Privacy Policy

Daylight Risk & Resilience ("Daylight", "we", "us", "our") is operated as a sole trader under ABN 90 296 738 135.

This Privacy Policy explains how we collect, use, store, disclose, and protect information in connection with:

• The Daylight website at daylightrisk.com (the "Website")
• Professional psychosocial risk assessment engagements (each an "Engagement")
• The secure Leader Portal through which Deliverables are accessed (the "Platform")

This policy should be read alongside our Terms and Conditions, which govern the use of the Website and all Engagements.

Daylight is committed to handling personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We collect different categories of information depending on how you interact with Daylight:

1. Client organisational data

When an organisation engages Daylight, we collect information necessary to conduct the Engagement, including:

• Organisation name and ABN
• Headcount and department structure
• Contact details of key stakeholders (name, email address, phone number, role)
• Industry classification
• Average salary and compensation benchmarks
• Turnover, absenteeism, and workers compensation data
• Workforce composition and demographic breakdowns
• EAP and wellbeing program information

2. Anonymous survey response data

As part of each Engagement, Daylight deploys an anonymous employee survey. We collect the survey responses only. We do not collect names, email addresses, IP addresses, or any other personally identifying information from survey participants. Responses are stored in non-identifying form and cannot be attributed to any individual.

The Survey includes optional open-text fields. While responses are anonymous, participants are advised that free-text comments describing unique personal circumstances could potentially be recognisable. Daylight treats all open-text responses with the same anonymity protections as structured responses.

3. Website visitor data

When you interact with the Website, we may collect:

• Contact form submissions: name, email address, organisation name, role, organisation size, reason for enquiry, and preferred timing. This data is stored in our database (hosted by Supabase in Australia) so we can respond to your enquiry and assess eligibility for a discovery call. Submission data also triggers transactional email notifications via Postmark (see Section 7).
• Cal.com booking data: when you schedule a meeting via an external Cal.com booking link, Cal.com collects your name, email address, and meeting details directly. This data is processed by Cal.com in accordance with Cal.com's Privacy Policy.

4. Business Case Calculator data

The Business Case Calculator tool on the Website processes all inputs (organisation name, headcount, average salary, and other parameters) entirely within your browser using client-side JavaScript. No data entered into the Calculator is transmitted to Daylight's servers or stored in any database.

We collect information through the following methods:

• Directly from Clients: during onboarding conversations, via signed proposals, and through information provided to conduct the Engagement.
• Via the anonymous Survey: responses are submitted voluntarily by employees of Client organisations through a secure survey link. No identifying information is collected.
• Via the Website: through the contact form and the external Cal.com booking link.
• Via browser storage: The Survey uses your browser's local storage to save draft progress so you can resume if interrupted. This data is stored on your device only and is never transmitted to Daylight's servers. It is automatically cleared after seven days or upon survey submission.
• Automatically: Daylight does not currently use analytics or tracking tools on the Website. If analytics tools are introduced in the future, this policy will be updated prior to their deployment.

We collect information only for the purposes set out below:

• Client organisational data: to scope, conduct, and deliver the Engagement, produce Deliverables, and communicate with Client stakeholders.
• Survey response data: to analyse psychosocial risk patterns at an aggregate level and produce the Deliverables outlined in the signed proposal.
• Contact form submissions: to respond to enquiries and facilitate communication about our services.
• Cal.com booking data: to schedule and manage meetings.

We do not use any personal information for purposes beyond those stated above without prior consent. We do not use personal information for direct marketing unless we have obtained explicit consent to do so.

Daylight collects and handles personal information in accordance with the following Australian Privacy Principles:

• APP 3 — Collection: We only collect personal information that is reasonably necessary for our functions and activities. We collect information by lawful and fair means, directly from the individual where practicable.
• APP 5 — Notification: This Privacy Policy serves as our notification to individuals about the collection, use, and disclosure of their personal information, as required under APP 5.
• APP 6 — Use and Disclosure: We use and disclose personal information only for the primary purpose for which it was collected, or for a related secondary purpose that the individual would reasonably expect.

For Client organisational data, the lawful basis for processing is the legitimate interest of the Client in managing their work health and safety obligations under applicable Australian legislation.

Protecting the anonymity of survey participants is a foundational commitment of Daylight's service. The following safeguards are built into every Engagement:

• No personally identifying information is collected from survey participants — no names, email addresses, or IP addresses. A minimal technical identifier (browser type) is recorded for quality assurance purposes only and cannot identify an individual.
• All responses are stored in non-identifying form within the database. There is no technical mechanism to link a response to a specific individual.
• Minimum group reporting thresholds are applied to prevent the identification of individuals in small teams or departments. Where a group falls below the threshold, results are aggregated into a larger group.
• Daylight will not attempt to re-identify any survey participant under any circumstances.

Survey participants have no direct contractual relationship with Daylight. Their employment relationship is solely with the Client organisation. Any questions from survey participants regarding data handling should be directed to their employer in the first instance.

Daylight's analysis platform incorporates proprietary algorithmic and machine learning tools to identify patterns, generate risk scores, and produce Deliverables. The following principles govern their use:

• These tools are used for pattern analysis and report generation at an aggregate level only. They are not used to make decisions about individual survey participants or employees.
• No individual survey responses are used to train third-party machine learning models.
• Daylight utilises cloud-based inference APIs — currently Google Gemini — for specific analytical functions. Survey data and organisational context necessary for the analysis are transmitted, including verbatim open-text survey responses where these inform the qualitative analysis. These open-text responses are transmitted in their original anonymous form: no names, email addresses, or other direct identifiers are attached. As noted in Section 2, free-text comments describing unique personal circumstances could in principle be recognisable; the same anonymity protections (including minimum group reporting thresholds applied to all reported outputs) apply to these responses as to structured responses. Daylight selects providers whose terms of service prohibit the use of API inputs for model training, and reviews these terms regularly.

Daylight regularly reviews its technology providers and their terms of service. If a provider changes its data handling practices in a way that is inconsistent with this policy, Daylight will migrate to an alternative provider.

Daylight shares personal information only with the following categories of third-party service providers, and only to the extent necessary for the purposes described in this policy:

• Supabase — database hosting and infrastructure provider. All data is hosted on Supabase servers located in Australia. Supabase acts as a data processor on Daylight's behalf.
• Google Gemini (Google LLC) — cloud-based inference service used for analytical functions within Daylight's platform. Only aggregated, non-identifying data is transmitted via API calls. Google's Gemini API terms of service prohibit the use of API inputs for model training. See Section 9 for cross-border transfer details.
• Cal.com — external scheduling service. When you book a meeting via the Cal.com booking link, Cal.com collects your name, email, and meeting details directly. Cal.com processes this data under its own Privacy Policy.
• Postmark — transactional email delivery service. When you submit a contact form, Postmark sends a confirmation email to you and a notification email to Daylight. Postmark processes your name and email address for this purpose only. Postmark's servers are located in the United States. See Postmark's Privacy Policy.
• Supabase Auth — authentication service for the Platform. When a Client stakeholder logs in via magic link, Supabase sends a one-time authentication email to the email address provided. This is processed by Supabase as part of its hosting infrastructure.
• Google Fonts (Google LLC) — the Website loads typefaces from Google's font delivery network. When you visit the Website, your browser sends a request to Google's servers, which may include your IP address. Google processes this data in accordance with its Privacy Policy. No cookies are set by Google Fonts on the Daylight Website.

If Daylight introduces an email marketing platform in the future, this section will be updated to name the provider and describe what data is shared before any marketing communications are sent.

Daylight does not sell, rent, or trade personal information to any third party.

Daylight may disclose personal information where required by law, regulation, or court order, or to its professional advisors who are bound by equivalent confidentiality obligations.

In accordance with APP 8, Daylight discloses the following cross-border data transfers:

• Google Gemini (Google LLC): When Daylight's platform processes survey data for analysis, API calls are made to Google's servers located outside Australia (primarily the United States). Survey data and organisational context necessary for the analysis are transmitted, including verbatim open-text responses in their original anonymous form. No names, email addresses, or other direct identifiers about survey participants are attached. The qualifications about open-text content described in Sections 2 and 7 apply to these calls.
• Cal.com: Data entered via the external Cal.com booking link may be processed on servers outside Australia, in accordance with Cal.com's own data handling practices.
• Postmark: Transactional emails triggered by contact form submissions are sent via Postmark, whose servers are located in the United States. Only your name and email address are transmitted to Postmark for email delivery.
• Google Fonts: When you visit the Website, your browser loads typefaces from Google's servers, which are located outside Australia (primarily the United States). Your IP address is transmitted as part of this request.

Daylight takes reasonable steps to ensure that overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles, including reviewing provider terms of service and selecting providers whose data handling practices are appropriate for the data being processed.

Client organisational data and all Deliverables remain hosted exclusively in Australia on Supabase infrastructure.

Daylight takes the security of your information seriously. The following measures are in place:

• All data is hosted on Supabase infrastructure located in Australia.
• Data is encrypted both at rest and in transit using industry-standard encryption protocols.
• Access to Client data is restricted to authorised Daylight personnel on a need-to-know basis.
• The Platform uses secure authentication and access controls for all Client-facing features.

In the event of a data breach that is likely to result in serious harm to any individual, Daylight will:

• Notify affected Clients without undue delay
• Report the breach to the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988
• Take all reasonable steps to contain the breach and mitigate any harm

Daylight retains data in accordance with the following schedule:

• Client organisational data, aggregated survey results, and Deliverables: retained for a minimum period of seven (7) years from the date of Engagement completion. This retention period supports external auditing and legal compliance requirements.
• Contact form submissions: retained for the duration necessary to respond to the enquiry and for a reasonable period thereafter, not exceeding seven (7) years.

Platform access: Client stakeholders retain access to the Platform and their Deliverables for the duration of the retention period. For Clients with multiple Engagements, access is cumulative — all Deliverables from all Engagements remain accessible.

At the conclusion of the applicable retention period, all data is securely deleted and Platform access is deactivated.

The Client may request a copy of their aggregated data at any time during the retention period by contacting enquiries@daylightrisk.com.

First-party cookies: The Daylight Website does not currently set any first-party cookies.

Third-party cookies: The Daylight Website does not embed third-party widgets. When you follow the external Cal.com booking link, Cal.com may set cookies on their own domain in accordance with Cal.com's Privacy Policy.

Google Fonts: The Website loads typefaces from Google's font delivery network (fonts.googleapis.com). This causes your browser to make requests to Google's servers, which may process your IP address. Google does not set cookies via the Fonts API.

Analytics: Daylight does not currently use any website analytics or tracking tools (such as Google Analytics, Meta Pixel, or similar services). If analytics tools are introduced in the future, this section will be updated and an appropriate cookie consent mechanism will be implemented prior to deployment.

Business Case Calculator: The Calculator tool processes all data entirely within your browser. No information entered into the Calculator is transmitted to Daylight's servers, stored, or tracked.

Under the Australian Privacy Act 1988, you have the following rights in relation to personal information we hold about you:

• Right to access (APP 12): You may request access to the personal information Daylight holds about you. We will respond to access requests within 30 days.
• Right to correction (APP 13): You may request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
• Right to complain: If you believe Daylight has breached the Australian Privacy Principles, you may lodge a complaint with us. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC).

To exercise any of these rights, contact us at enquiries@daylightrisk.com.

A note on survey participants: Because the survey collects no personally identifying information, Daylight does not hold personal information about individual survey participants. There is no data to access, correct, or delete at an individual level.

Daylight's services are directed at organisations, not at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that personal information has been inadvertently collected from a child, we will take reasonable steps to delete it promptly.

Daylight may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. The "Last updated" date at the top of this page indicates when the most recent revision was published.

Material changes will be communicated to active Clients. Continued use of the Website or engagement of services after notification constitutes acceptance of the updated policy.

We recommend reviewing this page periodically to stay informed about how we protect your information.

If you have any questions about this Privacy Policy or wish to exercise your rights under the Privacy Act, please contact us:

• Email: enquiries@daylightrisk.com
• Entity: Daylight Risk & Resilience · ABN 90 296 738 135

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner:

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001