PRIVACY, SECURITY & CREDIT REPORTING POLICY

Last updated date: 08/07/2025

Introduction

This is the privacy policy for Rapid Global Pty Ltd ACN 161 913 882 (“Rapid Global”, “we”, “us”). This privacy policy details:

What Information we Collect
How We Use Your Information
Sub-processors that we use
How we store and protect information
When we Destroy Information
How we Comply with Local Laws
How we Comply with Overseas Laws
How we Update this Privacy Policy
Contacting Government about Privacy

This privacy policy refers to the Rapid Global website (www.rapidglobal.com), the Rapid Global Platform (which is provided on a software as a service basis and can be accessed via a web browser) and Rapid’s applications and software, which run on iPads and other terminals and devices (Collectively these are referred to as the “Rapid Global Service”)

1. What Information We Collect

1.1. Business Information

We collect information about organisations who use the Rapid Global Service (“Customers”) or may sell or support the Rapid Global Service (“Partners”). This includes basic details of the organisation, contact details for its employees and administrators, and information about the systems of the Customers and Partners necessary for the provision by us of the Rapid Global Service.

We collect this information so we can communicate with Customers and Partners about the Rapid Global Service and keep them informed about relevant and important changes.

1.2. Customer Information

The Rapid Global Platform allows Customers to manage how the Customer and their Users use the Rapid Global Service. This includes information such as the Customer’s subscriptions or transactions history with us and their locations, access rules and policies and procedures, as well as any information submitted by the Customer in order to receive and supply services through the Rapid Global Platform.

The Rapid Global Platform also allows Customers to manage information related to Users, so that Customers can control which Users can make use of the Rapid Global Service and how they can use it.

Rapid Global does not use your Customer or User information for our own purposes, nor do we share it with others (other than as necessary to provide the Rapid Global Service) or sell it to others.

1.3. User Information

We provide the Rapid Global Service to our Customers to allow them to quickly identify workers, contractors and visitors and to assist them in complying with their obligations under work, health and safety laws by inducting workers, managing hazards, incidents and risks, performing audits (including through the use of object detection software) and by ensuring the health and safety of their workers, contractors and visitors (Users).

As such, if Users use the Rapid Global Service, their Information may be shared with our Customer (being the entity which the User is being inducted by, is an employee or contractor of or visiting).

Users’ information may also be provided to governmental authorities if required under laws or guidelines imposing obligations on entities relating to COVID-19 contact tracing (and your information may be used or stored by the relevant governmental authority for that purpose).

Information that we may collect from Users includes information such as the User’s name, date of birth and contact details (e.g. email address and mobile phone number), biometric information, and the camera footage of the User collected by cameras providing the Rapid Global Service.

The Rapid Global System also allows Users to submit their insurance certificates of currency, evidence of their permits and authorisations to work, driver’s licence document and details, and biometric data (e.g. key facial features captured in an individual’s profile picture).

Users can deal with us anonymously (without identifying themselves) or under a pseudonym (fictitious name), except where this would be inconsistent with the services we are providing to our Customers or where it would otherwise be impractical or unlawful to deal with individuals anonymously or under a pseudonym.

Depending on the features of the Rapid Global Service selected by our Customer, we may use and store information about Users geographical location via GPS (using location services on your device or other electronic means) (“Geolocation Data”). Users may allow or disallow us to collect Geolocation Data by enabling or disabling location services by way of their device settings.

We may hold credit card details and bank account numbers if provided to us directly. However, credit card details are not processed through or retained on our servers if goods or services are purchased via our website (in which case credit card information is processed via the Stripe, eWay, St George Bank or National Australia Bank credit card processing system).

1.4. Biometric Information

Depending on the features of the Rapid Global Service selected by our Customer, the Rapid Global Service may incorporate facial recognition technology.

With the consent of Users, when they use or sign up to the Rapid Global Service, their profile photo is taken and their biometric information (e.g. their unique facial characteristics) is extracted from it. The use of facial recognition allows Users to be automatically identified on subsequent uses. We collect biometric information from Users who are recorded using the Rapid Global Service but could not be automatically matched to an existing profile on the Rapid Global Platform or have not yet created a profile on the Rapid Global Platform. Customers can request that the biometric information collected from Users be added to an existing or new profile on the Rapid Global Platform.

The Rapid Global Service provides important capabilities to support the responsible collection and use of biometric information, including:

Requiring Users to acknowledge a simple privacy statement and to actively consent to the capture of biometric data when creating a profile on the Rapid Global Platform.
Requiring Customers to inform Users of the Customer’s use of the Rapid Global Service prior to their arrival at any Customer site that uses the Rapid Global Service or as soon as practical following their arrival/attendance at the said site, to ensure that consent to the use of a User’s biometric information has been provided (unless a general permitted situation exists).
Requiring Customers to warrant to us that a permitted general situation (as defined in the Privacy Act) exists in relation to the collection, use and disclosure of a User’s biometric information through the Rapid Global Service or that Users have otherwise consented to the collection, use and disclosure of a User’s biometric information through the Rapid Global Service.
Allowing non-consenters to use an alternative means of identification (in the sense that while biometric templates are automatically generated, the information will not be linked to a new or existing profile on the Rapid Global Platform).
Allowing Users to remove their consent at any time, at which time biometric data associated with their profile on the Rapid Global Platform is destroyed (unless a general permitted situation, as defined in the Privacy Act, exists).

