Privacy Policy

Your HR System Pty Ltd (“Your HR System”, “we”, “us” or “our”) provides human resources software and related services, including the Your HR System platform, websites, support services and Forms feature.

This Privacy Policy explains how we collect, hold, use and disclose personal information. It applies to people who visit our websites, contact us, request information from us, use our platform, receive our services, or have their information submitted to or stored in the Your HR System platform by one of our customers.

We handle personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles, where they apply.

1. Our role

Your HR System provides software used by employers and other organisations (“Customers”) to manage human resources records, documents, workflows, employment information and forms.

In many cases, our Customer decides what personal information is collected, why it is collected, who within the Customer’s organisation may access it, and how long it should be retained. In those cases, we handle the information for the purpose of providing, securing, maintaining and supporting the platform and related services.

If you are an employee, contractor, job applicant, consultant, emergency contact or other person whose information has been submitted to or stored in the platform by one of our Customers, you should contact that Customer first for questions about why your information is being collected, how it is used, who can access it, or how long it will be retained.

Australian privacy law includes an employee records exemption for some acts and practices of private sector employers in relation to current and former employee records. That exemption does not mean employment-related information is low risk, and it does not remove all privacy, confidentiality, employment, tax, record-keeping or data security obligations. We handle personal information in accordance with this Privacy Policy and our customer agreements where the Australian Privacy Principles apply to us.

2. Personal information we collect

“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The personal information we collect and hold depends on how you interact with us and how our Customers configure the platform. It may include:

• identity and contact details, such as name, email address, phone number, address and date of birth;
• employment details, such as job title, position, employment status, start date, manager, location, salary, pay information, leave information and performance information;
• HR records, such as policies acknowledged, training records, qualifications, licences, certifications, emergency contacts, notes, documents, incident records and workflow history;
• payroll, tax and superannuation-related information where a Customer chooses to store or request it through the platform;
• bank account details or other payment information where a Customer chooses to request or store it for legitimate employment, payroll or reimbursement purposes;
• right-to-work, visa, licence, qualification or identity document information where a Customer chooses to request or store it;
• account information, such as login details, user role, permissions, support requests and account activity;
• billing and subscription information, such as billing contact details, subscription details, invoice records and payment status;
• technical information, such as IP address, browser type, device information, log data, cookie identifiers and usage analytics;
• information submitted through Forms, including onboarding information, employee details, emergency contact details, payroll details, bank account details, superannuation information, tax-related information, health or safety information, incident information, right-to-work information and other information requested by the Customer using the platform; and
• any other information provided to us directly or submitted into the platform.

We do not intentionally collect personal information from children through our websites or platform unless it is submitted by a Customer for a legitimate employment, HR, emergency contact, family, benefits, leave, compliance or related purpose.

3. Sensitive and high-impact information

Some information submitted to the platform may be “sensitive information” under the Privacy Act, such as health information, racial or ethnic origin, criminal record information, trade union membership information, or membership of a professional or trade association.

Some information may not always be sensitive information under the Privacy Act but can still create significant risk if misused or disclosed without authorisation. We refer to this in this policy as “high-impact information”. It includes bank account details, payroll information, tax file number information, superannuation information, identity documents, right-to-work information, health and safety information, and other information that could reasonably cause financial, identity, employment, reputational, physical or psychological harm if mishandled.

Tax file number information is subject to specific Australian rules. Customers should only request tax file number information where they are authorised to do so, should not use it as a general identifier, and should provide any notices required by law.

Customers should only request sensitive or high-impact information through the platform where it is lawful, reasonably necessary and proportionate for their legitimate HR, employment, payroll, work health and safety, legal, compliance or business purposes.

4. How we collect personal information

We collect personal information:

• directly from you, such as when you contact us, request a demo, create an account, use the platform, submit a support request or complete a form;
• from our Customers, where they upload, enter, import, request or manage information through the platform;
• from Authorised Users of a Customer account;
• from third-party services connected to the platform, where the Customer or user has authorised the connection; and
• automatically through our websites and platform, such as through cookies, logs, analytics tools and security monitoring.

