PRIVACY POLICY
FLOSMOSIS PTY LTD
ACN [To be inserted]
Effective Date: [Date]
Version: 1.0
1. WHO WE ARE
FLOSMOSIS PTY LTD (ACN [insert]) (FLOSMOSIS, we, us, our) operates a workforce time verification platform for the Australian construction labour hire industry.
Our registered office is at [address].
We are committed to protecting the privacy of the personal information we collect and hold. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1.1 Application of the Privacy Act
⚠️ Regulatory note: The Privacy Act 1988 (Cth) applies to FLOSMOSIS. The previous small business exemption (for businesses with annual turnover of $3 million or less) has been progressively removed through 2024–2025 reforms, bringing approximately 95% of Australian businesses under the Act's scope. Additionally, FLOSMOSIS handles personal information of third-party workers (not its own employees), which would have triggered obligations even under the previous regime. FLOSMOSIS is therefore subject to the full requirements of the Australian Privacy Principles (APPs 1–13).
2. WHAT INFORMATION WE COLLECT
2.1 Worker Information
We collect the following personal information about Workers whose time is recorded and verified through the Platform:
| Category | Information Collected | Purpose |
|---|---|---|
| Identity | Full name | Identifying the Worker for shift records |
| Contact | Mobile phone number | OTP verification via SMS for clock-in/clock-out |
| Location | GPS coordinates at clock-in and clock-out | Verifying the Worker's presence at the designated worksite |
| Shift Data | Clock-in time, clock-out time, shift duration, worksite, verification status | Recording and verifying hours worked |
| Verification | OTP verification records, hash chain verification records | Maintaining the integrity of shift records |
2.2 Supervisor Information
| Category | Information Collected | Purpose |
|---|---|---|
| Identity | Full name | Identifying the Supervisor |
| Contact | Email address, phone number | Communicating shift confirmations and notifications |
| Actions | Shift confirmation records, approval timestamps | Recording Supervisor confirmations |
2.3 Customer (Employer) Information
| Category | Information Collected | Purpose |
|---|---|---|
| Business | Company name, ABN, business address | Identifying and administering the Customer account |
| Contact | Contact person name, email, phone | Account management and support |
| Billing | Payment information (processed via third-party payment provider) | Subscription billing |
3. HOW WE COLLECT INFORMATION
3.1 Collection Methods
We collect personal information:
- (a) Directly from the Customer — when the Customer sets up an account and registers Workers and Supervisors;
- (b) From Workers — when Workers interact with the Platform via SMS OTP verification and clock-in/clock-out events;
- (c) Automatically — GPS coordinates are collected automatically from Workers' mobile devices at the time of clock-in and clock-out; and
- (d) From Supervisors — when Supervisors confirm shift records through the Platform.
3.2 Consent
- (a) Worker personal information is provided to FLOSMOSIS by the Customer (the Worker's employer or labour hire company). The Customer warrants that it has obtained all necessary consents from Workers for the collection, use, and disclosure of their personal information by FLOSMOSIS.
- (b) Workers are informed of the collection of their personal information (including GPS data) through:
  - (i) the initial SMS message sent when the Platform is first used;
  - (ii) information provided by the Customer; and
  - (iii) this Privacy Policy (available on the FLOSMOSIS website).
- (c) If we collect personal information from a third party (i.e., from the Customer rather than directly from the Worker), we take reasonable steps to ensure that the individual has been made aware of the matters covered by APP 5 (notification of the collection of personal information).
4. WHY WE COLLECT INFORMATION
We collect personal information for the following purposes:
- (a) to provide the FLOSMOSIS workforce time verification service to our Customers;
- (b) to record and verify hours worked by Workers;
- (c) to send OTP verification messages to Workers via SMS;
- (d) to capture and record GPS coordinates for worksite verification;
- (e) to create tamper-evident shift records using the WLES hash chain methodology;
- (f) to enable Supervisors to confirm and manage shift records;
- (g) to administer Customer accounts and billing;
- (h) to improve and develop the Platform;
- (i) to communicate with Customers and their Authorised Users;
- (j) to comply with legal and regulatory obligations; and
- (k) to protect our rights and the rights of our Customers and Workers.
Strictly for time verification: We collect and use personal information strictly for the purpose of workforce time verification. We do NOT use personal information to calculate wages, award entitlements, superannuation, or tax, and we do NOT provide payroll services.
5. HOW WE USE INFORMATION
We use personal information in accordance with APP 6 — only for the primary purpose for which it was collected, or for a directly related secondary purpose that would reasonably be expected by the individual.
Specifically:
- (a) Worker Data is used to provide the time verification service and to generate shift records;
- (b) GPS data is used solely to verify Worker presence at the worksite at clock-in and clock-out — it is NOT used for continuous tracking;
- (c) Supervisor information is used to manage shift confirmations;
- (d) Customer information is used for account administration and billing; and
- (e) Aggregated, de-identified data may be used for analytics and service improvement purposes.
6. WHO WE SHARE INFORMATION WITH
6.1 Customer Access
Each Customer can only access the personal information of their own Workers and Supervisors. Customers cannot access the data of other Customers' Workers.
6.2 Third-Party Service Providers
We share personal information with the following third-party service providers, who process data on our behalf:
| Provider | Service | Data Shared | Location |
|---|---|---|---|
| Twilio | SMS delivery (OTP verification) | Worker mobile phone numbers, OTP messages | USA (with data processing agreements in place) |
| Supabase | Database hosting and data storage | All Customer Data, Worker Data, Shift Data | Australia / USA (depending on instance configuration) |
| Resend | Email delivery | Email addresses, notification content | USA |
| Vercel | Application hosting | Application data processed during server-side rendering | USA / Australia (edge network) |
6.3 Overseas Disclosure — APP 8
Where personal information is disclosed to overseas recipients (as listed above), FLOSMOSIS takes reasonable steps to ensure that the overseas recipients:
- (a) comply with the Australian Privacy Principles (or substantially similar privacy protections); and
- (b) are bound by contractual obligations to protect personal information.
6.4 Other Disclosures
We may also disclose personal information:
- (a) where required or authorised by law (including by court order or subpoena);
- (b) to law enforcement agencies in connection with an investigation;
- (c) to our professional advisers (lawyers, accountants) in confidence;
- (d) in connection with a sale, merger, or acquisition of FLOSMOSIS's business (subject to confidentiality obligations on the acquirer); or
- (e) where necessary to lessen or prevent a serious threat to the life, health, or safety of any individual.
6.5 No Sale of Personal Information
FLOSMOSIS does not sell personal information to third parties for marketing or any other purpose.
7. GPS AND LOCATION DATA
7.1 GPS Data Collection
- (a) The Platform collects GPS coordinates from Workers' mobile devices at two specific points:
  - (i) Clock-in: GPS coordinates are captured at the time the Worker clocks in; and
  - (ii) Clock-out: GPS coordinates are captured at the time the Worker clocks out.
- (b) No continuous tracking: FLOSMOSIS does NOT continuously track Workers' locations. GPS data is captured only at the discrete clock-in and clock-out moments.
7.2 Purpose
GPS data is collected for the sole purpose of verifying that the Worker was at or near the designated worksite at the time of clock-in and clock-out. It is used to:
- (a) provide evidence of worksite presence to the Customer;
- (b) detect potential discrepancies between the Worker's location and the designated worksite; and
- (c) form part of the tamper-evident shift record under WLES.
7.3 Sensitivity of GPS Data
⚠️ Regulatory analysis: Under the Privacy Act 1988 (Cth), "sensitive information" is defined in s 6(1) and includes information about health, genetics, biometrics, criminal record, and sexual orientation — but does NOT explicitly include location data. GPS coordinates are therefore classified as personal information (not sensitive information) under the current Act. However:
- (a) The Office of the Australian Information Commissioner (OAIC) has recognised that location data can reveal sensitive details about individuals and should be treated with a high degree of care.
- (b) Privacy reform proposals have considered whether location data should be classified as sensitive information.
- (c) As a matter of best practice, FLOSMOSIS treats GPS data with the same level of care as sensitive information, including limiting collection to what is strictly necessary and not using GPS data for any purpose other than worksite verification.
7.4 Worker Awareness
Workers are informed of GPS data collection through:
- (a) the Customer's obligation to inform Workers before they use the Platform;
- (b) the initial SMS interaction when a Worker first uses the Platform; and
- (c) this Privacy Policy.
8. DATA SECURITY
8.1 Security Measures
FLOSMOSIS implements the following security measures to protect personal information:
- (a) Encryption: Data is encrypted in transit using TLS/SSL and at rest using AES-256 encryption (or equivalent);
- (b) Access controls: Role-based access controls ensure that only authorised personnel can access personal information;
- (c) Authentication: Multi-factor authentication for FLOSMOSIS administrative access;
- (d) WLES Hash Chain: Shift records are secured using SHA-256 hash chain verification, which creates a tamper-evident record of each shift event. If any record is altered after creation, the hash chain will be broken, indicating tampering;
- (e) Supabase security: Customer Data is stored in Supabase's managed PostgreSQL database infrastructure, which includes Row Level Security (RLS) policies to enforce data isolation between Customers;
- (f) Regular review: FLOSMOSIS conducts regular reviews of its security practices and updates them as necessary.
Note: FLOSMOSIS does not warrant that the SHA-256 hash chain creates legally admissible evidence or constitutes a legally recognised digital signature. The hash chain provides a technical mechanism for detecting unauthorised modifications to shift records. Its legal status and evidentiary weight are matters for the relevant court or tribunal.
8.2 Notifiable Data Breaches
FLOSMOSIS complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If FLOSMOSIS becomes aware of an eligible data breach (or suspects an eligible data breach has occurred), it will:
- (a) conduct an assessment within 30 days to determine whether the breach is likely to result in serious harm to any individual;
- (b) if the breach is an eligible data breach, notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable; and
- (c) take reasonable steps to contain the breach and mitigate its impact.
8.3 Customer Notification
In the event of a data breach affecting Customer Data, FLOSMOSIS will notify the Customer as soon as practicable after becoming aware of the breach.
9. DATA RETENTION
9.1 Retention Period
- (a) FLOSMOSIS retains Customer Data for the duration of the Customer's subscription and for 90 days after termination, during which the Customer may export the data.
- (b) After the 90-day post-termination period, FLOSMOSIS will take reasonable steps to destroy or de-identify the personal information, unless retention is required or authorised by law.
9.2 Legal Requirements
FLOSMOSIS may retain personal information for longer periods where required by law, including:
- (a) records required for tax or accounting purposes (7 years under tax legislation);
- (b) records required by any court order, subpoena, or regulatory directive; and
- (c) records required for FLOSMOSIS's legitimate legal interests (e.g., in connection with a dispute).
9.3 De-identification
Where FLOSMOSIS de-identifies personal information for analytical or research purposes, the de-identified data will not be re-identified.
10. ACCESS AND CORRECTION
10.1 Access
- (a) Under APP 12, individuals have the right to request access to the personal information FLOSMOSIS holds about them.
- (b) To request access, contact FLOSMOSIS at the contact details in clause 12. FLOSMOSIS will respond to access requests within 30 days.
- (c) FLOSMOSIS may charge a reasonable fee for providing access to information, reflecting the cost of retrieval and provision.
- (d) FLOSMOSIS may refuse access in the circumstances permitted by APP 12.3, including where access would unreasonably impact the privacy of other individuals.
10.2 Correction
- (a) Under APP 13, individuals have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- (b) To request correction, contact FLOSMOSIS at the contact details in clause 12. FLOSMOSIS will respond to correction requests within 30 days.
- (c) If FLOSMOSIS refuses to correct personal information, FLOSMOSIS will provide reasons in writing and advise the individual of their right to make a complaint.
10.3 Worker Access
Workers who wish to access or correct their personal information should, in the first instance, contact their employer (the Customer). If the Customer is unable to assist, the Worker may contact FLOSMOSIS directly.
11. COMPLAINTS
11.1 Internal Complaints
If you have a complaint about how FLOSMOSIS handles personal information, you may contact us at the details in clause 12. We will:
- (a) acknowledge receipt of the complaint within 5 Business Days;
- (b) investigate the complaint; and
- (c) provide a written response within 30 days.
11.2 External Complaints
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Post: GPO Box 5218, Sydney NSW 2001
12. CONTACT DETAILS
Privacy Officer
FLOSMOSIS PTY LTD
[Registered office address]
Email: privacy@flosmosis.com
Phone: [phone number]
Website: www.flosmosis.com
13. CHANGES TO THIS POLICY
FLOSMOSIS may update this Privacy Policy from time to time. We will notify Customers of material changes by email and will update the "Effective Date" at the top of this Policy. The current version of this Privacy Policy is always available on the FLOSMOSIS website.
14. AUSTRALIAN PRIVACY PRINCIPLES — COMPLIANCE SUMMARY
| APP | Subject | FLOSMOSIS Compliance |
|---|---|---|
| APP 1 | Open and transparent management of personal information | This Privacy Policy; internal privacy procedures |
| APP 2 | Anonymity and pseudonymity | Workers must be identified for time verification; anonymity is not practicable for this service |
| APP 3 | Collection of solicited personal information | Only personal information reasonably necessary for time verification is collected |
| APP 4 | Dealing with unsolicited personal information | Any unsolicited personal information not required is destroyed or de-identified |
| APP 5 | Notification of the collection of personal information | Workers are notified via Customer, initial SMS, and this Policy |
| APP 6 | Use or disclosure of personal information | Used only for primary purpose (time verification) or directly related secondary purposes |
| APP 7 | Direct marketing | FLOSMOSIS does not use Worker personal information for direct marketing |
| APP 8 | Cross-border disclosure of personal information | Overseas disclosures to Twilio, Supabase, Resend, Vercel — contractual protections in place |
| APP 9 | Adoption, use or disclosure of government related identifiers | FLOSMOSIS does not collect government identifiers (TFN, Medicare, etc.) |
| APP 10 | Quality of personal information | Reasonable steps to ensure accuracy and currency |
| APP 11 | Security of personal information | Encryption, access controls, hash chain verification, NDB compliance |
| APP 12 | Access to personal information | Individuals may request access (clause 10.1) |
| APP 13 | Correction of personal information | Individuals may request correction (clause 10.2) |
End of Document
© 2026 FLOSMOSIS PTY LTD. Flostruction is a product of FLOSMOSIS PTY LTD.