Last Updated: May 28, 2026

1. Scope and Controller

This Privacy Policy describes how Lazarus Co Pty Ltd (ABN 53 697 874 258; ACN 697 874 258) ("Lazarus Co", "we", "us", "our"), a company registered in Australia, collects, uses, discloses, and protects personal information in connection with the Ganttastic application (the "Service"). It applies to all users of the Service and to all related websites, apps, and integrations we operate.

For the purposes of the General Data Protection Regulation (EU) 2016/679 and the UK GDPR (together, "GDPR") and the Privacy Act 1988 (Cth), Lazarus Co PTY LTD is the data controller for the processing activities described in this Policy regarding your account and billing data. However, where you upload or process third-party personal data within your project charts and tasks, you are the controller of that data, and we act solely as the data processor on your behalf.

2. Categories of Personal Information We Process

Depending on how you use the Service, we process the following categories of information:

• Account and Profile Data: name, email address, organisation, role, Single Sign-On (SSO) identifiers and profile image if provided by your identity provider.
• Subscription and Billing Data: billing contact details, billing address, tax information, subscription tier, transaction identifiers, payment method token and the last four digits of the payment card. We do not collect or store full payment card numbers; payments are processed by a PCI-DSS compliant provider using tokenisation.
• Usage and Diagnostic Data: feature usage, in-app event telemetry, performance metrics, crash logs and support interactions.
• Device and Network Data: IP address, user agent, time zone, language, referrer URL, cookie identifiers and similar technologies.
• Content You Provide: project data, attachments, comments and any other content you upload or enter into the Service.

We may also process Aggregated or De-identified Data that does not identify an individual. Aggregated data is not personal information.

3. Sources of Personal Information

• Directly from you when you register, subscribe, configure settings, contact support or otherwise interact with the Service.
• Automatically from your devices through cookies, SDKs and similar technologies when you access the Service.
• From third parties where authorised, for example identity providers for SSO and payment processors for transaction confirmation.

4. Purposes and Lawful Bases for Processing

We process personal information only where an applicable lawful basis exists.

• Provide and operate the Service (contract performance): create and manage accounts, deliver features, provide SSO, process subscriptions, issue invoices and notifications, and provide customer support.
• Security, fraud prevention and abuse detection (legitimate interests; legal obligations): protect user accounts, monitor for suspicious activity, ensure availability and integrity, and maintain audit logs.
• Service analytics and product improvement (legitimate interests; consent where required): measure engagement, troubleshoot, and improve usability and performance. We place non-essential cookies and similar technologies only with consent where required by law.
• Marketing communications (consent; legitimate interests where permitted): send product updates and event information. You can opt out at any time.
• Legal compliance (legal obligations): comply with tax, accounting and regulatory requirements, and respond to lawful requests.

Where we rely on legitimate interests, we balance our interests against your rights and reasonable expectations.

5. Cookies and Similar Technologies

We use strictly necessary cookies and similar technologies to make the Service work, including to keep you signed in. We also use Google reCAPTCHA on our sign-up form as a strictly necessary security and anti-fraud control to protect the Service from automated abuse. Because reCAPTCHA is essential to securing sign-up, it may load before you make a cookie choice; it is not an optional, consent-based technology.

Separately, and only with your consent, we use non-essential cookies and similar technologies for product analytics and for error and performance monitoring (our diagnostics provider). When you first visit, a banner lets you Accept all or Reject non-essential. If you reject, these non-essential technologies are not loaded, and if you accept you can change your choice at any time using the cookie settings control we provide. Strictly necessary cookies and reCAPTCHA remain active because the Service cannot function or be secured without them. You can also manage cookies through your browser settings; blocking certain cookies may impact functionality.

6. Payments

Paid subscriptions are processed by an independent, PCI-DSS compliant payment processor. Your payment details are submitted directly to that processor. We receive a non-sensitive payment token and limited metadata to manage your subscription and comply with our obligations.

7. Artificial Intelligence Features

Some features of the Service (including AI-assisted project plan generation and the AI chat assistant) use Google's Gemini models, provided by Google LLC as our sub-processor through the Google Gemini application programming interface. AI features are optional. When you choose to use one, the content you submit for that request (for example a project brief, task details, or your chat message) is transmitted to Google to generate the requested output and return it to you. Google processes this content on its infrastructure to produce the response. This processing may occur on Google servers located outside Australia; where personal information is involved we take steps that are reasonable in the circumstances, consistent with Australian Privacy Principle 8, and Google's data processing terms apply. Under the terms applicable to our paid use of the Gemini application programming interface, Google does not use the content you submit through our AI features to train or improve its generative models. We do not sell your content and we do not use your content to train our own models. AI-generated output is presented to you for review and editing before it is applied and is not used to make any decision producing a legal or similarly significant effect about an individual without human involvement. You retain ownership of your content as set out in our Terms of Service. The third parties we use are listed in our sub-processor list.

8. Hosting, Storage and Sub-processors

8.1 Primary data storage (Sydney, Australia)

Your account data and Your Content are stored at rest in Google Cloud Firestore in Google's Sydney region (australia-southeast1), located in New South Wales, Australia. Data is replicated within Google's designated Australian zones for resilience and availability. Your primary project data is stored at rest in Australia. Limited processing does occur outside Australia, namely content you submit to optional AI features (see section 7) and diagnostic and error telemetry (see section 8.4); both are disclosed in this Policy.

