Queensland Startup Legal Guide: Business, Tech and AI Law Explained

Starting a business in Queensland is an exercise in optimism but it is also an exercise in legal complexity. From the moment you register a business name, hire a developer, sign a commercial lease, or deploy a software application, the full weight of Australian commercial, employment, and regulatory law applies to your enterprise. For technology and artificial intelligence startups, this complexity is multiplied by frameworks struggling to adapt to algorithmic data processing and global software deployment.

This master guide walks you through every major legal area your Queensland startup needs to understand and address from day one, integrating general commercial principles with the highly specific requirements of the technology sector.

Part 1: Business Structure, Formation, and Asset Protection

Choosing the right business structure is the single most consequential legal decision a founder makes. The consequences of that choice dictate how the business is taxed, how personal assets are protected, how capital is raised, and how the business is eventually sold. Queensland founders have four principal structural options, but for high-growth tech startups, a specific dual-entity architecture is required.

Standard Corporate Structures

A proprietary limited company registered under the Corporations Act 2001 (Cth) is the dominant vehicle for startups with growth ambitions or any intention to raise external capital.¹ The company is a separate legal entity from its shareholders and directors. Shareholders are generally protected from personal liability beyond the amount unpaid on their shares.

Directors owe strict statutory duties under the Corporations Act 2001 (Cth). The duty to act in good faith (s 181), the duty to exercise reasonable care and diligence (s 180), and the duty to avoid insolvent trading (s 588G) are actively enforced by regulators and liquidators. A director who allows a company to incur a debt when the company is already insolvent can be held personally liable for that debt.

A general partnership does not create a separate legal entity. Each partner is jointly and severally liable for the debts of the partnership, exposing personal assets to unlimited liability. A sole trader structure is similarly exposed. While a discretionary trust offers tax distribution flexibility, it is administratively complex and highly unattractive to institutional venture capital investors who prefer standard corporate equity.

The Tech Startup Dual-Company Structure (HoldCo and OpCo)

For technology and AI startups, intellectual property is the core asset. The industry standard for protecting this asset is the dual-company structure. This comprises a Holding Company (HoldCo) and an Operating Company (OpCo), both registered as proprietary limited companies.

The Holding Company sits at the apex. Its sole legal purpose is to own the intellectual property, including copyright in the source code, trade marks, and proprietary datasets. It does not trade and does not hire employees. The Operating Company is a wholly-owned subsidiary of the Holding Company. It is the outward-facing entity that assumes all commercial risk, signs SaaS contracts, employs staff, and incurs debt.

The legal bridge between these entities is an Intercompany Intellectual Property Licence, granting the Operating Company the right to commercialise the IP. To secure this arrangement, the Holding Company must register a security interest over the Operating Company on the Personal Property Securities Register under the Personal Property Securities Act 2009 (Cth) .² If the Operating Company is sued for a software failure and forced into liquidation, the core intellectual property remains securely shielded in the Holding Company.

Founders Agreements and Vesting

A founders agreement (or early shareholders agreement) is critical. The most important mechanism is founder vesting. Vesting ensures that founders earn their equity over time rather than receiving it outright at incorporation. A standard tech vesting schedule operates over four years with a one-year cliff. If a co-founder leaves the startup in month eleven, they walk away with zero equity. This mechanism protects the cap table from dead equity sitting with departed founders and is an absolute requirement for venture capital investment.

Explore our Business Law practice page for more guidance on corporate structuring.

Part 2: Employment Law Essentials

The moment your startup engages its first worker, the Fair Work Act 2009 (Cth) applies.³ Employment law is the area where startups most commonly miscalculate their obligations.

The National Employment Standards and Awards

The National Employment Standards (NES) in Part 2-2 of the Fair Work Act 2009 (Cth) provide 13 minimum entitlements that apply to all national system employees.³ An employment contract cannot undercut the NES. Entitlements include maximum weekly hours, four weeks of annual leave, ten days of paid personal leave, ten days of paid family and domestic violence leave (for all employees including casuals), and minimum notice of termination.

Modern awards underpin the NES and set industry-specific minimum pay rates, penalty rates, and allowances. The first task when hiring is identifying the correct modern award. Underpayment of award entitlements is a priority enforcement area for the Fair Work Ombudsman and can result in substantial civil penalties and potential criminal prosecution under wage theft provisions.

