Last Updated: April 23, 2026
1. Scope and Controller
This Privacy Policy describes how Lazarus Co Pty Ltd (ABN 53 697 874 258; ACN 697 874 258) ("Lazarus Co", "we", "us", "our"), a company registered in Australia, collects, uses, discloses, and protects personal information in connection with the Ganttastic application (the "Service"). It applies to all users of the Service and to all related websites, apps, and integrations we operate.
For the purposes of the General Data Protection Regulation (EU) 2016/679 and the UK GDPR (together, "GDPR") and the Privacy Act 1988 (Cth), Lazarus Co Pty Ltd is the data controller for the processing activities described in this Policy regarding your account and billing data. However, where you upload or process third-party personal data within your project charts and tasks, you are the controller of that data, and we act solely as the data processor on your behalf.
2. Categories of Personal Information We Process
Depending on how you use the Service, we process the following categories of information:
- Account and Profile Data: name, email address, organisation, role, Single Sign-On (SSO) identifiers and profile image if provided by your identity provider.
- Subscription and Billing Data: billing contact details, billing address, tax information, subscription tier, transaction identifiers, payment method token and the last four digits of the payment card. We do not collect or store full payment card numbers; payments are processed by a PCI-DSS compliant provider using tokenisation.
- Usage and Diagnostic Data: feature usage, in-app event telemetry, performance metrics, crash logs and support interactions.
- Device and Network Data: IP address, user agent, time zone, language, referrer URL, cookie identifiers and similar technologies.
- Content You Provide: project data, attachments, comments and any other content you upload or enter into the Service.
We may also process Aggregated or De-identified Data that does not identify an individual. Aggregated data is not personal information.
3. Sources of Personal Information
- Directly from you when you register, subscribe, configure settings, contact support or otherwise interact with the Service.
- Automatically from your devices through cookies, SDKs and similar technologies when you access the Service.
- From third parties where authorised, for example identity providers for SSO and payment processors for transaction confirmation.
4. Purposes and Lawful Bases for Processing
We process personal information only where an applicable lawful basis exists.
- Provide and operate the Service (contract performance): create and manage accounts, deliver features, provide SSO, process subscriptions, issue invoices and notifications, and provide customer support.
- Security, fraud prevention and abuse detection (legitimate interests; legal obligations): protect user accounts, monitor for suspicious activity, ensure availability and integrity, and maintain audit logs.
- Service analytics and product improvement (legitimate interests; consent where required): measure engagement, troubleshoot, and improve usability and performance. We place non-essential cookies and similar technologies only with consent where required by law.
- Marketing communications (consent; legitimate interests where permitted): send product updates and event information. You can opt out at any time.
- Legal compliance (legal obligations): comply with tax, accounting and regulatory requirements, and respond to lawful requests.
Where we rely on legitimate interests, we balance our interests against your rights and reasonable expectations.
5. Cookies and Similar Technologies
We use essential cookies to make the Service work and, subject to your consent where required, analytics and functional cookies to enhance your experience. You can manage preferences through your browser settings or any consent manager we provide. Blocking certain cookies may impact functionality.
6. Payments
Paid subscriptions are processed by an independent, PCI-DSS compliant payment processor. Your payment details are submitted directly to that processor. We receive a non-sensitive payment token and limited metadata to manage your subscription and comply with our obligations.
7. Hosting, Storage and Subprocessors
7.1 Primary data storage (Sydney, Australia)
Your account data and Your Content are stored at rest in Google Cloud Firestore in Google's Sydney region (australia-southeast1), located in New South Wales, Australia. Data is replicated within Google's designated Australian zones for resilience and availability. Customer data sovereignty remains in Australia.
7.2 Application compute (Singapore)
The application layer that serves requests to the Service runs on Google Cloud App Hosting in Google's Singapore region (asia-southeast1). Request processing is stateless: compute in Singapore reads from and writes to the Sydney database region, but customer data is held at rest and backed up in Australia as described in section 7.1.
7.3 Role of Google
For hosting, compute and database services, Google acts as our processor (subprocessor) under the Google Cloud Data Processing Addendum, which forms part of our agreement with Google. Those terms incorporate recognised data transfer mechanisms and require appropriate security controls, including encryption at rest and in transit, access controls and logging.
7.4 Other service providers
We use additional third-party processors to support identity, analytics, communications, customer support and other operational needs. These providers are engaged under written contracts that restrict processing to our documented instructions and require appropriate security.
We maintain a current list of our subprocessors, which is available on request by contacting admin@ganttastic.com.
8. International Data Transfers
As described in section 7.2, certain processing activities (including application compute and some subprocessors) occur outside Australia. Before disclosing personal information to an overseas recipient, we take steps that are reasonable in the circumstances to ensure the recipient does not breach the Australian Privacy Principles in relation to that information, as required by Australian Privacy Principle 8. Where personal information is transferred from the EU or UK, we rely on recognised transfer mechanisms including European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum.
9. Security and Breach Notification
We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, role-based permissions, least-privilege administration, network segregation, vulnerability management and monitoring. No method of transmission or storage is entirely secure; we continuously assess and improve our safeguards.
In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authorities within 72 hours of becoming aware of the breach, in compliance with GDPR. We will also notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where required under the Australian Notifiable Data Breaches (NDB) scheme.
10. Data Retention
We retain personal information for as long as necessary to deliver the Service, fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes and enforce agreements. Specific retention periods include:
- Billing and Financial Records: Retained for up to 7 years to comply with applicable Australian tax and accounting laws.
- Backup Data: Retained within Google Cloud Firestore's rolling 7-day point-in-time recovery window, after which earlier backup snapshots are automatically overwritten.
Where feasible, we anonymise or securely delete data when it is no longer required.
11. Your Rights
Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing, and to data portability. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing. You also have the right to lodge a complaint with your local supervisory authority — in Australia, the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We respond to all verifiable requests within statutory timeframes.
12. Do Not Track
Your browser may offer a "Do Not Track" signal. There is no industry standard governing DNT signals. We do not alter our practices in response to DNT at this time. We will honour legally required opt-out mechanisms where applicable.
13. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.
14. Changes to This Policy
We may update this Policy to reflect operational, legal or regulatory changes. If changes are material, we will provide notice via the Service or by other appropriate means.
15. Contact
To exercise your rights or ask questions about this Policy, contact our Data Privacy team at admin@ganttastic.com.
16. Trademark Notice
Google, Google Cloud, Firebase and Firestore are trademarks of Google LLC. Any other product names, logos and brands are the property of their respective owners.