Privacy Policy
Last updated: 1 May 2026
Remote Reviewer ("we", "us", or "our") is committed to protecting your privacy. This policy explains what personal data we collect, why we process it, how we protect it, who we share it with, and what rights are available to you. It applies to all users of the Remote Reviewer platform, including Account Owners, Reviewers, and Participants.
Remote Reviewer is the data controller for personal data we collect directly (for example, account registration and billing data). Where we process personal data on behalf of an Account Owner organisation, we act as a data processor following the Account Owner's instructions.
Contact us at info@remotereviewer.com.au for any privacy-related questions.
1. Scope and Applicable Law
This policy is designed to comply with privacy laws applicable across the jurisdictions in which we operate, including but not limited to:
- Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- European Economic Area: General Data Protection Regulation (EU) 2016/679 (GDPR).
- United Kingdom: UK GDPR and the Data Protection Act 2018.
- United States (California): California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) where applicable.
- Other jurisdictions: We acknowledge that users in other countries may have additional rights under their local privacy or data protection laws. We aim to respect those rights to the extent practicable.
Where laws in different jurisdictions apply to you, the more protective standard generally applies.
2. Personal Data We Collect
- Account data: name, email address, organisation name, phone number, job role, and profile details provided at registration or updated in your account settings.
- Assessment data: task metadata, checklist responses, scores, comments, timestamps, reviewer notes, assessment outcomes, and xAPI statements generated from assessments.
- Billing data: subscription plan details, billing contact information, and payment method metadata (card type and last four digits). Full card numbers are not stored by us — payments are processed by Stripe.
- Technical data: IP address, browser type and version, device type, operating system, session identifiers, and security and access logs.
- Communications data: emails and messages you send to us, including support requests.
We collect personal data directly from you when you register, use the platform, or contact us, and automatically through cookies and server logs as described in Section 7.
3. Video and Audio Recordings
A core function of Remote Reviewer is the capture and assessment of video and audio recordings submitted by Participants. These recordings are sensitive by nature — they may capture a person's voice, face, and environment, and in some jurisdictions may constitute or contain biometric or sensitive personal data.
We handle recordings as follows:
- Storage: Recordings are stored in secure cloud infrastructure. Access is restricted to the Account Owner organisation, their authorised Reviewers, and Remote Reviewer personnel who require access to operate and support the service.
- Access controls: Recordings are accessible only to users authorised within the relevant account. We do not make recordings publicly accessible.
- Retention: Recordings are retained for as long as the account is active and for a post-cancellation period as described in Section 10. Account Owners may delete recordings at any time from within the platform.
- AI processing: Recordings may optionally be processed using AI tools (such as transcription services) as described in Section 6. This is an opt-in feature controlled by the Account Owner.
- Consent responsibility: It is the Account Owner's responsibility to ensure that Participants have been informed about and have provided any required consent for their recording, in compliance with laws applicable in their jurisdiction (including workplace surveillance laws in various Australian states and territories).
4. Legal Basis for Processing
Where GDPR or UK GDPR applies, we rely on the following legal bases under Article 6:
- Contract (Article 6(1)(b)): Processing necessary to provide account access, run assessment workflows, generate reports, deliver support, and fulfil our contractual obligations to you.
- Legitimate interests (Article 6(1)(f)): Service security, fraud prevention, abuse detection, system diagnostics, and platform improvement — where these interests are not overridden by your fundamental rights.
- Consent (Article 6(1)(a)): Non-essential cookies and analytics, and optional marketing communications, where you have provided consent. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Processing required to comply with applicable legal obligations, including tax, accounting, and regulatory requirements.
Where we process special categories of personal data (Article 9 GDPR), such as recordings that may capture health or biometric information, we rely on explicit consent obtained by the Account Owner from the Participant, or another applicable Article 9 basis, and require Account Owners to maintain records of consent.
Under Australian law, we rely on the same grounds as reflected in the Australian Privacy Principles, particularly APPs 3 and 6 (collection and use for primary purposes, or with consent).
5. How We Use Personal Data
- Provide, operate, and secure the platform and all its features.
- Process assessments, reviews, exports, reports, and customer-requested integrations (including xAPI/LRS forwarding).
- Manage accounts, billing, and subscriptions.
- Respond to support requests and send service-related communications (such as account notifications, billing receipts, and security alerts).
- Diagnose technical issues and monitor platform reliability and performance.
- Comply with legal obligations, including responding to lawful requests from authorities.
- Where consent is given: send product updates or marketing communications (you can unsubscribe at any time).
We do not use your Content (including recordings) for any purpose beyond providing the Service to you, unless required by law or with your explicit consent.
6. AI and Automated Processing
Remote Reviewer offers optional AI-powered features, currently including:
- Audio transcription: Submitted audio or video recordings can be transcribed using OpenAI Whisper.
- Checklist generation: AI assistance for generating assessment criteria using OpenAI GPT models.
- AI evidence review: AI-assisted review of submitted content against checklist criteria.
When you or your Account Owner enables these features:
- Relevant Content (audio files, text prompts, checklist data) is transmitted to OpenAI's API for processing. OpenAI's privacy policy and terms govern their handling of this data.
- We do not use your Content to train AI models, and we have configured our integration to opt out of OpenAI's data use for training where this option is available.
- AI-generated outputs are provided as an assistive tool. All assessment decisions remain the responsibility of the human Reviewer and Account Owner. Automated outputs do not constitute a final assessment determination.
- AI features are clearly identified in the platform interface and can be enabled or disabled by Account Owners.
