Privacy Policy
Creator Capital Pty Ltd
Suite 302, 13/15 Wentworth Ave, Sydney NSW 2000
Email: admin@creatorcapitalmgmt.com
Last Updated: August 2025
Introduction
Riskify Pty Ltd (“Riskify”, “we”, “us” or “our”) is committed to protecting your privacy and handling your personal information with care and transparency. This Privacy Policy outlines how we collect, use, disclose, and protect personal information when you use our website and services (collectively, “the Platform”). It also explains your rights and choices regarding your personal information. We are an Australian-based service and adhere to the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) in our handling of personal data. By using Riskify, you consent to the practices described in this Privacy Policy.
1. Personal Information We Collect
We collect personal information that is reasonably necessary for our business functions and activities – primarily to provide you with the SWMS generation service and to improve our Platform. The types of personal information we may collect include:
Account Information: When you register on Riskify, we collect information such as your name, email address, company name (if applicable), billing address, and contact details. For paid subscribers, we (or our payment processor) collect payment details (e.g., credit card number, PayPal ID). Payment information is handled securely via our payment provider and not stored in full on our servers (only necessary tokens or references are stored).
Profile and Usage Data: If you create a user profile, any additional details you provide (such as job title, industry, or preferences) may be stored. We also collect information about your interactions with our Platform. This includes the SWMS generation activities (e.g., the projects or templates you create), login dates/times, the features you use, and clicks or page views. This usage data helps us understand what parts of the service are most useful to users.
Content You Provide: When using Riskify to generate documents, you input various details about your work activities, hazards, controls, etc. These details may sometimes include personal or sensitive information (for example, if you mention a worker’s name or a specific location). All content you actively input into the Platform is stored in our database under your account. You control what information is included in these inputs. We advise you not to include unnecessary personal information in the free-text fields of SWMS, and especially to avoid any sensitive personal details that are not required for the safety document.
Communication Data: If you contact us (via email, support chat, or contact forms), we will collect the information you provide in those communications (such as your name, email, the content of your message, and any attachments). We keep these communications to respond to you and maintain records of our support service.
Automatic Information (Cookies & Logs): Like many online services, we use cookies and similar technologies to collect certain technical information automatically when you use our Platform. This may include:
Device and Browser Data: e.g., your IP address, browser type, operating system, device type, device identifiers, and regional settings.
Usage Logs: We log certain information about your use of the Platform, such as the pages or screens you access, the time spent, errors encountered, and so forth.
Cookies: Cookies are small text files stored on your device by your web browser. They allow us to remember your preferences (like staying logged in), track site usage, and personalize your experience. For instance, we use session cookies to maintain your login session and analytics cookies to understand how users navigate our site. (See Section 7: Cookies & Tracking below for more details.)
We generally do not collect sensitive information (such as health, biometric, or financial information) unless it is volunteered by you (for example, if you were to type such information into a SWMS free-text field or send it to us in a support query). We do not knowingly collect personal information from anyone under the age of 16. Our Platform is intended for adult use (business and professional users). If you are a parent or guardian and believe your child under 16 has provided personal information to us, please contact us so we can delete it.
2. How We Use Your Information
Riskify collects and uses personal information for the following purposes:
To Provide the Service: We use the information you input (both personal info and SWMS content) to generate the Safe Work Method Statement documents you request. For example, our AI needs the details you enter about a job’s hazards to produce the corresponding safety measures in a SWMS. We will process your inputs through our AI engine (OpenAI’s GPT) to create the output text. The AI processing is an essential part of our service; any personal data included in your inputs could be transmitted to and processed by this engine. We also use your account data to authenticate you and allow access to your saved projects and documents.
To Manage Your Account and Subscription: We use contact details to send account confirmations, login alerts, or password reset emails. Billing information is used to charge subscription fees and send invoices or receipts. We also use your data to manage subscription status (for example, to notify you of upcoming renewals, or if your payment method needs updating).
To Communicate with You: We may use your email or phone number to send service-related announcements (e.g., changes to terms, privacy policy updates, security alerts) or customer support responses. We may also send newsletters or promotional materials about new features, tips for creating effective SWMS, or other relevant updates. You can opt out of marketing emails at any time (each marketing email will include an “unsubscribe” link or instructions). Please note that you cannot opt out of important service or administrative communications, such as billing notices or security notifications, as these are not promotional in nature.