Where practicable, you may interact with us anonymously or using a pseudonym, such as when making a general website enquiry. This will not usually be practicable where you need access to the platform, request support, submit a form, or where we need to verify your identity or provide services to a Customer.

5. Why we use personal information

We collect, hold, use and disclose personal information to:

• provide, maintain, secure and support the Your HR System platform;
• enable Customers to manage HR records, employment information, workflows, documents, forms and employee-related processes;
• configure accounts, authenticate users and manage roles and permissions;
• process and store form submissions on behalf of Customers;
• respond to support requests, service enquiries and administrative requests;
• manage subscriptions, billing, invoices and customer accounts;
• monitor, maintain and improve platform reliability, security and performance;
• detect, investigate and prevent suspected misuse, security incidents, unlawful activity or breaches of our terms;
• communicate with Customers and users about the platform, including service, security, product, billing and administrative notices;
• provide marketing communications where permitted by law and allow recipients to opt out;
• comply with legal obligations, regulatory requirements and lawful requests; and
• enforce our agreements and protect our rights, users, Customers and services.

We do not sell personal information.

6. Forms

Customers may use Forms to request information from employees, contractors, job applicants, consultants or other individuals. The type of information requested through Forms is controlled by the Customer.

Customers are responsible for deciding whether they are legally permitted to collect the information requested through Forms. Customers should only request information that is reasonably necessary for the relevant employment, HR, payroll, work health and safety, legal, compliance or business purpose.

Customers must not use Forms to collect personal information, sensitive information, tax file number information, bank account details, health information, identity documents or other high-impact information unless:

• the Customer has a lawful and legitimate reason to collect it;
• the information requested is reasonably necessary and proportionate for that purpose;
• the Customer has provided any required collection notice, consent wording or other legally required information;
• the Customer has considered whether a less intrusive alternative is available; and
• access to submitted information is limited to people who reasonably need it.

Your HR System stores and processes Forms information for the purpose of providing the platform and related services. We may access form submissions where reasonably necessary to provide support, maintain or secure the platform, investigate an issue, comply with law, or as otherwise permitted by our agreement with the relevant Customer.

7. Automated processing and AI-assisted features

The platform may use automated routines to operate HR workflows, route tasks, send reminders, validate fields, apply permissions, generate reports, maintain audit logs, monitor security and perform administrative functions.

The platform may also include AI-assisted or automation-assisted features that help Customers draft, summarise, classify, analyse, generate reports, identify possible issues, suggest wording or support HR administration tasks.

These features support Customers in managing HR processes. Unless expressly stated in a relevant product notice or agreement, Your HR System does not use personal information in the platform to make employment decisions, disciplinary decisions, hiring decisions, termination decisions, payroll decisions or other decisions that determine an individual’s legal rights or employment outcomes. Customers remain responsible for decisions they make using information in the platform.

AI-assisted or automated outputs should be reviewed by the Customer before they are relied on, shared with another person, or used to make decisions affecting an employee, contractor, applicant or other individual.

Your HR System will not use Customer Data to train third-party general-purpose AI models unless the Customer has expressly agreed to that use or enabled a feature that clearly discloses that use.

If we introduce a feature that uses personal information to make or substantially support decisions with a legal or similarly significant effect on individuals, we will update this Privacy Policy and any relevant notices as required.

8. Disclosure of personal information

We may disclose personal information to:

• the Customer that controls the relevant account;
• Authorised Users within that Customer account, according to configured permissions;
• our personnel and contractors who need access to provide, secure, maintain or support the platform;
• hosting, infrastructure, software, analytics, communication, security and support service providers;
• third-party services connected to the platform, where the Customer or user has authorised the connection;
• professional advisers, insurers, auditors and financiers;
• government agencies, regulators, courts, tribunals, law enforcement or other parties where required or authorised by law;
• another party in connection with a merger, acquisition, financing, restructure or sale of our business or assets; and
• other third parties where the relevant individual or Customer has authorised the disclosure.

Where we use third-party service providers, we take reasonable steps to require them to protect personal information and use it only for the purposes for which we disclose it.

