Privacy Policy

1. Introduction

HyEnergy Solutions Pty Ltd ("we", "our", or "us") operates this web application to provide design services, project management tools, training resources, and related software products. We are committed to protecting your personal information and your right to privacy.

As an organisation with an annual turnover exceeding $3 million, we are required to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy outlines how we manage personal information in accordance with these legal requirements and our commitment to protecting your privacy.

If you have any questions or concerns about this privacy notice, or our practices with regard to your personal information, please contact us using the Contact page or email legal@hyenergysolutions.com.au.

2. Information We Collect

We collect the following types of information:

• Account Information — including your name, email address, password, user roles, and account status (pending approval, approved, banned).
• Contact and Company Details — such as company information, postal address, phone number, ABN (Australian Business Number), and contact person details when you submit project forms or register.
• Project Data — including project submissions, form templates, project details, development addresses, lot numbers, council authorities, and any attachments you upload through our platform.
• Training Progress — records of training videos viewed, completion status, and learning progress through our training system.
• Usage and Activity Data — including your IP address, browser type and version, device information, pages you visit, login attempts, user actions, and the date/time of each activity. We log both successful and failed authentication attempts for security purposes.
• API Usage Data — when you use our API services, we collect authentication tokens, request details, and usage patterns.
• File Uploads — documents, images, videos, and other files you upload to our platform for project submissions or training purposes.
• Communication Records — messages sent through contact forms, feedback submissions, and bulk email interactions.
• Cookies and Similar Technologies — small data files stored on your device that help us improve site performance, maintain user sessions, and provide authentication services.
• Biometric Authentication Data — when using passkeys/WebAuthn, we store cryptographic credentials and authentication data on your device and our servers.

3. Anonymity and Pseudonymity

Under the Australian Privacy Principles, you have the right to deal with us anonymously or using a pseudonym where it is lawful and practicable to do so. However, due to the nature of our services, we generally require you to identify yourself when:

• Creating an account to access our platform and client portal services
• Submitting project forms and electrical design requests that require accurate contact and business information
• Accessing training materials and tracking certification progress
• Using API services that require authenticated access
• Engaging with our professional electrical design and consulting services

This identification requirement is necessary to provide you with our account-based services, maintain accurate project records, ensure security, and fulfill our professional obligations. For general enquiries through our contact form, you may choose to provide limited information if preferred.

4. How We Use Your Information

We use your information to:

• Provide, operate, and maintain our web application and services.
• Process and manage user account registrations, including our approval-based registration system.
• Authenticate users and maintain secure access to accounts, including passkey/WebAuthn authentication.
• Manage project submissions, form sharing, and template services.
• Track training progress and provide educational content.
• Process API requests and maintain API access tokens.
• Store and manage uploaded files and documents.
• Process enquiries and service requests through contact forms and support channels.
• Send administrative information, such as account approvals, confirmations, invoices, technical notices, updates, security alerts, and support messages.
• Prevent fraud, enforce our terms of service, and maintain platform security through activity logging and monitoring.
• Improve and personalise our services based on usage patterns and user feedback.
• Monitor and analyse usage and activity trends to enhance the user experience and platform performance.
• Comply with our legal obligations and resolve disputes.
• Enable administrative functions such as user management, content moderation, and technical support.

5. Sharing Your Information

We only share your information in the following situations:

• Service Providers — We may share data with trusted third-party vendors who perform services for us, including:
  • Cloudflare — for DNS management, content delivery, security, and bot protection via Turnstile CAPTCHA
  • Namecheap — for domain registration and web hosting
  • Amazon Web Services (AWS) — for cloud file storage and infrastructure services
  • Sentry — for error monitoring, performance tracking, and application diagnostics
  • Matomo — for website analytics and usage insights (self-hosted on Oracle Cloud infrastructure)
  • Email delivery services for notifications and administrative communications
• Project Sharing — When you create and share project forms using our platform, the shared information is accessible to recipients with the appropriate access tokens.
• Administrative Access — Administrators may access user information for account management, technical support, content moderation, and platform maintenance purposes.
• Legal Requirements — We may disclose your information if required to do so by law or in response to valid requests by public authorities.
• Business Transfers — If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction.
• Safety and Security — We may share information when necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, threats to safety, or violations of our terms of service.

6. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law. In accordance with APP 11, we have implemented processes to continually assess whether personal information needs to be retained and routinely destroy or de-identify information that is no longer required.

Specifically, our data retention practices include:

• Active Accounts — User data is retained while your account remains active.
• Project Data — Project submissions and related data are retained to maintain service continuity and historical records, subject to periodic review for ongoing necessity.
• Training Records — Training progress and completion data is retained to track learning history.
• Activity Logs — Security and activity logs are retained for fraud prevention and security monitoring purposes, then routinely deleted or de-identified when no longer required.
• Rejected Applications — Information from rejected account applications is retained to prevent re-registration with the same email address.
• API Tokens — Authentication tokens remain valid until manually revoked or expired.

7. Your Rights

Under the Australian Privacy Principles, you have certain rights regarding your personal information, including:

• Access — Request access to the personal information we hold about you.
• Correction — Request correction of inaccurate or incomplete personal information.
• Deletion — Request deletion of your personal information, subject to legal and operational requirements.
• Restriction — Request restriction of processing of your personal information.
• Data Portability — Request transfer of your data to another service provider where technically feasible.
• API Access Control — Manage and revoke API tokens and access permissions through your account settings.

To exercise these rights, please contact us using the details provided on our Contact page. Please note that some data may be retained for legal, security, or operational purposes even after a deletion request.

Privacy Complaint Handling

If you have concerns about how we handle your personal information, you have the right to lodge a complaint. Our complaint handling process is:

1. Submit Your Complaint — Contact us using our Contact page or email legal@hyenergysolutions.com.au with details of your privacy concern.
2. We Will Respond — We will acknowledge your complaint and provide a substantive response within 30 days.
3. Escalation to OAIC — If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
   • Phone: 1300 363 992
   • Email: enquiries@oaic.gov.au
   • Web Form: Online Complaint Form
   • Website: www.oaic.gov.au

The OAIC has the authority to investigate privacy complaints and may impose penalties of up to $1.8 million for corporate entities found to have seriously or repeatedly interfered with an individual's privacy.

8. Security

We implement comprehensive technical and organisational measures to protect your information, including:

• Authentication Security — Multi-factor authentication options, passkey/WebAuthn support, and secure password requirements.
• Access Controls — Role-based permissions, session management, and administrative access logging.
• Data Protection — Encryption of sensitive data, secure file storage, and protected data transmission.
• Monitoring — Activity logging, failed login attempt tracking, and automated security monitoring.
• Infrastructure Security — Secure hosting environments, regular security reviews, and industry-standard security practices.

However, no internet transmission or storage system can be guaranteed to be 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Serious Privacy Invasions

As of 10 June 2025, Australia introduced a new statutory tort for serious invasions of privacy. This means that individuals now have the legal right to sue organisations or individuals who intentionally or recklessly invade their privacy in a serious manner.

We are committed to respecting your privacy rights and have implemented policies and procedures to prevent any serious invasions of privacy. If you believe we have seriously invaded your privacy, you have the right to:

• Lodge a complaint with us using our complaint handling process outlined in Section 7
• Escalate your complaint to the OAIC
• Seek legal remedies through civil action if the invasion was intentional or reckless and caused serious harm

10. Account Registration and Approval

Our platform uses an approval-based registration system. When you register for an account:

• Your registration is initially placed in a pending status and requires administrator approval.
• We will notify you via email once your account is approved or if your application is rejected.
• Rejected applications are recorded to prevent duplicate registrations with the same email address.
• We may request additional information or verification during the approval process.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain user sessions and authentication state
• Remember user preferences and settings
• Provide security features and prevent fraud
• Analyse website usage through Matomo (self-hosted analytics)
• Protect against automated attacks using Cloudflare Turnstile

You can control cookie settings through your browser, but disabling certain cookies may limit platform functionality.

12. Third-Party Links

Our website may contain links to external sites that are not operated by us. We are not responsible for the content or privacy practices of those sites. We encourage you to review the privacy policies of any third-party websites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements, including amendments to the Privacy Act 1988 (Cth) and Australian Privacy Principles. The updated version will be indicated by an updated "Last Updated" date and will be effective as soon as it is accessible. We encourage you to review this policy periodically to stay informed of any updates.

Please note that from 10 December 2026, if we implement automated decision-making systems (such as AI or algorithmic processing) that could significantly affect your rights or interests, we will update this policy to include specific information about those processes as required by Australian privacy law.

14. Contact Us

If you have any questions or concerns about this policy, please contact us via our Contact page or email us directly at legal@hyenergysolutions.com.au.

Last Updated: October 24, 2025