Account Owners are responsible for ensuring that their use of AI features complies with any applicable obligations, including obtaining necessary consents from Participants where AI processing of their recordings is undertaken.
7. Cookies and Tracking
We use the following types of cookies:
- Essential cookies: Required for login session management and security. These cannot be disabled without impairing core platform functionality.
- Analytics cookies: Optional cookies used to understand how the platform is used and to improve it. These are only set after you provide consent where required by law.
You can manage your cookie preferences through the cookie preference banner displayed on first visit. To reset your preferences, clear your browser cookies and re-select your preference on next visit. Most browsers also allow you to control cookies through browser settings.
8. Who We Share Personal Data With
We share personal data only as necessary to provide the Service:
- Authorised staff: Remote Reviewer personnel who need access to operate and support the Service, subject to confidentiality obligations.
- Subprocessors: Trusted third-party service providers who process data on our behalf, including cloud hosting and storage (AWS), payment processing (Stripe), AI processing (OpenAI), and email delivery. A current list of our subprocessors is available at /subprocessors.
- Account Owner organisations: Data about Participants and assessment outcomes is accessible to the Account Owner who initiated the assessment.
- LRS/xAPI integrations: Where an Account Owner has configured an xAPI Learning Record Store integration, assessment records will be forwarded to the LRS endpoint they specify. This is an Account Owner-controlled feature.
- Legal requirements: We may disclose personal data if required by law, court order, or to protect our legal rights or the safety of others.
We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes.
9. International Data Transfers and Data Residency
Remote Reviewer is based in Australia. Our primary data storage is on Amazon Web Services (AWS) infrastructure. Data may be stored and processed in AWS regions including Australia (ap-southeast-2) and potentially other regions depending on service configuration and disaster-recovery requirements.
Where personal data is transferred outside your jurisdiction — for example, when using AI processing services hosted in the United States — we apply appropriate safeguards as required by applicable law, including:
- For EEA/UK data: Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required under GDPR/UK GDPR.
- For Australian data: Measures consistent with APP 8 cross-border disclosure obligations.
- Contractual data processing agreements with all subprocessors.
If you have specific data residency requirements (such as keeping all data within a particular country), please contact us to discuss whether this can be accommodated.
10. Data Retention
We retain personal data for as long as necessary to provide the Service and meet our legal obligations:
- Account and assessment data: Retained for the duration of the active account and for 30 days following cancellation or deactivation, after which it is deleted from active systems. Account Owners may delete their data at any time from within the platform.
- Billing records: Retained for a minimum of 7 years to satisfy tax and accounting obligations.
- Security and access logs: Retained for up to 12 months.
- Backup copies: Backup snapshots may persist for a limited additional period (typically up to 30 days) as part of our disaster-recovery processes before being permanently deleted.
Where you exercise a right to erasure (see Section 13), we will act on your request to the extent permitted by law, recognising that some data may need to be retained to satisfy legal obligations.
11. Security
We apply technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- Encrypted data transmission via HTTPS/TLS.
- Access controls restricting data access to authorised personnel on a need-to-know basis.
- Session security controls including OTP verification.
- Regular review of our security practices and subprocessor arrangements.
No method of transmission or storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at info@remotereviewer.com.au.
12. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to individuals, we will comply with our mandatory notification obligations, including:
- Australia: Notifying the Office of the Australian Information Commissioner (OAIC) and affected individuals under the Notifiable Data Breaches (NDB) scheme within the required timeframes.
- EU/UK: Notifying the relevant supervisory authority within 72 hours of becoming aware of the breach, and notifying affected individuals where required, in accordance with GDPR/UK GDPR Articles 33–34.
We will also notify affected Account Owners promptly so they can meet their own notification obligations to Participants.
13. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
All users
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Objection to marketing: Opt out of marketing communications at any time.
EU and UK users (GDPR / UK GDPR)
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format and transfer it to another controller.
- Object: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Automated decision-making: Not be subject to solely automated decisions that produce significant legal or similar effects, without human review.
Australian users (Privacy Act 1988 / APPs)
- Access and correction rights under APPs 12 and 13.
- Right to make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
California users (CCPA / CPRA)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. (We do not sell or share personal information for cross-context behavioural advertising.)
- Right to non-discrimination for exercising CCPA rights.
To exercise any of these rights, contact us at info@remotereviewer.com.au. We may need to verify your identity before fulfilling a request. We will respond within the timeframe required by applicable law (generally 30 days, extendable where permitted).
Note: Where you are a Participant whose data is controlled by an Account Owner organisation, you should direct your rights request to that organisation in the first instance. We will assist Account Owners in meeting their obligations to Participants.
14. Children
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without appropriate authorisation from a parent, guardian, or the educational/training institution acting in loco parentis.
If an Account Owner uses the Service in a context involving participants under 16 (for example, vocational training for school-based learners), the Account Owner is responsible for ensuring appropriate consents and safeguards are in place under applicable child data protection laws.
If you believe a child has submitted personal data to us without appropriate authorisation, please contact us at info@remotereviewer.com.au so we can investigate and take appropriate action.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or via a notice within the platform.
We encourage you to review this policy periodically. Your continued use of the Service after a material update constitutes acceptance of the revised policy.
For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Remote Reviewer
Brisbane, Queensland, Australia
Email: info@remotereviewer.com.au
We will endeavour to respond to all privacy enquiries within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the relevant supervisory authority in your jurisdiction:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- EU: Your national data protection authority (find yours at edpb.europa.eu).
- UK: Information Commissioner's Office (ICO) — ico.org.uk
By using Remote Reviewer, you acknowledge that you have read and understood this Privacy Policy.