Privacy Policy
Last updated: November 2024
1. Entity and Application of this Policy
1.1 This Privacy Policy applies to the collection, use, disclosure and handling of Personal Information in connection with The Resilience Reset platform and associated services (the Service).
1.2 The Service is owned and operated by Kelly Elsayed trading as The Resilience Reset, ABN 86400157291, based in Queensland, Australia (The Resilience Reset, we, us, our).
1.3 We handle Personal Information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), to the extent they apply to us.
1.4 By providing Personal Information to us or using the Service, you acknowledge that your Personal Information will be handled in accordance with this Privacy Policy.
2. Definitions
2.1 Customer means the organisation or business that has entered into an agreement with us to use the Service.
2.2 Admin User means an employee, contractor or representative of a Customer who is authorised by the Customer to access and administer the Service.
2.3 Participant means an individual (such as an employee or contractor of a Customer) invited by the Customer to complete assessments through the Service.
2.4 Personal Information has the meaning given in the Privacy Act 1988 (Cth) and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable.
2.5 Sensitive Information includes information about an individual's health, mental health, disability, racial or ethnic origin, and other categories specified in the Privacy Act 1988 (Cth).
2.6 Customer Data means all data (including Personal Information and Sensitive Information) supplied to or generated within the Service by or on behalf of a Customer.
3. Types of Information Collected
3.1 We may collect the following types of information:
(a) Customer and Admin User Information
- Name, job title, position and organisation name
- Business contact details (including email address, phone number and postal address)
- Login credentials or authentication identifiers
- Communication preferences and correspondence with us
(b) Participant Information
- Contact details (including email address and, where provided, name or unique identifier)
- Assessment invitations, tokens and access details
- Assessment responses to work-related surveys
- Demographic information configured by the Customer
(c) Sensitive Information
Assessment responses and related data may constitute Sensitive Information or health information because they relate to wellbeing, mental health risk factors and workplace conditions. We handle such information with particular care and only for the purposes described in this Privacy Policy and our agreement with the relevant Customer.
(d) Technical, Security and Usage Information
- IP address, device identifiers, browser type, operating system
- Dates, times and duration of access, pages viewed, interactions
- Session identifiers, authentication tokens
- Security and audit logs including login attempts, blocked access, rate limits
(e) Billing and Transaction Information (Customers)
- Subscription details, plan type, billing period, payment status
- Billing contact details
- Transaction details (we do not typically store full payment card details)
(f) Cookies and Similar Technologies
Information collected via cookies, local storage and similar technologies used for authentication, session management, security and to understand usage of the Service.
4. How Information is Collected
4.1 We may collect Personal Information in the following ways:
(a) Directly from Customers and Admin Users when they create accounts, configure campaigns, provide contact details, upload or enter data, or communicate with us.
(b) Directly from Participants when they open invitations, access the Service or complete assessments.
(c) Automatically through the use of the Service, including via our logging, monitoring and security systems.
(d) From third parties engaged by us to support the operation and security of the Service (including hosting providers, email providers, and monitoring tools).
(e) From public sources where permitted by law.
5. Purposes of Collection, Use and Disclosure
5.1 We collect, use and disclose Personal Information for the following purposes:
(a) Provision and Operation of the Service
- Creating and managing Customer and Admin User accounts
- Configuring, launching and administering assessment campaigns
- Issuing invitations and secure, passwordless access links
- Delivering assessments and recording responses
- Aggregating and presenting results, dashboards, metrics
(b) Analysis and Reporting
- Aggregating and analysing assessment responses
- Generating reports, scores, metrics, explanations
- Supporting Customers to make informed organisational decisions
(c) Automated Processing and Generated Content
Using automated systems, algorithms and tools to assist in scoring, aggregating and interpreting data and to assist in producing explanatory content, summaries, draft recommendations and template communications. Such outputs are intended as general information and decision-support only, and are subject to Customer review and judgment.
