Last updated on September 1, 2025
1. Introduction
Smartplace Pty Ltd (ACN 639 781 678), trading as Smartta AI ("Smartta AI," "we," "us," "our"), operates a multi-tenant, web-based SaaS platform and REST APIs (the "Smartta AI Platform") that aggregates workforce data and provides a compliance overlay for employers, payroll providers, and workforce management professionals.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). Where we process personal data of individuals located in the European Union, United Kingdom, or California, the additional provisions in Sections 14, 15, and 16 also apply.
By accessing or using the Smartta AI Platform, our websites, or our services (collectively, the "Services"), you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
Data Controller / APP Entity: Smartplace Pty Ltd, trading as Smartta AI
Registered Address: C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia
Data Protection Officer: dpo@smartplace.ai
Privacy Enquiries: privacy@smartplace.ai
3. Information We Collect
(a) Account and Identity Information
When you or your employer registers for an account, we collect:
- Full name, email address, phone number
- Job title, employer name, department
- Login credentials (passwords are hashed and salted; we never store plaintext passwords)
- Multi-factor authentication tokens
(b) Workforce and Employment Data
When your employer uses the Smartta AI Platform to manage workforce operations, we process (on behalf of your employer as data processor):
- Employment details: employment type, start date, award classification, pay rates
- Time and attendance records: clock-in/out times, timesheet entries, leave balances
- Payroll data: gross/net pay calculations, tax withholding, superannuation
- Credential and compliance records: licence numbers, expiry dates, training certificates
(c) Product-Specific Data
Depending on the features and domain packs activated by your employer, additional data categories may be processed. These are disclosed in the applicable Data Usage Framework and Product-Specific Terms. Examples include:
- Biometric data (e.g., facial recognition templates for time clocking)
- Geolocation data (e.g., GPS coordinates for field worker clock-in)
- Health-adjacent data (e.g., care minutes staffing ratios in aged care)
Where sensitive information (as defined in APP 3) is collected, we obtain explicit consent or rely on a permitted general situation under the Privacy Act.
(d) Technical and Usage Data
When you use our Services, we automatically collect:
- IP address, browser type, operating system, device identifiers
- Pages visited, features used, session duration, click patterns
- Error logs and performance data
- Cookies and similar technologies (see our Cookie Policy)
(e) Marketing and Prospect Data
When you interact with our marketing communications, visit our website, or are contacted by our sales team, we may collect:
- Business contact details from publicly available business registers
- Email engagement data (opens, clicks) from marketing campaigns
- Call recordings and transcripts from outbound sales calls (with disclosure at the start of each call)
(f) Information from Third Parties
We may receive personal information from:
- Your employer (as our customer), who provides employee data for platform use
- Identity providers (e.g., Auth0) during single sign-on authentication
- Business partners and resellers who refer you to our Services
- Publicly available sources such as business registers and professional networks
4. Lawful Basis and Purpose of Processing
We process personal information on the following legal grounds:
- Performance of a contract (APP 6.2(b)): To provide the Services under our Master Platform Agreement and related agreements
- Consent (APP 6.2(a)): For marketing communications, analytics opt-in, and sensitive information collection
- Legitimate interest: For platform security, fraud prevention, service improvement, and business operations (where not overridden by your rights)
- Legal obligation: To comply with the Fair Work Act 2009 record-keeping requirements, tax obligations, and regulatory reporting
5. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Smartta AI Platform
- Process workforce compliance calculations (award interpretation, pay rules, leave accruals)
- Generate compliance evidence and audit trails for regulatory purposes
- Process transactions and send transactional communications (invoices, receipts, alerts)
- Authenticate users and enforce access controls
- Provide customer support and respond to enquiries
- Send marketing and promotional communications (where you have consented or where permitted by law)
- Detect, prevent, and address fraud, security issues, and technical problems
- Comply with legal obligations and enforce our agreements
6. Automated Decision-Making
The Smartta AI Platform uses automated processing in the following areas:
- Award interpretation engine: Automatically calculates pay rates, overtime, penalties, and allowances based on applicable Modern Awards, Enterprise Agreements, and employment contracts. Outputs are presented to authorised users for review.
- Compliance validation: Automatically flags potential underpayment, roster non-compliance, and credential expiry. These flags are advisory and require human action.
- Tag-based classification: Automatically categorises workforce records (e.g., employment type, award coverage) based on configured rules.
No automated decision produces legal effects or similarly significant effects on individuals without human review. You may contact us to request an explanation of any automated processing that affects you.
7. How We Share Your Information
We may disclose personal information to:
- Sub-processors: Third-party service providers who assist in operating our Services (see our Sub-processor List for the current list). All sub-processors are bound by Data Processing Agreements with equivalent data protection obligations.
- Your employer: As our customer, your employer has access to workforce data processed through the platform in accordance with their subscription.
- Integration partners: Where your employer has enabled connectors (e.g., payroll software, accounting systems), data is shared as configured by your employer. See our Third-Party Services Catalog.
- Professional advisors: Lawyers, auditors, and accountants where necessary for our business operations.
- Regulatory authorities: Where required by law, court order, or regulatory request (e.g., Fair Work Ombudsman, Australian Taxation Office, OAIC).
- Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
We do not sell personal information for monetary or other valuable consideration.
