Privacy Policy
Effective: 1 September 2025 · Version 1.0
1. Introduction
Faaro (ABN 74 611 345 530) ("Faaro", "we", "us", or "our") operates workforce technology integration services. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website at www.faaroglobal.com (the "Site") and our workforce integration platform, services, and related products (collectively, the "Services").
We are committed to handling personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our Services are used by individuals located in the European Union, United Kingdom, California, or New Zealand, additional rights and protections apply as described in Sections 14, 15, and 16 below.
By accessing or using our Services, you acknowledge that you have read this Privacy Policy. If you do not agree with our practices, please do not use our Services.
2. Who We Are
Faaro is an Australian company that provides workforce technology integration services. We connect best-of-breed HR, rostering, time tracking, and payroll systems into one governed, automated stack.
Our registered address is:
Faaro
C/- Margetson & Associates
Unit 21, 598-602 Forest Road
Penshurst, NSW 2222
Australia
For privacy-related inquiries, contact our privacy team at privacy@faaroglobal.com.
3. Information We Collect
We collect and process the following categories of personal information depending on how you interact with our Services:
3.1 Account and Identity Data
When you create an account or engage with us, we collect:
- Full name, email address, phone number
- Job title, employer/organisation name
- Account credentials (passwords are stored using industry-standard hashing)
- Multi-factor authentication identifiers
- Profile preferences and settings
3.2 Workforce and Employment Data
When our Services are used to integrate workforce systems, we may process on behalf of our customers:
- Employee identifiers, names, contact details
- Employment details (position, department, start date, employment type)
- Rostering and scheduling data
- Time and attendance records (clock-in/out times, break records, geolocation if enabled)
- Leave balances and leave requests
- Payroll data (pay rates, allowances, deductions, superannuation details)
- Credential and qualification records (certificates, licence numbers, expiry dates)
- Performance and compliance data
In most cases, this data is processed by Faaro as a data processor on behalf of our customers (the data controllers). Our customers are responsible for ensuring they have appropriate legal bases and consents for the collection of this data.
3.3 Product-Specific Data
Depending on which Faaro products and integration packs are in use, additional data may be collected:
- Care Minutes Governance: Care recipient identifiers, care minute allocations, facility compliance data, AN-ACC funding categories
- Credential Management: Certificate/licence images, verification records, expiry tracking data
- Payroll Integration: Award interpretation results, pay run summaries, compliance audit logs
- Timesheet Integration: Timesheet approval workflows, cost centre allocations, integration mapping data
3.4 Technical and Usage Data
We automatically collect certain technical information when you use our Services:
- IP address, browser type and version, operating system
- Device identifiers and device type
- Pages visited, features used, clickstream data
- Date and time of access, session duration
- Referring URL and search terms
- Error logs and performance data
- Cookie identifiers and similar tracking technologies (see our Cookie Policy)
3.5 Marketing and Prospect Data
When you interact with our marketing activities, we may collect:
- Contact information provided via forms, events, or enquiries
- Communication preferences and marketing consent status
- Event attendance and webinar participation records
- Content download and engagement history
3.6 Information from Third Parties
We may receive personal information from third parties including:
- Integration partners (HR, rostering, time tracking, and payroll systems) when connecting workforce data
- Identity verification services
- Business contact databases for sales and marketing purposes
- Publicly available sources (company websites, LinkedIn, professional registries)
4. Lawful Basis for Processing (Australian Privacy Principles)
Under the Australian Privacy Principles (APPs), we collect and process personal information on the following bases:
- Consent (APP 3): Where you have provided explicit consent, such as subscribing to communications or enabling optional features
- Contractual necessity: Where processing is necessary to perform our contractual obligations to you or your employer (e.g., providing the Services under a subscription agreement)
- Legitimate business purposes (APP 6): Where processing is reasonably necessary for our business functions and activities, and you would reasonably expect us to use your information in that way
- Legal obligation: Where processing is required to comply with Australian law, including the Fair Work Act 2009, taxation laws, and record-keeping obligations
5. How We Use Your Information
We use personal information for the following purposes:
- Service delivery: To provide, maintain, and improve our workforce integration platform and related services
