Privacy Policy

Effective date: 1 April 2025 · Last updated: 1 April 2025

CertVault is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. About Us

CertVault Pty Ltd ("CertVault", "we", "us", or "our") operates the CertVault platform at certvault.com.au. CertVault enables workers to store and share professional certificates and compliance documents with employers.

This Privacy Policy applies to all personal information we collect through the Platform. By using CertVault, you consent to the collection and use of your information as described here.

2. What Personal Information We Collect

2.1 Workers

When you register and use CertVault as a Worker, we may collect:

  • Identity information: full name, profile photo.
  • Contact information: email address.
  • Location: state/territory, country of residence.
  • Professional information: industries, work types, availability status.
  • Documents: certificates, licences, qualifications, and other compliance documents you upload.
  • Account activity: login timestamps, document upload dates, platform usage data.

2.2 Employers

When you register and use CertVault as an Employer, we may collect:

  • Identity and contact information: name, email address, company name.
  • Account activity: search history (within the platform), documents viewed, login timestamps.

2.3 Automatically Collected Information

  • Log data: IP address, browser type, pages visited, time spent.
  • Device information: operating system, screen resolution.
  • Cookies and similar tracking technologies (see Section 10).

2.4 Security Scanning

All documents uploaded to CertVault are submitted to third-party security scanning services to check for malware and other threats. This process involves transmitting the file to the scanning provider. Please see Section 5 for details on our third-party service providers.

3. Why We Collect Your Personal Information

We collect personal information to:

  • Create and manage your account.
  • Enable Workers to store and share professional documents.
  • Enable Employers to search for and view Worker profiles and documents.
  • Scan uploaded documents for security threats.
  • Send account-related notifications (password resets, document expiry reminders, platform updates).
  • Improve and personalise the Platform.
  • Comply with our legal obligations.
  • Detect and prevent fraud, abuse, and security incidents.

4. How We Use Your Information

  • To provide and operate the Platform.
  • To communicate with you about your account, including transactional emails.
  • To send service-related announcements (such as changes to these policies).
  • For internal analytics and product improvement using aggregated or de-identified data where possible.
  • To enforce our Terms of Service and protect the integrity of the Platform.

We will not use your personal information for direct marketing without your separate consent.

5. Disclosure of Your Personal Information

5.1 Worker-to-Employer Sharing

A core function of the Platform is enabling Workers to share their profile and documents with Employers. When you create a Worker profile, your profile information and any documents you make visible may be accessed by Employers. By uploading a document to your profile, you consent to that document being viewable by Employers using the Platform.

5.2 Service Providers

We share personal information with trusted third-party service providers, including:

  • Supabase, Inc. — database and authentication infrastructure.
  • Resend — transactional email delivery.
  • Vercel — web hosting and infrastructure.
  • VirusTotal (Google LLC) — security scanning of uploaded documents.

These providers are bound by contractual obligations to use your information only as directed by us and to maintain appropriate security measures. VirusTotal may retain submitted files for threat analysis purposes in accordance with their own privacy policy.

5.3 Legal Requirements

We may disclose your personal information if required to do so by law, court order, or where we believe in good faith that disclosure is necessary to comply with a legal obligation, or to protect the rights, property, or safety of CertVault, our users, or the public.

5.4 Overseas Disclosure

Some of our third-party service providers are located outside Australia (including the United States). Where we disclose personal information to overseas recipients, we take reasonable steps to ensure those recipients handle your information in accordance with the APPs or a comparable standard.

6. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access. Our security measures include:

  • Encrypted data transmission (HTTPS/TLS).
  • Row-level security controls so users can only access their own data.
  • Automated security scanning of all uploaded documents.
  • Authentication and access controls, including admin-only access to sensitive features.
  • Regular security reviews of our infrastructure.

No method of data transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you as required under the Notifiable Data Breaches scheme if a breach is likely to cause you serious harm.

7. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). If we become aware of a data breach likely to result in serious harm, we will:

  • Assess the breach as quickly as practicable.
  • Notify the Office of the Australian Information Commissioner (OAIC).
  • Notify affected individuals directly, where required.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide our services. When you close your account:

  • We will delete or de-identify your personal profile information within 90 days.
  • Documents you uploaded will be deleted within 90 days.
  • We may retain certain information for longer periods where required by law.

9. Your Rights — Access, Correction, and Complaints

9.1 Access and Correction

Under the Privacy Act 1988, you have the right to access the personal information we hold about you and to request correction of any inaccurate information. Contact us at legal@certvault.com.au. We will respond within 30 days.

9.2 Deletion Requests

You may request deletion of your account and associated personal information at any time. We will action your request within 90 days, subject to any legal obligations that require us to retain certain records.

9.3 Complaints

If you believe we have breached the APPs, please contact us at legal@certvault.com.au. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to maintain your session, remember your preferences, and understand how users interact with the Platform. We do not use third-party advertising cookies. You can control cookies through your browser settings, though disabling them may affect Platform functionality.

11. Children's Privacy

The Platform is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at legal@certvault.com.au.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The current version is always available at certvault.com.au/privacy.

13. Contact Us

For privacy-related inquiries, access requests, or complaints:

CertVault Pty Ltd
Email: legal@certvault.com.au

Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992 · oaic.gov.au