Privacy Policy

Version 1.2 Draft · Last updated: 26 April 2026
Draft notice: This policy is a draft prepared by Venue Axis's founder with AI assistance. It has not been reviewed by an Australian privacy lawyer. Before using this policy for real patron or staff data, or publishing it on the Venue Axis website, it must be reviewed by an Australian privacy lawyer with expertise in the Privacy Act 1988 (Cth), the Australian Privacy Principles, the Gaming Machines Act 2001 (NSW), and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). A lawyer review checklist is at the end of this document.

Venue Axis's role and the AML/CTF reporting entity

Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), a registered club providing gaming machine services is a reporting entity (ss.5, 26F). The club — not Venue Axis — bears AML/CTF obligations to AUSTRAC including maintaining an AML/CTF program, conducting customer due diligence, and submitting regulatory reports. These obligations remain with the club regardless of what compliance software the club uses.

Venue Axis is a compliance vendor. Venue Axis processes personal information about patrons and staff on behalf of each club, as a data processor. The club is the primary entity responsible for patron-facing privacy obligations and for the lawful collection and use of patron data under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

For the full description of this relationship — including what Venue Axis provides, what it does not undertake, and how AML/CTF reporting works — see the Terms of Service.

About Venue Axis

Venue Axis is a compliance software platform built for New South Wales registered clubs with gaming machines. Venue Axis helps clubs meet their regulatory obligations under:

  • The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) administered by AUSTRAC
  • The Gaming Machines Act 2001 (NSW) and the Gaming Machines Regulation 2019 (NSW) administered by Liquor & Gaming NSW
  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • Industry guidance from ClubsNSW including the Multi-Venue Self-Exclusion (MVSE) program and the Club Gaming Code of Practice

Venue Axis is provided as a hosted software service. Club staff use Venue Axis to record compliance events (incidents, welfare checks, customer due diligence records, self-exclusion checks, threshold breaches, machine malfunctions, inspector arrivals), generate regulatory reports and documents, and manage compliance workflows.

Venue Axis is operated by [Legal entity name and ABN — to be filled in before publication], with its registered office in [address — to be filled in]. Contact details for privacy matters are at the end of this policy.

Venue Axis's role and how Australian privacy law applies

How information flows

When a registered club uses Venue Axis, club staff enter information about patrons, staff, and visitors into the Venue Axis platform during the course of normal venue operations. The club decides what information to collect, why it is collected, and how it is used. The club also owns the direct relationship with patrons, holds the statutory obligations under the Gaming Machines Act 2001 (NSW), and is typically the appropriate entity to respond to patron requests about their personal information.

Venue Axis hosts and processes that information on behalf of the club to provide, secure, and support the Venue Axis service.

The “holding” concept and what it means for you

Under the Privacy Act, personal information held by a cloud service provider is typically held by both the customer (the club) and the service provider (Venue Axis) at the same time. This is because both parties have possession or control of the information in different ways. The OAIC has published guidance recognising this joint-holding scenario for cloud providers.

What this means:

  • The club is the primary entity with the patron-facing relationship. Patron requests about personal information (access, correction, complaint) should be directed to the relevant club in the first instance.
  • Venue Axis is a service provider to the club. Venue Axis processes and stores information in accordance with the club's instructions as set out in the Venue Axis Master Services Agreement and the Data Processing Agreement (DPA) signed between Venue Axis and each club.
  • Venue Axis may itself be an APP entity under the Privacy Act. Where Venue Axis is an APP entity and holds personal information about an individual, Venue Axis will comply with applicable Privacy Act obligations in relation to that information.
  • Where information is jointly held and a regulatory obligation applies (for example, a data breach notification under the Notifiable Data Breaches scheme), Venue Axis and the club will cooperate and agree who leads the response. Generally, the club will lead patron-facing notifications because the club has the direct relationship with patrons; Venue Axis will support the club by providing information and technical assistance.

