Who We Are
New Rebellion Pty Ltd (ABN 19 688 435 985) operates new-rebellion.com and all services hosted under it, including Hub (our marketing co-pilot) and Lens (our marketing audit engine). When this policy says "we", "us" or "New Rebellion" it means New Rebellion Pty Ltd. We are based in Melbourne, Victoria, Australia.
What This Policy Covers
This policy covers all data collected through new-rebellion.com, its subdomains and any tools hosted under the domain, including Hub and Lens. One policy governs everything.
What We Collect
Account information
/When you create an account we collect your email address. We use passwordless authentication (magic link sent to your email). A secure session cookie is set in your browser to keep you signed in
/Business profile information you provide, including business name, website URL, industry and marketing context
Information you provide during an audit
/Business information including website URL, industry, marketing channels, team size, budget signals and goals
/Files you upload during a session (analytics exports, spreadsheets, CSV or JSON files, 4 MB limit per file). Files are processed in memory to extract marketing-relevant data for your report and are not permanently stored on our servers
Information collected automatically
/We use Google Analytics 4 to collect standard web analytics: pages visited, referral source, device type, browser, country and interactions with content. No personally identifiable information is sent to Google Analytics
/Server logs maintained by our hosting provider (Vercel) may record IP addresses, request timestamps and user agent strings
/We use Cloudflare Turnstile for bot verification. This is an invisible check that does not present a visible CAPTCHA
/We analyse usage patterns to improve the service and prioritise support
Information from third-party integrations
Hub offers optional integrations with third-party platforms via OAuth 2.0 or API key connections. If you connect any of these, we pull read-only data to power your dashboard and generate reports. We cannot modify your configurations on any connected platform.
/Google Analytics (GA4): Read-only scope (analytics.readonly). We pull traffic, sources, pages, devices and events for up to the previous 90 days
/Google Search Console: Read-only scope (webmasters.readonly). We pull query and page performance data
/Google Ads: Read-only campaign performance data. We cannot create, modify or delete campaigns or settings
/Meta (Facebook and Instagram): Read-only page insights and Instagram metrics via OAuth. We cannot post, modify or delete content on your pages
/TikTok Marketing API: Read-only advertising performance data via OAuth. We cannot create, modify or delete campaigns or ad content
/Microsoft Ads: Read-only advertising performance data via Microsoft OAuth. We cannot create, modify or delete campaigns or ad content
/Google Tag Manager: Read-only scope (tagmanager.readonly). We pull container configuration, tags, triggers and variables for auditing purposes. We cannot modify your GTM setup
/Klaviyo: Connected via your private API key (entered by you in Hub Settings). We pull read-only email and SMS campaign performance, flows, lists and subscriber metrics. We cannot send emails, modify flows or change your account settings
/OAuth refresh tokens and API keys are encrypted at rest and stored securely until you disconnect. You can disconnect any integration at any time via Hub Settings. You can also revoke Google access at myaccount.google.com/permissions
Website scanning
/When you provide a URL (your own or a competitor's), we scan publicly available information from that website including technology stack, page structure, performance metrics and publicly listed business details. No login-protected or private data is accessed
Google API Services: Limited Use Disclosure
New Rebellion's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
/We only use Google API data to provide and improve the marketing intelligence services you have requested
/We do not transfer Google API data to third parties except as necessary to provide the service (processing via the Anthropic Claude API to generate your reports), as required by law or with your explicit consent
/We do not use Google API data for serving advertisements
/We do not allow humans to read your Google API data unless you provide affirmative consent, it is necessary for security purposes or it is required by law
/Google API data is stored securely in our database with encryption at rest and access controls. Data is retained as described in the Data Retention section below. You can request deletion at any time
How We Use Your Information
/Deliver the services you have requested, including marketing reports, dashboards and recommendations
/Provide industry benchmarks and insights relevant to your business
/Build anonymised industry benchmarks across Australian businesses. No individual business data is published without consent
/Enrich business profiles with publicly available data from company registries, review platforms and business directories to improve benchmark accuracy
/Improve our website, tools and content
/Send transactional emails related to your account and reports where you have provided your email address
/Contact you if you have requested a call, sent a message or opted into communications
We do not sell your information. We do not use your business data to train AI models. We do not share your personal information with third parties for their marketing purposes.
Third-Party Services
We use the following third-party services to operate new-rebellion.com and Hub. Each processes data as described:
/Vercel hosts the website and may log standard server information (IP addresses, request timestamps)
/Google Analytics 4 collects anonymised usage data about how the site is used
/Google OAuth handles authentication when you connect GA4, Search Console, Google Ads or Google Tag Manager
/Meta OAuth handles authentication when you connect Facebook Pages or Instagram accounts
/TikTok OAuth handles authentication when you connect TikTok advertising accounts
/Microsoft OAuth handles authentication when you connect Microsoft Ads accounts
/Anthropic (Claude API) processes audit data and generates reports. Anthropic does not use API inputs to train models. Their usage policy is at anthropic.com/policies
/Supabase is our primary database provider, hosting user accounts, business profiles, analytics data and report records
/Upstash (Redis) provides caching for report delivery and session data
/Cloudflare provides DNS, CDN, bot protection and invisible bot verification (Turnstile)
/Resend delivers transactional emails on our behalf, including authentication links, report delivery and follow-up communications
/Notion stores internal CRM records (company profiles, audit summaries, contacts and interactions)
/Calendly handles call bookings under their own privacy policy
/logo.dev displays business logos on reports (public domain logo lookup only)
/Google PageSpeed Insights and Chrome UX Report provide website performance data used in site health assessments
Cookies and Local Storage
We use a secure HTTP-only cookie to maintain your authenticated session in Hub. This cookie identifies your session and is required for Hub to function. It does not track you across other websites.
Google Analytics sets standard analytics cookies for anonymised usage measurement. No advertising or retargeting cookies are used. You can control cookies through your browser settings.
Lens uses browser session storage and local storage (not cookies) to maintain conversation state and allow session recovery. This data lives in your browser only and is cleared when you close the tab or clear your browser data.
Data Retention
/User accounts are retained until you request deletion
/Business profiles and connected data are retained for the life of your account. Analytics snapshots are refreshed periodically and older snapshots may be overwritten
/Audit reports are stored in our database so you can revisit them from your Hub dashboard. Reports may contain your business name, URL, industry and marketing data as discussed during your session
/Website analytics are retained per Google Analytics default settings (14 months)
/OAuth tokens and API keys are encrypted at rest and retained until you disconnect the integration or delete your account
/Uploaded files are processed in memory during your session and not permanently stored
/Transactional emails: if you have an account, you may receive report delivery emails and periodic follow-ups. You can unsubscribe at any time via the link in any email or through Hub Settings
/Industry benchmark data (anonymised, aggregated scores at the domain level) is retained indefinitely to support benchmarking
Automated Decision-Making
Hub uses artificial intelligence (Anthropic Claude) to generate personalised marketing assessments. The AI analyses information you provide and any connected data sources to produce scored reports. The output is marketing guidance. It does not constitute a binding decision about your business.
In line with the Privacy and Other Legislation Amendment Act 2024 (Cth), which introduces automated decision-making transparency obligations from 10 December 2026, we proactively disclose that our tools use a computer program (Claude, operated by Anthropic) that substantially assists in generating scored assessments of your marketing performance. The personal and business information used includes details you provide and data from connected accounts. You can request a human review of any assessment by contacting us below.
Data Security
We use industry-standard security measures to protect your data. All data in transit is encrypted via TLS. OAuth tokens and API keys are encrypted at rest. Server-side data is stored in access-controlled environments with row-level security. However, no method of electronic transmission or storage is 100% secure and we cannot guarantee absolute security.
International Data Transfers
Our hosting and third-party services may process data outside Australia, including in the United States. By using our services you consent to the transfer of your information to these jurisdictions. We ensure all service providers maintain appropriate data protection standards.
Your Rights
Under the Australian Privacy Act 1988 you have the right to access, correct or request deletion of your personal information. You can disconnect integrations and update your profile directly in Hub Settings. For anything else, use the form below. If you are located in the EU or UK, you may also have rights under GDPR including the right to data portability and the right to restrict processing.
We will respond within 30 days.
Children
Our services are intended for business professionals and are not directed at anyone under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. The date at the top of this page reflects the most recent revision. Material changes will be communicated via a notice on the website.
Contact
New Rebellion Pty Ltd
ABN 19 688 435 985
Melbourne, Victoria, Australia
new-rebellion.com