Privacy Policy
Effective Date: April 2026 · Version 1.0 · Last reviewed: April 2026
| Organisation | Mobely |
| Data Jurisdiction | Australia (all servers and data storage) |
| Applicable Law | Privacy Act 1988 (Cth), Australian Privacy Principles |
| Contact | abhinav.rajaram@mobely.ai |
1. Introduction
Mobely ("we", "us", or "our") is committed to protecting the privacy and security of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.
This Privacy Policy applies to our Personnel Mobilisation and Certification Management System (the "System"), which is used to record employee details, professional certifications, and to coordinate the deployment of personnel to operational tasks. It explains how we collect, hold, use, disclose, and protect personal information, and how individuals can access and correct their information.
By using the System or providing personal information to us, you acknowledge that you have read and understood this Privacy Policy.
2. Scope and Applicable Law
This policy applies to all individuals whose personal information is stored in or processed by the System, including current employees, contractors, and seconded personnel.
We comply with the following legislative instruments:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth)
- Any applicable state or territory privacy legislation
- Relevant workplace and employment legislation where personal information overlaps
Where applicable, we also have regard to the guidelines and resources published by the Office of the Australian Information Commissioner (OAIC).
3. What Personal Information We Collect
3.1 Employee and Personnel Information
The System collects and holds the following categories of personal information:
- Full name, date of birth, and contact details (phone, email, address)
- Employee or contractor identification numbers
- Emergency contact details
- Employment status, role, and work location
- Availability and roster information
- Task deployment and mobilisation history
3.2 Certification and Qualification Information
- Professional licences, tickets, and certifications (e.g. trade licences, safety tickets)
- Issuing authority and certification number
- Issue dates, expiry dates, and renewal status
- Copies of certification documents (where provided)
3.3 Sensitive Information
Certain information held in the System may constitute "sensitive information" under the Privacy Act 1988 (Cth), including health-related certifications or medical fitness assessments required for specific roles. We collect sensitive information only where it is necessary for operational purposes and with the consent of the individual, or as otherwise permitted by law.
4. How We Collect Personal Information
We collect personal information:
- Directly from individuals when they are onboarded into the System by an authorised administrator
- From HR or payroll systems where integration exists
- From certification bodies or training providers (with the individual's consent)
- When individuals or their managers update records in the System
We do not collect personal information by unlawful means, and we take reasonable steps to ensure individuals are aware of the purposes of collection at or before the time of collection, in accordance with APP 5.
5. Purposes for Which We Hold and Use Personal Information
Personal information held in the System is used solely for legitimate business and operational purposes, including:
- Managing and verifying employee and contractor certifications and qualifications
- Mobilising and assigning appropriately qualified personnel to operational tasks
- Ensuring compliance with workplace health and safety obligations
- Monitoring certification expiry and coordinating renewals
- Generating reports for operational planning and workforce management
- Maintaining employment and contractor records as required by law
We will not use personal information for any purpose that is incompatible with the purposes listed above without first obtaining consent, or as otherwise permitted by the APPs.
6. Disclosure of Personal Information
6.1 Internal Disclosure
Access to personal information within the System is restricted to authorised personnel who require access to perform their duties. Role-based access controls are enforced to ensure individuals can only view information relevant to their function.
6.2 Third-Party Disclosure
We may disclose personal information to third parties only in the following circumstances:
- To government agencies, regulators, or law enforcement bodies where required or authorised by law
- To auditors or compliance bodies for the purposes of verifying certification records
- To contracted service providers who assist us in operating the System, subject to binding data processing agreements and confidentiality obligations
We do not sell, rent, or trade personal information to third parties.
6.3 No Overseas Disclosure
All personal information held in the System is stored and processed within Australia. We do not transfer, disclose, or otherwise make personal information available to any overseas recipients. All virtual private servers (VPS), cloud infrastructure, databases, and backup systems are physically located on Australian soil.
This approach ensures compliance with APP 8 (cross-border disclosure of personal information) by avoiding overseas disclosure entirely.
