Privacy Policy

This Privacy Policy ("Policy") applies to Protocol Labs (ABN 49 634 013 629), a sole trader business trading as AxionSite. It describes how we collect, hold, use, disclose, and safeguard personal information when you visit our website at axionsite.com, use our platform, mobile applications, APIs, or any related services (collectively, the "Service"). This Policy applies to all visitors, prospective customers, registered users, administrators, and any individual whose personal information we process in connection with the Service. If you provide us with personal information of third parties (e.g. worker details for SWMS sign-on rosters), you warrant that you have obtained their consent or are otherwise authorised to provide that information and that you have made this Policy available to them.

To the extent that additional privacy laws apply to our processing of your information (for example, the General Data Protection Regulation for individuals in the EEA/UK, or the New Zealand Privacy Act 2020), we will comply with those laws where applicable.

We use personal information for the following purposes:

(a) Providing the Service — to operate, maintain, and deliver the features of the Service, including generating permits, SWMS, JHA, toolbox talks, and related WHS compliance materials; processing sign-on/off rosters; and providing customer support.

(b) Account management — to create and manage your account, process payments, send invoices, and manage subscriptions.

(c) Service communications — to send transactional emails (e.g. account verification, password resets, export confirmations, billing receipts) and service announcements.

(d) Marketing — with your consent or where permitted by law, to send promotional communications about new features, product updates, industry content, and offers. You may opt out of marketing communications at any time using the unsubscribe link in any email or by contacting us.

(e) Product improvement and analytics — to analyse usage patterns, diagnose technical issues, conduct A/B testing, measure feature adoption, and improve the functionality, usability, reliability, and performance of the Service.

(f) AI and machine learning — to train, improve, fine-tune, and develop our AI models and algorithms using aggregated, anonymised, or de-identified data derived from usage of the Service. This may include analysis of prompt patterns, output quality, and interaction flows to improve the accuracy, relevance, and safety of AI-generated content. We do not use individually identifiable Customer Data to train AI models for purposes unrelated to providing or improving the Service, unless you have given us explicit consent.

(g) Benchmarking and research — to produce aggregated, anonymised industry benchmarks, compliance trend reports, safety statistics, and research insights. Such aggregated data will not identify any individual or organisation.

(h) Security and fraud prevention — to detect, investigate, and prevent fraudulent, unauthorised, or illegal activity, and to protect the rights, safety, and property of AxionSite and its users.

(i) Legal compliance — to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service and other agreements.

(j) Other purposes — for other purposes described at the time of collection, with your consent, or as otherwise permitted or required by law.

Under the Australian Privacy Principles, we collect and process personal information where it is reasonably necessary for, or directly related to, one or more of our functions or activities (APP 3). In addition, where the GDPR or similar overseas legislation applies, our legal bases include: (a) performance of a contract (providing the Service); (b) legitimate interests (product improvement, security, analytics, and direct marketing to existing customers); (c) your consent (marketing communications, optional data sharing); and (d) legal obligation (compliance with laws and regulations).

In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth) amendments to APP 1, which take effect from 10 December 2026, we disclose the following:

The Service uses computer programs — including artificial intelligence, machine learning models, and rule-based logic — to generate WHS compliance documents (permits, SWMS, JHA, toolbox talks, risk matrices) based on information you provide. These automated processes analyse your inputs (task description, site details, industry, state/territory) to produce tailored outputs.

Kinds of personal information used: task and site descriptions, state/territory, industry, worker names (for sign-on rosters), and uploaded site photographs.

Types of decisions: content generation (selection of applicable hazards, controls, legislation references, PPE requirements, emergency procedures); risk-level assessments; and document formatting. These automated outputs are designed as drafts that must be reviewed and verified by a competent person before workplace use. They do not make decisions that directly and solely determine legal rights, employment, or financial outcomes for individuals.

We do not sell your personal information. We may disclose personal information in the following circumstances:

(a) Service providers and sub-processors — trusted vendors who assist us in operating the Service, including cloud hosting (Google Cloud / Firebase — Australian regions), payment processing (Stripe), email delivery (Resend), AI processing (OpenAI — subject to a data processing agreement that prohibits use of your data for model training), analytics, and customer support tools. These providers are contractually bound to protect your information and use it only for the purposes we specify.