What this means for patrons

If you are a patron of a registered club that uses Venue Axis and you have questions about information the club holds about you, or if you wish to request access, correction, or make a complaint, you should contact the club directly in the first instance. The club is best placed to verify your identity, apply venue context, and respond under the Privacy Act.

Venue Axis can assist by:

  • Routing your request to the correct club and confirming receipt
  • Supporting the club to export or correct information as instructed
  • Responding directly where Venue Axis is legally required to do so (for example, to comply with a lawful request from a regulator or law enforcement authority)

If you are unsatisfied with a club's response, or with Venue Axis's response where Venue Axis has responded directly, you have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). Contact details are at the end of this policy.

What this means for clubs

  • Each club is responsible for its own patron-facing privacy policy that explains what information the club collects, why, and how it is handled. Venue Axis does not replace the club's privacy policy.
  • The Data Processing Agreement between Venue Axis and each club sets out the specific operational obligations, sub-processor disclosures, breach notification procedures, and audit rights.
  • Venue Axis provides tools — audit logs, access controls, secure storage, data export — to help clubs meet their privacy and compliance obligations.

How Venue Axis collects information

Venue Axis collects personal information from the following sources:

  • Directly from club staff using the platform. Staff enter patron information (names, dates of birth, identification details), record incidents and observations, and log compliance events as part of their normal venue duties.
  • From club-configured integrations. If a club has connected Venue Axis to a third-party system such as a facial recognition technology (FRT) provider or a sanctions screening service, Venue Axis may receive alert or match event data from those systems. Venue Axis does not itself perform facial recognition or sanctions screening; it records events reported by the club's chosen systems.
  • From staff authentication and activity. When staff log in to Venue Axis, Venue Axis records authentication events. When staff create, modify, or export records, Venue Axis logs those actions for audit purposes.
  • From automated security and performance logging. Venue Axis's infrastructure generates logs for authentication events, errors, and platform performance. These logs may incidentally contain limited personal information (for example, the email address of a staff member who experienced an error).
  • Indirectly from patrons during compliance interactions. When a patron provides identification for a customer due diligence check, or is involved in an incident recorded by club staff, that information is entered into Venue Axis by the club staff member handling the interaction. Venue Axis does not have a direct interface with patrons.

Venue Axis does not collect personal information from:

  • Cookies or trackers on the Venue Axis application itself (beyond session management)
  • Third-party analytics or advertising services
  • Purchased data sets or data brokers
  • Scraping, public records, or open data sources

What information Venue Axis holds on behalf of clubs

Patron information

  • Identity information: full name, date of birth, residential address, identification document details (type, number, expiry, country of issue), and photograph of identification documents where required for AML/CTF customer due diligence
  • Contact information: phone number and email address where provided to the club
  • Self-exclusion status: whether a patron is self-excluded, the scope and duration of the exclusion, and breach event records
  • Behavioural observations: records of welfare checks, incidents, interactions with venue staff, and compliance-relevant observations recorded by staff
  • Transaction-related information: dollar amounts associated with customer due diligence events (for example, cash-in totals that trigger the $5,000 CDD threshold under the AML/CTF Act). Venue Axis does not process payment card numbers, bank account details, or payment processor integrations.
  • FRT alert records: where a club uses facial recognition technology to identify self-excluded patrons, Venue Axis may record that an alert event occurred, the time and location, the match confidence score reported by the FRT system, and the staff response. See the “Facial recognition technology” section below for important scope information.
  • Sanctions screening results: where a club uses a sanctions screening provider, Venue Axis may record the outcome of a screening query (no match, possible match, confirmed match) and the staff decision

Staff information

  • Account information: full name, work email, phone number, role (Responsible Gambling Officer, floor, Gaming Manager, Compliance Officer, CEO, or administrator), and club affiliation
  • Authentication information: hashed passwords and session tokens managed by Venue Axis's authentication service provider
  • Activity information: logs of actions taken in Venue Axis (records created or modified, documents viewed, exports, approvals given)

