Last updated: 24 April 2026. Effective date: 24 April 2026.
Who we are. This policy is published by 360 Maker, a registered business name of Monika Almasy, sole trader, Australian Business Number 44 137 669 949, Queensland, Australia. "Ahead at Work" is the brand under which 360 Maker offers digital career guides. In this policy "we", "us", "our" and "360 Maker" refer to the same business. 360 Maker is the data controller (under GDPR and UK-GDPR) and the APP entity (under the Australian Privacy Act 1988) for the personal information described below.
Contact for all privacy matters. hello@aheadatwork.com. We treat that inbox as our privacy mailbox. We do not currently maintain a separate Data Protection Officer; because our processing is limited in scope and sensitivity, none is required under GDPR Article 37. If you prefer to write, request a postal address by email and we will respond.
Lemon Squeezy is our Merchant of Record. When you buy a guide, Lemon Squeezy collects your first name, last name (if provided), email address, billing country, and payment method information. Lemon Squeezy's own privacy policy governs what it collects, how it uses it, and who it shares it with. See lemonsqueezy.com/privacy.
We receive from Lemon Squeezy a subset of that information: your name and email address, plus the guide you bought and the purchase date. We do not receive your full payment details, card number, card-issuer data, full billing address, or any other sensitive payment information.
We use what we receive only to:
Our site is hosted on Cloudflare Pages. Cloudflare receives your IP address and user-agent string in the course of delivering the page, as every web host does. We use Cloudflare Web Analytics to count page views in aggregate. Cloudflare Web Analytics is privacy-preserving: it does not set cookies, does not fingerprint your browser, does not track individuals across websites, and does not store your IP address. Your IP is processed transiently to infer your country and is then discarded. We receive aggregate counts only; we never see individual visitor records. Cloudflare's privacy notice is at cloudflare.com/privacypolicy.
Beyond Cloudflare Web Analytics, our only tracking technology is the LinkedIn Insight Tag, which is active on this site when we are running a LinkedIn Ads campaign and loads only after you consent via the cookie banner shown on your first visit. Detailed disclosure below. All fonts are self-hosted, so no font-CDN data transfer occurs. We do not embed chat widgets, social-login buttons, share-buttons, heat-mapping tools, session-replay tools, or any other third-party script not listed in this policy.
LinkedIn Insight Tag (conversion measurement and retargeting). When an ad campaign is active, a small JavaScript snippet from LinkedIn (URL: snap.licdn.com/li.lms-analytics/insight.min.js) sets first-party and third-party cookies (including li_gc, bcookie, lidc, UserMatchHistory, AnalyticsSyncHistory) when you load a page. The tag transmits your IP address, timestamp, URL and referrer, user-agent, and a LinkedIn-member identifier (when you are logged in to LinkedIn on the same browser) to LinkedIn Ireland Unlimited Company (for EU/EEA/UK visitors) or LinkedIn Corporation (for US and other-region visitors). LinkedIn uses this data to (a) tell us which ad clicks led to a purchase or other action on our site, (b) build retargeting audiences (LinkedIn Matched Audiences) so we can show follow-up ads to people who visited a guide page, and (c) build lookalike audiences for us. LinkedIn is a joint controller for the Insight Tag data under GDPR Article 26; the joint-controller arrangement is documented at linkedin.com/legal/l/dpa. We receive only aggregate and anonymised reports; we never see an individual's LinkedIn-member ID. The data retention on LinkedIn's side is governed by the LinkedIn privacy policy at linkedin.com/legal/privacy-policy. You can opt out of LinkedIn ad targeting at any time in your LinkedIn account settings under "Ads" or by using the cookie banner on this site.
Cookie banner. On your first visit from any IP address we geolocate to the EU, EEA, UK, or Switzerland (where the ePrivacy Directive and GDPR require prior affirmative consent), we show a cookie banner with three clearly labelled options: "Accept all", "Reject non-essential", "Manage". Cloudflare Web Analytics runs regardless (it is essential and cookieless). The LinkedIn Insight Tag runs only if you choose "Accept all" or enable it in "Manage". For visitors from other jurisdictions, the banner offers the same controls on a consent-or-legitimate-interest basis as appropriate for that region. Your choice is stored for 12 months in a first-party cookie; you can change it at any time by clearing your cookies or clicking the "Privacy choices" link in our footer.
If no LinkedIn campaign is active at the time of your visit, the Insight Tag is not loaded and no LinkedIn cookies are set, regardless of your consent choice. The banner still respects your preference so that if a campaign later becomes active, your choice is honoured immediately.
If you email hello@aheadatwork.com, we receive the content of your message, your email address, and any attachments you choose to include. We use that information to answer your query and to keep a support record for quality and dispute-resolution purposes. Do not send us sensitive information you would not want on paper; email is not encrypted end to end.
We do not collect sensitive personal information as defined in the Australian Privacy Act 1988 s 6C(1) (including health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, biometric templates, or criminal records). We do not collect GDPR Article 9 special-category data. We do not collect children's data; our product is offered only to buyers aged 16 and over (see section 10).
