligation: Do not call numbers on the Do Not Call Register.
Mechanism: We do not publish or list phone numbers as a calling list. You wash your own calling list against the register before dialling.

02 What we block, and why

Private & internal networks

Any address that resolves to a private, loopback, link-local or metadata IP range.

Why: A public-data crawler must never be steered at internal infrastructure (SSRF).

Enforced by: Single audited egress path with an allowlist + per-address private-IP revalidation.
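An added sketch of what an allowlist plus per-address revalidation can look like in a crawler's egress path; it is not HypaBase's own code. The allowlist entries, function names and sample addresses are constructed for illustration, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real one lists the approved sources.
ALLOWED_HOSTS = {"register.example.gov.au", "www.example.com"}

def is_public_ip(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    # is_global rejects private, loopback, link-local (which covers the
    # 169.254.169.254 metadata address) and shared 100.64.0.0/10 space.
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)

def resolve_host(host):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_destination(url, resolve=resolve_host):
    """Return (True, vetted_ips) or (False, reason) for one outbound URL.

    Run it for the first request and again for every redirect hop. The
    caller connects to one of the returned IPs instead of resolving the
    name a second time, so a changed DNS answer cannot slip past the check.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    addrs = resolve(host)
    if not addrs:
        return False, "name did not resolve"
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:  # one non-public address is enough to refuse the name
        return False, f"non-public address for {host}: {blocked}"
    return True, addrs
```

The allowlist alone is not sufficient, because an approved name can still resolve to an internal address; checking every resolved address closes that gap.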

Logins, paywalls & scraped social HTML

Anything behind a login or paywall, and social-network profile HTML (e.g. LinkedIn pages).

Why: Only what a company or government chose to publish openly is fair to use.

Enforced by: Adapters read public pages / APIs only; profile HTML is never fetched.

Robots-disallowed pages

URLs a site disallows in its robots.txt, and content past our fetch caps.

Why: We respect a publisher’s stated crawl preferences.

Enforced by: robots.txt is checked and byte / time caps are enforced before any fetch.

Suppressed & opted-out companies

Companies on your suppression list or that have asked not to be contacted.

Why: Suppression is authoritative and checked before anything reaches a rep.

Enforced by: Suppression-first ranking runs on every read; opt-out writes a global suppression row.

Individuals & consumer data

Consumer records, and bare personal names / emails with no business role.

Why: This is a B2B tool; individuals and sole-trader personal data get stricter handling.

Enforced by: An individual-record gate routes sole-trader / personal records to human review.

Unlicensed or unclear-provenance feeds

Aggregated contact lists and any feed whose licence or provenance we cannot verify.

Why: If we cannot say where a datum came from and that we may use it, we do not use it.

Enforced by: Sources stay held (review_needed) until cleared; provenance is stamped on every datum.

Fabricated or guessed data

Guessed domains, pattern-guessed emails, and AI-extracted URLs not seen on a real page.

Why: A guess presented as a fact is a data-integrity failure.

Enforced by: Values without a real source are dropped; unverified AI URLs are marked unverified.

03 Why we avoid contact-data aggregators

Large contact-data aggregators assemble personal records from many upstream sources, and for any given record it is often impossible to see where it came from or on what basis it was collected. That provenance gap is exactly what Australian privacy law cares about. HypaBase takes the opposite approach: public-first, provenance-pure. Every signal traces back to a page you can open yourself. If we cannot tell you where a piece of data came from, we do not show it. That is why, at this stage, we have chosen not to build on aggregator feeds such as ZoomInfo, Apollo or Lusha.

04 The Australian rules, and where to read them

05 Frequently asked questions

Is your data compliant?

Yes. We work within the Privacy Act and the Australian Privacy Principles, the Spam Act, and the Do Not Call Register. We use only public or licensed data, we stamp provenance on every signal, we check suppression first, and we never fabricate.

How can I trust this?

You can check it. Every signal shows its source URL, an excerpt, and the date we saw it, so you can open the original page yourself. The ranking runs on fixed, transparent rules, not an opaque model.

Does this align with Australian law?

Yes. The table above maps each Australian Privacy Principle, plus the Spam Act and Do Not Call obligations, to the specific mechanism we use to meet it.

Do you share my data?

No. Your data is never sold and never shared between clients. It is used only inside your own account. A small number of contracted infrastructure sub-processors help us run the service, and we can provide that list on request.

Where do you get your data?

From public registers and directories, from companies’ own websites (respecting robots.txt), and from a small number of licensed, key-gated feeds. The full list of websites we read is published on our sources page.

Do you use unlawful or undisclosed sources?

No. We do not use leaked, paywalled, dark-web, or purchased aggregator lists. If we cannot say where a datum came from and that we may use it, we do not use it.

How do I opt out, access, or correct my data?

Email [email protected]. We verify your identity, respond within 30 days, and can show you what we hold and where it came from, correct anything wrong, or remove you entirely.

Do you hold consumer data?

No. HypaBase is a B2B tool. Named business contacts are treated as personal information and handled accordingly; consumer records are out of scope.

What about the EU or UK?

We are Australia-first. Where GDPR or UK GDPR applies, we honour those data-subject rights and use appropriate transfer safeguards.

Do you use AI, and is it safe?

We use AI for one narrow task: reading the text of a public page into structured fields. Personal information is stripped before anything is sent to the model, the provider operates under zero-retention terms, the model never invents data, and it never decides who qualifies.

06 Request your data, a correction, or removal

See what we hold and where it came from, correct a signal that is wrong or out of date, or have your company removed and opt out of contact entirely. We verify identity before releasing any details and respond within 30 days.

This page is provided for information and does not constitute legal advice. For independent guidance on your obligations, or to make a privacy complaint, contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Questions? Email [email protected].