Wet Fish Privacy and Cookies Policy

1. Introduction

This Privacy and Cookies Policy is provided by WET FISH PTY LTD ("Wet Fish", "we", "us", "our") ACN 600 342 998. We are committed to protecting and respecting your privacy.

This policy applies to all of our websites and services, including our corporate website (wetfish.com.au), our Scodle learning management platform (scodle.com[.au] and any white-labelled or custom-branded deployments, such as government and enterprise sites), the artificial intelligence features within that platform, and our own usage analytics. Where a particular service has additional, service-specific terms, those are set out in a Schedule at the end of this policy. The Scodle learning platform is covered by Schedule A.

In this policy, "the Site" means whichever of our websites or services you are using.

This Privacy and Cookies Policy (together with our Terms of Use) explains what personal information we collect, how we use it, who we share it with, and the choices and rights you have. By using the Site, you accept this policy and our Terms of Use. If you do not agree with any part of them, you should stop using the Site.

2. Our role: when we are a controller and when we are a processor

The law distinguishes between an organisation that decides why and how personal information is processed (a "controller") and one that processes personal information on another organisation's instructions (a "processor"). Our role depends on the service:

3. Personal information we collect

We collect and process the following kinds of information about you:

Information you provide: When you register or interact with the Site, you may give us information such as your name and email address. Depending on the service and, for the Scodle platform, the configuration requested by the client organisation, we may also collect additional details such as a phone number, postal address, or other profile fields. For the Scodle platform the minimum collected is first name, last name and email address.

Information we receive from third parties: We may receive information about you from the company, organisation or government providing the training resources you are accessing.

Information we collect automatically: When you use the Site we collect technical information (including your IP address, browser and device type, operating system and platform) and information about how you use the Site, including pages viewed, features used, search queries you enter, and, on the learning platform, your course activity and progress. We collect this through our own self-hosted, privacy-respecting analytics (see Section 13, Cookies).

Information related to AI interactions: When you use our AI features, we anonymously log your questions for 30 days solely for system performance analysis, response safety monitoring, and prompt sentiment analysis. These logs are not used to identify you. See Section 14.

4. How we use your personal information

We process personal information to deliver our services, to meet our legal and regulatory obligations, and for our legitimate business interests, including to:

5. Who we share your information with

We process personal information in accordance with our obligations under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and, where it applies to you, the EU General Data Protection Regulation 2016/679. We may share your personal information with:

Where we provide your personal information to a service provider, they are required to keep it confidential and secure and to use it only as instructed by us. We may also disclose your personal information where required by law, or to establish, exercise or defend legal rights, or to protect the safety of the Site, our people, or others.

6. Marketing

We do not use learner or Site-user personal information for third-party marketing or advertising, and we do not load third-party advertising or tracking beacons on the Site.

We send marketing communications (such as product news and updates) only to users who have opted in to receiving them. You can opt in or out at any time on your Scodle Profile page, or by contacting us. We use Mailchimp to deliver these communications (see Section 15), and every marketing message also includes an unsubscribe option.

7. Your rights

You have the right to:

  1. request access to the personal data we hold about you;
  2. request that we correct inaccurate personal data;
  3. request that we delete personal data we hold about you;
  4. restrict our processing of your personal data;
  5. object to our processing of your personal data; and/or
  6. receive your personal data in a structured, commonly used, machine-readable format, or have it transmitted to another organisation.

We may ask you for additional information to confirm your identity before acting on a request. We will respond in line with applicable law. Where we act as a processor for a client organisation (see Section 2), we will direct your request to that organisation, or assist them in responding to it, as appropriate.

To exercise any of these rights, contact our Privacy Officer at privacy@wetfish.com.au.

8. Complaints

If you have a concern about how we handle your personal information, please contact our Privacy Officer at privacy@wetfish.com.au in the first instance, and we will work with you to resolve it.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are located in the European Economic Area, you also have the right to lodge a complaint with the supervisory authority in your country.

9. Data security

Our infrastructure is built on Amazon Web Services (AWS) in Sydney, Australia. We adhere to the Australian Privacy Principles and follow operational best practices aligned to the ACSC Essential Eight. We implement security measures including:

We use reasonable endeavours to protect your data from unauthorised access. However, no transmission over, or storage on, systems connected to the internet can be guaranteed to be completely secure, and so we cannot guarantee the privacy, security or authenticity of any information transmitted to or stored on the Site.

10. How long we keep your information

We keep personal information only for as long as necessary for the purpose for which it was collected, or as required by law. In determining retention periods we consider the amount, nature and sensitivity of the information, the risk of harm from unauthorised use or disclosure, the purposes for which we process it, and our legal obligations. In practice:

11. Storage and overseas transfers

Our primary servers and the core of the learning platform, including learner accounts and course data, are hosted in AWS in Sydney, Australia.

Some specific functions are delivered by service providers located outside Australia, and so a limited amount of personal information is transferred overseas. These are listed in Section 15 and currently include transactional email (United States), certificate generation (United Kingdom and United States), customer support (United States), marketing email for business contacts (United States), and encrypted off-site backups (United States).

Where backups are sent off-site, they are encrypted on our own systems before transfer using zero-knowledge, client-side encryption, so the storage provider holds only encrypted data it cannot read.

Whenever we transfer personal information outside Australia, we take reasonable steps to ensure it receives a level of protection consistent with the Australian Privacy Principles, including by entering into contractual data-protection terms with the provider (such as standard contractual clauses or equivalent safeguards) and, where relevant, transferring to countries recognised as providing an adequate level of protection. We remain accountable for the handling of your personal information by these providers.

For more information on the safeguards used for a particular transfer, contact us at privacy@wetfish.com.au.

12. Data breach notification

We comply with the Notifiable Data Breaches scheme under the Australian Privacy Act 1988 (Cth). If an eligible data breach occurs that is likely to result in serious harm, we will notify the affected individuals and the Office of the Australian Information Commissioner as required by law, and we will work with any affected client organisation in doing so.

13. Use of Cookies

We use cookies that are essential for the proper functioning of the Site. These are session cookies that allow our servers to recognise whether you are logged in and to respond to your actions while you are logged in. They are configured to expire when your browser session ends or you log out. We do not store persistent cookies for our own purposes, and we do not use advertising cookies.

For usage analytics we use our own self-hosted analytics, which is configured to run without setting cookies. It records information such as pages viewed and features used, and on the learning platform it associates activity with your account so that, for example, progress is awarded to the correct person.

Some content provided by a client organisation within their courses may embed third-party media (for example Vimeo or YouTube videos). Where it does, your browser may load that media directly from the provider, and the provider may set its own cookies and collect information under its own privacy policy. This depends on the particular site and course and is outside our control.

The learning platform is a Learning Management System and needs to know who is logged in. Accordingly, it will not be available to you if you do not allow the essential cookies described above. Most browsers let you block or delete cookies, but if you block our essential cookies you will not be able to log in or view content.

We may change our use of cookies over time. Please review this page periodically. For general information about cookies, you may wish to visit www.allaboutcookies.org.

14. Our AI features

Our learning platform includes optional artificial intelligence features that help you find answers to questions about courses you already have access to, by searching course materials and presenting relevant information.

How your data is protected:

Data sovereignty: We do not use AI to process personal information, and all AI processing occurs within Australia. No personal information related to these features leaves Australian borders.

More information on Amazon Bedrock data protection is available on the AWS website.

15. Third-Party Sub-processors

We work with the following service providers (sub-processors), who may process personal data on our behalf to provide essential services. Each has been selected on the basis that it maintains appropriate data-protection standards. We will endeavour to update this policy at least 30 days before any change to our sub-processors.

Legal Name Purpose of Processing Categories of Personal Data Processing Location
Amazon Web Services, Inc. (AWS) Cloud infrastructure and hosting for all of our services All data processed through our platform, including user accounts, application data, logs and backups Australia
Mailgun Technologies, Inc. (Sinch Email) Transactional email delivery Email addresses, names, email content, delivery metrics, IP addresses, bounce/complaint data United States
Urlbox Ltd PDF certificate generation Names and course completion details United Kingdom, United States
Groove Networks LLC Customer support platform and knowledge base Names, email addresses and support ticket content United States
Backblaze, Inc. (B2 Cloud Storage) Encrypted off-site backups (zero-knowledge, client-side encrypted) Encrypted backups of platform databases and site data; the provider cannot read the contents United States
The Rocket Science Group LLC (Mailchimp) Marketing email and campaign management (business contacts) Names and email addresses United States

Change Log

Date Version Changes
September 22, 2025 1.0 Initial version - Added Amazon Web Services Inc., Mailgun Technologies Inc., Urlbox Ltd and Groove Networks LLC as sub-processors
October 24, 2025 1.1 Added The Rocket Science Group LLC (Mailchimp)
June 21, 2026 2.0 Restructured as a Wet Fish PTY LTD company-wide policy with a Scodle service schedule. Added controller/processor clause, OAIC complaints path, data-retention detail, Notifiable Data Breaches statement, and Backblaze, Inc. as a sub-processor. Corrected the overseas-transfer disclosure and removed invalid EU-US Privacy Shield / AU-US Safe Harbor references. Removed payment-gateway disclosure (not in use). Corrected the GDPR citation.

Data Protection Standards: All sub-processors are required to implement appropriate technical and organisational measures to ensure data security and to comply with applicable data protection laws, including the GDPR where applicable.

16. Contact us

If you have any feedback, questions or requests regarding this policy, please contact our Privacy Officer at privacy@wetfish.com.au.

This Privacy and Cookies Policy was last updated on June 21, 2026. We may update it from time to time, and the latest version will appear on our Site. By using the Site after any change is posted, you agree to the updated policy.

Schedule A: Scodle Learning Platform

This Schedule applies in addition to the main policy above when you use the Scodle learning management platform (scodle.com[.au] and any white-labelled or custom-branded deployment).

A1. Our role on the learning platform

We own and operate the Scodle platform and provide it as a fully managed service. Where we host the platform for a client organisation (for example a company, training provider or government department), that organisation is the controller of its learner and training records and decides the purpose for which they are collected and how long they are kept. We act as its processor for those records, on its instructions. If you are a learner, you should also read the privacy policy of the organisation that provided your training. Requests to access, correct or delete your training records may need to be made to, or actioned by, that organisation.

A2. Information collected on the learning platform

The minimum information collected for a learner account is first name, last name and email address. A client organisation may request additional profile fields for its deployment (for example a job role, team, or staff identifier). We also record your course activity and progress so that completions and records are attributed to the correct person.

A3. AI features on the learning platform

The AI features described in Section 14 are part of the Scodle platform. They answer questions using course materials you already have access to. They do not process personal information to generate responses, and questions are logged only in anonymised form for 30 days.

A4. Cookies and embedded content on the learning platform

The platform uses only the essential session cookies described in Section 13. Course content supplied by a client organisation may embed third-party media (such as Vimeo or YouTube), which may set that provider's own cookies under that provider's privacy policy. Whether any such content is present depends on the particular site and course.