Privacy Policy

1. Introduction

This Privacy Policy sets out how RedBird Group Pty Ltd, ABN 24 686 659 683 (referred to in this Privacy Policy as RedBird, we, us or our) collects, holds, uses and discloses personal information in connection with the Workforce Stability workforce planning platform (Platform).

We take our privacy obligations seriously and are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs) and any other applicable privacy legislation.

The Platform is a business-to-business (B2B) software-as-a-service tool. We process personal information on behalf of our client organisations (each a Client) in connection with workforce planning, rostering and related operational functions. Each Client is responsible for its own compliance with applicable privacy laws in respect of the personal information it collects and provides to us through the Platform.

This Privacy Policy is primarily directed to our Clients and their authorised users (being individuals designated by a Client to access and use the Platform on the Client's behalf). Where we hold personal information about employees or workers of a Client (Employee Data Subjects), those individuals should direct any questions or requests regarding their personal information to the relevant Client in the first instance, as the Client is responsible for managing the data it provides to us.

By creating an account, accessing or using the Platform, or providing personal information to us, you consent to our collection, use and disclosure of personal information in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time by posting an updated version on the Platform. We encourage you to check the Platform regularly to ensure that you are aware of our most current Privacy Policy. Where we make material changes, we will notify affected Clients by email or through the Platform.

If you have any questions or concerns about this Privacy Policy or our handling of personal information, you can contact us at info@redbirdgroup.com.au.

2. Types of Personal Information We Collect

We only collect personal information that is reasonably necessary for the provision and operation of the Platform and our related functions and activities. The personal information we collect or process on behalf of our Clients may include the categories described in this section.

We may collect the following employee and workforce information: (a) first name and last name; (b) date of birth; (c) contact details (email address and phone number); (d) job role, qualifications and competencies; (e) availability and roster information (including rotation patterns, swing schedules and leave); (f) employment history relevant to workforce planning; and (g) system usage data (including login activity and actions taken within the Platform).

We may process limited sensitive information where provided by a Client for operational or compliance-related purposes, such as fitness for work declarations or similar workforce-related inputs. This information is not independently generated or assessed by us and is processed solely to support Platform functionality on behalf of the relevant Client.

By providing sensitive information to us through the Platform, the Client warrants that it has obtained all consents required under the Privacy Act (including under APP 3.3) for the collection and disclosure of that information to us, and that the relevant individuals have been informed of the purposes for which their sensitive information will be used.

We may collect the following client account information: (a) Client organisation name and contact details; (b) authorised user names and email addresses; (c) billing and payment information (collected and stored by our payment processor — never stored by us directly); and (d) subscription and account status.

We may collect the following device and technical data: (a) IP addresses; (b) browser type and version; (c) device and operating system information; (d) pages visited and features used; and (e) request timing and performance data.

We may collect the following cookies and tracking data: (a) essential cookies required for authentication, session management and security within the Platform; and (b) analytics data collected through tools such as Google Analytics or similar services for performance monitoring and product improvement.

We do not knowingly collect personal information from individuals under the age of 18.

3. How We Collect Personal Information

We collect personal information in the following ways.

Information is primarily collected through Client organisations who input employee and workforce data into the Platform for the purposes of workforce planning, rostering and related operational functions.

We may collect personal information through user interaction with the Platform, including: (a) account creation and profile management; (b) roster management, updates and availability entries; and (c) other actions taken within the Platform.

We may collect information through integrations with third-party systems where configured by the Client (for example, payroll or HR systems).

We may collect personal information automatically through use of the Platform, including: (a) server-side request logging (IP address, browser information, pages visited); (b) analytics and tracking tools (such as Google Analytics or similar services); and (c) error monitoring and performance data.

4. Use of Personal Information

We collect and use personal information for the purposes described in this section.

In connection with the provision and operation of the Platform, we use personal information for: (a) workforce planning, rostering and rotation management; (b) fatigue and compliance rule checking; (c) workforce coverage and deficit identification; (d) generating recommended options to resolve workforce gaps; and (e) enabling integrations with third-party systems where configured by the Client.

We also use personal information to manage Client and user accounts, including: (a) user authentication and account security; (b) subscription and billing management; and (c) platform-related notifications and transactional communications.

To support analytics and product improvement, we may use personal information (on an anonymised or aggregated basis where possible) for: (a) tracking feature usage and platform performance; and (b) monitoring system reliability and identifying areas for improvement.

Personal information may also be used for security and compliance purposes, including: (a) error tracking and debugging; (b) request logging for security monitoring and abuse prevention; and (c) complying with applicable legal and regulatory obligations.

We do not use personal information for direct marketing to employees of our Clients. Any communication to employees is limited to platform-related notifications and functionality.

We may from time to time send marketing or promotional communications to Client contacts (such as account administrators) in connection with the Platform and our services. If we do so, we will provide clear opt-out mechanisms in accordance with the Spam Act 2003 (Cth).

5. Disclosure to Third Parties

We may disclose personal information to the following categories of third-party service providers in connection with the operation of the Platform:

Cloud hosting provider (e.g. AWS or similar) — Data shared: all platform data (employee, workforce, technical). Purpose: infrastructure, hosting, database and related services. Location: Australia (where possible).

Xero — Data shared: billing and invoicing data. Purpose: accounting and financial management. Location: United States (AWS).

Payment processor (e.g. Stripe or similar) — Data shared: payment card details, billing address. Purpose: payment processing and subscription management. Location: United States.