8.2 Application compute (Singapore)

The application layer that serves requests to the Service runs on Google Cloud App Hosting in Google's Singapore region (asia-southeast1). Request processing is stateless: compute in Singapore reads from and writes to the Sydney database region, and your primary project data is held at rest and backed up in Australia as described in section 8.1.

8.3 Role of Google

For hosting, compute and database services, Google acts as our processor (sub-processor) under the Google Cloud Data Processing Addendum, which forms part of our agreement with Google. Those terms incorporate recognised data transfer mechanisms and require appropriate security controls, including encryption at rest and in transit, access controls and logging.

8.4 Other service providers

We use additional third-party processors to support transactional and lifecycle email delivery, error and performance monitoring, payment processing, and bot prevention. In particular:

• Sentry (Functional Software, Inc.) processes diagnostic, crash and performance telemetry in Germany, European Union (de ingest region) under the Sentry Data Processing Addendum and the Standard Contractual Clauses, with personal information minimisation enabled.
• Resend (Resend, Inc.) processes outbound transactional and lifecycle email (including verification, password reset, welcome, trial-ending and trial-ended messages) and the associated recipient email address and message metadata in Tokyo, Japan (ap-northeast-1 region) under the Resend Data Processing Addendum and the Standard Contractual Clauses.
• Stripe (Stripe, Inc.) processes self-service subscription payments and the associated billing contact, payment-method token and card last-four digits on Stripe's global infrastructure under the Stripe Data Processing Agreement (PCI-DSS Level 1).
• Google reCAPTCHA processes IP address and interaction signals on Google's global infrastructure as a strictly necessary bot-prevention control on sign-up.

These providers are engaged under written contracts that restrict processing to our documented instructions and require appropriate security. Optional AI features are described separately in section 7.

We maintain a current list of our sub-processors, published at ganttastic.com/sub-processors, with version history so that enterprise customers and other data subjects can review additions or replacements. A copy is also available by contacting admin@ganttastic.com.

9. International Data Transfers

As described in section 8.2, certain processing activities (including application compute, optional AI features and some sub-processors) occur outside Australia. Our primary transfer safeguard is Australian Privacy Principle 8: before disclosing personal information to an overseas recipient, we take steps that are reasonable in the circumstances to ensure the recipient does not handle that information inconsistently with the Australian Privacy Principles. Where personal information relating to individuals in the European Union or the United Kingdom is processed by our sub-processors, we rely on the data processing terms of those sub-processors (for example Google's Cloud Data Processing Addendum), which incorporate recognised transfer mechanisms such as the European Commission Standard Contractual Clauses and, where applicable, the United Kingdom International Data Transfer Addendum.

10. Security and Breach Notification

We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, role-based permissions, least-privilege administration, network segregation, vulnerability management and monitoring. No method of transmission or storage is entirely secure; we continuously assess and improve our safeguards.

In the event of a data breach that is likely to result in serious harm or a risk to the rights and freedoms of individuals, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable and as required under the Australian Notifiable Data Breaches (NDB) scheme, and within 72 hours of becoming aware of the breach where the General Data Protection Regulation (GDPR) applies.

11. Data Retention

We retain personal information for as long as necessary to deliver the Service, fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes and enforce agreements. Specific retention periods include:

• Billing and Financial Records: Retained for up to 7 years to comply with applicable Australian tax and accounting laws. When you delete your account these records are retained in de-identified form, with direct identifiers (such as your name and email address) removed or replaced, rather than kept in identifiable form.
• Security and Audit Records: Limited audit records are retained for security and accountability. When you delete your account, the direct identifiers in any retained audit records are removed or replaced so the records are no longer linked to you.
• Backup Data: Held on Google Cloud Firestore managed daily backups (7-day rolling retention) and managed weekly backups (14-week rolling retention) in our Sydney region (australia-southeast1), plus periodic Cloud Storage exports in the same region retained for up to 90 days; older backups are automatically overwritten or expire under the configured lifecycle policy.

When information is no longer required and we are not legally obliged to keep it, we securely delete it; where we are required to keep records we de-identify them as described above.

12. Your Rights

Depending on your location, you may have rights to access, rectify, erase, restrict or object to processing, and to data portability. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing. You also have the right to lodge a complaint with your local supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We respond to all verifiable requests within statutory timeframes.

Account deletion and erasure. When you delete your account from your account settings, we permanently erase your profile and the projects you own (including their tasks and attachments), remove you from projects that other users have shared with you so that the project remains intact for its owner, cancel any active paid subscription, and de-identify the limited billing and audit records we are legally required to retain (see section 11). This goes beyond removing your sign-in: your personal data is erased, not merely deactivated.

13. Do Not Track

Your browser may offer a "Do Not Track" signal. There is no industry standard governing DNT signals. We do not alter our practices in response to DNT at this time. We will honour legally required opt-out mechanisms where applicable.

14. Children

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.

15. Changes to This Policy

We may update this Policy to reflect operational, legal or regulatory changes. If changes are material, we will provide notice via the Service or by other appropriate means.

16. Contact

To exercise your rights or ask questions about this Policy, contact our Data Privacy team at admin@ganttastic.com.

17. Trademark Notice

Google, Google Cloud, Firebase and Firestore are trademarks of Google LLC. Any other product names, logos and brands are the property of their respective owners.