Privacy Statement

The Group of Companies Privacy Statement

The Group of Companies and its related and associated bodies corporate (EPG Group Holdings Pty Ltd (ACN 613136182), Payroll & HR Pty Ltd (ACN 613133163), EPG Staffing Pty Ltd (ACN 624466922), EPG Workforce Pty Ltd (ACN 626527222), EPG Migration Pty ltd (ACN 626704809), Expedo Pty Ltd (ACN 618727290) and us, we, our) maintain a policy of strict confidence concerning your (you, your) personal information (Privacy Policy). We value your privacy and treat any Personal Information (as defined in the Privacy Act 1988 (Cth) and) that you give to us with the utmost care and respect.  This Privacy Policy has been developed to comply with the Privacy Act 1988 (Cth) (Privacy Act).  We have also taken steps to ensure that, if you tell us you are located in the European Union, we will seek to give you the protections available to you under the General Data Protection Regulation 2016/679 (GDPR). Together, we refer to these two pieces of legislation as “Privacy Law”.

The Privacy Policy applies to the collection, storage, use and disclosure by us of your personal information.  By accessing our websites or mobile applications (Site) and using our services, you accept the terms of this Privacy Policy.  This Privacy Policy applies to information provided to us whether via this Site or any other means and demonstrates how we will comply with the Privacy Laws.

Although we will comply with this Privacy Policy in respect of information provided to us by persons under the age of 18 years, those persons must obtain the consent of a parent or guardian prior to using the Sites and the parent or guardian will be responsible for appropriately supervising the person’s use of the Sites.

If you have any further questions or if you wish to receive more information on our information practices and Privacy Policy, please contact our Privacy Officer.

1. Collecting personal information

The types of personal information we collect may include:

  • Employees of The Group of Companies Clients: We may collect personal information such as the individual’s name, address, e-mail address, user ID, banking details, date of birth, payroll details, and employment-related information such as salary details, superannuation contributions, Tax File Number, relevant awards and PAYG withholding tax.
  • Contact information: We collect contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and records details of interactions with clients and prospective clients, including name, username, mailing address, telephone numbers, email address or other addresses that allow us to communicate with the client.
  • Transaction information: We may collect information about how users interact with us, including purchases, inquiries, customer account information, and information about the use of our websites and applications.
  • Job applicants We collects contact details, employment history and other background information from job applicants as required and as permitted by law.
  • Immigration Services: We may also collect further information as listed below in order to provide our immigration services, visa history, financial information, family information, health declarations and biometric information as requested by the law.


If it is reasonable and practical to do so, we will collect personal information directly from you. In most cases, we collect personal information about employees and payment recipients directly from our clients that employs the relevant employee. This will include contact details and other information relevant to providing services to you.

This may take place in a number of ways, such as:

  • when you use our services;
  • when you contact us, use our Sites, use our applications, sign up to receive our newsletters, attend our events or make a purchase from us;
  • if your employer is a client of us, from your employer – we ask our clients to obtain the consent of the individual for the collection and use of their personal in accordance with this Policy;
  • from third party data suppliers and service providers who enhance our services, files and help us better understand its customers; and


We collect information from job applicants directly from the applicant or publicly available information. With the consent of the applicant, we may conduct additional reference, background and criminal record checks.  We may also collect personal information from third parties such as your representatives or publicly available sources of information.

If someone other than you provide us with personal information about you that we did not ask for and we determine that we could have collected this information from you had we asked for it, we will notify you, as soon as practicable.  This notice will be given unless to do so would be in breach of an obligation of confidence.  If we could not have collected this personal information, we will lawfully de identify or destroy that personal information.

We will not collect any sensitive information from you, revealing your: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships or details of health or disability. Exceptions to this include:

  • where you have given express consent to us to do so and the information is reasonably necessary for us to carry out our functions or activities (e.g. for instance, membership of a trade union, where we pay trade union membership fees on behalf of an employee);
  • the use of this information is required or authorised under Australian law or a court or tribunal order; or
  • when the information is necessary for the establishment, exercise or defence of a legal claim.


