Merge Insights Privacy, Data Retention & Cyber Security Policy

Effective Date: 07 January 2023
Last Updated: 24 September 2025

1. Commitment to Privacy

Merge Insights values the trust our clients place in us. We are committed to protecting all personal, business, and operational data through robust technical, physical, and administrative safeguards.

This Policy outlines how we collect, use, store, and protect personal information, and explains:
• What data we collect and why
• How we use and share it
• How we keep it secure
• Your rights under the Australian Privacy Act 1988 and Australian Privacy Principles (APPs)

All client data is handled with strict confidentiality due to the sensitive nature of workforce-safety, risk, and performance data we process. All Merge Insights personnel undergo full police checks and comply with strict confidentiality and cyber-security procedures.


2. Collection of Personal and Operational Information

We collect information when you:
• Register, subscribe, or interact with Merge Insights services or dashboards
• Complete forms or communicate with our team by phone, email, or online chat
• Access platform modules for workforce safety, performance, or compliance
• Generate safety, duress, check-in/out, or analytics data through our systems

This may include:
• Name, contact and organisation details
• Workforce or operational data (e.g. check-ins, site activity, audit logs)
• Device identifiers, GPS or geolocation information
• System usage and access history

3. Cookies and Website Analytics

Our website uses cookies and analytics tools to enhance functionality, improve user experience, and maintain secure sessions.

Types of cookies we use:
• Essential Cookies – enable secure login and service access.
• Analytical Cookies – monitor navigation patterns and usage for optimisation.
• Functional Cookies – remember preferences (language, region, role-based dashboards).

You can disable cookies in your browser, but doing so may limit site functionality.


4. Use and Disclosure of Information

Merge Insights uses personal and operational data to:
• Deliver, support, and improve platform services
• Provide user support and incident response
• Fulfil contractual, compliance, and legal obligations
• Enable emergency escalation, risk notifications, and automated reporting

We never sell or trade data.
Information may be disclosed only to:
• Authorised monitoring or emergency-management centres
• First responders during critical incidents
• Approved third-party providers bound by confidentiality and data-security agreements


5. Marketing and Communications

We will not use personal information for direct marketing without your explicit consent.
All marketing communications are opt-in only, with an easy, no-cost opt-out mechanism at any time.


6. Anonymity and Pseudonymity

Where practical and lawful, you may engage with Merge Insights anonymously or under a pseudonym—such as when submitting general feedback or non-monitored queries.
However, anonymity is not possible for monitored, safety-critical, or compliance-required functions (e.g. duress activations or workforce verification).


7. Data Retention Policy

We retain information only for as long as required for operational, legal, or safety obligations:
• Incident, audit, and safety records – 7 years
• General enquiries and marketing contacts – 2 years or until consent withdrawn
• Employee and contractor records – as required under employment and tax law

Data that is no longer needed is securely deleted, anonymised, or destroyed following annual compliance review.


8. Cyber Security and Data Protection

Merge Insights employs multi-layered cyber-defence measures to protect data integrity, confidentiality, and availability, including:
• Multi-Factor Authentication (MFA) and modern identity protection
• Encryption — data at rest and in transit
• Data Loss Prevention (DLP) controls to prevent unauthorised sharing
• Role-Based Access Control (RBAC) enforcing least-privilege permissions
• Microsoft 365 Purview monitoring and continuous threat assessment
• Security audits aligned with ISO 27001 (Information Security) and ISO 9001 (Quality Management)
• Defined Incident Response Plan for suspected or confirmed data breaches

In the event of a notifiable data breach, affected parties and the Office of the Australian Information Commissioner (OAIC) will be notified in accordance with the Notifiable Data Breaches Scheme.


9. Cross-Border Data Storage and Processing

If data is hosted or processed outside Australia, Merge Insights ensures equivalent or stronger safeguards through contractual and technical controls, ensuring compliance with the APPs and ISO 27001.


10. Access and Correction Rights

You have the right to access the personal information we hold about you and to request corrections if any data is inaccurate or incomplete.
Requests are managed promptly in line with the Australian Privacy Act 1988 and APP Guidelines.


11. Privacy Complaints and Resolution

If you believe Merge Insights has breached your privacy rights, please contact us in writing.
We will investigate and respond within 30 days.
If unresolved, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) via www.oaic.gov.au.


12. Contact Us

Privacy Officer — Merge Insights
Email: [email protected]
Phone: 07 3821 4681