Legal
How we collect, use, store, and disclose personal information when you or your candidates use Risurix.
Risurix (Fractality Pty Ltd) of S1, 12 Browning Street, South Brisbane QLD 4101 ("Risurix", "we", "us", "our") operates the Risurix platform (the "platform"). The platform administers a pre-employment behavioural safety risk instrument (SIRPI-PE) and produces structured risk-profile reports. This policy describes how we handle personal information (within the meaning of the Privacy Act 1988 (Cth)) collected through the platform.
We are bound by the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth). This policy is structured to mirror the APPs so you can locate the relevant practice quickly. References to specific APPs (such as APP 5) are to the principle of that number in Schedule 1.
Risurix publishes this policy on the Risurix website. We review it at least annually and on any material change to our handling practices. Risurix has designated a Privacy Officer; contact details are in the Contact section.
Where it is lawful and practicable, we will let an individual deal with us without identifying themselves or by using a pseudonym. It is not practicable for a Candidate to complete SIRPI-PE anonymously or pseudonymously, because the resulting report must be linked to the Candidate so that the recruiting organisation can act on it. Recruiter (HR user) accounts require identification for billing and audit reasons.
We collect two categories of personal information:
We do not solicit sensitive information (within the meaning of section 6 of the Privacy Act 1988 (Cth)). The instrument is designed not to elicit health, racial, political, religious, or sexual-orientation information. The instrument can produce inferred behavioural patterns; the report does not provide a clinical, medical, or psychological diagnosis and must not be relied on as one.
The platform uses a scoring program (the "scoring engine") that converts a Candidate’s responses to SIRPI-PE into a structured Report describing patterns across five behavioural dimensions relevant to safety. The Report is provided to the recruiting organisation as one input to the organisation’s hiring decision.
Decision support, not automated decision-making. The scoring engine does not make the hiring decision. The hiring decision is made by the recruiting organisation, by a trained human reviewer who is contractually required to consider other evidence (interview, reference checks, technical assessment) and to record the human-review step. We require the recruiting organisation, under our Terms of service (clause 8), not to use the Report as the sole or principal basis for an adverse decision.
Information used. The scoring engine uses the Candidate’s responses to the 55 SIRPI-PE items, together with the scoring rules and item weights that form part of the SIRPI-PE manual. It does not use the Candidate’s name, email, IP address, or any other identifying data in the scoring step.
Meaningful information about how the program operates. SIRPI-PE produces a Report describing patterns across five behavioural dimensions. The scoring engine applies pre-defined weighting rules; it is not a self-learning model and does not adapt based on prior Candidates’ results.
Your rights. Candidates may request feedback from the recruiting organisation on how the Report was used in the selection process. Candidates may request human reconsideration of any adverse decision that was substantially informed by the Report. Candidates may also contact our Privacy Officer to raise concerns about the operation of the scoring engine.
This section is drafted to anticipate APP 1.7, 1.8 and 1.9, inserted into Schedule 1 of the Privacy Act 1988 (Cth) by the Privacy and Other Legislation Amendment Act 2024 (Cth), commencing 10 December 2026. We commit to maintaining and updating the content of this section in line with the final OAIC APP 1 Guidelines.
Candidates are shown a collection notice before they begin the assessment (the Candidate notice). The Candidate notice identifies Risurix as the platform operator, identifies the recruiting organisation as the customer, describes the purposes of collection, the kinds of information collected, the recipients of the Report, the consequences of not providing information, how the Candidate can access and correct information, how to make a complaint, and the overseas locations to which information may be disclosed (see section 8).
We use personal information only for the following purposes:
We do not sell, lease, or trade personal information. We do not use personal information for advertising or for purposes unrelated to the operation of Risurix.
We do not use Candidate information for direct marketing. We may send operational emails to recruiters about their account (billing, security, product updates); recruiters may unsubscribe from non-essential messages.
Candidate Data and recruiter data are stored in Australia (Sydney region, AWS ap-southeast-2). Application compute is also hosted in Sydney.
We use the following sub-processors which may process personal information overseas:
For each sub-processor, we (a) maintain a written data processing agreement requiring the sub-processor to handle personal information in a manner materially consistent with the APPs (and, where the sub-processor is GDPR-bound, requiring it to apply equivalent standards to Australian data), (b) review the agreement and the sub-processor’s certifications at least annually, and (c) maintain a current published Sub-processors list. We give recruiters at least 30 days’ notice of any new or replacement sub-processor that will receive Candidate Data.
Subject to APP 8.2, Risurix remains accountable under the APPs for an act or practice of an overseas sub-processor in respect of personal information that would be a breach of the APPs.
We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up to date, and complete:
We protect personal information using technical and organisational measures including:
We take reasonable steps under APP 11.2 to destroy or de-identify personal information that we no longer need for any purpose for which it may be used or disclosed, except where retention is required by law (see section 11).
We retain personal information for the following periods:
Earlier destruction or de-identification may be requested under APP 11.2 (see section 14, Destruction requests).
Risurix complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). Our Data Breach Response Plan defines the assessment process: when we become aware that there are reasonable grounds to suspect an eligible data breach, we assess the suspected breach within 30 days. If we determine that an eligible data breach has occurred (one that is likely to result in serious harm to any individual), we will notify affected individuals and the OAIC as soon as practicable.
You may request access to the personal information we hold about you, or correction of information that is inaccurate, out of date, incomplete, irrelevant, or misleading, by writing to privacy@risurix.com. We will respond within 30 days. We may need to verify your identity before releasing or amending information. If we decline a request, we will give written reasons consistent with the APPs.
A Candidate or recruiter may request that personal information we hold about them be destroyed or de-identified where we no longer need it for any purpose for which it may be used or disclosed. We will action verified requests within 30 days. We are required to retain certain financial, audit, and legal-obligation records for the periods set out in section 11 and may not be able to destroy those records earlier; if we retain information on this basis, we will not use it for any other purpose.
Since 10 June 2025, individuals have had a statutory cause of action for serious invasions of privacy (intrusion upon seclusion or misuse of information) under the Privacy Act 1988 (Cth) (as inserted by the Privacy and Other Legislation Amendment Act 2024 (Cth)). The safeguards described in this policy, particularly the limited collection set (section 3), the prohibition on direct marketing (section 7), the bounded recipient list (section 6), the documented de-identification methodology (section 11), and the contractual restrictions on the recruiting organisation’s use of Reports (Terms clauses 4, 7 and 8), are designed to reduce the risk of conduct that could amount to a serious invasion of privacy.
Privacy complaints can be made to privacy@risurix.com. We will acknowledge within five Business Days and aim to substantively respond within 30 days. If you are not satisfied with our response, you may complain to the OAIC at oaic.gov.au (phone 1300 363 992). For complaints involving alleged discrimination in the selection process, the appropriate forum may be the Australian Human Rights Commission (humanrights.gov.au) or your State or Territory equivalent.
The platform is not designed for individuals under 18 years of age. A recruiting organisation must not invite a Candidate under 18 to complete SIRPI-PE without first contacting us so that we can put age-appropriate handling in place. We will revisit this section once the Children’s Online Privacy Code (to be developed under the Privacy and Other Legislation Amendment Act 2024 (Cth) by 10 December 2026) is finalised.
We do not use cookies to identify Candidates while they are completing the assessment.
We may update this policy from time to time. The “Last updated” date at the top of the page reflects the most recent material change. Substantive changes will be notified to recruiter account holders by email and (in our discretion) by an in-platform banner.
Privacy enquiries: privacy@risurix.com
Postal: Risurix, S1/12 Browning Street, South Brisbane QLD 4101