Employment & HR Privacy Notice

Privacy notice for contractors and employees of Maelstrom AI

Public

Effective Date: 13 February 2026
Last Updated: 13 February 2026
Version: 1.0


1. Introduction

Who We Are

This privacy notice is provided by Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust, trading as Provii, an Australian company providing zero-knowledge age verification services.

Legal Entity: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust
Trading Name: Provii
Registered Address: PO Box 169, St Arnaud VIC 3478, Australia
Website: https://provii.app
Privacy Contact: privacy@maelstrom.au
HR Contact: cto@provii.app

Purpose of This Notice

This Employment & HR Privacy Notice explains how we collect, use, store, and protect personal information about our contractors, consultants, and employees (collectively referred to as “contractors” in this document, reflecting our contractor-based business model).

This notice supplements our main Privacy Policy and applies specifically to individuals who provide services to Maelstrom AI through employment or contractual relationships.

You should read this notice carefully to understand what personal information we collect about you, why we collect it, how we use it, and what rights you have.

Our Commitment to Your Privacy

We take your privacy seriously. As a company built on privacy-preserving technology, we extend the same privacy-first principles to our workforce:

  • Data minimization. We collect only what we need for legitimate business and legal purposes
  • Purpose limitation. We use your information only for the purposes explained in this notice
  • Security. We protect your information with strong technical and organisational measures
  • Transparency. We are open and honest about our data practices
  • Your rights. We respect and facilitate your privacy rights under applicable laws

Scope of This Notice

This notice applies to:

  • Independent contractors and consultants engaged by Maelstrom AI
  • Employees of Maelstrom AI (if and when hired)
  • Prospective contractors during recruitment
  • Former contractors (for data retention purposes)

This notice does NOT apply to:

  • End users of Provii services (see our main Privacy Policy)
  • Business customers and partners (see our main Privacy Policy)
  • Website visitors (see our main Privacy Policy)

2. Personal Information We Collect

Overview of Collection

We collect personal information from contractors through:

  • Direct provision. Information you provide to us during onboarding, through contracts, and during our working relationship
  • Automated collection. Work product, code commits, communications created during your work
  • Third parties. Payment processors, credential issuing authorities (for verification of qualifications if applicable)

Categories of Personal Information

2.1 Identity and Contact Information

What we collect:

  • Full legal name
  • Preferred name (if different)
  • Email address (personal and work)
  • Phone number (mobile and/or landline)
  • Physical mailing address
  • Date of birth (for legal compliance purposes)
  • Emergency contact information (name, relationship, phone number)

Why we collect it:

  • Contract creation and management
  • Payment processing and tax reporting
  • Communication about work assignments and projects
  • Emergency situations requiring contact

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance
  • Article 6(1)(c) - Legal obligation (tax reporting)
  • Article 6(1)(f) - Legitimate interests (emergency contact)

2.2 Financial and Payment Information

What we collect:

  • Bank account details (BSB, account number, account name)
  • Tax File Number (TFN) or equivalent tax identifier
  • Australian Business Number (ABN) if applicable
  • Payment history and invoices
  • Expense claims and receipts

Why we collect it:

  • Payment for services rendered
  • Tax withholding and reporting (compliance with Australian Taxation Office requirements)
  • Expense reimbursement
  • Financial record-keeping

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance
  • Article 6(1)(c) - Legal obligation (tax compliance)

Important security note: We do NOT store full financial details. Bank account information is provided directly to our payment processor (see Section 7). Tax identifiers are encrypted at rest.

2.3 Professional Information

What we collect:

  • Resume/CV and work history
  • Educational background and qualifications
  • Professional certifications and licenses
  • Skills and expertise
  • References and recommendations
  • Portfolio or work samples (if provided)
  • LinkedIn profile or professional website (if provided)

Why we collect it:

  • Assessment of suitability for roles
  • Project assignment and team formation
  • Professional development and training
  • Performance management
  • Verification of qualifications (where required for specific roles)

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance (pre-contractual measures)
  • Article 6(1)(f) - Legitimate interests (assessing suitability, managing workforce)

2.4 Work Product and Communications

What we collect:

  • Code commits and contributions (GitHub, GitLab)
  • Documentation and written work
  • Design work and creative output
  • Email communications related to work
  • Slack/Discord messages in work channels
  • Meeting notes and recordings (with consent)
  • Project management system data (tasks, comments, time tracking)

Why we collect it:

  • Intellectual property management
  • Quality assurance and code review
  • Project coordination and collaboration
  • Performance assessment
  • Business continuity (knowledge retention)

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance
  • Article 6(1)(f) - Legitimate interests (business operations, IP protection)

Important notes:

  • Work communications in official channels are considered business records
  • Personal communications outside work channels are NOT collected
  • Meeting recordings require advance notice and consent

2.5 Contract and Legal Information

What we collect:

  • Signed contracts and amendments
  • Non-disclosure agreements (NDAs)
  • Intellectual property assignment agreements
  • Confidentiality obligations
  • Conflict of interest disclosures
  • Legal correspondence

Why we collect it:

  • Legal compliance and contract enforcement
  • Protection of intellectual property
  • Management of legal rights and obligations
  • Dispute resolution if necessary

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance
  • Article 6(1)(c) - Legal obligation
  • Article 6(1)(f) - Legitimate interests (legal compliance, business protection)

2.6 Performance and Development Information

What we collect:

  • Performance reviews and feedback
  • Goals and objectives
  • Training and professional development records
  • Skill assessments
  • Project completion records
  • Time tracking and availability

Why we collect it:

  • Performance management
  • Professional development support
  • Resource allocation and project planning
  • Contract renewal decisions
  • Recognition and compensation adjustments

Legal basis (GDPR):

  • Article 6(1)(b) - Contract performance
  • Article 6(1)(f) - Legitimate interests (workforce management, performance optimisation)

What We Do NOT Collect

Maelstrom AI does NOT collect the following types of information about contractors:

Monitoring and Surveillance:

  • ❌ Keystroke logging or screen monitoring
  • ❌ Location tracking or GPS data
  • ❌ Website browsing history
  • ❌ Time-tracking screenshots or webcam monitoring
  • ❌ Biometric data (fingerprints, facial recognition, etc.)
  • ❌ Health or medical information (except as voluntarily disclosed for accommodation purposes)

Special Categories of Personal Data (GDPR Article 9):

  • ❌ Racial or ethnic origin
  • ❌ Political opinions
  • ❌ Religious or philosophical beliefs
  • ❌ Trade union membership
  • ❌ Genetic data
  • ❌ Biometric data for identification
  • ❌ Health data (except as noted above)
  • ❌ Sex life or sexual orientation

Personal Information Unrelated to Work:

  • ❌ Personal social media accounts (unless publicly shared by you)
  • ❌ Personal financial information beyond payment details
  • ❌ Personal relationships or family details (except emergency contact)
  • ❌ Personal hobbies or interests (unless relevant to work)

Why this matters: We respect the boundary between professional and personal life. We collect only information necessary for our working relationship and legal compliance.


