Privacy Policy
Precision CAD Australia (ABN 61 451 007 505), trading as RTOFlow
Version 2.0 — Last updated: 18 March 2026
1. Introduction
Precision CAD Australia (ABN 61 451 007 505), trading as RTOFlow ("we", "us", "our"), is committed to protecting the privacy of individuals who use our platform. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.
This Policy also addresses our obligations in relation to the use of artificial intelligence in content generation, consistent with the Australian Government's Voluntary AI Safety Standard (2024) and emerging regulatory expectations from the Privacy Act Review reform process.
By accessing or using RTOFlow, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the platform.
2. What Personal Information We Collect
2.1 Account Information
- Full name
- Email address
- Organisation name and details
- Role within the organisation
- Password (stored in hashed form only)
2.2 Usage and Activity Data
- Login timestamps and session duration
- Features accessed and actions performed
- Content generation requests and parameters
- Document uploads and downloads
- Search queries within the platform
2.3 Technical Data
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Referring URLs
2.4 Payment Information
- Billing name and address
- Payment card details (processed and stored by Stripe; we do not store full card numbers)
- Transaction history
- Invoice records
2.5 Newsletter and Lead Magnet Data
When you sign up for our newsletter or download free resources (lead magnets), we collect:
- Name
- Email address
- Source page URL (the page you signed up from)
- IP address (for rate limiting and fraud prevention)
Newsletter subscriptions use a double opt-in process: after submitting your email, you must confirm your subscription via a link sent to your email address. We will only send you marketing communications after you have confirmed your subscription. You may unsubscribe at any time using the unsubscribe link included in every email. We send a weekly VET industry digest to confirmed subscribers.
2.6 Student and Learner Data
If your Organisation uses our contextualization features, we may process the following learner data on your Organisation's behalf:
- Student names (first name, last name)
- Email addresses and phone numbers
- Date of birth
- Apprenticeship numbers
- Language, Literacy, and Numeracy (LLN) assessment levels (reading, writing, oral communication, numeracy, digital)
- LLN support notes
- Learning styles and learning goals
- Employer name, job title, primary tasks, equipment and processes, shift patterns
- Supervisor name and contact details
- Prior qualifications and experience summaries
Important — Sensitive Information (APP 3): LLN assessment data may reveal information about a learner's cognitive abilities or learning disabilities, which the Privacy Act classifies as sensitive information. Sensitive information attracts stricter consent requirements under APP 3. Your Organisation is responsible for obtaining explicit, informed consent from learners before uploading sensitive information to the Platform.
2.7 Content Data
- Training and assessment materials created using the platform
- Documents uploaded for compliance checking or AI processing
- Notes, comments, and feedback submitted within the platform
2.8 Communication Data
- Support requests and correspondence
- Feedback and survey responses
- In-app chat and help interactions
2.9 Signature Data
- Digital signatures captured within the platform (e.g., user profile signatures)
2.10 Internal Analytics Data
- Page view history (path, referrer, session ID) — collected for internal analytics only; no third-party analytics services are used
3. How We Collect Personal Information
We collect personal information through:
- Direct collection: When you create an account, update your profile, submit forms, upload documents, or contact us.
- Automated collection: Through cookies, server logs, and internal analytics tools when you use the platform.
- Third-party sources: From training.gov.au (publicly available training package data), payment processors (transaction confirmations), and OAuth authentication providers (Google, Microsoft, or Replit — when you choose to sign in with these services, we receive your name, email address, and profile photo as authorised by you during the login flow).
Where practicable, we collect personal information directly from you. If we receive personal information about you from a third party, we will take reasonable steps to ensure you are made aware of this Policy.
4. How We Use Personal Information
We use personal information for the following purposes:
| Purpose | APP Reference |
|---|---|
| Providing and maintaining the RTOFlow platform | APP 6.1 — primary purpose |
| Processing payments and managing subscriptions | APP 6.1 — primary purpose |
| Generating training and assessment content using AI | APP 6.1 — primary purpose |
| Personalising content for specific learners (contextualization) | APP 6.1 — primary purpose |
| Performing compliance checks against training packages | APP 6.1 — primary purpose |
| Providing customer support and responding to enquiries | APP 6.1 — primary purpose |
| Sending service-related communications (outage notices, feature updates) | APP 6.1 — related secondary purpose |
| Improving platform features and performance | APP 6.2(a) — related secondary purpose |
| Detecting and preventing fraud or security incidents | APP 6.2(a) — related secondary purpose |
| Complying with legal obligations | APP 6.2(b) — required by law |
| Generating anonymised and aggregated analytics | APP 6.1 — de-identified data |
| Sending newsletter and weekly VET industry digest (double opt-in required) | APP 7.1 — express consent |
| Providing gated downloadable resources (lead magnets) after email confirmation | APP 7.1 — express consent |
We do not use personal information for direct marketing without your express consent. Newsletter subscribers must complete a double opt-in process before receiving marketing communications, and may unsubscribe at any time via the link in each email.
5. Third-Party Processors
We share personal information with the following categories of third-party service providers, each of which is bound by contractual obligations to protect your data:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI content generation | Document content, prompts, and — when the contextualization feature is used — student names, LLN levels, employer details, and workplace context | United States |
| Anthropic | AI content generation | Document content, prompts, and — when the contextualization feature is used — student names, LLN levels, employer details, and workplace context | United States |
| Google (Gemini) | AI content generation and document OCR | Document content, prompts, uploaded document images, and — when the contextualization feature is used — student names, LLN levels, employer details, and workplace context | United States |
| DeepSeek | AI content generation | Document content, prompts, and — when the contextualization feature is used — student names, LLN levels, employer details, and workplace context | Singapore / China |
| xAI (Grok) | AI content generation | Document content, prompts, and — when the contextualization feature is used — student names, LLN levels, employer details, and workplace context | United States |
| Perplexity | AI-powered research and packaging rule verification | Training package identifiers, unit codes, industry context (no personal data) | United States |
| Replicate | Image processing (upscaling and background removal) | Uploaded images for processing (no personal data) | United States |
| Amazon Web Services (AWS) | Cloud hosting, storage, backups | All platform data | Australia (ap-southeast-2) where available; United States for some services |
| Stripe | Payment processing | Billing name, email, payment card details, transaction amounts | United States |
| Resend | Transactional email delivery | Email address, name, email content | United States |
| Google | OAuth authentication (optional) | Email address, name, profile photo (as authorised by user during login) | United States |
| Microsoft | OAuth authentication (optional) | Email address, name (as authorised by user during login) | United States |
| Replit | OAuth authentication (optional) | Email address, name, profile photo (as authorised by user during login) | United States |
| training.gov.au | Training package data source | No personal data sent (public data retrieved) | Australia |
We do not sell personal information to any third party.
6. Cookies and Tracking Technologies
6.1 What We Use
| Cookie / Technology | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication and session management | 7 days |
| CSRF token | Security — prevents cross-site request forgery | Session (per-request) |
| Preferences cookie | Stores user interface preferences | 12 months |
6.2 What We Do Not Use
We do not use third-party advertising cookies, social media tracking pixels, behavioural targeting technologies, or third-party analytics services (such as Google Analytics). All analytics are collected internally.
6.3 Managing Cookies
You can configure your browser to refuse cookies. However, disabling session cookies will prevent you from using the platform, as they are essential for authentication.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| User account data | Duration of account plus 12 months after deletion request |
| Generated content and documents | Duration of subscription plus 30 days after cancellation |
| Student and learner data | Duration of subscription plus 30 days after cancellation |
| Audit and activity logs | 24 months |
| Payment and billing records | 7 years (Australian tax law requirements) |
| Backups | 7 daily, 4 weekly, 12 monthly (Grandfather-Father-Son rotation) |
| Support correspondence | 24 months after resolution |
| Server and access logs | 90 days |
After the applicable retention period, personal information is securely deleted or de-identified.
8. Data Security
We implement reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, including:
- Encryption at rest: AES-256 encryption for stored data
- Encryption in transit: TLS 1.2 or higher for all data transmission
- Access controls: Role-based access with least-privilege principles
- Authentication: Hashed passwords with industry-standard algorithms
- Tenant isolation: Full per-organisation data separation
- Backup integrity: Automated backup verification on each cycle
- Monitoring: Automated health and security monitoring
- Incident response: Documented incident response procedures
No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
9. Your Rights
Under the Australian Privacy Principles, you have the following rights:
9.1 Access (APP 12)
You may request access to the personal information we hold about you. We will respond to your request within 30 days. Access may be refused in limited circumstances permitted by law, and we will provide reasons for any refusal.