We use the following third-party services in connection with our business. Each is independently responsible for the data it processes, under the contract we have with it and its own privacy policy.
Apart from the LinkedIn Insight Tag disclosed above (consent-gated, measurement and retargeting on our own site only, no data broker sale), we do not share personal information with any third party for direct-marketing, advertising, profile-building, or data-broker purposes. We have no affiliate-tracking arrangements. We do not sell personal information in the sense that term has under CCPA/CPRA or similar statutes. The Insight Tag data constitutes "sharing for cross-context behavioural advertising" under California CCPA/CPRA only if you consented to it; if you declined, nothing is shared.
We may disclose personal information where required by law (for example, in response to a valid subpoena, court order, or regulator request), where necessary to protect our legal rights, or in the event that our business is sold or restructured and the acquirer steps into our shoes. Any successor is bound by this policy in respect of information transferred.
We are based in Australia. Lemon Squeezy is based in the United States. Cloudflare is based in the United States with a global edge network. When you buy from us, your personal information crosses at least one international border.
For transfers of EU/EEA, UK, or Swiss data to the United States or other countries without an adequacy decision, we rely on the following legal mechanisms:
For transfers from other jurisdictions (Brazil LGPD, Canada PIPEDA, Australia APP 8), we rely on contractual safeguards with each processor equivalent to the protections under your local law. If you want the specific contract clauses that apply to your data, email us.
For EU, EEA, UK, and Swiss residents whose data we process under GDPR or UK-GDPR, our lawful basis is one of the following, depending on the purpose:
For AU residents, we rely on APP 3 (collection with the individual's knowledge) and APP 6 (use for the primary purpose of delivering the product, and related secondary purposes that a reasonable person would expect). For US and other-jurisdiction residents, our basis is the reasonable expectation created by the transaction and your agreement to our Terms.
We retain the personal information we receive from Lemon Squeezy for the following periods, each with a specific legal reason:
You can ask us to delete your data earlier than the retention periods above. We will honour the request within 30 days unless a statutory obligation requires us to keep specific records (for example, records of a completed tax-relevant sale). Where that applies, we delete everything we are not legally required to keep, and we tell you in writing what we retained and why.
After the retention period ends, records are deleted or irreversibly anonymised on the next scheduled quarterly deletion cycle.
We use commercially reasonable measures to protect the personal information we hold:
No system is perfectly secure. If you become aware of a security issue that affects our site or your account, please email hello@aheadatwork.com immediately.
This section sets out the specific rights you have depending on where you live. To exercise any right, email hello@aheadatwork.com with the request and the email address associated with your purchase. We respond within 30 days (shorter where required by local law). There is no fee unless the request is manifestly unfounded or excessive.
You can ask to access the personal information we hold about you (APP 12), and to correct it if it is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13). You can complain to us first; if you are not satisfied, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.
You have the rights to: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection to processing based on legitimate interest (Article 21), and not to be subject to automated decision-making that has legal or similarly significant effects (Article 22, though we do not carry out such decision-making). You can withdraw consent at any time where consent is the basis of processing. You can lodge a complaint with your national supervisory authority; a directory is at edpb.europa.eu.
Equivalent rights to the GDPR list above. Your supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.
Equivalent rights under the revised Federal Act on Data Protection, effective 1 September 2023. Your authority is the Federal Data Protection and Information Commissioner at edoeb.admin.ch.
If you are a California resident, you have the right to know what personal information we have collected about you, the right to correct inaccurate personal information, the right to delete personal information, the right to opt out of any sale or sharing of personal information (we do not sell or share as defined by CCPA/CPRA), the right to limit use of sensitive personal information (we do not collect any), and the right not to be discriminated against for exercising your rights.
To exercise any right, email hello@aheadatwork.com. You can also click the "Do Not Sell or Share My Personal Information" link in our footer; because we do not sell or share, that link confirms our posture and gives you a one-click record of your opt-out. You may authorise an agent to act for you (we may verify the authorisation).
Our categories of personal information collected in the last 12 months: identifiers (name, email, IP address), commercial information (purchase history), internet activity (aggregate page views). Sources: you (via the Merchant of Record at checkout) and your browser. Purposes: delivery, support, and aggregate analytics, as set out in section 2. Categories of third parties we share with: service providers described in section 3. Retention: as set out in section 6.
If you are a resident of a US state with a comprehensive privacy law (including but not limited to the Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and others that come into force from time to time), you have rights broadly equivalent to the CCPA list: to know, correct, delete, port, opt out of targeted advertising (we do not engage in this), opt out of sale (we do not sell), and to non-discrimination. To exercise a right, email hello@aheadatwork.com. We will respond within the period required by your state's law (30 to 45 days depending on the statute).
Under the federal Personal Information Protection and Electronic Documents Act and provincial equivalents (Alberta PIPA, British Columbia PIPA, Quebec Law 25), you have the rights to access, correct, and withdraw consent. You can complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca or your provincial commissioner. Our electronic marketing complies with CASL to the extent it applies; see the emails section of our Terms and section 9 of this policy.
