SHC Group of Companies Services

Privacy Policy

Effective: 16th August 2021. Last Updated: 3rd June 2026.

In this Privacy Policy, "SHC", "we", "us" or "our" means SHC Group of Companies, ABN 77 002 097 163.

We respect your privacy and are committed to handling personal information responsibly, transparently and in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles and other laws that apply to our business.

This Privacy Policy explains how we collect, use, store and disclose personal information when you interact with SHC, including through our websites, internal web applications, mobile applications, support channels, job and service workflows, forms, messaging, integrations and related digital services.

By using our services or providing personal information to us, you acknowledge that we will handle your personal information as described in this Privacy Policy. If you are using an SHC workplace system, additional workplace policies, employment terms, client terms or system-specific notices may also apply.

1. Scope of this policy

This Privacy Policy applies to personal information handled by SHC through:

  • our public websites and online forms;

  • the SHC internal web application used by office staff;

  • the SHC Toolbox mobile application used by technicians and field staff;

  • SHC backend systems, APIs, messaging, notifications, file storage, reporting and support tools;

  • communications with us by email, phone, chat, forms, support tickets or other channels;

  • recruitment, supplier, customer and business relationship processes.

Some employee records may be subject to separate workplace laws and policies. Where an employee record exemption applies under Australian privacy law, this Privacy Policy may not apply to that record, but SHC still aims to handle workplace information with care and appropriate confidentiality.

2. Summary

In practical terms:

  • We collect information needed to run SHC's operations, provide services, manage jobs, communicate with staff and customers, maintain safety and meet legal obligations.

  • SHC systems use Microsoft 365 sign-in and related Microsoft services for identity, email, files and access control.

  • The SHC Toolbox mobile app may use camera, photo library, file access and push notification permissions when you choose to use those features.

  • We do not sell personal information.

  • We do not use personal information for cross-app tracking or third-party advertising profiling.

  • We do not store raw credit card numbers, CVV/CVC codes or full payment card data in SHC systems. Where card payments are available, payment details are processed by secure third-party payment providers.

  • We use trusted service providers such as cloud hosting, file storage, accounting, notification, AI and security providers to operate our systems.

  • You can contact us to request access to or correction of your personal information, or to make a privacy complaint.

3. What personal information we collect

The types of personal information we collect depend on your relationship with SHC and the services you use.

Account, identity and contact information

We may collect:

  • name, preferred name and display name;

  • email address, phone number, mailing address and business contact details;

  • Microsoft 365 user profile information, such as user ID, email, name and group membership used for authentication and permissions;

  • job title, department, role, permissions and system access settings;

  • emergency, customer, supplier or business contact information where relevant to SHC operations.

Work, job and operational information

For staff, contractors, technicians, customers and business contacts, we may collect information connected with SHC's work, including:

  • job, task, tender, quote, roster, planner, timesheet, payroll and service records;

  • client, site, asset, equipment, inventory, supplier and material information;

  • form responses, inspection records, service notes, checklists and sign-off records;

  • signatures, job completion records and technician notes;

  • support tickets, enquiries, emails, chat messages, notifications and internal comments;

  • files, photos, receipts, sick leave certificates, attachments or other documents uploaded to our systems;

  • information needed for accounting, invoicing, payroll, leave, reimbursements and MYOB-related workflows.

Mobile app and device information

When you use the SHC Toolbox mobile app or related services, we may collect:

  • device type, operating system, app version and platform, such as iOS or Android;

  • device push notification tokens so we can send job, task, chat, reminder or system notifications;

  • app usage, diagnostic, crash, access log and security information;

  • files, images or documents you choose to upload from your device;

  • local app storage data needed for login, session continuity and app functionality.

The current SHC Toolbox app is not designed to collect continuous or background location tracking. If a future feature requires precise location access, we will request device permission where required and explain the purpose of that collection.

Website and online activity information

When you use our websites, web applications or online services, we may collect:

  • IP address, browser type, device information and operating system;

  • pages or features accessed, time and date of access, referral URLs and standard server logs;

  • authentication, session, security and audit log information;

  • cookie, local storage or similar technology information used to keep you signed in, remember preferences, protect the service and understand service performance.

Payment and transaction information

Where payments are available, we may collect transaction-related information such as:

  • billing contact details;

  • invoice, payment status and receipt information;

  • payment reference, transaction ID or token supplied by a payment provider;

  • limited card metadata where supplied by the provider, such as card brand or last four digits.

We do not intentionally collect or store full card numbers, CVV/CVC codes, magnetic stripe data or raw payment card data in SHC systems. Card details are processed by PCI DSS compliant third-party payment providers or merchant facilities, such as Stripe or the payment provider identified at the point of payment. Those providers handle card data under their own security and privacy terms.

Sensitive information

We only collect sensitive information where reasonably necessary for SHC's functions or activities, where you have consented, where it is required for workplace, health, safety or legal reasons, or where otherwise permitted by law.

Sensitive information may include health or medical information contained in sick leave records, incident reports, safety forms, certificates, licences, qualifications, identity documents, background checks, signatures or uploaded documents.

Recruitment information

If you apply for a job or contract role with SHC, we may collect information such as your name, contact details, resume, employment history, qualifications, references, interview notes, right-to-work information and background or records checks where permitted by law.

4. How we collect personal information

We may collect personal information:

  • directly from you when you submit forms, create records, upload files, send messages, contact us or use SHC systems;

  • through your use of our websites, apps, APIs, support tools and workplace systems;

  • from SHC staff, managers, administrators, customers, suppliers, contractors or business partners where relevant to SHC operations;

  • from Microsoft 365, Microsoft Graph, MYOB, accounting systems, file storage, notification services or other integrated platforms used by SHC;

  • from recruitment agencies, referees, previous employers or background check providers where you apply for work with us;

  • from public sources, regulators, professional advisers or law enforcement where appropriate.

Where practical, we collect personal information directly from you. Sometimes it is necessary to collect information from third parties, for example to authenticate a Microsoft 365 account, sync accounting data, receive a customer enquiry, manage a job site, verify employment information or process a support request.

5. Why we collect, use and disclose personal information

We collect, use and disclose personal information for purposes including:

  • providing, operating and improving SHC's websites, apps, workplace systems and services;

  • authenticating users and managing permissions, access control and security;

  • managing tenders, quotes, jobs, tasks, rosters, forms, equipment, inventory, clients, suppliers, reports and planner workflows;

  • enabling technicians and staff to record work, upload files, complete forms, communicate and receive notifications;

  • managing timesheets, payroll, leave, expenses, reimbursements, invoices, accounting and MYOB-related workflows;

  • communicating with staff, customers, suppliers, contractors and other business contacts;

  • providing support, responding to enquiries and resolving issues;

  • sending service messages, administrative notices, security alerts, reminders and operational notifications;

  • generating documents, PDFs, reports, analytics and business records;

  • maintaining safety, quality assurance, audit trails and compliance records;

  • protecting SHC, our users, our customers and our systems from misuse, unauthorised access, fraud, security incidents and legal risk;

  • training, testing, maintaining and improving our systems, where appropriate safeguards are used;

  • using AI-assisted features to help with search, summaries, classification, quote review, form parsing or other business assistance, subject to access controls and human review where appropriate;

  • considering employment or contractor applications;

  • meeting legal, regulatory, insurance, accounting, tax, workplace, health and safety, dispute resolution and law enforcement obligations.

We may also use de-identified or aggregated information for reporting, analytics, service improvement and business planning.

6. Mobile app permissions and app store disclosures

The SHC Toolbox app requests permissions only where they support app functionality. Depending on your device, operating system and the features you use, the app may request access to:

  • camera, to take photos for job records, chat attachments, form uploads, receipts or timesheet-related evidence;

  • photo library or media picker, to select images or files for upload;

  • files or storage, to read selected documents for upload or download job-related files;

  • push notifications, to deliver job, task, chat, reminder, form, timesheet or system alerts;

  • Microsoft sign-in, to authenticate your SHC account and confirm access permissions.

You can manage app permissions through your device settings. Some features may not work if required permissions are denied.

For Apple App Store and Google Play privacy disclosures, SHC Toolbox may involve the following broad data categories where the user or administrator enables the relevant feature:

  • account and contact information;

  • user content, such as messages, form responses, signatures, photos, files and attachments;

  • identifiers, such as Microsoft user ID and push notification token;

  • usage data, diagnostics and logs;

  • payment or financial workflow information, such as expenses, receipts, timesheets, invoices or payment references, but not raw card numbers stored by SHC.

This data is used for app functionality, account management, workplace operations, analytics, security, compliance and support. It is not sold and is not used by SHC for third-party advertising or cross-app tracking.

7. AI-assisted features

Some SHC systems may include AI-assisted features, including the SHC AI Assistant and tools that help with search, summaries, quote review, form parsing, enquiry classification or other workflow assistance.

When you use those features, the prompt, uploaded content, selected business context, conversation history or relevant system data may be processed by SHC systems and by AI service providers such as OpenAI so the feature can respond. Access to AI features is controlled through SHC account permissions and backend security controls.

AI outputs can be inaccurate or incomplete and should be reviewed before being relied upon for business, safety, financial, employment or legal decisions. Users should not enter unnecessary sensitive information into AI prompts.

8. Direct marketing

We may send marketing or promotional communications where permitted by law, including by email, SMS, mail or other communication channels.

You can opt out of marketing communications by using the unsubscribe link where provided or by contacting us. Even if you opt out of marketing, we may still send service, safety, support, security or administrative messages.

