Privacy Policy

Note: Further reforms to the Privacy Act are expected during 2026. This policy will be updated accordingly as new requirements come into effect.

Whump.Online is a volunteer rostering and management platform operated in Australia. This Privacy Policy explains how we collect, use, store, and protect personal information in accordance with the Australian Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024) and the Australian Privacy Principles (APPs).

By using Whump.Online, you consent to the collection and use of your personal information as described in this policy.

1. What information we collect

We collect the following categories of personal information:

• Identity information: first name, last name, date of birth
• Contact information: email address, phone number, postal address (including suburb, state, postcode)
• Account credentials: password (stored as a bcrypt hash — never in plaintext)
• Emergency contact details: name, phone number, and relationship of an emergency contact person
• Shift and rostering history: shifts assigned, attendance records, confirmation status, and volunteer hours
• Compliance register data: document numbers, issue and expiry dates for compliance documents (e.g. Working With Children checks, first aid certificates)
• Notes: internal notes recorded by organisation administrators
• Two-factor authentication data: TOTP secrets (stored encrypted)
• Technical data: IP address (for login rate limiting), browser user agent (for audit logging)

We only collect information that is necessary for the operation of the platform and for the purposes described below.

2. Why we collect your information

Your personal information is collected and used for the following purposes:

• Creating and managing your volunteer account
• Volunteer rostering — assigning shifts, managing availability, and tracking attendance
• Compliance tracking — monitoring the validity of required documents and alerting coordinators before expiry
• Shift notifications — sending email and SMS alerts about upcoming shifts, changes, and reminders
• Emergency contact — providing your organisation with a point of contact in case of emergency during a shift
• Security — verifying your identity, preventing unauthorised access, and detecting abuse
• Legal compliance — retaining records as required by applicable laws and regulations

3. How your information is stored

All data is stored on servers physically located in Brisbane, Queensland, Australia. No personal information is transferred to or stored outside Australia.

Sensitive personal information — including names, email addresses, phone numbers, addresses, dates of birth, emergency contact details, and compliance document data — is encrypted using AES-256-GCM encryption at the field level before being written to the database. This means that even if the database were accessed without authorisation, individual records would remain unreadable without the encryption key.

Passwords are stored as one-way bcrypt hashes and cannot be recovered by anyone, including Whump.Online platform staff.

4. Who can access your information

Access to your personal information is restricted as follows:

• You: can view and edit your own profile information at any time
• Your organisation's administrators (org_admin and org_superadmin roles): can view your full profile, including contact details, date of birth, address, compliance documents, and shift history within their organisation
• Whump.Online platform staff: have limited access to platform-level configuration and organisation account details. Platform staff do not routinely access individual volunteer records. Access is logged in an audit trail.

We do not sell, share, or disclose your personal information to third parties except where required by law.

5. How long we retain your information

Your personal information is retained for as long as you are an active member of an organisation on the platform.

When you leave an organisation (voluntarily or by administrative deactivation), a departure snapshot of your personal details at that time is retained in encrypted form. This snapshot is kept for legal compliance purposes and is accessible only to that organisation's administrators.

If you request deletion of your personal information and have no active memberships, we will take reasonable steps to remove your data within 30 days, subject to any legal obligation to retain records.

6. Your rights under the Australian Privacy Act 1988

Under the Australian Privacy Act 1988 (as amended 2024), you have the right to:

• Access your personal information — you can view most of your information directly in your profile. To request a full copy, contact your organisation's administrator or email hello@whump.online.
• Correct your personal information — you can update your profile directly or ask your organisation administrator to make corrections.
• Request deletion of your personal information — contact your organisation's administrator or email hello@whump.online. We will respond within 30 days.
• Complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached. Visit the OAIC website for information on how to make a complaint.

7. Data breach notification

Whump.Online is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach — one that is likely to result in serious harm to any affected individual — we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable and, where the breach presents an imminent risk of serious harm, within 72 hours of becoming aware of the breach
• Notify affected individuals directly where it is practicable to do so
• Take immediate steps to contain the breach and prevent further unauthorised access

8. Cookies and session data

Whump.Online uses a session cookie to keep you logged in. This cookie does not contain your personal information — it holds only a session token used to verify your identity on each request. The cookie is cleared when you sign out or your session expires.

We do not use third-party tracking cookies, advertising cookies, or analytics that transmit your data to external services.

9. Third-party services

Address autocomplete

When you enter an address in Whump.Online, we use the HERE Geocoding & Search API, provided by HERE Technologies B.V. (a company headquartered in Amsterdam, Netherlands, and owned by BMW Group, Mercedes-Benz Group, and Audi AG), to provide address suggestions as you type.

When you use the address autocomplete feature, the partial address text you type is sent to HERE's servers to retrieve matching suggestions. We do not send any personally identifiable information to HERE — only the address text you are actively typing. Your name, email address, volunteer profile, and other personal data remain on our Australian servers at all times.

HERE's handling of this data is governed by their own privacy policy, available at here.com/en/privacy. HERE Technologies is certified under applicable data protection frameworks.

If you prefer not to use the address autocomplete feature, you can click “Enter address manually” to type your address directly without any data being sent to HERE's servers.

Attribution note: Address autocomplete is powered by HERE Technologies. © HERE 2026.

10. Privacy enquiries and complaints

For any questions about this policy or how your personal information is handled, please contact us:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

For reference, the full text of the Privacy Act 1988 is available at legislation.gov.au.