Privacy Policy

Effective date: 1 May 2025 — Last reviewed: 1 May 2025

1. Introduction

NemGraph (“we”, “us”, or “our”) operates the NemGraph platform at nemgraph.com.au, a software-as-a-service application that provides interactive visualisations and analytics of publicly available Australian Energy Market Operator (AEMO) electricity market data. NemGraph is an Australian company governed by the laws of New South Wales, Australia.

This Privacy Policy explains what personal information we collect from you when you use our platform, how we use it, where we store it, who we share it with, and what rights you have over it. It applies to all visitors to our marketing site and all registered users of the NemGraph platform.

We are committed to handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We take privacy seriously and will never sell your personal information to third parties.


2. Information We Collect

We collect information in the following categories when you visit, register for, or use NemGraph.

2.1 Account Information

When you create a NemGraph account, we collect:

  • Your full name
  • Your email address
  • Your password — stored only as a bcrypt hash; we never store or transmit your plain-text password
  • Your organisation name (optional, collected at signup)
  • Your subscription tier and billing status

2.2 Usage Data

As you use the platform, we automatically collect data about how you interact with NemGraph, including:

  • Pages and dashboard sections visited
  • Charts viewed and time ranges selected
  • Generator DUIDs searched or saved
  • NEM regions and time periods queried
  • Session start and end times, session duration
  • Features used and buttons clicked

This data helps us understand how the product is being used and where we can improve it. It is associated with your account but is not sold or shared with third parties for advertising purposes.

2.3 Payment Information

All payment processing is handled by Stripe, Inc. We never receive, transmit, or store your raw credit card number, CVC, or full bank account details. When you subscribe to a paid plan, you are redirected to Stripe’s secure hosted payment page. We receive from Stripe only a tokenised customer reference, the last four digits of your card, card brand, and billing country — the minimum necessary to display your billing status and manage your subscription.

2.4 Technical Data

When you access NemGraph, our servers and analytics tooling automatically record:

  • Your IP address (truncated after 24 hours for analytics purposes)
  • Browser type and version
  • Operating system and device type
  • HTTP referrer (the page that linked you to NemGraph)
  • Request timestamps and HTTP response codes

2.5 Cookies and Local Storage

We use a small number of cookies and browser local storage values to operate the platform. We do not use advertising or cross-site tracking cookies.

  • Session cookie — an HTTP-only, secure cookie containing your authenticated session token. Required to keep you logged in. Expires when you log out or after 30 days of inactivity.
  • Theme preference — stored in localStorage to remember whether you prefer the dark or light interface theme. Contains no personal information.
  • Analytics cookie — a first-party cookie used by our product analytics tool (see Section 5) to distinguish unique sessions. This is a pseudonymous identifier and does not contain your name or email.

You can disable cookies in your browser settings. Disabling the session cookie will prevent you from logging in to NemGraph.


3. How We Use Your Information

We use the information we collect for the following purposes, all of which are necessary to operate NemGraph as described or are in our legitimate business interest:

  • Service delivery — authenticating your identity, delivering the dashboard and data visualisations, enforcing your subscription tier limits (e.g. regions accessible, data delay applied), and saving your preferences and watched DUIDs.
  • Billing and subscription management — processing payments via Stripe, issuing invoices, handling subscription upgrades, downgrades, and cancellations, and preventing payment fraud.
  • Product analytics and improvement — understanding which features are used, identifying bugs and performance problems, and prioritising our product roadmap.
  • Communications — sending transactional emails (account confirmation, password reset, subscription receipts, material changes to this policy). We do not send marketing emails without your explicit opt-in consent.
  • Security and fraud prevention — detecting unusual login patterns, preventing account takeover, rate-limiting API abuse, and maintaining audit logs.
  • Legal obligations — complying with applicable Australian law, responding to valid legal process, and resolving disputes.

We will not use your personal information for any purpose that is incompatible with those listed above without first notifying you and, where required by law, obtaining your consent.


4. Data Storage and Security

All NemGraph backend infrastructure — including our PostgreSQL (with TimescaleDB) databases, Redis cache, and application servers — is hosted on Amazon Web Services in the ap-southeast-2 (Sydney, Australia) region. Your personal data is stored in Australia and does not leave Australia except as described in Section 5 (Third-Party Services).

We apply the following security controls:

  • Encryption at rest — all database volumes are encrypted using AES-256.
  • Encryption in transit — all communication between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS and set HSTS headers.
  • Password hashing — passwords are hashed using bcrypt with a per-user salt before storage. Plain-text passwords are never logged or retained.
  • Access controls — database and server access is restricted to authorised personnel via SSH key authentication and IAM role policies. Access is reviewed quarterly.
  • No sale of data — we will never sell, rent, or trade your personal information to any third party for their own commercial use.

While we take these measures seriously, no internet-based system is perfectly secure. We encourage you to use a strong, unique password and to contact us immediately at privacy@nemgraph.com.au if you believe your account may have been compromised.


5. Third-Party Services

We use a small number of carefully selected third-party services to operate NemGraph. Each is described below, along with the data shared with them.

Stripe (Payments)

Stripe, Inc. processes all subscription payments. When you subscribe, your browser communicates directly with Stripe’s servers. Stripe is PCI DSS Level 1 certified. Their privacy policy is available at stripe.com/privacy. We share your name and email address with Stripe so that they can issue receipts and enable you to access Stripe’s customer portal to manage your billing details.

Vercel (Frontend CDN)

Our Next.js frontend is deployed and globally distributed via Vercel, Inc. Vercel edge nodes may temporarily process request metadata (IP address, headers) to serve responses efficiently. Vercel does not receive your personal account data. Their privacy policy is available at vercel.com/legal/privacy-policy.

Amazon Web Services (Infrastructure)

AWS hosts our application servers, databases, and object storage in the ap-southeast-2 (Sydney) region. As our infrastructure provider, AWS processes data on our behalf under our instructions. AWS is ISO 27001 certified and complies with Australian data residency requirements. Their privacy policy is available at aws.amazon.com/privacy.

PostHog (Product Analytics, Optional)

We use PostHog for product analytics to understand feature usage patterns and improve the platform. PostHog receives pseudonymous event data (e.g., “viewed bidding stack chart”, “searched DUID”) along with a randomly generated session ID. We have configured PostHog to not capture raw URLs that contain query parameters, to mask any form input fields, and to anonymise IP addresses. You can opt out of analytics tracking in your account settings. PostHog’s privacy policy is available at posthog.com/privacy.

We do not use Facebook Pixel, Google Ads remarketing, or any other advertising or cross-site tracking technology.


6. AEMO Market Data

NemGraph’s core function is to visualise electricity market data published by the Australian Energy Market Operator (AEMO). This includes spot prices, dispatch instructions, generator bids, SCADA output, FCAS market data, and interconnector flows.

This market data is sourced entirely from AEMO’s public NEMweb data portal and the AEMO API under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence. It is public information that contains no personal information about individuals. Generator DUIDs (Dispatchable Unit Identifiers) identify physical electricity generating units, not natural persons.

Accordingly, the collection, processing, storage, and display of AEMO market data on the NemGraph platform is not subject to the Australian Privacy Act 1988. Our handling of AEMO data is governed separately by AEMO’s data licence terms.


7. Your Rights Under the Australian Privacy Principles

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the following rights in relation to the personal information we hold about you:

  • Right of access — You may request a copy of the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for fulfilling access requests that are complex or require substantial retrieval effort.
  • Right of correction — If you believe any personal information we hold about you is inaccurate, out of date, incomplete, or misleading, you may ask us to correct it. We will respond within 30 days. If we decline to correct the information, we will explain why in writing.
  • Right to complain — If you believe we have breached the Australian Privacy Principles, you have the right to make a complaint to us first (see Section 12). If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
  • Anonymity and pseudonymity — Where practicable, you may interact with us anonymously or using a pseudonym. Note that accessing a registered NemGraph account requires a verified email address and is therefore not anonymous.

To exercise any of these rights, please contact us using the details in Section 12.


8. International Users

NemGraph is primarily designed for Australian energy market participants. However, users from other countries — including the European Union — may access the platform.

If you are located in the European Economic Area (EEA) or United Kingdom, you may also have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to erasure (“right to be forgotten”), the right to data portability, and the right to object to certain processing. We will honour these requests in accordance with applicable law.

Australia does not currently have a formal adequacy decision from the European Commission. Where we transfer personal data from the EEA to Australia, we rely on your explicit consent provided at the time of account registration as the legal basis for that transfer, or on applicable derogations under Article 49 of the GDPR.

If you are an EEA or UK user and wish to exercise your GDPR rights, please contact us at privacy@nemgraph.com.au. We will respond within 30 days (or within one month as required by GDPR).


9. Data Retention

We retain your personal information only for as long as is necessary to provide the service or as required by law. The following retention periods apply:

  • Account data (name, email, hashed password, subscription history) — retained for the duration of your account, plus 30 days following account closure to allow for reactivation. After 30 days, account data is permanently deleted.
  • Usage and analytics logs — retained in identifiable form for up to 12 months, then anonymised and retained in aggregate form for up to 24 months for trend analysis and capacity planning. Anonymised data cannot be linked back to your account.
  • Billing records — retained for 7 years from the date of the transaction to comply with Australian taxation and accounting obligations. After this period, billing records are securely deleted.
  • Server access logs — retained for 90 days for security investigation purposes, then automatically purged.

You may request deletion of your account at any time from the Settings page or by contacting us. We will process your request within 30 days and confirm when deletion is complete.


10. Children

NemGraph is a professional analytics platform intended for use by adults working in the Australian energy industry and related sectors. It is not directed at, and is not intended for use by, persons under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that a person under 18 has provided us with personal information, we will take steps to delete it promptly. If you believe a minor has registered an account with us, please contact us at privacy@nemgraph.com.au.


11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, or legal requirements, or for other operational reasons. The “Last reviewed” date at the top of this page will always reflect when the policy was most recently updated.

If we make material changes — for example, changes to the types of data we collect, how we use it, or who we share it with — we will notify registered users by email to the address associated with their account at least 14 days before the changes take effect. Continued use of NemGraph after the effective date of an updated policy constitutes your acceptance of the changes. If you do not agree with a material change, you may close your account at any time.


12. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

Privacy Officer, NemGraph

Email: privacy@nemgraph.com.au

We aim to respond to all privacy-related enquiries within 5 business days and to resolve complaints within 30 calendar days.

If you are not satisfied with our response to a complaint, you may escalate to the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • GPO Box 5218, Sydney NSW 2001

© 2026 NemGraph. This policy is governed by the laws of New South Wales, Australia.