3. How We Use Your Information

Purpose Limitation

We use your personal information ONLY for the following legitimate purposes related to our contractual relationship and legal obligations:

3.1 Contract Management and Performance

Activities:

  • Creating and maintaining contractor agreements
  • Assigning work and managing projects
  • Coordinating collaboration and communication
  • Providing necessary tools and resources
  • Facilitating onboarding and offboarding

Information used:

  • Identity and contact information
  • Professional information
  • Work product and communications

Legal basis: Contract performance (GDPR Article 6(1)(b))

3.2 Payment and Financial Administration

Activities:

  • Processing payments for services rendered
  • Generating and maintaining invoices
  • Reimbursing legitimate business expenses
  • Issuing payment summaries and tax statements
  • Responding to payment inquiries

Information used:

  • Financial and payment information
  • Identity information (for payment verification)
  • Contract information (payment terms)

Legal basis:

  • Contract performance (GDPR Article 6(1)(b))
  • Legal obligation (GDPR Article 6(1)(c)) - tax compliance

3.3 Legal and Regulatory Compliance

Activities:

  • Withholding and reporting taxes to Australian Taxation Office
  • Maintaining required business records
  • Complying with employment and contractor regulations
  • Responding to legal requests or court orders
  • Meeting audit and compliance requirements

Information used:

  • Tax identifiers (TFN, ABN)
  • Financial records
  • Contract and legal information
  • Identity information

Legal basis:

  • Legal obligation (GDPR Article 6(1)(c))
  • Legitimate interests (GDPR Article 6(1)(f)) - compliance and risk management

Specific obligations:

  • Australian Taxation Office reporting (PAYG, TFN declarations)
  • Superannuation obligations (if applicable to employees)
  • Fair Work Act compliance (if applicable to employees)
  • Record-keeping under corporations law

3.4 Intellectual Property Management

Activities:

  • Managing ownership of work product
  • Protecting confidential information
  • Enforcing IP assignment agreements
  • Licensing and commercializing innovations
  • Responding to IP disputes

Information used:

  • Work product and contributions
  • Contract and legal information
  • Professional information (authorship attribution)

Legal basis:

  • Contract performance (GDPR Article 6(1)(b))
  • Legitimate interests (GDPR Article 6(1)(f)) - IP protection, business asset management

3.5 Performance Management and Development

Activities:

  • Conducting performance reviews
  • Providing feedback and coaching
  • Identifying training needs
  • Supporting professional development
  • Making contract renewal or extension decisions

Information used:

  • Performance and development information
  • Work product quality assessments
  • Professional information

Legal basis:

  • Contract performance (GDPR Article 6(1)(b))
  • Legitimate interests (GDPR Article 6(1)(f)) - workforce optimisation, quality assurance

3.6 Business Operations and Continuity

Activities:

  • Maintaining business continuity
  • Knowledge management and transfer
  • Resource planning and allocation
  • Quality assurance and improvement
  • Internal reporting and analytics (aggregated)

Information used:

  • Work product and communications
  • Professional information
  • Performance information

Legal basis:

  • Legitimate interests (GDPR Article 6(1)(f)) - business operations, efficiency, continuity

3.7 Security and Incident Response

Activities:

  • Protecting company systems and data
  • Investigating security incidents
  • Preventing fraud and unauthorized access
  • Enforcing confidentiality obligations
  • Responding to security threats

Information used:

  • Access logs and system usage (technical data, not monitoring)
  • Work communications (if relevant to incident)
  • Identity information (for investigation)

Legal basis:

  • Legitimate interests (GDPR Article 6(1)(f)) - security, fraud prevention
  • Legal obligation (GDPR Article 6(1)(c)) - if required by law

Important: Security measures are proportionate and do NOT include invasive monitoring (no keystroke logging, screen recording, or location tracking).

What We Do NOT Use Your Information For

We NEVER use your personal information for:

  • ❌ Marketing or promotional purposes
  • ❌ Selling or renting to third parties
  • ❌ Profiling or automated decision-making (GDPR Article 22)
  • ❌ Background checks without consent (beyond publicly available information)
  • ❌ Monitoring personal activities or communications
  • ❌ Tracking location or movements
  • ❌ Discriminatory purposes (based on protected characteristics)
  • ❌ Sharing with third parties for their own purposes (except as required by law)

Automated Decision-Making and Profiling

Maelstrom AI does NOT engage in:

  • Automated decision-making with legal or similarly significant effects (GDPR Article 22)
  • Profiling for HR purposes
  • Algorithmic performance assessment
  • AI-based hiring or termination decisions

Human involvement: All significant decisions affecting contractors (hiring, contract renewal, termination, performance assessment) involve meaningful human review and judgment.


4. Legal Bases for Processing (GDPR)

For contractors located in the European Union, European Economic Area, or United Kingdom, we process your personal information under the following legal bases (GDPR Article 6):

Summary Table

Purpose | Legal Basis | GDPR Article
--- | --- | ---
Contract management and performance | Contract performance | Article 6(1)(b)
Payment processing | Contract performance | Article 6(1)(b)
Tax reporting and withholding | Legal obligation | Article 6(1)(c)
Record-keeping (7 years) | Legal obligation | Article 6(1)(c)
Intellectual property management | Contract performance + Legitimate interests | Article 6(1)(b) + (f)
Performance management | Contract performance + Legitimate interests | Article 6(1)(b) + (f)
Security and fraud prevention | Legitimate interests | Article 6(1)(f)
Business continuity | Legitimate interests | Article 6(1)(f)
Emergency contact | Legitimate interests (+ your consent) | Article 6(1)(f)

Legitimate Interests Assessment (Article 6(1)(f))

Where we rely on legitimate interests as the legal basis, we have conducted a balancing test to ensure our interests do not override your rights:

Our Legitimate Interests:

  • Operating an efficient and effective business
  • Protecting our intellectual property and confidential information
  • Ensuring security of systems and data
  • Managing performance and quality of work
  • Maintaining business continuity and knowledge retention

Your Interests and Rights:

  • Privacy and data protection
  • Fair treatment and transparency
  • Minimal intrusion into personal life
  • Control over personal information

Balancing Outcome:

  • ✅ Data collection is minimal and proportionate
  • ✅ Processing is necessary and reasonable for business operations
  • ✅ No invasive monitoring or surveillance
  • ✅ Strong security protections in place
  • ✅ Your rights (access, erasure, objection) are respected and facilitated

Conclusion: Our legitimate interests do not override your rights. You retain the right to object (see Section 9).

No Special Categories of Data

Maelstrom AI does NOT process special categories of personal data (GDPR Article 9) such as:

  • Health data
  • Biometric data
  • Racial or ethnic origin
  • Political opinions, religious beliefs, etc.

Exception: If you voluntarily disclose health information for accommodation or support purposes, we will:

  • Obtain your explicit consent (GDPR Article 9(2)(a))
  • Process only what is necessary for the accommodation
  • Limit access to strictly necessary personnel (ISMS Owner only)
  • Apply enhanced security measures
  • Delete when no longer needed

5. How We Protect Your Information

Security Principles

Maelstrom AI implements technical and organisational security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction.

Security is a core value at Maelstrom AI. As a company building privacy-preserving technology, we apply the same rigorous standards to protecting contractor information.

Technical Security Measures

5.1 Encryption

Data in Transit:

  • TLS 1.3 encryption for all data transmission
  • HSTS (HTTP Strict Transport Security) enforced
  • VPN required for accessing internal systems
  • No unencrypted email for sensitive information

Data at Rest:

  • AES-256 encryption for HR databases and files
  • Encrypted file storage (Google Workspace with encryption at rest)
  • Device-level encryption required for all work devices
  • Encrypted backups

Specific Protections:

  • Tax File Numbers (TFNs) encrypted with separate key
  • Bank account details handled by payment processor only (not stored by Maelstrom AI)
  • Contract documents encrypted in cloud storage

5.2 Access Controls

Authentication:

  • Multi-factor authentication (MFA) required for all systems
  • Strong password requirements (minimum 14 characters, complexity requirements)
  • Password manager usage encouraged
  • Regular password rotation for sensitive systems

Authorisation:

  • Principle of least privilege. Access limited to what is necessary for role
  • Role-based access control (RBAC). Defined roles with specific permissions
  • Need-to-know basis. HR data accessible only to ISMS Owner and authorised finance personnel

Current Access Model:

  • ISMS Owner. Full access to all HR data (necessary for small team management)
  • Finance/Payroll (if outsourced). Limited access to payment and tax information only
  • Contractors. Access to own information only (via request)

Access Reviews:

  • Quarterly review of who has access to HR data
  • Immediate revocation upon contract termination
  • Audit logs of all access to sensitive HR information

5.3 System Security

Infrastructure Security:

  • Cloudflare infrastructure with DDoS protection
  • Web Application Firewall (WAF) for public-facing systems
  • Regular security updates and patching
  • Endpoint protection on all work devices

Application Security:

  • Secure development lifecycle practices
  • Regular dependency scanning (cargo audit, npm audit)
  • Code review requirements for all changes
  • OWASP ASVS guidelines followed

Network Security:

  • Network segmentation (HR data in separate environment)
  • VPN required for remote access to internal systems
  • Firewall rules restricting unnecessary connections

5.4 Data Loss Prevention

Backups:

  • Automated daily backups of HR data
  • Encrypted backup storage
  • Regular backup restoration testing (quarterly)
  • 90-day backup retention for operational recovery
  • 7-year archive for legal compliance

Redundancy:

  • Geographic redundancy for critical HR systems
  • Failover capabilities for high availability
  • Business continuity plan tested annually

Organisational Security Measures

5.5 Policies and Procedures

Security Policies:

  • Information Security Policy (ISO 27001:2022 aligned)
  • Data Breach Response Plan
  • Access Control Policy
  • Acceptable Use Policy
  • Clean Desk/Clear Screen Policy

HR-Specific Procedures:

  • Onboarding security checklist
  • Offboarding data removal procedure
  • Confidentiality training for anyone handling HR data
  • Regular policy reviews and updates

5.6 Personnel Security

Background Verification:

  • Professional reference checks for roles with HR data access
  • Confidentiality agreements signed before access granted

Training and Awareness:

  • Security awareness training for all contractors (annual)
  • Privacy and data protection training (mandatory for ISMS Owner and finance roles)
  • Incident response training

Confidentiality Obligations:

  • All contractors sign confidentiality agreements
  • Specific provisions for protection of HR data
  • Obligations continue after contract termination

5.7 Physical Security

Office Security (if applicable):

  • Secure storage for physical HR documents (locked filing cabinets)
  • Clean desk policy (no sensitive documents left unattended)
  • Visitor access controls

Remote Work Security:

  • Device encryption mandatory
  • Secure home network guidance provided
  • Privacy screen filters encouraged
  • Secure disposal of printed HR documents (shredding)

5.8 Third-Party Security

Vendor Management:

  • Security assessment before engaging third parties with HR data access
  • Data processing agreements with all vendors
  • Regular vendor security reviews
  • Contractual security obligations

Payment Processor Security:

  • PCI DSS compliant payment processor used
  • No storage of full bank account details by Maelstrom AI
  • Encrypted transmission of payment data

Incident Response and Breach Notification

Data Breach Response Plan

Detection: 24-hour breach detection target for HR systems

Containment and Investigation:

  1. Immediate containment to prevent further exposure
  2. Investigation to determine scope and affected data
  3. Documentation of incident details
  4. Preservation of evidence for forensics

Notification:

  • Affected contractors. Notification without undue delay if high risk to rights
  • Supervisory authority. Within 72 hours (GDPR Article 33)
  • Australian authorities. As required by Notifiable Data Breaches scheme (Privacy Act)

Notification includes:

  • Nature of breach and data affected
  • Likely consequences and potential harm
  • Measures taken to mitigate harm
  • Contact point for further information
  • Recommended actions for affected individuals

Remediation:

  • Implementation of additional security controls
  • Post-incident review and lessons learned
  • Updates to policies and procedures
  • Additional training if human error involved

Breach Contact: security@maelstrom.au (24/7 monitored)

Security Commitments

We commit to:

  • ✅ Continuous improvement of security measures
  • ✅ Regular security testing and audits
  • ✅ Prompt notification in case of breaches
  • ✅ Transparency about security practices
  • ✅ Proportionate security measures (balancing protection with usability)

What we do NOT do:

  • ❌ Store HR data in unencrypted form
  • ❌ Share HR data without legal basis or your consent
  • ❌ Use consumer-grade or insecure systems for sensitive data
  • ❌ Ignore security best practices to save costs

6. Data Retention and Deletion

Retention Principles

We retain your personal information:

  • Only as long as necessary for the purposes for which it was collected
  • In compliance with legal and regulatory requirements
  • With clear deletion schedules and procedures

Retention Periods

6.1 Active Contractors

During active contract period:

Data Type | Retention Period | Rationale
--- | --- | ---
Contact information | Duration of contract | Necessary for ongoing communication and work
Payment and tax information | Duration of contract + current tax year | Ongoing payment processing and tax compliance
Work product and communications | Duration of contract | Active collaboration and IP management
Performance information | Duration of contract | Ongoing performance management
Contract documents | Duration of contract + 7 years | Contract enforcement and legal compliance

6.2 Former Contractors (Post-Termination)

After contract termination or expiry:

Data Type | Retention Period | Rationale | Legal Basis
--- | --- | --- | ---
Contract documents | 7 years after termination | Australian legal requirement (contract disputes, tax audits) | Legal obligation (Corporations Act, Taxation Administration Act)
Financial and tax records | 7 years after termination | Australian Taxation Office requirement | Legal obligation (Taxation Administration Act 1953)
Payment history | 7 years after termination | Financial record-keeping requirement | Legal obligation (accounting standards)
Work product (code, documents) | Duration + 1 year | Business continuity, knowledge retention, IP protection | Legitimate interests (with right to object)
Contact information | 1 year after termination | Contract renewal opportunities, reference requests | Legitimate interests (with right to object)
Performance information | 1 year after termination | Reference provision (with consent) | Legitimate interests + Consent
Communications (email, Slack) | 1 year after termination | Business continuity, knowledge retention | Legitimate interests (with right to object)

Deletion Schedule:

  • 1 year post-termination. Contact info, performance data, and communications deleted (unless needed for legal purposes)
  • 7 years post-termination. Financial, tax, and contract records deleted
  • Immediate on request. Data deleted upon erasure request (subject to legal retention requirements)

6.3 Prospective Contractors (Recruitment)

Data Type | Retention Period | Rationale
--- | --- | ---
Application materials (if not hired) | 6 months after recruitment concludes | Consideration for future opportunities
Interview notes | 6 months after recruitment concludes | Potential legal defence (discrimination claims)
Application materials (if hired) | Duration of contract + retention periods above | Part of professional record

Automatic deletion: Applications for candidates not hired are automatically deleted after 6 months unless consent provided for talent pool retention.

Deletion Procedures

Automated Deletion

Scheduled deletion jobs:

  • Monthly scan for data past retention periods
  • Automated deletion from active systems
  • Archival removal for records past 7 years
  • Audit logs of automated deletions

Manual Deletion (Upon Request)

Process:

  1. Contractor submits erasure request to privacy@maelstrom.au
  2. Identity verification performed
  3. Determination of legal basis for retention (if any)
  4. Deletion from all systems (if no legal basis for retention)
  5. Confirmation provided to requester
  6. Documentation of deletion for compliance records

Deletion includes:

  • Production databases
  • Backup systems (next backup cycle will exclude deleted data)
  • Archived records (if past legal retention period)
  • Email systems
  • File storage (Google Drive, etc.)

Secure Deletion Methods

Digital Data:

  • Cryptographic erasure (deletion of encryption keys)
  • Multi-pass overwriting for highly sensitive data
  • Verification of deletion completion

Physical Documents:

  • Cross-cut shredding for paper records
  • Secure disposal certificates obtained
  • Hard drive destruction for decommissioned devices

Exceptions to Deletion

We may retain data beyond standard retention periods when:

  • Legal requirement. Required by law or regulation (e.g., tax records, litigation holds)
  • Legal claims. Necessary for establishment, exercise, or defence of legal claims
  • Consent provided. You have consented to longer retention
  • De-identified. Data has been anonymized and no longer constitutes personal information

If retention required despite erasure request:

  • We will inform you of the legal basis for retention
  • We will limit retention to minimum necessary
  • We will delete as soon as legal requirement expires
  • You retain the right to object and complain to supervisory authority

Requesting Early Deletion

How to request:

  • Email privacy@maelstrom.au with subject “Erasure Request - Contractor Data”
  • Provide identity verification (full name, dates of contract)
  • Specify data to be deleted (or “all data” for complete removal)

Response time: 30 days (GDPR requirement)

What you’ll receive:

  • Confirmation of deletion
  • Explanation of any data retained (with legal basis)
  • Information on retention period for legally required data

7. Sharing Your Information with Third Parties

Data Sharing Principles

We share your personal information only when:

  • Necessary for contract performance (e.g., payment processing)
  • Required by law or legal process
  • You have provided explicit consent
  • Necessary for our legitimate interests (with appropriate safeguards)

We do NOT:

  • ❌ Sell or rent contractor information
  • ❌ Share information for marketing purposes
  • ❌ Disclose information to third parties for their own purposes (except as required by law)
  • ❌ Share more information than necessary for the stated purpose

Third-Party Service Providers (Sub-Processors)

7.1 Payment Processors

Service Provider: [Payment processor name - to be completed when engaged]

Information Shared:

  • Full name
  • Bank account details (BSB, account number)
  • Payment amount and invoice details
  • ABN (if applicable)

Purpose: Processing contractor payments

Safeguards:

  • Data Processing Agreement in place
  • PCI DSS compliance (for card payments if applicable)
  • Encrypted data transmission
  • Access restricted to payment processing only

Location: Australia (or Standard Contractual Clauses if overseas)

Your control: You provide bank details; you can change payment method

7.2 Cloud Storage and Collaboration Tools

Service Provider: Google Workspace (Google LLC)

Information Shared:

  • Email communications
  • Documents and files
  • Calendar events
  • Contact information

Purpose: Business communication, collaboration, and document management

Safeguards:

  • Data Processing Agreement (GDPR-compliant)
  • Encryption at rest and in transit
  • Access controls and MFA required
  • Data residency in Australia (where possible)

Location: United States, Australia (global infrastructure)

More Information: https://workspace.google.com/privacy/

7.3 Development and Project Management Tools

Service Provider: GitHub, Inc. (Microsoft subsidiary)

Information Shared:

  • Name and email (in commit history)
  • Code contributions and comments
  • Profile information (if provided)

Purpose: Source code management, collaboration, IP tracking

Safeguards:

  • Data Processing Agreement
  • Access controls (repository permissions)
  • Repositories are private by default; some repositories (such as open-source components) are public
  • Standard Contractual Clauses for international transfers

Location: United States, European Union

More Information: https://docs.github.com/en/site-policy/privacy-policies

Other tools (if used):

  • Slack or Discord (team communication)
  • Linear, Jira, or similar (project management)
  • Figma (design collaboration)

Each tool is subject to similar safeguards and data processing agreements.

7.4 Accounting and Tax Services

Service Provider: [Accounting firm/service - to be completed if engaged]

Information Shared:

  • Tax File Number (TFN) or ABN
  • Payment records
  • Financial information for tax reporting

Purpose: Tax preparation and lodgment, compliance with ATO requirements

Safeguards:

  • Professional confidentiality obligations (chartered accountants)
  • Data Processing Agreement
  • Encrypted data transmission
  • Access restricted to authorised personnel

Location: Australia

7.5 Tax Authorities

Authority: Australian Taxation Office (ATO)

Information Shared:

  • Tax File Number (TFN)
  • Payment amounts and withholding
  • ABN and business details
  • Superannuation contributions (if applicable)

Purpose: Tax reporting and compliance

Legal Basis: Legal obligation (Taxation Administration Act 1953)

Frequency: Annual PAYG payment summaries, quarterly reporting (if required)

7.6 Legal and Regulatory Disclosures

We may disclose information when required by:

  • Court orders or subpoenas
  • Warrants or legal process
  • Regulatory investigations
  • Legal or regulatory obligations

Information disclosed: Only what is legally required

Notification: We will notify you of disclosure requests unless prohibited by law (e.g., gag order)

Legal challenge: We will challenge overly broad or unjustified requests

Examples:

  • Fair Work Commission proceedings
  • Taxation audits or investigations
  • Legal disputes involving intellectual property
  • Regulatory compliance investigations

Business Transfers

In the event of:

  • Merger or acquisition
  • Sale of business assets
  • Bankruptcy or insolvency
  • Corporate restructuring

What happens:

  • Your information may be transferred to the acquiring entity
  • We will notify you in advance of the transfer
  • The successor entity is bound by this privacy notice (or will provide an updated notice)
  • You will have the opportunity to exercise your rights (access, erasure, objection)

Protection: Contractual obligations to maintain confidentiality and security

No Other Sharing

We do NOT share your information with:

  • ❌ Other contractors (unless necessary for collaboration on specific project)
  • ❌ Maelstrom AI’s business customers or partners
  • ❌ Marketing or advertising companies
  • ❌ Data brokers or aggregators
  • ❌ Social media platforms (except as necessary for accounts you create for work purposes)
  • ❌ Family members or emergency contacts (except in genuine emergencies)

Your Rights Regarding Third-Party Sharing

You have the right to:

  • Know who we share your information with (this section provides that transparency)
  • Object to sharing based on legitimate interests (see Section 9)
  • Access information about specific disclosures (via Data Subject Access Request)
  • Request deletion from third-party systems (we will facilitate where possible)

8. International Data Transfers

Our Operating Model

Maelstrom AI is an Australian company primarily operating within Australia. However, some third-party service providers operate global infrastructure, which may result in your personal information being transferred outside Australia.

Cross-Border Transfers

8.1 Transfers to United States

Service Providers:

  • Google Workspace (Google LLC) - United States headquarters
  • GitHub (Microsoft) - United States headquarters
  • Cloudflare - United States headquarters

Data Transferred:

  • Email communications (Google Workspace)
  • Code contributions (GitHub)
  • Collaboration documents (Google Workspace, GitHub)

Safeguards:

  • Standard Contractual Clauses (SCCs). EU Commission-approved clauses (Module 2: Controller-to-Processor)
  • Data Processing Agreements. GDPR and Privacy Act compliant
  • Encryption. All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls. Limited to necessary personnel only
  • Transfer Impact Assessment. Completed (low risk due to encryption, contractual safeguards, nature of data)

GDPR Compliance (for EU contractors):

  • Article 46 transfer safeguards implemented (SCCs)
  • Article 44 general principle for transfers satisfied (transfers proceed only with Article 46 safeguards in place)
  • Supplementary measures applied (encryption, pseudonymisation where applicable)

8.2 Transfers to European Union

Service Providers:

  • Cloudflare (Ireland data centres)
  • GitHub (EU data centres)

Transfer status: Data flows within the EU/EEA are not restricted transfers under GDPR Chapter V, because the GDPR applies directly in every member state, so no adequacy decision or additional safeguards are needed for EU contractors. For Australian contractors, storage in EU data centres is still an overseas disclosure under APP 8 and is covered by the same Data Processing Agreements and technical safeguards listed in 8.1.

8.3 No Transfers to High-Risk Jurisdictions

We do NOT transfer contractor data to:

  • Countries without adequate data protection frameworks
  • Jurisdictions whose surveillance programs targeting foreign nationals cannot be adequately mitigated by SCCs, encryption, and the other supplementary measures assessed in our Transfer Impact Assessment (see 8.1)
  • Service providers in countries sanctioned or embargoed by Australia

Your Rights for International Transfers

If you are in the EU/EEA/UK:

  • You have the right to obtain a copy of the Standard Contractual Clauses (email privacy@maelstrom.au)
  • You have the right to object to specific transfers
  • You have the right to lodge a complaint with your supervisory authority

If you are in Australia:

  • Australian Privacy Principle 8 (APP 8) requires reasonable steps to ensure overseas recipients comply with APPs
  • We take reasonable steps through contractual obligations and technical safeguards
  • You can complain to OAIC if you believe overseas transfer violated your privacy

Data Residency Preferences

Australia-based contractors: If you prefer your data to remain in Australia, please notify us at privacy@maelstrom.au. We will:

  • Assess feasibility of Australia-only data residency
  • Implement Australia region restrictions where possible (e.g., Google Workspace Australia region)
  • Inform you of any technical limitations

Note: Complete data residency in Australia may not be possible for all services (e.g., GitHub is global), but we will minimise overseas transfers where requested.


9. Your Privacy Rights

Overview of Rights

You have significant rights regarding your personal information. This section explains each right, how to exercise it, and what to expect.

Important: As a matter of policy we extend these rights to all contractors wherever they are located; however, the legal basis and scope of some rights depend on your jurisdiction (GDPR, CCPA, Australian Privacy Act). Where a right is available only in certain jurisdictions, the heading for that right says so.

9.1 Right to Access (GDPR Article 15, CCPA Right to Know, APP 12)

What it means: You have the right to know what personal information we hold about you and obtain a copy.

What You Can Request

Information about processing:

  • What personal information we collect about you
  • Purposes for which we use it
  • Categories of recipients (who we share it with)
  • Retention periods
  • Your rights and how to exercise them

Copy of your data:

  • All personal information we hold about you in a structured format
  • Specific categories of data (e.g., “only my payment records”)

How to Exercise This Right

Email: privacy@maelstrom.au

Subject line: “Data Access Request - Contractor”

Include:

  • Your full name
  • Dates of your contract with Maelstrom AI
  • Specific information requested (or “all personal information” for complete access)
  • Preferred format (PDF, CSV, JSON)

Verification: We will verify your identity by:

  • Confirming your email address matches our records
  • Asking security questions (e.g., contract start date, last project worked on)
  • Requesting copy of photo ID (if identity cannot be verified otherwise)

What You’ll Receive

Format: Structured, commonly used, machine-readable format (e.g., PDF summary + CSV/JSON data files)

Contents:

  • Personal information summary. Table of all data categories
  • Contract and financial data. Contracts, payment history, tax records
  • Work product. Code contributions, documents created (or links to repositories)
  • Communications. Email archives, relevant Slack messages (work channels)
  • Performance information. Reviews, feedback, assessments
  • Third-party disclosures. List of who we’ve shared your data with

Timeline: 30 days from verification (may extend to 60 days for complex requests with notice)

Cost: Free for first request in 12-month period. Reasonable fee for excessive or repetitive requests.

Limitations

We may restrict access if:

  • Disclosure would reveal confidential information about other individuals
  • Disclosure would prejudice legal proceedings or legal advice
  • Request is manifestly unfounded or excessive

If restricted: We will explain the reason and inform you of your right to complain to supervisory authority.

9.2 Right to Rectification (GDPR Article 16, CPRA Right to Correct, APP 13)

What it means: You have the right to correct inaccurate or incomplete personal information.

How to Exercise This Right

Email: privacy@maelstrom.au

Subject line: “Correction Request - Contractor”

Include:

  • Your full name
  • Specific information that is inaccurate or incomplete
  • Correct information (with supporting documentation if applicable)

Examples:

  • “My bank account number is incorrect, correct number is [number]”
  • “My address has changed to [new address]”
  • “My professional qualifications should include [certification]“

What Happens

Review: We will assess the request and verify accuracy

Correction: If agreed, we will:

  • Update our records within 10 business days
  • Notify you of the correction
  • Inform third parties who received the incorrect data (if necessary)

Dispute: If we disagree, we will:

  • Explain why we believe the data is accurate
  • Allow you to note your disagreement in our records
  • Inform you of your right to complain to supervisory authority

Timeline: 30 days from request

9.3 Right to Erasure / “Right to be Forgotten” (GDPR Article 17, CCPA Right to Delete, APP 11.2)

What it means: You have the right to request deletion of your personal information in certain circumstances.

Grounds for Erasure

You can request erasure when:

  • Information is no longer necessary for the purposes it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • Information has been unlawfully processed (processed in violation of law)
  • Information must be erased for legal compliance
  • Information was collected from a child in relation to an online service (GDPR Article 17(1)(f); not applicable in practice, as we do not engage anyone under 18)

How to Exercise This Right

Email: privacy@maelstrom.au

Subject line: “Erasure Request - Contractor Data”

Include:

  • Your full name
  • Dates of contract
  • Specific data to be erased (or “all personal information”)
  • Reason for request (grounds listed above)

What Happens

Assessment: We will determine if erasure is required under applicable law

Deletion (if approved):

  • Deletion from all active systems (immediate)
  • Deletion from backups (next backup cycle, typically within 30 days)
  • Notification to third parties who received the data (request for deletion)
  • Confirmation provided to you with deletion details

Timeline: 30 days from request

Exceptions - When We Can Refuse Erasure

We may retain data when:

  • Legal retention required. Tax and financial records must be kept for 7 years (Australian law)
  • Legal claims. Necessary for establishment, exercise, or defence of legal claims (e.g., contract disputes, IP disputes)
  • Compliance obligation. Required by law or regulation
  • Public interest. Archiving, research, or statistical purposes (with appropriate safeguards)

If refused:

  • We will explain the legal basis for retention
  • We will restrict processing to minimum necessary
  • We will delete as soon as legal requirement expires
  • You retain the right to object and complain to supervisory authority

Important: Work product (code, documents) that has been incorporated into Maelstrom AI’s products may be retained for business continuity and IP protection (legitimate interest), but attribution can be anonymized upon request.

9.4 Right to Restrict Processing (GDPR Article 18)

What it means: You can request that we limit how we use your personal information in certain circumstances (EU/UK contractors only).

When You Can Request Restriction

  • Accuracy contested. While we verify accuracy of disputed information
  • Unlawful processing. You prefer restriction over deletion
  • Retention no longer needed. We no longer need data, but you need it for legal claims
  • Objection pending. While we verify whether our legitimate interests override yours

What Happens

Processing restrictions:

  • Data will be stored only (not actively used)
  • Processing only for: legal claims, protection of others’ rights, important public interest, or with your consent
  • You will be notified before restriction is lifted

How to request: Email privacy@maelstrom.au with subject “Restriction Request - Contractor”

9.5 Right to Data Portability (GDPR Article 20)

What it means: You can receive your personal information in a structured, machine-readable format and transmit it to another controller (EU/UK contractors only).

Scope of Right

Applies to:

  • Information you provided to us
  • Processing based on consent or contract
  • Processing carried out by automated means

Does NOT apply to:

  • Processing based on legal obligation or public interest
  • Work product created by others (though your contributions can be identified)

How to Exercise This Right

Email: privacy@maelstrom.au

Subject line: “Data Portability Request - Contractor”

Specify:

  • Format preferred (JSON, CSV, XML)
  • Destination (another employer/platform) if you want direct transmission

What You’ll Receive

Format: JSON or CSV with structured data including:

  • Personal information (contact, tax, payment details)
  • Your work contributions (code commits, documents authored)
  • Performance data
  • Communications you authored

Timeline: 30 days from request

9.6 Right to Object (GDPR Article 21, Australian Privacy Act)

What it means: You can object to processing based on legitimate interests, including profiling.

Grounds for Objection

You can object to:

  • Processing based on legitimate interests (Article 6(1)(f))
  • Processing for direct marketing (N/A - we don’t do direct marketing)
  • Processing for profiling (N/A - we don’t do profiling)

Applicable to:

  • Retention of work product beyond 1 year after termination
  • Use of communications for business continuity
  • Performance data retention

How to Exercise This Right

Email: privacy@maelstrom.au

Subject line: “Objection to Processing - Contractor”

Include:

  • Specific processing you object to
  • Reasons related to your particular situation

What Happens

Assessment: We will assess whether:

  • We have compelling legitimate grounds that override your interests, rights, and freedoms
  • Processing is necessary for legal claims

If objection upheld:

  • We will stop processing the data for that purpose
  • We may retain data for other purposes with valid legal basis (e.g., legal compliance)

If objection denied:

  • We will explain the compelling legitimate grounds
  • You retain the right to complain to supervisory authority
  • You can still request erasure (subject to legal retention requirements)

Timeline: 30 days from objection

9.7 Rights Related to Automated Decision-Making (GDPR Article 22)

What it means: You have the right not to be subject to solely automated decisions with legal or significant effects.

Maelstrom AI’s position: NOT APPLICABLE - We do NOT use automated decision-making for:

  • Hiring or recruitment
  • Performance assessment
  • Contract renewal or termination
  • Compensation or promotion decisions

Human involvement: All significant decisions involve meaningful human review and judgment.

9.8 Right to Withdraw Consent (GDPR Article 7, Australian Privacy Act)

What it means: Where processing is based on consent, you can withdraw consent at any time.

Applicable to:

  • Provision of emergency contact information
  • Retention of CV for future opportunities (prospective contractors)
  • Provision of references to third parties
  • Voluntary disclosure of health information for accommodations

How to withdraw: Email privacy@maelstrom.au with subject “Withdrawal of Consent - Contractor”

Effect: We will stop processing based on that consent (but may continue processing on another legal basis if applicable)

9.9 Right to Lodge a Complaint (GDPR Article 77, Australian Privacy Act, CCPA)

What it means: You have the right to complain to a supervisory authority if you believe we violated your privacy rights.

Supervisory Authorities

United Kingdom (for UK contractors): Information Commissioner’s Office (ICO)

European Union (for EU contractors): The data protection supervisory authority of the EU member state in which you habitually reside or work (GDPR Article 77)

Australia (for Australian contractors): Office of the Australian Information Commissioner (OAIC)

California (for California contractors): California Privacy Protection Agency (CPPA) or the California Attorney General

Our Commitment

No retaliation: We will NOT retaliate against you for exercising your right to complain

Cooperation: We will cooperate fully with any supervisory authority investigation

Remediation: We will implement any remedial measures ordered

How to Exercise Your Rights

Contact Information

Primary Contact: privacy@maelstrom.au

Mailing Address: Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust Privacy Requests - Contractor Data PO Box 169, St Arnaud VIC 3478 Australia

Verification Process

To protect your privacy, we verify identity before fulfilling requests:

Standard verification:

  • Confirmation via email address in our records
  • Security questions (contract dates, recent projects)

Enhanced verification (for sensitive requests like erasure):

  • Copy of photo ID (driver’s license, passport)
  • Recent communication from your work email
  • Knowledge-based authentication

Response Times

  1. GDPR (EU/UK contractors): 30 days (may extend to 60 days for complex requests with notice)
  2. CCPA (California contractors): 45 days (may extend to 90 days with notice)
  3. Australian Privacy Act. 30 days

Acknowledgment: We will acknowledge your request within 5 business days

Fees

No fee for:

  • First request in 12-month period
  • Reasonable, legitimate requests

Reasonable fee may apply for:

  • Excessive or repetitive requests
  • Requests requiring disproportionate effort
  • Multiple copies of same information

Fee explanation: We will notify you of any fee before processing request (you can withdraw request if you don’t want to pay)

Rights Summary Table

Right | GDPR | CCPA/CPRA | Australian Privacy Act | How to Exercise
Access | Article 15 | Right to Know | APP 12 | Email privacy@maelstrom.au
Rectification | Article 16 | Right to Correct | APP 13 | Email privacy@maelstrom.au
Erasure | Article 17 | Right to Delete | APP 11.2 (destruction or de-identification when no longer needed) | Email privacy@maelstrom.au
Restriction | Article 18 | - | - | Email privacy@maelstrom.au (EU/UK only)
Portability | Article 20 | - | - | Email privacy@maelstrom.au (EU/UK only)
Object | Article 21 | - | Opt out of direct marketing (APP 7) | Email privacy@maelstrom.au
Withdraw consent | Article 7(3) | - | - | Email privacy@maelstrom.au
Complain | Article 77 | CCPA enforcement (CPPA / Attorney General) | Privacy complaint to OAIC | Contact the supervisory authority directly

10. Changes to This Notice

How We Update This Notice

Transparency: We will notify you of material changes to this privacy notice.

