This Privacy Policy explains how TMF and JMF Management Pty Ltd (trading as SideQuests) collects, uses, stores, and discloses your personal information when you use the SideQuests website and tools at sidequests.au.
We are committed to handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy covers all users of our services, including visitors who use our tools without registering an account.
- About Us and This Policy
- What Personal Information We Collect
- How We Collect Personal Information
- Why We Collect Personal Information
- How We Use and Disclose Personal Information
- Direct Marketing
- Overseas Disclosure
- Cookies, Analytics, and Tracking
- Data Quality and Security
- Data Retention
- Your Rights: Access and Correction
- Notifiable Data Breaches
- Complaints
- Changes to This Policy
- Contact Us
1. About Us and This Policy
TMF and JMF Management Pty Ltd (we, us, our) operates the SideQuests platform at sidequests.au. SideQuests provides AI-powered tools to assist Australian law students, including a case notes generator that transforms legal documents into structured study notes.
This Privacy Policy is our open and transparent statement of how we manage personal information. It applies to all personal information we collect through: the SideQuests website and any subdomains; user accounts and the SideQuests portal; and communications you have with us.
We recommend you read this Policy carefully before providing us with any personal information. By using our services, you acknowledge that you have read and understood this Policy.
Legislative framework
We handle personal information in accordance with:
- the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs);
- the Spam Act 2003 (Cth), which governs commercial electronic messages;
- the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
2. What Personal Information We Collect
We collect the following categories of personal information, depending on whether you use our tools as a guest or as a registered user.
2.1 Account and identity information
When you create a SideQuests account, we collect:
- your first name and last name;
- your email address;
- your university or institution (optional, used to personalise output);
- your password (stored as a one-way cryptographic hash — we never store or see your actual password);
- your preferred download format (optional);
- your account status and the date your account was approved.
2.2 Documents and content you submit
When you use our case notes generator, we process:
- documents you upload (for example, PDF or Word files of legal judgments or case materials);
- free-text descriptions or notes you enter into our tools;
- your selections for subject, study level, and output language.
2.3 Case notes and generated output
We retain the structured case notes generated by our AI tools, associated with your account (if logged in) or as an anonymous record (if using as a guest). Retained case notes allow you to access your generation history through the portal.
2.4 Usage and technical data
We automatically collect certain technical information when you visit or use our services:
- your IP address at the time of each request;
- browser type, version, and operating system;
- pages you visit and actions you take within the service;
- the date, time, and duration of your visit;
- referring URL (the page you came from, if applicable);
- time taken to generate your case notes.
2.5 Security and fraud-prevention data
To protect the integrity of our service and prevent misuse, we collect and process:
- behavioural signals used to detect automated or fraudulent use (for example, timing data and interaction patterns);
- Cloudflare Turnstile verification tokens;
- records of security events, including blocks and flagged requests, with associated IP addresses and reasons.
2.6 Communications
When you contact us or correspond with us, we collect your name, email address, the content of your message, and any attachments you provide.
2.7 Sensitive information
We do not intentionally collect sensitive information as defined in the Privacy Act 1988 (Cth) (such as health information, racial or ethnic origin, political opinions, or biometric data). If you choose to include such information in a document you upload, you do so at your own discretion and we will handle it in accordance with this Policy.
3. How We Collect Personal Information
3.1 Directly from you
We collect most personal information directly from you when you register for an account, verify your email address, log in, use our tools, update your profile, contact us, subscribe to product updates, or submit a password reset request.
3.2 Automatically through your use of our services
We automatically collect technical and usage data when you interact with our website, including through server logs, session management technology, and third-party analytics services described in Section 8.
3.3 From third parties
In limited circumstances, we may receive information about you from third parties, including Cloudflare (security signals and IP reputation data) and our email delivery provider (delivery and bounce status for transactional emails).
3.4 Anonymity and pseudonymity
Where practicable, you may interact with us anonymously or use a pseudonym. You may use the case notes generator without creating an account or providing your name. However, we will still collect your IP address and certain technical data as described above. Using a pseudonym email address may prevent us from delivering important account-related communications.
4. Why We Collect Personal Information
We collect personal information only for purposes that are directly related to our services, and only to the extent necessary for those purposes.
| Purpose | Description |
|---|---|
| Providing our services | To operate the case notes generator and other tools, generate AI-powered output tailored to your course details, and deliver results to you. |
| Account management | To create and manage your account, verify your email, authenticate logins, and process account changes. |
| Personalisation | To tailor generated case notes to your university, subject, and study level where you provide that information. |
| Communications | To send transactional emails and, where you have consented, product updates and newsletters. |
| Security and fraud prevention | To detect, prevent, and investigate fraudulent, abusive, or unauthorised use of our services. |
| Service improvement | To understand how users interact with our tools, diagnose technical problems, and improve our services. |
| Legal and compliance | To comply with applicable laws, respond to legal processes, enforce our Terms of Service, and protect our rights and the safety of users. |
| Record-keeping | To maintain audit logs of significant account events for security and accountability purposes. |
Where we intend to use personal information for a secondary purpose not listed above, we will seek your consent or ensure the secondary use is permitted under the Privacy Act 1988 (Cth).
