Privacy Policy

Version: v1.0 Effective Date: 1 September 2025 Last Updated: 1 September 2025

Document ID: privacy-policy

1. Introduction

Smartplace Pty Ltd (ACN 639 781 678) ("Smartplace," "Smartta," "we," "us," or "our") is committed to protecting your privacy and handling your personal information in an open and transparent manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites (www.getsmartta.com, www.smartta.ai) and use our workforce governance platform and related services (collectively, the "Services").

We comply with the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act ("CCPA"), the New Zealand Privacy Act 2020, and the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA").

2. Who We Are

Smartplace Pty Ltd is an Australian company that develops and operates the Smartta workforce governance platform. Our registered office is C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia. For GDPR purposes, we are the data controller for personal data we collect directly from you and a data processor when processing personal data on behalf of our customers.

3. Information We Collect

(a) Account Information

When you register for an account, we collect your name, email address, phone number, job title, company name, and billing information. If you are an Authorized User invited by a Customer, we receive basic identity information from the Customer.

(b) Workforce Data

Through the Services, Customers and Authorized Users may submit workforce-related data including employee records, timesheets, rosters, credential details, payroll data, and compliance documents ("Workforce Data"). Workforce Data is owned by the Customer. We process it solely on the Customer's behalf in accordance with our Data Processing Agreement.

(c) Product-Specific Data

Depending on the domain packs and features you use, we may process additional categories of data such as care minutes records, credentialing evidence, award interpretation inputs, clocking and attendance data, and payroll compliance outputs.

(d) Technical Information

We automatically collect device information, IP addresses, browser type, operating system, referring URLs, pages visited, access times, and interaction data through server logs and analytics tools.

(e) Marketing Information

If you subscribe to our newsletter, attend a webinar, or download a resource, we collect your name, email address, company, and any preferences you provide.

(f) Information from Third Parties

We may receive information about you from our business partners, identity verification providers, integration partners (such as payroll systems, WFM systems, and HRIS), and publicly available sources.

4. Lawful Basis for Processing (GDPR)

Where the GDPR applies, we rely on the following lawful bases:

  • Contract: Processing necessary to perform our contract with you or to take pre-contractual steps at your request.
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring security, where those interests are not overridden by your rights.
  • Consent: Where you have given us specific, informed, and unambiguous consent (e.g., for marketing communications).
  • Legal obligation: Processing necessary to comply with a legal obligation to which we are subject.

5. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our Services
  • Process and complete transactions, and send you related information including purchase confirmations and invoices
  • Improve, personalise, and expand our Services
  • Understand and analyse how you use our Services
  • Develop new products, services, features, and functionality
  • Communicate with you, including for customer service, updates, and marketing or promotional purposes (where you have consented)
  • Send you push notifications if you have opted in
  • Process compliance checks, credential verifications, and award interpretations as part of the Services
  • For compliance, fraud prevention, and safety purposes
  • Enforce our terms, conditions, and policies

6. Automated Decision-Making

Our Services include automated processing features such as award interpretation engines, credential expiry alerts, roster compliance checks, and care minutes calculations. These features process Workforce Data according to rules configured by the Customer. The outputs are recommendations and alerts; they do not constitute solely automated decisions with legal or similarly significant effects on individuals. Customers retain full control over acting on any automated outputs.

Where GDPR Article 22 applies, you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. Contact us or your employer (the Customer) to exercise this right.

7. How We Share Your Information

We may share your information in the following circumstances:

  • Service providers and sub-processors: Third-party vendors who perform services on our behalf, such as cloud hosting (AWS), analytics, payment processing, and customer support. These providers are contractually obligated to protect your data.
  • Customer's other systems: Where the Customer has configured integrations (e.g., payroll systems, WFM systems, HRIS), Workforce Data may be transmitted to those systems.
  • Business partners: With partners who help us deliver the Services, under appropriate data protection agreements.
  • Legal requirements: To comply with applicable law, regulation, legal process, or enforceable governmental request.
  • Protection of rights: To enforce our Terms of Use or protect the rights, property, or safety of Smartplace, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.

8. Cross-Border Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our primary infrastructure is hosted in Australia (AWS Sydney, ap-southeast-2). Where we transfer personal data outside of Australia, the EU/EEA, or the UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum
  • Binding Corporate Rules where applicable
  • Adequacy decisions by relevant authorities
  • Compliance with APP 8 (cross-border disclosure) under Australian privacy law

9. Data Security

We implement industry-standard technical and organisational measures to protect your personal information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls (RBAC)
  • Multi-factor authentication for administrative access
  • Regular security assessments and penetration testing
  • SOC 2 Type II compliance programme (in progress)
  • Employee security training and awareness programmes
  • Incident response procedures

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. For more detail, see our Security page.

10. Data Retention

We retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law. The criteria we use to determine retention periods include:

  • The duration of our relationship with you or the Customer
  • Whether there is a legal obligation to retain the data (e.g., tax, employment, or regulatory records)
  • Whether retention is advisable in light of our legal position (e.g., applicable limitation periods, litigation, or regulatory investigations)

Workforce Data is retained for the duration of the Customer's subscription and deleted or returned within 90 days of subscription termination, unless otherwise agreed or required by law.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Under Australian Privacy Principles (APPs)

  • Access: You may request access to the personal information we hold about you (APP 12).
  • Correction: You may request correction of any inaccurate or out-of-date information (APP 13).
  • Complaint: You may lodge a complaint if you believe we have breached the APPs.

Under EU/UK GDPR

  • Access: Right to obtain confirmation and a copy of your personal data.
  • Rectification: Right to correct inaccurate personal data.
  • Erasure: Right to request deletion of your personal data ("right to be forgotten").
  • Restriction: Right to restrict processing in certain circumstances.
  • Portability: Right to receive your data in a structured, machine-readable format.
  • Objection: Right to object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: Right to withdraw consent at any time where processing is based on consent.

Under Canadian Law (PIPEDA)

  • Right to access your personal information held by us.
  • Right to challenge the accuracy and completeness of your information and have it amended.
  • Right to withdraw consent to the collection, use, or disclosure of your personal information.

To exercise any of these rights, contact us at privacy@smartplace.ai. We will respond within the timeframe required by applicable law (generally 30 days). If you are an Authorized User and your request relates to Workforce Data controlled by a Customer, we may direct you to the Customer.

12. Cookies

We use cookies and similar tracking technologies to track activity on our Services and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. For full details, see our Cookie Policy.

13. Children's Privacy

Our Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information. If you believe we have collected information from a child, please contact us at privacy@smartplace.ai.

14. EU/UK GDPR Supplemental Provisions

If you are located in the European Economic Area (EEA) or the United Kingdom, the following additional provisions apply:

  • Data Controller: Smartplace Pty Ltd is the data controller for personal data collected through our websites and marketing activities. Where we process Workforce Data on behalf of a Customer, the Customer is the data controller and we act as data processor.
  • Data Protection Officer: You may contact our privacy team at privacy@smartplace.ai.
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.
  • Legal Basis: See Section 4 above.
  • International Transfers: See Section 8 above.

15. California Consumer Privacy Act (CCPA) Notice

If you are a California resident, you have the following rights under the CCPA:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: You have the right to opt out of the sale of your personal information. We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Categories of Personal Information Collected: Identifiers, professional or employment-related information, internet or other electronic network activity information, and inferences drawn from the above. We do not sell personal information as defined by the CCPA.

To exercise your CCPA rights, contact us at privacy@smartplace.ai or call us. We will verify your identity before processing your request.

16. New Zealand Privacy Act 2020

If you are located in New Zealand, you have the right to access and request correction of your personal information under the New Zealand Privacy Act 2020. You may also lodge a complaint with the Office of the Privacy Commissioner of New Zealand. Our obligations under the Information Privacy Principles (IPPs) are met through the measures described in this policy.

17. Complaints and the OAIC

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at privacy@smartplace.ai. We will investigate and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

18. Notifiable Data Breaches

In accordance with Part IIIC of the Privacy Act 1988 (Cth), we will notify the OAIC and affected individuals of eligible data breaches as soon as practicable. An eligible data breach occurs when there is unauthorised access to, or disclosure of, personal information that is likely to result in serious harm to any individual to whom the information relates, and we have been unable to prevent the likely risk of serious harm through remedial action.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Where required by law, we will obtain your consent or provide additional notice. We encourage you to review this Privacy Policy periodically for any changes.

20. Related Documents

21. Contact Us

If you have any questions about this Privacy Policy, your personal information, or wish to exercise your rights, please contact us:

  • Email: privacy@smartplace.ai
  • Post: Privacy Officer, Smartplace Pty Ltd, C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia

Smartplace Pty Ltd (ACN 639 781 678)

C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia

Related Legal Documents

Terms of Use Cookie Policy Security
Back to home