9. Who we disclose personal information to

We may disclose personal information to:

  • SHC employees, contractors and related bodies corporate who need the information for their role;

  • customers, suppliers, subcontractors, technicians, business partners or site contacts where needed to deliver services or manage work;

  • IT, hosting, storage, security, software, support and communication providers;

  • Microsoft 365, Microsoft Graph, OneDrive, Azure and related Microsoft services used for authentication, email, files, hosting and storage;

  • MYOB or accounting providers used for accounting, payroll, invoicing and financial workflows;

  • Firebase, Google or Apple services used for push notifications and mobile platform services;

  • OpenAI or other AI service providers where AI-assisted features are used;

  • Cloudinary or similar media processing providers where images or thumbnails are processed;

  • Cloudflare or similar security providers used to protect forms and services;

  • payment processors, merchant facilities and banks where payments are processed;

  • professional advisers, insurers, auditors, lawyers, accountants and consultants;

  • recruitment agencies, referees, background check providers and employment-related service providers;

  • government agencies, regulators, courts, tribunals, law enforcement or other parties where required or authorised by law;

  • another organisation involved in a merger, acquisition, restructure, financing or transfer of SHC assets or business;

  • any other party where you consent or direct us to disclose the information.

We require service providers to handle personal information appropriately and only for authorised purposes, subject to their own legal obligations and service terms.

10. Overseas disclosure

Some of our service providers, platforms or support teams may store or process personal information outside Australia. This may include countries such as the United States, New Zealand, Singapore, the United Kingdom, members of the European Economic Area and other locations where our providers operate infrastructure or support services.

Examples include Microsoft, Google/Firebase, Apple, OpenAI, MYOB, Cloudflare, Cloudinary, payment processors and other cloud or software providers.

Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles the information in a way that is consistent with the Australian Privacy Principles, unless an exception applies under Australian privacy law.

11. Cookies, local storage and similar technologies

We may use cookies, local storage, session storage, tokens and similar technologies to:

  • keep you signed in;

  • remember settings or preferences;

  • protect accounts and systems;

  • support forms, uploads and app functionality;

  • understand website and application performance;

  • detect errors, misuse or unauthorised access.

You can manage cookies through your browser settings. Some services may not work properly if cookies, local storage or similar technologies are disabled.

12. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.

Depending on the system, safeguards may include:

  • Microsoft 365 authentication and permission-based access controls;

  • encrypted connections for web, API and mobile app traffic;

  • server, database, access and audit logging;

  • role-based access to business records;

  • cloud provider security controls;

  • secure file storage and limited access links where used;

  • backup, monitoring and incident response processes;

  • separation of duties and staff confidentiality obligations;

  • use of specialist third-party providers for high-risk processing such as payment card handling.

No method of transmission or storage is completely secure. If we become aware of an eligible data breach under the Notifiable Data Breaches scheme, we will notify affected individuals and the Office of the Australian Information Commissioner where required by law.

13. Retention and deletion

We keep personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, maintain business records, meet legal and accounting obligations, resolve disputes, enforce agreements, maintain safety records and comply with workplace requirements.

Retention periods vary depending on the type of information. For example, payroll, tax, accounting, safety, employment, job, insurance and legal records may need to be kept for longer periods.

When information is no longer needed, we take reasonable steps to delete it, de-identify it or securely archive it.

If you use an SHC app with a Microsoft 365 account, your app access is linked to your SHC account. You may request account deactivation, deletion or access changes by contacting SHC. Uninstalling the mobile app removes local app access from your device, but it does not automatically delete server-side business records that SHC is required or permitted to retain.

14. Accessing and correcting your personal information

You may request access to personal information we hold about you, or ask us to correct information you believe is inaccurate, incomplete, out of date, irrelevant or misleading.

To protect privacy and security, we may need to verify your identity before responding. In some cases, we may refuse access or correction where permitted by law, for example where disclosure would affect another person's privacy, reveal commercially sensitive information, prejudice an investigation or breach legal obligations. If we refuse a request, we will explain why where reasonable to do so.

15. Privacy complaints

If you believe we have breached this Privacy Policy, the Australian Privacy Principles or applicable privacy law, please contact us using the details below.

Please include your name, contact details and a clear description of your concern. We will acknowledge your complaint and aim to respond within a reasonable period.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au.

16. Children and young people

Our websites, internal systems and mobile applications are not directed to children under 16. We do not knowingly collect personal information from children for app account creation or workplace system access. If we become aware that a child has provided personal information to us without appropriate authority, we will take reasonable steps to delete or de-identify it where required.

17. Links to third-party websites and services

Our websites, applications, emails or documents may contain links to third-party websites or services. Those third parties are responsible for their own privacy practices. We encourage you to read their privacy policies before providing information to them.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our systems, services, legal obligations or business practices. The updated version will be published on our website or made available through appropriate SHC channels. The "Last updated" date shows when this Privacy Policy was most recently changed.

19. Contact us

For questions about this Privacy Policy, to request access to or correction of your personal information, to request account deletion or deactivation, or to make a privacy complaint, please contact:

SHC Group of Companies
ABN 77 002 097 163
Phone: 02 9618 5688
Mailing address: PO Box 279, Ingleburn NSW 1890
Email: [email protected]