We will not collect personal information unless the information is reasonably necessary for or directly related to one, or more of our functions or activities.  If we are unable to collect personal information we reasonably require, we may not be able to do business with you or the organisation with which you are connected.

2. Cookies

We collect certain personal information by automated means, using technologies such as cookies, session cookies, pixel tags, browser analysis tools, server logs and web beacons. We treat this information as personal information when it is associated with the individual’s contact information. In many cases, this information is not linked to any personal information you may provide and cannot be used to identify you (e.g. website traffic patterns).

  • (Cookies) When you visit our Sites the server may attach a “cookie” to your computer’s memory. A “cookie” assists us to store information on how visitors to the Site use it and the pages that may be of most interest, to provide a customised experience and detect certain kinds of fraud.  This information (such as operating system, browser type, domain, language, country and IP address) may also be used to provide users of your computer with information that we think may interest the users of your computer.  If you prefer, you can configure your computer and browser settings to disable “cookies” or not accept them.  We also use Flash Cookies (also known as Local Stored Objects) which are similar to browser cookies – assistance in managing Flash Cookies is available at adobe.com.  We do not use Flash cookies or similar technologies for behavioural or interest-based advertising purposes.
  • (Pixel tags and web beacons) These are tiny graphic images placed on website pages or in emails that allow us to determine whether the recipient has performed a specific action. When the recipient accesses these pages or open or click an email, the pixel tags and web beacons generate a notice of that action.  These tools allows us to measure response to our communications and improve its web pages and promotions.
  • (Hotjar) We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user.

3. Use and disclosure of information

We may use personal information about you for the primary purpose of providing you with our services, and for purposes which you authorise or would reasonably expect us to use that information.  We will not disclose information that personally identifies you to any third party other than as set out in this Privacy Policy or otherwise permitted by Privacy Laws.

All personal information that we or our related bodies corporate collect, is reasonably necessary for the purposes relating to providing our services to you or for another purpose permitted by law. Those purposes include:

  • to enhance our Sites and improve and deliver our services, including providing our products or services and related activities customer service, account management, support and training and to provide other services related to your relationship with us;
  • to keep you informed of our activities, industry news and upcoming events, products and services that we think may be of interest to you, including marketing communications and offers for products and services from us and, in some cases, our partners, surveys and other promotional events;
  • to allow the functions and services offered on the Site to be provided to you;
  • to conduct and maintain our business, including payment processing and financial account management, research and product development, contract management, website administration, forum management, fulfilment, analytics, security and fraud prevention, corporate governance, reporting and legal compliance, and business continuity; and


Where an individual has applied for employment with us, the personal information submitted with their job application will be added to our job opportunities database and may be used for recruitment and other customary human resources purposes.  For example, we may send the applicant information about new job opportunities within the Group of Companies as well as other career development resources.

In the event of a security incident involving unauthorised access, use or disclosure of personal information where a third party with whom we share personal information is involved, we will seek to work cooperatively with them to protect the personal information we have shared with them.

4. Direct marketing

We may use personal information about you for the primary purpose of providing you with our services, and for other purposes for which you would reasonably expect us to use that information. This includes sending you information about new developments, products, services and special offers by post, telephone or any form of electronic communication.  You authorise us to use any email address or other contact information you provide to us at any time for this purpose.

You can, at any time, opt out of receiving marketing material by contacting us. You agree and acknowledge that even if you opt out of receiving marketing material, we will still send you essential information that we are legally required to send you relating to the services we provide. Once you opt out of receiving marketing material from us, you agree and acknowledge that this removal from our distribution lists may take several business days after the date of your request to be removed.