Analytics providers (e.g. Google Analytics or similar) — Data shared: usage data, IP address, device information. Purpose: platform analytics and performance monitoring. Location: United States.

We may also disclose personal information to third-party systems with which the Platform integrates (for example, payroll or HR systems), where such integrations have been configured by the relevant Client.

We take reasonable steps to ensure that any third-party service provider or subcontractor deals with personal information in a manner consistent with the APPs and this Privacy Policy. Where we use third-party infrastructure providers (including cloud hosting and related services) as subcontractors in connection with the operation of the Platform, we remain responsible for the handling of personal information by those subcontractors.

We do not sell, rent or trade personal information to any third party for marketing or advertising purposes.

We may disclose personal information where required by law, regulation, court order or governmental authority.

6. Overseas Disclosure

Some of the third-party service providers identified in section 5 store or process personal information outside of Australia, including in the United States. The countries in which personal information is processed may change from time to time as we update our service providers.

Where personal information is transferred overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.

Where we are unable to ensure compliance, we will only disclose personal information with informed consent or where otherwise permitted under the Privacy Act.

7. Cookies and Tracking Technologies

We use essential cookies that are strictly necessary for the operation of the Platform, including authentication tokens and session management cookies.

We may also use analytics and tracking tools (such as Google Analytics or similar services) to support platform functionality, performance monitoring and product improvement. These tools may collect data such as IP addresses, browser information and usage patterns.

If you do not wish information to be stored as a cookie, you can disable cookies in your web browser settings. However, disabling essential cookies may prevent you from using the Platform.

8. Data Ownership and Processing

All data entered into the Platform by or on behalf of a Client (Client Data) remains the property of the relevant Client at all times.

We process Client Data solely for the purpose of providing the Platform and performing our obligations. We do not use Client Data for any purpose other than as set out in this Privacy Policy and any applicable agreement with the Client.

Each Client is responsible for ensuring that it has obtained all necessary consents and authorisations to provide personal information to us through the Platform, and that its use of the Platform complies with applicable privacy laws.

In particular, each Client is responsible for ensuring that Employee Data Subjects are notified, in accordance with APP 5, of the matters required by that principle in relation to our collection and handling of their personal information. This may include making this Privacy Policy available to Employee Data Subjects or including equivalent disclosures in the Client's own privacy notices.

We may use anonymised, aggregated data derived from use of the Platform for analytics, product improvement and research purposes, provided that such data will not identify any individual or Client.

9. Data Retention

We retain personal information for as long as a Client's account is active and as needed to provide the Platform.

On termination or expiry of a Client's subscription, we will retain Client Data for a period of 30 days to allow for data export. After that period, all Client Data associated with the account will be deleted.

Some data may be retained in backup systems for a limited period following account deletion, consistent with our standard backup and disaster recovery practices. Such data will be securely deleted in the ordinary course of our backup rotation.

Notwithstanding the above, we may retain personal information to the extent required by applicable law or regulation, or where reasonably necessary to establish, exercise or defend legal claims. Any personal information retained for these purposes will be held securely and will not be used for any other purpose.

10. Security

We take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Our security measures include: (a) password-protected information technology systems; (b) encryption of all data in transit using Transport Layer Security (TLS); (c) multi-tenant architecture with logical data isolation between Clients; (d) access controls limiting access to personal information to authorised personnel; and (e) server infrastructure hosted with reputable cloud service providers.

While we take reasonable steps to protect personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of personal information.

In the event of a data breach that is likely to result in serious harm to any individual, we will comply with our notification obligations under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act and will promptly notify the affected Client.

11. Links

The Platform may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites and we recommend that you review the privacy policies of those websites before providing any personal information.

12. Accessing and Correcting Personal Information

Individuals whose personal information we hold may request access to that information. In most cases, requests for access to employee data held within the Platform should be directed to the relevant Client organisation, as the Client is responsible for the accuracy and management of that data.

If you wish to request access to personal information directly from us, or if you believe any personal information we hold is inaccurate, incomplete or out of date, please contact us at info@redbirdgroup.com.au.

We may need to verify your identity before providing access. In some cases, we may be unable to provide access to all personal information, and where this occurs, we will explain why.

We will deal with all requests for access to or correction of personal information within a reasonable timeframe.

If an Employee Data Subject requests deletion of their personal information, that request should be directed to the relevant Client. We will action deletion requests received from a Client in respect of its employee data in accordance with our obligations under any applicable agreement with the Client. We are not in a position to independently verify or action deletion requests received directly from Employee Data Subjects without the Client's instruction, as the Client is responsible for managing that data.

We rely on Clients to ensure that the personal information provided to us through the Platform is accurate, up to date and complete. We do not independently verify the accuracy of personal information provided by Clients. If you believe that personal information held within the Platform is inaccurate, please contact the relevant Client to request a correction.

13. Complaints

If you wish to make a complaint about how we handle personal information or believe that we have breached the APPs, please contact us at info@redbirdgroup.com.au. Please include your name, contact details and a description of your complaint.

We will investigate your complaint promptly and respond to you within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): Website: www.oaic.gov.au; Phone: 1300 363 992; Email: enquiries@oaic.gov.au.

14. Contact Us

For further information about this Privacy Policy or our practices, or to access or correct personal information, or to make a complaint, please contact us at info@redbirdgroup.com.au.