Compliance and data trust
HypaBase is built on one promise: always public, always compliant, never fabricated. Every company signal we show comes from a source that is openly published or that we are licensed to use. Each signal is stamped with where it came from and is checked against your suppression list before you ever see it. We do not buy contact lists, we do not scrape behind logins, and we do not use leaked or private data. If a signal cannot be obtained lawfully and within its terms, we do not use it.
43 of 46 sources are cleared for use; the rest are held until a licence or legal review clears them. See the full list of every website we read.
Each obligation below maps to a specific mechanism we actually run, not a promise.
Any address that resolves to a private, loopback, link-local or metadata IP range.
Why: A public-data crawler must never be steered at internal infrastructure (SSRF).
Enforced by: Single audited egress path with an allowlist + per-address private-IP revalidation.
Anything behind a login or paywall, and social-network profile HTML (e.g. LinkedIn pages).
Why: Only what a company or government chose to publish openly is fair to use.
Enforced by: Adapters read public pages / APIs only; profile HTML is never fetched.
URLs a site disallows in its robots.txt, and content past our fetch caps.
Why: We respect a publisher’s stated crawl preferences.
Enforced by: robots.txt is checked and byte / time caps are enforced before any fetch.
Companies on your suppression list or that have asked not to be contacted.
Why: Suppression is authoritative and checked before anything reaches a rep.
Enforced by: Suppression-first ranking runs on every read; opt-out writes a global suppression row.
Consumer records, and bare personal names / emails with no business role.
Why: This is a B2B tool; individuals and sole-trader personal data get stricter handling.
Enforced by: An individual-record gate routes sole-trader / personal records to human review.
Aggregated contact lists and any feed whose licence or provenance we cannot verify.
Why: If we cannot say where a datum came from and that we may use it, we do not use it.
Enforced by: Sources stay held (review_needed) until cleared; provenance is stamped on every datum.
Guessed domains, pattern-guessed emails, and AI-extracted URLs not seen on a real page.
Why: A guess presented as a fact is a data-integrity failure.
Enforced by: Values without a real source are dropped; unverified AI URLs are marked unverified.
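The private-IP rule above (an allowlist plus per-address revalidation), sketched in Python as an added example; it is not HypaBase's code. The allowlist, function names and sample addresses are constructed, and the resolver is passed in so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist; the page does not publish the real one.
ALLOWED_HOSTS = {"www.example.com", "register.example.org"}

class EgressDenied(Exception):
    """The fetch target failed the egress policy."""

def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it reaches.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # False for private, loopback, link-local (incl. 169.254.169.254), CGNAT, reserved.
    return ip.is_global

def system_resolver(host):
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})

def vet_target(url, resolve=system_resolver):
    """Return the vetted IPs to connect to, or raise EgressDenied."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise EgressDenied(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise EgressDenied(f"host not on allowlist: {host!r}")
    addrs = resolve(host)
    # Check every record: one internal address in a mixed answer denies the fetch.
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad or not addrs:
        raise EgressDenied(f"{host} has no usable public address: {bad}")
    return addrs

def flipping_resolver(answers):
    it = iter(answers)  # constructed resolver: a different answer on each lookup
    return lambda host: next(it)

if __name__ == "__main__":
    # Constructed data: the name is public at first, then re-points to loopback.
    dns = flipping_resolver([["93.184.216.34"], ["127.0.0.1"]])
    print(vet_target("https://www.example.com/about", dns))
    try:
        vet_target("https://www.example.com/about", dns)  # revalidation before connect
    except EgressDenied as exc:
        print("denied:", exc)
```

The returned addresses are the ones the fetcher should connect to, rather than resolving the name a second time, and the same check applies again to every redirect target.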
Large contact-data aggregators assemble personal records from many upstream sources, and for any given record it is often impossible to see where it came from or on what basis it was collected. That provenance gap is exactly what Australian privacy law cares about. HypaBase takes the opposite approach: public-first, provenance-pure. Every signal traces back to a page you can open yourself. If we cannot tell you where a piece of data came from, we do not show it. That is why, at this stage, we have chosen not to build on aggregator feeds such as ZoomInfo, Apollo or Lusha.
The federal law governing how personal information is handled in Australia.
The 13 principles at the core of the Privacy Act, published by the OAIC.
Rules for commercial electronic messages (email, SMS).
The register of numbers that must not be cold-called.
What must happen if personal information is compromised.
Yes. We work within the Privacy Act and the Australian Privacy Principles, the Spam Act, and the Do Not Call Register. We use only public or licensed data, we stamp provenance on every signal, we check suppression first, and we never fabricate.
You can check it. Every signal shows its source URL, an excerpt, and the date we saw it, so you can open the original page yourself. The ranking runs on fixed, transparent rules, not an opaque model.
Yes. The table above maps each Australian Privacy Principle, plus the Spam Act and Do Not Call obligations, to the specific mechanism we use to meet it.
No. Your data is never sold and never shared between clients. It is used only inside your own account. A small number of contracted infrastructure sub-processors help us run the service, and we can provide that list on request.
From public registers and directories, from companies’ own websites (respecting robots.txt), and from a small number of licensed, key-gated feeds. The full list of websites we read is published on our sources page.
No. We do not use leaked, paywalled, dark-web, or purchased aggregator lists. If we cannot say where a datum came from and that we may use it, we do not use it.
Email [email protected]. We verify your identity, respond within 30 days, and can show you what we hold and where it came from, correct anything wrong, or remove you entirely.
No. HypaBase is a B2B tool. Named business contacts are treated as personal information and handled accordingly; consumer records are out of scope.
We are Australia-first. Where GDPR or UK GDPR applies, we honour those data-subject rights and use appropriate transfer safeguards.
We use AI for one narrow task: reading the text of a public page into structured fields. Personal information is stripped before anything is sent to the model, the provider operates under zero-retention terms, the model never invents data, and it never decides who qualifies.
See what we hold and where it came from, correct a signal that is wrong or out of date, or have your company removed and opt out of contact entirely. We verify identity before releasing any details and respond within 30 days.
This page is provided for information and does not constitute legal advice. For independent guidance on your obligations, or to make a privacy complaint, contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Questions? Email [email protected].