5. Accuracy of your information

We take all reasonable steps to ensure that your personal information held by us is accurate, up-to-date, complete, relevant and not misleading.  If you believe that any of your personal information is not accurate, up-to-date, complete, relevant and not misleading, please contact us and we will take all reasonable steps to correct it within a reasonable time.  We may require substantiation of any request to correct personal information.

Individuals may request not to receive marketing communications from us. We aim to ensure such requests are complied with within five business days.

If you have an online account with us, you can also log into your account at any time to access and update information they have provided to us.  If you are an individual whose employer uses our services, we encourage you to contact your employer at first instance to correct your information.

6. Third Parties and your information

We will only collect, store, use or disclose personal information as set out in this Privacy Policy unless we are required by law to protect our rights or property (or those of any third party), or to avoid injury to any person.

In order to deliver the services that we provide to you, we may disclose your personal information to other organisations, only in relation to providing our services to you.  For example, government agencies as required by law, banks and financial institutions, superannuation funds, health funds and contracted service providers.  We may share personal information with business partners, but only to the extent required to provide our services (e.g. where you authorise the disclosure, or purchase or request a third-party product or service via our platform or vice versa, we may provide certain personal information to validate the referral). We take reasonable steps to ensure that these organisations are bound by privacy obligations in relation to the protection of your personal information.

We may also provide certain information about you including your personal information to our related bodies corporate.  We may also disclose personal information where needed to affect a sale or transfer of business assets, to enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions.

We may disclose personal information when required or authorised to do so by law.

7. Linked Sites

We have relationships with third party advertising companies to place advertisements on, and to perform tracking and reporting functions for, our Sites.  These partners (e.g. Adobe) may place cookies on an individual’s computer when they visit our Sites, in order to display targeted advertisements.  These partners do not collect personal information in this process, and we do not give any personal information to them as part of this process.

Although our Sites may link directly to websites operated by third parties (Linked Sites), you acknowledge that Linked Sites are not operated by us.  We encourage you to always read the applicable privacy policy of any Linked Site on entering the Linked Site.  We are not responsible for the content or practices of the Linked Sites nor their privacy policies regarding the collection, storage, use and disclosure of your personal information.

Assistance in managing targeted advertising generally is available at www.networkadvertising.org/ and for Adobe, at www.adobe.com/au/privacy/opt-out.html.

8. Disclosure of Information Overseas

We may transfer to people in foreign countries any of your personal information to fulfil the purposes set out in this Privacy Policy. In many cases the transfer will be necessary for the performance of our contract with you, for the implementation of measures taken in response to a request by you or for the performance of a contract with a third party which is concluded in your interests.

The countries to which such disclosures are made, and types of personal information disclosed, depend on the specific circumstances of the services being provided by us. For information about where we are located, see our website www.easypayrollglobal.com  We may also store, process or back-up personal information on servers that are located overseas (including through third party service providers).

In some circumstances, we use third party service providers to carry out its functions and provide services.  These service providers are typically located in China, India, Japan, Malaysia and Singapore.

While reasonable steps are taken to ensure these overseas recipients are subject to and comply with Privacy Laws, you acknowledge that these recipients may not be accountable under the Privacy Act and consent to the transfer of your information on this basis.

If you are located in the EU, there may be additional restrictions on the overseas transfer of your information and we have also taken steps to give you the protections available to you under GDPR.

9. Your consent

By your use of our Sites and/or services you consent to the collection, storage, use and disclosure of your personal information in accordance with this Privacy Policy and as otherwise permitted under Privacy Laws.

10. Storage, security and destruction

We take the security of your personal information seriously and use reasonable endeavours to protect your personal information in a secure environment, including, among other things, the use of industry standard techniques such as firewalls, encryption, intrusion detection, and site monitoring.  We also limit and restrict internal access to personal information to those personnel who need access to the information in order to do their jobs.  These personnel are limited in number and are committed to maintaining confidentiality.  These security measures are designed to ensure your personal information is not subject to unauthorised access, loss or misuse however, this security cannot be guaranteed.  If you reasonably believe that there has been unauthorised use or disclosure of your personal information, please contact us.

