Privacy Policy

Last updated: 1 June 2026

Also see our Terms of Service and Security and Trust.

Who We Are

New Rebellion Pty Ltd (ABN 19 688 435 985) operates new-rebellion.com and all services hosted under it, including Hub(our marketing co-pilot) and Lens (the data engine inside Hub). When this policy says "we", "us" or "New Rebellion" it means New Rebellion Pty Ltd. We are based in Melbourne, Victoria, Australia.

What This Policy Covers

This policy covers all data collected through new-rebellion.com, its subdomains and any tools hosted under the domain, including Hub and Lens. One policy governs everything.

Hub access is currently provided to New Rebellion consulting clients. As Hub opens to additional customers, this policy will continue to apply.

What We Collect

Account information

/When you create an account we collect your email address. We use passwordless authentication (a magic link sent to your email). A secure HTTP-only session cookie is set in your browser to keep you signed in

/Business profile information you provide, including business name, website URL, industry, marketing context and any preferences you set in Hub Settings

Information you provide during an audit or session

/Business information including website URL, industry, marketing channels, team size, budget signals, goals, competitive context and decision-making authority

/Files you upload during a session (analytics exports, spreadsheets, CSV or JSON files, 4 MB limit per file). Files are processed in memory to extract marketing-relevant data and are not permanently stored

Hub usage and product telemetry

When you use Hub we record product usage events against your account. This includes pages and dashboards viewed, integrations connected, reports generated, actions taken on your marketing plan and calls to action you click. We use this data to:

/Improve the product and prioritise support

/Score account engagement so we can serve active customers better

/Detect anomalies and prompt you with relevant insights inside Hub

We do not share individual usage data with third parties for marketing.

Hub Chat and conversational memory

/Conversations you have with Hub Chat are stored against your account so you can continue them later

/Hub Chat extracts and stores structured business memories (preferences, goals, decisions, problems, outcomes) so the assistant gets more useful over time. You can review or remove memories from Hub Settings

/Hub Chat may call internal tools that read your connected data (analytics snapshots, plan actions, knowledge packs, competitor profiles). Tool results live in your session and feed into the memories above

Messages to your strategist

/When you message the New Rebellion team from inside Hub, the messages and our replies are stored against your account so the conversation continues over time

/If you forward something you are looking at (a score, a metric, a plan action, a competitor), a snapshot of that item is attached to your message so we have the context to respond

/We email you when your strategist replies, and email our team when you send a message. These notifications are sent via Resend

Information collected automatically

/We use Google Analytics 4 to collect standard web analytics: pages visited, referral source, device type, browser, country and interactions with content. No personally identifiable information is sent to Google Analytics

/Server logs maintained by our hosting provider (Vercel) may record IP addresses, request timestamps and user agent strings

/We use Cloudflare Turnstile for bot verification. This is an invisible check that does not present a visible CAPTCHA

Information from third-party integrations

Hub offers optional integrations with third-party platforms via OAuth 2.0 or API key connections. If you connect any of these, we pull read-only data to power your dashboard and generate reports. We cannot modify your configurations on any connected platform.

/Google Analytics (GA4): Read-only scope (analytics.readonly). We pull traffic, sources, pages, devices and events

/Google Search Console: Read-only scope (webmasters.readonly). We pull query and page performance data

/Google Ads: Read-only campaign and keyword performance data. We cannot create, modify or delete campaigns or settings

/Google Tag Manager: Read-only scope (tagmanager.readonly). We pull container configuration for auditing. We cannot modify your GTM setup

/Google Marketing Platform and Merchant Centre: For some enterprise and ecommerce accounts we may request additional Google access to pull read-only performance data from Display and Video 360, Search Ads 360 and Google Merchant Centre. These scopes are only requested when relevant and we use the data for reporting only

/Meta (Facebook, Instagram and Threads): Read-only page, ad, Instagram and Threads insights via OAuth. We cannot post, modify or delete content on your accounts

/X (Twitter): Read-only organic post performance, engagement and follower metrics via OAuth. We cannot post, modify or delete content on your account

/TikTok Marketing API: Read-only advertising performance via OAuth. We cannot create, modify or delete campaigns or ad content

/Microsoft Advertising: Read-only advertising performance via Microsoft OAuth. We cannot create, modify or delete campaigns or ad content