Under the Lei Geral de Proteção de Dados you have the rights to confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, and to withdraw consent. Your authority is the Autoridade Nacional de Proteção de Dados at gov.br/anpd.
You have the rights of access and correction, and the right to complain to the Privacy Commissioner at privacy.org.nz.
If you live in a jurisdiction with a data-protection law not named above (for example, South Africa POPIA, Nigeria NDPR, Turkey KVKK, United Arab Emirates PDPL, Saudi Arabia PDPL, India DPDPA, South Korea PIPA, Japan APPI, Singapore PDPA, Thailand PDPA), you may have rights under that law. Email us and we will do what that law reasonably requires.
We send four post-purchase emails: a welcome email (transactional, sent immediately) and three follow-up emails at 3, 7, and 14 days after purchase. The follow-ups contain practical prompts and workflow tips related to the guide you bought. Every email carries an unsubscribe link and identifies the sender. To stop receiving the follow-ups but keep receiving support replies, click unsubscribe or reply STOP to any email.
We do not send weekly or monthly marketing newsletters. We do not add you to third-party mailing lists. We do not buy or rent mailing lists. We comply with the AU Spam Act 2003 (consent, identification, functional unsubscribe), the US CAN-SPAM Act (opt-out, sender identification, physical address), the UK Privacy and Electronic Communications Regulations, the EU ePrivacy Directive as implemented, and Canada's CASL.
Our product is sold to buyers aged 16 and over. Our checkout does not ask for age; we rely on your representation under our Terms. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us personal information, contact hello@aheadatwork.com and we will delete it. We do not target our site, marketing, or guides at children. The site and guides are not designed under the UK Age-Appropriate Design Code because they are not directed at children; where a child does read a guide, the content is adult-workplace-context material rather than child-appropriate content.
We do not carry out solely automated decision-making that produces legal or similarly significant effects for you. Our email-drip scheduling is rule-based (day-since-purchase) and does not evaluate, score, profile, or classify you. If we ever introduce behavioural personalisation, we will update this policy and request consent where required.
If we become aware of an unauthorised access, loss, or disclosure of personal information we hold that is likely to cause serious harm, we will respond under the following framework:
Our breach playbook lives at `docs/legal/data-breach-response-playbook.md` inside our internal repository. If you want a redacted copy after an incident that affected you, we will provide one.
Our guides recommend specific third-party AI tools such as ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), Grammarly, Notion AI, Midjourney, Canva, and others. If you sign up for, log into, or paste data into any of those tools, that tool's own privacy policy governs how your data is handled. We are not a party to any contract you have with an AI tool. We do not see, receive, store, or process anything you paste into an AI tool. We have no role or responsibility in any of the following, all of which are between you and the AI tool's provider:
Before you paste client data, patient information, student records, employee data, confidential memos, trade secrets, or other sensitive content into any AI tool, read that tool's privacy policy, check your employer's written AI policy, and where appropriate use anonymised placeholders. Our guides include warnings about this in Chapter 1 and Chapter 4 for regulated professions. They apply equally to every role.
We may update this policy from time to time. The current version is always on this page with a "Last updated" date at the top. If we make a material change (a change that materially affects how we collect, use, or share your personal information, or that adds a new third-party tool to our processing chain), we will note that near the "Last updated" line for at least 30 days after the change. For EU/EEA residents, we will additionally give you an email notice and, where required, seek fresh consent.
If you have a privacy complaint, please contact us first at hello@aheadatwork.com so we have the opportunity to fix it. We aim to acknowledge within 2 business days and resolve within 30 days. If we cannot resolve the matter, you can escalate to:
We do not sell personal information in the sense defined by CCPA, CPRA, CPA, VCDPA, or similar statutes. We do share limited online-identifier data (IP address, cookie ID, LinkedIn-member identifier when logged in) with LinkedIn for cross-context behavioural advertising when a LinkedIn Ads campaign is running and only after you consent to the LinkedIn Insight Tag via our cookie banner (see section 2.2). If you declined consent, nothing is shared. You can opt out at any time by (a) clicking "Privacy choices" in our footer and setting "Reject non-essential", (b) emailing hello@aheadatwork.com with "Do Not Sell or Share My Personal Information" in the subject, or (c) sending a Global Privacy Control (GPC) signal from your browser, which we honour as a binding opt-out. Exercising this right does not affect the price, quality, or availability of our guides (non-discrimination, Cal Civ Code s 1798.125). If you want our position in writing for your records, email the address above and we will reply with a dated letter within the statutory period.
Data controller (GDPR / UK-GDPR), APP entity (Privacy Act 1988), business (CCPA and state laws): 360 Maker (ABN 44 137 669 949), Queensland, Australia. Trading brand: Ahead at Work.
Privacy email: hello@aheadatwork.com.
Postal address: PO Box 233, Runaway Bay QLD 4216, Australia.
Full legal and business-identity disclosure: see our Legal Notice and Impressum.