At a Glance
Diba Technology Pty Ltd (ABN 38 581 526 417), a gate access control solutions company based in New South Wales, Australia.
Business contact details, site operational data, biometric data (facial recognition) where used for gate access, and platform usage data.
To provide gate access control hardware, installation services, and SaaS platform functionality to our clients.
We do not sell personal information. We may share data with trusted subcontractors and platform infrastructure providers only as necessary.
You may access, correct, or request deletion of your personal information by contacting us at diba.com.au.
Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
01 About This Policy
Diba Technology Pty Ltd ("Diba", "we", "us", or "our") is committed to protecting the privacy of individuals whose personal information we handle in the course of our business operations.
This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to all personal information collected by Diba in connection with our products and services, including our gate access control hardware, installation services, and the Diba SaaS Platform.
By engaging our services or using our platform, you acknowledge that you have read and understood this Privacy Policy.
02 Personal Information We Collect
We may collect the following categories of personal information:
2.1 Business Contact Information
- Names, job titles, and roles of client contacts and site managers;
- Business email addresses and phone numbers;
- Business addresses and site addresses.
2.2 Biometric & Access Data
- Facial recognition data collected at the point of gate entry or exit, where the Diba Platform's facial recognition feature is enabled;
- Access event logs, including timestamps, gate entry/exit records, and user identification data;
- Induction records and trade attendance data captured through the Commnia integration.
2.3 Platform & Technical Data
- Login credentials and user account information for the Diba Platform;
- Device and browser information for platform users;
- Usage logs and activity records within the Diba Platform.
2.4 Data We Do Not Collect
We do not collect sensitive personal information such as health records, financial account details, tax file numbers, or government identifiers, except where specifically required and authorised by law.
03 How We Collect Personal Information
We collect personal information in the following ways:
- Directly from clients and their personnel during the sales, contracting, and onboarding process;
- Through the Diba Platform, including access event logs, facial recognition data, and user activity records;
- Through the Commnia integration, where enabled, capturing site diary, induction, and trade attendance data;
- From publicly available sources, such as business directories, where relevant to providing our services.
The Customer (our client) is responsible for obtaining all necessary consents from workers, contractors, and visitors whose personal information is collected via the Diba Platform, including biometric data consents as required by applicable law.
04 Why We Collect & Use Personal Information
We collect and use personal information for the following purposes:
- To provide, install, commission, and support gate access control hardware and the Diba Platform;
- To manage client relationships, including communications, invoicing, and contract administration;
- To operate the Diba Platform's core features, including access control, facial recognition gate entry, headcount, and compliance reporting;
- To comply with our legal obligations under applicable Australian law;
- To improve our products and services using aggregated, de-identified usage data;
- To respond to enquiries, complaints, or support requests.
We will not use personal information for purposes that are incompatible with the reason it was collected without first obtaining your consent.
05 Biometric Data & Facial Recognition
Where the facial recognition feature of the Diba Platform is enabled, biometric data (facial geometry) is collected and processed to verify identity at site access points.
5.1 Customer Responsibilities
The Customer (our client) is solely responsible for:
- Informing workers, contractors, and visitors that biometric data is being collected;
- Obtaining informed, voluntary consent from each individual before their biometric data is enrolled in the Diba Platform;
- Displaying appropriate signage at the Site notifying individuals of data collection;
- Complying with any applicable state or territory workplace health and safety or surveillance laws.
5.2 Diba's Role
Diba processes biometric data solely to provide gate access functionality as directed by the Customer. Diba does not use biometric data for any other purpose.
5.3 Retention
Access event log data (including facial recognition records) is retained for 90 days by default, unless the Customer has agreed to a different retention period in the Client Service Agreement. On expiry or earlier termination, Diba will delete or de-identify this data within 30 days.
06 Disclosure of Personal Information
We may disclose personal information to:
- Subcontractors and service providers engaged to assist with installation, maintenance, or platform infrastructure, who are bound by confidentiality obligations;
- The Commnia platform, where the Commnia integration is enabled by the Customer, subject to Commnia's own privacy policy;
- Regulatory bodies, law enforcement, or courts where required by law;
- Successors in the event of a business sale or restructure, on written notice to affected clients.
We do not sell, rent, or trade personal information to third parties for marketing or commercial purposes.
07 Overseas Disclosure
Our hardware is sourced from overseas suppliers. In limited circumstances, technical or operational data may be shared with overseas hardware suppliers for warranty, support, or firmware update purposes. Where this occurs, we take reasonable steps to ensure those parties provide an adequate level of privacy protection consistent with the APPs.
We do not otherwise disclose personal information to overseas recipients unless required by law or with your consent.
08 Data Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
- Role-based access controls for the Diba Platform;
- Encrypted data transmission (TLS/HTTPS) between platform components;
- Regular platform security reviews and updates;
- Confidentiality obligations imposed on subcontractors and staff.
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
09 Data Retention
We retain personal information for as long as necessary to fulfil the purpose for which it was collected, or as required by law:
- Access event logs (including facial recognition records) are retained for 90 days by default, unless otherwise agreed;
- Client contact and contract records are retained for 7 years after the end of the Agreement, in accordance with Australian tax and commercial law;
- Platform usage logs are retained for 12 months and then deleted or anonymised.
On expiry or termination of a Client Service Agreement, we will provide the Customer with a reasonable opportunity to export their data before it is deleted from our systems.
10 Access, Correction & Deletion
Under the Privacy Act, individuals have the right to:
- Request access to personal information we hold about them;
- Request correction of personal information that is inaccurate, out of date, incomplete, or misleading;
- Request deletion of personal information where we are no longer required by law to retain it.
To exercise these rights, please contact us using the details in Section 12. We will respond to all requests within 30 days. We will not charge a fee for making an access or correction request, but may charge a reasonable fee for providing access in certain circumstances.
11 Privacy Complaints
If you believe we have mishandled your personal information or breached the APPs, we encourage you to contact us directly in the first instance using the details in Section 12. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5288, Sydney NSW 2001
12 Contact Us
For any privacy-related queries, requests, or complaints, please contact Diba Technology:
13 Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory guidance. We will post the updated version on our website and update the version number and date accordingly.
This Policy was last updated in June 2025 (Version 1.0).