Visitor and third-party information

  • Regulator and law enforcement visit records: when an inspector from Liquor & Gaming NSW, an officer from NSW Police, or another authority visits a club, Venue Axis may record the visit date and time, the visitor's name and identification, the agency, the reason for the visit, and any records accessed
  • Witness and complainant information: where a patron, staff member, or visitor is involved in an incident as a witness or complainant, their name and contact information may be recorded as part of the incident record

Facial recognition technology (FRT) and biometric information

Venue Axis's handling of FRT-related information has specific limits that patrons and clubs should understand.

Venue Axis does not perform facial recognition. Venue Axis does not capture face images, generate biometric templates, or run matching algorithms. All facial recognition processing is performed by a third-party FRT system chosen by the club, operating outside of Venue Axis.

Venue Axis does not store face images or biometric templates from an FRT system. Raw biometric data remains within the FRT vendor's system. Venue Axis's integration (where configured by a club) is limited to receiving alert notifications when the FRT system reports a match event.

Where configured by a club, Venue Axis may store an alert record. This alert record may include:

  • The date and time of the match event
  • The location (camera or gaming area) where the alert occurred
  • The match confidence score as reported by the FRT system
  • The staff response to the alert (for example, whether the patron was approached, verified, refused entry, or escorted out)

Depending on the club's FRT implementation and how Venue Axis is configured, some of this alert information may constitute sensitive information or biometric information under the Privacy Act. Venue Axis handles alert records with appropriate care and treats them as sensitive information by default. The legal classification of a specific alert record depends on the club's implementation and on the guidance of the NSW Code of Practice: Facial Recognition Technology in Hotels and Clubs (18 March 2026).

Clubs using FRT should refer to:

  • The NSW FRT Code of Practice
  • The club's own privacy policy disclosures required under APP 5
  • The Data Processing Agreement with Venue Axis, which specifies how FRT alert records are handled

ClubSafe / MVSE data

The ClubsNSW Multi-Venue Self-Exclusion (MVSE) program is a centralised system operated by ClubsNSW that allows patrons to self-exclude from multiple venues. The MVSE program has its own data handling guidelines that are in some respects stricter than general APP requirements, including restrictions on overseas access, third-party storage, and email transmission of MVSE data.

Venue Axis's approach to MVSE data:

  • Venue Axis does not access the MVSE system directly. There is no Venue Axis integration with the MVSE database. Staff log in to the ClubsNSW Venue Staff Portal separately to query or record MVSE information.
  • Venue Axis records that MVSE-related events occurred, not the underlying MVSE data. For example, when staff identify a self-exclusion breach, Venue Axis records the breach as an incident in the club's incident register. The MVSE record itself is updated by staff directly in the Venue Staff Portal, not through Venue Axis.
  • Where a club instructs staff to upload MVSE-related identification (for example, a photo of a self-excluded patron captured during a breach interaction), that information is handled with the same protections as other sensitive information in Venue Axis. Clubs are responsible for ensuring their use of Venue Axis for MVSE-related information complies with the ClubsNSW MVSE guidelines and any conditions placed on venue access to the MVSE system.
  • Venue Axis does not transmit MVSE data outside of Australia. Venue Axis's sub-processors are selected to support Australian data residency for operational data (see “Where Venue Axis stores and processes data” below).

If a club is uncertain whether a specific use of Venue Axis is compatible with its MVSE obligations, the club should seek guidance from ClubsNSW and from its own legal counsel before recording MVSE-related information in Venue Axis.

Why Venue Axis holds this information

Venue Axis holds information only to support the following purposes:

  1. Regulatory compliance: enabling clubs to meet their obligations under the AML/CTF Act, the Gaming Machines Act 2001 (NSW), the Privacy Act, and other applicable law
  2. Audit and evidence: providing clubs with a structured, timestamped, and tamper-evident record of compliance events that can be produced during regulatory inspections or investigations
  3. Regulatory reporting: generating reports and documents that clubs submit to AUSTRAC (Suspicious Matter Reports, Threshold Transaction Reports, Compliance Officer notifications) and Liquor & Gaming NSW (incident registers, inspection records)
  4. Self-exclusion enforcement support: helping clubs identify and respond to self-excluded patrons as part of the ClubsNSW MVSE program and related harm minimisation obligations
  5. Staff accountability: providing clubs with audit trails of staff actions so the club can demonstrate compliance and investigate incidents
  6. Platform operation: authenticating users, delivering the Venue Axis service, supporting users, investigating technical issues, preventing fraud and abuse of the platform, and improving reliability

Venue Axis does not use information for any purpose other than the above. In particular, Venue Axis does not:

  • Use patron data for marketing (Venue Axis's own or third parties')
  • Sell, rent, or otherwise commercialise patron data
  • Use patron data to train machine learning models
  • Share patron data with advertisers or analytics providers
  • Access patron data for any purpose beyond providing, maintaining, and improving the Venue Axis service on behalf of the club

Automated decision-making and use of AI

Venue Axis's own APP 1.7 disclosure

From 10 December 2026, the Privacy and Other Legislation Amendment Act 2024 (Cth) requires APP entities to include specified disclosures in their APP 1 privacy policy where they operate — or arrange for — a computer program that makes, or does a thing substantially and directly related to making, a decision that “could reasonably be expected to significantly affect the rights or interests of an individual”, where personal information is used in that program. Venue Axis is an APP entity in its own right and makes the following disclosures accordingly.

Programs Venue Axis operates that are within scope of APP 1.7

Venue Axis provides three computer-assisted programs that are within scope of APP 1.7 as programs used by clubs to substantially inform decisions about individual patrons:

1. Patron AML/CTF risk assessment

  • Kinds of personal information used: full name, date of birth, country of residence, identification document type and number, nature and declared purpose of the patron's gaming activity, types and amounts of transactions involving gaming machine access (cash-in, cash-out, TITO ticket value, cheque/EFT payouts), and staff observations of behaviour recorded during gaming sessions.
  • Kinds of individuals: patrons who have triggered a customer due diligence (CDD) event under the club's AML/CTF program. Not all patrons.
  • Kinds of decisions substantially informed: whether a patron is required to provide enhanced identity documentation or source-of-funds information; whether enhanced CDD is required; whether the club is required to take action under its AML/CTF program obligations including filing reports with AUSTRAC.
  • Kinds of personal information NOT used: age, gender, or residential address within Australia (including postcode). These fields are collected for identity verification and regulatory reporting purposes only. See the affirmative exclusion rationale in Venue Axis's internal scoring policy documentation.

2. Patron welfare and harm-minimisation assessment

  • Kinds of personal information used: patron session duration, frequency of gaming machine use, structured staff observations of behaviour (recorded against a standard framework aligned with L&GNSW guidance on signs of risky and problem gambling behaviour), and any patron-initiated interactions (self-exclusion requests).
  • Kinds of individuals: patrons observed by gaming floor staff or Responsible Gambling Officers during gaming sessions.
  • Kinds of decisions substantially informed: whether to initiate a welfare conversation with a patron; whether to offer a break from gaming; whether to record an incident in the club's Gambling Incident Register under the NSW Gaming Machines Regulation 2019; whether to facilitate a self-exclusion.
  • Kinds of personal information NOT used: age, gender, or residential address.

3. Sanctions and politically exposed person (PEP) screening

  • Kinds of personal information used: full name, date of birth, and country of residence. These fields are submitted to a third-party screening service which returns a categorised result (no match, possible match, confirmed match) and a confidence score. The screening result and confidence score are recorded in Venue Axis.
  • Kinds of individuals: patrons who have triggered a CDD or enhanced CDD event under the club's AML/CTF program. Not all patrons are screened.
  • Kinds of decisions substantially informed: whether a patron is a match to a domestic or international sanctions list or PEP register; whether enhanced CDD is required; whether an SMR must be considered for filing with AUSTRAC; whether service must be refused under the club's AML/CTF program obligations.
  • Human review is always required. Every decision based on a screening result is made by the club's AML Compliance Officer or delegated officer after reviewing the result. The screening program assists by querying the list and returning a result; it does not autonomously block service, elevate a CDD tier, or file any regulatory report.
  • Kinds of personal information NOT used: age, gender, residential address within Australia, postcode, occupation, transaction amounts, or risk score.

No autonomous regulatory submissions

External regulatory submissions (Suspicious Matter Reports, Threshold Transaction Reports, Compliance Officer notifications to AUSTRAC, annual compliance reports) are not submitted automatically by any Venue Axis program. Clubs must review and approve all such submissions through the designated AMLCO control workflow before they are transmitted to regulators.

Access requests involving SMR-related records

Where a patron makes an access request and the responsive personal information relates to a Suspicious Matter Report filed under the AML/CTF Act 2006, the club's ability to provide access is limited by the tipping-off prohibition under s.123 of the AML/CTF Act and the access-refusal ground in APP 12.3(f) (giving access would be unlawful). In those circumstances, the club is entitled to refuse access to the SMR-related records and must provide written reasons for the refusal that do not reveal the existence of any SMR. Venue Axis provides guidance and template language to assist clubs in handling such access requests in compliance with both the Privacy Act and the AML/CTF Act.

Club ADM disclosure obligations

Each club that uses Venue Axis is itself an APP entity for patron data and bears its own APP 1.7 disclosure obligations. The above describes what Venue Axis discloses as operator of the programs. Each club must include its own ADM disclosures in its privacy policy. Venue Axis provides template language to assist clubs with these disclosures. Clubs should seek legal advice before finalising their APP 1 privacy policies.

AI processing and data residency

  • AI processing of patron data, where it occurs, is performed using services with Australian data residency (currently Amazon Bedrock in the Sydney region, AWS ap-southeast-2, for any AI workloads that are activated). Venue Axis does not currently use any non-Australian AI provider for patron data.
  • Venue Axis does not use patron data to train AI models. Information processed by AI tools is used only for the specific analytical task requested and is not retained by the AI provider for model training.
  • AI-assisted drafting tools, if used to prepare any content that leaves the club for a regulator, require explicit human review and approval by the club's Compliance Officer or equivalent authorised staff member before transmission.

Where Venue Axis stores and processes data

Venue Axis is designed so that core production workloads that handle club operational data are hosted in Australia. Venue Axis selects its sub-processors and configurations to support Australian data residency wherever operationally feasible.

Core production infrastructure

  • Primary database: Supabase (managed Postgres) in the ap-southeast-2 (Sydney) region. Patron, staff, and visitor records are stored in this region.
  • Application hosting: Vercel, with functions and compute configured for Australian regions where supported by the Vercel platform.
  • File storage: Supabase storage in the Sydney region for any uploaded files (for example, photographs of identification documents).
  • Authentication: Supabase Auth, with user and session data stored in the Sydney region.
  • AI processing (where activated): Amazon Bedrock in the Sydney region.

Infrastructure with potential overseas involvement

Some components of the broader internet infrastructure Venue Axis depends on may involve transient routing of encrypted traffic outside Australia. Examples include:

  • Global content delivery networks (CDNs): Venue Axis's static assets (JavaScript, CSS, images, fonts) may be served through a global CDN edge network. This routing is not intended to make personal information accessible to overseas recipients. Encrypted traffic transiting a CDN edge node is not the same as disclosure to that location.
  • Email delivery infrastructure: Venue Axis uses a third-party email provider for transactional email (for example, password reset emails). [Current provider: Supabase built-in email, which is rate-limited and intended for development use only. Before production use, Venue Axis will migrate to a production-grade provider with Australian data residency where available.]
  • Vendor support and monitoring access: Venue Axis's sub-processors may have support personnel located outside Australia. Venue Axis's Data Processing Agreement with each sub-processor addresses these arrangements.