If we no longer need your personal information, unless we are required by law or a court or tribunal order to retain it, we will take reasonable steps to destroy or de-identify your personal information, in accordance with our document and information retention policy.

Notwithstanding the reasonable steps taken to keep information secure, breaches may occur.  In the event of a security incident we have in place procedures to promptly investigate the incident and determine if there has been a data breach involving personal information, and if so, to assess if it is a breach that would require notification.  If it is, we will notify affected parties in accordance with Privacy Law requirements.

11. Variation and consent to variation

We may vary the terms of this Privacy Policy at any time.  You should check this Privacy Policy regularly so that you are aware of any variations made to this Privacy Policy.  You will be deemed to have consented to such variations by your continued use of the Site following such changes being made.

12. GDPR

In addition to the rights outlined in this Privacy Policy, if you are in the EU, you have the following additional rights under the GDPR.  When we process personal information relating to individuals in the EU, it is classified as a “controller” for the purposes of the GDPR.

Right to erasure

You can, at any time, request that we delete all personal information which relates to you. We will comply with any such request unless we are required to keep that information for:

  • the public interest;
  • the exercise of official authority;
  • archiving, research or statistical purposes (which would otherwise be rendered seriously impaired); or
  • the establishment, exercise or defence of legal claims.


Right to restriction on data processing

In certain circumstances, you may also request a restriction on the processing of your personal data. You can make such a request in the following situations:

  • where you believe that the information held is inaccurate;
  • where the processing is unlawful;
  • where we are storing the information for legal claims, however do not require it for processing purposes; or
  • you have legitimate grounds to object to data processing.


If you make such a request, we will not process any of your personal information without your consent, unless it is for the purposes of storage, legal claims, protecting the rights of another person or it is in the public interest of either the EU or the respective Member State.

Right to data portability

In certain circumstances, you may request that we provide you with all personal information that relates to you. If this is the case, we will provide you with that information in a structured, commonly used and machine-readable format. Upon request from you, and subject to certain circumstances, we will also transmit that information to another controller.

Right to object

You have the right to request that your personal information is not processed by us in various circumstances. These circumstances include the pursuit of business interests, direct marketing and profiling. Unless we have legitimate grounds to object to your request, we will stop processing data for the purposes requested.

Withdrawal of consent

If at any time you wish to withdraw your consent to our processing of your personal information, please send your request to our Privacy Officer, whose details can be found below.

Data breach notification

In the unlikely event that we experience a personal data breach that is likely to result in a high risk to individuals in the EU, we will notify those affected individuals without undue delay.

Legitimate basis for processing your information

Whenever we collect your personal information, we will endeavour to obtain your consent to process your information for the purposes outlined in this Privacy Policy. We rely on this consent to process your information, however, under GDPR, we may also process your information if the processing is necessary for:

  • the performance of, or entering into, a contract with you;
  • compliance with our legal obligations;
  • protecting the vital interests of an individual;
  • performing a task in the public interest; or
  • the purposes of legitimate interests pursued by us or a third party.


13. Access and complaints

If you request access to the personal information, we hold about you, we will respond to your request within a reasonable period of time and, where reasonable and practicable, give access to the information in the manner you request.  This will be subject to any exemptions allowed under the Privacy Laws. We may charge a reasonable fee for providing that information.

You may request information or make a complaint by writing to: privacy@epggroup.co

If you are not satisfied with our response to your complaint or believe that we have breached Privacy Laws in the handling of your personal information, you can contact the relevant regulator:

Australia: Office of the Australian Information Commissioner

1300 363 992
enquiries@oaic.gov.au

Europe: Please contact your local Data Protection Authority

When contacting us you have the option to either not identify yourself or to use a pseudonym.  However, this will not apply if it is impracticable for us to communicate with you that way or we are required or authorised under law (or a court or tribunal order) to only deal with individuals who have identified themselves.