7. Data Storage, Security, and Infrastructure
7.1 Australian Jurisdiction
All data infrastructure supporting the System is hosted exclusively within Australia. We do not use data centres, cloud regions, or third-party hosting providers that store or replicate data outside of Australian borders. All hosting and storage vendors are contractually required to maintain data sovereignty within Australia.
7.2 Encryption
We implement industry-standard encryption measures to protect personal information:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256 or equivalent strong encryption
- Database backups are encrypted using the same standard as primary data storage
- Encryption keys are managed securely and are not stored in proximity to the data they protect
7.3 Access Controls
- Multi-factor authentication (MFA) is required for all System logins
- Role-based access control (RBAC) limits data access to what is necessary for each user's function
- All administrator access is logged and auditable
- Accounts are deactivated promptly when employees or contractors leave the organisation
7.4 Network Security
- All servers are protected by enterprise-grade firewalls
- Intrusion detection and prevention systems (IDS/IPS) are deployed
- Regular vulnerability scanning and penetration testing are conducted
- Security patches and updates are applied on a timely basis
7.5 Physical Security
Data centre facilities hosting the System's infrastructure implement physical access controls, including security personnel, CCTV, and access logging, consistent with Australian data centre industry standards.
8. Data Retention and Destruction
We retain personal information only for as long as it is needed for the purposes described in this policy, or as required by applicable law:
- Active employment records are retained for the duration of the employment or engagement, and for a minimum of 7 years following its conclusion
- Certification records are retained for the life of the certification plus a minimum of 7 years
- System access logs and audit trails are retained for a minimum of 3 years
When personal information is no longer required, it is securely destroyed or de-identified in accordance with APP 11.2. Destruction methods include secure deletion of electronic records such that the data cannot be reconstructed.
9. Individual Rights Under the Australian Privacy Principles
9.1 Access to Personal Information (APP 12)
Individuals have the right to request access to personal information we hold about them. Requests should be made in writing to our Privacy Contact (see Section 13). We will respond within 30 days. In limited circumstances, we may deny access where permitted by the Privacy Act 1988 (Cth), and we will provide written reasons for any refusal.
9.2 Correction of Personal Information (APP 13)
If an individual believes that personal information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading, they may request a correction. We will take reasonable steps to correct the information within 30 days of the request. Where we decline to make a correction, we will provide reasons in writing.
9.3 Anonymity and Pseudonymity (APP 2)
Where practicable and lawful, individuals may interact with us using a pseudonym or without identifying themselves. However, given the operational nature of the System, which requires verified identities for certification and deployment purposes, anonymity is generally not feasible for system records.
9.4 Complaints (APP 1)
Individuals who believe their privacy rights have been interfered with may lodge a complaint. Our complaints process is described in Section 12 below.
10. Notifiable Data Breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach, being an unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm, we will:
- Contain the breach and assess the risk of harm as quickly as practicable
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as possible and no later than 30 days after becoming aware of the eligible data breach
- Notify affected individuals directly where it is practicable and appropriate to do so
We maintain an internal data breach response plan and conduct regular training to ensure our team is equipped to identify and respond to potential breaches promptly.
11. Cookies and System Logging
The System may use session cookies and authentication tokens to manage user sessions. These are functional in nature and are required for the System to operate correctly. We also maintain server-side access logs for security and audit purposes. These logs record user activity within the System and are accessible only to authorised administrators.
We do not use tracking cookies, analytics cookies, or any third-party advertising technologies.
12. Privacy Complaints
If you believe we have breached your privacy, we encourage you to raise the matter with us in the first instance. To lodge a complaint:
- Contact our Privacy Officer in writing (details in Section 13)
- Provide details of your concern, including your name, contact details, and a description of the issue
- We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
13. Privacy Contact
All privacy-related enquiries, access requests, correction requests, and complaints should be directed to:
| Privacy Officer | Abhinav Rajaram |
| Organisation | Mobely |
| Email | abhinav.rajaram@mobely.ai |
14. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the System. The current version of this policy will always be available within the System and, where practicable, we will notify affected individuals of material changes.
This policy was last reviewed and updated in April 2026. Previous versions are available upon request.
This document has been prepared with reference to the Privacy Act 1988 (Cth) and the Australian Privacy Principles.