Privacy Policy | CPD Central by Yellowtrace

1. About This Policy

This Privacy Policy describes how Yellowtrace Pty Ltd as trustee for The Hughes Design Trust (ABN 80 798 417 363) ("Yellowtrace", "we", "us", or "our") collects, uses, discloses, stores, and otherwise handles your personal information in connection with the CPD Central platform ("Platform"), accessible at cpd.yellowtrace.com.au.

We are bound by the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) ("Privacy Act") and are committed to protecting the privacy of your personal information. This Policy sets out how we comply with our obligations under the Privacy Act, the APPs, and the Notifiable Data Breaches scheme.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.

2. Independent Platform — No Affiliation with AIA

Yellowtrace is not affiliated with, endorsed by, authorised by, or in any way formally connected with the Australian Institute of Architects ("AIA") or any of its subsidiaries, related bodies corporate, or affiliates.

The CPD Central Platform is an independent educational and assessment tool developed and operated solely by Yellowtrace. Any reference to the AIA, AIA Registration Numbers, or Continuing Professional Development ("CPD") requirements on this Platform is made solely for the purpose of facilitating the user's own professional development records and does not imply any partnership, sponsorship, approval, or endorsement by the AIA.

We collect AIA Registration Numbers solely for the purpose of assisting users in maintaining their own professional development records. The collection, storage, and use of AIA Registration Numbers by Yellowtrace does not create any relationship between Yellowtrace and the AIA, nor does it constitute any representation by Yellowtrace as to the validity, accuracy, or acceptance of any data in connection with AIA's systems, policies, or requirements.

Users are solely responsible for verifying the acceptance and recognition of any CPD credits, points, or certificates issued through this Platform with the AIA or any other relevant professional body directly. Yellowtrace makes no representations or warranties whatsoever regarding the acceptance of Platform-issued certificates by the AIA or any other body.

3. Information We Collect

We collect personal information that is reasonably necessary for, or directly related to, the functions and activities of the Platform. We collect the following categories of personal information:

(a) Account Information

Full name
Email address
Password (stored in encrypted/hashed form only)

(b) Professional Information

AIA Registration Number (provided voluntarily by the user)
Professional designation or membership details (if provided)

(c) Platform Activity Data

Quiz participation records, responses, scores, and completion status
CPD certificate generation records and verification data
Event attendance and eligibility verification data

(d) Technical and Usage Data

IP address and approximate geolocation
Browser type and version
Device type and operating system
Pages visited, access times, and referral URLs
Cookies and similar tracking technologies (see section 8)

4. Legal Basis for Collection and Processing

Under the Australian Privacy Principles, we collect and process your personal information on the following lawful bases:

Consent: You provide express consent when you create an account and agree to this Privacy Policy and our Terms of Service.
Contractual necessity: Processing is necessary for the performance of our services to you, including administering quizzes, generating CPD certificates, and verifying eligibility.
Legitimate interests: We may process data where we have a legitimate interest in operating, improving, and securing the Platform, provided this does not override your fundamental rights.
Legal obligation: We may process data to comply with applicable laws, regulations, or legal processes.

Where we rely on consent, you may withdraw your consent at any time by contacting us at privacy@yellowtrace.com.au. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

5. How We Use Your Information

We use the personal information we collect for the following purposes:

To provide, operate, and maintain the Platform and its features
To create and manage your user account and authenticate your identity
To administer quizzes, process your quiz results, and calculate scores
To generate, issue, and enable verification of CPD completion certificates
To verify your eligibility for specific quizzes or events (including cross-referencing attendee records)
To communicate with you regarding your account, Platform updates, and technical support
To monitor, analyse, and improve the Platform's performance, security, and user experience
To detect, prevent, and address fraud, abuse, or security incidents
To comply with applicable laws, regulations, and legal processes

We will not use your personal information for direct marketing purposes without your express, opt-in consent.

6. Disclosure of Personal Information

We may disclose your personal information to the following categories of recipients, solely for the purposes described in this Policy:

Service providers: Third-party providers who assist us in operating the Platform, including hosting providers, database services, email delivery services, and analytics providers. These providers are contractually obligated to handle your data in accordance with this Policy.
Certificate verification: Certificate verification data (limited to certificate ID, holder name, quiz title, completion date, and score) is made available through our public verification endpoint to enable employers, professional bodies, or other authorised parties to verify the authenticity of certificates.
Legal requirements: Where we are required or authorised to do so by law, regulation, court order, or governmental request, including to law enforcement agencies and regulatory bodies.
Protection of rights: Where we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.
Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

We do not sell, rent, or trade your personal information to third parties for their marketing or commercial purposes.

