Privacy Policy

1. Definitions and Interpretation

In this Privacy Policy:

• "Personal Information" has the meaning given in the Privacy Act 1988 (Cth) and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in material form or not.
• "Sensitive Information" means personal information about an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, health information, genetic information, biometric information, sexual orientation, or criminal record.
• "Platform" means the TradeitUp web application, mobile applications, APIs, and all related services.
• "User" means any individual who accesses or uses the Platform, including Apprentices, Employers, TAFE Staff, and Administrators.
• "Educational Records" means any personal information relating to an individual's vocational education, training, assessment, course progress, attendance, or qualifications.
• "NCVER" means the National Centre for Vocational Education Research Ltd.
• "USI" means the Unique Student Identifier as defined under the Student Identifiers Act 2014 (Cth).

2. Scope and Application

2.1 Who This Policy Applies To

This Privacy Policy applies to:

• Apprentices enrolled in Australian vocational education programs
• Employers who engage apprentices and use the Platform
• TAFE and Registered Training Organisation (RTO) staff
• Platform administrators
• Visitors to our website who do not create an account
• Any other individual whose personal information we collect or process

2.2 Regulatory Framework

We comply with:

• Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs)
• Privacy and Other Legislation Amendment Act 2024 (Cth)
• National Vocational Education and Training Regulator Act 2011 (Cth)
• Student Identifiers Act 2014 (Cth) regarding Unique Student Identifiers
• State and Territory privacy legislation where applicable
• General Data Protection Regulation (GDPR) for users located in the European Economic Area

2.3 APP Entity Status

TradeitUp is an "APP entity" for the purposes of the Privacy Act 1988 (Cth) and is bound by the Australian Privacy Principles. We are registered with the Office of the Australian Information Commissioner (OAIC).

3. Information We Collect

3.1 Personal Information

We collect the following categories of personal information:

3.2 Sensitive Information

In accordance with APP 3.3, we only collect sensitive information where:

• You have provided express consent; or
• Collection is required or authorised by Australian law; or
• Collection is necessary for the establishment, exercise, or defence of a legal claim

We may collect the following sensitive information where relevant to your apprenticeship:

• Ethnicity and cultural background: As required by NCVER for statistical reporting under the National VET Data Collection
• Disability status: To provide appropriate accommodations and support services
• Health information: Where relevant to workplace safety or training requirements

3.3 Information We Do Not Collect

We do not collect:

• Tax File Numbers (TFN)
• Full credit card or bank account numbers (these are processed by our payment providers)
• Political opinions or religious beliefs (unless voluntarily provided)
• Criminal record information (unless required by law or regulation)
• Biometric data for identification purposes

4. How We Collect Information

In accordance with APP 3.5, we collect personal information by lawful and fair means. We collect information:

4.1 Directly From You

• When you register for an account
• When you complete your profile information
• When you submit forms or enquiries
• When you send messages through the Platform
• When you contact our support team
• When you participate in surveys or provide feedback

4.2 From Third Parties

• TAFE Institutions and RTOs: Course enrolment data, progress records, attendance, qualifications
• Learning Management Systems (LMS): Canvas, Moodle, and other integrated systems for academic data
• Employers: Training contract information, workplace details
• State Training Authorities: Apprenticeship registration and compliance data
• NCVER: National VET data as required by law
• Australian Apprenticeship Centres: Registration and support service information

4.3 Automatically

• Through cookies and similar technologies when you use the Platform
• Server logs recording access to the Platform
• Analytics tools measuring Platform usage and performance

5. Purpose of Collection

In accordance with APP 6, we only use or disclose personal information for the primary purpose for which it was collected, or for secondary purposes where:

• You have consented to the secondary use; or
• You would reasonably expect such use or disclosure; or
• It is required or authorised by Australian law or a court/tribunal order

5.1 Primary Purposes

• Providing the Platform and its features to you
• Managing your account and authentication
• Tracking and displaying apprenticeship progress
• Facilitating communication between apprentices, employers, and TAFEs
• Managing class schedules and attendance records
• Identifying at-risk students for intervention and support
• Processing payments and managing subscriptions
• Providing customer support and responding to inquiries

