Privacy Policy

Australian Consulting & Training Solutions Pty Ltd (ABN 123 456 789) ("we", "us", or "our") operates the Zealifi RTO Management Platform. We are committed to protecting the privacy of individuals whose information we handle, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains what personal information we collect, how we use and protect it, and your rights in relation to that information. By using our Service, you consent to the practices described in this policy.

1. What Information We Collect

Account and Subscriber Information

When you register for an account we collect:

• Organisation name and RTO details
• Administrator name and contact email address
• Phone number (optional)
• Billing information (processed securely by Stripe; we do not store full card details)
• Selected subscription plan

Student Data

Subscribers enter student data into the Platform as part of their RTO operations. This may include:

• Student names, dates of birth, addresses, and contact details
• Unique Student Identifiers (USI)
• Enrolment, assessment, and completion records
• State compliance identifiers (e.g. Queensland LUI, NSW Commitment ID)
• Payment records related to course fees
• Communication history (SMS, email)

Student Data is provided to us by the Subscriber (the RTO) and is processed on the Subscriber's behalf. We act as a data processor for Student Data; the Subscriber is the data controller responsible for obtaining appropriate consents from their students.

Usage and Technical Data

We automatically collect certain technical information when you use the Service, including IP addresses, browser type, pages visited, and error logs. This data is used to maintain and improve the Service and is not linked to individual student records.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Platform.
• Process subscription payments and manage billing.
• Send transactional communications (account setup, invoices, password resets).
• Provide customer support.
• Monitor the security and performance of the Service.
• Comply with our legal obligations, including responding to lawful requests from regulators.
• Improve and develop new features of the Platform (using aggregated, de-identified data).

We do not use Student Data for our own marketing purposes or share it with third parties for their marketing.

3. Sharing of Information

We do not sell personal information. We may share information in the following limited circumstances:

Service Providers

We engage trusted third-party providers to help deliver the Service. These providers process data only on our instructions and are bound by appropriate data processing and confidentiality obligations:

• Supabase — Database hosting and infrastructure
• Amazon Web Services (AWS) — Document and certificate storage
• Stripe — Payment processing
• Twilio — SMS delivery
• Sentry — Error monitoring (configured to exclude personal information)

Legal Requirements

We may disclose personal information where required by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of the Service, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information held by us may be transferred to the successor entity, subject to equivalent privacy protections.

4. Student Data Protection

We recognise the sensitivity of student data in the vocational education context. We take the following measures to protect it:

• Tenant isolation. Each RTO's data is stored in a separate database schema, preventing cross-tenant access.
• Encryption. Data is encrypted in transit (TLS) and at rest.
• Access controls. Access to the Platform is protected by authentication, and user roles limit access to data on a need-to-know basis.
• Audit logging. Material actions within the Platform are recorded in an audit log.
• Minimal error logging. Our error monitoring system is configured to exclude personally identifiable information from error reports.

Subscribers are responsible for ensuring their use of Student Data within the Platform complies with the Privacy Act 1988, the APPs, and any applicable state legislation or regulatory requirements imposed by ASQA or state training authorities.

5. Cookies and Tracking

We use cookies and similar technologies to operate and improve the Service. Specifically:

• Session cookies are used to maintain your authenticated session. These are essential for the Platform to function and are deleted when you close your browser.
• Preference cookies may store your settings (e.g. theme preference) between sessions.

We do not use third-party advertising trackers or behavioural profiling cookies. You can configure your browser to refuse cookies, but this may affect the functionality of the Service.

6. Data Retention

We retain personal information for as long as necessary to provide the Service and meet our legal obligations:

• Subscriber account information is retained for the duration of the subscription and for a reasonable period afterward for legal and audit purposes.
• Student Data entered by Subscribers is retained while the Subscriber's account is active. Following account termination, Subscribers may request an export of their data within 30 days, after which data may be deleted.
• Billing records are retained for seven years as required by Australian tax law.
• Audit logs are retained for a minimum of two years.

7. Your Privacy Rights

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you.
• Correct personal information that is inaccurate, out of date, or misleading.
• Complain if you believe we have handled your personal information in breach of the APPs.

To exercise these rights, please contact us using the details in Section 9. We will respond to access and correction requests within 30 days. If you are a student whose data has been entered by an RTO, please contact that RTO directly as they are the data controller for your information.

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify Subscribers of material changes by email or by posting a notice within the Service. The updated policy will take effect from the date posted. We encourage you to review this policy periodically.

9. Contact Us

For privacy enquiries, requests for access or correction, or to make a complaint, please contact our Privacy Officer:

We aim to acknowledge all privacy enquiries within five business days and resolve complaints within 30 days.