Last updated: 2026-May-11
1. Who We Are
Core Australia (“CORE”, “we”, “our”, “us”) is a not-for-profit, community-operated platform providing WordPress + CiviCRM + other software for sites for community groups, causes, and campaigns.
This Privacy Policy applies to:
- The main CORE website (coreaustralia.org.au)
- Any site hosted under a CORE subdomain (e.g., *.coreaustralia.org.au, *.cibapp.net)
- Any custom-domain site hosted on the CORE platform
- All plugins, integrations, and tools provided by CORE
Each CORE -hosted site is operated by the organisation that controls it (“Site Owner”).
Site Owners act as data controllers for the information they collect.
CORE itself acts as a platform provider (similar to a hosting provider).
2. What This Policy Covers
This privacy policy explains:
- What information CORE collects and processes
- What information individual CORE sites collect
- How data is stored, used, and protected
- Your rights
- How to contact us
3. Information We Collect
CORE (the platform) collects some data automatically. Each individual CORE site may also collect additional information (e.g., supporter data).
3.1 Information You Provide Directly
Depending on your interaction, this may include:
- Account registration details (name, email, password)
- Contact forms, profiles, submissions, or survey data
- Information you upload, publish, or store on your CORE site
- Comments that you submit on a CORE-hosted website
- Volunteer or supporter information (if managed by a Site Owner)
3.2 Automatically Collected Data
CORE may collect:
- IP address
- Browser and device information
- Access logs
- Security logs (e.g., failed login attempts)
- Error reports
- Analytics data (anonymous)
- Session information
3.3 Sensitive Data
CORE does not intentionally collect or require:
- Government ID numbers
- Financial account details
- Medical or health information
- Highly sensitive personal information
Site Owners should avoid storing such data unless they have lawful grounds to do so.
4. WordPress-Specific Information Collection
All CORE sites run on WordPress. The following behaviours apply automatically.
4.1 Comments
When visitors leave comments on a CORE-hosted site, WordPress collects:
- Data entered in the comment form
- IP address
- Browser user agent string
This helps with spam detection and security.
Additionally:
- An anonymised hash of your email may be sent to Gravatar to check for an associated profile
- After approval, your profile image may become publicly visible
4.2 Media Uploads
When uploading images to a CORE site:
- EXIF metadata (including GPS location) may be retained
- Visitors can download and extract location data if present
CORE does not automatically strip metadata.
4.3 Cookies
WordPress uses several types of cookies.
Comment cookies:
If you leave a comment, you may opt to save your name, email, and website in cookies for convenience.
Login cookies:
When logging in:
- Authentication cookies last for up to 2 days
- Display preference cookies last for up to 1 year
- “Remember Me” extends login up to 2 weeks
- Logging out removes these cookies
Temporary cookies:
A cookie is set on the login page to test whether your browser accepts cookies.
Editor cookies:
When editing or publishing a post, WordPress sets a cookie that stores the post ID.
It contains no personal data and expires after 1 day.
4.4 Embedded Content from Other Websites
Content on CORE sites may embed third-party media such as:
- YouTube videos
- Maps
- Vimeo players
- Social media posts
- External articles
- Iframed forms
Embedded content behaves as if you visited the external website directly.
These external sites may:
- Collect data
- Set cookies
- Track user behaviour
- Monitor interactions
CORE does not control how external sites handle your data.
4.5 Password Reset Requests
If you request a password reset, the request email may include:
-
Your IP address
This is standard WordPress behaviour for security purposes.
5. CiviCRM-Specific Information Collection
Many CORE sites use CiviCRM to store supporter and engagement data.
Information may include:
- Names, email addresses, phone numbers
- Event registrations
- Volunteer interests
- Survey responses
- Membership information
- Donations (processed through external gateways)
- Activity logs
The Site Owner determines what data is collected and for what purpose.
CORE does not use or process CiviCRM data for its own purposes, other than hosting and system operations.
6. How We Use Data
CORE uses platform-level data for:
- Operating, maintaining, and improving the platform
- Troubleshooting issues
- Security and fraud prevention
- Backups and recovery
- System analytics
- Responding to support requests
Individual CORE sites may use your data for:
- Supporter engagement
- Community organising
- Communications (email/SMS)
- Event management
- Volunteer coordination
-
Any purpose described on their own privacy statements
7. How We Store and Protect Data
CORE uses:
- Encrypted HTTPS connections
- AWS cloud infrastructure
- Cloudflare security layers
- Access control & logging
- Regular updates & patching
However:
- No system is perfectly secure
- Site Owners must manage user access and permissions
- You should use strong passwords and 2FA
8. Sharing Your Information
We may share data with trusted service providers for hosting and operations, such as:
- Amazon Web Services
- Cloudflare
- Email/SMS providers (SES, Mailgun, SendGrid, Twilio)
- CiviCRM services
- Backup systems
- Volunteer developers administering the platform
We may disclose information if required by:
- Law
- Court order
- Regulatory authority
- To prevent harm or illegal activity
We never sell personal data or use it for advertising.
9. Third-Party Services & Integrations
CORE sites often connect to external tools.
These may collect and process data independently, including:
- Email gateways
- Payment processors (Stripe, PayPal, etc.)
- Analytics platforms
- Mapping services
- CAPTCHA/spam tools
- Form integrations
CORE is not responsible for third-party privacy practices.
You should review the privacy policies of any connected service.
10. Data Retention
CORE retains platform-level data only as long as necessary.
WordPress:
- Comments may be stored indefinitely
- User profile data is stored until deleted
CiviCRM:
The Site Owner controls retention periods.
Platform:
When a site or account is closed:
- Data may be deleted immediately
- Backups are not guaranteed
- You must export your data before requesting closure
Some log files may be retained for security or compliance.
11. Your Rights
Depending on your location, you may have rights to:
- Access your personal data
- Request corrections
- Request deletion
- Object to certain processing
- Request data portability
Requests relating to CiviCRM or WordPress site data should be directed to that site’s owner.
Requests relating to platform-level data can be made to CORE
CORE may refuse requests where required by law or to maintain platform security.
12. Automated Decision-Making & Spam Detection
CORE and individual sites may use automated systems for:
- Spam filtering (e.g., Akismet or equivalent)
- Security alerts
- Duplicate detection
- Login protection
- Email deliverability checks
These systems may analyse:
- IP address
- Browser details
- Content submitted
- Behaviour patterns
13. International Data Transfers
CORE uses cloud services that may store or process data in:
-
Australia
By using CORE, you consent to these international transfers.
14. Children’s Privacy
CORE is not intended for children under 16 without adult supervision.
Site Owners should ensure their use complies with relevant child data protection laws.
15. Changes to This Privacy Policy
We may update this Privacy Policy at any time.
Significant updates will be announced on coreaustralia.org.au
Continued use of the platform after changes indicates acceptance.
16. Contact Us
For platform-level privacy concerns:
📧 [email protected]
For data stored by a specific CORE-hosted site:
Contact the Site Owner directly using their published contact details.