What constitutes a material change:

  • New categories of personal information collected
  • New purposes for processing
  • New third parties receiving your information
  • Reduction in your rights or protections
  • Changes to retention periods
  • Changes to legal basis for processing

Non-material changes (do not require notification):

  • Clarifications or additional detail
  • Correction of typos or formatting
  • Updates to contact information
  • Changes that enhance your rights or protections

Notification Methods

For active contractors:

  • Email. Notification to your work email address
  • Acknowledgment. You may be asked to acknowledge receipt (for significant changes)

For former contractors (within retention period):

  • Email. If we have retained your contact information
  • Website notice. Updated notice posted on website

Notice period: Changes become effective 30 days after notification (or immediately for changes that benefit you)

Review Frequency

Regular reviews: We review this notice:

  • Annually. Scheduled annual review (the next review date is recorded under Document Information at the end of this document)
  • As needed. When privacy laws change, new processing activities commence, or new third parties engaged

Version control: Each version dated and logged in version history (see end of document)

Your Rights After Changes

If you disagree with changes:

  • You have the right to object to new processing activities
  • You have the right to request erasure (subject to legal retention requirements)
  • You can terminate your contract (if changes are material and you do not consent)

Continued engagement: By continuing to work with Maelstrom AI after the notice period, you acknowledge the updated privacy notice


11. Additional Information

Relationship to Other Policies

This Employment & HR Privacy Notice should be read together with:

  • Maelstrom AI Privacy Policy (for general privacy practices): https://provii.app/privacy
  • Contractor Agreement. Your contract includes confidentiality and data protection obligations
  • Information Security Policy. Details of security measures (internal document)
  • Acceptable Use Policy. Proper use of Maelstrom AI systems and data (internal document)

Conflict: If there is any conflict between this notice and your contractor agreement, this privacy notice prevails for privacy matters.

Children’s Privacy

Maelstrom AI does NOT:

  • Employ or engage individuals under 18 years of age
  • Knowingly collect personal information from minors

Minimum age: All contractors must be 18 years or older (legal capacity to contract)

Contact for Privacy Questions

General privacy questions: privacy@maelstrom.au

HR-specific questions: cto@provii.app

Security concerns: security@maelstrom.au

Response commitment: acknowledgment within 2 business days; a detailed response follows as needed.

Privacy-First Culture

At Maelstrom AI, privacy is a core value. As a company building privacy-preserving technology, we are committed to:

  • Leading by example. Treating contractor data with the same rigor we apply to customer data
  • Transparency. Being open about our data practices
  • Accountability. Taking responsibility for privacy compliance
  • Continuous improvement. Regularly reviewing and enhancing our privacy practices

Your feedback matters: If you have suggestions for improving our privacy practices, please email privacy@maelstrom.au


Contractor Acknowledgment

By signing your contractor agreement and commencing work with Maelstrom AI, you acknowledge that:

  1. You have read and understood this Employment & HR Privacy Notice
  2. You understand what personal information we collect and why
  3. You understand how we use, share, and protect your information
  4. You understand your privacy rights and how to exercise them
  5. You understand retention periods and deletion procedures
  6. You have had the opportunity to ask questions (contact privacy@maelstrom.au)

Voluntary Provision of Information

You acknowledge that:

  • Provision of certain personal information is required for contract performance (e.g., name, payment details, tax identifiers)
  • Provision of other information is voluntary (e.g., emergency contact, professional development interests)
  • Failure to provide required information may result in our inability to engage you as a contractor or process payments

Where consent is the legal basis, you provide specific consent for:

  • Emergency contact. Use of emergency contact information in genuine emergency situations
  • References. Provision of references to prospective employers/clients (opt-in, you will be asked at time of request)
  • Talent pool. Retention of CV for future opportunities (opt-in for prospective contractors not hired)

Consent is:

  • Freely given. You are not penalized for refusing consent
  • Specific. Consent is for specific purposes stated
  • Informed. You understand what you are consenting to
  • Unambiguous. You take clear affirmative action (opt-in)
  • Revocable. You can withdraw consent at any time (email privacy@maelstrom.au)

Document Information

Document Title: Employment & HR Privacy Notice
Document Owner: Privacy Officer
Approved By: ISMS Owner
Effective Date: 13 February 2026
Last Reviewed: 13 February 2026
Next Review: 13 February 2027 (annually)
Version: 1.0
Classification: Public
Document Location: /trust/legal/hr-privacy-notice.md


Version History

Version | Date | Author | Changes
1.0 | 2026-02-13 | Privacy Officer | Initial HR Privacy Notice creation (GAP-M015 remediation)

Acknowledgments

This Employment & HR Privacy Notice was developed in compliance with:

  • GDPR Articles 13-14 (Information to be provided to data subjects)
  • ISO/IEC 27701:2019 Annex A, control A.7.3.3 (Providing information to PII principals)
  • Australian Privacy Principles (APPs) - APP 5 (Notification of collection)
  • Victorian Government HR privacy guidance (recruitment, staff management)
  • CCPA/CPRA (California employee privacy requirements)

Legal Review: [To be completed by legal counsel]


Contact Summary

Purpose | Contact | Response Time
Privacy Questions | privacy@maelstrom.au | 2 business days
Data Subject Requests (Access, Erasure, etc.) | privacy@maelstrom.au | 30 days (GDPR), 45 days (CCPA)
HR Questions | cto@provii.app | 2 business days
Privacy Complaints | privacy@maelstrom.au | 48 hours acknowledgment
Security Issues | security@maelstrom.au | 24 hours (critical), 72 hours (other)

Thank you for working with Maelstrom AI. We are committed to protecting your privacy and treating your personal information with the care and respect it deserves.



© 2026 Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust. All rights reserved.