RTOPilot Privacy Policy

Last Updated: 31-03-2026

1. Introduction

1.1 This Privacy Policy explains how XMB Technology Pty Ltd ABN 49 672 748 391 ("RTOPilot", "we", "us", or "our") collects, uses, discloses, and protects personal information through the RTOPilot platform and associated services.

1.2 We are committed to protecting your privacy and ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1.3 This Privacy Policy applies to:

  • Registered Training Organisations (RTOs) using our services;
  • Students enrolled through RTOs using our platform;
  • RTO staff members and administrators; and
  • Visitors to our website and users of our services.

2. Types of Information We Collect

2.1 RTO Information

2.1.1 We collect and store the following information about RTOs:

  • Business details including ABN, RTO code, and contact information;
  • Staff member details including names, positions, and contact information;
  • Authentication and access credentials;
  • Training and course information; and
  • Payment and transaction details.

2.2 Student Information

2.2.1 Through our platform, we collect and store the following student information on behalf of RTOs:

Personal details including:

  • Full name
  • Date of birth
  • Contact information
  • Unique Student Identifier (USI)
  • Emergency contact details

Demographic information required for AVETMISS reporting including:

  • Indigenous status
  • Disability status
  • Language and cultural information

Educational information including:

  • Enrolment details
  • Course progress and completion data
  • Assessment results
  • Attendance records

Payment and transaction information.

2.3 Technical Information

2.3.1 We automatically collect:

  • Device information;
  • IP addresses;
  • Access timestamps;
  • System usage logs; and
  • Platform interaction data.

3. How We Collect Information

3.1 We collect personal information:

  • Directly from RTOs during registration and platform use;
  • From students through RTO-managed enrolment processes;
  • From RTOs acting on behalf of students, including where an RTO updates student profile information or processes enrolments without requiring the student to independently complete certain enrolment steps;
  • Through automated system logging and monitoring;
  • Via integration with authorised third-party services; and
  • Through direct communications with our support services.

3.2 Where an RTO processes an enrolment or updates student information on a student's behalf, the student's personal information may be collected, used, or modified without the student's direct interaction with the platform. This occurs only where the student has not withdrawn permission for such actions (see Section 7.4).

4. Purpose of Collection and Use

4.1 We collect and use personal information to:

  • Provide and maintain the RTOPilot platform and services;
  • Facilitate RTO compliance with regulatory requirements;
  • Enable AVETMISS reporting;
  • Process enrolments and payments, including enrolments initiated by RTOs on behalf of students;
  • Provide student portal access;
  • Maintain system security and prevent fraud;
  • Provide technical support and customer assistance;
  • Access and review RTO data when necessary for support purposes;
  • Improve our services; and
  • Comply with legal obligations.

5. Storage and Security

5.1 We store personal information:

  • On secure servers located within Australia;
  • Using industry-standard encryption for data in transit and at rest;
  • With restricted access controls and authentication measures; and
  • According to our backup and retention policies.

5.2 We maintain the security of personal information through:

  • Regular security assessments;
  • Staff training and access controls;
  • System monitoring and logging;
  • Incident response procedures; and
  • Regular security updates.

6. Disclosure of Information

6.1 We may disclose personal information to:

  • The RTO responsible for a student's enrolment;
  • Authorised integration partners (e.g., LMS providers);
  • Government authorities as required by law;
  • Payment processors for transaction processing;
  • Service providers who assist in operating our platform; and
  • Professional advisers as necessary.

6.2 We will not disclose personal information to international recipients except:

  • With explicit consent; or
  • As required by law.

7. Access and Correction

7.1 RTOs may access and correct their information through:

  • The RTOPilot platform administrative interface; or
  • Contacting our support team.

7.2 Students may access and correct their personal information through:

  • Their student portal account;
  • Their enrolled RTO; or
  • Contacting us directly.

7.3 We will respond to access and correction requests within 30 days.

7.4 Student Control Over RTO Data Management

7.4.1 By default, RTOs may update student profile information and process enrolments on a student's behalf without requiring the student to independently complete certain enrolment steps. Where an enrolment is processed in this manner, RTOPilot will automatically notify the student via email.

7.4.2 Students may withdraw this permission at any time by disabling the relevant setting in their Student Portal account preferences. Where permission is withdrawn, the RTO will be unable to modify the student's profile information directly or bypass enrolment steps requiring the student's direct participation, including acceptance of terms and conditions. Any changes to the student's profile requested by the RTO will be sent to the student as an update request, which the student may accept or decline.

7.4.3 Withdrawal of permission does not affect enrolments or data changes that were processed prior to the withdrawal.

8. Retention and Disposal

8.1 We retain personal information for:

  • The period required by law;
  • A minimum of seven years for student records;
  • The duration of platform usage plus six months for RTO-specific data; or
  • As long as necessary for the purposes for which it was collected.

8.2 When personal information is no longer needed, we will:

  • Securely destroy or de-identify the information; or
  • Archive it in a secure manner if required for legal compliance.

9. Cookies and Analytics

9.1 We use cookies and similar technologies to:

  • Maintain platform security;
  • Remember user preferences;
  • Improve user experience;
  • Analyse platform usage; and
  • Enable platform functionality.

9.2 Users may control cookie settings through their browser preferences.

10. Data Breaches

10.1 In the event of a data breach, we will:

  • Take immediate steps to contain the breach;
  • Assess the potential harm of the breach;
  • Notify affected individuals and the Office of the Australian Information Commissioner if required; and
  • Take steps to prevent future breaches.

11. Complaints

11.1 Privacy-related complaints may be submitted:

  • Through our support channels; or
  • Via email to support@xmb.com.au.

11.2 We will:

  • Acknowledge complaints within 7 days;
  • Investigate the complaint thoroughly;
  • Respond within 30 days; and
  • Take appropriate remedial action.

12. Changes to this Policy

12.1 We may update this Privacy Policy from time to time.

12.2 Changes will be:

  • Notified to RTOs via email and available through the platform;
  • Effective 7 days after notification; and
  • Binding upon continued use of the platform after the effective date.

13. Contact Us

13.1 For privacy-related enquiries, please contact:

Privacy Officer
XMB Technology Pty Ltd
Email: support@xmb.com.au

14. Additional Information

14.1 For more information about privacy rights and obligations, visit the Office of the Australian Information Commissioner website at www.oaic.gov.au.

A fresh RTO experience built in Australia

Designed to help you spend less time and save money in running your RTO.

See why others have switched ->