Contact Us

Need help? Talk to an expert

+61 3 7003 6707
Contact us
Contact Info
OnsysConnect > Privacy Policy

Privacy Policy

What Are You Looking For?

OnsysConnect Privacy Statement

Effective date:  13, November 2025

This Privacy Statement explains how Onsys Technologies (ABN 49 602 081 005) (“Onsys”, “we”, “us”, “our”) collects, uses, discloses and protects personal information in connection with:

  • the OnsysConnect digital identity and data-sharing ecosystem and related services; and

  • the OnsysConnect website at onsysconnect.com (the “Site”).

By using the Site, booking a demo, engaging with our team or using the OnsysConnect platform, you agree to the practices described in this Privacy Statement.

This Statement should be read together with the Onsys Technologies Privacy Policy available on onsys.com.au, which sets out our broader privacy practices and your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

OnsysConnect is a product of Onsys Technologies, an Australian IT and software company with offices in Melbourne, Australia and Kohuwala, Sri Lanka. We provide an open-source digital identity and data-sharing platform for governments and enterprises, including modules for digital ID issuance, biometric verification, verifiable credentials, consent-driven data sharing and citizen wallets.

For most website visitors and business contacts, Onsys Technologies is the data controller (or equivalent) of your personal information.

For data processed inside customer deployments of OnsysConnect (for example, citizen identities within a government program), Onsys generally acts as a service provider / data processor and the customer is the data controller.

2. What this Privacy Statement covers

This Statement explains how we handle personal information when:

  1. You visit or interact with onsysconnect.com, including forms, downloads and demo bookings.

  2. You are a customer, partner, supplier or prospect in relation to OnsysConnect.

  3. We provide hosting, support, professional services or managed services for an OnsysConnect deployment.

It does not override the privacy notices or legal obligations of our government or enterprise customers, who remain responsible for their own use of identity data in national ID, KYC, or sector programs.

3. Personal information we collect

3.1 Information you provide directly

We may collect personal information when you:

  • Fill in “Contact Us” or demo request forms on the Site

  • Subscribe to mailing lists, newsletters or product updates

  • Register for webinars, events or briefings

  • Engage with us as a customer, partner or supplier

  • Take part in surveys, feedback or case studies

The information can include:

  • Identity and contact details – name, organisation, job title, email, phone number, country, preferred contact channel

  • Business information – organisation type, industry, use cases, project details

  • Communications – emails, meeting notes, support requests, demo feedback and related correspondence

  • Account and billing details (for paying customers) – contact persons, invoicing details and transaction records (payment card data is handled via secure payment gateways and is not stored by us directly)

3.2 Information collected automatically

When you visit the Site, we may automatically collect:

  • IP address and approximate location

  • Device and browser type, operating system and settings

  • Pages viewed, time and date of visits, session duration and navigation paths

  • Referring website or campaign (e.g. LinkedIn, search engine)

  • Interactions with forms, buttons, downloads or videos

We typically collect this information using cookies, pixels, logs and similar technologies, and may use tools such as analytics and advertising platforms to understand usage and improve the Site.

3.3 Information processed via the OnsysConnect platform

OnsysConnect is designed to help governments and enterprises manage digital identity, biometric verification, verifiable credentials and data-sharing workflows. Depending on how a customer configures the platform, we may process (on their behalf) information such as:

  • Identity data – names, national ID numbers, passport/ID document numbers, dates of birth, addresses, contact details

  • Credential and registry data – licences, qualifications, registrations, account or service identifiers

  • Verification data – verification outcomes (pass/fail), timestamps, transaction IDs, device information, audit logs

  • Consent and authorisation data – consent records, scopes (“who sees what, for what purpose, and for how long”), authorisation tokens and revocations

  • Citizen wallet data – digital credentials, tokenised identifiers, presentation history, depending on the chosen configuration

In most cases, this information is collected and controlled by our customers, and we process it only to provide the contracted services (for example, hosting, support, maintenance or integration).

3.4 Sensitive information and biometric data

OnsysConnect may be used to handle biometric identifiers and templates (such as facial or fingerprint data), liveness detection outputs, and other information that may be considered “sensitive information” or special category data under privacy law.

Where we process such data:

  • We do so on behalf of a customer, under contract, and only as necessary to provide the service (e.g. biometric deduplication, liveness checks, watchlist matching).

  • We apply heightened security, access controls and audit logging.

  • We do not use biometric data or other sensitive information for unrelated marketing or profiling.

Customers are responsible for ensuring the lawful basis, notifications and consent mechanisms for the underlying identity program.

4. How we use personal information

We use personal information for purposes such as:

  • Providing and operating the Site and services – including responding to enquiries, booking demos, configuring test environments and delivering support

  • Customer onboarding and account management – proposals, statements of work, implementation, training and ongoing relationship management

  • Service delivery and improvement – troubleshooting, monitoring, analytics, quality assurance, security, performance tuning and feature development

  • Legal and compliance – meeting our obligations under the Privacy Act, tax, accounting, audit, security and sector-specific regulations

  • Marketing and communications – sending product updates, invitations, thought leadership, case studies and surveys (where permitted by law and your preferences)

  • Risk management and security – preventing fraud, abuse or misuse of the platform, and monitoring for suspicious activities

If we need to use your information for a materially different purpose, we will update this Statement or provide a specific notice where required.

5. Legal bases (where applicable)

For individuals in Australia, we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Where GDPR or UK data protection law applies, we may rely on legal bases such as:

  • Performance of a contract (e.g. providing services to your organisation)

  • Legitimate interests (e.g. securing systems, improving services, B2B relationship management)

  • Compliance with legal obligations

  • Consent (e.g. certain marketing communications or cookies, where required)

6. When we act as a service provider/data processor

For most OnsysConnect deployments, our customer (for example, a government agency, bank, telco, hospital or university) is the data controller for citizen or end-user data.

In those scenarios:

  • We process personal information only according to the customer’s documented instructions, our contract and applicable law.

  • The customer defines what data is collected, how long it is stored, what legal basis applies, and how individuals can exercise their rights.

  • If you are a citizen, customer or employee of one of our customers, you should contact them directly to exercise your privacy rights. We will support them as required under our contract.

7. Disclosure of personal information

We do not sell personal information. We may share personal information with:

  • Onsys group entities and authorised staff involved in delivering OnsysConnect and related services

  • Service providers and subcontractors who support our operations (for example, cloud hosting, email and collaboration tools, analytics, monitoring, payment processors, security services)

  • Professional advisers (lawyers, auditors, insurers) under confidentiality obligations

  • Regulators, law enforcement or courts, where required by law or to protect our legal rights

  • Successors or acquirers in the event of a merger, acquisition or reorganisation, subject to appropriate confidentiality and data protection safeguards

Where personal information is transferred to third parties, we require them to handle it securely and lawfully, and only for the purposes we specify.

8. International transfers

OnsysConnect is used by organisations in multiple countries and may be hosted on on-premises infrastructure or cloud environments (e.g. public cloud providers) as chosen by the customer.

Your personal information may therefore be stored or accessed in Australia, Sri Lanka or other jurisdictions where we or our service providers operate.

When we transfer personal information across borders, we take reasonable steps to ensure an appropriate level of protection, for example by:

  • Using providers that are subject to adequate data protection regimes, and/or

  • Putting in place contractual safeguards and technical controls.

9. Security

We implement a combination of technical, administrative and organisational measures to help protect personal information, which may include:

  • Role-based access control and least-privilege permissions

  • Network and infrastructure security controls

  • Encryption of data in transit and at rest, where appropriate

  • Secure development, testing and deployment practices

  • Logging, monitoring and audit trails for access and actions

  • Staff training and confidentiality obligations

No system can be guaranteed 100% secure, but we aim to maintain security controls consistent with industry best practice and our obligations under applicable law and contracts.

10. Data retention

We retain personal information for as long as reasonably necessary to:

  • Provide the Site and services

  • Meet contractual obligations

  • Comply with legal, regulatory and accounting requirements

  • Resolve disputes and enforce agreements

Retention periods may differ depending on the nature of the data and the context in which it was collected. Where we act as a service provider to a customer, we follow the retention and deletion rules agreed with that customer.

When information is no longer required, we will delete, de-identify or securely archive it in accordance with our policies and any legal requirements.

11. Cookies and similar technologies

The Site may use cookies, pixels and similar technologies to:

  • Remember your preferences

  • Measure traffic and understand how visitors use the Site

  • Improve content, navigation and performance

  • Support advertising and retargeting campaigns on third-party platforms (for example, search or social media)

You can usually control cookies via your browser settings (for example, by blocking or deleting them), though doing so may affect certain features or performance of the Site.

Where required by law, we will request your consent for non-essential cookies or tracking.

12. Marketing communications

If you opt in (for example, by ticking a box on a form or subscribing on the Site), we may send you:

  • Product news and feature updates

  • Invitations to webinars, demos or events

  • Case studies, whitepapers and thought leadership

  • Surveys and feedback requests

You can unsubscribe at any time by clicking the link in our emails or contacting us using the details below. We may still send non-marketing messages relating to your existing accounts, services or legal notices.

13. Your rights

Depending on where you live and which laws apply, you may have rights to:

  • Access the personal information we hold about you

  • Correct or update inaccurate or incomplete information

  • Request deletion of your personal information, where lawful and practicable

  • Object to or restrict certain types of processing

  • Withdraw consent where processing is based on consent (e.g. some marketing)

  • Lodge a complaint with a data protection or privacy regulator

To exercise these rights, please contact us using the details below. We may need to verify your identity before actioning your request.

If you are an end-user of a government or corporate program that uses OnsysConnect, we may redirect your request to the relevant customer, as they control how your data is used in that program.

14. Children

OnsysConnect and the Site are not intended for children under 18. We do not knowingly collect personal information from children via the Site. If you believe a child has provided us with personal information without appropriate consent, please contact us and we will take steps to delete it where appropriate.

15. Changes to this Privacy Statement

We may update this Privacy Statement from time to time, for example to reflect:

  • Changes in our products or services

  • Updates in applicable laws or regulatory guidance

  • Improvements to our internal processes

The “Effective date” at the top shows when it was last updated. We encourage you to review this Statement periodically.

16. How to contact us

If you have any questions, concerns or requests relating to this Privacy Statement or how we handle personal information, please contact:

Onsys Technologies 
Level 3, 480 Collins Street
Melbourne, VIC 3000
Australia

Email: admin@onsys.com.au
Alternative email (OnsysConnect): info@onsysconnect.com