Last updated: 4 June 2026. Effective from: 4 June 2026.
Elephant Room Consulting Pty Ltd (Elephant Room, we, us, our) — ABN 93 168 298 888 — is committed to protecting the privacy of the people and businesses we interact with. This Privacy Policy explains what personal information we collect, how we use, disclose, and retain it, how you can access, correct, or delete it, and how to contact us with a privacy concern. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to visitors to elephantroom.com.au; to clients who engage us as their advertising agency (including the businesses whose advertising accounts we manage on platforms such as Meta, Google, TikTok, Pinterest, and Klaviyo) and their authorised representatives; and to use of our advertising-automation application and our equivalent integrations for the advertising platforms we manage on your behalf.
In what capacity we act. For information about our own website visitors, prospects, candidates, and business contacts, we decide the purposes and means of processing (a controller). For information we access inside a client's advertising platforms under an agency authorisation, we act on the client's instructions and the client remains primarily responsible for it (a processor); the client's engagement terms govern that handling and prevail over this policy to the extent of any inconsistency.
What information we collect
From website visitors. Information you submit through forms (such as your name, business name, email, phone, role, and message), and technical information collected automatically (IP address, browser and device type, pages viewed, timestamps, referring site) through cookies, analytics tools, and server logs.
Through our advertising agency services. When you engage us as your advertising agency, our team and our automation tooling access information inside the advertising platforms you authorise us to manage.
For Meta (Facebook and Instagram) this includes
campaign, ad set, ad, and creative metadata; aggregate performance
metrics (which do not identify individual users); account activity logs
(who changed what, and when); and the Meta-issued access token you
authorise when you connect us as your agency, which lets us read
campaign data and, where you have granted the relevant permissions, make
changes to your campaigns at the direction of your authorised personnel.
The Meta permissions we request are ads_management,
ads_read, business_management, and
public_profile.
For Pinterest, where you engage us to manage your Pinterest advertising, we connect to the Pinterest Marketing API on your authorisation. Our Pinterest application requests the OAuth scopes it requires, and connecting grants an OAuth token that lets us read your campaign and pin metadata and performance metrics and, where authorised, manage your Pinterest campaigns at your direction. For Pinterest, we store campaign analytics information only; we do not store other information accessed through the Pinterest API, and instead retrieve it from Pinterest each time it is needed. We use Pinterest information only to serve and evaluate the performance of your ads on Pinterest; we do not combine it with any other client's information, use it to target people off Pinterest, or share it with any other advertising service. Elephant Room is an independent advertising agency and is not affiliated with, endorsed by, or sponsored by Pinterest.
We do not access or store the personal information of individual end users, Facebook users, Instagram users, Pinterest users, audience members, leads, or other identifiable consumers — audience-level data is aggregate only. Where, on your instruction, we upload a client-provided contact list to a platform as a Custom Audience, the list is hashed before transmission as the platform requires, and we do not keep a separate copy. Where agreed, we send conversion events to platforms' server-side APIs (such as Meta's and Pinterest's Conversions APIs); for advertising platforms these identifiers are hashed before transmission, and where you engage us to operate an email or SMS marketing platform the necessary contact details are handled only as needed to deliver your messaging. The same campaign-level, aggregate-only principles apply across the other platforms we manage for you.
Directly and from third parties. We also collect information you or your representatives provide directly (contact, billing, and contract details, briefs, brand assets, and correspondence), and information from public sources, referrers, advertising platforms (when you authorise us), and our own service providers.
How we use the information
We use the information to provide and improve our advertising agency services and our tooling; to respond to enquiries and support requests; to send service communications (such as invoices and account, support, and security notices); to send marketing communications only with your consent (every one has an unsubscribe link); to invoice, take payment, and meet tax and accounting obligations; to investigate complaints and respond to lawful requests; to operate our internal business; and to comply with our legal obligations. Some of our tooling uses automation, including AI-assisted logic, to optimise campaigns and generate internal recommendations; this operates on campaign-level data, not on the personal information of individual consumers, and does not make decisions producing legal or similarly significant effects on individuals.
Who we share the information with
We may disclose personal information to: authorised personnel of the client; the advertising platforms (Meta, Google, TikTok, Pinterest, Klaviyo, and others) when we act on your account and authorisation (these are counterparties you have separately authorised, not our service providers); the service providers we engage to operate our application and store and analyse data on our behalf — namely cloud application-hosting and database providers, an advertising-platform API broker, an analytics data-warehouse provider, and a background-job-orchestration provider, located in Australia, Singapore, Canada, and the United States (we will provide the current list of specific providers to a client on request); our professional advisors; regulators, courts, and authorities where required by law; and a purchaser or successor in a sale or restructure, bound to handle the information consistently with this policy.
We require our service providers to handle personal information consistently with this policy, we do not disclose personal information to third parties for their own marketing purposes, and we do not share or sell advertising-platform data to any other advertising service. We comply with the applicable platform terms, including the Meta Platform Terms and the Pinterest Developer Guidelines.
Overseas transfers (APP 8)
Some of our service providers operate outside Australia — principally in Singapore, and also in Canada and the United States. Because not all of these countries have been assessed as having privacy protections substantially similar to the APPs, we rely on APP 8.1 and take reasonable steps to ensure each overseas recipient handles personal information consistently with the APPs — including binding each provider to appropriate data-processing terms, restricting access to the minimum necessary, and reviewing each provider's security and privacy posture. Where a client requires it, we will put in place Standard Contractual Clauses or an equivalent transfer mechanism.
How long we keep the information
We keep information only for as long as it is needed for the purposes in this policy or as required by law. Information accessed through your advertising-platform connections is kept while you are engaged with us; when you off-board, we sever the platform connection and revoke the access token within seven (7) days and purge stored records from our primary systems within thirty (30) days. Backups are retained on a short rolling cycle and then securely destroyed or de-identified. Records we are required to keep by law (such as financial and tax records, typically for seven years) are kept for the period the law requires.
How to access, correct, or delete your information
Under APP 12 and APP 13 you may ask us to give you access to the personal information we hold about you and to correct it, and you may ask us to delete it. We respond within a reasonable period (and in any event within 30 days) at no charge, and if we refuse a request we give written reasons. To make a request, email privacy@elephantroom.com.au with the subject line "Privacy Request"; we take reasonable steps to verify your identity proportionate to the sensitivity of the information.
To revoke our application's access to your Meta account: in Meta Business Manager → Business settings, locate our application under your connected Apps (it appears as Elephant Room Marketing) and remove it (removing Elephant Room as an agency partner also revokes access).
To revoke our access to your Pinterest account: in your Pinterest Business account → Settings → Connected apps, remove Elephant Room's connected application (removing our partner access also revokes access).
To request deletion of your data: email data@elephantroom.com.au with a subject line indicating the platform ("Meta Data Deletion Request", "Pinterest Data Deletion Request", or "Data Deletion Request"), and include your relevant account identifier and business name. We will sever the platform connection within seven (7) days and purge stored records from our primary systems within thirty (30) days, and email you a confirmation when complete. Full standalone deletion instructions are at elephantroom.com.au/legal/data-deletion. Requests from anyone other than the account owner or authorised client are referred to the verified account holder.
If you are in the EU or UK
Elephant Room is not established in the EU or UK and does not target marketing to consumers there, but we may handle the personal information of the staff of clients with EU/UK operations. Where the EU or UK GDPR applies, our lawful bases are typically performance of a contract, our legitimate interests in operating an advertising agency, or compliance with a legal obligation, and you have rights of access, rectification, erasure, restriction, objection, and portability. Contact privacy@elephantroom.com.au.
Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including access controls, encryption in transit, secure storage of platform credentials, and contractual commitments from our service providers. No system is guaranteed 100% secure. If we suspect an eligible data breach we assess it under Part IIIC of the Privacy Act 1988 (Cth) and, if confirmed, notify affected individuals and the OAIC under the Notifiable Data Breaches scheme.
Children
Our services are directed to businesses and the professionals who work in them. We do not knowingly collect personal information from children under 16; if you believe we have, contact us so we can delete it.
Changes to this policy
We may update this policy from time to time. The version in force is the one published at this URL, and its date appears at the top. Where changes are material, we take reasonable steps to bring them to the attention of affected clients and individuals.
How to contact us, or make a complaint
Email privacy@elephantroom.com.au, or write to Elephant Room Consulting Pty Ltd, Suite 4.02, 76a Edinburgh Road, Marrickville NSW 2204, Australia. We will investigate any privacy complaint and respond within a reasonable period (and in any event within 30 days). If your complaint is unresolved, you may refer it to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or 1300 363 992.