7. Cross-Border Data Transfers

In order to provide the Platform, your personal information may be transferred to, stored in, and processed in countries outside Australia, including the United States, where our hosting and infrastructure service providers (such as cloud hosting, database, and content delivery network providers) maintain their servers and facilities.

In accordance with APP 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to your information. These steps include:

Entering into contractual arrangements with third-party providers that require them to comply with privacy obligations substantially similar to the APPs
Selecting providers with established privacy and security programs
Implementing appropriate technical and organisational security measures

By using the Platform and providing your personal information, you consent to the transfer and processing of your personal information outside Australia for the purposes described in this Policy.

8. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to facilitate user authentication, maintain session state, and enhance your experience. These include:

Essential cookies: Required for Platform operation, including authentication tokens and session management.
Analytical cookies: Used to understand how users interact with the Platform and to improve its performance.

You may configure your browser to refuse cookies; however, doing so may impair certain features of the Platform, including the ability to log in and complete quizzes.

9. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, in accordance with APP 11. Our security measures include:

Encryption of data in transit (TLS/SSL) and at rest
Secure password hashing using industry-standard algorithms
Access controls and role-based permissions for administrative functions
Regular review of security practices and infrastructure

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security, and you acknowledge that you provide your information at your own risk.

10. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

Account information: Retained for the duration of your account and for a reasonable period thereafter (up to 12 months) to allow for reactivation requests.
CPD certificate and completion records: Retained for a minimum of seven (7) years from the date of issuance, as may be required for professional audit, compliance, and verification purposes.
Quiz performance data: Retained for seven (7) years in connection with certificate records.
Technical and usage data: Retained for up to twenty-four (24) months for analytics and security purposes.

Upon expiry of the applicable retention period, or upon your valid request for deletion (subject to our legal obligations), we will take reasonable steps to destroy or de-identify the personal information.

11. Your Rights Under Australian Law

Under the Privacy Act and the APPs, you have the following rights in relation to your personal information:

Access (APP 12): You may request access to the personal information we hold about you. We will respond to your request within a reasonable period (generally within 30 days).
Correction (APP 13): You may request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
Deletion: You may request deletion of your account and associated personal information. We will comply with such requests subject to our legal obligations to retain certain records (including CPD certificate records for audit purposes).
Withdrawal of consent: Where we process your personal information based on your consent, you may withdraw that consent at any time.
Data portability: Upon request, we will provide you with a copy of your personal information in a commonly used, machine-readable format where technically feasible.
Complaint: You have the right to lodge a complaint regarding our handling of your personal information (see section 14).

To exercise any of these rights, please contact us at privacy@yellowtrace.com.au. We may need to verify your identity before processing your request. We will not charge you for making a request or for providing access to your information, except in limited circumstances permitted under the Privacy Act.

12. International Users and GDPR

If you are accessing the Platform from outside Australia, including from the European Economic Area ("EEA") or the United Kingdom, you may have additional rights under the General Data Protection Regulation ("GDPR") or equivalent local data protection legislation.

To the extent that the GDPR or equivalent legislation applies to our processing of your personal data, we acknowledge and will endeavour to honour the following additional rights:

Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing
Right not to be subject to automated decision-making, including profiling

To exercise any such rights, please contact us at privacy@yellowtrace.com.au.

13. Notifiable Data Breaches

In accordance with Part IIIC of the Privacy Act (Notifiable Data Breaches scheme), if we become aware of an eligible data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

Take prompt and reasonable steps to contain the breach and mitigate any potential harm
Conduct an assessment of the breach as soon as practicable (and within 30 days of becoming aware of the breach)
Notify the Office of the Australian Information Commissioner ("OAIC") and affected individuals as required by law
Provide a statement to affected individuals detailing the nature of the breach, the information involved, and recommended steps

14. Changes to This Policy, Contact Us, and Complaints

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Where changes are material, we will notify you by posting a prominent notice on the Platform or by sending you an email notification. Your continued use of the Platform following the posting of changes constitutes your acceptance of those changes.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us at:

Yellowtrace Pty Ltd as trustee for The Hughes Design Trust
ABN 80 798 417 363
Email: privacy@yellowtrace.com.au
Platform: cpd.yellowtrace.com.au

Complaints

If you believe we have breached the APPs or are not satisfied with our response to a privacy concern, you may first contact us using the details above so that we may investigate and attempt to resolve the matter (generally within 30 days). If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner ("OAIC"):

Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992