5.2 Secondary Purposes

• Complying with legal and regulatory obligations
• Reporting to NCVER as required under the National VET Data Collection
• Improving the Platform through analytics and user research
• Sending service-related notifications
• Detecting and preventing fraud, security threats, and abuse
• Enforcing our Terms of Service
• Aggregating and de-identifying data for research and statistical purposes

5.3 Purposes We Will Not Use Your Information For

• Selling your personal information to third parties
• Direct marketing without your consent (APP 7)
• Profiling for purposes unrelated to your apprenticeship
• Any purpose incompatible with the primary purpose of collection

6. Legal Basis for Processing

Under Australian law and the GDPR (where applicable), we process personal information based on the following legal bases:

7. Disclosure of Information

In accordance with APP 6, we may disclose your personal information to the following categories of recipients:

7.1 Within the Apprenticeship Ecosystem

• Your TAFE or RTO: Educational records, attendance, progress
• Your Employer: Training progress, class schedules, attendance (as authorised by your training contract)
• Australian Apprenticeship Support Network providers: Support service coordination

7.2 Government and Regulatory Bodies

• NCVER: As required under the National VET Data Collection
• State/Territory Training Authorities: Compliance and registration purposes
• Australian Skills Quality Authority (ASQA): Regulatory compliance
• Services Australia (Centrelink): Where authorised for income support purposes
• Department of Home Affairs: For visa holders as required by law

7.3 Service Providers

We engage trusted third-party service providers who process personal information on our behalf, under strict contractual obligations:

• Cloud hosting and infrastructure providers
• Payment processors
• Email and communication service providers
• Analytics and monitoring services
• Customer support platforms

7.4 Other Disclosures

We may also disclose personal information:

• Where required or authorised by Australian law, regulation, or court order
• To enforce our Terms of Service or protect our legal rights
• In connection with a merger, acquisition, or sale of assets (subject to confidentiality obligations)
• With your explicit consent

8. Cross-Border Disclosure

In accordance with APP 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles.

8.1 Overseas Recipients

Some of our service providers are located in or operate from the following countries:

• United States: Cloud infrastructure, email services, analytics
• European Union: Data processing services
• Other countries: As required for specific service providers

8.2 Safeguards

We ensure appropriate safeguards are in place, including:

• Contractual obligations requiring compliance with Australian privacy standards
• For EU transfers: Standard Contractual Clauses approved by the European Commission
• Data processing agreements with all service providers
• Regular security and compliance assessments of overseas recipients

8.3 Primary Data Storage

Your personal information is primarily stored on servers located in Australia. Where we use overseas service providers, we ensure they provide adequate protection in accordance with APP 8.

9. Data Security

In accordance with APP 11, we take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

9.1 Technical Measures

• 256-bit AES encryption for data at rest
• TLS 1.2/1.3 encryption for data in transit
• Multi-factor authentication (MFA) available for all accounts
• Regular security penetration testing and vulnerability assessments
• Web Application Firewall (WAF) protection
• DDoS mitigation
• Automated security monitoring and alerting

9.2 Organisational Measures

• Role-based access controls limiting data access to authorised personnel
• Staff training on privacy and security obligations
• Background checks for staff with access to personal information
• Incident response and data breach notification procedures
• Regular security audits and compliance reviews

9.3 Data Breach Response

In accordance with Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme), if we experience a data breach that is likely to result in serious harm to any individuals, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Notify affected individuals as soon as practicable
• Take steps to contain the breach and minimise harm

10. Data Retention

In accordance with APP 11.2, we only retain personal information for as long as necessary for the purposes for which it was collected, or as required by law.

10.1 Retention Periods

10.2 How to Delete Your Data

You can delete your account and all associated personal data at any time directly within the Platform:

1. Log in to your account
2. Go to your Profile page (click your name in the top right)
3. Scroll down to the "Delete Account" section
4. Click "Delete Account"
5. Type "delete" to confirm
6. Click "Delete Account" to complete the process

When you delete your account, all your personal data is permanently removed from our servers, including your profile information, training progress, competency records, job hours logs, and evidence documents. This action cannot be undone.