9.2 Correction (APP 13)
You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days.
9.3 Deletion
Although not explicitly required by the APPs, we honour reasonable deletion requests. Upon receiving a verified deletion request:
- Your account and profile data will be deleted within 30 days.
- Content you generated will be deleted or de-identified within 30 days.
- Data retained in backups will be purged as backups rotate (up to 12 months).
- Records required by law (e.g., payment records) will be retained for the legally mandated period.
9.4 Data Portability
You may request an export of your data in a commonly used, machine-readable format. Exports are available for user-generated content and account data.
9.5 Complaint (APP 1)
If you believe we have breached the APPs, you may lodge a complaint with us (see Section 17). If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
10. Student and Learner Data — Controller and Processor Roles
10.1 Your Organisation as Controller
Where your Organisation uploads or enters student and learner personal information into the Platform (including for contextualization, cohort management, or RPL assessment), your Organisation is the data controller for that information. RTOFlow processes this data solely on your Organisation's behalf and in accordance with your instructions.
10.2 RTOFlow as Processor
RTOFlow acts as a data processor for student and learner personal information. We process this data only to provide the Platform services, and we do not use learner data for any independent purpose.
10.3 Your Obligations
Your Organisation is responsible for:
- Obtaining all necessary consents from students and learners before uploading their personal information to the Platform, including explicit consent for sensitive information (APP 3)
- Informing students that their data may be processed by AI providers located overseas (see Section 11) as part of the contextualization feature
- Ensuring that student data uploaded to the Platform is accurate and up to date
- Complying with all applicable privacy laws in relation to the learner data you control
10.4 AI Processing of Student Data
Important: When the contextualization feature is used, student personal information — including names, LLN levels, employer details, and workplace context — is sent to third-party AI providers (see Section 5) for the purpose of personalising training and assessment content. This data is sent via encrypted connections and AI providers are contractually prohibited from retaining or using this data for model training. Your Organisation must ensure learners are informed that their data will be processed in this manner.
11. AI Data Handling and Governance
11.1 How AI-Generated Content Is Produced
RTOFlow uses multiple third-party large language model (LLM) providers to generate training and assessment content. When you initiate a content generation request:
- The Platform constructs a prompt containing training package requirements, organisational context, and — where the contextualization feature is used — relevant learner data.
- The prompt is sent to one or more AI providers via encrypted API connections (TLS 1.2+).
- The AI provider processes the prompt and returns generated text.
- RTOFlow stores the generated content in its own infrastructure; AI providers do not retain the content after processing.
11.2 AI Provider Data Handling
We use AI providers under enterprise or API agreements that include the following protections:
- No model training: Customer data sent to AI providers is not used for training, fine-tuning, or improving their models.
- No data retention: AI providers process data transiently and do not retain input prompts or output content beyond the processing window (typically seconds to minutes).
- Data minimisation: We minimise the personal information included in prompts. Where possible, we use de-identified or pseudonymised data.
12. Children's Privacy
RTOFlow is a business-to-business platform designed for professional use by organisations. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.
13. Cross-Border Data Transfers
Some of our third-party service providers are located outside Australia (see Section 5). Before disclosing personal information overseas, we take reasonable steps in accordance with APP 8 to ensure that overseas recipients do not breach the APPs. This includes entering into contractual arrangements requiring overseas processors to handle personal information in accordance with standards substantially similar to the APPs.
Countries to which personal information may be transferred: United States (OpenAI, Anthropic, xAI, Google, Microsoft, Replit, Perplexity, Replicate, Stripe, Resend, AWS) and Singapore / China (DeepSeek).
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The current version of the Privacy Policy is always available at https://rtoflow.au/privacy.
15. Do Not Track Signals
RTOFlow does not track users across third-party websites and does not respond to Do Not Track (DNT) browser signals. We do not use third-party advertising or behavioural tracking technologies.
16. Third-Party Links
The Platform may contain links to third-party websites (e.g., training.gov.au, payment processors). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing personal information.
17. Contact and Complaints
For privacy enquiries, data access or correction requests, or to lodge a privacy complaint, please contact:
Privacy Officer
Precision CAD Australia
Trading as RTOFlow
- Email: privacy@rtoflow.au
- Support: support@rtoflow.au
- Website: https://rtoflow.au
We will acknowledge your complaint within 5 Business Days and provide a substantive response within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992