Intelligent Roster

Privacy Policy

How Intelligent Mind Pty Ltd collects, uses, stores, and protects your personal information in connection with the IRIS platform.

Effective date: February 2026
Last updated: February 2026
Entity: Intelligent Mind Pty Ltd

Section 01

About Us

Intelligent Mind Pty Ltd (ACN/ABN registered in Australia) operates the IRIS platform — an AI-assisted workforce rostering system designed for healthcare organisations.

In this policy, “we”, “us”, and “our” refer to Intelligent Mind Pty Ltd. “IRIS” refers to the Intelligent Roster Intelligence System and all associated web and mobile interfaces operated by us.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR).

Section 02

What This Policy Covers

This policy explains how we handle personal information about:

  • Staff of healthcare organisations who use IRIS (roster builders, nurses, doctors, and other clinical and administrative staff)
  • Representatives of healthcare organisations who engage with us for procurement, onboarding, or support
  • Visitors to our website at intelligentroster.com

What this policy does not cover: IRIS is a workforce rostering system. We do not collect, store, or process patient data, clinical records, health information as defined under the My Health Records Act 2012, or any information protected under state and territory health records legislation. That boundary is technically enforced — not just a policy position.

Section 03

What Personal Information We Collect

From staff and roster builders using IRIS

  • Full name and email address
  • Role title, employment type, and craft group (e.g. RN, EN, Doctor)
  • Employment details relevant to rostering (e.g. contracted hours, start date)
  • Shift assignments, availability preferences, and leave information
  • Qualifications and skills relevant to scope of practice
  • Login credentials (stored in hashed, non-reversible form)

From visitors to our website

  • Name and contact details submitted via enquiry or demo request forms
  • Technical information collected via cookies and analytics (see Section 8)

What we do not collect

  • Patient identifiers, Medicare numbers, or medical record numbers
  • Clinical notes, diagnoses, treatment information, or health records
  • Payment card data (we do not process payments directly)
  • Sensitive information (as defined under the Privacy Act) unless you provide it voluntarily in a support context, in which case we handle it with the care the Act requires

Section 04

How We Collect Personal Information

We collect personal information in the following ways:

  • Directly from you — when you register for IRIS, set up your profile, enter availability, or contact us
  • From your employer or healthcare organisation — when an administrator creates your account or imports staff data during onboarding
  • Automatically — through your use of the platform (e.g. login events, usage logs, session data)
  • From our website — through cookies, analytics tools, and enquiry or demo request forms

Where we collect personal information about you from a third party (e.g. your employer), we take reasonable steps to ensure you are made aware of this policy.

Section 05

Why We Collect and How We Use It

We collect and use personal information only for purposes that are directly related to providing and improving IRIS. These include:

| Purpose | Detail |
| --- | --- |
| Providing the service | Generating rosters, managing shift assignments, leave, and availability. |
| Authentication | Verifying your identity when you log in via SSO or credentials. |
| AI-assisted rostering | Processing workforce data through AI models to generate roster suggestions. See Section 6 for subprocessors. |
| Platform improvement | Analysing usage patterns (in aggregate or de-identified form) to improve features. |
| Communications | Sending service-related notifications (e.g. shift updates, password resets). We do not send unsolicited marketing without your consent. |
| Support | Responding to enquiries, troubleshooting issues, and providing customer support. |
| Legal and compliance | Meeting our obligations under applicable laws, including the Privacy Act and NDB Scheme. |

We do not use your personal information for advertising, sell it to third parties, or use it for purposes unrelated to workforce rostering.

Section 06

Disclosure to Third Parties

We do not sell, rent, or trade personal information. We may disclose personal information to the following categories of third parties where necessary to provide the service:

| Subprocessor | Role | Location |
| --- | --- | --- |
| Render | Cloud hosting and infrastructure (global default) | Singapore |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure (Australian option) | Australia (Sydney) |
| OpenAI | AI language model processing for roster generation and IRIS chat | United States |
| Anthropic | AI language model processing for roster reasoning and IRIS chat | United States |

AI subprocessors: When IRIS processes a roster query or generates a suggestion using AI, relevant workforce data (not patient data) may be transmitted to OpenAI or Anthropic for model inference. We take reasonable steps to ensure these providers handle data in accordance with their published data processing terms and applicable privacy laws. We do not transmit more information than is necessary for the function being performed.

