Privacy Policy

Last Updated: 25/05/2026

Privacy at a glance

This summary is provided for convenience only and does not form part of our Privacy Policy. The full Policy below is the authoritative version.

  • Who are we? Zipline.io Pty Ltd, an Australian company providing a worker compliance, screening, credentialing and site access platform.
  • Whose information do we handle? Customers and their admin users, Workers (candidates, employees, contractors, volunteers), Visitors to Customer sites, Referees, website visitors, and our own personnel.
  • What sensitive information do we handle? Information such as Identity documents, background check outcomes (conducted by accredited screening providers), Working with Children Check and NDIS Worker Screening outcomes, and health-related credentials where relevant.
  • Where is your data stored? In Australia.
  • Do you sell personal information? No.
  • Do you use AI? Yes, in limited and disclosed ways — to support identity document handling, screening review, anomaly detection, reference check conversations and Customer support. AI assists humans; it does not make final decisions affecting individuals on its own.
  • How can I access or correct my information? Contact our Privacy Officer. See section 12.
  • How do I make a complaint? Contact our Privacy Officer first. If unresolved, escalate to the OAIC. See section 12.6.

1. About this Privacy Policy

Zipline.io Pty Ltd (ACN 619 791 187, ABN 88 619 791 187) (Zipline, we, us, our) is committed to protecting personal information and respecting the privacy of the individuals whose information we handle. This Privacy Policy explains how we collect, hold, use, disclose and protect personal information across our products and services.

This Policy is issued in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). We also have regard to state and territory privacy laws and sector-specific regimes that apply to our business and our Customers, including the Aged Care Act 2024 (Cth) and the National Disability Insurance Scheme Act 2013 (Cth).

By using our website, our services or otherwise providing personal information to us, you acknowledge that you have read and understood this Policy.

2. Who this Policy applies to

Zipline provides a worker compliance, screening, credentialing and site access platform (the Platform) to organisations operating in regulated sectors, including aged care, healthcare and disability (NDIS) services. The categories of individuals whose personal information we handle include:

  • Customers — organisations that subscribe to the Platform;
  • Customer admin users — individuals at our Customers granted access to the Platform to manage their organisation's use of our services;
  • Workers — candidates, employees, agency staff, contractors or volunteers whose compliance, credentials, screening and site access are managed through the Platform on behalf of a Customer;
  • Visitors — members of the public who attend a Customer site and check in through our Platform;
  • Referees — individuals nominated by a candidate to provide a reference, who interact with our Platform (including with a conversational AI assistant);
  • Website visitors — individuals who visit our website or interact with our marketing channels;
  • Other individuals — including our representatives, business contacts, applicants for employment with Zipline, and members of the public who contact us.

3. Our role in handling personal information

Our role varies depending on the individual and the context:

  • Where we process information about Workers, Visitors or Referees on behalf of a Customer, the Customer generally determines the purposes of collection and use. We handle that information in accordance with our agreement with the Customer and the directions they provide. Customers remain responsible for their own collection notices, consents and lawful basis for collection.
  • In respect of Customer admin users, website visitors, our own personnel and other individuals, we are responsible directly.

In all cases, Zipline is directly responsible under the Privacy Act for how we hold, secure, transmit, retain and dispose of personal information in our systems.

If you are a Worker, Visitor or Referee and want to understand how a Customer uses your information, please also review the Customer's own privacy policy.

4. The personal information we collect

The categories of personal information we collect depend on your relationship with us.

4.1 Customer representatives and admin users

  • Name, position title, business contact details;
  • Account credentials and authentication data;
  • Billing and transactional information for the Customer organisation;
  • Platform activity data (see section 6.3 for how this is used).

4.2 Workers

Where Workers are onboarded to the Platform by a Customer, we may collect:

  • Identification information, including government-issued identifiers used to verify identity;
  • Employment and engagement information;
  • Credentials, qualifications and their expiry dates;
  • Screening outcomes — including Working with Children Check outcomes and NDIS Worker Screening Check outcomes (see section 5);
  • Consent, authorisation and compliance records;
  • Site access and time-and-attendance information collected at kiosks or QR check-in;
  • Records of communications with us.

