Privacy Policy

OneCast Media is a trading name of OneCast Productions Pty Ltd (ABN 25 654 123 494) (“OneCast”, “we”, “us”, “our”), an Australian company based in Adelaide, South Australia. OneCast operates as a photography and videography production studio, working with commissioning clients across Australia.

This Privacy Policy explains how we collect, hold, use, disclose, store, and protect personal information about the people we interact with through our production engagements and through this website. We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and we apply the APPs as our standard of practice regardless of whether we are, at any given time, an APP entity required to comply with them under the turnover and information-type thresholds in that Act.

By engaging us, appearing in material we capture, or using this website, you acknowledge that personal information about you will be handled as described in this policy.

This policy applies to three categories of individuals:

• Commissioning clients — the businesses, agencies and individuals who engage OneCast for a production, and their authorised representatives (project leads, marketing managers, producers, agency contacts).
• Recorded individuals — talent, models, presenters, employees, customers, event attendees and members of the public whose image, voice or likeness is captured during a shoot we deliver for a commissioning client.
• Website visitors — anyone who visits our site at onecast.media, including people who submit an enquiry through our quote form.

The relationship between OneCast and each category is different, so the way we handle personal information is different too. The sections below explain how.

From commissioning clients:

• Business contact details — name, role, business name, ABN where relevant, email, phone.
• Billing and payment details — invoicing address, billing contact; card and bank details are processed by our payment processors (Stripe and, where applicable, Xero) and are not stored by us in plain text.
• Project brief and creative material — locations, schedules, scripts, shot lists, talent contacts, brand assets and any other material the client provides for the production.
• Communications — emails, messages and call notes exchanged with the client through the engagement.

From recorded individuals:

• Image, voice and other audio-visual recordings captured during the shoot, in the form of photographs, video footage, behind-the-scenes material and Raw Materials.
• Name, role and other identifying details where supplied by the commissioning client via a model release, talent release or call sheet.
• Where the recorded individual is engaged directly by us as crew or talent, their contact and payment details and (for individual ABN-holders) their ABN.

From website visitors:

• Information you choose to submit through our quote and contact forms — name, business, email, phone and project details.
• Aggregate site-performance data collected automatically by Vercel Web Analytics and Vercel Speed Insights (see §5 and §10).
• Optional product-analytics events collected by PostHog if you accept analytics in our cookie banner (see §10).

We collect personal information:

• Directly from the commissioning client during onboarding, briefing and the engagement itself.
• From the commissioning client about recorded individuals — for example, talent lists, call sheets and model releases supplied to us before a Shoot Day.
• Directly from recorded individuals on or around the Shoot Day — for example, where we capture an interview, a vox pop or a presenter performance, the recording itself is the collection.
• From you when you submit a quote enquiry, send us an email, call us, or otherwise contact us.
• Automatically from your device when you visit our website (request logs, IP address, browser and device type, the page requested).

Where it is reasonable and practicable to do so, we collect personal information directly from the individual it relates to. Where the commissioning client provides personal information about other individuals to us (talent, employees, customers, attendees), the commissioning client is responsible — both under our Terms of Service and under the APPs — for ensuring it has the lawful basis and consents needed to provide that information to us.

We use personal information for the following purposes:

• To plan, schedule and deliver the production engagement, including pre-production briefing, the Shoot Day itself, and post-production.
• To produce, edit, master and deliver the final Deliverables to the commissioning client in the agreed formats.
• To invoice, collect payment and otherwise administer the commercial relationship with the commissioning client.
• To use the Deliverables and behind-the-scenes material in our portfolio, showreel, website, social channels and awards submissions — subject to the portfolio-use opt-out in Clause 14.2 of our Terms of Service, and subject to any embargo we have agreed.
• To respond to enquiries submitted through this website.
• To send transactional emails relevant to a quote, project or invoice.
• To improve and maintain this website using cookieless first-party performance telemetry from Vercel and (only if you opt in) product-analytics events from PostHog.
• To meet statutory record-keeping obligations under Australian tax, corporations and work-health-and-safety law.
• To investigate complaints, defend our legal interests, and otherwise comply with the law.

We do not use personal information for purposes that you would not reasonably expect given the nature of the engagement, and we do not sell personal information to third parties.

We share personal information only with the trusted service providers we engage to run the agency, and only to the extent each service provider needs to do its job. These providers are subject to their own privacy obligations, and we select them with that in mind.

• Supabase, hosted on Amazon Web Services (AWS ap-southeast-2, Sydney) — our internal production-management database and file storage. Client briefs, project records and any working copies of Deliverables held in our system live here. Data is stored within Australia.
• Vercel Inc. (United States) — application hosting and edge delivery for this website, and (via Vercel Web Analytics and Vercel Speed Insights) cookieless aggregate web-performance telemetry on visits to onecast.media (see §10).
• PostHog (United States) — opt-in product analytics on this website (only loads if you accept analytics in our cookie banner — see §10).
• Resend (resend.com) — delivery of transactional email relevant to a quote, project or invoice.
• Stripe Payments Australia Pty Ltd — payment processing for retainers, deposits and invoices. Stripe handles card data; we do not see or store card numbers.
• Xero Limited — accounting, invoicing and bookkeeping for the agency. Client invoicing and payment records are held in Xero in the ordinary course of running the business.
• Google LLC — Google Workspace (Gmail and Google Drive) for business email and document storage, and (where used) Google Calendar for scheduling.
• Our crew — the photographers, videographers, editors, audio operators, drone operators and producers engaged on the Engagement. Crew handle personal information only as needed to perform their work on the production, and are subject to confidentiality obligations.

We may also disclose personal information where required by law, court order, or an authorised government authority, or where reasonably necessary to investigate a suspected breach of our Terms of Service, to protect our legal interests, or to protect the safety of any person.

We do not sell, rent or trade personal information to third parties for marketing purposes.

The production-management database that holds our internal records about clients, projects and Deliverables sits on AWS infrastructure in Sydney, Australia (ap-southeast-2).

A number of the service providers listed in §6 — Vercel, PostHog, Stripe, Xero and Google — are operated by entities outside Australia (primarily in the United States, with some processing in other jurisdictions). When we provide personal information to those providers we take reasonable steps for the purposes of Australian Privacy Principle 8 to ensure they handle the information consistently with the APPs, including by selecting providers that publish privacy commitments and security practices appropriate for the data involved.

Final Deliverables we send to a commissioning client may be delivered through a third-party platform nominated by the client (for example a cloud file-transfer service or a shared drive). Once a Deliverable has been received by the commissioning client, its onward handling is governed by the commissioning client's own arrangements.

Many of our Engagements involve capturing the image or voice of identifiable individuals — talent, presenters, employees, customers, event attendees, members of the public. The position on releases is set out in Clause 12 of our Terms of Service. In summary:

• The commissioning client is responsible for ensuring that each identifiable individual recorded for the Engagement has signed an appropriate model release / talent release (or other valid consent under the Privacy Act 1988 (Cth)) covering the intended use of the Deliverables.
• Where any individual recorded is under 18 or is a vulnerable person, the commissioning client is responsible for obtaining written consent from a parent, legal guardian or other appropriate consent-holder before the Shoot Day.
• If you appear in material we have captured and you wish to ask about how that material is being used, please contact us using the details in §13. We will, where reasonably possible, help facilitate that conversation between you and the commissioning client.

We retain personal information only for as long as we need it for the purposes for which it was collected, or for as long as Australian law requires us to keep it.

• Project records (briefs, schedules, correspondence) and Raw Materials — held in our archive for at least twelve (12) months from delivery of the final Deliverables, in line with Clause 18.5 of our Terms of Service. Beyond that period we may delete Raw Materials at our discretion; long-term archival storage is available as a paid add-on.
• Final Deliverables — retained as long as is operationally useful to support reissue requests, portfolio use and our own quality records.
• Statutory records — tax records, invoices and other records required to be kept under Australian tax and corporations law are retained for at least seven (7) years.
• Quote enquiries that do not lead to an engagement — retained for up to two (2) years and then deleted, unless we are in active discussion with you about a future project.
• Website usage data — request logs are typically retained for 90 days; aggregate analytics events have their own retention with our analytics providers.

If you would like us to delete personal information we hold about you, please contact us using the details in §13. We will action the request to the extent our legal record-keeping obligations and the rights of any commissioning client permit, and we will tell you if we are unable to fully comply (with reasons).

Essential cookies. This website uses a small number of essential cookies (for example, to remember the cookie-banner choice you have made) so that the site works properly. These are not used to track you across other websites and are not used for advertising.

Cookieless first-party telemetry. This website is hosted on Vercel and uses Vercel's built-in Web Analytics and Speed Insights products. These products are first-party and cookieless: they do not set tracking cookies, they do not use a persistent device identifier, and they do not identify individual visitors. They collect aggregate page-view counts, the page path, the referrer, the visitor's country (derived from the request IP), device class, and page-performance metrics (such as Core Web Vitals). We use this information only to understand how the site is being used and to keep it fast. Because this telemetry is cookieless and operates at the platform level, it stays on regardless of the cookie-banner choice; it is disclosed here so you can make an informed decision before continuing to use the site.

Opt-in product analytics. If you select “Accept” on our cookie banner, we additionally load PostHog, a product-analytics tool. PostHog sets cookies in your browser and records de-identified usage events and pageviews so we can understand which parts of the site are useful. PostHog stores this data on servers in the United States. If you select “Decline”, PostHog is not loaded at all. You can change your choice at any time using the “Cookie preferences” link in the website footer.

We do not use advertising cookies and we do not sell cookie or analytics data to third parties.

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Those steps include:

• Transport-layer encryption (HTTPS) for traffic to and from this website and our internal tools.
• Encryption at rest for the production-management database, as provided by our hosting infrastructure.
• Access controls on our internal systems, with role-based access and authentication on administrative functions.
• Confidentiality obligations on crew, contractors and other personnel engaged on an Engagement.
• Regular review of our infrastructure, third-party providers and access arrangements.

No system or method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a data breach occurs that we assess as an eligible data breach under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth), we will notify the affected individuals and the Office of the Australian Information Commissioner as, and within the time, required by that Act.

Under the Australian Privacy Act and the APPs, you have the right to:

• Access the personal information we hold about you (APP 12).
• Request correction of inaccurate, outdated, incomplete, irrelevant or misleading information (APP 13).
• Opt out of any direct marketing communications.
• Make a complaint about how we have handled your personal information.

To exercise any of these rights, please contact our Privacy Officer using the details in §13. We will respond within 30 days. We may need to verify your identity before responding so that we do not disclose personal information to the wrong person.

Where the information you are asking about was provided to us by a commissioning client (for example, talent details you would like corrected), we may also need to coordinate the response with that client, and we will tell you if that is the case.

For privacy enquiries, access requests, corrections or complaints, please contact our Privacy Officer:

• Privacy Officer, OneCast Productions Pty Ltd (ABN 25 654 123 494) trading as OneCast Media
• Email: info@onecast.media
• Adelaide, South Australia

We take privacy complaints seriously and will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: oaic.gov.au
• Phone: 1300 363 992
• Mail: GPO Box 5218, Sydney NSW 2001

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. When we make material changes, we will note the updated date at the top of this page. The current version of this policy is always available at onecast.media/privacy.