Effective starting:  4 August 2025

This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us, offline or online, including through our website www.jjryan.com.au (“Site”) and any future devices/mobile applications.

This Policy outlines how JJ Ryan Consulting Pty Ltd trading as JJ Ryan Consulting and our related entities and affilitates (JJR, we, our, us) collects, uses and stores personal information in the course of its business from employees, applicants for employment, contractors, clients, suppliers and other individuals (referred to as “you” or “your” in this Privacy Policy).

JJR fosters a workplace culture across all our operations whereby privacy is considered a core value. This policy outlines how we collect, manage and protect information of a personal, sensitive or confidential nature. Breaches or perceived breaches will be addressed immediately and directly with the person(s) involved. JJR is committed to upholding and complying with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act).

This Privacy Policy describes the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

• We may process your information if you have given us permission (i.e. consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract. We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our services or at your request prior to entering into a contract with you.
• Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms.
• Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
• Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

We will:

• Only collect personal information necessary for one or more of our functions or activities.
• Only collecting personal information by lawful and reasonable means, always ensuring personal data is not collected in an unreasonably intrusive way.
• Take all reasonable steps to ensure that individuals who have provided personal information are aware of our details, ability to access the data, the purpose of collecting the information, relevant disclosures and laws, as well as consequences of providing partial or incomplete data.
• Where possible, only collect individual information from the individual in question.
• Using personal information for the primary purpose for which it was collected and not disclose the information unless conditions described in the IPP are met.
• Ensuring that information collected, used or disclosed is as accurate, complete and up to date as reasonably possible.
• Protecting information held by the company from misuse and loss, including unauthorised access, modification, or disclosure to the best of our abilities
• Where information is no longer needed for any purpose, taking reasonable steps to destroy or permanently de-identify personal information.
• Clearly documenting expressed policies on the management of personal information and make these available to the public upon request.
• Advising individuals what personal information of theirs is held by the company and how it is collected, used and disclosed when requested by that individual.
• Providing individuals with access to information held about them by the company unless not required to do so under the described IPP conditions.
• Communicate to the individual the reasons for a denial of access to information.
• De-identify individual’s information wherever it is lawful and practicable to do so.
• Avoid collecting sensitive information about an individual unless necessary as prescribed in IPP conditions.
• Assist openly and honestly with any complaints and investigations regarding the management of personal, sensitive or confidential information.

We are committed to lead by example and to demonstrate best practice within all our operations.

We may use and may disclose your personal information to third parties (located onshore or overseas) for the purposes it was collected, or for a related or ancillary purpose in connection with the performance of our business activities or operation of our business functions including but not limited to:

• JJR’s related entities;
• Clients who may wish to engage your services as a contractor or temporary employee;
• Our vendors, consultant, suppliers, contracted service providers or partners, including (but not limited to) organisations that conduct competency or psychometric tests, payroll processing or other employment related services;
• Your nominated referees;
• Any government authority;
• Any law enforcement body, including the police; and
• Any educational or vocational organisations to the extent necessary to verify your qualifications.

We may share your data with third-party vendors, service providers, contractors, or agents (‘third parties’) who perform services for us or on our behalf and require access to such information to do that work. While most of the personal information we collect about you is retained in the country in which it was collected, there are circumstances where we provide personal information to overseas recipients. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organisation apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct. The categories of third parties we may share personal information with are as follows:

• Cloud Computing Services
• Communication & Collaboration Tools
• Data Analytics Services
• Data Storage Service Providers
• Performance Monitoring Tools
• User Account Registration & Authentication Services
• Website Hosting Service Providers
• Finance & Accounting Tools
• Contracted Service Providers

We also may need to share your personal information in the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company;
• We may share your information with our affiliates, in which case we will require those affiliates to honour this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
• Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.

JJR primarily stores data in SaaS platforms that operate and store information in data centres within Australia (e.g., Microsoft Azure, Amazon AWS, Digital Pacific). These service providers may occasionally replicate data to other countries, such as the United States or New Zealand, for availability and redundancy purposes. These countries generally have privacy laws that are comparable in scope and comprehensiveness to those in Australia. In all cases, we will take all necessary measures to protect your information in accordance with this privacy policy and applicable laws.

JJR takes reasonable steps to protect the personal information we hold from loss, unauthorised access, and misuse, including by means of physical and electronic security measures. Your personal information may be stored in hard copy documents, or electronically on our software or systems. If you suspect any misuse, loss or unauthorised access please contact us immediately.

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment

Personal Information We Collect

1. The types of personal information we may collect include;
2. your name;
3. your contact details, including email address, mailing address, street address and/or telephone number;
4. your credit card details;
5. your demographic information, such as postcode;
6. your preferences and/or opinions;
7. information you provide to us through customer surveys;
8. details of products and services we have provided to you and/or that you have enquired about, and our response to you;
9. your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour;
10. information about your access and use of our Site, including through the use of Internet cookies, your communications with our Site, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider;
11. additional personal information that you provide to us, directly or indirectly, through your use of our Site, associated applications, associated social media platforms and/or accounts from which you permit us to collect information; and
12. any other personal information requested by us and/or provided by you or a third party.

