BASELINE.ENV Environmental Monitoring

Privacy Policy

Effective date: 1 April 2026

1. Introduction

Baseline Environmental Pty Ltd (ABN 23 764 916 808) ("Baseline", "we", "us", "our") operates an environmental monitoring platform (the "Platform") for environmental consultants, mining companies, and government agencies across Australia.

This Privacy Policy explains how we collect, hold, use, and disclose personal information in compliance with the Privacy Act 1988 (Cth) ("Privacy Act") and the thirteen Australian Privacy Principles ("APPs"). We are an APP entity for the purposes of the Privacy Act.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you provide personal information about other individuals (such as employees or contractors using the field survey app), you must ensure those individuals are aware of this Privacy Policy.

2. Personal Information We Collect

We collect and hold the following categories of personal information:

2.1 Account & Identity Information

  • Full name, email address, and organisational role
  • Organisation name and ABN (for billing purposes)
  • Hashed passwords and passkey credentials (WebAuthn/FIDO2) — we never store passwords in plain text
  • Login timestamps and IP addresses

2.2 Location Data

  • GPS coordinates of survey sites and equipment deployments (entered manually or via device GPS)
  • GPS tracks of field workers using the field survey app (collected only with explicit consent — see Section 7)
  • Project area boundaries (polygons defining survey footprints)

2.3 Survey Media

  • Photographs from camera traps — these are wildlife monitoring images that may incidentally capture identifiable individuals (site workers, trespassers, members of the public)
  • Audio recordings from acoustic monitoring devices (bird and bat call recordings)
  • EXIF metadata embedded in photographs (GPS coordinates, camera model, capture timestamp)

2.4 Technical & Usage Data

  • Browser type and version, operating system, and device type
  • Pages visited and features used within the Platform
  • We do not use any third-party analytics, advertising, or tracking services

2.5 Sensitive Information

We do not intentionally collect sensitive information as defined under section 6 of the Privacy Act (such as racial or ethnic origin, health information, or biometric data). However, camera trap images collected for wildlife monitoring may incidentally capture images of individuals, which could constitute personal information. We process such images solely for environmental monitoring purposes.

3. How We Collect Personal Information

We collect personal information through:

  • Direct collection: when you create an account, submit forms, or contact us
  • Field survey app: GPS coordinates and survey data entered by field workers during environmental surveys
  • Automated collection: camera trap and acoustic monitoring equipment deployed at survey sites — these devices operate autonomously and may capture images or audio of any person present at the site
  • From your employer or organisation: if your employer or client creates an account on your behalf
  • From government data sources: species records, regulatory boundaries, and environmental data sourced from public Australian Government datasets (these do not contain personal information)

We collect personal information directly from the individual to whom it relates wherever reasonably practicable (APP 3.6).

4. Why We Collect & How We Use Personal Information

We collect and use personal information for the following primary purposes:

  • Providing, operating, and improving the Platform
  • User authentication and account management
  • AI-assisted species identification as a decision-support tool (see Section 10)
  • Generating environmental survey reports and compliance assessments
  • Recording survey locations and field worker positions for environmental monitoring
  • Communicating with you about your account, including password resets and service notifications
  • Protecting the security and integrity of the Platform
  • Complying with our legal obligations, including responding to lawful requests from regulatory authorities

We will not use or disclose personal information for a purpose other than the primary purpose of collection unless you would reasonably expect the secondary use or disclosure, or you have consented (APP 6).

5. Disclosure of Personal Information

We may disclose personal information to the following categories of recipients:

  • Your organisation: administrators within your tenant organisation can access user accounts and project data
  • Client portal users: if your organisation shares project data with clients via the client portal, those clients can view shared reports and survey data
  • Email service provider: your email address is disclosed to our email delivery provider for account notifications and password resets
  • Law enforcement or regulators: where required by law, court order, or to comply with regulatory obligations

We do not sell, rent, or trade personal information to any third party. We do not disclose personal information for direct marketing purposes.

6. Cross-Border Disclosure of Personal Information

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs (APP 8.1). The following limited disclosures may occur:

| Recipient | Country | Data Disclosed | Personal Information? |
|---|---|---|---|
| Anthropic (AI compliance analysis) | United States | Text-only regulatory analysis queries about environmental legislation | No — no names, emails, or images are sent |
| Open-Meteo (weather data) | European Union | GPS coordinates (rounded to ~11 metre precision) for weather forecasts | No — coordinates are not linked to any individual |
| MapTiler (map tiles) | European Union | Map tile coordinates indicating the geographic area being viewed | No — standard web mapping requests |
| Email delivery provider | Configured per deployment | Recipient email addresses and notification content | Yes — email addresses are personal information |

AI species detection stays on-premises: All AI species identification models (MegaDetector, SpeciesNet, and Perch v2) run on our own infrastructure. Camera trap images and audio recordings are never transmitted to any external service for AI processing.