5. How We Use and Disclose Personal Information
5.1 Use of personal information
We use personal information for the purposes described in Section 4. We will not use your personal information for an unrelated purpose unless you have consented or it is otherwise permitted by the APPs.
5.2 Disclosure to third-party service providers
We engage trusted third-party service providers who assist us in operating our services. We disclose personal information to these providers only to the extent necessary for them to perform their services.
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Content delivery, DDoS protection, bot detection (Turnstile), and web security. Cloudflare processes all web traffic passing through our platform. | USA / global |
| Email delivery provider | Transactional email delivery (verification emails, password resets, account notices). | USA |
| AI processing provider | The content of documents you upload and your course selections are processed by an overseas AI service to generate your case notes. See Section 7 for detail. | USA |
| Analytics providers | Website usage analytics to help us understand how our services are used. See Section 8 for detail. | USA / global |
5.3 Disclosure required by law
We may disclose personal information where required or authorised to do so by Australian law, a court order, or a lawful request from a government authority. Where permitted, we will notify you of any such disclosure.
5.4 Business transfers
If we are involved in a merger, acquisition, or sale of assets, personal information held by us may be transferred to the acquiring entity. We will notify you of any such transfer by updating this Policy.
5.5 No sale of personal information
We do not sell, rent, or trade your personal information to any third party for their own marketing or commercial purposes.
5.6 Aggregated and de-identified data
We may use and disclose aggregated or de-identified information (which cannot reasonably be used to identify you) for any purpose, including service improvement and reporting.
6. Direct Marketing
6.1 When we may send you marketing communications
We will only send you commercial electronic messages (such as product updates or newsletters) if you have provided your express consent, in accordance with the Spam Act 2003 (Cth) and APP 7. You may opt in when creating your account or at any time through your account settings.
6.2 Transactional communications
Separately from marketing communications, we may send you transactional emails necessary for the operation of your account, including email address verification, password reset links, account approval or rejection notices, security alerts, and verification reminders. You cannot opt out of transactional emails while you maintain an active account.
6.3 Opting out
You may withdraw your consent to marketing communications at any time by clicking the unsubscribe link in any marketing email we send you, or by contacting us at support@sidequests.au. We will process your opt-out within 5 business days as required by the Spam Act 2003 (Cth).
7. Overseas Disclosure of Personal Information
7.1 Nature of overseas transfers
To provide our case notes generation service, we transfer certain personal information to service providers located outside Australia, primarily in the United States of America. This includes:
- the content of documents you upload and your course selections, transmitted to an overseas AI processing service for the purpose of generating your case notes;
- your IP address and traffic data, processed by Cloudflare's global network;
- your email address and name, processed by our email delivery provider to send transactional emails.
7.2 Our obligations under APP 8
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs. We engage service providers that have published privacy policies and data processing commitments, operate under legal frameworks providing comparable privacy protections, and/or have agreed to contractual obligations consistent with Australian privacy standards.
7.3 Acknowledgement and consent
By using our case notes generator to upload documents, you acknowledge and consent to the transfer of the content of those documents to our overseas AI processing provider for the sole purpose of generating your case notes. If you do not consent to this transfer, please do not upload documents to the service.
8. Cookies, Analytics, and Tracking Technologies
8.1 Cookies we use
| Type | Purpose | Essential? |
|---|---|---|
| Session cookies | Maintain your login session while using the SideQuests portal. Expire when you close your browser or log out. | Yes |
| Cloudflare cookies | Set by Cloudflare for security, DDoS protection, and bot detection. | Yes |
| Cloudflare Turnstile | Privacy-friendly bot detection on our generation form. Processes behavioural signals to verify you are a real person. No cross-site tracking. | Yes |
| Google Analytics (GA4) | Anonymised usage statistics including page views, session duration, device type, and geographic region. May use cookies and local storage. | No |
| Cloudflare Web Analytics | Privacy-focused analytics. Does not use cookies or fingerprinting. Collects aggregated page view statistics only. | No |
8.2 Google Analytics
We use Google Analytics 4 (GA4), provided by Google LLC, to collect information about how visitors use our website. GA4 collects pages visited, time on page, approximate geographic location (country/region), and device/browser type. Google may process this data on US servers. You can opt out via the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.
8.3 Managing cookies
You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Note that disabling essential cookies (such as session cookies) may prevent you from logging in to your account.