(b) Legal and regulatory — where required or authorised by law, court order, subpoena, or government authority; where we reasonably believe disclosure is necessary to protect the rights, property, or safety of AxionSite, our users, or the public; or in connection with the investigation or prevention of fraud or illegal activity.

(c) Corporate transactions — in connection with a merger, acquisition, sale of assets, corporate restructuring, or similar transaction, subject to the successor entity being bound by privacy obligations at least as protective as this Policy.

(d) Professional advisors — to our lawyers, accountants, auditors, and insurers where necessary for them to provide professional services to us.

(e) With your consent — for any other purpose you have agreed to.

(f) Aggregated and anonymised data — we may share aggregated, anonymised, or de-identified data that does not identify any individual or organisation with any third party, including for industry research, benchmarking, and marketing purposes. Such data is not personal information.

Primary application data and Customer Data are stored in Australia. Some of our sub-processors may store or process personal information outside Australia, including in the United States (e.g. OpenAI for AI processing, Stripe for payment processing, Resend for email delivery, Vercel for edge hosting). Where we disclose personal information overseas, we take reasonable steps to ensure recipients comply with privacy standards comparable to the APPs (APP 8), including by entering into data processing agreements, standard contractual clauses, or relying on comparable privacy frameworks. You consent to such overseas disclosure where it is necessary for the operation and delivery of the Service. You may contact us for a current list of countries in which recipients are likely to be located.

We implement technical and organisational measures appropriate to the risk to protect personal information against unauthorised access, alteration, disclosure, destruction, and loss. These measures include, but are not limited to:

(a) encryption of data in transit (TLS 1.2+) and at rest (AES-256); (b) role-based access controls and least-privilege principles; (c) multi-factor authentication for administrative access; (d) regular security assessments and penetration testing; (e) secure software development lifecycle practices; (f) incident response and disaster recovery procedures; and (g) employee security awareness training.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, as soon as practicable and in any event within the timeframes required by law.

We retain personal information for as long as reasonably necessary to: (a) provide the Service and fulfil the purposes described in this Policy; (b) comply with legal, tax, audit, accounting, and regulatory obligations; (c) resolve disputes and enforce agreements; and (d) maintain immutable audit trails where required for WHS compliance (e.g. sign-on/off records).

When you close your account or request deletion, we will delete or de-identify your personal information within 90 days, except where we are required or permitted to retain it by law or for legitimate business purposes (e.g. backup archives that are overwritten on a rolling schedule, legal holds, or records required under WHS legislation). Aggregated and anonymised data that does not identify you may be retained indefinitely for analytics, benchmarking, and product improvement.

We use cookies and similar technologies (pixels, local storage, web beacons) to operate the Service, remember your preferences, authenticate sessions, analyse usage, and measure marketing effectiveness. We categorise cookies as follows:

(a) Strictly necessary — essential for the Service to function (e.g. authentication, session management, security). These cannot be disabled.

(b) Analytics and performance — help us understand how users interact with the Service so we can improve it. We use Google Tag Manager (GTM) and analytics tools to collect aggregated usage data.

(c) Functional — remember your preferences and settings (e.g. selected state/territory, theme).

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service. We do not use third-party advertising cookies that track you across other sites for behavioural advertising without your consent. For full details, see our Cookie Policy.

We may use your personal information to send you direct marketing communications about our products, services, features, and events where: (a) you have consented; or (b) you are an existing customer and the communication relates to similar products or services, and we provide a simple opt-out mechanism in each communication (in accordance with the Spam Act 2003 (Cth) and APP 7). We will not provide your personal information to unrelated third parties for their direct marketing purposes without your express consent.

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

The Service may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices, content, or security of any third-party sites. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.

If you believe we have breached the Australian Privacy Principles or this Policy, please contact us first so we can investigate and try to resolve your concern. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au
Phone: 1300 363 992

For all privacy-related enquiries, access or correction requests, deletion requests, or complaints, contact us via our Contact page or at the contact details published on our website. Protocol Labs (ABN 49 634 013 629), trading as AxionSite, Sydney, New South Wales, Australia.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy on this page and update the "Last updated" date. For material changes that reduce your rights or expand our use of your information, we will provide at least 30 days' notice via email or prominent in-product notification before the changes take effect. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you must stop using the Service and may request deletion of your information.