Privacy Policy
ABN 16 685 196 776
1. Introduction
Hawkesbury Motorcycles Holdings Pty Ltd, trading as Hawkesbury Motorcycles ABN 16 685 196 776 ("Hawkesbury Motorcycles", "we", "us", or "our"), respects your privacy and is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.
This Privacy Policy explains how we collect, hold, use, disclose, and destroy personal information when you interact with Hawkesbury Motorcycles, including through our website, our online customer portal, and our dealership operations.
This policy applies to: https://www.hawkesbury.motorcycles and the Hawkesbury Motorcycles customer portal.
We also comply with electronic communications obligations regulated by the Australian Communications and Media Authority (ACMA), including the Spam Act 2003.
Oversight of privacy legislation in Australia is provided by the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
By using our website or customer portal, or providing personal information to us, you consent to the collection, use, and disclosure of that information in accordance with this Privacy Policy.
2. Personal Information We Collect
The types of personal information we collect depend on how you interact with us.
Contact and identification information
- Full name
- Residential or mailing address
- Phone number
- Email address
Customer and vehicle information
- Motorcycle interests and purchase history
- Vehicle or motorcycle registration number
- Service and warranty history
- Finance or insurance application details
Test ride and dealership transaction information
Where you participate in a test ride or purchase transaction, we collect identification information for safety, compliance, and insurance purposes:
- Driver's licence image (front and back)
- Licence number, issuing state, and expiry date
- Licence address
- Residential address
- Motorcycle or vehicle registration number
This information is collected only for legitimate business purposes: rider verification, insurance requirements, and operational risk management. See section 7 for how we protect and destroy this information.
Website interaction information
When visiting our website we may automatically collect:
- IP address
- Device and browser information
- Pages visited and time spent on the website
- Referring website or search engine
- Approximate geographic location derived from IP address
3. How We Collect Personal Information
Personal information may be collected:
- Directly from you through enquiries, forms, or in person
- When you purchase or service a motorcycle
- When booking a service or test ride
- When you use the Hawkesbury Motorcycles customer portal
- When contacting us by phone
- Through interactions with our website
- Through social media interactions
- Via authorised third parties such as finance providers or insurers
How we do not collect identity documents
We do not request or accept driver's licence images or other identity documents via email, SMS, or any other uncontrolled communication channel. Identity documents are collected exclusively through our secure customer portal. See section 7 for details.
4. Cookies, Pixels and Tracking Technologies
Our website uses cookies and related tracking technologies to improve website functionality and marketing effectiveness. These may include:
- Cookies
- Tracking pixels and web beacons
- Remarketing tags
- Analytics scripts
These may be provided by digital marketing partners including Google, Meta platforms (Facebook and Instagram), X (formerly Twitter), and website analytics providers.
These technologies allow us to understand how visitors use our website, improve website performance, measure advertising effectiveness, and display relevant advertising to previous visitors.
These tools typically do not identify you personally unless you voluntarily provide personal information. Further information is available in our Cookie Policy.
5. How We Use Personal Information
We collect and use personal information to operate our business and provide products and services. This may include:
- Responding to enquiries
- Arranging test rides and verifying rider identity
- Processing motorcycle purchases
- Arranging servicing and parts supply
- Managing warranty claims
- Assisting with finance or insurance applications
- Improving our website and services
- Marketing motorcycles, parts, or services
Electronic marketing communications are sent in accordance with the Spam Act 2003 and ACMA regulations and will always include an unsubscribe option.
6. Disclosure of Personal Information
Hawkesbury Motorcycles does not sell personal information.
We may disclose information where necessary to:
- Motorcycle manufacturers and distributors
- Finance and insurance providers
- Warranty service providers
- Freight and logistics companies
- IT and website service providers
- Marketing and analytics providers
- Professional advisers such as accountants or lawyers
We may also disclose personal information where required by law or by a lawful request from a government or regulatory authority.
7. Driver's Licence and Identity Documents
How we collect your licence
Driver's licence images are collected exclusively through the Hawkesbury Motorcycles customer portal — a secure, encrypted online system. We do not accept licence photos by email, SMS, messaging application, or any other uncontrolled channel.
When your licence is required (for a test ride, vehicle purchase, or finance verification), a staff member will generate a secure, time-limited link through our platform. That link is delivered to you by email or SMS and takes you directly to the encrypted upload page.
You may also initiate a self-service upload at any time from your customer account.
How your licence is protected
All driver's licence images are encrypted using AES-256-GCM, an industry-standard authenticated encryption algorithm, before they are stored. The encryption keys are held in a secure secrets vault and are never stored in the database, source code, or any log. A licence image is never written to disk in plain text.
- Encrypted at rest. Your licence image is sealed with application-layer encryption before storage and cannot be read without the encryption key.
- Encrypted in transit. All data is transmitted over HTTPS.
- Access-controlled. Only authorised finance and management staff may view or download licence images. Access is restricted by role and is checked on every request.
- Audit-logged. Every view, download, and deletion of a licence image is recorded in a tamper-evident audit log, capturing who accessed the record, when, and from where. Access is denied if the audit record cannot be written.