Contractor Misclassification

The distinction between employees and independent contractors has undergone significant legal reform. The High Court of Australia in Construction, Forestry, Maritime, Mining and Energy Union v Personnel Contracting Pty Ltd held that the employment relationship should be assessed primarily by the rights and duties established in the written contract.⁴

However, Parliament subsequently amended the Fair Work Act 2009 (Cth) via the Fair Work Legislation Amendment (Secure Jobs, Better Pay) Act 2022 (Cth) .⁵ The statutory test now requires an assessment of the real substance, practical reality, and true nature of the relationship, explicitly overriding the pure contractual approach. Misclassifying a software developer as a contractor when they are legally an employee exposes the startup to substantial superannuation liabilities under the Superannuation Guarantee (Administration) Act 1992 (Cth) , alongside annual leave back-pay and civil penalties.⁶

Probation and Dismissal Risk

A probationary period in a contract is commercially sensible but does not operate as an absolute shield against claims. Under s 383 of the Fair Work Act 2009 (Cth), the minimum employment period before an employee can access the unfair dismissal jurisdiction is one year for small businesses (fewer than 15 employees) and six months for all other businesses.³ A dismissal during probation may still be reviewable in the general protections jurisdiction if the employee alleges they were dismissed for exercising a workplace right or for a discriminatory reason.

Explore our Employment Law practice page for contract templates and workplace advice.

Part 3: Workplace Policies

Employment contracts establish individual terms, but workplace policies establish the operating rules governing the entire workforce. Certain policies are legally required, while others are essential to manage misconduct and defend claims.

The Work Health and Safety Act 2011 (Qld) imposes a primary duty of care on a business to ensure the health and safety of workers.⁷ WorkSafe Queensland expects documented policies as part of safety management systems. The Anti-Discrimination Act 1991 (Qld) prohibits discrimination and harassment.⁸ An employer who fails to take reasonable steps to prevent unlawful discrimination faces vicarious liability for employee misconduct.

Every startup should implement:

1. Code of Conduct: Setting behavioural standards and disciplinary consequences.
2. IT Acceptable Use Policy: Governing the use of company systems and establishing the employer’s right to monitor usage.
3. Anti-Discrimination and Bullying Policy: Essential for defending vicarious liability claims.
4. Privacy and Data Handling Policy: Instructing employees on secure data management.
5. Domestic and Family Violence Leave Policy: Managing the statutory paid leave entitlement confidentially.

A policy must be communicated to employees and acknowledged in writing to be effectively enforced. The employment contract should state that the employee agrees to comply with workplace policies as amended from time to time, but that the policies do not form part of the employment contract itself.

Part 4: Contracts with Customers and SaaS Agreements

Every time your startup provides goods or services, a contract is formed. Startups trading without written standard terms are relying on implied common law terms and the Australian Consumer Law, leaving substantial commercial risk unmanaged.

The Australian Consumer Law (ACL) Guarantees

The Australian Consumer Law, located in Schedule 2 of the Competition and Consumer Act 2010 (Cth) , applies forcefully to commercial contracts, including Software-as-a-Service.⁹

A critical threshold is the definition of a consumer. Under s 3 of the ACL, a business acquiring goods or services is deemed a consumer if the price does not exceed $100,000, OR if the goods or services are of a kind ordinarily acquired for personal, domestic, or household use, regardless of price. If either limb of this test is met, the statutory consumer guarantees apply, including guarantees of acceptable quality (s 54) and due care and skill (s 60).

Under s 64 of the ACL, a startup cannot exclude these guarantees. A SaaS agreement attempting to blanket-exclude all warranties is void to the extent it attempts to exclude the ACL guarantees. Startups must instead rely on s 64A, which permits a supplier to limit liability to the resupply of the services or the cost of having the services resupplied.

The Unfair Contract Terms Regime

The Unfair Contract Terms regime under Part 2-3 of the ACL is now strictly enforced. Unfair terms in standard form small business contracts are illegal and attract civil penalties of up to $50 million for corporations. A term is unfair if it causes a significant imbalance in the parties’ rights and is not reasonably necessary to protect legitimate interests. Common clauses at high risk include unilateral variation clauses allowing the vendor to change pricing without notice, and broad termination for convenience rights that benefit only the vendor.