Cross-border disclosure commitment

Venue Axis does not intend to make personal information accessible to overseas recipients for the purposes of APP 8 (cross-border disclosure). Where Venue Axis becomes aware that a sub-processor or infrastructure component would result in such a disclosure, Venue Axis will:

  1. Assess the disclosure against APP 8 requirements
  2. Update this policy to reflect the disclosure and the countries involved
  3. Give affected clubs at least 30 days' notice and the opportunity to object or terminate the Data Processing Agreement

Venue Axis will not rely on an informal “Australia-only” claim to satisfy APP 8. If a specific integration, sub-processor, or infrastructure change would materially affect where information is processed or made accessible, Venue Axis will disclose it in this policy.

Who Venue Axis shares information with

Venue Axis shares personal information only with the following parties, and only to the extent necessary for the stated purpose:

The club itself

The club that uses Venue Axis has full access to its own data through the Venue Axis platform.

Sub-processors

Venue Axis uses the following sub-processors to operate the platform:

Sub-processor | Purpose | Region
Supabase | Database, authentication, file storage | Sydney (ap-southeast-2)
Vercel | Application hosting and deployment | Australian region where supported
Anthropic | AI-assisted analysis (dormant) | Australian regions only, when activated
Amazon Web Services | Cloud infrastructure for AI features (dormant) | Sydney (ap-southeast-2)
[Email provider TBC] | Transactional email | To be confirmed

A current list of sub-processors is maintained in the Data Processing Agreement between Venue Axis and each club. Venue Axis will notify clubs of any changes to the sub-processor list with at least 30 days' notice and give clubs the opportunity to object before the change takes effect.

Regulators and law enforcement

Venue Axis does not proactively disclose patron data to regulators or law enforcement. If Venue Axis receives a lawful request for information, Venue Axis will:

  1. Notify the affected club promptly unless legally prohibited from doing so
  2. Require the requesting party to provide proper legal authority
  3. Cooperate with the club in assessing and responding to the request
  4. Disclose only the minimum information necessary to comply with the lawful request

Clubs may and do submit data to regulators directly using Venue Axis's reporting tools. In those cases, the club is the party making the disclosure; Venue Axis provides the preparation and reporting infrastructure.

The MVSE system

When a club records a self-exclusion breach in Venue Axis, the club is separately required under the ClubsNSW MVSE program to record the breach in the MVSE Venue Staff Portal. Venue Axis does not transmit data to the MVSE system. The club's staff log the breach in MVSE manually; Venue Axis provides a guided checklist and audit trail to help the club meet its MVSE obligations.

Third-party service providers chosen by the club

If a club uses Venue Axis's integration with a third-party service (for example, a sanctions screening provider or an FRT vendor), the club's data may be shared with that provider as directed by the club. The club is responsible for ensuring it has the right to share data with those providers and for maintaining its own contractual arrangements with them. Venue Axis acts on the club's instructions.

How long Venue Axis retains information

Venue Axis retains information for as long as the controller club instructs, subject to the minimum retention periods set by law and industry codes. Different categories of information have different retention rules:

AML/CTF records — minimum 7 years

As required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC guidance. Includes: customer due diligence records, SMRs and supporting records, TTRs and supporting records, CO notifications and related correspondence.

Gambling incident register entries — minimum 3 years

As required by the Gaming Machines Act 2001 (NSW) and Liquor & Gaming NSW guidance. Includes: incident records, self-exclusion breach events, FRT alert events resulting in incidents, welfare checks escalated to incidents.

Active self-exclusion records — deleted promptly after expiry

Consistent with expectations under the NSW FRT Code of Practice. Operational data supporting an active self-exclusion is minimised once the exclusion is no longer in effect. Incident register entries from breach events are retained separately (3 years minimum).

Staff activity logs — minimum 5 years

Aligned with the NSW FRT Code of Practice staff training record requirement and general audit needs.

Platform operational logs — 90 days

Unless required for a longer period to investigate a specific incident or to comply with a legal obligation.

Data export on contract termination

If a club terminates its Venue Axis contract, the club has 30 days to export its data before Venue Axis deletes it from active systems. Regulatory retention obligations continue to apply after termination — the club is responsible for retaining the exported data for the required minimum periods.

How Venue Axis protects information

Access control and tenant isolation

  • Row Level Security (RLS) is enforced at the database level using Postgres RLS policies. For normal application access, staff from one club cannot query or retrieve data belonging to another club; the database itself rejects such queries regardless of any application-level bug.
  • Certain restricted administrative operations (such as cross-tenant operations performed by Venue Axis's server-side infrastructure, for example during new club registration) use privileged credentials that can bypass RLS. Venue Axis limits the use of such credentials, logs their use, and deploys them only when necessary for specific, documented operations.
  • Role-based access control within each club: staff see only the data appropriate to their role (floor staff, gaming managers, compliance officers, CEO users, administrators).
  • Authentication uses email and password, with optional multi-factor authentication. Passwords are hashed using industry-standard algorithms and are never stored in plaintext.

Encryption

  • Public web endpoints (the Venue Axis application, marketing site, and API) are served over TLS 1.2 or higher.
  • Database connections are encrypted in transit using SSL/TLS. Venue Axis enforces SSL on database connections where supported by the database provider's configuration.
  • Data at rest is encrypted using provider-managed keys (Supabase uses AWS-backed encryption at rest; Vercel encrypts storage at rest).

Audit logging

Venue Axis logs authentication events, record lifecycle events (creation, modification, deletion), exports and document generation, and access to sensitive workflows.

Venue Axis does not currently log every individual read of every patron record. Some read-only access (for example, viewing a dashboard that displays recent incidents) may not generate a discrete log entry. Clubs that require more granular read logging should discuss their requirements in the Data Processing Agreement.

Backups, personnel access, and vulnerability management

  • Data is backed up daily within the Australian region. Backup encryption and access follow the same controls as production data.
  • Venue Axis staff do not have routine access to patron data in production. Access is granted only for specific support or incident-response purposes, is time-limited, and is logged.
  • Venue Axis applies security patches promptly, monitors for newly disclosed vulnerabilities, and reviews its security posture periodically. No system is perfectly secure, and Venue Axis does not guarantee that information will never be subject to unauthorised access.

Data breach response

If Venue Axis becomes aware of a suspected or confirmed data breach, Venue Axis will:

  1. Immediately begin containment and investigation.
  2. Notify affected clubs as soon as practicable, and aim to provide an initial notification within 72 hours of becoming aware of a suspected or confirmed breach.
  3. Cooperate with each affected club on the Notifiable Data Breaches scheme assessment. Venue Axis and the club will agree who leads notification to affected individuals and to the OAIC; generally, the club will lead patron-facing notifications.
  4. Support the club's response by providing technical information, impact assessments, affected-record identification, and any other assistance reasonably required.
  5. Conduct a post-incident review to identify improvements to security, detection, and response processes.

Your rights

Under the Privacy Act and the Australian Privacy Principles, you have the right to:

  • Know what personal information is held about you (APP 1, APP 5)
  • Access that information (APP 12)
  • Request correction of inaccurate, out-of-date, or misleading information (APP 13)
  • Make a complaint if you believe your privacy has been breached

To exercise these rights, you should contact the club that holds your information in the first instance. The club is best placed to verify your identity, apply context from your interactions with the venue, and respond to your request.

