Skip to main content
TrustSignal
Home/Legal/Privacy policy

Privacy policy.

Last updated · 22 April 2026
1 · The document

1. About this Privacy Policy

1.1 Who we are

Exodite Pty Ltd (ABN 89 694 358 177), trading as TrustSignal ("TrustSignal", "we", "us", "our"), operates TrustSignal.com.au — a self-service platform that compiles and delivers background-check reports on Australian builders and construction-industry entities from authorised third-party data sources. TrustSignal is bound by the Australian Privacy Act 1988 (Cth) (as amended, including the Privacy and Other Legislation Amendment Act 2024) and the Australian Privacy Principles ("APPs").

1.2 Purpose of this Policy

This Privacy Policy is published under APP 1.3. It describes, in clear terms, how TrustSignal collects, holds, uses, discloses, and protects personal information, and how individuals can exercise their rights under the Privacy Act.

1.3 Availability

This Privacy Policy is available free of charge at privacy.trustsignal.com.au and in alternative formats on request to the Privacy Officer (contact details in Section 14).

1.4 Who this Policy applies to

This Policy applies to the personal information of the following groups of individuals:

  • Customers and prospective customers— individuals (or representatives of corporate customers) who purchase, register for, or enquire about TrustSignal reports or services.
  • Report subjects— natural persons whose information appears in a TrustSignal report, including (without limitation) sole traders, company directors, nominated/qualified supervisors, licensees, named parties in court or tribunal records, and named parties in regulator registers. Report subjects may or may not have directly interacted with TrustSignal.
  • Website visitors— individuals who visit TrustSignal.com.au or related domains without registering for an account.
  • Staff, contractors, and applicants— individuals whose personal information we handle in connection with employment, engagement, or recruitment.

1.5 What this Policy does not apply to

This Policy does not apply to information about Australian corporate entities (companies, partnerships, trusts) that does not identify a natural person and does not render a natural person reasonably identifiable. Information of that kind is not personal information under the Privacy Act.

1.6 Two data-subject groups, in plain English

Because TrustSignal's core product is a background-check report, many of the individuals whose information we handle are the subjects of those reports, not our paying customers. If a report has been compiled about you, Section 8 ("If a report has been compiled about you") is written specifically for you.

2. What personal information we collect

2.1 Information we collect from customers

When you register for or use a TrustSignal account, we collect:

  • Identity and contact details— name, email, phone.
  • Account credentials— username, password hash.
  • Billing information— payment card or direct-debit details (processed by our payment processor; full card numbers are not stored by TrustSignal), invoices, and transaction history.
  • Communications— support requests, feedback, survey responses.

TrustSignal does not perform identity verification as a product or service, and does notcollect government-issued identifiers (such as driver's licence or passport numbers) from customers as a routine part of account setup or platform use.

2.2 Information about report subjects (collected from third parties)

To compile a report, TrustSignal collects information about the subject of the report from authorised third-party data sources. Where that information relates to a natural person, it is personal information. Typical elements include:

Identity and business activity data - from the Australian Business Register (ABR) and ABN Lookup, including where the subject trades as a sole trader or partnership.

Corporate and director history, civil court and tribunal records, insolvency records, licence history, and civil/administrative adverse-action data - from one or more aggregated commercial intelligence providers. These feeds do not include records of criminal proceedings.

Commercial credit information - from one or more commercial credit reporting providers, limited to commercial credit data about businesses. TrustSignal does not collect or use consumer credit information (information of the kind regulated by Part IIIA of the Privacy Act). Consistent with OAIC guidance, the court records included in commercial credit files are limited to credit- and finance-related matters.

Consumer protection and fair trading records - from the ACCC, NSW Fair Trading, Consumer Affairs Victoria, NSW Home Building Compensation, NSW Building Commission, and VerifyNSW Trades.