SaaS Agreements and AI Hallucination Liability

For AI startups, the customer contract must address the unique risks of generative algorithms. Generative AI systems are probabilistic and inherently prone to generating false information, known as hallucinations.

An AI-specific Terms of Service must explicitly disclose this probabilistic nature. The contract must contain express disclaimers stating that the AI output does not constitute professional advice, that the customer is solely responsible for verifying accuracy, and that the startup provides no warranty regarding factual correctness. The limitation of liability clause must cap aggregate liability to the fees paid in the preceding 12 months and explicitly exclude liability for consequential losses such as loss of profits or corrupted data, subject always to the ACL restrictions outlined above.

Explore our Commercial Law practice page for assistance with B2B and B2C contracting.

Part 5: Contracts with Suppliers

A startup’s relationship with its suppliers is as legally consequential as its relationship with its customers. A supplier who fails to deliver, raises prices without warning, or enters liquidation can destroy a startup’s operational capacity.

Due Diligence and the PPSR

Before entering a significant supply agreement, conduct an ASIC search to confirm the supplier’s corporate registration and a search of the Personal Property Securities Register via ppsr.gov.au. The PPSR search reveals whether secured creditors hold registered interests over the supplier’s assets, providing insight into their financial stability.

The Personal Property Securities Act 2009 (Cth) is critical for supply arrangements.² If your startup supplies hardware or goods to customers on retention of title terms (where you retain legal ownership until payment is received), you must register a Purchase Money Security Interest (PMSI) on the PPSR. An unregistered retention of title clause is completely ineffective against a liquidator. If your customer goes insolvent, you lose the goods and rank merely as an unsecured creditor.

Supply Agreement Provisions

Supply agreements must clearly define specifications, delivery schedules, and price escalation mechanisms. In bespoke supply arrangements where a supplier creates custom software, designs, or components for the startup, intellectual property ownership is a frequent source of dispute. The supply agreement must contain a clear IP assignment clause vesting ownership of all bespoke deliverables in the startup upon creation, alongside a moral rights waiver. Without this, the supplier retains copyright in the materials they produce.

Part 6: Confidentiality and Non-Disclosure Agreements

Confidential information is frequently a startup’s most valuable asset prior to product launch. Non-Disclosure Agreements (NDAs) are the primary legal tool for protecting business models, algorithms, and financial projections when engaging with investors, potential partners, or contractors.

When an NDA is Appropriate

An NDA is appropriate whenever information with genuine commercial value must be shared. A mutual NDA imposes confidentiality obligations on both parties and is appropriate for joint venture discussions. A one-way NDA imposes obligations only on the receiving party and is appropriate for investor pitches or contractor briefings.

However, many venture capital firms routinely decline to sign NDAs before initial meetings because they cannot practically administer obligations across their vast deal pipelines. Founders must calibrate their disclosures, sharing enough to generate commercial interest while reserving highly sensitive algorithmic details or source code for later stages when formal due diligence and a strict NDA are in place.

The Limits of Protection

The equitable doctrine of breach of confidence protects information that has the necessary quality of confidence and was imparted in circumstances importing an obligation of confidence. An NDA crystallises this obligation contractually. However, an NDA does not protect ideas in the abstract. It protects the specific expression of information. An NDA cannot prevent a party from independently developing a similar product using their own resources without reference to the disclosed material.

The primary remedy for breach is an urgent interlocutory injunction in the Supreme Court of Queensland to restrain further disclosure, followed by a claim for damages or an account of profits. Because litigation is expensive, practical security measures such as restricted access environments and watermarked documents are the most effective first line of defence.

Part 7: Intellectual Property and Artificial Intelligence

Intellectual property law converts technical effort into an exclusive commercial right. Startups that fail to secure their IP allow competitors to legally copy their innovations.

Trade Marks vs Business Names

Registering a business name with ASIC confers no proprietary rights. It merely authorises you to trade under that name. Similarly, registering a domain name provides no intellectual property rights.

Trade mark registration through IP Australia under the Trade Marks Act 1995 (Cth) is the only mechanism that confers a monopoly right to use a distinctive sign in connection with goods or services in Australia.¹⁰ A registered trade mark allows the owner to prevent competitors from using substantially identical or deceptively similar marks. Startups must file trade mark applications for their core brand assets early to secure priority.