If you cannot identify or reach the club, or if you believe Venue Axis holds information about you outside of a specific club relationship, you may contact Venue Axis directly using the contact details at the end of this policy.

How Venue Axis handles privacy complaints

  1. Acknowledge your complaint within 5 business days of receiving it.
  2. Investigate the complaint. Depending on complexity, investigation may include reviewing logs, consulting with the affected club, and seeking additional information from you.
  3. Provide a written outcome within 30 days of receiving your complaint.
  4. Escalate to the OAIC if requested or required.

Cookies and analytics

The Venue Axis application (used by club staff) does not use third-party analytics, advertising trackers, or any tracking beyond what is necessary to provide the service and maintain audit logs. The only cookies used are essential cookies for session management and security.

The Venue Axis marketing website (where prospective clubs learn about Venue Axis) may use basic aggregate analytics to understand website usage. Where such analytics are configured, they are set to anonymise IP addresses and are configured not to collect personally identifiable information.

Children

Venue Axis is not directed at children. Patron data may include information about individuals under 18 only incidentally — for example, if a minor attempts to enter a gaming area and an incident is recorded. Venue Axis does not knowingly solicit or collect information from children.

Changes to this policy

  • Material changes will be communicated to clubs with at least 30 days' notice
  • Minor changes (clarifications, formatting) may be made without advance notice
  • The “Last updated” date at the top is updated for every change
  • Prior versions are retained in Venue Axis's document archive and can be provided on request

Contact Venue Axis about privacy

For any privacy-related question, request, or complaint:

Email: privacy@[venueaxis-domain].com.au
Post: [Venue Axis registered office address]

We aim to acknowledge privacy requests within 5 business days and to provide substantive responses within 30 days, consistent with APP 12 timeframes.

Outreach campaign data

Venue Axis operates periodic outreach campaigns directed at registered clubs holding NSW gaming machine licences. This section describes how Venue Axis collects and handles data in connection with those campaigns.

What we collect and why

Venue Axis collects business contact information (trading name, licensee name, licence number, address, and publicly published business email addresses) from two sources:

  • The L&GNSW gaming machine licensee register — a public register maintained by Liquor & Gaming NSW listing every NSW registered club holding a gaming machine licence
  • Each venue's own publicly accessible website — specifically, business email addresses that are conspicuously published on the venue's website (contact pages, footer, “about” pages)

This information is collected for the purpose of sending a single campaign of commercial electronic messages about Venue Axis's compliance platform, addressed to clubs with a relevant regulatory compliance obligation.

Harvest evidence and defensibility

For every email address collected from a venue's website, Venue Axis retains an evidence record documenting: the source URL, the date and time of collection, a snapshot of the source page at collection time, and whether the source page contained any “no unsolicited commercial email” notice. This evidence is retained to demonstrate compliance with the inferred consent provisions of the Spam Act 2003 (Cth) in the event of a complaint to the Australian Communications and Media Authority (ACMA).

Unsubscribe and deletion requests

Every campaign email includes a one-click unsubscribe link. Clicking this link immediately and permanently suppresses all future campaign messages to that address — across every future Venue Axis campaign, not just the current sequence. There is no re-opt-in. Venue Axis also responds to deletion requests submitted by reply email or by contacting scott@venueaxis.com.au. A deletion request will result in the removal of the contact record from the prospects table and the addition of the address to the permanent suppression list.

What we do not collect

Venue Axis does not collect patron data, club operational data, or any information held under the multi-tenant Venue Axis platform in connection with outreach campaigns. Campaign data is entirely separate from club compliance records. Venue Axis does not purchase email lists or use third-party data brokers.

Contact the OAIC

If you believe Venue Axis or a club using Venue Axis has mishandled your personal information:

Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: oaic.gov.au