Privacy Policy

Last updated: 1 June 2025

1. About this application

c55 Agency Hub ("the Platform", "we", "us") is an internal operations dashboard operated by c55 Creative (ABN: [c55 Creative ABN — contact hub@c55hub.au for details]). It is accessible at https://c55hub.au and is intended exclusively for use by authorised c55 Creative employees and contractors.

If you are not an authorised staff member, you should not use this platform and should not provide any personal information.

2. Data we collect

2.1 Staff authentication data

When staff members create accounts or sign in, we collect: name, email address, hashed password (stored using bcrypt, never stored in plain text), role assignments, last login timestamp, and IP address for audit logging.

2.2 Client operational data

The Platform stores information about c55 Creative clients including: business names, contact details, domain names, hosting account metadata (usernames, disk usage, plan names), WordPress site URLs, SEO project details, and notes entered by staff. No client payment information is stored.

2.3 Google API data

With the explicit authorisation of a c55 Creative staff member who holds appropriate Google account permissions, the Platform accesses:

  • Google Analytics 4 (GA4): Aggregated daily metrics (sessions, users, page views, bounce rate) for client properties to which the authorising user has access.
  • Google Search Console (GSC): Click, impression, CTR, and position data; sitemap status; and URL indexing information for client properties.

This data is stored in our database associated with the relevant client record. It is used solely to provide the reporting functionality of c55 Agency Hub.

2.4 Integration credentials

Credentials for third-party integrations (WHM API tokens, WordPress application passwords, TPP Wholesale credentials) are stored encrypted at rest using Laravel's AES-256-CBC encryption. They are never stored in plain text and are never logged.

2.5 Audit logs

The Platform logs all significant actions (sign-in, account changes, high-trust hosting operations, data sync events) with the acting user's ID, IP address, and a description of the event. These logs are used for security and accountability purposes.

3. Google API Services — Limited Use disclosure

c55 Agency Hub's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Google user data accessed via c55 Agency Hub is:

  • Used only to provide and improve the service — read-only analytics and search performance data is displayed to authorised staff to assist in managing client websites.
  • Not used for advertising — Google data is never used to target advertising or for remarketing purposes.
  • Not shared with third parties — Google user data is not transferred, sold, or shared with any third-party services, applications, or individuals outside of c55 Creative.
  • Not used to build profiles — we do not use Google data to build user profiles or infer information beyond the declared service purpose.
  • Not used for credit or lending — Google data is not used in any financial determination process.

Google OAuth tokens are stored encrypted in our database and are used only to make authorised API requests. Refresh tokens are used to maintain access on behalf of the authorising staff member and are never exposed to end users or clients.

4. How we use your data

We use collected data to:

  • Authenticate staff and enforce role-based access controls
  • Manage and monitor client hosting, domains, and WordPress installations
  • Display aggregated analytics and search performance data from Google APIs
  • Send automated alerts when action is required (domain expiry, backup staleness, etc.)
  • Maintain a tamper-evident audit log for security and accountability

We do not use your data for marketing, profiling, or any purpose other than operating c55 Agency Hub.

5. Data retention

Staff account data is retained while the account is active and for 12 months after deactivation. Audit log entries are retained for 24 months. Google API data snapshots (GA4 and GSC daily metrics) are retained for 13 months (approximately 400 daily records per property). Integration credentials are deleted when the associated account or connection is removed.

6. Security measures

We implement the following security controls:

  • All data is transmitted over HTTPS (TLS). HTTP access is redirected to HTTPS.
  • Passwords are hashed using bcrypt with a strong cost factor.
  • Sensitive credentials (API tokens, application passwords, OAuth tokens) are encrypted at rest using AES-256-CBC.
  • High-trust actions (account suspension, termination) require explicit typed confirmation.
  • WordPress admin handoff uses short-lived (90-second), single-use signed tokens — admin passwords are never replayed.
  • Role-based access control (RBAC) limits feature access to appropriately permissioned staff.
  • All significant actions are recorded in an immutable audit log.

7. Your rights

As an authorised c55 Creative staff member, you may:

  • Request access to the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Revoke Google OAuth access at any time via the Settings menu or via your Google Account permissions

To exercise these rights, contact hub@c55hub.au.

8. Third-party integrations

c55 Agency Hub integrates with the following third-party services. Each has its own privacy policy:

  • Google (Analytics Data API, Search Console API, OAuth 2.0)Google Privacy Policy
  • WHM/cPanel (web hosting management)
  • TPP Wholesale (domain registration)
  • WordPress REST API

9. Contact

For privacy enquiries, data requests, or to report a security concern, contact:

c55 Creative
Email: hub@c55hub.au
Website: https://c55.com.au/contact