(d) Security, Fraud and Misuse Prevention
- Authenticating users, validating sessions and managing access controls
- Detecting and responding to abuse, misuse, unauthorised access
- Operating rate limiting, IP controls, anomaly detection
- Maintaining audit logs and security records
(e) Improvement and Development of the Service
- Monitoring performance, reliability and usage patterns
- Developing enhancements, new features and refinements
- Conducting quality assurance, testing and troubleshooting
(f) Communication and Support
- Providing service-related communications, notices, alerts
- Responding to enquiries, support requests, feedback
- Informing Customers of changes to this Privacy Policy
(g) Legal and Regulatory Compliance
- Complying with applicable laws, regulations, court orders
- Exercising and defending legal rights and managing disputes
5A. Automated Decision-Making (Effective 10 December 2026)
5A.1 From 10 December 2026, the following additional disclosures apply where we use automated decision-making systems:
Types of Personal Information Used
Our automated systems may use the following kinds of personal information:
- Assessment responses (burnout scores, psychological safety indicators, workplace driver ratings)
- Demographic information (department, role, team, location, tenure, seniority)
- Historical response patterns and trends
- Aggregated group-level data
Decisions Made Solely by Automated Systems
The following types of decisions are made solely by our automated systems:
- Calculation of burnout risk scores and psychological safety metrics
- Generation of workplace risk indicators and trend analysis
- Aggregation of group-level statistics and benchmarking
- Creation of visual dashboards and data presentations
Decisions with Substantial Automated Assistance
The following types of decisions are made with substantial and direct assistance from our automated systems, with final human review:
- Generation of explanatory text and insights about workplace patterns
- Creation of draft recommendations for organisational action
- Production of template communications and reports
- Identification of areas requiring attention or further investigation
Important Notes
- All automated outputs are provided as general information and decision-support tools only
- Customers remain solely responsible for reviewing outputs and making final decisions
- No automated decision constitutes medical, psychological, legal, or HR advice
- Automated systems may contain errors and should not be relied upon as complete or accurate
6. Legal Basis for Handling Personal Information
6.1 To the extent required by applicable law, the legal bases on which we handle Personal Information include:
(a) where necessary for the performance of a contract with a Customer or to take steps requested by a Customer prior to entering into a contract;
(b) where necessary for our legitimate interests in operating, securing, maintaining and improving the Service and supporting Customers, in a manner that is balanced against individuals' privacy rights; and
(c) where required or permitted by law, including compliance with legal obligations.
7. Disclosure of Personal Information
7.1 We may disclose Personal Information to:
(a) Customers and their Authorised Users
Customer Data is made available to the relevant Customer and its authorised Admin Users through the Service in accordance with the Customer's configuration and permissions. Reporting is designed primarily for aggregated and group-level insights. Customers determine how to configure demographics, group sizes and reporting thresholds.
(b) Service Providers and Contractors
Third-party service providers engaged to support the Service, including hosting and infrastructure providers, email and communication providers, monitoring and logging providers, backup and storage providers, and professional advisors. These third parties are given access to Personal Information only to the extent reasonably necessary to perform their functions and are subject to confidentiality and appropriate data protection obligations.
(c) Regulators, Law Enforcement and Legal Proceedings
Government authorities, regulators or law enforcement agencies where required or authorised by law, including in response to subpoenas, court orders or lawful information requests. Legal advisers, insurers and other professional advisers in connection with legal claims, disputes, audits, investigations or compliance matters.
(d) Business Transfers
Another entity in connection with a merger, acquisition, restructuring, sale of business or assets, or other corporate transaction involving The Resilience Reset, subject to appropriate confidentiality and data protection safeguards.
7.2 We do not sell Personal Information.
8. Cross-Border Disclosure
8.1 Personal Information may be stored, processed or accessed in Australia or in other countries where our service providers or related systems are located.
8.2 Our service providers may be located in the following jurisdictions:
- Australia (primary data hosting)
- United States (cloud infrastructure, email services)
- European Union (backup and monitoring services)
8.3 Before disclosing Personal Information overseas, we take reasonable steps to ensure that the overseas recipient will protect the information in a manner consistent with this Privacy Policy and the APPs, which may include:
- Entering into contractual arrangements requiring APP-equivalent protection
- Verifying the recipient is subject to laws or binding schemes providing substantially similar protection
- Obtaining your consent where appropriate
8.4 Where an exception applies under the Privacy Act 1988 (Cth), we may disclose Personal Information overseas without taking the steps described above.