Work health and safety enforcement and prosecution information - from SafeWork NSW, SafeWork SA, WorkSafe ACT, WorkSafe NT, WorkSafe Queensland, WorkSafe Tasmania, WorkSafe Victoria, and WorkSafe WA. This may include outcomes of regulatory prosecutions under the relevant State or Territory WHS Act that have been lawfully made publicly available by the regulator. See Section 2.4 for how this category is treated as sensitive information.

Where a data source or record names a natural person (for example, a licensee, nominated supervisor, director, bankrupt, or defendant), that information is collected and handled as personal information under this Policy.

2.3 Information we collect automatically

When you visit TrustSignal.com.au or use our platform, we collect:

  • Device and browser information (device type, operating system, browser, language).
  • IP address and derived approximate location (country, state, city).
  • Usage logs (pages and features accessed, timestamps, referrer).
  • Cookies and similar technologies (see Section 11).

2.4 Sensitive information

TrustSignal's data sources are scoped to commercial conduct, licensing, and work-health-and-safety regulation in the building and construction industry. We do not collect general criminal-record information about natural persons (the kind of information that would appear on a National Police Check). Specifically:

  • Our commercial credit data sources are limited to commercial credit information about businesses and, consistent with the OAIC's position on credit reporting, do not include credit-unrelated court records or general criminal records.
  • Our commercial intelligence and court / tribunal data sources do not include records of criminal proceedings.
  • Our regulator and licensing data sources are limited to civil and administrative outcomes (and, in the case of WHS regulators, work-health-and-safety prosecution outcomes - see below).

Within that scope, two narrow categories of information collected by TrustSignal may amount to sensitive information under section 6 of the Privacy Act:

(a) Professional or trade association membership - occupational licensing. Licence and registration information for builders, trades, and supervisors held by State and Territory regulators (for example, NSW Fair Trading licences, VBA registrations, QBCC licences). This is collected in reliance on APP 3.4(a)- collection is authorised by or under an Australian law (the relevant State or Territory licensing legislation), which provides for the public availability of the licence register so that consumers and counterparties can verify a licensee's status.

(b) Work-health-and-safety enforcement and prosecution information. Enforcement outcomes published by State and Territory WHS regulators (for example, SafeWork NSW, WorkSafe Victoria), which may include outcomes of regulatory prosecutions under the relevant WHS Act naming a natural person (for example, a company officer or duty-holder). These outcomes are regulatory in substance, are published by the regulator under express statutory authority for deterrence and consumer-protection purposes, and are collected in reliance on APP 3.4(a)— collection is authorised by or under an Australian law (the relevant State or Territory WHS Act and its publication provisions). TrustSignal does not collect WHS enforcement information that has not been lawfully made publicly available by the regulator.

The basis on which sensitive information is collected, by category and source, is documented in our internal APP 3 Sensitive Information Assessment, which is reviewed at least annually and whenever a new data source is onboarded. Where no applicable APP 3.4 exception exists for a given category, that category is not collected.

We do not collect information about a natural person's health, genetic information, race, ethnic origin, political opinions, political-association membership, religious beliefs, philosophical beliefs, sexual orientation or practices, trade union membership, biometric information, or biometric templates.

2.5 Unsolicited personal information (APP 4)

If we receive personal information we did not solicit, we will determine within a reasonable time whether we could have collected it under APP 3. If not, and where lawful to do so, we will destroy or de-identify it.

3. How we collect personal information

3.1 From you

We collect personal information directly from customers when they create an account, make a purchase, communicate with us, or use the platform.

3.2 From third parties - about report subjects

TrustSignal collects personal information about report subjects from the third-party data sources listed in Section 2.2. Collection directly from the report subject is unreasonable or impracticable within the meaning of APP 3.6 because:

the subject's identity is not known to TrustSignal until a report is requested by a customer;

TrustSignal does not hold contact details for the subject and could not, at the point of collection, practicably approach the subject directly;

  • seeking direct collection at scale across the volume of public-record subjects ingested would be disproportionate to the privacy impact, given that the underlying records are already lawfully publicly available; and
  • direct pre-collection approach to the subject is inconsistent with the integrity of a commercial background-check service.

This reliance on APP 3.6 is documented in our internal privacy procedures and is reviewed at least annually and whenever a new data source is onboarded.

3.3 APP 5 notification of indirect collection

Where TrustSignal collects personal information about a report subject, we take reasonable steps to notify the report subject of the matters required by APP 5 by:

  • publishing this Privacy Policy as a readily accessible document that includes all APP 5 matters (in particular Section 8, which is written specifically for report subjects);
  • providing a clearly signposted "If a report has been compiled about you" page at privacy.trustsignal.com.au/report-subjects;
  • responding to enquiries from report subjects in accordance with Sections 8 and 14.

We have assessed what constitutes "reasonable steps" under APP 5 having regard to the OAIC's Privacy Guidelines (Chapter 5) and the practical circumstances of TrustSignal's operations. In particular:

  • TrustSignal does not hold contact details for report subjects and has no practicable means of obtaining them. The information ingested from third-party sources rarely includes a current email address, postal address, or telephone number, and the cost and intrusiveness of locating and contacting each subject would be disproportionate to the privacy benefit of direct notice.
  • The personal information collected is sourced exclusively from records that have been lawfully made publicly available by Australian courts, tribunals, regulators, registers, and authorised aggregators. Subjects of those records are on notice, by virtue of those records being public, that the records may be accessed and republished.
  • Publication of this Policy, together with the dedicated report-subject landing page and a responsive Privacy Officer channel, provides a meaningful and continuously available means for report subjects to learn what is held and to exercise their rights.
  • The basis on which TrustSignal relies on publication-only notification is documented in our internal APP 5 Reasonable Steps Assessment, which is reviewed at least annually and whenever a new data source is onboarded. Where direct notification is reasonable in the circumstances of a particular report or is requested by a customer, we will provide direct notification.

4. Why we collect, hold, use, and disclose personal information

4.1 Purposes

We collect and use personal information for the following purposes:

  • Provide the TrustSignal platform and reports. To deliver the report product ordered by a customer, including collecting, aggregating, and presenting information about report subjects from third-party sources.
  • Account management and billing. To register and maintain customer accounts, process payments, issue invoices, and manage subscriptions.
  • Fraud prevention and platform security. To protect TrustSignal, our customers, and report subjects from unauthorised access, misuse of the platform, and fraudulent activity.
  • Customer support. To respond to enquiries, complaints, and access/correction requests.
  • Legal and regulatory compliance. To comply with Australian law, respond to lawful requests from courts, regulators, and law enforcement, and to cooperate with our insurers.
  • Service improvement. To analyse usage, monitor for errors, and improve the platform.
  • Direct marketing to customers who have opted in.To send customers and prospective customers who have given consent information about TrustSignal's products and services (see Section 4.4).

4.2 What we do not do

We do not sell personal information.

We do not use personal information collected about report subjects for direct marketing to the report subject.

We do not use personal information about report subjects to make decisions about them outside the report they appear in.

4.3 No automated decision-making

TrustSignal does not perform automated decision-making about any individual. Reports present information sourced from the third-party data sources listed in Section 2.2 as retrieved from those sources. TrustSignal does not generate its own scores, risk ratings, flags, recommendations, or other derived indicators about a report subject. Any decision made on the basis of a TrustSignal report is made by the customer who purchased the report, not by TrustSignal.

If TrustSignal introduces any automated decision-making or derived indicators in the future, this Policy will be updated before that functionality is made available, and TrustSignal will comply with any transparency obligations under the Privacy and Other Legislation Amendment Act 2024 that apply at the time. (The automated decision-making transparency obligations introduced by that Act commence on 10 December 2026.)

4.4 Direct marketing (APP 7)

TrustSignal operates on an opt-in basis for direct marketing. We send marketing communications only to customers and prospective customers who have actively given consent to receive them. Every marketing communication includes a simple unsubscribe mechanism, and we honour opt-out requests promptly. On request, we will tell an individual the source of the personal information we used to send them a marketing communication. We do not send direct marketing to report subjects. In addition to APP 7, TrustSignal complies with the Spam Act 2003 (Cth) in respect of commercial electronic messages (including identifying the sender, obtaining consent, and providing a functional unsubscribe facility) and with the Do Not Call Register Act 2006 (Cth) in respect of any telephone marketing.

4.5 Use and disclosure for secondary purposes (APP 6)

Where personal information is used or disclosed for a purpose other than the primary purpose for which it was collected, we do so only where permitted by APP: for example, where the secondary purpose is related (or, for sensitive information, directly related) to the primary purpose and the individual would reasonably expect the use or disclosure, or where the use or disclosure is required or authorised by an Australian law. Personal information classified as sensitive information (the licensing and WHS enforcement information described in Section 2.4) is used and disclosed only for the primary purpose for which it was collected - inclusion in a TrustSignal report, and is not used for any secondary purpose without the individual's consent or another applicable APP 6 exception.

5. Who we share personal information with

5.1 Our customers

The core function of the TrustSignal platform is to disclose the content of a report (including any personal information about the report subject contained in it) to the customer who purchased the report.

By purchasing a report, a customer is contractually bound by our Terms of Use to:

  • declare a permitted purpose for the report at the time of purchase (for example, due diligence on a prospective contractor, supplier, or counterparty);
  • handle personal information contained in the report only for that declared permitted purpose;
  • handle that personal information consistently with the Australian Privacy Principles, regardless of whether the customer is independently bound by the Privacy Act;
  • not disclose, repackage, resell, or syndicate the report or its contents to any third party without TrustSignal's written consent; and
  • securely destroy or de-identify the report when it is no longer required for the declared purpose.

These contractual obligations apply equally to all customers, including small-business customers who are not themselves bound by the Privacy Act under section 6D. TrustSignal records the declared permitted purpose against each report at the point of purchase and may suspend or terminate access for misuse. TrustSignal monitors for, and investigates, indications of misuse and cooperates with the OAIC and other regulators in response to complaints.

5.2 Our service providers (sub-processors)

We engage service providers who host, transmit, or process personal information on our behalf. These service providers are contractually bound to handle personal information only on TrustSignal's instructions and in accordance with the APPs (or equivalent protections). Our categories of service provider are:

Cloud hosting and infrastructure: our cloud infrastructure provider (configured to Australian regions for personal information). The provider hosts and stores TrustSignal's systems and data; it does not use TrustSignal data for its own purposes. For overseas access by this provider in the course of support, security, and platform administration, see Section 6.

Productivity and email: our business productivity and email provider (configured to the Australian data region). The provider stores and transmits TrustSignal business email and documents; it does not use TrustSignal data for its own purposes. For overseas access by this provider in the course of support, security, and platform administration, see Section 6.

Payment processing: our payment provider (processes cardholder data; TrustSignal does not store full card numbers).

Data sources: aggregated commercial intelligence providers, commercial credit reporting providers (commercial credit only), and the regulator/register sources listed in Section 2.2. Specific current providers are named in the sub-processor list described below.

Customer support, analytics, error monitoring, and security tooling: selected providers bound by written agreements.

Each service provider is engaged under a written agreement that requires them to handle personal information in accordance with the APPs (or equivalent protections) and to notify us of any security incident affecting TrustSignal data. A current list of our sub-processors will be published on TrustSignal.com.au prior to the public launch of the platform, and is available on request to the Privacy Officer in the interim.

5.3 Legal, regulatory, and law enforcement disclosures

We may disclose personal information where it is required or authorised by Australian law, including in response to a subpoena, court or tribunal order, search warrant, statutory notice, or a lawful request from an Australian regulator or law enforcement agency. Where the law permits, we will consider notifying the affected individual. All such disclosures are reviewed and approved by the Privacy Officer and recorded in TrustSignal's internal Disclosure Register.

5.4 Professional advisors and insurers

We may disclose personal information to our external legal counsel, accountants, auditors, insurers, and insurance brokers, on a confidential basis, for the purposes of obtaining professional advice, defending or pursuing legal claims, or managing our insurance.

5.5 Business transfer

If TrustSignal is involved in a merger, acquisition, sale of assets, or corporate restructure, personal information may be disclosed to the acquirer or successor entity. Any such disclosure will be made in accordance with the APPs, and the personal information transferred will be used by the acquirer or successor only for the purposes for which it was originally collected, unless we (or the acquirer) obtain your further consent or another APP 6 exception applies. The acquirer or successor will be bound by privacy protections at least equivalent to this Policy. Affected individuals will be notified of any material change to privacy practices.

6. Overseas disclosure (APP 8)

Personal information of customers and report subjects is processed and stored within Australia by default. Our cloud infrastructure and productivity tooling are configured to Australian data regions for customer and report data. Our current providers and their Australian regions are identified in the sub-processor list described in Section 5.2.

Although our cloud and productivity providers store TrustSignal data in Australian regions, some technical support, security operations, and platform administration access from outside Australia may occur (for example, follow-the-sun support engineering, security incident response, or vendor-side platform telemetry). These accesses are governed by written agreements with the relevant provider that contain undertakings consistent with APP 8.1, and TrustSignal accepts accountability under section 16C of the Privacy Act for any acts or practices of those providers in relation to the personal information disclosed.

Auxiliary services that do not process personal information about customers or report subjects (for example, marketing blog hosting) may be operated from outside Australia.

Where an overseas disclosure of personal information is necessary, the Privacy Officer assesses the disclosure against APP 8. Before disclosing, we take reasonable steps to ensure the overseas recipient is bound by obligations substantially similar to the APPs, or rely on an APP 8.2 exception where available. A list of countries to which personal information is disclosed, if any, is maintained by the Privacy Officer and available on request.

7. How we protect personal information

7.1 Technical controls

Personal information is encrypted at rest using AES-256, managed through a cloud-provider key management service.

Personal information is encrypted in transit using TLS 1.3 (TLS 1.2 minimum during transition; TLS 1.1 and earlier are not permitted).

Access to systems holding personal information is authenticated via single sign-on with multi-factor authentication, and is restricted on a least-privilege basis.

Security logging, vulnerability scanning, and penetration testing are conducted in accordance with our Information Security Policy (TS-POL-001) and related standards.

7.2 Organisational controls

All staff and contractors receive privacy and security awareness training on onboarding and annually.

Access to personal information is limited to staff who need it for their role.

Pre-engagement background checks proportionate to role sensitivity are conducted before staff are granted access to Confidential or Restricted data.

Staff acknowledge their obligations under this Policy and the Information Security Policy.

7.3 Eligible data breaches

If TrustSignal has reasonable grounds to suspect that an eligible data breach involving personal information has occurred, we conduct an assessment expeditiously and, in any event, within 30 days unless that is not practicable, in accordance with section 26WH of the Privacy Act. If the breach is an eligible data breach, we notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable in accordance with the Privacy Act, unless an exception under section 26WN applies (for example, where notification would be inconsistent with a secrecy provision or would prejudice an enforcement-related activity). Incident response is managed under our Cyber Incident Response Plan (TS-POL-035) and our Data Breach Response Plan (TS-POL-036).

8. If a report has been compiled about you

This section is written for report subjects— natural persons whose information appears in a TrustSignal report. It applies to you regardless of whether you have ever directly interacted with TrustSignal or are a TrustSignal customer.

8.1 What we hold about you

If a report has been compiled about you, we typically hold information sourced from one or more of the third-party data sources listed in Section 2.2. The exact content depends on the report tier requested and what the underlying sources contain. It may include your name, business identifiers (ABN/ACN where you trade as a sole trader or are named in a company record), licence history, professional appointments, civil court or tribunal records naming you, civil and administrative regulator enforcement outcomes naming you, insolvency records, and - where you have been the subject of a regulatory prosecution under a State or Territory WHS Act that has been lawfully made publicly available by the WHS regulator, that outcome. We do not hold general criminal-record information (the kind that would appear on a National Police Check).

8.2 Why we collected it from a third party

Collecting this information directly from you would be unreasonable or impracticable in the circumstances set out in Section 3.2, and we therefore rely on APP 3.6. We take the APP 5 notification steps set out in Section 3.3. This Policy itself forms part of that notification.

8.3 Your right to access (APP 12)

You have the right to ask us for a copy of the personal information we hold about you, including any report generated that names you. We will respond within a reasonable period and, in any case, within 30 days after we receive your request, in accordance with APP 12.4. We may charge a reasonable cost-recovery fee for the effort of compiling and providing the information (we do not charge for making the request itself). Before acting on an access request we will ask you to provide evidence sufficient to confirm your identity, so that we do not disclose your information to someone else; time taken to verify your identity counts within the 30-day response period, and we will request verification documents as quickly as possible to avoid delay. We may decline an access request only where an exception in APP 12.3 applies; if we decline, we will explain why in writing and tell you how to complain.

8.4 Your right to correction (APP 13) - the upstream-source correction model

TrustSignal does not create the underlying records that appear in reports. We aggregate and republish records produced by third parties: aggregated commercial intelligence providers, commercial credit reporting providers, Australian courts and tribunals, regulators, and other authoritative sources listed in Section 2.2. The source holds the authoritative record; TrustSignal holds a cached replication.

If you believe any personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, contact the Privacy Officer (Section 14) and we will:

Tell you the source. We will identify which upstream source the record came from, and provide you with the source's contact details so you can make a correction request directly with them. For most report content this will be our commercial intelligence provider, our commercial credit reporting provider, or the originating court, tribunal, or regulator. Our current providers are identified in the sub-processor list referenced in Section 5.2.

Refresh our copy when the source updates. Once the upstream source has amended its record, our next data refresh will carry that correction through to the TrustSignal platform. Where you ask us to do so and we are able to verify the corrected upstream record, we will expedite an out-of-cycle refresh of the affected report.

Associate a statement of disagreement (APP 13.4). If you ask us to, and whether or not we ourselves correct, we will take reasonable steps to associate a statement of your disagreement with the information we hold, so that anyone subsequently viewing the information is made aware of your position.

Correct our own records. Where the information we hold was created by TrustSignal (rather than replicated from an upstream source), we will assess the request under APP 13 and correct the record if we are satisfied it is inaccurate, out of date, incomplete, irrelevant, or misleading.

Escalate to the upstream source where appropriate. If, in handling your correction request, we identify that the upstream record itself appears to be inaccurate, out of date, incomplete, irrelevant, or misleading, we will (with your consent) raise the issue with the upstream source on your behalf in support of your direct correction request.

Respond within 30 days. If we decline to correct, we will give you written reasons, tell you how to have a statement of disagreement associated with the information under point 3, and tell you how to complain.

8.5 How to contact us about a report

If you believe a report has been compiled about you and you wish to exercise your access, correction, or complaint rights, contact the Privacy Officer using the details in Section 14. We may ask you to verify your identity before acting on a request so that we do not disclose your information to someone else.

9. Anonymity and pseudonymity (APP 2)

Where it is lawful and practicable, you can deal with TrustSignal anonymously or using a pseudonym - for example, when making a general enquiry. It is not practicable to deal with us anonymously when you are purchasing a report, receiving an account, or exercising access or correction rights, because we need to confirm your identity in order to act on your request without risking disclosure of your information to someone else.

10. How long we keep personal information

We keep personal information only for as long as we need it for the purposes set out in this Policy, or as required or authorised by Australian law. When we no longer need personal information for a lawful purpose, we destroy it or de-identify it in accordance with APP 11.2.

Retention periods are set out in our Data Retention Policy (TS-POL-005). Indicative periods include:

Customer account and transaction data: for the life of the customer relationship plus 7 years, reflecting the longest applicable statutory record-keeping obligation (financial and corporate records under section 286 of the Corporations Act 2001 (Cth) - 7 years; tax records under the Income Tax Assessment Act 1997 / Taxation Administration Act 1953 - 5 years; consumer-law limitation periods - 6 years).

Report data (including personal information about report subjects): retained for the period required by TS-POL-005 (Data Retention Policy) - by default, 12 months from the date the report is generated, after which the report and the personal information it contains are de-identified or destroyed in accordance with APP 11.2. Retention may be extended only where (i) an active dispute, complaint, claim, or regulatory enquiry concerns the report, or (ii) Australian law or a court or tribunal order requires longer retention. Where an upstream data provider imposes a shorter retention or mandatory destruction requirement on data sourced from them, that shorter period prevails for our cached copy.

Support communications: 2 years.

Marketing records: until consent is withdrawn, plus 3 years for evidence of consent.

Website and platform logs: 12 months for general logs; longer where required for security monitoring.

11. Cookies and tracking

TrustSignal.com.au uses cookies and similar technologies:

  • Strictly necessary cookies— required for the site to function (authentication, session management, security). These are loaded by default and are not subject to consent.
  • Preference cookies— remember your choices (for example, display settings). Loaded only after you have given consent via our cookie banner.
  • Analytics cookies— help us understand how visitors use the site, so we can improve it. These cookies may collect IP addresses and persistent identifiers, which the OAIC treats as personal information. Analytics cookies are loaded only after you have given consent via our cookie banner. You may withdraw consent at any time by clicking "Cookie preferences" in the site footer, or manage cookies through your browser settings.

We use third-party analytics providers listed in our sub-processor list; you can also opt out of specific providers via their published opt-out mechanisms. Disabling strictly necessary cookies through your browser settings will prevent parts of the site from working.

12. Children

The TrustSignal platform is not directed at, and is not intended to be used by, children under 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information to us, contact the Privacy Officer and we will take appropriate steps to delete it. If the Children's Online Privacy Code contemplated by the Privacy and Other Legislation Amendment Act 2024 is registered and applies to TrustSignal, we will comply with it in addition to the commitments in this section.

13. Changes to this Privacy Policy

We review this Policy at least annually and whenever there is a material change to our practices or to applicable law. Material changes will be communicated by:

  • updating the version and effective date at the top of this Policy;
  • publishing a notice on TrustSignal.com.au (our primary channel for report subjects, who do not have a direct account relationship with us); and
  • notifying customers by email where the change materially affects their rights.

Changes are effective from the date published and are not applied retrospectively.

14. Contact and complaints

14.1 Contact

The Privacy Officer is TrustSignal's designated contact for privacy matters:

Privacy Officer: Angus Luffman

Email: privacy@trustsignal.com.au

Post: Privacy Officer, Exodite Pty Ltd, [INSERT ADDRESS]

Web form: privacy.trustsignal.com.au/request

14.2 Complaints

If you believe TrustSignal has breached the Privacy Act or this Policy, please contact the Privacy Officer first. We will:

  • Acknowledge your complaint within 5 business days.
  • Investigate and respond substantively within 30 days.
  • If we cannot resolve your complaint within 30 days, tell you why and give you a revised timeframe.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au

Phone: 1300 363 992

15. Your rights under the Privacy Act — summary

Subject to applicable exceptions, you may:

  • Accessthe personal information we hold about you (APP 12) — see Section 8.3.
  • Correctinaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13) — see Section 8.4.
  • Have a statement of disagreement associatedwith information we decline to correct (APP 13.4) — see Section 8.4.
  • Opt out of direct marketing at any time (APP 7).
  • Ask us the source of personal information used for a marketing communication (APP 7.3).
  • Deal anonymously or pseudonymouslywhere practicable (APP 2) — see Section 9.
  • Complainif you believe we have handled your personal information in breach of the Privacy Act — see Section 14.2.

Requests are free of charge (other than the cost-recovery fee that may apply to access requests as set out in Section 8.3) and are actioned within 30 days of receipt.