Orro Privacy Policy

This Privacy Policy sets out how Orro Pty Ltd (ABN 72 111 999 663) and all its related entities with operations in Australia, New Zealand, the Philippines and the United Kingdom (together, Orro Group) collect, hold, use, disclose, transfer, protect and otherwise handle Personal Information. It applies to Personal Information we handle in the context of employment, recruitment, supplier management, service delivery to customers, marketing, website and app use, and physical security (e.g., CCTV, access control).

In this Privacy Policy, capitalised terms have the following meanings unless the context otherwise requires:

• Personal Information / Personal Data means information, whether recorded in material form or not, about an individual who is identified or reasonably identifiable from that information or other information combined  with that information; and
• Sensitive Information includes data relating to health, race or ethnicity, religious or philosophical beliefs, trade union membership, genetic and biometric data, sexual orientation and criminal convictions/offences.

The types of Personal Information we collect about you will depend on the purpose for which the Personal Information is collected. This may include:

• Identification and contact information (including name, title, DOB, IDs, addresses, phone, email and photos);
• Personal Information to allow us to carry out Employment and HR functions (including, in addition to the identification and contact information identified above, information relating to the right‑to‑work, payroll, tax, leave, performance, learning, full name of dependent spouse and children and their DOB, when necessary, full name of dependent parents and their DOB, social security number, tax identification number and social medical benefits numbers);
• Technical and security data (including device identifiers, IP addresses, system and application logs, access cards, CCTV and device telemetry and performance data);
• Customer and supplier information (including contact details such as name, phone number, email address and account number);
• Special categories of data/Sensitive Information where necessary and permitted at law (including your health information and biometric information); and
• Criminal convictions/offences data where necessary and permitted at law.

We collect Personal Information directly from you, including through forms, portals, support tickets and calls between you and an Orro Group entity. We may also collect Personal Information through surveillance systems (including CCTV and network and cybersecurity monitoring tools) as well as automatically via our systems and websites.

We also use cookies, which are data files that are placed on your device and often include an anonymous unique identifier (see Section 13).  For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

In limited circumstances, we may collect Personal Information about you from publicly available sources such as the internet, as well as from third parties (such as recruiters, background check providers, referees or partners) where lawful and appropriate.

Whilst we will always maintain robust privacy practices, we are not responsible for the privacy practices of third parties, so you should review their relevant privacy policy to satisfy yourself as to how they protect and handle your Personal Information.

We use Personal Information for purposes collected including managing our business and providing our products and services to you, including for:

• provision of our products and services to our customers or to receive goods or services from third parties;
• service provision and customer support;
• HR, recruitment, employment, payroll, and performance management;
• security, fraud prevention, and threat detection;
• compliance with legal/contractual obligations;
• analytics, service improvement, and reporting;
• marketing and communications with opt‑out;
• physical security (CCTV, access control);
• direct marketing purposes (see Section 5);
• enabling the processing of device identifiers, system logs, and telemetry data for security monitoring, compliance, system performance, fraud detection, and the improvement of Orro Group’s business systems and services; and
• contacting you regarding any of the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner.

If you are based in the UK and/or Philippines, then the lawful bases for the processing of your Personal Information in connection with each of the purposes below is set out below:

Orro may utilise Artificial Intelligence (AI) within business systems and tools, including those provided by third‑party vendors and those developed in‑house. Any application of AI shall be limited to work‑related information and undertaken strictly in accordance with this Privacy Policy, the Australian Privacy Principles (APPs), and applicable data protection laws in other jurisdictions in which Orro Group entities operate. AI processing will not involve the use of personal data for model training unless appropriate safeguards are applied.

We may disclose your Personal Information to third parties in connection with the purposes described above (see Section 5 above).

This may include disclosing your Personal Information to the following types of third parties:

• other Orro Group entities;
• service providers and professional advisers;
• customers (where necessary to maintain business relationships and consistent with contracts);
• regulators or law enforcement when legally required;
• parties to corporate transactions (including any potential third party acquirer of our business or assets and advisors to that third party);
• third parties to whom you have authorised us to disclose your personal information; and
• to any other person as required or permitted by law.

Please note that we do not sell your Personal Information.

Where permitted by law, Orro may use Personal Information for direct marketing. Individuals can opt out at any time via the unsubscribe link or by contacting us (see Section 20)

Orro may process an employee’s, prospective employee’s or individual independent contractor’s Personal Information for recruitment, onboarding, payroll, performance, compliance, and security. We may monitor our systems and facilities (e.g., CCTV, email, internet, access control, device telemetry) in accordance with local laws and internal policies. Any monitoring is for the legitimate business purposes set out in this Privacy Policy and subject to appropriate safeguards and compliance with applicable laws.