4.3 Visitors

Where the Platform is used to manage visitor access to a Customer site, we may collect:

  • Name and contact details;
  • Reason for visit and host details (the person being visited);
  • Health-related declarations required by the Customer (for example, vaccination status or infection control screening);
  • Time of arrival and departure.

4.4 Referees

Where a candidate nominates a referee, we may collect:

  • Name, contact details and relationship to the candidate (provided by the candidate);
  • The substance of the referee's responses, provided via a chat-based interface that may include interaction with an AI assistant (see section 6.2);
  • Technical information about the referee's interaction with the platform, including IP address, browser type and device information, which we use for fraud detection, security and platform integrity purposes;
  • Records of the interaction, including timestamps and consent.

4.5 Website visitors

  • Contact details you provide via forms;
  • Technical information — IP address, device identifiers, browser type, pages viewed;
  • Cookies and similar tracking information (see section 11).

4.6 Other individuals

  • Business contact details for suppliers, partners and prospects;
  • Recruitment information for applicants for employment with Zipline;
  • Information you provide when contacting our support channels.

5. Sensitive information

Some of the information we handle is sensitive information for the purposes of the Privacy Act. We only collect sensitive information where you have provided your consent and the collection is reasonably necessary for one of our functions or activities, or where the collection is required or authorised by law, or where another exception under APP 3.4 applies.

5.1 Health information

We may handle health-related information where it is collected in connection with vaccination status, fitness-for-work credentials, or visitor health declarations required by a Customer. Such information is sensitive information and is handled subject to the consent and lawful basis requirements above.

6. Why we collect, hold, use and disclose personal information

We collect, hold, use and disclose personal information only for purposes connected with operating our business and providing the Platform, and only to the extent each purpose has a lawful basis. We do not use sensitive information (including health information) for marketing or business development purposes, and we do not use sensitive information for any secondary purpose unless that purpose is directly related to the primary purpose for which it was collected and you would reasonably expect us to do so.

Section 7 sets out the recipients to whom personal information may be disclosed in the course of these purposes.

The purposes for which we collect, hold and use personal information include:

  • Providing the Platform and related services — including worker compliance management, identity verification, credentialing, ongoing compliance tracking, site access management, time-and-attendance recording, and reference checking;
  • Holding and displaying screening outcomes received from Customers or Workers;
  • Verifying identity, detecting fraud, and maintaining the security and integrity of the Platform;
  • Improving the Platform, using aggregated or de-identified information wherever practicable;
  • Marketing and business development with respect to Customers and prospective Customers, using business contact information only and subject to opt-out;
  • Recruiting and managing our own personnel;
  • Managing complaints, disputes, audits and legal proceedings;
  • Complying with our legal and regulatory obligations.

6.1 Automated processing

The Platform applies rules-based logic to assess compliance status — for example, flagging an expired credential or a screening outcome that requires review. These rules-based outcomes do not constitute solely automated decisions producing legal or similarly significant effects on an individual. Decisions about engagement, suitability for a role or other employment consequences are made by the Customer, not by Zipline.

6.2 Use of artificial intelligence

Some features of the Platform use artificial intelligence (AI) to support our services. The specific AI capabilities available depend on Customer configuration and the stage of product lifecycle; not all are active in every interaction. AI capabilities that may be present in the Platform include:

  • Classification, extraction or validation of information from identity documents and credentials;
  • Identity matching at check-in;
  • Identification of anomalies, expirations or compliance issues for prioritisation and human review;
  • Conversational interactions with referees through a chat-based interface (where AI is used, we make this clear at the start and throughout the interaction, and referees may decline to participate);
  • Conversational support features (for example, in-product help and search).

Where AI is used, we apply the following principles:

  • Human oversight. In the ordinary course of our use of AI in the Platform, AI assists, prioritises or surfaces — it does not make unsupervised final decisions producing legal or similarly significant effects on individuals.
  • Contestability. You may request a human review of any output of the Platform that affects you, including outputs influenced by AI.
  • Training data. We do not train our own AI models on Customer or Worker personal information.
  • Third-party AI providers. Some AI capabilities are supported by third-party AI providers. Where we engage such providers, we apply contractual restrictions where commercially available to limit their use of any personal information we send them to providing the relevant AI service.
  • Prohibited uses. We do not use AI for profiling that infers sensitive attributes from data not provided for that purpose, emotion recognition, advertising or behavioural targeting, or any use intended to produce a legal or similarly significant decision about an individual without human review.
  • Risk assessment. New AI features, and material changes to existing features, are assessed under our internal AI risk and impact assessment process before release, to the extent appropriate to the feature.