9. Overseas disclosure

Some of our service providers may store, process or access personal information outside Australia. The countries may change depending on our hosting, support, security, software and communication providers.

At the date of this Privacy Policy, personal information may be stored in or accessed from the following countries: Australia.

Before disclosing personal information to an overseas recipient, we take reasonable steps required by Australian privacy law to ensure the recipient handles the information appropriately, unless an exception applies.

Customers should tell us before submitting information to the platform if they are subject to a law or contract that restricts offshore storage, processing or support access.

10. Security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Our security measures may include:

• role-based access controls and account permissions;
• authentication controls, including support for multi-factor authentication where available;
• encryption in transit;
• hosting and infrastructure controls provided by our service providers;
• logging, monitoring and audit records;
• backup and recovery processes;
• personnel confidentiality obligations;
• supplier due diligence; and
• internal policies and procedures for handling personal information and security incidents.

No system can be guaranteed to be completely secure. Customers and users also play an important role in security, including by using strong passwords, enabling multi-factor authentication where available, limiting permissions, promptly removing access for people who no longer need it, keeping devices and email accounts secure, and avoiding unnecessary collection of sensitive or high-impact information.

11. Data retention and deletion

We retain personal information for as long as reasonably necessary to provide the platform and services, comply with legal obligations, resolve disputes, maintain security, support backups and enforce agreements.

For information stored in a Customer account, the Customer generally controls the retention period and deletion decisions, subject to the functionality available in the platform and our legal obligations.

Where a Customer’s subscription ends, we may retain Customer account data for a limited period to allow export, transition, audit, legal compliance and backup processes. After that period, we will take reasonable steps to delete or de-identify the information unless we are required or permitted by law to retain it.

Where personal information is no longer needed for any lawful purpose, we will take reasonable steps to destroy or de-identify it, subject to backup, audit, legal, security and operational requirements.

12. Access and correction

You may request access to, or correction of, personal information we hold about you.

If your information is held in a Customer account, we may refer your request to the relevant Customer or ask you to contact that Customer directly, because the Customer is usually best placed to verify the request and make decisions about the employment or HR record.

To request access or correction, contact us at:

Email: support@yourhrsystem.com

We may need to verify your identity before responding. We may refuse access or correction where permitted by law and will explain the reason where required.

13. Quality of personal information

We take reasonable steps to ensure that personal information we collect, use or disclose is accurate, up to date, complete and relevant, having regard to the purpose of use or disclosure.

Customers and users are responsible for keeping information in Customer accounts accurate and up to date. If you believe information about you in the platform is inaccurate, contact the relevant Customer first.

14. Cookies and analytics

We use cookies, logs and similar technologies to operate our websites and platform, remember preferences, understand usage, improve services, maintain security and measure marketing performance.

The information collected may include server address, domain name, IP address, browser type, device information, operating system, pages viewed, date and time of visit, referring websites, approximate location information and interaction with our websites or platform.

You can control cookies through your browser settings, although disabling some cookies may affect website or platform functionality.

15. Direct marketing

We may use contact details to send information about our products, services, updates and events where permitted by law. These communications may be sent by email, SMS, phone, mail, in-app message or other electronic means.

You can opt out of marketing communications by using the unsubscribe link or contacting us.

We may still send service, security, billing and administrative messages where needed.

16. Data breaches

If we become aware of a suspected or actual data breach involving personal information, we will assess and respond to it in accordance with applicable law and our incident response processes.

Where the Notifiable Data Breaches scheme applies and a breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner where required. Where the breach relates to a Customer account, we may coordinate notification steps with the relevant Customer.

17. Complaints

If you have a privacy question or complaint, contact our Privacy Officer at:

Email: support@yourhrsystem.com

We will aim to acknowledge and respond to privacy complaints within a reasonable time. We may need to verify your identity or ask for further information.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version will be available on our website.

If we make material changes, we will take reasonable steps to notify affected Customers or users, such as by email, in-app notice or website notice.

19. Contact

For privacy questions, access or correction requests, or complaints, contact:

Your HR System Pty Ltd

Email: support@yourhrsystem.com