9. Data Quality and Retention
9.1 We take reasonable steps to ensure that Personal Information we collect, use and disclose is accurate, complete and up to date. Customers and individuals should notify us promptly if their details change or if they believe information we hold is inaccurate.
9.2 We retain Personal Information:
(a) for as long as reasonably necessary to provide the Service to Customers and Participants (typically for the duration of the Customer's active subscription);
(b) for a period of 7 years after account closure to comply with applicable record-keeping requirements and to resolve disputes;
(c) for any additional period required or authorised by law; and
(d) for a reasonable period for the purposes of backup, archiving, dispute resolution, enforcement of agreements and security incident investigations (typically up to 12 months in secure backup systems).
9.3 We may retain and use de-identified or aggregated data (which does not identify individuals) indefinitely for analytics, benchmarking, research and Service improvement.
10. Security and Cybersecurity
10.1 We take reasonable steps to protect Personal Information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our security measures include both organisational and technical measures:
Technical Measures
- Secure hosting environments with controlled physical and logical access
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest
- Multi-factor authentication options for Admin Users
- Regular security testing and vulnerability assessments
- Rate limiting, IP controls, and anomaly detection systems
- Comprehensive logging and monitoring of access and security events
- Regular security updates and patching procedures
Organisational Measures
- Access controls based on role and need-to-know principles
- Regular staff training on data protection and security practices
- Documented policies and procedures for secure handling of Personal Information
- Incident response plans and procedures
- Regular review and audit of security measures
- Confidentiality agreements with staff and contractors
10.2 Despite these measures, no system, transmission or storage method can be guaranteed as completely secure. To the maximum extent permitted by law, we do not accept liability for unauthorised access to Personal Information that occurs despite our reasonable security measures, except where caused by our negligent, unlawful or wilfully wrongful acts or omissions.
10.3 Customers and users are responsible for:
(a) maintaining the security of their devices, networks and access credentials;
(b) ensuring that Admin User access is appropriately limited and reviewed; and
(c) notifying us promptly of any suspected compromise of credentials or unauthorised access to accounts.
10.4 We maintain processes to respond to actual or suspected data breaches:
- We will assess suspected data breaches within 30 days of becoming aware of the suspected breach
- Where an eligible data breach has occurred, we will notify affected individuals and the Office of the Australian Information Commissioner as required under the Notifiable Data Breaches scheme
- Notifications to affected individuals will include recommendations on steps they should take in response to the breach
- We will take immediate steps to contain and remediate the breach
11. Access, Correction and Rights
11.1 You may request access to the Personal Information we hold about you and request correction of that information if it is inaccurate, out of date, incomplete, irrelevant or misleading.
11.2 Requests should be made in writing using the contact details in section 14. We may need to verify your identity before providing access or making corrections.
11.3 In some circumstances permitted by law, we may refuse access or correction (for example, where providing access would have an unreasonable impact on the privacy of others or be unlawful). If we refuse a request, we will provide reasons and information on how to complain.
11.4 Participants should generally raise requests with their employer (the Customer), who controls how Participant information is used in the workplace. We will assist the Customer to respond to such requests where appropriate.
12. Complaints
12.1 If you have a concern or complaint about how we have handled your Personal Information, you should contact us using the details in section 14, providing full details of your concern.
12.2 We will investigate and respond within a reasonable time (typically within 30 days).
12.3 If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
13. Children
13.1 The Service is designed for use in workplace and organisational contexts and is not directed to children under 16 years of age.
13.2 We do not knowingly collect Personal Information from children under 16 without appropriate consent. If you believe that we have collected such information without appropriate consent, please contact us and we will take reasonable steps to delete it.
14. Contact Details
The Resilience Reset
Attention: Privacy Officer
Email: hello@theresiliencereset.com.au
Postal address: [Insert Postal Address, Queensland, Australia]
15. Changes to this Privacy Policy
15.1 We may amend this Privacy Policy from time to time. The updated version will be posted on our website and will be effective from the date of posting.
15.2 The 'Last updated' date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after any change constitutes acceptance of the updated Privacy Policy.