/Klaviyo: Connected via a private API key you paste into Hub Settings. We pull read-only email and SMS campaign performance, flows, lists and subscriber metrics. We cannot send emails, modify flows or change your account settings

/OAuth refresh tokens and API keys are encrypted at rest using AES-256-GCM and retained until you disconnect. You can disconnect any integration at any time via Hub Settings. You can also revoke Google access at myaccount.google.com/permissions

Website scanning

/When you provide a URL (your own or a competitor), we scan publicly available information from that website including technology stack, page structure, performance metrics, schema data and publicly listed business details. We use sources including Chrome UX Report, PageSpeed Insights, Google Places and the Wayback Machine. No login-protected or private data is accessed

Business enrichment data

/We enrich business profiles with publicly available data from third-party sources including the Australian Business Register (ABR), Google Places, Clearbit and ASX disclosures. Enrichment is additive and does not overwrite information you provide

Google API Services: Limited Use Disclosure

New Rebellion's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

/We only use Google API data to provide and improve the marketing intelligence services you have requested

/We do not transfer Google API data to third parties except as necessary to provide the service (processing via the Anthropic Claude API to generate your reports), as required by law or with your explicit consent

/We do not use Google API data for serving advertisements

/We do not allow humans to read your Google API data unless you provide affirmative consent, it is necessary for security purposes or it is required by law

/Google API data is stored securely with encryption at rest and access controls. Data is retained as described in the Data Retention section below. You can request deletion at any time

How We Use Your Information

/Deliver the services you have requested, including marketing reports, dashboards and recommendations

/Provide industry benchmarks and insights relevant to your business

/Improve our website, tools and content

/Send transactional emails related to your account, reports and the actions you have asked us to track

/Contact you if you have requested a call, sent a message or opted into communications

Aggregated cross-customer learning

When you mark a marketing action as complete, Hub measures the outcome against the metric we agreed to track. We aggregate those outcomes across the customer base at industry, business type and segment level to learn what tends to work for similar businesses. This powers cross-business intelligence used inside Hub.

/Aggregations only become available once enough peer data exists. We never identify an individual customer in an aggregated view

/We never publish individual business data, scores or outcomes without consent

We do not sell your information. We do not use your business data to train AI models. We do not share your personal information with third parties for their marketing purposes.

Talent and recruitment

If you use our Talent pages at /talent, we collect what you submit so we can match marketers with opportunities and advise employers on hiring.

If you are a marketer, this includes your name, contact details, role and craft, experience, salary expectations, work rights, location, availability, preferences and anything you choose to add such as a short note about your work or a CV. It also includes a self-assessment, where you rate your own strengths across six marketing dimensions. This is your own read on yourself, not a test.

If you are an employer, this includes your name, contact details, company, the role you are hiring for, your budget and the context around the vacancy.

/We use this to contact you, build your profile and match supply with demand across our network

/With your consent, given when you submit, we may share a marketer's profile with relevant employers and recruitment partners in our network. We may receive a referral fee where an introduction leads to a placement

/We store your profile, your self-assessment and any CV you attach securely in our systems so we can match you to roles over time. We keep it until you ask us to remove it

/We only share your profile where you have given consent. You can ask us to update or remove it at any time by emailing filip@new-rebellion.com

The Scene (marketing survey)

The Scene at /scene is an anonymous survey of marketers. Your answers build the State of Marketing in Australia, our published read on the market.

We collect what you tell us about your pay and package, level and craft, skills, the tools you use, where you want to go next and how the work feels. By default these answers are anonymous and are not tied to your identity.

If you opt in to receive the report, or choose to add contact details, we hold your email so we can send the report and updates. Adding your email is optional and never required to contribute.

/Your answers go into an aggregate dataset. We publish and surface findings, including inside Atlas, at industry and segment level only. We never publish an individual response, or pay tied to a named person

/We do not sell your data, and no vendor or recruiter sponsors or influences the published numbers

/If you add your email, it is stored separately from your survey answers with no link between the two, so a response can never be traced back to a person. We email you only about what you ticked

/You can unsubscribe or ask us to delete your contribution at any time by emailing filip@new-rebellion.com

Sub-Processors

We rely on a small set of established sub-processors to operate Hub and new-rebellion.com. The current list, the data each handles and the jurisdiction in which they process it, is published and maintained on our Security and Trust page. We will give reasonable notice before adding or replacing a sub-processor that handles customer data.

Data Residency and International Transfers

Our primary database is hosted on Supabase in the AWS ap-southeast-2 region (Sydney, Australia), so your core business and account data is held onshore. Application hosting runs on Vercel, which serves traffic from a global edge network with compute primarily in the United States and Europe. AI processing is performed by Anthropic in the United States. Other sub-processors operate primarily from the United States, Australia and the European Union.

By using our services you consent to the transfer of your information to these jurisdictions. Where data is transferred outside Australia, we rely on service providers that maintain appropriate data protection standards including, where relevant, Standard Contractual Clauses.

With our primary database located in Sydney, your core customer and account records are held onshore in Australia. Some sub-processors listed on our Security and Trust page process limited data overseas as described above.

Cookies and Local Storage

We use a secure HTTP-only cookie to maintain your authenticated session in Hub. This cookie identifies your session and is required for Hub to function. It does not track you across other websites.

Google Analytics sets standard analytics cookies for anonymised usage measurement. No advertising or retargeting cookies are used. You can control cookies through your browser settings.

Lens uses browser session storage and local storage (not cookies) to maintain conversation state and allow session recovery. This data lives in your browser only and is cleared when you close the tab or clear your browser data.

Data Retention

/User accounts are retained until you request deletion

/Business profiles and connected data are retained for the life of your account. Analytics snapshots are refreshed periodically and older snapshots may be overwritten

/Audit reports are stored in our database so you can revisit them from your Hub dashboard. Reports may contain your business name, URL, industry and marketing data as discussed during your session

/Hub Chat conversations and business memories are retained until you delete them. Individual memories can be removed from Hub Settings

/Product usage events are retained for up to 24 months in identifiable form. Older events are deleted or aggregated into anonymised counters

/OAuth tokens and API keys are encrypted at rest and retained until you disconnect the integration or delete your account

/Uploaded files are processed in memory during your session and not permanently stored

/Website analytics are retained per Google Analytics default settings (14 months)

/Transactional emails: if you have an account, you may receive report delivery emails and periodic follow-ups. You can unsubscribe at any time via the link in any email or through Hub Settings

/Industry benchmark data (anonymised, aggregated at industry and segment level) is retained indefinitely to support benchmarking

Automated Decision-Making

Hub uses artificial intelligence (Anthropic Claude) to generate personalised marketing assessments. The AI analyses information you provide and any connected data sources to produce scored reports. The output is marketing guidance. It does not constitute a binding decision about your business.

In line with the Privacy and Other Legislation Amendment Act 2024 (Cth), which introduces automated decision-making transparency obligations from 10 December 2026, we proactively disclose that our tools use a computer program (Claude, operated by Anthropic) that substantially assists in generating scored assessments of your marketing performance. The personal and business information used includes details you provide and data from connected accounts. You can request a human review of any assessment by contacting us below.

Data Security

We use industry standard security measures to protect your data. All data in transit is encrypted via TLS. OAuth tokens and API keys are encrypted at rest using AES-256-GCM. Server-side data is stored in access-controlled environments with row-level security. A full description of our security controls, sub-processors and compliance roadmap is published on our Security and Trust page.

No method of electronic transmission or storage is 100% secure and we cannot guarantee absolute security. We will notify you and the Office of the Australian Information Commissioner of any eligible data breach in accordance with the Notifiable Data Breaches scheme.

Your Rights

Under the Australian Privacy Act 1988 you have the right to access, correct or request deletion of your personal information. You can disconnect integrations and update your profile directly in Hub Settings. For anything else, use the form below. If you are located in the European Union or United Kingdom you may also have rights under GDPR including the right to data portability and the right to restrict processing.

We will acknowledge requests within 5 business days and complete them within 30 days of verification.

Children

Our services are intended for business professionals and are not directed at anyone under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, contact us and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Material changes will be communicated via a notice on the website and, where you have an account, by email.

Contact

New Rebellion Pty Ltd
ABN 19 688 435 985
Melbourne, Victoria, Australia
new-rebellion.com