- Encrypted on download. The only way a licence image leaves our platform is inside a password-protected PDF, using AES-256 encryption. The one-time password is displayed once to the authorised staff member at the time of download and is never stored by us.
How your licence is destroyed
Hawkesbury Motorcycles operates a "destroyed by default" policy on licence images.
| Scenario | Retention period |
|---|---|
| Self-service upload (customer-initiated) | 3, 5, or 7 days — your choice at upload, defaulting to 7 |
| Staff-requested or in-person upload | 30 days from upload |
Your licence image is destroyed at the earliest of:
- The retention period expiring (automatic, daily)
- Finance staff completing and destroying the record after processing
- You deleting it yourself from your customer account (self-service uploads)
When a licence image is destroyed, the encrypted file is permanently deleted from storage and the record is tombstoned with a reason and timestamp. It cannot be recovered.
You can delete your own self-service uploads at any time from the customer portal. For requests raised by our staff, contact us using the details in section 13.
Why we do not use email or SMS for licence collection
Email and SMS are not secure channels for identity documents. Messages are stored on servers and devices outside our control, cannot be encrypted at rest or in transit in a way we govern, and cannot be selectively deleted. The OAIC has identified driver's licence details as a category of information likely to cause serious harm if compromised, making their exposure a notifiable data breach. To meet our obligations under APP 11 and the NDB scheme, and to protect you from identity theft, we only accept licence images through our encrypted platform.
8. Storage and Security
Hawkesbury Motorcycles operates on a Cloudflare-native platform. All systems are cloud-hosted with no on-premises data storage.
Encryption at rest
All customer contact details and sale documents (contracts, receipts, quotes, and tax invoices) are encrypted at rest using AES-256-GCM before being written to storage. This is in addition to Cloudflare's own infrastructure-level encryption. Encryption keys are held exclusively in a secure secrets vault and are never stored in the database or application code.
In practical terms, this means that if storage media were ever copied or stolen, the data contained in it would be unreadable without the keys, which are held separately.
Masking and access control
Customer contact details (email address and phone number) are masked by default in our dealer management system. A staff member must take a deliberate action to reveal a full contact value, and every such reveal is recorded in an audit log.
Access controls
Access to customer data is restricted by staff role. Not all staff can access all data. Finance-sensitive records, including identity documents, are accessible only to finance and management roles.
Other security measures
- Network-level protections via Cloudflare
- Rate limiting on all customer-facing endpoints
- Staff confidentiality obligations
- Input validation on all data submitted to the platform
While we apply rigorous safeguards, no internet system can be guaranteed to be completely secure.
9. Retention of Personal Information
Personal information is retained only as long as required for business operations, legal obligations, and dispute resolution.
| Type of information | Retention practice |
|---|---|
| Customer contact details | Retained while the customer relationship is active and for legal and business obligations thereafter |
| Sale documents (contracts, receipts, tax invoices) | Retained in accordance with applicable legal obligations |
| Driver's licence images — self-service | 3 to 7 days (see section 7) |
| Driver's licence images — staff or in-person | 30 days from upload (see section 7) |
| Website analytics and cookies | Per our Cookie Policy |
Where personal information is no longer required, we take reasonable steps to securely destroy or de-identify it.
10. Access and Correction
You may request access to the personal information we hold about you. You may also request that information we hold be corrected if it is inaccurate, out of date, or incomplete.
Requests for access or correction should be directed to our Privacy Officer (see section 13). We will respond within a reasonable timeframe and in accordance with our obligations under APP 12 and APP 13.
In some circumstances we may be unable to provide access — for example, where doing so would have an unreasonable impact on the privacy of other individuals, or where it is not required under the APPs.
11. Right to Erasure (Right to Be Forgotten)
You may request that we delete the personal information we hold about you where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent and we have no other lawful basis for holding it.
This right is subject to our legal obligations. Some personal information must be retained for a minimum period under Australian law (for example, financial records under the Corporations Act 2001 and the Income Tax Assessment Act 1997), and we cannot delete information that is required for a current legal dispute or regulatory obligation.
We will acknowledge your request within 5 business days and advise you of the outcome or the next steps required. If we are unable to fulfil the request in full, we will explain why and advise what steps have been taken.
12. Privacy Complaints
If you believe Hawkesbury Motorcycles has breached the Privacy Act or mishandled your personal information, you may submit a written complaint to our Privacy Officer (see section 13).
We will acknowledge your complaint within 5 business days, investigate it, and respond within a reasonable timeframe.
If you are not satisfied with our response, you may refer your complaint to:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
13. Privacy Officer
Privacy Officer — Hawkesbury Motorcycles
Email: [email protected]
Alternatively, you may write to:
Hawkesbury Motorcycles70 Macquarie Street
Windsor NSW 2756
14. Changes to this Policy
Hawkesbury Motorcycles may update this Privacy Policy from time to time to reflect changes in legislation, technology, or business practices. The most current version will always be available at:
https://www.hawkesbury.motorcycles/privacy-policy
The date at the top of this document indicates when the policy was last updated. Where changes are material, we will take reasonable steps to notify you.