Don’t Tax Our Future

Privacy policy.

Last updated 20 May 2026

This page explains what personal information Don't Tax Our Future collects from you, why we collect it, how long we keep it, who we share it with, and how you can ask us to access, correct, or delete it. We’ve tried to write this in plain English, not legalese, because a policy you can’t read isn’t one you can rely on.

Don't Tax Our Future isn’t affiliated with any political party or organisation. We handle personal information in line with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

What we collect

The site collects information in three places, and only those three:

1. When you leave a comment

We ask for your first name and your view on the proposed changes (up to 500 characters). Last name and postcode are optional. We don’t collect your email at this stage. Postcode, if you provide it, helps us report a soft stat (“comments from every electorate”) without identifying anyone individually.

2. When you opt in to be notified about a future petition

On the screen after your comment is submitted, you can tick a box to be contacted if a formal petition is later lodged with the Australian Parliament. If you tick it, we ask for your email address and send you a single confirmation email. You have to click the link in that email for your address to be added to the list. If you never click, the address is never used and is deleted after 30 days.

3. When you write to us through the contact form

We collect your name, email, the category of your enquiry, and your message. We use that information only to respond to you.

Automatically, on every form submission

To detect spam and coordinated abuse, we also record a small amount of technical information for each submission: a one-way hash of your IP address (we never store the raw IP), your browser’s user-agent, and a timestamp. This submission log is kept for 90 days, then permanently deleted. We never sell it, share it with advertisers, or use it to build a profile of you.

Why we collect it

  • Comments: so visitors who choose to share their view have a place to do so, and so that view can appear on the public comment wall after our admin moderation review.
  • Email addresses (opt-in): only to notify you if and when a formal petition is later lodged with the Australian Parliament. We don’t use these addresses for anything else. We don’t send newsletters, fundraising appeals, or campaign updates.
  • Contact-form messages: so we can respond to your enquiry.
  • Submission log: to detect coordinated abuse and protect the site from spam and bot traffic.

How we use it

Comments are reviewed by a human before they appear publicly. Our published review SLA is 48 hours from submission. Comments that are approved are shown on the public wall and counted in the visible stats; comments that are pending or rejected are never displayed publicly anywhere on the site — not on the wall, not on the home-page scroller, not in any counter.

When we display approved comments publicly, we show your first name, your postcode (if you supplied one), and your comment. We don’t show last names or email addresses publicly anywhere on the site.

We don’t sell your personal information, share it with political parties or campaign organisations, or use it to build behavioural or advertising profiles. Some of the technical service providers we use are based outside Australia — details below.

Third parties that process your data

We use a small number of third-party services to run the site. Each one only receives the data needed for its specific job. We’ve chosen providers that don’t sell personal data and that comply with the EU General Data Protection Regulation (GDPR) or equivalent regimes.

  • Vercel (United States) — hosts the site. Vercel’s edge servers see every page request and your IP address at the moment the request lands.
  • Neon (Sydney, Australia) — the database where comments, contact records, and the submission log are stored. Data is encrypted at rest and in transit.
  • Cloudflare Turnstile (United States) — runs an invisible bot challenge on every form. Cloudflare sees your IP address and limited browser metadata in order to do the challenge.
  • Vercel BotID (United States) — a second bot-detection layer on the form pages.
  • Resend (United States) — sends the single confirmation email when you opt in to future updates. Resend receives your email address; it doesn’t receive your comment or any other field.
  • Plausible (Germany) — cookieless web analytics. Plausible doesn’t set cookies, doesn’t store IP addresses, and can’t identify individual visitors.
  • Sentry (United States; data stored in Frankfurt, Germany) — error tracking. Sentry is configured to never receive your name, email, comment text, postcode, or IP address.
  • Clerk (United States) — used only for the admin sign-in. Public visitors don’t interact with Clerk and no public visitor data is sent to it.

How we store and protect it

The database is operated by Neon in the Sydney region. Data is encrypted in transit and at rest. We never write your raw IP address to disk — only a one-way hash. The site is served over HTTPS only. Admin access requires two-factor authentication, and every admin action is recorded.

How long we keep it

Concrete retention periods per record type:

RecordHow long we keep it
Approved commentsIndefinitely while the site is live
Pending comments (not yet moderated)Auto-rejected if not reviewed within 30 days
Rejected comments90 days, then permanently deleted
Email addresses (unconfirmed opt-in)30 days, then permanently deleted
Email addresses (confirmed opt-in)Indefinitely until you unsubscribe, then 30 days, then permanently deleted
Submission log (hashed IPs, user-agents)90 days, then permanently deleted
Contact-form messagesKept while the conversation is active; permanently deleted once resolved

If the site is ever taken offline, all personal information will be permanently deleted within 30 days of closure.

Your rights and how to exercise them

Under the Privacy Act you have the right to:

  • Access your personal information — ask us for a copy of what we hold about you.
  • Correct it — ask us to fix something inaccurate or out of date.
  • Delete it — ask us to remove your data from our systems.
  • Unsubscribe — if you confirmed an opt-in, every email we send carries a one-click unsubscribe link. The link never expires.
  • Complain — first to us, and if you’re not satisfied with our response, to the Office of the Australian Information Commissioner (OAIC).

How quickly we respond

We commit to the following published response windows:

  • Privacy requests (access, correction, deletion): we acknowledge within 14 days and complete the request within 30 days.
  • Content takedown requests: we acknowledge within 48 hours and action or formally decline (with reason) within 7 days.
  • Comment moderation review: every pending comment is reviewed within 48 hours of submission.

Contact us about your data

For any privacy request — access, correction, deletion, complaint, or just a question — email privacy@donttaxourfuture.au. If you’d prefer the general contact form, you can also write to us through the contact page.

For requests to take down a specific comment or piece of content, please use takedown@donttaxourfuture.au.

Changes to this policy

We’ll update this page when our data practices change — for example, if we add or remove a third-party service. The “Last updated” date at the top of the page tracks the most recent revision. We don’t notify confirmed opt-in subscribers about policy changes by email; for material changes, we’ll publish a short note at the top of this page describing what changed.