DEG Logo

Privacy Policy

1. Who We Are

Demi Education Group ("DEG", "we", "our", "us") includes:

  • Demi International Beauty Academy
  • Australasian Academy of Cosmetic Dermal Science
  • Demi Apprentices and Trainees
  • International College of Queensland
  • Aspire Training Clinics
  • Bravura Education

We deliver accredited and non-accredited training and operate clinical training clinics.

We are committed to protecting personal information in accordance with:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Spam Act 2003 (Cth)
  • Standards for RTOs 2025
  • VET Student Loans legislation
  • ESOS Act and National Code
  • NVETR Act and Data Provision Requirements
  • Queensland funded training requirements
  • Applicable health privacy obligations

2. Scope

This policy applies to:

  • email marketing contacts
  • prospective students
  • current students
  • graduates and alumni
  • clinic clients and models
  • employers and partners
  • staff and contractors
  • website users
  • event attendees
  • competition entrants
  • social media users interacting with DEG

3. Types of Information We Collect

3.1 Personal Information

We may collect:

  • name, date of birth, gender
  • contact details
  • education and employment history
  • government identifiers (USI, CHESSN)
  • citizenship and visa status
  • payment and billing information
  • enquiry and marketing interactions
  • website browsing data

3.2 Sensitive Information

Where reasonably necessary and permitted by law, we may collect sensitive information, including:

  • disability and support needs
  • cultural and other diversity information
  • medical and health information
  • treatment suitability data
  • biometric or photographic records for clinical purposes
  • language, literacy and numeracy assessments

Sensitive information is only collected:

  • with consent, or
  • where authorised or required by law.

4. How We Collect Information

We collect information through:

  • website and enquiry forms
  • application forms
  • pre-enrolment processes
  • enrolment contracts and eCAF
  • clinic intake and consent forms
  • learning and student management systems
  • marketing platforms and contact form submissions
  • payment gateways
  • browser cookies and analytics tools
  • social media interactions (including direct messages)
  • event registrations
  • competitions and promotions
  • third parties such as employers, agents and government bodies

5. Why We Collect Personal Information

We collect, use and disclose personal information for:

Education and Training

  • assess suitability and enrol students
  • deliver training and assessment
  • issue qualifications
  • administer placements and practical training
  • provide student support
  • meet RTO, VSL and ESOS obligations

Clinical Services

  • determine treatment suitability
  • maintain clinical records
  • support supervised student treatments
  • manage adverse events
  • comply with health and safety obligations

Business and Marketing

  • respond to queries and questions submitted
  • manage enquiries and sales
  • administer loyalty programs
  • send transactional communications
  • conduct events and competitions
  • undertake market research
  • improve services
  • identify any other potential promotional opportunities for you across our RTOs or clinics
  • notify of any promotions or special offers
  • communicate any updates with future, present or past students
  • send reminders, confirmations or notices

Regulatory and Funding

  • AVETMISS reporting
  • NCVER submissions
  • VET Student Loans administration
  • Queensland funding compliance
  • Visa monitoring (CRICOS students)

6. Direct Marketing and Communications

We comply with the Spam Act 2003.

  • From time to time, we may use your personal information to provide you with information about our services or the services of our Associated Entities or promotional partners.
  • We want to communicate with you only if you want to hear from us.
  • If you prefer not to receive promotional information from us, please let us know by clicking on the "unsubscribe link" and/or "update your preferences" at the bottom of any of our communications, or by clicking into your account to manage the level of communication which you want to receive from us.
  • When lawful and practicable, you may interact with DEG anonymously or using a pseudonym.

We may send:

Transactional communications (no unsubscribe required)

  • booking confirmations
  • enrolment updates
  • invoices and receipts
  • overdue invoices, late payments
  • course communications
  • clinic appointment reminders

Marketing communications (consent and opt-out provided)

  • course promotions
  • alumni communications
  • loyalty offers
  • event invitations
  • newsletters

Individuals may opt out at any time.

7. Aspire Training Clinics Rewards Program

Where clients participate in an Aspire loyalty or rewards program:

  • personal information is used to administer points, rewards and offers
  • participation is voluntary
  • separate Loyalty Program Terms and Conditions apply
  • marketing preferences can be changed at any time

8. Events, Competitions and Social Media

When individuals:

  • enter competitions
  • attend events
  • interact via social media
  • send direct messages

we may collect and use their information to:

  • administer the activity
  • communicate with participants
  • promote future events (with consent where required)

Public social media content may be reposted where permission is obtained.

9. HubSpot and Offshore Data Hosting

DEG uses HubSpot as its primary Customer Relationship Management tool.

We will try to ensure that all information we collect, use or disclose about you in accordance with this Privacy Policy is accurate, complete and up to date. We expect that you will promptly notify us of any changes to your personal information.

Important disclosures:

  • HubSpot data may be hosted outside Australia
  • this includes contact records and uploaded documents
  • we have well defined roles in HubSpot and promote security for our users
  • access to HubSpot is role-restricted and monitored

Where identity documents (e.g., driver licences) are collected:

  • they are used solely for identity verification
  • access is restricted to authorised staff
  • retention is limited to what is reasonably required
  • periodic reviews of this practice are undertaken

DEG engages personnel located offshore to support its operations. These personnel operate within secure, cloud-based systems and controlled environments designed to protect information integrity and confidentiality. From time to time, authorised offshore staff may access student records strictly on a need-to-know basis to perform their duties. All access is governed by robust security protocols, confidentiality obligations, and internal policies to ensure that personal information is handled in accordance with applicable privacy laws and DEG's data protection standards.

10. Payment Processing

Online payments are processed via secure third-party payment gateways.

DEG:

  • does not store full credit card numbers
  • relies on PCI-DSS compliant providers
  • receives limited transaction data necessary for reconciliation

11. Cookies and Website Analytics

DEG websites use cookies and similar technologies to:

  • operate websites
  • analyse traffic
  • personalise content
  • improve user experience
  • support marketing campaigns

Users can control cookies through browser settings.

12. Links to External Websites

DEG websites may contain links to third-party websites.

Once a user leaves a DEG-controlled site:

  • we do not control those websites
  • we are not responsible for their privacy practices
  • we do not collect or store data from those sites

Users should review the privacy policy of any external site they visit.

13. Disclosure of Personal Information

We may disclose personal information to:

Government and regulators

  • NCVER
  • ASQA
  • Department of Employment and Workplace Relations
  • State Training Authorities
  • Tuition Protection Service
  • Queensland funding bodies
  • ESOS/immigration authorities

Service providers

  • IT and cloud providers
  • aXcelerate
  • HubSpot
  • payment gateways
  • marketing platforms
  • professional advisers
  • debt collection agencies

Clinical context

  • supervising clinicians
  • trainers and assessors
  • medical practitioners in emergencies
  • insurers

We only disclose what is reasonably necessary.

14. Data Retention

We retain personal information only as long as required for:

  • regulatory compliance
  • funding obligations
  • clinical record requirements
  • legitimate business purposes

Typical retention periods:

  • student records: minimum 7 years (or longer where required)
  • AQF certification records: retained permanently
  • clinical records: minimum period required under health regulations
  • marketing data: until consent withdrawn or no longer required
  • ID verification documents: retained only as long as reasonably necessary
  • alumni records may be retained longer for engagement purposes unless the individual opts out

15. Data Security

We implement safeguards including:

  • role-based access controls
  • MFA where available
  • secure cloud environments
  • staff confidentiality obligations
  • secure disposal processes
  • regular system monitoring

16. Data Breach Response

DEG maintains a Data Breach Response Plan.

If an eligible data breach occurs, we will:

  • contain and assess the breach
  • notify affected individuals where required
  • notify regulators and Government Departments where required
  • notify the Office of the Australian Information Commissioner (OAIC) where required
  • take remedial action

17. Use of Artificial Intelligence

DEG does not upload personal information or identity documents to open-source or public AI systems.

This includes:

  • student data
  • client records
  • images
  • identification documents

Any AI tools used internally are subject to privacy and security review.

Where appropriate, DEG may, with the individual's prior consent, record meetings (including student complaint discussions) for the purpose of creating accurate records. Recordings may be processed using transcription or AI-assisted translation tools to generate meeting notes. All recordings and derived materials are handled in accordance with DEG's privacy obligations, stored securely, and used only for the stated purpose. Individuals will be informed in advance and may decline to be recorded.

18. Internal Use of Data

Personal information may be accessed internally by authorised staff in:

  • Marketing
  • Sales
  • Student Administration
  • Training and Academic teams
  • Clinical Operations
  • Finance and Compliance

Access is limited to what is required for legitimate duties in compliance with legislation and operating frameworks.

19. Access and Correction

Individuals may request access to or correction of their personal information by contacting us.

Identity verification is required before release.

20. Complaints and Whistleblowing

  • contact the GM Operations (postal mail or email) for any privacy concerns or complaints
  • provide relevant details (dates, times, circumstances, and specific concerns) when lodging a complaint
  • complaints are acknowledged within 7 days of receipt
  • initial assessment determines whether the matter falls under applicable privacy laws
  • if not covered by privacy law, a written explanation will be provided
  • if covered, a thorough investigation will be conducted, which may include requesting further information
  • a timely response will be provided, with a practical resolution aligned to legal obligations
  • privacy complaints are handled impartially and confidentially
  • concerns may also be directed to the Privacy Officer
  • whistleblower disclosures relating to data misuse can be made confidentially under the whistleblower framework
  • if unresolved, complaints can be escalated to the Office of the Australian Information Commissioner (OAIC)

21. Contact Details

Privacy Officer / General Manager, Operations
Demi Education Group
Email: privacy@demieducation.edu.au
Address: c/- Aspire Training Clinic, 657 Burwood Road, Hawthorn East, VIC, 3123

Effective date
1 May 2026
Approved by
Chief Executive Officer
Applies to
All Demi Education Group entities