6.3 Customer admin user activity

We process Customer admin user activity data — including login times, IP address, pages accessed, actions taken, search queries and other usage telemetry — for security and audit, regulatory and contractual compliance, service operation, and product improvement. Where used for product improvement, we use aggregated or de-identified data wherever practicable.

We do not use individual admin user activity data as the basis for decisions affecting that user's employment, and we do not share individual admin user activity data with third parties for marketing or behavioural advertising purposes.

7. Recipients of personal information

In the course of the purposes described in section 6, we may share personal information with the following categories of recipient. We share personal information only where necessary for those purposes.

  • Customers — to whom we provide the Platform, including compliance, screening, site access and reference information about Workers, Visitors and Referees engaging with that Customer;
  • Government agencies, regulators and screening units — where required by law (for example, state Working with Children Check units, the NDIS Quality and Safeguards Commission, the Aged Care Quality and Safety Commission);
  • Service providers and sub-processors — see section 8;
  • Auditors and assessors — for regulatory or certification audits;
  • Law enforcement, courts or other parties — where required or authorised by law, or where reasonably necessary to protect the rights, property or safety of Zipline, our Customers or others;
  • Successors in business — in connection with a proposed or actual sale, merger, restructure or financing involving Zipline, subject to confidentiality protections and consistent with the protections set out in this Policy.

Where Customers use the Platform to collect data they are required to report to a government agency (for example, time and attendance records used for Care Minutes or NQIP reporting in the aged care sector), we hold that data on behalf of the Customer; the disclosure to the agency is made by the Customer under their own reporting obligations, not by Zipline directly.

We do not sell personal information.

8. Service providers and data location

Production data containing Customer, Worker, Visitor and Referee personal information processed through the Platform is primarily hosted within Australia, using cloud infrastructure providers (such as Microsoft Azure) configured for Australian regions.

We use third-party service providers to support our business operations, including categories such as cloud infrastructure, communications, customer support, CRM and marketing automation, analytics and observability, AI infrastructure (supporting the capabilities described in section 6.2), and payment processing. Some of these providers operate outside Australia and, in the course of providing their services, may store or access limited categories of personal information (such as business contact details, support correspondence and marketing-related information) overseas.

Where personal information is accessible to a recipient outside Australia, we take reasonable steps under APP 8 to ensure they handle it in a manner consistent with the APPs, including through appropriate contractual safeguards where commercially available. A current list of our key sub-processors is available on request from our Privacy Officer.

9. How we protect personal information

Zipline maintains a documented information security program designed to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. The program covers:

  • Technical controls — including encryption of personal information in transit and at rest, role-based access controls with multi-factor authentication applied to administrative and privileged access and other appropriate access controls for other systems, secure software development practices, continuous logging and monitoring, and regular backups;
  • Organisational controls — including background screening of personnel before they are granted access to systems handling sensitive information, security and privacy awareness training, formal access provisioning and review, supplier risk management, and documented incident response procedures;
  • Governance and assurance — including alignment with internationally recognised standards (ISO/IEC 27001:2022), ongoing certification work, and documented AI risk and impact assessments before release of new or materially changed AI features.

Despite these measures, no method of transmission or storage is completely secure. If you believe the security of your personal information has been compromised, please contact us immediately.

10. Data retention and destruction

We retain personal information only for as long as we have a lawful basis to do so. Actual retention periods depend on applicable Australian laws and regulations, the documented retention requirements of the Customer who provided or controls the information (which may exceed statutory minimums), our legitimate business needs (including the management of legal claims, audits, disputes and the integrity of our records), and operational and technical constraints (including the maintenance of backup and disaster-recovery systems).

Where personal information has been deleted or de-identified from our active systems, copies may persist in backup and disaster-recovery systems. Information held in those systems is placed beyond use — segregated from active processing, accessible only for disaster recovery purposes, and not used for any other purpose. On Customer request, we will action deletion across active and backup systems in accordance with our standard processes.