- Account management: To create and manage your account, authenticate your identity, and provide customer support
- Workforce integration: To connect and synchronise data between your workforce systems (HR, rostering, time tracking, payroll) as configured by your organisation
- Compliance and governance: To generate compliance reports, audit trails, and governance dashboards as part of our platform features
- Security: To detect, prevent, and respond to security incidents, fraud, and abuse
- Analytics: To understand how our Services are used and to improve performance, reliability, and user experience
- Communications: To send transactional notifications (e.g., system alerts, integration status updates) and, with your consent, marketing communications
- Legal compliance: To comply with applicable laws, regulations, and legal processes
- Business operations: To manage our business, including billing, invoicing, and internal reporting
6. Automated Decision-Making
Our Services may involve automated processing in the following areas:
- Award interpretation: Automated calculation of pay rates, allowances, and penalties based on Modern Award rules and employment conditions
- Compliance monitoring: Automated alerts when credential expiries, roster non-compliance, or care minute shortfalls are detected
- Data validation: Automated checks for data consistency across integrated workforce systems
- Tag projection: Automated classification and tagging of workforce data based on configurable rules
These automated processes support decision-making but do not make decisions that produce legal effects or similarly significant effects on individuals without human review. Your employer (our customer) retains control over all workforce decisions.
7. How We Share Your Information
We do not sell personal information. We may share personal information in the following circumstances:
7.1 Sub-processors
We engage trusted sub-processors to help deliver our Services. These include:
- Cloud infrastructure providers (Amazon Web Services)
- Database hosting services
- Email delivery services
- Analytics and monitoring tools
- Customer support platforms
All sub-processors are bound by data processing agreements that require them to protect personal information to at least the same standard as this Privacy Policy.
7.2 Our Customers (Your Employer)
Where we process workforce data on behalf of a customer, that customer (typically your employer) has access to the data they have provided or that has been generated through their use of our Services.
7.3 Integration Partners
When our Services are used to integrate third-party workforce systems, data is transmitted to and from those systems as configured by the customer. We act as an integration conduit and do not use this data for our own purposes beyond providing the integration service.
7.4 Professional Advisors
We may share information with our legal, accounting, and insurance advisors where necessary for professional advice and business operations.
7.5 Regulatory and Legal
We may disclose personal information where required by law, regulation, court order, or governmental request, or where necessary to protect our rights, property, or safety, or the rights, property, or safety of others.
7.6 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected individuals and provide choices where required by law.
8. Cross-Border Data Transfers
Faaro primarily stores and processes data in Australia using Amazon Web Services (AWS) Sydney region (ap-southeast-2). However, some personal information may be transferred to or accessed from other countries in the following circumstances:
- Sub-processors in the United States: Certain sub-processors (e.g., analytics, email delivery, monitoring services) may process data in the United States
- Customer-directed integrations: Where a customer uses a third-party workforce system hosted outside Australia, data will be transferred to that system's location as part of the integration
- Support and maintenance: Authorised personnel may access data from locations outside Australia for support purposes
Where personal information is transferred overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs (APP 8). For transfers to the EU/EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Data Security
We implement robust technical and organisational measures to protect personal information from unauthorised access, loss, misuse, or alteration. These include:
- Encryption in transit: All data transmitted between clients and our Services is encrypted using TLS 1.2 or higher
- Encryption at rest: All stored data is encrypted using AES-256 encryption
- Access controls: Role-based access control (RBAC) ensures that users only access data relevant to their role
- Multi-factor authentication: MFA is supported and recommended for all user accounts
- Network security: Virtual private cloud (VPC) isolation, web application firewall (WAF), and intrusion detection systems
- Monitoring: Continuous security monitoring and logging of access to personal information
- Incident response: Documented incident response procedures for security events
- Vendor management: Security assessments of all sub-processors and third-party integrations
For more details on our security practices, see our Security page.
10. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention periods are:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Account data (after account closure) | 90 days | Account recovery, fraud prevention |
| Workforce and employment data | 7 years | Fair Work Act 2009 record-keeping obligations |
| Compliance and audit data | 7 years | Regulatory and legal requirements |
| Technical logs | 90 days | Security monitoring, debugging |
| Analytics data | 12 months | Service improvement (aggregated/anonymised where possible) |
| Marketing engagement data | 30 days after consent withdrawal | Consent-based processing |
When retention periods expire, personal information is securely deleted or anonymised. Customers may request earlier deletion of their data, subject to our legal obligations.
11. Your Privacy Rights (Australian Privacy Principles)
Under the Australian Privacy Act 1988, you have the following rights:
- Access (APP 12): You may request access to the personal information we hold about you. We will respond within 30 days.
- Correction (APP 13): You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Complaint (APP 1): You may complain about our handling of your personal information. We will investigate and respond within 30 days.
- Opt-out of marketing: You may opt out of receiving marketing communications at any time by clicking the unsubscribe link in our emails or contacting us.
If you are an employee whose data is processed through our platform, please direct your requests to your employer in the first instance, as they are the data controller for your workforce data.
To exercise any of these rights, contact us at privacy@faaroglobal.com.
12. Accessing and Correcting Your Information
You may access and update your account information at any time by logging into your account. For information that cannot be updated through your account settings, or to request a copy of all personal information we hold about you, please contact us at privacy@faaroglobal.com.
We may refuse access in limited circumstances permitted by the APPs, such as where access would unreasonably impact the privacy of others, or where the request is frivolous or vexatious. If we refuse access, we will provide written reasons.
13. Complaints and the OAIC
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint by contacting us at privacy@faaroglobal.com. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
14. Additional Rights for EU/UK Individuals (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional rights:
- Right to erasure: You may request deletion of your personal data in certain circumstances
- Right to restriction: You may request that we restrict the processing of your personal data
- Right to data portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format
- Right to object: You may object to processing based on legitimate interests, including profiling
- Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal effects
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
For GDPR-related requests, contact our Data Protection Officer at dpo@faaroglobal.com. You also have the right to lodge a complaint with your local supervisory authority.
The legal bases for processing under GDPR include: performance of a contract, compliance with legal obligations, legitimate interests (platform security, service improvement, fraud prevention), and consent.
15. Additional Rights for California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and third parties with whom we share it
- Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions
- Right to correct: You may request correction of inaccurate personal information
- Right to opt-out of sale/sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
To exercise these rights, contact us at privacy@faaroglobal.com. We will verify your identity before fulfilling your request.
In the preceding 12 months, we have collected the categories of personal information described in Section 3 above. We have not sold personal information. We may have disclosed personal information for business purposes as described in Section 7.
16. Additional Rights for New Zealand Individuals (NZ Privacy Act 2020)
If you are located in New Zealand, the Privacy Act 2020 (NZ) provides you with rights substantially similar to the Australian Privacy Principles. In addition:
- You have the right to request access to and correction of your personal information under Information Privacy Principles 6 and 7
- We will notify the NZ Privacy Commissioner and affected individuals in the event of a notifiable privacy breach
- You may lodge a complaint with the NZ Privacy Commissioner at www.privacy.org.nz
17. Notifiable Data Breaches
In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, if we become aware of a data breach that is likely to result in serious harm, we will:
- Notify the OAIC as soon as practicable
- Notify affected individuals as soon as practicable
- Include in our notification: a description of the breach, the kinds of information involved, and recommendations about steps individuals should take
For security incidents, contact security@faaroglobal.com.
18. Children's Privacy
Our Services are designed for business use and are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information promptly.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. When we make material changes, we will:
- Update the "Effective" date at the top of this page
- Notify account holders by email or through an in-product notification
- Provide a summary of changes where practicable
We encourage you to review this Privacy Policy periodically. Continued use of our Services after changes are posted constitutes acceptance of the updated policy.
20. Related Documents
21. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: