Privacy Policy

1. Who we are

Mustr is operated by Keystone Systems (ABN 16 401 201 936), an Australian company headquartered in Perth, Western Australia. Mustr provides a cloud-based workforce management platform for Australian businesses. In this policy, "Mustr", "we", "us", and "our" refer to Keystone Systems.

We are bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) as amended, including the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and subsequent 2024 amendments.

2. Information we collect

We collect and process the following categories of personal information:

2.1 Account and identity information

• Full name, email address, phone number
• Profile photograph (optional)
• Role within organisation (employee, manager, admin, owner)
• Employment basis (full-time, part-time, casual)

2.2 Employment and payroll data

• Award classification, pay rates, and employment start date
• Tax File Number (TFN)
• Bank account details (BSB and account number)
• Superannuation fund details and member number
• Leave balances and leave request history
• Timesheet records including clock-in/out times and break durations

2.3 Location data

• GPS coordinates at clock-in and clock-out (for geofenced time tracking)
• Geofence entry and exit events when background location is enabled
• Location data is only collected when actively used for time and attendance purposes

2.4 Device and technical information

• Device type, operating system, and app version
• IP address (for security and rate limiting)
• Browser type and version (web application)
• Push notification tokens (for delivering shift reminders and messages)

2.5 Communications data

• Messages sent through Mustr's team chat and news feed
• Survey responses submitted within the platform

2.6 Sensitive information

We may collect sensitive information as defined under the Privacy Act, including leave records that relate to personal/carer's leave and family and domestic violence leave (FDVL). We handle this information with additional protections as described in Section 8.

3. How we use your information

We use personal information for the following purposes:

• Providing workforce management services including scheduling, time tracking, and leave management
• Calculating pay, penalties, loadings, and allowances under applicable Modern Awards
• Generating payslips and payroll export files for integration with accounting software
• Enforcing compliance with the Fair Work Act 2009, National Employment Standards, and applicable Modern Awards
• Sending shift notifications, roster updates, and operational messages
• Verifying clock-in location against assigned work sites (geofencing)
• Detecting scheduling conflicts and compliance issues
• Maintaining security, preventing fraud, and enforcing our terms of service
• Meeting legal and regulatory obligations

4. Data storage and security

4.1 Data sovereignty

All customer data at rest — primary database, object storage, cache, and daily backups — is stored in the Sydney region of our primary infrastructure provider. We do not transfer, store, or replicate personal information to production data centres outside Australia. A small number of supporting subprocessors (error monitoring, analytics, chat) operate from outside Australia; the current list is published at /trust. This commitment to Australian data residency ensures your employment data remains subject to Australian law at all times.

4.2 Encryption

The following sensitive fields are encrypted at rest using AES-256 encryption before storage in our database:

• Tax File Numbers (TFNs)
• Bank account numbers
• Bank BSB numbers

These fields are never written to application logs, never included verbatim in audit trails, and are never returned in API responses unless explicitly required for the requesting user's own records. All data in transit is encrypted using TLS 1.2 or higher. Database backups are encrypted at rest using AWS-managed keys.

4.3 Multi-tenancy isolation

Mustr uses PostgreSQL Row-Level Security (RLS) to enforce strict data isolation between organisations. Each database query is scoped to the authenticated tenant. It is architecturally impossible for one organisation to access another organisation's data through the application.

4.4 Access controls

Access to personal information within the platform is governed by role-based access control (RBAC). Employees can only see their own data. Managers can see data for employees in their assigned locations. Admins and owners have broader access as required for business operations. All access is logged.

5. Data retention

Under the Fair Work Act 2009 and Fair Work Regulations 2009, employers are legally required to retain employee records for a minimum of 7 years. This includes time and attendance records, wage records, leave records, and superannuation records.

Mustr retains all employment-related records for this mandatory 7-year period from the date of the relevant record or from the end of the employment relationship, whichever is later. Records cannot be deleted before this period expires, as early deletion is a criminal offence under the Fair Work Act.

After the 7-year retention period, data is permanently deleted upon request by the tenant owner. Account data for terminated employees is locked (not deleted) and remains accessible to authorised administrators for the retention period.

6. Third-party service providers

We share personal information with the following categories of third-party processors, solely to provide and support the Mustr service:

When you connect Mustr to payroll or accounting software (such as Xero, MYOB, Employment Hero, KeyPay, or Reckon), employee payroll data is transmitted to those services at your direction. These integrations are initiated and controlled by you.

7. How compliance decisions are made

All pay calculations, leave accruals, and compliance determinations are performed by Mustr's deterministic rule engine. The same inputs always produce the same outputs. Every pay calculation persists an audit trail that records the award clauses and rates applied, so a Fair Work inspector (or your own bookkeeper) can trace any cent on any payslip back to source.

Mustr does not use machine-learning models to calculate pay, determine leave entitlements, or generate binding compliance decisions.

8. Family and domestic violence leave (FDVL) data

Mustr implements specific protections for family and domestic violence leave records in accordance with the Fair Work Act and the sensitivity of this information:

• FDVL is never identified as such on payslips. It is displayed under a neutral category (such as "Ordinary Pay") to protect employee safety.
• FDVL records are stored with restricted access controls. Only the employee themselves and authorised administrators with a documented need can view the leave type.
• FDVL data is excluded from standard reporting exports and team-visible leave calendars.
• Internal records maintain the leave type for compliance and accrual tracking purposes, but the display category is always neutral.

9. Cookies and tracking

Mustr uses only essential cookies required for authentication and session management. We use httpOnly cookies for JWT session tokens, which cannot be accessed by client-side JavaScript.

We use Plausible Analytics for website usage analysis. Plausible is a privacy-first analytics platform that does not use cookies, does not track individual users, and does not collect personal data. No personal information is shared with analytics providers.

We do not use advertising cookies, social media tracking pixels, or any third-party tracking technologies.

10. Your rights

Under the Australian Privacy Principles, you have the following rights regarding your personal information:

10.1 Right of access

You may request access to the personal information we hold about you. For employees using Mustr, most of your data is directly accessible through the platform (your profile, timesheets, leave balances, payslips). For data not visible in the platform, submit a request to your employer or to us directly.

10.2 Right of correction

You may request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days.

10.3 Right of deletion

You may request deletion of your personal information, subject to the mandatory 7-year retention period under the Fair Work Act. Where records must be retained for legal compliance, we will inform you of the applicable retention period and schedule deletion at its conclusion.

10.4 Right to complain

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us (see Section 12) or directly with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10.5 Automated decision-making

In accordance with the Privacy Act 2024 amendments regarding automated decision-making transparency, we inform you that Mustr uses automated systems for scheduling conflict detection, pay rate calculation, and leave accrual. These systems use deterministic rules based on Modern Award provisions and National Employment Standards. No decisions with significant legal or financial impact are made by machine-learning or probabilistic systems.

11. Data breach notification

In the event of an eligible data breach as defined under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Notify affected individuals as soon as practicable
• Provide details of the breach, the information involved, and recommended steps to mitigate potential harm
• Notify the relevant tenant administrators to facilitate employer-level response

12. Contact and complaints

For all privacy-related inquiries, requests, or complaints:

We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate your complaint to the OAIC.

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify affected users through the Mustr platform and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.