To Improve and Develop Our Platform: We analyze usage data, feedback, and aggregated user inputs (in anonymized form) to improve our service. For example, we might look at commonly generated SWMS sections to refine our templates or AI responses. We also use crash reports, error logs, and performance data to debug and enhance the stability and security of the Platform. Additionally, understanding how users navigate our interface helps us make the user experience more intuitive. Any analytics or research we conduct is generally on de-identified data (we remove personal identifiers).
Legal Compliance and Protection: We may use or disclose your information as required by applicable law, or when we believe in good faith that such use is necessary to comply with legal obligations (for example, responding to a court order or a request from law enforcement). We also may process personal information to enforce our Terms of Service or to protect the rights, property, or safety of Riskify, our users, or others. This includes fraud prevention, verifying identity where necessary, and mitigating cybersecurity threats.
Other purposes with your consent: If we ever need to use your personal information for a purpose not covered above, we will seek your consent (for instance, if we wanted to feature a customer testimonial with your name on our website, we would ask for your permission).
3. Disclosure of Personal Information
We understand the importance of keeping your personal information private. We do not sell or rent your personal data to third-party marketers. We only share personal information in a limited set of circumstances, described below:
Service Providers (“Data Processors”): We employ trusted third-party companies to perform certain functions on our behalf and to help us deliver our services. These providers are given access to only the information necessary to perform their tasks and are contractually obligated to handle it securely and in compliance with applicable privacy law. Key service providers include:
OpenAI (AI Engine): As noted, our Platform uses OpenAI’s GPT technology to generate content. When you input text to create a SWMS, that text is sent securely to OpenAI’s systems and the AI-generated output is returned to us. OpenAI is a third-party service provider in this context, and we have taken steps to ensure your data is treated confidentially (OpenAI’s API terms state that it will not use API-submitted data to train their models, and they retain it only for 30 days for abuse monitoring, unless otherwise agreed). However, because this processing happens on servers possibly outside Australia, it constitutes an overseas disclosure of personal information – see Cross-border Disclosure below for how we handle this.
Payment Processors: If you are a subscriber, your payment transactions are handled by [Payment Provider Name, e.g., Stripe or PayPal]. These providers will process your payment details (credit card numbers, etc.) securely in accordance with financial regulations. We do not store full credit card details on our own servers. We share with the payment processor the necessary personal information to complete transactions (such as your name, email, billing address, and the transaction amount).
Cloud Hosting and IT Infrastructure: Our Platform is hosted on secure cloud servers (e.g., AWS or Azure data centers). Personal data is stored and processed on these servers. We also use standard cloud-based tools for functions like email delivery ([e.g., SendGrid/AWS SES for sending emails]), data analytics ([e.g., Google Analytics or an Australian-based analytics solution]) – in each case, we aim to choose reputable providers with strong security practices.
Email/CRM and Support Tools: If we use a customer relationship management (CRM) tool or support ticketing system, your contact details and communications with us may pass through those systems. For example, if you email support, your email and our reply might be managed through a third-party helpdesk software. These providers are bound by privacy obligations and only use your info to facilitate our communications with you.
We ensure all service providers are subject to appropriate contracts that enforce confidentiality, data security, and privacy obligations. They are not permitted to use your info for any purpose other than providing services to us.
Business Transfers: If Riskify (or substantially all of its assets) is involved in a merger, acquisition, sale of assets, or corporate restructuring, your personal information may be transferred to the new entity as part of that deal. We would ensure the new owner is bound by terms that protect your data in a manner consistent with this Privacy Policy. We will notify users (for example, via email or a prominent notice on our site) of any change in ownership or use of personal information, as well as any choices you may have regarding your personal information, in the event of such a transaction.
Legal Requirements and Safety: We may disclose personal information if required by law, regulation, legal process, or enforceable governmental request. This includes responding to lawful subpoenas or court orders. We may also disclose information if we believe, in good faith, that it is necessary to: enforce our Terms of Service or other agreements; investigate or protect against harmful activities to our users, employees, or property (including fraud, security incidents or misuse of our Platform); or to protect personal safety or vital interests of any person.
Your Consent: In some cases, you may request or authorize us to share your information with others. For example, if you are using Riskify in collaboration with colleagues and ask us to integrate with another service or share data with another specific third party, we would do so with your direction. Outside of the above scenarios, we will seek your consent before sharing your personal data with third parties for purposes not covered by this Privacy Policy.
4. Cross-Border Disclosure of Personal Information
Riskify is an Australian service, and we primarily store data on servers located in Australia or jurisdictions with equivalent data protection standards. However, certain personal information may be disclosed overseas in order to provide our services effectively – particularly due to our use of international service providers and cloud infrastructure.