1.5. Health Information

Depending on the features of the Rapid Global Service selected by our Customer, the Rapid Global Service may include the collection of the User’s health information, such as blood alcohol concentration testing and temperature testing. The User’s health information can either be collected by the Customer and manually added to the User’s profile on the Rapid Global Platform, or with the consent of Users, through the connection of appropriate devices (such as a Bluetooth-enabled infrared thermometer) to the Rapid Global Service. The collection of this health information by Rapid Global allows Customers to achieve compliance with their work, health and safety procedures and obligations as well as local laws and regulations.

The Rapid Global Service provides important capabilities to support the responsible collection and use of health information, including:

Requiring Users to acknowledge a simple privacy statement and to actively consent to the capture of their health data both upon the creation of the User’s profile and at the time of collection by Rapid Global.
Requiring Customers to obtain the consent of their Users to the collection of the health information when Customers manually upload this information on the Rapid Global Software.
Allowing Users to remove their consent at any time, at which time health information is destroyed.

1.6. Usage Information

The Rapid Global System allows us and Customers to collect information about each activity (or event) performed using the Rapid Global System. This includes information such as the date and time, the details of the User (name and username), the type of activity and the details of the activity.

We use Google Analytics to analyse the use of our website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this information. Google’s privacy policy is available at http://www.google.com/privacypolicy.html).

2. How We Use Your Information

Collecting the information referred to above is essential to the operation of the Rapid Global Service and for ensuring the compliance with laws by our Customers.

Rapid Global does not use your biometric information for our own purposes, nor do we share it with or sell it to others.

We may send you marketing communications in line with your previously expressed marketing preferences or as otherwise permitted under relevant laws. If you do not wish to receive such communications, please contact us via the Contact Address or follow the opt-out instructions contained in each marketing communication.

We will not disclose information that we collect and hold about you to any overseas recipients other than to our sub-processors referred to in paragraph 3. If we transfer your information to third parties, we will ensure that reasonable steps are taken to ensure that the overseas recipient does not misuse your information and that the overseas recipient is in a jurisdiction that has an adequate level of protection for your data before we provide them with it.

We use Customer and User information in the following ways:

To provide, maintain and improve the Rapid Global Service (including the Rapid B2B offerings), including to operate certain features and functionality of the Rapid Global Services (including for the purpose of automated biometric verification or biometric identification which can be combined with object detection software as part of the Rapid Global Services);
To process your inquiries and otherwise deliver customer service;
To process your payments, we may use your credit card details and bank account numbers if provided to us directly. However, credit card details are not processed through or retained on our servers if goods or services are purchased via our website (in which case credit card information is processed via the Stripe processing system);
To control unauthorised use or abuse of the Rapid Global Services, or otherwise detect, investigate or prevent activities that may violate our policies or be illegal;
For research and development, we use collective learnings about how people use our Rapid Global Services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the Rapid Global Services;
To communicate with you about the Rapid Global Services. We use your contact information to send transactional communications via email and within the Rapid Global Services, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages. We also send you communications as you onboard to a particular Rapid Global Service to help you become more proficient in using that Rapid Global Service. These communications are part of the Rapid Global Services and in most cases you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings;
To send promotional communications that may be of specific interest to you, including newsletters, promotions and special offers or information about new products and services. If you do not want to receive email or other mail from us, please indicate your preference in by emailing us at [email protected];
Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business;
We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, you may wish to advertise your services or request services using our Rapid B2B platform, or we may publish testimonials or featured customer stories to promote the Rapid Global Services, with your permission;
In the manner described to you at the time of collection or as otherwise described in this Privacy Policy.

3. Sub-processors We Use

Amazon Web Services (AWS) supplies web hosting and customer relationship management services.

Information collected and managed by AWS on our behalf is stored securely on the Asia Pacific (Sydney) region of the AWS platform for Australian customers, and on the Europe (Ireland) region for European customers.

Other subprocessors used by Rapid Global and the details of the service provided can be found here https://rapidglobal.com/rapid-3rd-party-providers/.

4. How We Store and Protect Information

Rapid Global does not share or sell your business information, including your contact details.

Information on businesses that use or may use the Rapid Global Service is stored in our IT systems. We take responsible measures to protect this information. For example:

Access to business information is limited to authorised employees.
Access to business information is password protected.
Business information is backed up.
Customer and User information is encrypted both in transit and at rest.

