Privacy Policy

Last updated: March 2026

Summary

AxionSite (ABN 49 634 013 629) (referred to as "AxionSite", "we", "us", "our") is committed to protecting your personal information. We comply with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable 2026 amendments including automated decision-making transparency requirements. We do not sell your personal information. Primary data is stored in Australia. By accessing or using our website, platform, or services you acknowledge you have read this policy and consent to the collection, use, and disclosure of information as described herein.

1. Who We Are and Scope

This Privacy Policy ("Policy") applies to AxionSite (ABN 49 634 013 629). It describes how we collect, hold, use, disclose, and safeguard personal information when you visit our website at axionsite.com, use our platform, mobile applications, APIs, or any related services (collectively, the "Service"). This Policy applies to all visitors, prospective customers, registered users, administrators, and any individual whose personal information we process in connection with the Service. If you provide us with personal information of third parties (e.g. worker details for SWMS sign-on rosters), you warrant that you have obtained their consent or are otherwise authorised to provide that information and that you have made this Policy available to them.

To the extent that additional privacy laws apply to our processing of your information (for example, the General Data Protection Regulation for individuals in the EEA/UK, or the New Zealand Privacy Act 2020), we will comply with those laws where applicable.

Role of the parties. For account, subscription, support, and marketing data, we generally act as the data controller (or equivalent). For Customer Data uploaded and managed in workspace features, we generally act as a service provider/processor on your instructions, while your organisation remains responsible for lawful collection and use.

2. Worker and Site Safety Information

AxionSite is used for construction safety and compliance workflows that may involve personal information about workers, subcontractors, visitors, supervisors and other people on or connected with a worksite. This may include names, roles, employers, contact details, sign-on and acknowledgement records, signatures, emergency contact details, licences, tickets, competency or induction information, incident and injury details, uploaded documents, site photographs and related safety records ("Worker and Site Safety Information").

We handle Worker and Site Safety Information with additional care because construction safety records can include sensitive information. Your organisation remains responsible for ensuring it has a lawful basis to collect and upload this information, including any required worker notices, consents or consultation processes.

We do not use worker sign-on, incident, injury, medical, emergency contact or contractor compliance records for direct marketing. We also do not create cross-customer profiles of individual workers or combine worker safety records across customer workspaces for marketing or profiling.

Worker and Site Safety Information is kept within the customer workspace or organisation context in which it is provided, subject to authorised access, support, security, legal and service-operation requirements described in this Policy. Durable workspace records for Australian customers are stored in Australia where configured for the Service; limited overseas processing may occur through subprocessors such as AI inference, email, analytics, support, identity, payment, observability or edge-delivery services.

We maintain access, audit and workflow logs for key actions involving Customer Data where supported by the Service.

3. Information We Collect

3.1 Information you provide directly

(a) Account and identity information — full name, email address, phone number, company or trading name, ABN/ACN, job title, and similar details provided during registration or profile updates.

(b) Content and operational data — any data, text, descriptions, images, or materials you input into the Service, including task descriptions, site addresses, hazard information, worker names, and photo uploads ("Customer Data").

(c) Payment and billing information — billing address, company details, and payment method details processed by our PCI-compliant payment processor. We do not store full card numbers on our systems.

(d) Communications — records of correspondence when you contact us via email, our contact form, or any support channel.

(e) Feedback and survey data — responses to optional surveys, product feedback, feature requests, or reviews you choose to provide.

3.2 Information collected automatically

(a) Usage and log data — pages visited, features used, actions taken, timestamps, session duration, referral URLs, and interaction patterns.

(b) Device and technical data — IP address, browser type and version, operating system, device type, screen resolution, language preference, and unique device identifiers.

(c) Cookies and tracking technologies — we use cookies, pixels, local storage, and similar technologies. See Section 12 and our Cookie Policy for full details.

(d) Analytics data — aggregated and pseudonymised data collected via tag-management and analytics tools, and our own internal instrumentation, to understand how the Service is used and to improve performance.

3.3 Information from third parties

We may receive information from third-party sources such as identity verification services, publicly available business registries (e.g. ASIC, ABR), marketing partners, and social single sign-on or social login providers you use, which we combine with information we already hold to maintain accurate records and improve the Service.

3.4 Sensitive information

The Service may process sensitive information where customers choose to record it for WHS, incident, emergency, induction, contractor compliance or related safety purposes. This may include health information, injury details, emergency contact information, medical or fitness notes, licence or competency records, uploaded certificates, site photographs, or other information that is sensitive under the Privacy Act.

Where sensitive information is included in Customer Data, we handle it for the purpose of providing, securing and supporting the Service, and as otherwise described in this Policy. We do not use worker-sensitive information for direct marketing.