Direct Marketing

We may only use personal information we collect from you for the purposes of direct marketing without your consent if:

• The personal information does not include sensitive information;
• You would reasonably expect us to use or disclose the information for the purpose of direct marketing;
• We provide a simple way of opting out of direct marketing; and
• You have not requested to opt out of receiving direct marketing from us.

If you wish to opt out of receiving direct marketing, contact us.

If we collect personal information about you from a third party, we will only use that information for the purposes of direct marketing if you have consented (or it is impracticable to obtain your consent). You can easily request not to receive direct marketing communications from us by contacting us. We will draw your attention to the fact you may make such a request in our direct marketing communications.

You have the right to request us not to use or disclose your personal information for the purposes of direct marketing, or for the purposes of facilitating direct marketing by other organisations. We will give effect to the request within a reasonable time. You may also request that we provide you with the source of their information. If such a request is made, we must notify you of the source of the information free of charge within a reasonable period of time.

How we treat personal information that is also sensitive information

Sensitive information is a subset of personal information that is given a higher level of protection under the Australian Privacy Principles.

Sensitive information means information relating to:

1. an individual’s racial or ethnic origin;
2. health information;
3. political opinions;
4. membership of a political association;
5. professional or trade association or trade union;
6. religious beliefs or affiliations;
7. philosophical beliefs;
8. sexual orientation or practices;
9. criminal record;
10. genetic information; or
11. biometric information that is to be used for certain purposes, and biometric templates.

Your rights and controlling your personal information

Choice and consent: Please read this Privacy Policy carefully. By providing personal information to us, you consent to us collecting, holding, using and disclosing your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect your use of this Site or the products and/or services offered on or through it.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.

Restrict: You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.

Access: You may request details of the personal information that we hold about you. Subject to exceptions in the Privacy Act, you can access the personal information that we hold about you by contacting the Privacy Officer. We will generally provide access within 30 days of your request. If we refuse to provide you with access to the information, we will provide reasons for the refusal. We will require identity verification and specific particulars of what information is required and may charge an administrative fee for searching and photocopying our records.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.

Complaints: If you believe that we have breached the Australian Privacy Principles and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint.

Unsubscribe: To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.

Unsolicited information

If we receive unsolicited personal information about you, we will destroy or de-identify this information unless it is relevant to the purposes for which we collect personal information.

Storage and Security

We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

We use TLS encryption and authentication and we store all of our data on servers in a secure facility. We utilise hosting and DDOS protection from DigitalPacific. We implement systematic processes and procedures for securing and storing data.

This site has been issued certificates from Let’s Encrypt, which are used for web services and email authentication. These certificates use a high standard of authentication and were specifically utilised to boost and maintain customer confidence in ecommerce through a rigorous verification process. You can identify this certificate by the green lock in the address bar. These certificates incorporate some of the highest standards for identity assurance to establish our legitimacy.

We will retain the information we collect from you for a period of 7 years, as required by law, even if you cancel your membership with us.

Cookies and web beacons

We may use cookies on our Site from time to time. Cookies are text files placed in your computer’s browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. However, they do allow third parties, such as Google and Facebook, to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our Site with personal information, this information may be linked to the data stored in the cookie.

We may use web beacons on our Site from time to time. Web beacons (also known as Clear GIFs) are small pieces of code placed on a web page to monitor the visitor’s behaviour and collect data about the visitor’s viewing of a web page. For example, web beacons can be used to count the users who visit a web page or to deliver a cookie to the browser of a visitor viewing that page.

Contacting JJR

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please submit a contact form by clicking here.

Please contact our Privacy Officer if you have a request relating to any of the following:

• if you would like to request access to, or correction of, your personal information held by JJR;
• if you would like to opt-out from receiving direct marketing e-mails; or
• general queries relating to this Policy.

Privacy Complaints

If you have a privacy related complaint, you may contact the Privacy Officer at the contact form set out above. Your message should set out sufficient details of your complaint, including any alleged breach of applicable privacy law. Following receipt of your complaint, the Privacy Officer will consider your complaint and advise you of their determination and/or request further details.

Changes To This Policy

We may, at any time and at our discretion, vary this Privacy Policy by publishing the amended Privacy Policy on our Site. We recommend you check our Site regularly to ensure you are aware of our current Privacy Policy.

If you have any questions about our Privacy Policy, please contact a local JJR office, use the Contact Us form on our website, or contact our Privacy Officer using the details set out below. Any genuine concerns or complaints will be investigated and responded to in line with local law:

1. JJ Ryan Consulting Pty Ltd ABN [69 145 797 726]
2. Email: enquiries@jjryan.com.au

If you are not satisfied with a response, dependent on your location, you may have an option to refer your complaint to a relevant privacy regulator. We will provide you details of any relevant regulator on request.