Sequenceby Halcyon Agency
PrivacyTermshalcyonagency.com.au

Privacy Policy

Last updated: 16 April 2026

This Privacy Policy describes how Halcyon Agency Pty Ltd (ABN 53 675 138 708, "Halcyon", "we", "us") collects, uses, stores, and discloses personal information in connection with Sequence (the "Platform"), an internal tool we operate to manage social media content on behalf of our agency clients.

Sequence is not a public product. Access is limited to authorized Halcyon staff and to our agency clients whose social media accounts we manage under written service agreements. By using the Platform, you consent to the collection and use of information as described in this policy.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process data on behalf of users in other jurisdictions, we additionally honour applicable principles under GDPR (EU/UK) and similar frameworks.

1. Who we are

Halcyon Agency Pty Ltd is a content and conversion systems agency based in Alexandria, Sydney, Australia. We operate Sequence internally to plan, schedule, publish, and report on social media content for client brands.

Contact: hello@halcyonagency.com.au
Website: halcyonagency.com.au

2. Information we collect

2.1 Information from authorized users

When a Halcyon team member or authorized client staff logs in, we collect:

  • Name, email address, and role
  • Profile photo (if provided)
  • Sign-in activity (time, IP address, device) for security logging

2.2 Information from connected social platforms

When a client connects a social media account (Facebook, Instagram, LinkedIn, YouTube, TikTok) to Sequence via OAuth, we receive and store:

  • OAuth access tokens and refresh tokens (used to publish and read analytics on your behalf)
  • Public account identifiers: username, display name, account ID, follower count
  • Content metadata for posts we publish or analyse: captions, media references, post IDs, engagement metrics (likes, comments, shares, views, saves, reach, impressions)

We request only the permissions strictly necessary to operate the Platform. We never request, collect, or store user passwords for connected platforms.

2.3 Content uploaded by clients

Clients upload content such as images, videos, thumbnails, captions, and scripts. This content is stored in Cloudflare R2 object storage hosted in the Asia-Pacific region and is accessible only to authorized Halcyon staff and the specific client who owns it.

3. How we use information

We use collected information only to:

  • Publish approved content to the social media accounts clients have authorized
  • Retrieve engagement metrics to display in reporting dashboards for the client whose content was posted
  • Authenticate users and maintain session security
  • Communicate with clients about their content pipeline
  • Refresh OAuth tokens before expiry so that publishing continues without re-authorization

We do not use client or social platform data for advertising, profiling, resale, or any purpose unrelated to content management services.

4. How we store and protect information

  • Database: Supabase (dedicated PostgreSQL in ap-southeast-2, Sydney)
  • File storage: Cloudflare R2, encrypted at rest
  • Hosting: Vercel (Sydney region)
  • OAuth tokens: Encrypted at rest. Access is restricted to the Platform's server-side runtime.
  • Transport: All connections use HTTPS/TLS 1.2 or higher.

We maintain access controls, monitoring, and regular backups. In the unlikely event of a data breach, we will notify affected users and, where required, the Office of the Australian Information Commissioner, in accordance with the Notifiable Data Breaches scheme.

5. Third-party services

Sequence integrates with the following third parties. When you connect an account, you are subject to their respective privacy policies:

Use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6. Data sharing and disclosure

We do not sell personal information. We disclose information only:

  • To the third-party services listed above, strictly to operate the Platform
  • To the client who owns the connected account (their own data, in their own dashboard)
  • Where required by law, court order, or lawful authority

7. Data retention and deletion

We retain OAuth tokens and content only for as long as the client maintains an active service agreement with Halcyon. When a client ends their engagement or disconnects an account:

  • OAuth tokens are revoked and deleted within 30 days
  • Uploaded media, captions, and analytics are deleted within 90 days unless the client requests earlier deletion
  • Backups are purged on a rolling 180-day schedule

8. Your rights

If you are an identifiable individual whose data we hold, you may request to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your information (subject to legal retention requirements)
  • Withdraw consent for data processing
  • Receive a copy of your data in a portable format

To exercise these rights, email hello@halcyonagency.com.au. We will respond within 30 days.

9. International data transfers

Our primary infrastructure is located in Australia (Sydney). Some integrated third parties (e.g. Meta, Google, TikTok, LinkedIn) process data in the United States, Europe, or Asia. By using the Platform you consent to these cross-border transfers, which occur under the third parties' respective privacy frameworks.

10. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be communicated to active clients by email.

11. Contact

Questions, concerns, or complaints regarding this policy or your data:
Email: hello@halcyonagency.com.au
Post: Halcyon Agency Pty Ltd, Alexandria, NSW, Australia

If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner: oaic.gov.au.