SiSat – Privacy Policy (Australia)
1. Introduction
SiSat only provides services to schools and education institutions located in Australia. We do not provide services to customers based in other countries, including (but not limited to) the United States, the European Union, the United Kingdom and New Zealand.
Your privacy is important to us. SiSat is committed to protecting your personal information and maintaining your trust.
This Privacy Policy describes how we collect, handle, use, disclose and store your personal information, and how we comply with:
- Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- Privacy Amendment (Enhancing Privacy Protection) Act 2012; and
- Privacy Amendment (Notifiable Data Breaches) Act 2017.
In this Privacy Policy, “SiSat”, “we”, “us” and “our” refer to School Information Systems & Technology, a business of KD Facility Services Pty Ltd (ABN 42 640 639 943), with its registered office at Level 1, 141 O'Connell Street, North Adelaide, South Australia 5006.
This Privacy Policy explains how we look after your personal information where it is collected either directly from you or via a third party, including when you:
- visit our sites or portals under the sisat.com.au domain (our “Website(s)” and “SiSat Platform”);
- download or use our software and mobile applications (for example, the SiSat FMS Android app);
- use other services that link to this Privacy Policy; or
- communicate with us by email, phone, in writing or in person.
When we refer to “Services” we mean the sisat.com.au domain and associated subdomains, all related websites, products, services, software, the SiSat SaaS platform, and our mobile or desktop applications.
Please read this Privacy Policy together with any other privacy notice or fair collection notice we may provide on specific occasions. This Privacy Policy supplements those notices and is not intended to override them.
2. Definitions
In this Privacy Policy:
- Client – a school or education customer of SiSat (paid or free trial).
- Client Data – personal data, records, addresses, files and other information in electronic form that a Client or User provides to us through the Services.
- Public Area – parts of the Website, applications or SiSat platform that can be accessed without logging in.
- Restricted Area – parts of the Website, applications or SiSat platform that can only be accessed by logged-in Users.
- User – an employee, contractor, student, parent, guardian or representative of a Client who uses the Restricted Areas of the Services.
- Visitor – an individual who uses the Public Areas but does not have access to Restricted Areas.
- WWCC – Working With Children Check (Department of Justice, Victoria, Australia).
- KDFS – KD Facility Services Pty Ltd and its businesses and trading entities (the “KDFS Group”).
3. Our role
Our role in relation to your personal information depends on how you interact with us:
- Direct interactions with SiSat
  For most personal information collected:
  - via our Websites (for example, contact forms, enquiries);
  - where we market directly to you; or
  - where you contact us directly,
- Use of the SiSat Platform by schools
  For most personal information stored inside the SiSat platform, applications or portals, SiSat acts as a service provider to the relevant school or education institution. The school (Client) is primarily responsible for how that personal information is collected and used. We process Client Data on the instructions of the Client.
- Questions about your data
  If you have questions about your data or SiSat account, you may email [email protected]. Please include:
  - the URL of the service/portal you are using;
  - your full name; and
  - your username or account ID (if available).
4. Personal information we collect
“Personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not.
The type and amount of personal information we collect will depend on how you use the Services, your role (for example, staff, parent, contractor, student) and the choices made by your school or organisation. The following categories may be collected:
- Identity Data – name, title, date of birth, gender, username or similar identifier, city, profile photo URL, and unique identifiers.
- Contact Data – billing and delivery addresses, email address, phone numbers, school or workplace details, and location information.
- Financial Data – bank account details, payment card details and billing information (where applicable).
- Transaction Data – details of payments to and from you and other details of products or services you or your school have purchased from us.
- Technical Data – device identifiers, IP address, login data, browser type and version, time-zone settings, browser plug-in types and versions, operating system, platform, and details of pages you visit before or after using the Services.
- Profile Data – usernames, passwords, preferences, feedback, survey responses, and records of interactions with the Services.
- Usage Data – information about how you use our Websites, applications and platform features.
- Location Data – information about your approximate or actual location, where location services are enabled.
- Special category/sensitive information – in some cases, and usually under the control of a school client, this may include details about health (for example, medical/sickbay records), and other information required to support duty of care and safety obligations. The extent and type of sensitive information is determined by the school.
- Marketing and Communications Data – your preferences in receiving marketing from us and your communication settings.
We may also create and use aggregated or de-identified data, such as statistics or analytics about how the Services are used. Aggregated data does not identify individuals and is not treated as personal information under privacy law. If we combine this data with other information so that it can identify you, we will treat it as personal information.
We do not intentionally provide areas of the platform for collecting criminal conviction records. In Victoria and other states, we may record limited information relating to the validity or status of a WWCC (Working With Children Check) for staff, contractors or volunteers, where required by the school.