Orro Group allows individuals the option not to identify themselves when dealing with us, where practicable. If you decide to interact with Orro Group anonymously, the products and/or services we are able to provide to you, and how we interact with you, may be limited.

We may process special categories of Personal Information where necessary and lawful (e.g., health information to meet H&S obligations). Criminal convictions/offences data is processed only where permitted by law, where necessary for the purposes set out in this Privacy Policy and are subject to additional technical and operational measures, including stricter role-based access controls, use of multi-factor authentication-protected systems, encryption of data at rest and in transit and use of storage on segregated human resources and security platforms.

In Australia, we will obtain your consent in the collection of such information where they constitute Sensitive Information.

Personal data may be transferred between Orro Group entities and recipients outside the jurisdictions in which the Orro Group entities are located. This may include overseas recipients located in New Zealand, the Philippines and the United Kingdom.

Orro complies with applicable legal requirements in respect of any cross-border disclosures, including applying appropriate safeguards to ensure adequate protection, including through implementation of Standard Contractual Clauses (SCCs) and/or Model Contractual Clauses published by the Global Privacy Assembly – Global Frameworks and Standards Working Group, International Data Transfer Agreements (IDTAs), or comparable safeguards.

For Australia, we take steps as are reasonable in the circumstances to ensure overseas recipients handle Personal Information in accordance with the Privacy Act 1988 (Cth). For New Zealand, we ensure comparable safeguards under the Privacy Act 2020.

Our websites and applications use cookies and similar technologies (e.g., pixels, SDKs, local storage) to enable site functionality, remember preferences, perform analytics, and measure campaigns. Categories include:

• strictly necessary;
• performance/analytics;
• functionality;
• advertising cookies.

Where required by law, we will request consent for non‑essential cookies and provide controls to withdraw consent at any time. You can also manage cookies through your browser settings. Blocking some cookies may impact site performance.

We may use third‑party analytics and advertising partners. These providers may set their own cookies in accordance with their privacy policies.

We apply physical, technical, and organisational measures, including access controls, encryption, logging/monitoring, vulnerability management, secure development practices, and staff training. Third‑party providers are required to implement appropriate security measures and handle or otherwise process Personal Information only on Orro’s instructions.

We retain Personal Information only for as long as necessary to fulfil the purposes described in this Policy or as required by applicable laws and regulations. We securely destroy or de-identify Personal Information when it is no longer needed.

Retention periods vary depending on the nature of the Personal Information and the legal requirements in each country where we operate.

Our services are generally directed at business customers and adult employees/contractors. Where we process children’s data (e.g., dependants for benefits), we do so with appropriate consents and safeguards in accordance with applicable law.

We may use automated processing in respect of your Personal Information to assist in making certain decisions. When we do so, we will provide relevant information about the logic involved, as well as the significance and envisaged consequences of such processing, and offer the right to obtain human intervention, to express a point of view, and to contest the decision, as required by law.

Subject to individual’s rights under applicable law, individuals may request to:

• access, correct, delete, or restrict processing of their Personal Information;
• object to processing (including direct marketing);
• request portability (where applicable).

You may request access to any Personal Information we hold about you at any time by contacting us at [email protected]. We will provide access to that information in accordance with relevant privacy laws, subject to any exemptions that may apply.  We may charge an administration fee in limited circumstances, but we will let you know in advance if that is the case.

If you believe that Personal Information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it by contacting us at [email protected]. Where we agree that the information needs to be corrected, we will update it. If we do not agree, you can request that we make a record of your correction request with the relevant information.

You can also ask us to notify any third parties that we provided incorrect information to about the correction. We’ll try and help where we can – if we can’t, then we’ll let you know.

If you have any questions, concerns or complaints about our collection, use, disclosure or management of your Personal Information, please contact us at [email protected].

We are committed to resolving any complaints reasonably and to ensuring that we are doing the right thing by our customers. We will make all reasonable inquiries and your complaint will be assessed with the aim of resolving any issue in a timely and efficient manner.

If you are located in Australia and have raised a complaint with us and you are unsatisfied with the outcome or have further concerns about the way we have handled your Personal Information, you may complain to the Information Commissioner at the Office of the Australian Information Commissioner, whose contact details are set out below:

Office of the Australian Information Commissioner

GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Online: www.oaic.gov.au
Email: [email protected]

To contact our Privacy Officer if you have an enquiry or a complaint about the way we handle your Personal Information, or to seek to exercise any of your privacy rights in relation to the Personal Information we hold about you, including to request access to or correction of your Personal Information, please use the following details:

Privacy Officer, Orro Group

503, 50 Clarence Street, Sydney 2000

Phone: +61 1300 900 000

Email: [email protected]

This Policy will be reviewed at least annually, or sooner if required by changes in law, regulation, or Orro’s operations. Updates will be published on Orro’s website and internal platforms. Historic versions are available on request.