Privacy and Safety

Privacy Policy

Reviewed and adopted by SKNG, effective 9 July 2026. Prepared with reference to the Australian Privacy Principles and the GDPR.

Effective date: 9 July 2026 | Version: 1.1

1. About this policy

SKNG Services Pty Ltd (ABN 47 616 958 822) (“SKNG”, “we”, “us”) provides procurement, recruitment and contracting services to government and commercial clients. We are committed to protecting personal information and handling it in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — where it applies to individuals in the EU/UK — the EU General Data Protection Regulation (GDPR). This policy explains what personal information we collect, how we use and disclose it, and the rights available to you.

2. The personal information we collect

Depending on your dealings with us, we may collect:

• Identity and contact details — name, email address, phone number, and location.

• Work-eligibility and suitability information — Australian citizenship/residency status, security clearance status, résumé/CV, work history, skills and our assessment ratings.

• Engagement information — details relating to contracts and opportunities you are put forward for or engaged under.

• Correspondence — emails and messages you exchange with us.

• Insights we generate — profiles and role-suitability indicators (such as skill categories and persona classifications) that we derive from your résumé and correspondence, including with the assistance of automated tools (see “Automated processing and profiling” below).

Sensitive information. Some of the above (for example security clearance status, and information that may reveal citizenship/nationality) is sensitive information under the Privacy Act and special-category data under the GDPR. We collect it only where it is reasonably necessary to assess eligibility for a role and, where required, with your consent.

3. How we collect personal information

We collect personal information:

• directly from you — when you apply, are referred, or correspond with us;

• from third parties — including our customer-relationship-management provider (HubSpot), referrals, and publicly available professional sources; and

• through our internal procurement-management system (“Foresight”), which records candidate, opportunity and contract information.

Where we collect your personal information from someone other than you, we take reasonable steps to ensure you are made aware of the matters in this policy (APP 5; GDPR Articles 13–14).

4. Why we collect, hold, use and disclose it

We handle personal information to match candidates to procurement and contracting opportunities, to manage engagements and contracts, to communicate with you, and to meet our legal and contractual obligations. Under the GDPR, our lawful bases are the performance of a contract, our legitimate interests in operating a recruitment/procurement business, compliance with legal obligations, and — for sensitive data and direct marketing — your consent where required. We also use automated tools, including AI models run within our own Australian-region environment, to help categorise skills and experience and to match candidates to opportunities more quickly; these tools support our staff and do not make decisions about you on their own (see “Automated processing and profiling” below).

5. Disclosure to third parties

We may disclose personal information to:

• our clients and prospective clients (buyers), to present you for opportunities;

• service providers who process information on our behalf, including HubSpot (CRM), Microsoft 365 (email and document storage), Microsoft Azure (application hosting and, for the profiling feature described below, AI processing within our own tenant), and — as our contracting automation is introduced — e-signature, accounting and payroll providers; and

• government, regulators or others where required or authorised by law.

We require our service providers to protect personal information consistently with this policy and applicable law.

6. Overseas disclosure

Your personal information is stored in Australia. Our core service providers host the data we hold about you in Australia: our Microsoft 365 tenant is provisioned in the Australian region, and our HubSpot CRM account is in HubSpot's Australian (AP1) region. We do not routinely disclose your personal information to overseas recipients. Our AI-assisted profiling is performed using Microsoft Azure OpenAI deployed within our own Microsoft Azure tenant in the Australian region; your information is not sent to any external AI provider and is not used to train third-party AI models. HubSpot, Inc. is a United States company, so to the extent any incidental access from overseas occurs it is governed by HubSpot's data-processing agreement, which incorporates the EU-U.S. Data Privacy Framework and the Standard Contractual Clauses. If we engage a new overseas service provider in future, we will update this policy and take reasonable steps to ensure the recipient handles your information consistently with the Australian Privacy Principles and applicable law (APP 8; GDPR Chapter V).

7. Direct marketing and opt-out

We may send you information about opportunities and services that may be relevant to you. You can opt out at any time using the unsubscribe link in any such email or by contacting us. We honour opt-out requests and maintain a suppression list so that opted-out contacts are not emailed. We comply with the Spam Act 2003 (Cth) and, for GDPR-covered individuals, your right to object to direct marketing (GDPR Article 21).

8. How we keep personal information secure

Our systems are hosted in Microsoft Azure’s Australian region. We apply access controls aligned to staff roles, encrypt sensitive credentials and tokens at rest, transmit data over TLS, and log access to support accountability. We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure (APP 11; GDPR Article 32).

9. Automated processing and profiling

We use automated tools, including artificial-intelligence (AI) models operated within our own Microsoft Azure environment in the Australian region, to help us understand candidates’ skills and experience and to source and match candidates to suitable opportunities. For example, we may generate skill and persona classifications from your résumé and correspondence, and shortlist candidates against an opportunity’s requirements.

Before your personal information is processed by these AI models, we remove or replace direct identifiers (such as your name and contact details) so that the models work on de-identified information. This processing takes place only within our Australian-region environment; your information is not disclosed to any external AI provider and is not used to train third-party AI models.

These tools assist our staff — they do not make decisions that produce legal or similarly significant effects about you on their own, and a member of our team reviews and confirms any AI-generated result before it is relied upon. For individuals covered by the GDPR, we therefore do not carry out solely-automated decision-making of the kind restricted by Article 22. You may ask us about the logic involved and request human review using the contact details below.

10. Data breaches

If we suspect a data breach we will assess it promptly and, where the Notifiable Data Breaches scheme requires, notify affected individuals and the Office of the Australian Information Commissioner (OAIC). For GDPR-covered data we will also meet the breach-notification obligations under Articles 33–34.

11. Retention

We keep personal information only for as long as it is needed for the purposes described above or to meet our legal and contractual obligations, after which we destroy or de-identify it (APP 11.2; GDPR Article 5(1)(e)). As a general rule we retain personal information for at least 7 years from our last interaction with you (our standard record-keeping period), after which it is destroyed or de-identified — unless a law requires us to keep it longer (for example, records relating to a contract you were engaged under).

12. Your rights and how to exercise them

You may ask us to:

• access the personal information we hold about you, and receive a copy of it (APP 12; GDPR Articles 15 and 20);

• correct information that is inaccurate, out of date or incomplete (APP 13; GDPR Article 16); and

• for individuals covered by the GDPR — erase your data, or restrict or object to its processing, in the circumstances the GDPR allows (Articles 17, 18 and 21).

Because our internal system is not accessed by candidates directly, our staff action these requests on your behalf. To make a request, contact us using the details below. We will verify your identity, respond within the timeframes required by law, and explain our decision. Some information may be retained where we are required or permitted by law to keep it (for example, records relating to a contract you were engaged under).

13. Information for individuals in the EU / UK (GDPR)

For individuals in the EU/UK, SKNG is the controller of your personal data. The lawful bases, categories of data, recipients (including the overseas transfers noted above) and your rights are described in this policy. You also have the right to lodge a complaint with your local data-protection supervisory authority.

14. Complaints

If you have a concern about how we have handled your personal information, please contact us first using the details below and we will investigate. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au) or, for GDPR-covered data, your local supervisory authority.

15. Contact us

Privacy enquiries and requests: SKNG Privacy Contact

Email: contact@skng.com.au | Post: available on request

16. Changes to this policy

We may update this policy from time to time. The current version and its effective date will be published at skng.com.au (and provided on request).

Version 1.1 (9 July 2026): added a disclosure of AI-assisted profiling and candidate–opportunity matching (section 9, “Automated processing and profiling”), and clarified that this processing occurs within SKNG’s Australian-region Microsoft Azure environment on de-identified information, with human review and no disclosure to external AI providers.