8. Cross-Border Data Transfers
The Smartta AI Platform is primarily hosted in Australia (AWS Sydney, ap-southeast-2). However, some of our sub-processors are located overseas. Before disclosing personal information to an overseas recipient (APP 8), we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar privacy regime.
Countries where personal information may be processed include:
- Australia — Primary data hosting (AWS Sydney), Atlassian
- United States — Auth0 (authentication), Cloudflare (CDN/security), SendGrid and Twilio (communications), Stripe (payments), GitHub (development), Docker Hub (deployment)
- New Zealand — Xero (accounting integration)
For transfers to countries without adequate data protection laws, we rely on:
- EU Standard Contractual Clauses (SCCs) for GDPR-covered data
- Data Processing Agreements with equivalent protections
- Technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256)
For a complete list of sub-processors and their locations, see our Sub-processor List.
9. Data Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256, AWS-managed)
- Role-based access controls and tenant-level data isolation
- Audit logging of administrative and data-access events
- Automated dependency scanning (GitHub Dependabot)
- Daily automated backups stored in AWS S3
- Incident response procedures with defined escalation paths
Smartta AI maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022. Stage 1 certification has been approved, with Stage 2 audit in progress. For a current summary of our security measures, see our Security & Compliance Overview.
10. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:
- Account data: Duration of the subscription plus 90 days (to allow for reactivation), then deleted or anonymised
- Workforce records: As directed by your employer's retention policy, subject to minimum retention periods under the Fair Work Act 2009 (7 years for employee records)
- Compliance evidence and audit trails: 7 years (to meet regulatory record-keeping obligations)
- Technical logs: 90 days for operational logs; 12 months for security logs
- Marketing data: Until you unsubscribe or withdraw consent, then deleted within 30 days
- Backup copies: Retained per our backup schedule and purged according to retention policy
When personal information is no longer required, we securely delete or anonymise it in accordance with our data disposal procedures.
11. Your Privacy Rights
(a) Rights Under the Australian Privacy Principles
Under the Privacy Act 1988 (Cth), you have the right to:
- Access (APP 12): Request access to the personal information we hold about you
- Correction (APP 13): Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information
- Complaint: Lodge a complaint if you believe we have breached the APPs (see Section 17)
(b) Additional Rights (EU/UK/California)
Depending on your location, you may have additional rights including erasure, restriction of processing, data portability, and the right to object. See Sections 14-16 for jurisdiction-specific details.
To exercise any of these rights, visit our Your Privacy Choices page or email privacy@smartplace.ai. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.
12. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the platform, remember your preferences, and understand usage patterns. You can manage your cookie preferences at any time.
For full details on the cookies we use and how to control them, see our Cookie Policy.
13. Children's Privacy
The Smartta AI Platform is a business-to-business service designed for use by employers and workforce professionals. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@smartplace.ai.
14. Additional Information for EU/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, the following additional provisions apply:
- Legal basis: We process your data under Article 6(1) of the GDPR on the bases of contract performance, consent, legitimate interest, or legal obligation as described in Section 4.
- Data transfers: Transfers outside the EEA/UK are protected by EU Standard Contractual Clauses (SCCs) as incorporated in our Data Processing Agreement.
- Additional rights: You have the right to erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and the right to object to processing (Article 21).
- Automated decisions: You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you (Article 22). Our automated processing is advisory only and does not produce such effects without human review.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
15. Additional Information for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with additional rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: Smartta AI does not sell personal information for monetary consideration. Our use of certain analytics cookies may constitute "sharing" under the CPRA; you can opt out via our cookie consent manager.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
16. Additional Information for New Zealand Residents
If you are located in New Zealand, we comply with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs). You have rights of access and correction under IPPs 6 and 7. Complaints may be directed to the Office of the Privacy Commissioner (New Zealand).
17. Complaints and the OAIC
If you believe we have breached the APPs or mishandled your personal information:
- Contact us first: Email privacy@smartplace.ai with details of your complaint. We will acknowledge receipt within 5 business days and aim to resolve the matter within 30 days.
- Escalate to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:
  - Online: www.oaic.gov.au/privacy/privacy-complaints
  - Phone: 1300 363 992
  - Post: GPO Box 5218, Sydney NSW 2001
18. Notifiable Data Breaches
In the event of an eligible data breach that is likely to result in serious harm, we will notify the OAIC and affected individuals as required by Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme). Our incident response plan includes assessment, containment, and notification procedures designed to meet the statutory timeframes.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page with a revised "Last Updated" date
- Sending an email notification for material changes that affect your rights
- Displaying a notice within the Smartta AI Platform
We encourage you to review this Privacy Policy periodically.
20. Related Documents
- Cookie Policy — Details on cookies and tracking technologies
- Your Privacy Choices — Exercise your data subject rights
- Data Processing Agreement — Controller/processor obligations for enterprise customers
- Sub-processor List — Current third-party processors and their locations
- Third-Party Services Catalog — Integration partners and data flows
- Annexure B - Data Usage Framework — Data usage tiers and opt-out controls
- Security & Compliance Overview — Security measures and certifications
21. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
- Privacy enquiries: privacy@smartplace.ai
- Data Protection Officer: dpo@smartplace.ai
- Security concerns: security@smartplace.ai
- Post: Smartplace Pty Ltd, trading as Smartta AI, C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia