Last updated: 16 March 2026
Effective Date: 16 March 2026
ZooYak Pty Ltd, a company registered in Australia ("ZooYak", "we", "us", "our"), operates the ZooYak security guard workforce management platform. We are committed to protecting the privacy and security of all personal information we collect and process.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in connection with our platform, including the manager portal, client portal, mobile application, website, and APIs (collectively, the "Service"). It applies to all individuals whose personal information we process, including customers, authorised users, guards, website visitors, and client portal users.
This Privacy Policy is designed to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles ("APPs"), and applicable Australian state and territory workplace surveillance legislation.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our privacy practices, you should not use the Service.
This summary provides a quick overview of key points. Please read the full Privacy Policy for complete details.
| Topic | Summary |
|---|---|
| Who we are | ZooYak Pty Ltd, an Australian company providing cloud-based security guard workforce management software. |
| What we collect | Account details, workforce data (on behalf of your employer), location and surveillance data, incident reports, billing information, technical logs, and communications. |
| Why we collect it | To provide the Service, manage accounts, process payments, ensure security, improve our platform, and comply with legal obligations. |
| Who we share with | Amazon Web Services (AWS), payment processors (Stripe), your employer (as data controller), and law enforcement when legally required. We never sell your data. |
| Where we store data | Primarily in AWS Sydney, Australia (ap-southeast-2). See Section 10 for international transfers. |
| Your rights | Access, correction, deletion, data portability, and complaint to regulators. For workforce data, contact your employer first. |
| Contact us | Email: privacy@zooyak.com |
This Privacy Policy applies to personal information collected through:
This Privacy Policy applies to all individuals whose personal information we process, including:
This Privacy Policy forms part of, and should be read together with, our Terms of Service. Definitions used in the Terms of Service have the same meaning in this Privacy Policy unless otherwise defined.
The distinction between when ZooYak acts as a data controller and when it acts as a data processor is fundamental to understanding your rights. See Section 4 for full details. In summary:
In this Privacy Policy, the following terms have the meanings set out below:
ZooYak determines the purposes and means of processing, and is therefore the data controller, for the following categories of personal information:
ZooYak processes the following categories of personal information on behalf of and under the instructions of the Customer (who is the data controller):
If you are a guard, employee, or contractor whose data is managed through ZooYak: Your employer (the Customer) is the data controller for your workforce data. To exercise your privacy rights (access, correction, deletion) over this data, you should contact your employer directly in the first instance. Your employer may then instruct ZooYak to action your request.
If you are a Customer or account holder: ZooYak is the data controller for your account and billing data. You may exercise your privacy rights by contacting us directly at privacy@zooyak.com.
Where applicable data protection legislation requires it, the parties shall enter into a Data Processing Agreement ("DPA") governing ZooYak's processing of personal data on behalf of the Customer. The DPA is available at zooyak.com/legal/dpa and is incorporated by reference into the Terms of Service.
We collect and process different categories of personal information depending on how you interact with the Service. The categories below describe the types of information we may collect.
When you create an account or are added as an Authorised User, we collect:
Processed on behalf of the Customer as data processor.
When Customers manage their workforce through the Service, we process:
Processed on behalf of the Customer as data processor.
When enabled by the Customer, the Service may collect the following location and surveillance data:
Indoor positioning via Bluetooth Low Energy (BLE) beacon infrastructure may be used to track guard movements within buildings. This includes trilateration-based X/Y coordinate estimation, floor level identification, and positioning accuracy metrics derived from beacon signal strength readings.
IMPORTANT: WORKPLACE SURVEILLANCE NOTICE
The location and surveillance data described above may constitute "surveillance" under applicable workplace surveillance legislation, including the Workplace Surveillance Act 2005 (NSW) and the Surveillance Devices Act 1999 (Vic).
THE CUSTOMER (YOUR EMPLOYER) IS SOLELY AND EXCLUSIVELY RESPONSIBLE FOR PROVIDING ALL REQUIRED NOTICES, OBTAINING ALL REQUIRED CONSENTS, AND OTHERWISE COMPLYING WITH ALL APPLICABLE WORKPLACE SURVEILLANCE LAWS BEFORE ENABLING OR USING ANY LOCATION TRACKING, MONITORING, OR SURVEILLANCE FEATURES OF THE SERVICE.
ZooYak provides the technology platform. The decision to enable tracking features, and all legal obligations arising from that decision, rest entirely with the Customer.
Processed on behalf of the Customer as data processor.
When incidents are reported through the Service, we process:
When Customers subscribe to the Service or make payments, we collect:
When you access and use the Service, we automatically collect:
Processed on behalf of the Customer as data processor.
When communications are sent through the Service, we process:
Processed on behalf of the Customer as data processor.