9. Data Quality and Security
9.1 Data quality (APP 10)
We take reasonable steps to ensure that the personal information we hold is accurate, up-to-date, and complete, having regard to the purposes for which it is used. If you believe information we hold is inaccurate or incomplete, please contact us to correct it (see Section 11).
9.2 Security measures (APP 11)
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our measures include:
- Encryption in transit: all data between your browser and our servers is encrypted using HTTPS/TLS;
- Password hashing: passwords are stored using a one-way cryptographic hash; we never store or see your plaintext password;
- Access controls: administrative access is restricted and protected by authentication;
- Audit logging: significant account events (logins, password changes, approvals) are recorded;
- Bot and fraud prevention: multi-layered controls including rate limiting, honeypot fields, behavioural scoring, and Cloudflare Turnstile;
- Account lockout: repeated failed login attempts result in temporary lockout to prevent brute-force attacks.
No method of internet transmission is completely secure. If you believe your account has been compromised, please contact us immediately at support@sidequests.au.
9.3 Destruction of personal information
When personal information is no longer needed and we are not required by law to retain it, we will take reasonable steps to destroy it or permanently de-identify it.
10. Data Retention
10.1 Retention periods
| Category of data | Retention period |
|---|---|
| Account information | Retained for the life of your account. Purged from our active database when you delete your account. |
| Generated case notes and history | Retained for the life of your account. Deleted when you close your account. |
| Uploaded documents | Used solely to generate your case notes. Not retained beyond what is necessary for the immediate generation request. |
| Session data | Sessions expire on logout or after a period of inactivity. |
| Audit logs | Retained for a reasonable period for security and legal compliance. May be retained for a period after account deletion. |
| Security event records | IP addresses and security block records retained for a reasonable period to support fraud investigation. |
| Password reset tokens | Expire within a short period (typically 1 hour) and are invalidated once used. |
| Email verification tokens | Expire if unused. Unverified accounts are automatically deactivated after 14 days. |
10.2 Account deletion
You may delete your account at any time through your account settings in the SideQuests portal. Please note that certain aggregated or de-identified data may be retained, information in backup systems may persist briefly before being overwritten, and we may retain information where required by law or to resolve outstanding disputes.
11. Your Rights: Access and Correction
11.1 Right to access (APP 12)
Under APP 12, you have the right to request access to the personal information we hold about you. Please contact us using the details in Section 15. We will respond within a reasonable time (generally within 30 days). Access requests are free of charge, though we may charge a reasonable fee for complex requests and will advise you before proceeding.
We may decline access in limited circumstances permitted by the APPs, such as where providing access would pose a serious threat to the safety of any person, unreasonably impact the privacy of another individual, or where the request is frivolous or vexatious. We will give you written reasons for any refusal.
Portal self-service: Registered users can view and manage much of their personal information directly through the SideQuests portal, including their profile, case history, and account settings.
11.2 Right to correction (APP 13)
If you believe that personal information we hold about you is inaccurate, out-of-date, incomplete, or misleading, you have the right to request correction. Registered users can update their name, university, and preferences directly in the portal. For other corrections, please contact us at support@sidequests.au. We will take reasonable steps to correct your information within 30 days.
12. Notifiable Data Breaches
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). An eligible data breach occurs when there is unauthorised access to or disclosure of personal information we hold, and a reasonable person would conclude the breach is likely to result in serious harm to affected individuals.
If we have reasonable grounds to believe an eligible data breach has occurred, we will: conduct a prompt assessment to determine the nature of the breach; notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable; and notify affected individuals directly, or by publishing a statement on our website if direct notification is not practicable.
If you believe your personal information held by us has been compromised, please contact us immediately at support@sidequests.au.
13. Complaints
13.1 How to make a complaint
If you believe we have breached the APPs or this Policy, we encourage you to contact us first so we can attempt to resolve the matter:
Privacy Complaints — TMF and JMF Management Pty Ltd (trading as SideQuests)
Email: support@sidequests.au · Subject line: Privacy Complaint
Please include your full name and contact details, a description of the personal information concerned, a description of the conduct you believe breaches the APPs or this Policy, and the outcome you are seeking.
13.2 Our complaints handling process
We will acknowledge receipt within 5 business days and respond substantively within 30 days of receipt. We may contact you for further information to assist our investigation.
13.3 Escalation to the OAIC
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or our practices. When we make changes, we will update the effective date at the top of this Policy and post the updated version at sidequests.au/privacy. For material changes, we will notify registered users by email or by prominent notice on our website prior to the change taking effect.
Your continued use of our services after any changes constitutes your acceptance of those changes. If you do not agree with any changes, you should discontinue use of our services and close your account.
15. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact us:
TMF and JMF Management Pty Ltd (trading as SideQuests)
Website: sidequests.au · Email: support@sidequests.au
We aim to respond to all privacy enquiries within 5 business days.