Introduction
Hear Me Out (HMO) is a digital complaint-navigation and legal information platform operated by The National Justice Project Ltd (ABN 23 609 620 028) (NJP, we, us, our).
Hear Me Out is an AI-assisted platform designed to help users identify complaint bodies, complaint pathways, support services and next steps that may be relevant to their situation. It provides legal information and complaint-navigation guidance only. It does not provide legal advice.
This Privacy Policy explains how we collect, hold, use and disclose personal information in connection with Hear Me Out, and how you can request access to or correction of your personal information.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
The platform currently provides information about New South Wales, Victoria and federal complaint pathways.
This Privacy Policy applies to anyone who uses Hear Me Out or otherwise interacts with us about the platform, including individuals, advocates, support workers, professionals and other users.
What Personal Information do we collect, and how do we collect it?
The personal information we collect depends on how you use Hear Me Out and interact with us, and what information you choose to include in free-text inputs.
For the triage chatbot, we collect and store:
- the information you enter into the chat;
- the date of the log; and
- the session ID.
We may also collect:
- information you provide when contacting us, requesting support, or giving feedback;
- records of communications with us about Hear Me Out; and
- website and service usage information collected through our platform and service providers, including analytics, security and technical tools.
Because Hear Me Out accepts free-text user input, information entered into the triage chatbot may include personal information, and may also include sensitive information about you or another person, even though Hear Me Out does not ask users to provide more personal or sensitive information than is reasonably necessary to use the service. Where practicable, users may interact with Hear Me Out without identifying themselves, or by using a pseudonym. Users should avoid including names, contact details, health information or other sensitive information unless it is reasonably necessary to explain their issue.
We collect personal information:
- directly from you when you use Hear Me Out, submit a chat message, contact us or provide feedback;
- automatically through the operation of the website, chatbot and related systems; and
- through service providers that support the operation, security, analytics, maintenance and improvement of the platform.
Full triage chatbot conversations are logged automatically.
The information logged for triage conversations is:
- what the user enters into the chat;
- the date of the log; and
- the session ID.
These triage logs are stored in HMO’s administrative systems and can be accessed by the Project Lead and any person granted permission by the Project Lead. Access requires authentication controls, including 2FA through a justice.org.au email account.
Access to the triage admin environment is restricted to the Project Lead and any person granted permission by the Project Lead. Third-party technical providers may also have administrative or support access where reasonably required to maintain or support the platform.
Based on our current understanding and configuration, complaint writer interactions are not stored in the same administrative logging environment as triage chatbot interactions, and are not visible there.
Because Hear Me Out accepts free-text input, users should avoid including unnecessary personal information or sensitive information about themselves or other people, and should only provide details that are reasonably necessary to explain their issue.
How we handle information entered into Hear Me Out
Hear Me Out does not require users to provide personal information in order to receive triage guidance, and users should avoid including unnecessary personal or sensitive information about themselves or other people.
However, because the triage chatbot accepts free-text input, users may choose to include personal information or sensitive information in a triage message even though that information is not required for triage. If that occurs, the information may be captured in triage logs.
Triage logs may be accessed by authorised users where reasonably necessary for platform operation, troubleshooting, safety, quality assurance, evaluation and improvement.
Where practicable, we de-identify information before using it for broader internal analysis, reporting, research, advocacy or service improvement. Authorised users may manually review triage logs and remove direct identifying details before recording information in internal spreadsheets. These spreadsheets are intended to contain de-identified information only.
These de-identified spreadsheets are stored in NJP’s SharePoint environment. Where de-identified spreadsheet information is created, any identifiable SharePoint version is deleted immediately. NJP does not keep an identifiable spreadsheet version outside the triage admin logs.
If personal information is included in a triage message, it may be disclosed to third-party service providers that support the operation of Hear Me Out, including providers involved in hosting, AI functionality, storage, analytics, monitoring, security, bot protection, deployment and system administration.
We may also disclose personal information where required or authorised by law, where you direct us to do so, or where disclosure is reasonably necessary to lessen or prevent a serious threat to life, health or safety, where permitted by law.
We do not sell personal information.
Based on our current understanding and configuration, complaint writer interactions are not stored in HMO’s triage administrative logging environment and are not visible there.
Hear Me Out uses third-party providers and infrastructure to help deliver and maintain the platform. These currently include Webflow, Microsoft Azure, Azure OpenAI, Cosmos DB, Pinecone, Google Analytics, Sentry, reCAPTCHA and Bitbucket. These providers support different aspects of the website, AI infrastructure, storage, analytics, monitoring, security, deployment and platform administration.
We take reasonable steps to ensure that third-party service providers handling personal information on our behalf do so under appropriate contractual, technical or organisational arrangements.
Hear Me Out is configured so that personal information handled through the platform is intended to be stored and processed in Australia. We rely on information provided by our relevant service providers about their Australian hosting and processing arrangements.
However, some third-party providers, or their products, infrastructure, subprocessors or support services, may involve access to or processing of personal information outside Australia in some circumstances, including for maintenance, support or incident response. For that reason, we cannot guarantee that overseas disclosure or overseas access will never occur.
Where personal information is disclosed to, or accessed by, an overseas recipient in connection with the operation, support, maintenance or improvement of Hear Me Out, we take reasonable steps to ensure that the recipient handles that information in a manner consistent with applicable privacy obligations.
Security of Personal Information
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
These steps may include:
- restricted administrative access;
- authentication controls, including 2FA;
- protected cloud environments;
- logging and monitoring; and
- vendor and access controls where appropriate.
NJP takes reasonable steps to detect, assess and respond to privacy and security incidents affecting Hear Me Out.
No method of transmission over the internet or method of electronic storage is completely secure. Because of this, we cannot guarantee absolute security.
We keep personal information only for as long as it is reasonably necessary for the purposes described in this Privacy Policy, including operating, securing, reviewing and improving Hear Me Out, responding to issues, and meeting legal and governance requirements.
Triage admin logs are retained only for as long as they are reasonably required for those purposes. NJP reviews its information-handling practices from time to time and is continuing to develop and formalise retention and deletion processes for triage logs.
NJP may retain de-identified information for reporting, evaluation, service improvement, research, advocacy, and longer-term analysis of structural or systemic trends.
When personal information is no longer reasonably required for a purpose permitted under applicable privacy law, we will take reasonable steps to destroy it or de-identify it, unless we are required or authorised by law to retain it.
Personal Rights
You may request access to personal information we hold about you, and you may ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading. We may need to verify your identity before responding to a request. In some circumstances, the law permits us to refuse access or decline to make a requested correction.
To request access to or correction of your personal information, please contact us using the details below.
Complaints
If you have a concern about how we have handled your personal information, you may contact us using the details below and describe your concern. We will consider your complaint and respond within a reasonable period. We may ask you for further information to help us assess and respond to your complaint.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).
Contact Details
For questions about this Privacy Policy, or to request access to or correction of your personal information, or to make a privacy complaint, please contact:
Email: hello@hearmeout.org.au
Policy Review
We may update this Privacy Policy from time to time to reflect changes to Hear Me Out, our practices, service providers or legal requirements.
The current version will be published on our website with its effective date.