Copyright Authorship and AI Generation

Under s 10 of the Copyright Act 1968 (Cth) , a computer program is expressly protected as a literary work.¹¹ However, a fundamental tenet of Australian copyright law is that copyright only subsists in a work if it originates from a human author.

The High Court of Australia in IceTV Pty Ltd v Nine Network Australia Pty Ltd confirmed that originality requires independent intellectual effort by a human.¹² This anthropocentric approach was reinforced by the Full Federal Court in Commissioner of Patents v Thaler, which unanimously held that an artificial intelligence system cannot be an inventor for the purposes of a patent application.¹³

The consequence for tech startups is severe. Code generated entirely by an AI system without sufficient human intellectual direction cannot attract copyright protection in Australia. Startups must ensure developers heavily architect and modify AI outputs to inject the required human authorship, ensuring the final codebase remains a protectable asset.

Contractor IP Assignments and Open Source

Under s 35(6) of the Copyright Act 1968 (Cth), copyright in works created by an employee vests automatically in the employer.¹¹ However, where an independent contractor creates a work, the contractor retains the copyright unless a written assignment exists. Every contract with a freelance developer or external agency must contain an explicit, present-tense IP assignment clause.

Startups must also monitor Open Source Software (OSS) contamination. Copyleft licenses (like the GPL) contain viral clauses. If a startup incorporates GPL-licensed code into its proprietary software, the GPL requires that the entire derivative work must also be released under the open-source license. This can destroy the commercial valuation of a software product during investor due diligence.

Explore our Intellectual Property practice page for further guidance.

Part 8: Data Privacy, Cyber Security, and Web Scraping

Data governance is a source of direct regulatory liability, civil penalty exposure, and director personal liability. Queensland startups must treat privacy and cyber security compliance as foundational product architecture.

The Privacy Act and Small Business Exemption

The Privacy Act 1988 (Cth) governs the collection, use, disclosure, and storage of personal information.¹⁴ The 13 Australian Privacy Principles (APPs) regulate the entire data lifecycle. While s 6C provides a small business exemption for entities with an annual turnover under $3 million, this exemption is lost entirely if the startup trades in personal information, handles health information, or contracts with the Commonwealth Government. Proposed federal reforms intend to remove this exemption completely.

Part IIIC of the Act mandates the Notifiable Data Breaches scheme. If a startup suffers a data breach likely to result in serious harm to any affected individual, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. The maximum civil penalty for a serious or repeated privacy interference is now $50 million for a corporation.

Web Scraping and Training Data

Startups training AI models frequently scrape public web data. If scraped data contains personal information, the collection must comply with the APPs. Furthermore, scraping copyrighted text or images constitutes copyright infringement unless a licence exists. Australia does not have a broad United States-style fair use exception for text and data mining; it relies on narrow fair dealing exceptions which do not cover commercial AI training. Mass scraping also routinely breaches website Terms of Use, triggering contractual liability.

Cyber Security and Directors’ Duties

The Federal Court in Australian Securities and Investments Commission v RI Advice Group Pty Ltd established that failing to implement adequate cyber security risk management constitutes a breach of the statutory obligation to provide services efficiently, honestly, and fairly.¹⁵ By extension, company directors who fail to mitigate cyber security risks face personal liability for breaching their duty of care and diligence under the Corporations Act 2001 (Cth).

Furthermore, startups providing software to healthcare, transport, or energy sectors may fall under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which imposes mandatory cyber incident reporting and strict risk management obligations.¹⁶

Part 9: Restraints of Trade and Non-Competes

Restraint of trade clauses protect a startup’s customer relationships, trade secrets, and proprietary algorithms from competitive exploitation by departing staff. However, they are frequently drafted poorly and rendered unenforceable.

The High Court of Australia in Stenhouse v Coleman established that a restraint will only be enforced if it goes no further than is reasonably necessary to protect the legitimate interests of the party relying on it.¹⁷ A restraint that broadly prohibits a developer from working anywhere in the technology industry will be struck down as an unreasonable restraint of trade.

Cascading Restraints and Garden Leave

Queensland courts will sever an unreasonable restraint from a contract but will not rewrite it. If a single 12-month restraint is deemed unreasonable, it fails entirely. To mitigate this, employment contracts must use cascading restraint clauses, providing multiple alternative periods (e.g., 12 months, 9 months, 6 months) and geographic scopes. The court enforces the maximum combination it finds reasonable.

For highly sensitive technical roles, startups should utilise garden leave. Garden leave allows the employer to direct the employee to remain away from work during their notice period while continuing to pay their salary. Access to source code and systems is immediately revoked. This provides guaranteed protection of proprietary assets without the need to apply for an expensive Supreme Court injunction to enforce a post-employment restraint.

Part 10: Raising Finance and Employee Share Schemes

Scaling a startup requires external capital and equity incentives to attract elite talent. The Corporations Act 2001 (Cth) strictly regulates how securities can be offered.¹

Capital Raising Exemptions

Any offer of securities requires a highly regulated disclosure document (such as a prospectus) unless a statutory exemption applies. Raising money outside these exemptions is a criminal offence. Startups rely on s 708 exemptions:

1. Small scale offering (s 708(1)): Permits raising up to $2 million from a maximum of 20 investors in any rolling 12-month period.
2. Sophisticated investor (s 708(8)): Permits offers to individuals holding a qualified accountant’s certificate confirming net assets of at least $2.5 million or gross income of at least $250,000 for the past two years.

Startups frequently use Simple Agreements for Future Equity (SAFE notes) at the seed stage. A SAFE note provides capital upfront in exchange for the right to receive equity at a future priced round, usually at a discount. While highly efficient, stacking multiple SAFE notes can lead to severe founder dilution during the Series A conversion.

Employee Share Schemes (ESS)

An Employee Share Option Plan (ESOP) allows a startup to offer equity to key employees. Division 1A of Part 7.12 of the Corporations Act 2001 (Cth) provides specific regulatory relief, allowing unlisted startups to issue options without a prospectus.

Under the Division 1A framework, offers made for no monetary consideration (nil-cost options) are broadly exempt from issue caps. Offers requiring monetary payment are generally subject to an issue cap limiting the issue to 20 per cent of the company’s fully paid shares over a rolling three-year period. Startups must provide specific warning statements to participants and carefully document the vesting schedules in formal ESOP plan rules.

Part 11: Dispute Resolution and Debt Recovery

Commercial disputes are inevitable. A startup that understands the dispute resolution framework is positioned to manage conflict efficiently and cost-effectively.

The foundation of dispute resolution is documentation. A dispute occurring against a background of signed contracts and email trails is far easier to resolve than one relying on oral recollections. Every startup must ensure limitation periods under the Limitation of Actions Act 1974 (Qld) are observed.¹⁸ The standard limitation period for a simple contract claim is six years.

Debt Recovery Mechanisms

Where a creditor is owed a liquidated debt of $4,000 or more by a company, they may serve a statutory demand under s 459E of the Corporations Act 2001 (Cth).¹ If the debtor company fails to pay or challenge the demand within a strict 21-day period, it is presumed insolvent. The creditor may then apply to wind up the company. This is a highly effective debt recovery mechanism against solvent but recalcitrant corporate debtors.

For smaller general disputes, the Queensland Civil and Administrative Tribunal (QCAT) handles claims up to $25,000 with limited legal costs. The Magistrates Court handles claims up to $150,000, while the District Court jurisdiction extends to $750,000. Commercial contracts should include alternative dispute resolution clauses requiring mediation or international arbitration before litigation can commence.

Part 12: Regulatory Compliance and International Trade

Regulatory compliance evolves as a startup grows and enters new markets. The Australian Consumer Law prohibits misleading or deceptive conduct in trade or commerce under s 18, applying to website representations, marketing copy, and software capabilities regardless of intent.

Startups must manage ATO obligations, including registering for GST when annual turnover reaches $75,000, and complying with payroll tax thresholds under the Payroll Tax Act 1971 (Qld) when Australian taxable wages exceed $1.3 million.¹⁹ Every employer must hold a workers compensation policy under the Workers’ Compensation and Rehabilitation Act 2003 (Qld) .²⁰

For software startups scaling globally, contracts must contain express governing law and jurisdiction clauses specifying Queensland law. Where physical goods are involved, the United Nations Convention on Contracts for the International Sale of Goods (CISG) applies automatically between signatory countries unless expressly excluded. Startups must also screen international counterparties against autonomous sanctions lists and ensure compliance with anti-bribery prohibitions under the Criminal Code Act 1995 (Cth).

Footnotes