We may also disclose personal information:

  • To your employer or the healthcare organisation that administers your IRIS account, where that disclosure is necessary to operate the service
  • Where required or authorised by law, including under the Notifiable Data Breaches Scheme
  • To professional advisers (e.g. lawyers, auditors) under obligations of confidentiality

Section 07

Data Retention

We retain personal information for as long as necessary to provide the service and meet our legal obligations. Our general retention approach is:

  • Active accounts: Personal information is retained for the duration of the subscription and for a period after account closure to allow for transition, dispute resolution, and compliance with applicable legal obligations.
  • After account closure: We retain data for a defined period (currently up to 7 years) to meet legal, regulatory, and audit obligations, after which it is securely deleted or de-identified.
  • Backup systems: Residual copies in backup systems are purged in accordance with our backup retention schedule.

If you wish to request earlier deletion of your personal information, please contact us at the address in Section 15. We will consider all such requests in accordance with our obligations under the Privacy Act.

Section 08

Cookies and Tracking

Our website and platform use cookies and similar tracking technologies. These may include:

  • Essential cookies: Required for the platform to function, including session management and authentication. These cannot be disabled without affecting core functionality.
  • Analytics cookies: Used to understand how visitors use our website and platform, so we can improve the experience. Analytics data is collected in aggregate and, where possible, anonymised.

Where cookies involve the transfer of personal information to third-party analytics providers, we take steps to ensure appropriate safeguards are in place.

You can control cookie settings through your browser. Disabling essential cookies may affect your ability to use the platform. Disabling analytics cookies will not affect platform functionality.

Section 09

Cross-Border Disclosure

Some of our subprocessors are located outside Australia, including in Singapore (Render) and the United States (OpenAI, Anthropic). By using IRIS, you acknowledge that your personal information may be transferred to and processed in these countries.

Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient handles that information in a way that is consistent with the Australian Privacy Principles, in accordance with Australian Privacy Principle 8 (APP 8). This includes relying on contractual safeguards with subprocessors and their published data processing terms.

If you choose the Australian hosting option (AWS Sydney), your data is stored and processed in Australia. AI model inference via OpenAI and Anthropic may still involve processing in the United States regardless of hosting region.

Section 10

Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for all data in transit
  • Role-based access control (RBAC), single sign-on (SSO), and multi-factor authentication (MFA)
  • Immutable audit logging
  • Infrastructure hosted on providers with SOC 2 Type II and ISO 27001 certifications

No method of transmission over the internet or electronic storage is completely secure. While we use industry-standard measures, we cannot guarantee absolute security. In the event of a data breach that meets the threshold under the Notifiable Data Breaches Scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

Section 11

International Users — GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where the GDPR or equivalent legislation applies, the following additional rights and obligations apply.

Lawful basis for processing

We process personal information on the following lawful bases under GDPR Article 6:

  • Contract: Processing necessary to provide the IRIS service under agreement with your employer or healthcare organisation
  • Legitimate interests: Platform improvement, security monitoring, and abuse prevention, where these do not override your fundamental rights
  • Legal obligation: Compliance with applicable laws

Your GDPR rights

In addition to the rights described in Section 12, EEA and UK individuals have the right to:

  • Lodge a complaint with your local data protection authority
  • Object to processing based on legitimate interests
  • Not be subject to solely automated decision-making that produces legal or similarly significant effects (IRIS roster suggestions always involve human review and approval)

International transfers under GDPR

Transfers of personal data outside the EEA are made on the basis of appropriate safeguards, including standard contractual clauses and reliance on adequacy decisions where applicable. Contact us for further detail on the transfer mechanisms we use.

Section 12

Your Rights

Under the Australian Privacy Act and, where applicable, the GDPR, you have the right to:

  • Access the personal information we hold about you
  • Correct personal information that is inaccurate, incomplete, or out of date
  • Request deletion of your personal information, subject to our legal retention obligations
  • Portability — receive a copy of your personal information in a structured, machine-readable format (GDPR users)
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at the address in Section 15. We will respond within a reasonable time and, in any case, within 30 days. We may need to verify your identity before processing a request.

Note for staff: Some personal information in IRIS — such as your shift assignments and leave records — is managed by your employer or healthcare organisation as the data controller. Requests relating to that information may need to be directed to your employer as well as to us.

Section 13

Complaints

If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, you may make a complaint by contacting us at the address in Section 15.

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If we are unable to resolve your complaint to your satisfaction, you may refer it to the Office of the Australian Information Commissioner (OAIC):

EEA and UK individuals may also lodge a complaint with their local data protection authority.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify active users by email or in-app notification.

We encourage you to review this policy periodically. Continued use of IRIS after a policy update constitutes acceptance of the revised policy.

Section 15

Contact Us

For any privacy-related enquiries, access requests, correction requests, or complaints, please contact us:

Privacy Contact — Intelligent Mind Pty Ltd

We aim to respond to all privacy enquiries within 5 business days.

Email: office@intelligentroster.com

When contacting us about your personal information, please include your full name, the email address associated with your IRIS account, and a description of your request. This helps us locate your information and respond accurately.