Rapid Global may also store information on physical servers located at Customer sites. Generally, all on-site servers are secured by Customers using locks, access control or office security.

Biometric information is a special form of information for which additional privacy protections are offered. We take responsible measures to protect this information. For example:

Biometric Information is NOT viewable.
Biometric Information is NOT exportable.
Biometric information is backed up.
Biometric information is encrypted both in transit and at rest.

5. When We Destroy Information

The surveillance footage we collect through the Customer as part of the Rapid Global Service is stored on the Customer’s on-site server for an amount of time that is decided by the Customer – the duration of storage is dependent on the capabilities of the Customer’s on-site server, but generally, footage is destroyed within eight weeks of capture.

The still images of User faces that are extracted from the surveillance footage and separately stored by us on the Rapid Global Platform are destroyed within 90 days of collection. Biometric information that the Customer does not add to an existing or new profile on the Rapid Global Platform is deleted within 90 days of collection.

User information may be destroyed if requested by a User or by a Customer:

When a User is removed from the Rapid Global Service, the associated information and biometric information is destroyed with the user’s profile.
Biometric information is also destroyed immediately once a User removes their consent to the use of their biometrics (unless a general permitted situation, as defined in the Privacy Act, exists). In this case, the User can continue to use the Rapid Global Service by manually identifying themselves using non-biometric methods (e.g.: pinpads or swipe cards).

When our agreement with a Customer ends, all associated User information is destroyed within 90 days of termination of the agreement with the Customer. Customer information such as credit card details and bank account numbers, if provided to us directly, is destroyed promptly after the termination of our agreement with the Customer. The details of transactions that occurred prior to termination are not destroyed.

Biometric information may also be destroyed when a User removes their consent to certain uses of their biometrics. For example, the User may be able to continue to use the Rapid Global App by manually identifying themselves using non-biometric methods (e.g.: pinpads or swipe cards).

6. How We Comply with Local Laws

You can gain access to your Information, subject to certain exceptions contained in the relevant legislation.

To request access to your Information, or to update or correct that Information, please send a written request to either Rapid Global, Level 2, 118 Franklin Street, Adelaide SA 5000 or to email address [email protected] (“Contact Address”). We will check the identity of individuals making requests to determine within 14 days whether the request will be met.

If you are concerned that the way in which we collect, hold, use or disclose your Information may be in breach of the law, please send written details of your complaint to the Contact Address.

After receiving a complaint, we will conduct internal discussions and evaluate whether we believe that such collection, holding, use or disclosure of your Information was in breach of the relevant law. We will endeavour to notify you of the results of our investigation of your complaint within 30 days of receiving your complaint. However, if your complaint involves complex issues or requires extensive investigation, it may not be possible to respond within this timeframe. If the conclusion of our investigation is that our collection, holding, use or disclosure of your Information was in breach of the relevant law, we will take steps to remedy the breach as soon as reasonably practicable. If after dealing with us you are still not satisfied, you are entitled to make a complaint to the Office of the Australian Information Commissioner.

7. How We Comply with Overseas Laws

If you are a resident of the European Union for the purposes of the UK’s Data Protection Act (2018) (“DPA”) or the EU General Data Protection Regulation 2016/679 (the “GDPR”), then in addition to what is set out above, the following applies to you.

We are a data controller and processor for the purposes of the DPA and GDPR and by you consenting to the Customer’s use of the Rapid Global Service (or the Customer satisfying an alternative criteria in Articles 6 and 9.2 of the GDPR or DPA, we are able to process your personal data as defined in the DPA and GDPR (“Personal Data”) in accordance with this privacy policy.

In providing the Rapid Global Service, we may make use of a number of automated processes using your Personal Data and your activity on our website as tracked by us, in order to provide more tailored and relevant services to you.

In addition to your rights set out above, you may:

update or rectify any of the Personal Data that we hold about you by contacting us as per paragraph 6 above;
withdraw your consent to our use of your Information as described in this privacy policy (although this shall not affect the lawfulness of processing based on your consentbefore its withdrawal); and
request that we provide you with a copy of the Personal Data we hold about you in a portable and machine-readable form orshare your Personal Data with a nominated third party.

You may request the above from us by contacting us as per paragraph 6 above.

Should you have any concerns in relation to our collection and/or processing of your Personal Data, then in addition to the process set out in paragraph 6 above, you have the right to complain to a supervisory authority (within the meaning of the DPA and GDPR). Our representative for the purposes of the DPA and GDPR can be contacted as per paragraph 6 above.

8. How We Update this Privacy Policy

The latest version of the privacy policy is held at https://www.rapidglobal.com/privacy-policy/.

We reserve the right, at our sole discretion, to modify or replace this privacy policy at any time to reflect updates to our practices or relevant laws. Any changes to this privacy policy will become effective on posting. The date this privacy policy was last updated is recorded at the top of this privacy policy.