7. GPS Location Tracking & Workplace Surveillance

The Platform's field survey app includes optional GPS tracking functionality that records the location of field workers during environmental surveys. This feature:

  • Is disabled by default and requires explicit, informed consent before activation
  • Records GPS coordinates, timestamps, and track paths
  • Is used for survey location documentation, field safety, and route recording
  • Can be disabled at any time by revoking the device's location permission
  • Records consent with a timestamp when location permission is first granted

Employer obligations: If you are an employer or organisation enabling GPS tracking for your employees or contractors, you are solely responsible for compliance with applicable workplace surveillance legislation in your jurisdiction, including but not limited to:

  • NSW: Workplace Surveillance Act 2005 — 14 days written notice required (s.16)
  • VIC: Surveillance Devices Act 1999 — express or implied consent required (s.9)
  • WA: Surveillance Devices Act 1998 — consent required
  • SA: Surveillance Devices Act 2016 — consent and transparency required (s.11)
  • ACT: Workplace Privacy Act 2011 — prior written notice required (s.12)
  • NT: Surveillance Devices Act 2007 — consent required (s.14)
  • QLD and TAS: No specific surveillance legislation, but general privacy obligations apply

8. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11.1). Our security measures include:

  • Passwords hashed using bcrypt with industry-standard salt rounds — we never store passwords in plain text
  • All data transmitted via HTTPS with TLS encryption and HSTS preloading
  • Multi-tenant data isolation through PostgreSQL Row-Level Security — each organisation's data is cryptographically isolated at the database level
  • Role-based access controls (five permission levels) restricting data access to authorised users
  • Multi-factor authentication available via FIDO2/WebAuthn passkeys
  • Account lockout after repeated failed login attempts
  • Signed URLs for media file access with automatic expiration
  • Comprehensive audit logging of security-relevant actions
  • Automated security monitoring and regular vulnerability assessments
  • CSRF protection, Content Security Policy headers, and input validation on all endpoints

9. Data Retention & Deletion

We retain personal information only for as long as it is needed for the purposes described in Section 4, or as required by law (APP 11.2). Our retention practices:

  • Active accounts: personal information is retained while your account remains active
  • Account deletion: you may delete your account at any time through your account settings. Upon deletion, personal identifiers (name, email) are anonymised within 30 days. Survey data and project records associated with your organisation are retained for the organisation.
  • Inactive accounts: accounts inactive for more than 24 months may be flagged for review and potential anonymisation
  • Backups: encrypted backup copies are retained for up to 90 days and are automatically overwritten on a rolling basis
  • Audit logs: security audit logs are retained for 12 months for security investigation purposes, then deleted

To request deletion of your personal information, email privacy@baselineenvironmental.com.au or use the account deletion function in the Platform.

10. Automated Decision-Making & AI Processing

The Platform uses artificial intelligence models to assist with environmental monitoring tasks. We are transparent about this processing in accordance with the Privacy Act reforms effective December 2026 regarding automated decision-making.

10.1 AI Species Identification

Camera trap images and audio recordings are processed by AI models (MegaDetector, SpeciesNet, and Perch v2) to provide preliminary species identifications. These identifications are decision-support outputs only — they are presented with confidence scores and require human review and confirmation by qualified ecologists before they are treated as verified records. AI outputs do not constitute definitive species determinations and must not be solely relied upon for regulatory decisions.

10.2 Compliance Analysis

The compliance engine uses AI to analyse publicly available environmental legislation and generate planning guidance. This analysis is a planning tool only and does not constitute legal or professional advice. All compliance assessments should be verified by qualified environmental practitioners and confirmed with the relevant regulatory authority.

10.3 Human Review

No automated decision made by the Platform has a legally binding effect on any individual without human review. You may request an explanation of how any AI-assisted output was generated by contacting our Privacy Officer.

11. Cookies & Tracking Technologies

The Platform uses only essential cookies required for operation:

  • Authentication cookies: session tokens to keep you logged in (httpOnly, secure, SameSite)
  • CSRF cookies: protection against cross-site request forgery attacks
  • Preference cookies: your chosen map basemap and UI preferences (stored in localStorage)

We do not use any advertising cookies, tracking pixels, social media widgets, or third-party analytics services (such as Google Analytics). We do not participate in any cross-site tracking or advertising networks.

12. Data Breach Notification

In the event of an eligible data breach under Part IIIC of the Privacy Act, we will:

  • Carry out a reasonable and expeditious assessment within 30 days of becoming aware of the breach
  • If the breach is likely to result in serious harm, notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable
  • Where applicable, comply with the 72-hour reporting requirement for ransomware payments
  • Take immediate steps to contain the breach and mitigate potential harm

Our data breach response plan is maintained and reviewed annually by our Privacy Officer.

13. Accessing & Correcting Your Information

You have the right to:

  • Access personal information we hold about you (APP 12). We will respond to access requests within 30 days. You can access most of your information directly through the Platform's account settings and data export functions.
  • Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13). You can update your name, email, and password directly in the Platform. For other corrections, contact our Privacy Officer.

We may refuse an access or correction request in limited circumstances permitted by the Privacy Act (e.g., where providing access would pose a serious threat to the life or health of any individual). If we refuse, we will provide written reasons.

14. Third-Party Data Sources

The Platform integrates data from public Australian Government and research institution sources for environmental monitoring purposes. These include species records from the Atlas of Living Australia, climate data from SILO (Queensland Government), protected matters data from DCCEEW, and geospatial data from Geoscience Australia and state government agencies. This data does not contain personal information. Full attribution details are available at baselineenvironmental.com.au/credits.

15. Children's Privacy

The Platform is designed for use by environmental professionals and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email to your registered account address at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised. Previous versions are available upon request.

17. Contact & Complaints

Privacy Officer
Baseline Environmental Pty Ltd
ABN 23 764 916 808
Email: privacy@baselineenvironmental.com.au

We will acknowledge receipt of a complaint within 5 business days and endeavour to respond substantively within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):