Where we need to collect personal information by law, or under a contract we have with you or your school, and you do not provide that information, we may not be able to provide access to certain features or services.
5. How we collect personal information
We collect personal information in several ways, including:
- Directly from you – for example, when you:
  - create or update an account;
  - use the Websites, applications or SiSat platform;
  - complete forms, surveys, bookings or requests;
  - interact with messaging or communication tools within the Services;
  - use self-service terminals, canteen POS or contractor/visitor check-in services;
  - request support or contact us; or
  - subscribe to newsletters or other communications.
- Automatically – as you use the Services, we collect Technical, Usage and Location data using cookies, pixels, “clear gifs”, local storage, beacons, and similar technologies. Please see our Cookie Policy for more details.
- Integrated services – you may be able to sign in or connect to the Services using third-party accounts (for example, Google Workspace, Microsoft 365 or SSO providers). These services may share certain information with us. You should review the privacy settings and policies of any integrated service you choose to connect.
- Via Clients and Users – schools and authorised staff may enter or upload information about you into the platform. In these cases, the school is responsible for ensuring it has the appropriate legal basis and notices in place. This may include Identity, Contact, Financial and sensitive information.
- From third parties or public sources – such as analytics providers (e.g. Google, Cloudflare), payment providers, credit-reporting bodies, or public registers such as ASIC and ABR.
- Other KDFS Group entities – where they provide related or supporting services to SiSat.
6. How we use personal information
We will only use your personal information when permitted by law. Common reasons include:
- to perform a contract with you or your school;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and rights do not override those interests;
- where we need to comply with a legal obligation; or
- where you have given your consent.
Examples of how we use personal information include:
- Registration and account management – to register you as a user, create and manage user accounts, and provide login access.
- Delivery of services – to operate, maintain and provide all features of the Services, including responding to enquiries, support requests and operational needs.
- Duty of care and school operations – to assist Clients in fulfilling their duty of care, enrolment and operational obligations (for example, attendance, medical/sickbay records, visitor management).
- Payments – to process payments, fees and charges (where applicable), and to recover amounts owed.
- User interaction – to enable communication and interaction between Users where permitted by the school (e.g. messaging, notice boards, visitor flows).
- Communications – to send service messages, changes to terms or policies, security alerts, and administrative notices.
- Marketing – to send you information about features, updates, events or services that may be relevant to your role, consistent with your preferences and legal requirements.
- Maintenance and security – to troubleshoot, test, monitor, audit, support and secure the Services, including fraud prevention and network security.
- Improvements and analytics – to understand how the Services are used, to develop new features and improve design, performance and user experience.
- Cookies and tracking – to personalise content, remember settings, and measure performance of the platform and communications.
We may use personal information for other purposes that are compatible with the above, or where you have consented. If we need to use your personal information for a purpose unrelated to the reason it was collected, we will normally inform you and explain the legal basis.
7. Children’s information
Because we provide services to schools, we may collect, store and process personal information about children and young people. We apply additional care to this information, including:
- implementing appropriate technical and organisational security measures;
- requiring all SiSat staff and contractors to hold a valid and current WWCC (where relevant) and follow our Child Safe policies and frameworks; and
- limiting use of children’s information strictly to educational, safety and operational purposes as directed by the school.
8. Marketing and your choices
We aim to provide you with control over how your personal information is used for marketing:
- You may receive updates or service-related communications where you use our Services or have requested information from us.
- We may send limited marketing based on your role (for example, admin user or principal), but you can opt out at any time.
- We will seek your express consent before sharing your details with non-associated third parties for their own direct marketing.
Schools may also use the platform to send notices or communications to their own communities. If you wish to stop receiving those, you should contact the school directly.
You can manage marketing preferences or opt out via the instructions in our messages or by contacting [email protected].
9. Biometric and two-factor authentication (2FA)
Some Clients may enable biometric or 2FA options (for example, fingerprint or facial recognition on your device, or one-time codes) to improve security and speed up authentication.
Where used, biometric data is generally handled by your device or operating system provider (e.g. Apple, Google, Microsoft). SiSat does not store your raw biometric data. Any use of 2FA tokens or similar is subject to our security frameworks and the relevant school’s policies.
10. Payment and EFTPOS services
Where we provide payment or EFTPOS features, you may be able to link your credit or debit card details to the platform. We use tokenisation to reduce the need to re-enter card details.
We do not store full card numbers in our systems. Instead:
- card details are sent securely to our payment provider;
- we store a token (reference key) and limited card details such as card type, expiry and last four digits for identification purposes;
- our payment provider is PCI DSS compliant.
You can find more information about PCI DSS at: www.pcisecuritystandards.org.
11. Disclosing personal information
We may share personal information with:
- Other KDFS Group entities – where they provide related or support services (such as hosting, support or maintenance).
- Professional advisers – including lawyers, bankers, auditors and insurers, where required for advice, compliance and business operations.
- Payment providers and financial institutions – for payment processing, refunds, fraud detection and related services.
- Analytics and infrastructure providers – such as Google, Cloudflare or similar, for hosting, security, analytics and performance monitoring.
- Government agencies and regulators – where required by law, regulation or to assist with enforcement, safety or compliance.
- Third parties in a business transaction – such as a merger, acquisition or sale of assets, where personal information may be transferred as part of that transaction.
- Integrated service providers – such as school-approved photo providers, learning platforms or identity providers, where the Client has chosen to integrate those services and we share data strictly for that purpose.
We require all third parties to protect your personal information and use it only for the purposes we specify, in accordance with privacy law and our instructions.
We may also disclose personal information:
- where required to comply with law, court orders or regulatory requests;
- to protect someone’s vital interests (for example, in an emergency); or
- to establish, exercise or defend legal claims.
12. Support and international ICT engineers
All day-to-day customer support is provided by Australian-based SiSat staff.
In some cases, we may engage specialist infrastructure or engineering support. Any such access is tightly controlled, limited to what is necessary, and designed to avoid exposing identifiable personal information to non-Australian support personnel wherever practicable.
You acknowledge that personal information published to public-facing areas of the platform may be accessible via the internet worldwide. We cannot control how others use information you choose to make public.
13. Data security
We use a range of technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. These include:
- encrypted connections (SSL/TLS) to access the SiSat platform;
- restricted access based on role and need-to-know;
- logging and monitoring of access and system activity;
- physical and logical security controls in our hosting environments; and
- staff training and confidentiality obligations.
We have procedures in place to manage suspected data breaches and will notify affected parties and regulators where required under the Notifiable Data Breaches scheme.
The SaaS platform is optimised for modern browsers. Our preferred supported browsers are Google Chrome and modern Chromium-based browsers.
14. Data retention
We retain personal information only for as long as reasonably necessary to:
- deliver the Services to you and our Clients;
- meet legal, regulatory, tax or accounting requirements; and
- resolve disputes and enforce agreements.
Retention periods may vary depending on the type of information and the requirements of the school or education authority. Where possible, we de-identify or aggregate information when it is no longer required in identifiable form.
In some cases, schools may control their own retention settings inside the platform. In those cases, you should contact the school for more information about how long your information is kept.
15. Your privacy rights
Depending on your circumstances and the laws that apply, you may have rights to:
- Access – request access to the personal information we hold about you.
- Correction – request correction or updating of inaccurate or incomplete information.
- Deletion – request deletion of information in some circumstances (subject to legal and contractual obligations).
- Restriction – request that we limit how we use your information in certain situations.
- Objection – object to certain types of processing, including direct marketing.
- Data portability – request a copy of certain information in a machine-readable format, where technically feasible.
- Withdraw consent – where we rely on consent, you may withdraw it at any time.
Where your account is provided through a school or education organisation, that organisation will often be the primary contact for privacy requests. Please direct your request to your school in the first instance. If needed, we can assist the school in responding.
To make a request to SiSat directly, please contact: [email protected].
We may need to verify your identity before responding. We aim to respond within a reasonable time. We will not charge a fee for most requests, but may charge a reasonable amount or refuse a request if it is clearly unfounded, repetitive or excessive.
16. Third-party links
Our Websites, applications and the SiSat platform may contain links to third-party websites, plug-ins or applications. Clicking those links or enabling those connections may allow third parties to collect or share information about you.
We do not control these third-party sites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every site you visit.
17. Contact details
If you have questions about this Privacy Policy or our privacy practices, including any request to exercise your rights, please contact:
School Information Systems & Technology – Privacy Officer
KD Facility Services Pty Ltd
Level 1, 141 O'Connell Street
North Adelaide SA 5006
Email: [email protected]
18. Complaints
If you have a concern or complaint about how we handle your personal information, please contact us using the details above. We will acknowledge and investigate your complaint and aim to respond within a reasonable timeframe.
You also have the right to lodge a complaint with the Australian regulator:
Office of the Australian Information Commissioner (OAIC)
GPO Box 5218
Sydney NSW 2001
Website: https://www.oaic.gov.au/
19. Changes to this Privacy Policy
We review this Privacy Policy regularly and may update it from time to time. The “Last updated” date at the top of this page indicates the most recent version.
We encourage you to check this page periodically to stay informed about how we protect your information. If we make material changes, we may provide a more prominent notice (for example, via the platform or by email).
It is important that the personal information we hold about you is accurate and current. Please keep your school and/or SiSat informed if your details change.