Privacy Policy

Riparian Capital Pty Ltd t/a NIO Digital (formerly World Class Creatives)  ·  ACN 614 523 741

Effective date: 14 April 2026  ·  Version 1.0

Australia — Privacy Act 1988 (APPs) & Spam Act 2003
Malaysia — PDPA 2010
Singapore — PDPA 2012 (as amended)
United States — CAN-SPAM / TCPA / CCPA

1. About this policy and who it covers

This Privacy Policy applies to all personal information handled by Riparian Capital Pty Ltd trading as NIO Digital (and formerly World Class Creatives), including information relating to:

• Visitors to our website at niodigital.com.au
• Prospective and current clients who engage us for services
• End-customers and contacts of our clients whose data we process on their behalf
• Individuals who interact with marketing campaigns, forms, emails, SMS, or Voice AI services we operate or manage
• Anyone who provides personal information to us, or whose information is provided to us, in connection with our services

We have adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). A copy of the Australian Privacy Principles is available at oaic.gov.au. Where we serve clients in Malaysia, Singapore, or the United States, additional jurisdiction-specific obligations apply and are addressed throughout this policy.

2. Who we are — legal entity, trading names, and third-party providers

Legal entity: Riparian Capital Pty Ltd (ACN 614 523 741)

Trading as: NIO Digital / NIO Digital Agency

Former brand name: World Class Creatives. If you interacted with us or received services under the World Class Creatives brand, this policy applies equally to any personal information collected during that time. World Class Creatives is not a separate legal entity; it was a trading name of the same company now operating as NIO Digital.

Registered address: PO Box 567, Sunnybank QLD 4109, Australia

Website: niodigital.com.au

Phone: 1300 722 395  |  International: +61 430 453 388

Email: team@niodigital.com.au

NIO Digital engages authorised third-party service providers and contractors who may work under NIO Digital’s direction and on NIO Digital’s behalf in the delivery of client services. These include freelance contractors, specialist sub-agencies, platform providers, and technology partners. Where such providers handle personal information on NIO Digital’s behalf, they are treated as sub-processors and are required to handle that information in accordance with this policy and applicable privacy laws. See Section 12 for further detail.

3. Our dual role: data controller and data processor

NIO Digital operates in two distinct capacities with respect to personal data, depending on the context:

• Data controller (our own activities): When we collect data through our own website, business development, sales enquiries, or NIO Digital’s own marketing activities, we determine the purposes and means of that processing and act as the data controller. This policy governs those activities.
• Data processor (on behalf of clients): When we manage CRM platforms, operate Voice AI services, run marketing campaigns, build and deploy lead generation assets, or otherwise handle personal data under a client’s instructions, we act as a data processor. The client is the data controller and is responsible for their own privacy notices to their end-customers. NIO Digital processes data only as directed by the client. A Data Processing Agreement (DPA) governs this relationship.

If you are an end-customer of one of our clients and wish to exercise rights over your personal data, you should contact the relevant client directly. NIO Digital will cooperate with and assist clients in handling such requests as required by applicable law.

4. What personal information we collect

Information about clients and prospective clients

• Name, job title, business name, ABN/ACN or equivalent business registration number
• Email address, phone number, postal and billing address
• Payment and invoicing details (processed via third-party payment providers — we do not store full card numbers)
• Project briefs, creative assets, platform login credentials, and access permissions you provide to us for the purpose of delivering services
• Communications records, meeting notes, and correspondence

Information about end-customers (processed on behalf of clients)

• Name, email address, phone number, and mailing address
• Enquiry and transaction history held within CRM platforms we manage
• Voice call recordings and transcripts (where Voice AI services are deployed)
• SMS and email interaction data, including opt-in/opt-out status
• Demographic and behavioural data collected through marketing campaigns
• Any additional data categories specified in the applicable client service agreement

Website visitor information

• IP address, browser type, device type, and operating system
• Pages visited, time spent on site, and referring URLs
• Information submitted through contact and enquiry forms
• Comments left on the website, including IP address and browser user agent string (used for spam detection)
• Cookie and tracking data (see Section 10)

5. How we collect personal information

We collect personal information through the following means, including but not limited to:

• Website contact, enquiry, and comment forms
• Email correspondence and SMS communications
• Phone calls and meetings (which may be recorded where consent is obtained)
• Voice AI telephone systems that we operate or manage on behalf of clients
• CRM and marketing automation platforms
• Social media and paid advertising platforms (Meta, Google, LinkedIn, TikTok, and others)
• Landing pages, lead generation forms, and marketing campaign assets we design and deploy
• Client-provided datasets, data exports, and access to clients’ existing platforms
• Newsletter subscriptions and email marketing opt-ins
• Third-party data sources (including publicly available sources) where lawful and appropriate
• Cookies and website analytics tools

Where we collect personal information, we will, where appropriate and practicable, explain why we are collecting it and how we intend to use it at the time of collection.

6. Why we collect and use your information

We collect and use personal information for the following purposes:

We will not use your personal information for purposes beyond those listed above without notifying you and, where required, obtaining your consent. You may unsubscribe from our mailing and marketing lists at any time by contacting us in writing or using the unsubscribe mechanism in any marketing communication.

7. Sensitive information

Sensitive information is defined under the Privacy Act 1988 to include information or opinions about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union or professional body, criminal record, health information, genetic information, biometric information, and sexual orientation or practices.

NIO Digital does not ordinarily seek to collect sensitive information. Where sensitive information is incidentally provided or is necessary for a specific service, it will be used only:

• For the primary purpose for which it was obtained
• For a secondary purpose directly related to the primary purpose
• With your express consent; or
• Where required or authorised by law

8. Voice AI services and call recording

NIO Digital provides Voice AI services that may involve automated call handling, call routing, recording, and transcription, deployed on behalf of clients. This section applies to end-customers who interact with those systems.

Notification and consent

Where Voice AI systems are deployed, callers will be notified at the commencement of any interaction — by way of a verbal announcement or equivalent disclosure — that the call may be recorded, transcribed, and processed by an AI system. Continued engagement after such notification constitutes consent in most jurisdictions. Where explicit prior consent is required by applicable law, separate consent mechanisms will be implemented within the call flow.

Jurisdiction-specific requirements

Use of Voice AI data

Recordings and transcripts are used to: fulfil the purpose of the call (e.g. appointment booking, enquiry handling); quality assurance and service improvement; training or improving AI models (only with appropriate consent or under anonymisation and aggregation measures); and regulatory compliance. Recordings are not sold to third parties. Retention periods are as directed by the client or as set out in Section 15.

9. CRM and marketing platform data

As part of our CRM services, NIO Digital may access, input, manage, segment, and export personal data on behalf of clients within platforms such as GoHighLevel, HubSpot, Salesforce, ActiveCampaign, Mailchimp, and similar systems. In this capacity:

• NIO Digital acts as a data processor; the client is the data controller
• All processing activities are governed by a Data Processing Agreement (DPA) between NIO Digital and the client
• We process personal data only in accordance with documented client instructions
• Access is limited to authorised NIO Digital personnel and third-party providers on a need-to-know basis
• Any sub-processors (third-party platform providers) are subject to their own privacy policies and data processing terms — see Section 12

Where NIO Digital collects data through marketing assets we design and deploy (landing pages, forms, advertising campaigns), data flows to the client’s nominated CRM or platform. The client bears primary responsibility for ensuring a lawful basis for collection and for providing appropriate privacy notices to their end-customers. NIO Digital will, upon request, assist clients in implementing compliant consent collection mechanisms.

10. Website-specific data: comments, media, cookies, and embedded content

Comments

When visitors leave comments on our website, we collect the information in the comment form, the commenter’s IP address, and browser user agent string to assist with spam detection. An anonymised string derived from your email address (a hash) may be provided to the Gravatar service to determine whether you use it. The Gravatar privacy policy is available at automattic.com/privacy. Upon approval, your profile picture may be visible publicly alongside your comment.

Media uploads

If you upload images to our website, you should avoid uploading images that contain embedded location data (EXIF GPS data). Visitors to the site may be able to download and extract any location data from images published on the website.

Cookies

Our website uses cookies and similar tracking technologies. Specific cookie behaviours include:

• If you leave a comment, you may opt in to saving your name, email address, and website in cookies for your convenience. These cookies last for one year.
• When you visit our login page, a temporary cookie is set to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
• Upon login, cookies are set to save your login information and display preferences. Login cookies last for two days; screen option cookies last for one year. Selecting “Remember Me” extends login persistence to two weeks. Logging out removes login cookies.
• When you edit or publish an article, an additional cookie is saved that records the post ID. This contains no personal data and expires after one day.
• Analytics cookies (e.g. Google Analytics) are used to measure traffic and usage patterns. Data is aggregated and anonymised where possible.
• Marketing and remarketing cookies may be used on advertising platforms such as Meta and Google. These require your consent, which is managed through our cookie consent banner.

You may manage cookie preferences through our cookie consent banner or your browser settings. Opting out of non-essential cookies will not impair your ability to use our website.

Embedded content from other websites

Articles and pages on our site may include embedded content such as videos, images, and articles from other websites. Embedded content from other websites behaves in the same way as if you had visited that other website directly. Those websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content — including if you have an account and are logged in to that website.

11. How we share your information

We do not sell personal information. We may share personal information in the following circumstances:

• With our clients where we collected or processed data on their behalf
• With third-party service providers and sub-processors necessary to deliver our services (see Section 12)
• With employees and authorised contractors of NIO Digital, on a need-to-know basis
• Where you have consented to the use or disclosure
• With professional advisers (lawyers, accountants, insurers) under confidentiality obligations
• With payment processors for invoicing and billing purposes
• With regulatory bodies, law enforcement agencies, or courts where required or authorised by law
• With successor entities in the event of a business sale, merger, or acquisition (with prior notice where required by law)

We do not guarantee the website links or privacy policies of authorised third parties. We encourage you to review the privacy policies of any third-party service you use in connection with our services.

12. Third-party providers and sub-processors

NIO Digital engages third-party providers — including freelance contractors, specialist sub-agencies, and technology platform providers — who may work under NIO Digital’s direction in delivering services to clients. These providers may handle personal information in their role. NIO Digital takes reasonable steps to ensure that such providers:

• Handle personal information only for the purposes for which it was shared with them
• Implement appropriate technical and organisational security measures
• Do not disclose or use personal information for their own purposes without authorisation
• Comply with applicable privacy and data protection laws

Where third-party providers act as sub-processors in the context of client data, they are identified to clients upon request. Categories of sub-processors used by NIO Digital include:

• Web hosting and cloud infrastructure providers
• CRM and marketing automation platforms
• Voice AI and telephony infrastructure providers
• Email delivery and SMS gateway providers
• Analytics and advertising platforms
• Payment processing providers
• Freelance designers, developers, copywriters, and other specialist contractors engaged on a project basis

In cases where personal information is shared with third parties for a purpose beyond those described in this policy, NIO Digital will take reasonable steps to notify you of that sharing or obtain your consent where required.

13. Cross-border transfers of personal data

NIO Digital is based in Australia and operates globally on a remote-service basis. In the course of delivering services and using third-party platforms, personal data may be transferred internationally between Australia and other countries, including Malaysia, Singapore, the United States, and countries where our technology providers have servers or operations.

14. Security of personal information

NIO Digital takes the security of personal information seriously. We implement appropriate technical and organisational measures to protect personal information from misuse, loss, and unauthorised access, modification, or disclosure. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest where applicable
• Role-based access controls limiting staff and contractor access to personal data
• Multi-factor authentication on key systems and platforms
• Regular security reviews and vulnerability assessments
• Staff and contractor training on data protection obligations and information security
• Incident response procedures, including data breach assessment and notification protocols

When your personal information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify it (subject to retention obligations described in Section 15).

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and relevant regulators in accordance with applicable law, including Australia’s Notifiable Data Breaches scheme (Privacy Act Part IIIC), Singapore’s PDPA mandatory breach notification obligations, and applicable US state breach notification laws.

15. Retention of personal information

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our standard retention periods are as follows:

Upon expiry of the applicable retention period, personal information will be securely deleted, anonymised, or de-identified.

16. Your rights — by jurisdiction

Depending on your location, you may have the following rights in relation to your personal information:

To exercise any of these rights, please contact us using the details in Section 21. We will acknowledge your request promptly and respond within the timeframe required by applicable law (generally 30 days, extendable in complex cases). We may need to verify your identity before processing a request. There is no charge for making an access request, however an administrative fee may apply for providing copies of records in certain circumstances.

Where we hold data on behalf of a client (acting as a data processor), requests relating to that data should be directed to the relevant client in the first instance. We will cooperate with and assist our clients in handling such requests.

17. Marketing communications and opt-out

NIO Digital’s own marketing

We may send marketing emails, SMS messages, or other promotional communications to existing clients and to individuals who have opted in to receive communications from us. We comply with the following legislation:

• Australia: Spam Act 2003 — we send commercial electronic messages only with express or inferred consent, and every message includes a functional unsubscribe mechanism.
• Malaysia: PDPA 2010 and Communications and Multimedia Act 1998.
• Singapore: PDPA Do Not Call (DNC) Registry provisions and spam-related obligations.
• United States: CAN-SPAM Act (commercial email) and TCPA (SMS and automated calls — prior express written consent is required before sending automated or pre-recorded messages to US mobile numbers).

You may unsubscribe from our marketing communications at any time by clicking the unsubscribe link in any email, replying STOP to any SMS, or contacting us in writing. We will honour opt-out requests within 5 business days.

Marketing on behalf of clients

Where we conduct email or SMS marketing campaigns on a client’s behalf, the client is responsible for ensuring that recipients have provided appropriate consent and that their privacy notice covers those communications. NIO Digital will implement technical opt-out mechanisms as directed by the client and will not send communications to individuals on a client’s suppression list. For US-based recipients, we will implement TCPA-compliant opt-in flows and maintain suppression records on the client’s behalf.

18. Children’s privacy

Our services are directed at businesses and adults. We do not knowingly collect personal information from individuals under the age of 18 (or the applicable age of digital consent in the relevant jurisdiction). If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete it. If you believe we hold personal information about a child, please contact us using the details in Section 21.

19. Links to third-party websites

Our website may contain links to third-party websites that are not operated by NIO Digital. We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any website you visit. A link to a third-party website does not constitute endorsement of that website or its privacy practices.

20. Changes to this policy

This policy may change from time to time to reflect changes in our business practices, services, or legal obligations. The current version is always available on our website at niodigital.com.au. Where changes are material, we will provide notice on our website and, where appropriate, notify existing clients by email. The effective date at the top of this document will be updated with each revision. Continued use of our services after an updated policy takes effect constitutes your acceptance of the updated terms.

21. Privacy complaints and enquiries — contact us

If you have any queries or complaints about this Privacy Policy or the way in which we have handled your personal information, we encourage you to contact us in the first instance:

We will acknowledge your complaint within 5 business days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate your complaint to the relevant regulatory authority: