1.  Our Commitment to Privacy

This Privacy Policy explains what personal information we collect, why we collect it, how we use and disclose it, and how you can access, correct, or request deletion of your information.

 

2.  What Personal Information We Collect

The platform collects 'sensitive information' as defined by the Privacy Act — specifically, photo identification documents. This attracts stricter consent requirements under APP 3.3.

2.1  Trainers

We collect the following personal information from Trainers:

• Full name, email address, phone number, state/territory, and city
• Profile photo
• Professional biography and industry sectors
• ABN (if provided)
• Qualifications — including institution name, date issued, and certificate documents
• Photo identification documents (e.g. driver's licence, passport) — these are sensitive documents and are treated with the highest level of care
• Professional development records
• Licences and tickets (where applicable)
• Trainer Matrix entries
• Account activity, login history, and file access logs
• Payment information (processed by Stripe — we do not store card details)

2.2  Education Providers (RTOs)

We collect the following from Education Providers:

• Organisation name, ABN, ASQA RTO code, address, state
• Contact person name, title, email, and phone number
• Staff member details (for multi-user accounts)
• Payment and billing information
• Account activity logs

2.3  PD Service Providers

We collect the following from PD Service Providers:

• Organisation name, ABN, website, description
• Contact person name, email, and phone
• Event listings and industry links
• Payment and billing information

2.4  Automatically collected information

We automatically collect certain technical information when you use the Platform, including IP addresses, browser type, device information, pages visited, and session duration. This information is used for security, fraud prevention, and platform improvement purposes.

3.  How We Collect Personal Information

We collect personal information:

• Directly from you when you register, complete your profile, or upload documents
• From your use of the Platform (automatic collection)
• From the training.gov.au API (qualification and unit of competency data, not personal data)
• From AI analysis tools, where you choose to use the AI-assisted Trainer Matrix builder. You control which documents are provided to the AI tool.

We collect sensitive information (photo ID) only with your explicit consent at the time of upload, and only for the purpose of maintaining your Trainer File for compliance purposes.

4.  Why We Collect and Use Personal Information

We use your personal information to:

• Create and manage your account
• Provide the Platform's core services — trainer file management, compliance tracking, and RTO connectivity
• Process payments and issue invoices
• Send transactional notifications (reminders, expiry alerts, file access notifications)
• Send broadcast communications where you have opted in
• Respond to support requests
• Maintain audit logs and security records
• Improve the Platform and diagnose technical issues
• Comply with legal obligations

We do not use your personal information for any purpose unrelated to operating the Platform without your consent.

5.  Disclosure of Personal Information

5.1  To Education Providers

If you are a Trainer and you connect with an Education Provider, that provider will have access to your Trainer File, including your personal contact details, qualifications, and uploaded documents. You control which Education Providers you connect with. You can disconnect at any time.

Education Providers access your file only for the purpose of compliance review and workforce management. They are bound by these Terms and by law not to use your information for other purposes.

5.2  Shareable audit links

If an Education Provider generates a shareable audit link to your file (for ASQA audit purposes), your file will be accessible to anyone who has that link during the link's active period. You will be notified when a shareable link is created and when it is accessed.

5.3  Service providers

We share personal information with third-party service providers who assist us in operating the Platform, including:

• Stripe: Payment processing (subject to Stripe's Privacy Policy)
• Amazon Web Services (AWS S3): Secure document storage
• [EMAIL SERVICE PROVIDER]: Email delivery
• [AI SERVICE PROVIDER — e.g. Anthropic]: AI-assisted Trainer Matrix generation (only where you choose to use this feature)

These providers are required to handle your information only as directed by us and in accordance with our instructions.

5.4  Legal requirements

We may disclose your personal information to government authorities, regulators (including ASQA), or law enforcement where required by law, court order, or to protect the rights, property, or safety of any person.

5.5  No sale of data

We do not sell, rent, or trade your personal information to any third party for marketing or commercial purposes.

6.  Storage and Security of Personal Information

6.1  Where your information is stored

 

6.2  Security measures

We implement the following security measures to protect your personal information:

• All documents stored with AWS S3 server-side encryption
• Documents accessible only via time-limited signed URLs — no direct public access
• All Platform connections use TLS/HTTPS encryption in transit
• Passwords stored using bcrypt hashing — we cannot retrieve your password
• Two-factor authentication mandatory for admin and Education Provider accounts
• Access to Trainer Files is logged and visible to the Trainer
• Regular automated backups to a separate geographic region

6.3  Data breach response

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme within 30 days of becoming aware of the breach.

7.  Retention of Personal Information

We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by law:

• Trainer accounts: data retained while account is active. On deletion request, a 30-day grace period applies, after which personal data and documents are permanently deleted.
• RTO audit snapshots: retained until the expiry of the connected Education Provider's paid subscription period, then deleted.
• Financial records (invoices, payment history): retained for 7 years in accordance with the Corporations Act 2001 (Cth).
• Audit log entries: retained for 7 years for compliance purposes.
• Automatically collected technical data: retained for up to 12 months.

8.  Your Privacy Rights

Under the Australian Privacy Principles, you have the following rights:

8.1  Access

 

8.2  Correction

If you believe information we hold about you is inaccurate, incomplete, or out of date, you may update it directly through your account settings or contact us to request a correction.

8.3  Deletion (right to erasure)

You may request deletion of your account and personal information at any time through your account settings. See clause 10 of the Terms and Conditions for details of the deletion process and data retained for legal purposes.

8.4  Complaints

 

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

9.  Cookies and Tracking

We use session cookies to maintain your login state. We do not use advertising cookies or third-party tracking cookies. You can configure your browser to refuse cookies, but this may affect your ability to use the Platform.

10.  Children's Privacy

The Platform is not directed at or intended for use by persons under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child, we will delete it promptly.

11.  Overseas Disclosure

Some of our third-party service providers (including Stripe and AWS) may store or process your information outside Australia. By using the Platform, you consent to your information being transferred to and processed in overseas jurisdictions, including the United States. We take reasonable steps to ensure these providers protect your information consistent with the APPs.

12.  Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. We will notify you of material changes by email or in-platform notification at least 14 days before the change takes effect. The current version of this Policy is always available on our website.

13.  Contact Us

For any privacy-related queries, access requests, or complaints, please contact:

Privacy Officer: Gaven Ferguson

Email: gaven@rplassess.com.au

Postal Po Box 441 Officer, Victoria 3809