When documents and media are uploaded to the Service, we process:
When guards enrol biometric authentication, a cryptographic hash of the biometric template is stored on our servers. Raw biometric data is never stored — only a one-way cryptographic hash that cannot be reversed to recreate the original biometric data. Device-level biometric verification (Face ID, fingerprint) is processed entirely on the guard's device and is not transmitted to our servers.
We collect personal information through the following means:
We use personal information for the following purposes:
Note: We do not send direct marketing communications to guards or employees whose data is processed on behalf of a Customer. Service-related notifications to guards (e.g., shift assignments, schedule changes) are sent on behalf of the Customer.
Aggregated Data cannot be used to identify any individual or Customer and is not considered Personal Information under this Privacy Policy.
We may disclose personal information to the following categories of recipients:
We use third-party sub-processors and service providers to help operate the Service. These providers process personal information only on our instructions and are bound by appropriate data processing agreements. See Section 16 for a full list of sub-processors.
Payment card data is processed by Stripe, Inc. in accordance with Stripe's privacy policy and PCI DSS compliance standards. ZooYak does not have access to full payment card numbers.
All Customer Data is hosted on Amazon Web Services (AWS) infrastructure located in Sydney, Australia. AWS processes data in accordance with the AWS Data Processing Addendum and maintains SOC 2, ISO 27001, and other certifications.
We may disclose personal information to our legal, accounting, and other professional advisors where necessary for us to obtain their advice or assistance.
We may disclose personal information where we are required or authorised to do so by applicable law, regulation, court order, or governmental request. We will endeavour to notify the affected Customer before making such disclosure, unless prohibited by law.
In the event of a merger, acquisition, corporate reorganisation, or sale of all or substantially all of ZooYak's assets, personal information may be transferred to the acquiring entity. We will provide at least 30 days' notice of any such transfer and ensure that the acquiring entity is bound by privacy obligations at least as protective as those in this Privacy Policy.
Where ZooYak processes personal information on behalf of a Customer, that Customer has access to the data as the data controller. Customers may access, export, and manage all Customer Data through the Service.
We never sell personal information to third parties. We do not share personal information with third parties for their direct marketing purposes.
The Service includes the following location tracking and monitoring features that may be enabled by the Customer:
Location tracking features are only active when all of the following conditions are met:
Location data is not collected when a guard is not on shift, unless the Customer has specifically configured the Service to do so (in which case the Customer bears all legal responsibility for such collection).
THE CUSTOMER IS SOLELY AND EXCLUSIVELY RESPONSIBLE FOR COMPLIANCE WITH ALL APPLICABLE WORKPLACE SURVEILLANCE LEGISLATION BEFORE ENABLING OR USING ANY TRACKING FEATURES.
This includes, but is not limited to:
ZooYak provides the technology platform only. ZooYak does not provide legal advice and accepts no liability for the Customer's failure to comply with workplace surveillance laws.
If you are a guard whose location data is collected through the Service:
Location data is retained for 12 months from the date of collection, after which it is securely deleted. Customers may request earlier deletion of location data by contacting ZooYak. See Section 12 for full retention details.
All Customer Data is primarily stored and processed on Amazon Web Services (AWS) infrastructure located in Sydney, Australia (ap-southeast-2 region).
In limited circumstances, personal information may be transferred outside Australia where necessary for the provision of the Service. This may occur through:
Where personal information is transferred outside Australia, we ensure that:
The locations of our sub-processors are listed in Section 16. The majority of our sub-processors operate from Australian data centres. Stripe, our payment processor, operates from the United States with appropriate data protection safeguards including SCCs.
We implement comprehensive technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction.
The Service operates a multi-tenant architecture with strict logical data isolation. Each Organisation's data is separated using organisation-scoped database queries that are enforced at the application layer. No Customer can access another Customer's data.
ZooYak is committed to achieving and maintaining SOC 2 Type II compliance. Information about our current security posture and compliance certifications is available upon request, subject to appropriate confidentiality obligations.
We maintain a documented incident response plan that includes procedures for identification, containment, eradication, recovery, and post-incident review. See Section 14 for our Notifiable Data Breaches obligations.
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following table sets out our standard retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 7 years | Tax and legal compliance obligations |
| Workforce data (Customer Data) | Duration of Customer account + 30-day export period | Customer's instructions; export window per Terms of Service |
| Location data | 12 months from collection | Operational need; proportionality principle |
| Incident data | Duration of Customer account + 7 years | Legal, insurance, and regulatory compliance |
| Financial and billing data | 7 years from transaction date | ATO record-keeping requirements |
| Technical logs | 90 days | Security monitoring and debugging |
| Communications data | Duration of Customer account | Service provision |
| Marketing consent records | Until consent is withdrawn | Consent-based processing |
When the retention period for personal information expires, we securely delete or de-identify the data using one or more of the following methods:
Customers may request deletion of specific Customer Data at any time by contacting ZooYak. We will process deletion requests within 30 days, subject to any legal obligations that require us to retain the data.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the following rights:
You have the right to request access to the personal information we hold about you. We will provide access within 30 days of receiving your request, subject to any exceptions permitted under the Privacy Act 1988.
You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days. If we refuse to correct information, we will provide a written notice explaining our reasons and how you may complain.
We will respond to access and correction requests within 30 days of receiving the request. If we need additional time, we will notify you and provide a revised timeframe.
We do not charge a fee for making an access or correction request, or for providing access to your personal information. However, we may charge a reasonable fee for providing access in a non-standard format (e.g., certified copies) if requested.
If you are not satisfied with our response to your request or our handling of your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). See Section 21 for complaint details.
ZooYak complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). Under this scheme:
Where a data breach involves Customer Data, ZooYak will notify the affected Customer within 48 hours of confirming the breach. The notification will include:
Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies to provide, protect, and improve our Service.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session cookies | Maintaining your authenticated session after login. Essential for the Service to function. | Session (expires on logout or browser close) |
| Authentication cookies | Storing encrypted authentication tokens to keep you signed in across requests. | Up to 24 hours |
| CSRF tokens | Protecting against cross-site request forgery attacks. Essential for security. | Session |
| Preference cookies | Storing your display preferences (e.g., sidebar state, theme, language). | 1 year |
| Functional cookies | Remembering your preferences and settings to improve your experience across sessions. | Up to 12 months |
We do not use analytics cookies, advertising cookies, retargeting cookies, or third-party tracking cookies. We do not share cookie data with advertising networks or data brokers.
You can manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing cookies. Please note that disabling essential cookies (session, authentication, CSRF) will prevent you from using the Service.
We honour Do Not Track (DNT) signals sent by your browser. Since we do not use analytics or tracking cookies, no additional action is required when a DNT signal is detected.
For more detailed information about our use of cookies, please see our Cookie Policy.
We use the following third-party sub-processors to assist in providing the Service. All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Services include: Cognito (authentication), S3 (file storage), SES (email delivery), KMS (encryption key management), Aurora PostgreSQL (database), ECS (compute), CloudFront (content delivery). All data stored in the Sydney, Australia (ap-southeast-2) region. | Sydney, Australia | All Customer Data |
| Stripe, Inc. | Payment processing | USA (with SCCs) | Payment card data, billing information |
We will provide at least 30 days' prior written notice before engaging a new sub-processor or materially changing the scope of an existing sub-processor's engagement. If a Customer has a reasonable objection to a new sub-processor on data protection grounds, the parties will discuss the objection in good faith in accordance with the Terms of Service.
ZooYak does not make any decisions based solely on automated processing, including profiling, that produce legal effects concerning any individual or that similarly significantly affect any individual.
The Service includes certain algorithmic and analytics features that are advisory only, including:
These features provide recommendations and alerts to assist the Customer in making decisions. The Customer retains all decision-making authority over their workforce. No employment, disciplinary, performance, or scheduling decision is made by ZooYak or the Service without human review and authorisation by the Customer.
The Service is designed for use by businesses and their employees in the security industry and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.
If we become aware that we have collected personal information from a child under 18, we will take steps to promptly delete that information. If you believe we may have collected information from a child under 18, please contact us at privacy@zooyak.com.
The Service and our website may contain links to third-party websites or services. These third-party websites have their own privacy policies, and we are not responsible for their content or privacy practices. We encourage you to read the privacy policy of any third-party website you visit.
The Service offers integrations with third-party applications, including accounting software (Xero, MYOB), payroll systems (KeyPay), and other business tools. When you enable a third-party integration:
ZooYak is not responsible for the privacy practices of third-party integration providers.
If we make material changes to this Privacy Policy (including changes to the categories of data collected, the purposes of processing, or the recipients of data), we will provide at least 30 days' prior notice via email to the address associated with your account and/or via an in-app notification. For existing users, material changes require affirmative consent and will not take effect until accepted.
Non-material changes (such as clarifications, formatting updates, or corrections) may take effect upon posting to this page. We will update the "Last Updated" date at the top of this Privacy Policy whenever any change is made.
Previous versions of this Privacy Policy are available upon request by contacting privacy@zooyak.com.
If you believe we have breached the Australian Privacy Principles or mishandled your personal information:
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
For matters relating to data protection, please contact us at privacy@zooyak.com. We are responsible for overseeing our compliance with applicable data protection laws and for handling all privacy-related enquiries and complaints.
This Privacy Policy was last updated on 16 March 2026 and is effective as of 1 March 2026. Previous versions of this Privacy Policy are available upon request by contacting privacy@zooyak.com.