Our typical retention practice for each category of information is set out below. Where a Customer instructs us to retain information for a longer period in accordance with their own policies or regulatory obligations, we will comply with that instruction to the extent permitted by law. Where retention is no longer justified, we take reasonable steps to securely destroy or de-identify the information, having regard to the operational and technical constraints noted above.

  • Background check outcomes — in accordance with the Customer's documented retention instructions.
  • Identity verification records — for the period required by applicable anti-fraud and identity verification obligations.
  • Active Worker compliance records — for the duration of the Customer's use of the Platform in respect of that Worker, plus a reasonable period for audit and dispute resolution.
  • Visitor check-in records — for the period required by the Customer's site access policy and applicable regulations.
  • Reference check records — for the duration of the Customer's hiring decision and a reasonable period thereafter.
  • Security audit logs — typically 24 months active, then archived in line with our security log retention practice.
  • Account, billing and taxation records — at least 7 years, to meet Australian taxation and corporate record-keeping obligations.
  • Marketing contact records — until you unsubscribe, plus a short period for recordkeeping.
  • Website analytics and server logs — up to 24 months, then de-identified or deleted.

11. Cookies and website analytics

Our website uses cookies and similar technologies to support functionality, measure performance and improve the user experience. We use strictly necessary cookies (required for the website to function), analytics cookies (for example, Google Analytics) and marketing cookies. You can manage cookies through your browser settings or through our cookie preference centre where available. Disabling certain cookies may affect website functionality.

12. Your rights — access, correction and complaints

12.1 Access to your information

You may request access to the personal information we hold about you (APP 12). We will respond within a reasonable period, typically within 30 days. A reasonable cost-recovery charge may apply in limited circumstances. If we are required or permitted to refuse a request, we will explain why in writing to the extent required by law.

Where we hold information about a Worker, Visitor or Referee on behalf of a Customer, requests may need to be coordinated with the relevant Customer. We will assist where appropriate.

12.2 Correction of your information

If you believe the personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us. We will take reasonable steps to correct it (APP 13). If we decline, you may request that a statement be associated with the record noting that you consider the information inaccurate.

12.3 Withdrawing consent

Where we rely on your consent (including for use of conversational AI in reference checks), you may withdraw it at any time. Withdrawal may affect our ability (or that of the relevant Customer) to provide certain services. It does not affect the lawfulness of processing carried out before the withdrawal.

12.4 Contesting AI-influenced outputs

You may request a human review of any output of the Platform that affects you, including outputs influenced by automated processing or AI.

12.5 Anonymity and pseudonymity

Where lawful and practicable, you may interact with us anonymously or using a pseudonym. This is generally not practicable for screening, identity verification, credentialing and site access activities, where verified identity is required by law or by the Customer's compliance obligations.

12.6 Making a complaint

Contact our Privacy Officer (see section 14) in the first instance. We aim to resolve complaints within 30 days. If unresolved, you may refer the matter to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

13. Data breach notification

We maintain a documented data breach response plan in line with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Where we suspect an eligible data breach may have occurred, we will assess the incident promptly (and within the period required by law), take reasonable steps to contain the breach and mitigate harm, notify the OAIC and affected individuals where required to do so, and notify affected Customers in line with our contractual commitments.

14. Contacting us

Our Privacy Officer is responsible for the operation of this Policy. Please direct any questions, requests or complaints to:

Privacy Officer
Zipline.io Pty Ltd

  • Email: privacy@zipline.io
  • Post: 2/155 Onslow Rd, Shenton Park, WA 6008, Australia

We will respond to privacy queries and requests within a reasonable period, typically within 30 days.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The most current version will always be available on our website, with the effective date clearly indicated. Where changes are material, we will take additional steps to notify you (for example, by email or in-product notification).

16. Definitions

Terms used in this Policy have the meanings given in the Privacy Act, unless otherwise defined. In particular:

  • personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in section 6 of the Privacy Act;
  • sensitive information has the meaning given in section 6 of the Privacy Act;
  • APPs means the Australian Privacy Principles in Schedule 1 of the Privacy Act.
© 2024 Zipline.io. All rights reserved.