10.3 Deletion and Anonymisation

When personal information is no longer needed, we will take reasonable steps to destroy it or ensure it is de-identified. Where deletion is not possible due to legal requirements, we will ensure the information is stored securely with restricted access.

11. Your Rights

11.1 Rights Under Australian Law

Under the Privacy Act 1988 and the APPs, you have the following rights:

• Access (APP 12): You may request access to the personal information we hold about you. We will respond within 30 days.
• Correction (APP 13): You may request correction of any inaccurate, incomplete, out-of-date, irrelevant, or misleading personal information.
• Anonymity (APP 2): Where lawful and practicable, you have the option to deal with us anonymously or using a pseudonym.
• Complaint (APP 1.4): You may lodge a complaint about our handling of your personal information.

11.2 Additional Rights Under GDPR (EU Users)

If you are located in the European Economic Area, you also have the following rights:

• Erasure ("Right to be Forgotten"): Request deletion of your personal information, subject to legal retention requirements.
• Data Portability: Receive your personal information in a structured, machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.
• Object: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
• Automated Decision-Making: Not be subject to decisions based solely on automated processing that significantly affect you.

11.3 How to Exercise Your Rights

To exercise any of these rights, you may:

• Use the account settings in the Platform
• Submit a request through our Contact page
• Email us at privacy@tradeitup.app

12. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on the Platform.

12.1 Types of Cookies

12.2 Your Cookie Choices

You can manage your cookie preferences through:

• Our cookie consent banner when you first visit the Platform
• Your browser settings to block or delete cookies
• The "Cookie Settings" link in the footer

Note that disabling certain cookies may affect Platform functionality. Strictly necessary cookies cannot be disabled as they are required for the Platform to function.

13. Children's Privacy

TradeitUp may be used by apprentices who are under 18 years of age. We recognise the importance of protecting children's privacy.

13.1 Collection From Minors

• Apprentices under 15: Account creation requires parental or guardian consent
• Apprentices 15-17: May create accounts with awareness that their parent/guardian may request access
• We collect only information necessary for the apprenticeship management purposes

13.2 Parental Rights

Parents or guardians of apprentices under 18 may request access to their child's personal information, request correction of inaccurate information, or request deletion of their child's account (subject to training contract and legal requirements).

14. Third-Party Services

The Platform integrates with third-party services. Each has its own privacy policy:

• Learning Management Systems (Canvas, Moodle): Governed by your TAFE's privacy policy
• Payment Processors: Payment information is processed directly by our payment providers and not stored on our servers
• Analytics Services: We use privacy-focused analytics that do not track individuals across sites

We recommend reviewing the privacy policies of any third-party services you interact with through the Platform.

15. Automated Decision-Making

In accordance with the Privacy and Other Legislation Amendment Act 2024, we disclose the following uses of automated decision-making:

15.1 At-Risk Identification

We use automated systems to identify apprentices who may be at risk of not completing their training. This analysis considers:

• Attendance patterns
• Course progress and completion rates
• Engagement with the Platform

Important: These automated assessments are used only to flag potential issues for human review. No adverse decisions are made solely on the basis of automated processing.

15.2 Your Rights

You have the right to request human review of any automated assessment, obtain an explanation of how the assessment was made, and contest any decision influenced by automated processing.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

• We will notify you of material changes via email or through the Platform
• The "Last Updated" date will be revised
• Continued use of the Platform after changes constitutes acceptance of the updated policy
• Previous versions are available upon request

17. Complaints

If you believe we have breached the Australian Privacy Principles or your privacy rights, you may lodge a complaint.

17.1 Internal Complaint Process

1. Submit your complaint in writing to privacy@tradeitup.app
2. We will acknowledge receipt within 5 business days
3. We will investigate and respond within 30 days
4. If you are not satisfied with our response, you may escalate to the OAIC

17.2 External Complaints

If you are not satisfied with our response, you may lodge a complaint with:

EU residents may also lodge a complaint with their local Data Protection Authority.

18. Contact Us

For any questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer: