Version 3.0 - Last updated: 26 March 2026

1. Introduction

Precision CAD Australia (ABN 61 451 007 505), trading as RTOFlow ("we", "us", "our"), is committed to protecting the privacy of individuals who use our platform. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

This Policy also addresses our obligations in relation to the use of artificial intelligence in content generation, consistent with the Australian Government's Voluntary AI Safety Standard (2024) and emerging regulatory expectations from the Privacy Act Review reform process.

By accessing or using RTOFlow, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the platform.

2. What Personal Information We Collect

2.1 Account Information

Full name
Email address
Organisation name and details
Role within the organisation
Password (stored in hashed form only)

2.2 Usage and Activity Data

Login timestamps and session duration
Features accessed and actions performed
Content generation requests and parameters
Document uploads and downloads
Search queries within the platform

2.3 Technical Data

IP address
Browser type and version
Operating system
Device identifiers
Referring URLs

2.4 Payment Information

Billing name and address
Payment card details (processed and stored by Stripe; we do not store full card numbers)
Transaction history
Invoice records

2.5 Newsletter and Lead Magnet Data

When you sign up for our newsletter or download free resources (lead magnets), we collect:

Name
Email address
Source page URL (the page you signed up from)
IP address (for rate limiting and fraud prevention)

Newsletter subscriptions use a double opt-in process: after submitting your email, you must confirm your subscription via a link sent to your email address. We will only send you marketing communications after you have confirmed your subscription. You may unsubscribe at any time using the unsubscribe link included in every email. We send a weekly VET industry digest to confirmed subscribers.

2.6 Student and Learner Data

If your Organisation uses our contextualization features, we may process the following learner data on your Organisation's behalf:

Student names (first name, last name)
Email addresses and phone numbers
Date of birth
Apprenticeship numbers
Language, Literacy, and Numeracy (LLN) assessment levels (reading, writing, oral communication, numeracy, digital)
LLN support notes
Learning styles and learning goals
Employer name, job title, primary tasks, equipment and processes, shift patterns
Supervisor name and contact details
Prior qualifications and experience summaries

Important - Sensitive Information (APP 3): LLN assessment data may reveal information about a learner's cognitive abilities or learning disabilities, which the Privacy Act classifies as sensitive information. Sensitive information attracts stricter consent requirements under APP 3. Your Organisation is responsible for obtaining explicit, informed consent from learners before uploading sensitive information to the Platform.

2.7 Content Data

Training and assessment materials created using the platform
Documents uploaded for compliance checking or AI processing
Notes, comments, and feedback submitted within the platform

2.8 Communication Data

Support requests and correspondence
Feedback and survey responses
In-app chat and help interactions

2.9 Signature Data

Digital signatures captured within the platform (e.g., user profile signatures)

2.10 Analytics and Tracking Data

Page view history (path, referrer, session ID) - collected for internal analytics
Third-party analytics data collected on public pages (when configured) via Google Analytics 4, Google Ads conversion tracking, Bing UET, and Meta/Facebook Pixel - see Section 6 for details

Important: Third-party analytics and advertising tracking (GA4, Google Ads, Bing UET, Meta Pixel) is used only on public-facing marketing pages (such as the homepage, pricing page, and landing pages). These services are not used within the authenticated application where customer and learner data is processed.

3. How We Collect Personal Information

We collect personal information through:

Direct collection: When you create an account, update your profile, submit forms, upload documents, or contact us.
Automated collection: Through cookies, server logs, internal analytics tools, and - on public pages where configured - third-party analytics and advertising services (see Section 6) when you use the platform.
Third-party sources: From training.gov.au (publicly available training package data), payment processors (transaction confirmations), and OAuth authentication providers (Google, Microsoft, or Replit - when you choose to sign in with these services, we receive your name, email address, and profile photo as authorised by you during the login flow).

Where practicable, we collect personal information directly from you. If we receive personal information about you from a third party, we will take reasonable steps to ensure you are made aware of this Policy.

4. How We Use Personal Information

We use personal information for the following purposes:

Purpose	APP Reference
Providing and maintaining the RTOFlow platform	APP 6.1 - primary purpose
Processing payments and managing subscriptions	APP 6.1 - primary purpose
Generating training and assessment content using AI	APP 6.1 - primary purpose
Personalising content for specific learners (contextualization)	APP 6.1 - primary purpose
Performing compliance checks against training packages	APP 6.1 - primary purpose
Providing customer support and responding to enquiries	APP 6.1 - primary purpose
Sending service-related communications (outage notices, feature updates)	APP 6.1 - related secondary purpose
Improving platform features and performance	APP 6.2(a) - related secondary purpose
Detecting and preventing fraud or security incidents	APP 6.2(a) - related secondary purpose
Complying with legal obligations	APP 6.2(b) - required by law
Generating anonymised and aggregated analytics	APP 6.1 - de-identified data
Sending newsletter and weekly VET industry digest (double opt-in required)	APP 7.1 - express consent
Providing gated downloadable resources (lead magnets) after email confirmation	APP 7.1 - express consent

We do not use personal information for direct marketing without your express consent. Newsletter subscribers must complete a double opt-in process before receiving marketing communications, and may unsubscribe at any time via the link in each email.

5. Third-Party Processors

We share personal information with the following categories of third-party service providers, each of which is bound by contractual obligations to protect your data:

Provider	Purpose	Data Shared	Location
OpenAI	AI content generation	Document content, prompts, and - when the contextualization feature is used - student names, LLN levels, employer details, and workplace context	United States
Anthropic	AI content generation	Document content, prompts, and - when the contextualization feature is used - student names, LLN levels, employer details, and workplace context	United States
Google (Gemini)	AI content generation and document OCR	Document content, prompts, uploaded document images, and - when the contextualization feature is used - student names, LLN levels, employer details, and workplace context	United States
DeepSeek	AI content generation	Document content, prompts, and - when the contextualization feature is used - student names, LLN levels, employer details, and workplace context	Singapore / China
xAI (Grok)	AI content generation	Document content, prompts, and - when the contextualization feature is used - student names, LLN levels, employer details, and workplace context	United States
Perplexity	AI-powered research and packaging rule verification	Training package identifiers, unit codes, industry context (no personal data)	United States
Replicate	Image processing (upscaling and background removal)	Uploaded images for processing (no personal data)	United States
Amazon Web Services (AWS)	Cloud hosting, storage, backups	All platform data	Australia (ap-southeast-2) where available; United States for some services
Stripe	Payment processing	Billing name, email, payment card details, transaction amounts	United States
Resend	Transactional email delivery	Email address, name, email content	United States
Google	OAuth authentication (optional)	Email address, name, profile photo (as authorised by user during login)	United States
Microsoft	OAuth authentication (optional)	Email address, name (as authorised by user during login)	United States
Replit	OAuth authentication (optional)	Email address, name, profile photo (as authorised by user during login)	United States
training.gov.au	Training package data source	No personal data sent (public data retrieved)	Australia
Google Analytics 4	Public page analytics (when configured)	Anonymised page views, traffic sources, device info	United States
Google Ads	Advertising conversion tracking (when configured)	Conversion events, click identifiers	United States
Microsoft Advertising (Bing UET)	Advertising conversion tracking (when configured)	Page views, conversion events, click identifiers	United States
Meta/Facebook Pixel	Advertising conversion tracking (when configured)	Page views, conversion events, click identifiers	United States

We do not sell personal information to any third party.

6. Cookies and Tracking Technologies

6.1 Essential Cookies

Cookie / Technology	Purpose	Duration	Scope
Session cookie	Authentication and session management	7 days	Authenticated app
CSRF token	Security - prevents cross-site request forgery	Session (per-request)	Authenticated app
Preferences cookie	Stores user interface preferences	12 months	Authenticated app
Consent preference cookie (`rtoflow_consent`)	Records your analytics & advertising consent choice so the banner is not shown again and gates injection of GA4, Bing UET, Meta Pixel, and Microsoft Clarity. Stores one of `all`, `analytics:on`, `analytics:off`, or `essential`.	12 months	Public pages only
Google Analytics 4 (GA4)	Website analytics - page views, traffic sources, user engagement	Up to 14 months	Public pages only
Google Ads (gclid)	Advertising conversion tracking	90 days	Public pages only
Microsoft Bing UET	Advertising conversion tracking - page views, conversions	13 months	Public pages only
Meta Pixel (Facebook)	Advertising conversion tracking - page views, conversions	90 days	Public pages only

6.2 Third-Party Analytics and Advertising on Public Pages

On our public-facing pages (marketing site, landing pages), we may use the following third-party analytics and advertising technologies. These services are only active when their respective environment variables are configured, and they are not present on authenticated application pages.

Service	Provider	Purpose	Type	Data Collected
Google Analytics 4 (GA4)	Google LLC	Website measurement and audience analytics	Analytics	Page views, session duration, traffic sources, device information, anonymised IP address
Google Ads Conversion Tracking	Google LLC	Measuring advertising campaign effectiveness	Advertising	Conversion events (e.g., sign-up), click identifiers
Bing UET (Universal Event Tracking)	Microsoft Corporation	Measuring advertising campaign effectiveness on Microsoft Advertising	Advertising	Page views, conversion events, click identifiers
Meta/Facebook Pixel	Meta Platforms, Inc.	Measuring advertising campaign effectiveness on Meta platforms	Advertising	Page views, conversion events, click identifiers

These services may set their own cookies and collect data in accordance with their respective privacy policies. You can opt out of personalised advertising through your browser settings, the Digital Advertising Alliance opt-out page, or the respective platform settings (Google Ad Settings, Facebook Ad Preferences, Microsoft Privacy Dashboard).

6.3 Managing Cookies

On our public pages we also display an in-app cookie banner the first time you visit. You can Accept all analytics cookies, Reject non-essential cookies, or open Manage to choose individual categories. Your choice is recorded in the rtoflow_consent cookie listed in Section 6.1, and we re-render the page with trackers either enabled or fully suppressed accordingly. You can change your mind at any time by clearing that cookie in your browser.

You can configure your browser to refuse cookies. However, disabling session cookies will prevent you from using the platform, as they are essential for authentication. Disabling third-party cookies may prevent analytics and advertising tracking on public pages but will not affect platform functionality.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Data Type	Retention Period
User account data	Duration of account plus 12 months after deletion request
Generated content and documents	Duration of subscription plus 30 days after cancellation
Student and learner data	Duration of subscription plus 30 days after cancellation
Audit and activity logs	24 months
Payment and billing records	7 years (Australian tax law requirements)
Backups	7 daily, 4 weekly, 12 monthly (Grandfather-Father-Son rotation)
Support correspondence	24 months after resolution
Server and access logs	90 days

After the applicable retention period, personal information is securely deleted or de-identified.

8. Data Security

We implement reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, including:

Encryption at rest: AES-256 encryption for stored data
Encryption in transit: TLS 1.2 or higher for all data transmission
Access controls: Role-based access with least-privilege principles
Authentication: Hashed passwords with industry-standard algorithms
Tenant isolation: Full per-organisation data separation
Backup integrity: Automated backup verification on each cycle
Monitoring: Automated health and security monitoring
Incident response: Documented incident response procedures

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

9. Your Rights

Under the Australian Privacy Principles, you have the following rights:

9.1 Access (APP 12)

You may request access to the personal information we hold about you. We will respond to your request within 30 days. Access may be refused in limited circumstances permitted by law, and we will provide reasons for any refusal.

9.2 Correction (APP 13)

You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days.

9.3 Deletion

Although not explicitly required by the APPs, we honour reasonable deletion requests. Upon receiving a verified deletion request:

Your account and profile data will be deleted within 30 days.
Content you generated will be deleted or de-identified within 30 days.
Data retained in backups will be purged as backups rotate (up to 12 months).
Records required by law (e.g., payment records) will be retained for the legally mandated period.

9.4 Data Portability

You may request an export of your data in a commonly used, machine-readable format. Exports are available for user-generated content and account data.

9.5 Complaint (APP 1)

If you believe we have breached the APPs, you may lodge a complaint with us (see Section 17). If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10. Student and Learner Data - Controller and Processor Roles

10.1 Your Organisation as Controller

Where your Organisation uploads or enters student and learner personal information into the Platform (including for contextualization, cohort management, or RPL assessment), your Organisation is the data controller for that information. RTOFlow processes this data solely on your Organisation's behalf and in accordance with your instructions.

10.2 RTOFlow as Processor

RTOFlow acts as a data processor for student and learner personal information. We process this data only to provide the Platform services, and we do not use learner data for any independent purpose.

10.3 Your Obligations

Your Organisation is responsible for:

Obtaining all necessary consents from students and learners before uploading their personal information to the Platform, including explicit consent for sensitive information (APP 3)
Informing students that their data may be processed by AI providers located overseas (see Section 11) as part of the contextualization feature
Ensuring that student data uploaded to the Platform is accurate and up to date
Complying with all applicable privacy laws in relation to the learner data you control

10.4 AI Processing of Student Data

Important: When the contextualization feature is used, student personal information - including names, LLN levels, employer details, and workplace context - is sent to third-party AI providers (see Section 5) for the purpose of personalising training and assessment content. This data is sent via encrypted connections and AI providers are contractually prohibited from retaining or using this data for model training. Your Organisation must ensure learners are informed that their data will be processed in this manner.

11. AI Data Handling and Governance

11.1 How AI-Generated Content Is Produced

RTOFlow uses multiple third-party large language model (LLM) providers to generate training and assessment content. When you initiate a content generation request:

The Platform constructs a prompt containing training package requirements, organisational context, and - where the contextualization feature is used - relevant learner data.
The prompt is sent to one or more AI providers via encrypted API connections (TLS 1.2+).
The AI provider processes the prompt and returns generated text.
RTOFlow stores the generated content in its own infrastructure; AI providers do not retain the content after processing.

11.2 AI Provider Data Handling

We use AI providers under enterprise or API agreements that include the following protections:

No model training: Customer data sent to AI providers is not used for training, fine-tuning, or improving their models.
No data retention: AI providers process data transiently and do not retain input prompts or output content beyond the processing window (typically seconds to minutes).
Data minimisation: We minimise the personal information included in prompts. Where possible, we use de-identified or pseudonymised data.

12. Children's Privacy

RTOFlow is a business-to-business platform designed for professional use by organisations. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

13. Cross-Border Data Transfers

Some of our third-party service providers are located outside Australia (see Section 5). Before disclosing personal information overseas, we take reasonable steps in accordance with APP 8 to ensure that overseas recipients do not breach the APPs. This includes entering into contractual arrangements requiring overseas processors to handle personal information in accordance with standards substantially similar to the APPs.

Countries to which personal information may be transferred: United States (OpenAI, Anthropic, xAI, Google, Microsoft, Replit, Perplexity, Replicate, Stripe, Resend, AWS, Meta) and Singapore / China (DeepSeek).

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The current version of the Privacy Policy is always available at https://rtoflow.au/privacy.

15. Do Not Track Signals

RTOFlow does not track users across third-party websites and does not respond to Do Not Track (DNT) browser signals. Third-party analytics and advertising services on public pages (see Section 6) are managed by their respective providers; you can opt out through their platform settings or your browser's cookie controls.

16. Third-Party Links

The Platform may contain links to third-party websites (e.g., training.gov.au, payment processors). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing personal information.

17. Contact and Complaints

For privacy enquiries, data access or correction requests, or to lodge a privacy complaint, please contact:

Privacy Officer
Precision CAD Australia
Trading as RTOFlow

Email: privacy@rtoflow.au
Support: support@rtoflow.au
Website: https://rtoflow.au

We will acknowledge your complaint within 5 Business Days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au
Phone: 1300 363 992