The most notable example is our use of OpenAI’s GPT API to generate content. When you use our AI feature, the input text (which could include personal information if you have included any) is transmitted to OpenAI’s servers. OpenAI’s servers are predominantly located in the United States, and possibly other countries for redundancy. Therefore, your data may be processed in the United States or other countries that may not have the same level of data protection laws as Australia. Similarly, if we use email delivery or analytics services based outside Australia (e.g., a US-based email service), some metadata or contact info might go to those systems overseas.
Under Australian Privacy Principle 8 (APP 8), before disclosing personal information to an overseas recipient, we must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. We take the following steps for cross-border data flows:
We choose reputable providers who have strong privacy and security commitments. For example, our contract with OpenAI or other providers includes terms to safeguard your data.
Where feasible, we implement data processing agreements that include standard data protection clauses, requiring the overseas provider to handle personal info in line with Australian standards (or equivalent).
We inform you (as we are doing here) about the potential overseas locations of your data and obtain your consent by virtue of you agreeing to this Privacy Policy and using our services with knowledge of these disclosures. By using Riskify, you consent to this transfer, processing, and storage of your personal information outside of Australia where applicable.
Use of the Platform may involve overseas disclosure of personal information (for example, via OpenAI API processing in the United States). Riskify takes reasonable steps under Australian Privacy Principle 8 to ensure that any overseas recipient will handle such information in a manner consistent with the APPs. Where legally required, users must inform affected individuals that their personal information may be processed outside Australia before inputting it into the Platform.
Please note, if an overseas service provider breaches the APPs, we will, in most cases, be accountable under the Privacy Act for that breach (unless an exception applies). We will continue to monitor our data flows and ensure compliance with any updates in law regarding overseas data transfers. If you have questions about where your data is stored or sent, feel free to contact us.
5. Data Security and Storage
We take data security seriously at Riskify. We employ a variety of administrative, technical, and physical safeguards to protect the personal information we hold against loss, theft, and unauthorized access, use, modification, or disclosure. Some of the measures we implement include:
Encryption: All communications between your browser and our Platform are encrypted using HTTPS (TLS). Any sensitive data (such as passwords or payment details) are additionally encrypted at rest. We follow industry best practices to ensure data is encrypted in transit and storage where appropriate.
Access Controls: Personal information is only accessible to those employees, contractors, and service providers who need access to perform their duties. Our team members are trained on the importance of confidentiality and privacy. We implement role-based access control so that each person only accesses the minimum necessary data. Administrative access to our systems requires strong authentication (such as multi-factor authentication).
Secure Infrastructure: We host our application and database on reputable cloud infrastructure with robust security certifications (such as ISO 27001). Our servers are protected by firewalls, intrusion detection systems, and regular security monitoring. We apply security updates and patches promptly to protect against vulnerabilities.
Backup and Recovery: We perform regular backups of data to prevent loss. Backup data is encrypted and stored securely. In case of any incident, we have a disaster recovery plan to restore availability of the Platform.
Monitoring: We log access and actions within our system and monitor for any unusual activities. Automated alerts may notify us of potential unauthorized access, which we will investigate.
Testing: We conduct periodic security assessments. This may include vulnerability scanning and, occasionally, third-party penetration testing to identify and address potential weaknesses.
Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data; there is always some risk in any online service. You can also play a part in protecting your information: keep your account password secure, avoid sharing login credentials, and notify us immediately if you suspect any unauthorized access to your account. If we become aware of a data breach that is likely to result in serious harm (as defined by the Notifiable Data Breaches scheme under the Privacy Act), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with our legal obligations.
6. Data Retention and Deletion
We retain personal information only for as long as it is needed for the purposes described in this policy or as required by law. How long we keep specific information depends on the type of data and the purposes for which we process it. For example:
Account Data: We will retain your account registration details while your account is active and for a reasonable period after you close your account, in case you decide to reactivate, or for record-keeping purposes. If you delete your account or request deletion, we will remove or anonymize personal data associated with your account, except for data we are required or permitted to keep by law (e.g., financial records for tax/audit).
Generated SWMS and Content: The documents and projects you create on Riskify are stored in your account. If you remain a customer, we will keep this content so you have continuous access. If you cancel your subscription or account, we may keep your generated SWMS for a limited time (for example, 30-60 days) in case you return or need a copy, and thereafter we will delete or anonymize them. If you want them deleted sooner, you can export and remove them yourself, or contact support for deletion.
Communications: Emails and support tickets may be retained for a period (e.g., up to 2 years) to help us reference past communications if you reach out again and to improve our support processes.
Logs and Analytics: Our server logs and analytics data (which may include IP addresses or device info) are typically retained for a shorter period, such as 12 months, for troubleshooting and analysis. We may preserve aggregated, non-identifiable analytics indefinitely for historical analysis.
Legal Records: If any personal data is part of an enforcement action, dispute, or legal requirement, we will retain that information as long as necessary to resolve the issue and comply with law/court orders.
When we no longer need personal information for our business or legal requirements, we will take reasonable steps to destroy it or de-identify it. We aim to ensure that personal information is not kept longer than necessary.
7. Cookies and Tracking Technologies
Riskify uses cookies and similar tracking technologies to provide and optimize our service:
Necessary Cookies: These are essential for the operation of our website. For example, they enable you to log in and stay logged in as you navigate between pages. Without these cookies, certain features (like account login or document editing) would not function.
Functional Cookies: These remember your preferences and settings to enhance your experience. For instance, a cookie might remember your preferred language or that you’ve dismissed a particular notification so it doesn’t pop up again.
Analytics Cookies: We use these to collect information about how users interact with our site (pages visited, time on page, buttons clicked, etc.). This helps us understand usage patterns and improve the Platform. We might use Google Analytics or a similar tool that provides aggregated statistics. The information collected typically includes IP address (truncated or anonymized in some cases), browser type, and pages visited. These analytics data do not directly identify you, and we do not allow analytics providers to use or share the data for their own purposes.
No Third-Party Marketing Cookies: We currently do not use third-party advertising networks or cookies for targeted advertising on our Platform. You will not see third-party ads on riskify.com, so we have not implanted cookies for that purpose. If this ever changes, we will update this policy and ask for consent where required.
Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. You may also clear cookies from your browser at any time. Keep in mind, however, that blocking or deleting cookies might affect the functionality of our service – for example, you might be logged out or certain preferences may not be saved. We have a Cookie & Tracking Policy available (if separate, link provided on our site) which provides more details on the cookies in use and how you can manage them. By continuing to use our site, you consent to our use of cookies as described above, unless you have disabled them through your browser.
8. Your Rights and Choices
As an individual in Australia (and in line with global privacy principles), you have certain rights in relation to your personal information held by Riskify:
Access: You have the right to request access to the personal information we hold about you. Typically, you can do this by logging into your account and viewing information in your profile or settings. If you require additional information or a full copy of your personal data, you can contact us (see Contact section below) to make an access request. We will need to verify your identity before providing access. We will respond within a reasonable time (usually within 30 days). There is generally no fee for an access request, but in rare cases if your request is complex or onerous, we may charge a reasonable fee to cover retrieval costs (we would inform you of any fee and get your agreement before proceeding).
Correction: We take reasonable steps to ensure that the personal information we collect is accurate, up-to-date, and complete. If you believe any information we hold about you is incorrect, incomplete, or out-of-date, you have the right to request that we correct it. You can update much of your information directly through your account settings (e.g., you can change your contact details or update profile info). For anything you cannot change yourself, contact us with the details to update, and we will correct our records. If we disagree that the information is incorrect (uncommon, but for instance if it’s an opinion record or we have a legal reason to keep it as is), we will provide an explanation and you have the right to request we associate a statement with the record noting your disagreement.
Deletion (Right to Erasure): You may request that we delete your personal information. For example, if you have closed your account, you can ask that we remove personal data we still hold. Note that we may need to retain certain information for lawful purposes (see Data Retention section above). If data can be deleted, we will take reasonable steps to do so, or if deletion is not feasible, we can discuss anonymization. Account data can be deleted by contacting support; generated documents you wish to remove you can delete from your account interface.
Withdrawal of Consent: Where our processing of your personal information is based on consent (for example, if you agreed to receive marketing emails), you have the right to withdraw your consent at any time. You can unsubscribe from marketing emails via the link in those emails or adjust settings in your account if available. For any other consents, contact us to let us know you withdraw consent. Note that withdrawal of consent will not affect processing already carried out, and if you withdraw consent for essential processing (like the AI processing of your inputs), we may not be able to provide the service properly.
Complaints: If you have a concern or complaint about how we have handled your personal information, you have the right to lodge a complaint with us and/or with the Office of the Australian Information Commissioner (OAIC). We encourage you to contact us first, so we can attempt to resolve your issue directly. We take privacy complaints seriously and will work to address your concerns in a timely manner. See the “Contact Us” section below for how to reach us and our internal complaint process.
No fee generally: You will not have to pay a fee to exercise the above rights (access, correction, deletion), except in the limited circumstance mentioned for complex access requests. We will inform you beforehand if any charges apply.
We also note, for completeness, that as we are an Australian business primarily serving Australian users, rights like the EU’s GDPR rights (e.g., data portability or objection) are not explicitly provided here; however, many of the core principles overlap with the APP rights above. If you are an overseas user (e.g., in EU or elsewhere) and believe you have certain statutory privacy rights, please contact us and we will try to honor reasonable requests in line with applicable laws.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. When we do, we will revise the “Last updated” date at the top of this policy. If changes are significant, we will provide a more prominent notice – for example, by placing a notice on our website or by emailing you (if the changes materially affect your rights or how we use your data). We encourage you to review this policy periodically to stay informed about how we are protecting your information. Your continued use of Riskify after any update constitutes your acceptance of the revised Privacy Policy.
10. Contact Us
If you have any questions, comments, or concerns about this Privacy Policy or about how we handle your personal information, please contact us:
Email: privacy@riskify.com.au (or support@riskify.com.au)
Postal Mail: Privacy Officer, Riskify Pty Ltd, [Address, City, State, Postcode, Australia]
We will respond to privacy inquiries as soon as reasonably possible, generally within 10 business days. If you make a complaint, we will:
Acknowledge your complaint in writing (usually within 5 business days).
Investigate the issue by reviewing our relevant records and speaking with the team members involved.
Provide you with a written response outlining the outcome of our investigation and any steps we will take to address your concerns. We aim to do this within 30 days of receiving the complaint. If we need more time (due to complexity), we will let you know the reason and an expected timeframe.
If you are not satisfied with our response, you can escalate the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted at 1300 363 992 or via their website www.oaic.gov.au. The OAIC can investigate privacy complaints and has the authority to make determinations and issue directions to organizations to take certain steps.
Thank you for trusting Riskify with your Safe Work Method Statement needs. We value your privacy and will continue to safeguard your personal information.
To Improve and Develop Our Platform: We analyze usage data, feedback, and aggregated user inputs (in anonymized form) to improve our service. For example, we might look at commonly generated SWMS sections to refine our templates or AI responses. We also use crash reports, error logs, and performance data to debug and enhance the stability and security of the Platform. Additionally, understanding how users navigate our interface helps us make the user experience more intuitive. Any analytics or research we conduct is generally on de-identified data (we remove personal identifiers).
Legal Compliance and Protection: We may use or disclose your information as required by applicable law, or when we believe in good faith that such use is necessary to comply with legal obligations (for example, responding to a court order or a request from law enforcement). We also may process personal information to enforce our Terms of Service or to protect the rights, property, or safety of Riskify, our users, or others. This includes fraud prevention, verifying identity where necessary, and mitigating cybersecurity threats.
Other purposes with your consent: If we ever need to use your personal information for a purpose not covered above, we will seek your consent (for instance, if we wanted to feature a customer testimonial with your name on our website, we would ask for your permission).
3. Disclosure of Personal Information
We understand the importance of keeping your personal information private. We do not sell or rent your personal data to third-party marketers. We only share personal information in a limited set of circumstances, described below:
Service Providers (“Data Processors”): We employ trusted third-party companies to perform certain functions on our behalf and to help us deliver our services. These providers are given access to only the information necessary to perform their tasks and are contractually obligated to handle it securely and in compliance with applicable privacy law. Key service providers include:
OpenAI (AI Engine): As noted, our Platform uses OpenAI’s GPT technology to generate content. When you input text to create a SWMS, that text is sent securely to OpenAI’s systems and the AI-generated output is returned to us. OpenAI is a third-party service provider in this context, and we have taken steps to ensure your data is treated confidentially (OpenAI’s API terms state that it will not use API-submitted data to train their models, and they retain it only for 30 days for abuse monitoring, unless otherwise agreed). However, because this processing happens on servers possibly outside Australia, it constitutes an overseas disclosure of personal information – see Cross-border Disclosure below for how we handle this.
Payment Processors: If you are a subscriber, your payment transactions are handled by [Payment Provider Name, e.g., Stripe or PayPal]. These providers will process your payment details (credit card numbers, etc.) securely in accordance with financial regulations. We do not store full credit card details on our own servers. We share with the payment processor the necessary personal information to complete transactions (such as your name, email, billing address, and the transaction amount).
Cloud Hosting and IT Infrastructure: Our Platform is hosted on secure cloud servers (e.g., AWS or Azure data centers). Personal data is stored and processed on these servers. We also use standard cloud-based tools for functions like email delivery ([e.g., SendGrid/AWS SES for sending emails]), data analytics ([e.g., Google Analytics or an Australian-based analytics solution]) – in each case, we aim to choose reputable providers with strong security practices.
Email/CRM and Support Tools: If we use a customer relationship management (CRM) tool or support ticketing system, your contact details and communications with us may pass through those systems. For example, if you email support, your email and our reply might be managed through a third-party helpdesk software. These providers are bound by privacy obligations and only use your info to facilitate our communications with you.
We ensure all service providers are subject to appropriate contracts that enforce confidentiality, data security, and privacy obligations. They are not permitted to use your info for any purpose other than providing services to us.
Business Transfers: If Riskify (or substantially all of its assets) is involved in a merger, acquisition, sale of assets, or corporate restructuring, your personal information may be transferred to the new entity as part of that deal. We would ensure the new owner is bound by terms that protect your data in a manner consistent with this Privacy Policy. We will notify users (for example, via email or a prominent notice on our site) of any change in ownership or use of personal information, as well as any choices you may have regarding your personal information, in the event of such a transaction.
Legal Requirements and Safety: We may disclose personal information if required by law, regulation, legal process, or enforceable governmental request. This includes responding to lawful subpoenas or court orders. We may also disclose information if we believe, in good faith, that it is necessary to: enforce our Terms of Service or other agreements; investigate or protect against harmful activities to our users, employees, or property (including fraud, security incidents or misuse of our Platform); or protect the personal safety or vital interests of any person.
Your Consent: In some cases, you may request or authorize us to share your information with others. For example, if you are using Riskify in collaboration with colleagues and ask us to integrate with another service or share data with another specific third party, we would do so with your direction. Outside of the above scenarios, we will seek your consent before sharing your personal data with third parties for purposes not covered by this Privacy Policy.
4. Cross-Border Disclosure of Personal Information
Riskify is an Australian service, and we primarily store data on servers located in Australia or jurisdictions with equivalent data protection standards. However, certain personal information may be disclosed overseas in order to provide our services effectively – particularly due to our use of international service providers and cloud infrastructure.
The most notable example is our use of OpenAI’s GPT API to generate content. When you use our AI feature, the input text (which could include personal information if you have included any) is transmitted to OpenAI’s servers. OpenAI’s servers are predominantly located in the United States, and possibly other countries for redundancy. Therefore, your data may be processed in the United States or other countries that may not have the same level of data protection laws as Australia. Similarly, if we use email delivery or analytics services based outside Australia (e.g., a US-based email service), some metadata or contact info might go to those systems overseas.
Under Australian Privacy Principle 8 (APP 8), before disclosing personal information to an overseas recipient, we must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. We take the following steps for cross-border data flows:
We choose reputable providers who have strong privacy and security commitments. For example, our contract with OpenAI or other providers includes terms to safeguard your data.
Where feasible, we implement data processing agreements that include standard data protection clauses, requiring the overseas provider to handle personal info in line with Australian standards (or equivalent).
We inform you (as we are doing here) about the potential overseas locations of your data and obtain your consent by virtue of you agreeing to this Privacy Policy and using our services with knowledge of these disclosures. By using Riskify, you consent to this transfer, processing, and storage of your personal information outside of Australia where applicable.
Use of the Platform may involve overseas disclosure of personal information (for example, via OpenAI API processing in the United States). Riskify takes reasonable steps under Australian Privacy Principle 8 to ensure that any overseas recipient will handle such information in a manner consistent with the APPs. Where legally required, users must inform affected individuals that their personal information may be processed outside Australia before inputting it into the Platform.
Please note, if an overseas service provider breaches the APPs, we will, in most cases, be accountable under the Privacy Act for that breach (unless an exception applies). We will continue to monitor our data flows and ensure compliance with any updates in law regarding overseas data transfers. If you have questions about where your data is stored or sent, feel free to contact us.
5. Data Security and Storage
We take data security seriously at Riskify. We employ a variety of administrative, technical, and physical safeguards to protect the personal information we hold against loss, theft, and unauthorized access, use, modification, or disclosure. Some of the measures we implement include:
Encryption: All communications between your browser and our Platform are encrypted using HTTPS (TLS). Any sensitive data (such as passwords or payment details) are additionally encrypted at rest. We follow industry best practices to ensure data is encrypted in transit and storage where appropriate.
Access Controls: Personal information is only accessible to those employees, contractors, and service providers who need access to perform their duties. Our team members are trained on the importance of confidentiality and privacy. We implement role-based access control so that each person only accesses the minimum necessary data. Administrative access to our systems requires strong authentication (such as multi-factor authentication).
Secure Infrastructure: We host our application and database on reputable cloud infrastructure with robust security certifications (such as ISO 27001). Our servers are protected by firewalls, intrusion detection systems, and regular security monitoring. We apply security updates and patches promptly to protect against vulnerabilities.
Backup and Recovery: We perform regular backups of data to prevent loss. Backup data is encrypted and stored securely. In case of any incident, we have a disaster recovery plan to restore availability of the Platform.
Monitoring: We log access and actions within our system and monitor for any unusual activities. Automated alerts may notify us of potential unauthorized access, which we will investigate.
Testing: We conduct periodic security assessments. This may include vulnerability scanning and, occasionally, third-party penetration testing to identify and address potential weaknesses.
Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data; there is always some risk in any online service. You can also play a part in protecting your information: keep your account password secure, avoid sharing login credentials, and notify us immediately if you suspect any unauthorized access to your account. If we become aware of a data breach that is likely to result in serious harm (as defined by the Notifiable Data Breaches scheme under the Privacy Act), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with our legal obligations.
6. Data Retention and Deletion
We retain personal information only for as long as it is needed for the purposes described in this policy or as required by law. How long we keep specific information depends on the type of data and the purposes for which we process it. For example:
Account Data: We will retain your account registration details while your account is active and for a reasonable period after you close your account, in case you decide to reactivate, or for record-keeping purposes. If you delete your account or request deletion, we will remove or anonymize personal data associated with your account, except for data we are required or permitted to keep by law (e.g., financial records for tax/audit).
Generated SWMS and Content: The documents and projects you create on Riskify are stored in your account. If you remain a customer, we will keep this content so you have continuous access. If you cancel your subscription or account, we may keep your generated SWMS for a limited time (for example, 30-60 days) in case you return or need a copy, and thereafter we will delete or anonymize them. If you want them deleted sooner, you can export and remove them yourself, or contact support for deletion.
Communications: Emails and support tickets may be retained for a period (e.g., up to 2 years) to help us reference past communications if you reach out again and to improve our support processes.
Logs and Analytics: Our server logs and analytics data (which may include IP addresses or device info) are typically retained for a shorter period, such as 12 months, for troubleshooting and analysis. We may preserve aggregated, non-identifiable analytics indefinitely for historical analysis.
Legal Records: If any personal data is part of an enforcement action, dispute, or legal requirement, we will retain that information as long as necessary to resolve the issue and comply with law/court orders.
When we no longer need personal information for our business or legal requirements, we will take reasonable steps to destroy it or de-identify it. We aim to ensure that personal information is not kept longer than necessary.
7. Cookies and Tracking Technologies
Riskify uses cookies and similar tracking technologies to provide and optimize our service:
Necessary Cookies: These are essential for the operation of our website. For example, they enable you to log in and stay logged in as you navigate between pages. Without these cookies, certain features (like account login or document editing) would not function.
Functional Cookies: These remember your preferences and settings to enhance your experience. For instance, a cookie might remember your preferred language or that you’ve dismissed a particular notification so it doesn’t pop up again.
Analytics Cookies: We use these to collect information about how users interact with our site (pages visited, time on page, buttons clicked, etc.). This helps us understand usage patterns and improve the Platform. We might use Google Analytics or a similar tool that provides aggregated statistics. The information collected typically includes IP address (truncated or anonymized in some cases), browser type, and pages visited. These analytics data do not directly identify you, and we do not allow analytics providers to use or share the data for their own purposes.
No Third-Party Marketing Cookies: We currently do not use third-party advertising networks or cookies for targeted advertising on our Platform. You will not see third-party ads on riskify.com, so we have not implanted cookies for that purpose. If this ever changes, we will update this policy and ask for consent where required.
Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. You may also clear cookies from your browser at any time. Keep in mind, however, that blocking or deleting cookies might affect the functionality of our service – for example, you might be logged out or certain preferences may not be saved. We have a Cookie & Tracking Policy available (if separate, link provided on our site) which provides more details on the cookies in use and how you can manage them. By continuing to use our site, you consent to our use of cookies as described above, unless you have disabled them through your browser.
8. Your Rights and Choices
As an individual in Australia (and in line with global privacy principles), you have certain rights in relation to your personal information held by Riskify:
Access: You have the right to request access to the personal information we hold about you. Typically, you can do this by logging into your account and viewing information in your profile or settings. If you require additional information or a full copy of your personal data, you can contact us (see Contact section below) to make an access request. We will need to verify your identity before providing access. We will respond within a reasonable time (usually within 30 days). There is generally no fee for an access request, but in rare cases if your request is complex or onerous, we may charge a reasonable fee to cover retrieval costs (we would inform you of any fee and get your agreement before proceeding).
Correction: We take reasonable steps to ensure that the personal information we collect is accurate, up-to-date, and complete. If you believe any information we hold about you is incorrect, incomplete, or out-of-date, you have the right to request that we correct it. You can update much of your information directly through your account settings (e.g., you can change your contact details or update profile info). For anything you cannot change yourself, contact us with the details to update, and we will correct our records. If we disagree that the information is incorrect (uncommon, but for instance if it’s an opinion record or we have a legal reason to keep it as is), we will provide an explanation and you have the right to request we associate a statement with the record noting your disagreement.
Deletion (Right to Erasure): You may request that we delete your personal information. For example, if you have closed your account, you can ask that we remove personal data we still hold. Note that we may need to retain certain information for lawful purposes (see Data Retention section above). If data can be deleted, we will take reasonable steps to do so, or if deletion is not feasible, we can discuss anonymization. Account data can be deleted by contacting support; generated documents that you wish to remove can be deleted from your account interface.
Withdrawal of Consent: Where our processing of your personal information is based on consent (for example, if you agreed to receive marketing emails), you have the right to withdraw your consent at any time. You can unsubscribe from marketing emails via the link in those emails or adjust settings in your account if available. For any other consents, contact us to let us know you withdraw consent. Note that withdrawal of consent will not affect processing already carried out, and if you withdraw consent for essential processing (like the AI processing of your inputs), we may not be able to provide the service properly.
Complaints: If you have a concern or complaint about how we have handled your personal information, you have the right to lodge a complaint with us and/or with the Office of the Australian Information Commissioner (OAIC). We encourage you to contact us first, so we can attempt to resolve your issue directly. We take privacy complaints seriously and will work to address your concerns in a timely manner. See the “Contact Us” section below for how to reach us and our internal complaint process.
No fee generally: You will not have to pay a fee to exercise the above rights (access, correction, deletion), except in the limited circumstance mentioned for complex access requests. We will inform you beforehand if any charges apply.
We also note, for completeness, that as we are an Australian business primarily serving Australian users, rights like the EU’s GDPR rights (e.g., data portability or objection) are not explicitly provided here; however, many of the core principles overlap with the APP rights above. If you are an overseas user (e.g., in EU or elsewhere) and believe you have certain statutory privacy rights, please contact us and we will try to honor reasonable requests in line with applicable laws.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. When we do, we will revise the “Last updated” date at the top of this policy. If changes are significant, we will provide a more prominent notice – for example, by placing a notice on our website or by emailing you (if the changes materially affect your rights or how we use your data). We encourage you to review this policy periodically to stay informed about how we are protecting your information. Your continued use of Riskify after any update constitutes your acceptance of the revised Privacy Policy.
10. Contact Us
If you have any questions, comments, or concerns about this Privacy Policy or about how we handle your personal information, please contact us:
Email: privacy@riskify.com.au (or support@riskify.com.au)
Postal Mail: Privacy Officer, Riskify Pty Ltd, [Address, City, State, Postcode, Australia]
We will respond to privacy inquiries as soon as reasonably possible, generally within 10 business days. If you make a complaint, we will:
Acknowledge your complaint in writing (usually within 5 business days).
Investigate the issue by reviewing our relevant records and speaking with the team members involved.
Provide you with a written response outlining the outcome of our investigation and any steps we will take to address your concerns. We aim to do this within 30 days of receiving the complaint. If we need more time (due to complexity), we will let you know the reason and an expected timeframe.
If you are not satisfied with our response, you can escalate the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted at 1300 363 992 or via their website www.oaic.gov.au. The OAIC can investigate privacy complaints and has the authority to make determinations and issue directions to organizations to take certain steps.
Thank you for trusting Riskify with your Safe Work Method Statement needs. We value your privacy and will continue to safeguard your personal information.