4. How We Use Your Information

We use personal information for the following purposes:

(a) Providing the Service — to operate, maintain, and deliver the features of the Service, including drafting SWMS and compliance materials with permit requirements in-document, JHA, toolbox talks, and related WHS outputs; processing sign-on/off rosters; and providing customer support.

(b) Account management — to create and manage your account, process payments, send invoices, and manage subscriptions.

(c) Service communications — to send transactional emails (e.g. account verification, password resets, export confirmations, billing receipts) and service announcements.

(d) Marketing — with your consent or where permitted by law, to send promotional communications about new features, product updates, industry content, and offers. You may opt out of marketing communications at any time using the unsubscribe link in any email or by contacting us.

(e) Product improvement and analytics — to analyse usage patterns, diagnose technical issues, conduct A/B testing, measure feature adoption, and improve the functionality, usability, reliability, and performance of the Service.

(f) AI and service improvement — to evaluate and improve the Service using aggregated, anonymised, or de-identified data derived from usage of the Service. This may include analysis of prompt patterns, output quality, and interaction flows to improve the accuracy, relevance, and safety of AI-assisted content. We do not use identifiable Customer Data to train public AI models.

(g) Benchmarking and research — to produce aggregated, anonymised industry benchmarks, compliance trend reports, safety statistics, and research insights. Such aggregated data will not identify any individual or organisation.

(h) Security and fraud prevention — to detect, investigate, and prevent fraudulent, unauthorised, or illegal activity, and to protect the rights, safety, and property of AxionSite and its users.

(i) Legal compliance — to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service and other agreements.

(j) Other purposes — for other purposes described at the time of collection, with your consent, or as otherwise permitted or required by law.

6. Automated Decision-Making

In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth) amendments to APP 1, which take effect from 10 December 2026, we disclose the following:

The Service uses computer programs — including artificial intelligence, machine learning models, and rule-based logic — to generate WHS compliance documents (including permit requirements in the pack, SWMS, JHA, toolbox talks, risk matrices) based on information you provide. These automated processes analyse your inputs (task description, site details, industry, state/territory) to produce tailored outputs.

Kinds of personal information used: task and site descriptions, state/territory, industry, worker names (for sign-on rosters), and uploaded site photographs.

Types of decisions: content generation (selection of applicable hazards, controls, legislation references, PPE requirements, emergency procedures); risk-level assessments; and document formatting. These automated outputs are designed as drafts that must be reviewed and verified by a competent person before workplace use. They do not make decisions that directly and solely determine legal rights, employment, or financial outcomes for individuals.

7. Disclosure and Sharing

We do not sell your personal information. We may disclose personal information in the following circumstances:

(a) Service providers and sub-processors — We engage categories of service providers who process personal information on our behalf to operate the Service, including: cloud infrastructure and application hosting (with primary storage configured in Australian regions where we offer that); payment processing; transactional email and product communications; machine-learning and document-generation inference; edge delivery and observability; analytics; authentication and identity; and customer-support tooling. They are contractually required to protect personal information and to use it only for the purposes we specify, including data-processing terms that restrict use for unrelated purposes (such as model training) where those restrictions apply to the service they provide.

We do not publish a public directory of vendor trade names on this website. Commercial customers may contact us for a written summary of current sub-processor categories, typical processing purposes, and jurisdictions; where commercially reasonable we may provide further identification under suitable confidentiality arrangements.

For eligible commercial customers, we can provide a data processing addendum (DPA) that describes processing roles, instructions, confidentiality, security obligations, and sub-processor safeguards.

(b) Legal and regulatory — where required or authorised by law, court order, subpoena, or government authority; where we reasonably believe disclosure is necessary to protect the rights, property, or safety of AxionSite, our users, or the public; or in connection with the investigation or prevention of fraud or illegal activity.

(c) Corporate transactions — in connection with a merger, acquisition, sale of assets, corporate restructuring, or similar transaction, subject to the successor entity being bound by privacy obligations at least as protective as this Policy.

(d) Professional advisors — to our lawyers, accountants, auditors, and insurers where necessary for them to provide professional services to us.

(e) With your consent — for any other purpose you have agreed to.

(f) Aggregated and anonymised data — we may share aggregated, anonymised, or de-identified data that does not identify any individual or organisation with any third party, including for industry research, benchmarking, and marketing purposes. Such data is not personal information.

We maintain an internal sub-processor register and change control process. Commercial customers may request updates to relevant sub-processor categories, processing locations, and notification process through our contact channel.

8. Overseas Disclosure

Primary application data and Customer Data are stored in Australia. Some of our sub-processors may store or process personal information outside Australia, including in the United States and other countries where those categories of providers operate. Where we disclose personal information overseas, we take reasonable steps to ensure recipients comply with privacy standards comparable to the APPs (APP 8), including by entering into data processing agreements, standard contractual clauses, or relying on comparable privacy frameworks. You consent to such overseas disclosure where it is necessary for the operation and delivery of the Service. You may contact us for a current list of countries in which recipients are likely to be located.

9. Data Storage and Security

We implement technical and organisational measures appropriate to the risk to protect personal information against unauthorised access, alteration, disclosure, destruction, and loss. These measures include, but are not limited to:

(a) encryption of data in transit (TLS 1.2+) and at rest (AES-256); (b) role-based access controls and least-privilege principles; (c) multi-factor authentication for administrative access; (d) regular security assessments and penetration testing; (e) secure software development lifecycle practices; (f) incident response and disaster recovery procedures; and (g) employee security awareness training.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, as soon as practicable and in any event within the timeframes required by law.

We also maintain a vulnerability reporting process. Security researchers and customers may submit vulnerability reports via our contact channel so we can triage, remediate, and coordinate disclosure responsibly.

10. Data Retention

We retain personal information for as long as reasonably necessary to: (a) provide the Service and fulfil the purposes described in this Policy; (b) comply with legal, tax, audit, accounting, and regulatory obligations; (c) resolve disputes and enforce agreements; and (d) maintain security, activity and audit records where required for WHS compliance (e.g. sign-on/off records).

During the MVP pilot, deletion and de-identification requests are handled by a manual admin process rather than an automated retention job. When you close your account or request deletion, we will verify the request, identify the relevant account, workspace, and Customer Data, and delete or de-identify personal information where we are not required or permitted to retain it by law or for legitimate business purposes (e.g. backup archives that are overwritten on a rolling schedule, legal holds, billing records, security audit records, or records required under WHS legislation). Aggregated and anonymised data that does not identify you may be retained indefinitely for analytics, benchmarking, and product improvement.

11. Your Rights

11.1 Access and correction (APP 12 & 13)

You have the right to request access to the personal information we hold about you and to request correction of any information that is inaccurate, incomplete, out of date, or misleading. You can update much of your account information directly in the Service. For access or correction requests, contact us using the details in Section 16. We will respond within a reasonable time (generally within 30 days) and may need to verify your identity. We may refuse access in limited circumstances permitted by law and will provide reasons if we do.

11.2 Deletion and de-identification

You may request that we delete or de-identify your personal information. We will comply where we are not required to retain the information by law or for legitimate business purposes. Some information may persist in encrypted backups for a limited period before being overwritten.

MVP requests are reviewed manually by an authorised AxionSite administrator. The review checks the requester's identity, confirms whether WHS, audit, billing, tax, or legal retention exceptions apply, records the decision, and then actions deletion or de-identification where appropriate.

11.3 Marketing opt-out

You may opt out of direct marketing at any time by clicking the unsubscribe link in any marketing email, updating your preferences in the Service, or contacting us. We will process your opt-out request promptly, and in any event within 5 business days.

11.4 Data portability

On request, we will provide you with a copy of your Customer Data in a commonly used, machine-readable format (e.g. CSV or JSON) within a reasonable time.

11.5 Additional rights

If the GDPR or other privacy legislation applies to you, you may have additional rights such as the right to restriction of processing, the right to object, and the right to lodge a complaint with a supervisory authority. Contact us to exercise any of these rights.

12. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, local storage, web beacons) to operate the Service, remember your preferences, authenticate sessions, analyse usage, and measure marketing effectiveness. We categorise cookies as follows:

(a) Strictly necessary — essential for the Service to function (e.g. authentication, session management, security). These cannot be disabled.

(b) Analytics and performance — help us understand how users interact with the Service so we can improve it. We use tag management and analytics tools to collect aggregated usage data.

(c) Functional — remember your preferences and settings (e.g. selected state/territory, theme).

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service. We do not use third-party advertising cookies that track you across other sites for behavioural advertising without your consent. For full details, see our Cookie Policy.

13. Direct Marketing

We may use your personal information to send you direct marketing communications about our products, services, features, and events where: (a) you have consented; or (b) you are an existing customer and the communication relates to similar products or services, and we provide a simple opt-out mechanism in each communication (in accordance with the Spam Act 2003 (Cth) and APP 7). We will not provide your personal information to unrelated third parties for their direct marketing purposes without your express consent.

We do not use worker sign-on, incident, injury, medical, emergency contact or contractor compliance records for direct marketing.

14. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

16. Complaints and Contact

If you believe we have breached the Australian Privacy Principles or this Policy, please contact us first so we can investigate and try to resolve your concern. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au
Phone: 1300 363 992

For all privacy-related enquiries, access or correction requests, deletion requests, or complaints, contact us via our Contact page or at the contact details published on our website. AxionSite (ABN 49 634 013 629), Sydney, New South Wales, Australia.

17. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Policy on this page and update the "Last updated" date. For material changes that reduce your rights or expand our use of your information, we will provide at least 30 days' notice via email or prominent in-product notification before the changes take effect. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you must stop using the Service and may request deletion of your information.