Privacy Policy

01

Who We Are

The Mycelium Group (ABN 42 683 446 186 / ACN 625 637 023) is a management consulting firm based in Melbourne, Australia. We provide organisational network health diagnostic services, AI readiness assessments, and related consulting engagements to organisations across government, critical infrastructure, financial services, and enterprise technology sectors.

We are the entity responsible for the personal information we collect. References to "we", "us", or "our" in this policy refer to The Mycelium Group.

02

What Personal Information We Collect

The personal information we collect depends on how you interact with us.

Website enquiries and contact

• Name and job title
• Organisation name
• Email address and phone number
• The content of your message or enquiry

Client engagements

• Contact details of key personnel at client organisations
• Role, seniority level, and organisational context necessary to deliver the engagement
• Communications and correspondence related to the engagement
• Invoice and payment information

Diagnostic participants

See Section 8 — Diagnostic Participants for the specific information collected from individuals who participate in our Network Health Diagnostic, AI Security Health Check, or AI Agent Discovery.

What we do not collect

We do not collect sensitive information (as defined under the Privacy Act) unless it is reasonably necessary for our services and you have consented. We do not collect personal information from individuals under the age of 18.

03

How We Collect Personal Information

We collect personal information directly from you wherever reasonably practicable. This includes:

• When you contact us via email, phone, or through our website
• When you engage us for consulting services and enter into a client agreement
• When diagnostic participants complete a survey or network mapping exercise as part of a commissioned engagement
• When you attend an event, webinar, or workshop we conduct

In limited circumstances, we may receive personal information about you from a client organisation that has engaged us — for example, a list of participants for a diagnostic engagement. In these cases, the client organisation is responsible for ensuring participants have been appropriately informed of our involvement.

04

How We Use Personal Information

We use personal information only for the purpose for which it was collected, or for a directly related purpose you would reasonably expect. This includes:

• Responding to your enquiry or request for a diagnostic conversation
• Delivering consulting services and diagnostic engagements
• Producing aggregated diagnostic reports for client organisations
• Managing our client relationship, including billing and correspondence
• Improving our services and methodology
• Complying with legal obligations

We do not use personal information for marketing purposes without your consent. We do not sell, rent, or otherwise commercialise personal information.

05

Disclosure of Personal Information

We do not share personal information with third parties except in the following limited circumstances:

Service providers

We may share personal information with trusted third-party service providers who assist us in delivering our services — for example, survey platforms or data storage providers. These providers are required to handle personal information in accordance with our instructions and applicable privacy law.

Legal requirements

We may disclose personal information if required to do so by law, court order, or a government authority.

Diagnostic reports

Diagnostic reports delivered to client organisations contain only aggregated results. No individual response, comment, or identifying information is included in any report. A minimum of three respondents per organisational level is required before that level's aggregate result is reported.

Overseas disclosure

Where personal information is stored or processed by third-party service providers, it may be held in overseas jurisdictions. We take reasonable steps to ensure those providers maintain privacy protections equivalent to the Australian Privacy Principles. We do not otherwise transfer personal information outside Australia without your consent or unless required by law.

06

Security and Storage

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. This includes:

• Encrypted storage systems with access controls limited to authorised personnel
• Secure transmission of information where applicable
• Data stored in Australia or in jurisdictions with equivalent privacy protections

Retention

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

• Enquiry and contact data: retained for up to 24 months, then securely deleted
• Client engagement records: retained for 7 years in accordance with standard business record-keeping obligations
• Diagnostic participant data (raw survey responses): retained for 12 months following completion of the engagement, then securely deleted

When personal information is no longer required, we take reasonable steps to destroy or de-identify it securely.

07

Your Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

• Request access to the personal information we hold about you
• Request correction of personal information that is inaccurate, out of date, incomplete, or misleading
• Make a complaint about how we have handled your personal information
• Withdraw consent to the collection or use of your personal information, where processing is based on consent

To exercise any of these rights, please contact us using the details in Section 11. We will respond to access and correction requests within 30 days. In some circumstances, we may be unable to provide access — for example, where doing so would unreasonably impact the privacy of another individual — and we will explain our reasons in writing.

08

Diagnostic Participants

This section applies specifically to individuals who participate in a Network Health Diagnostic, AI Security Health Check, or AI Agent Discovery commissioned by their organisation.

What we collect from participants

• Your organisational level (C-Suite, Management, or Frontline) — used to group responses for level-based analysis
• Your responses to survey questions (rated 1–5) across five system conditions
• Where applicable, additional questions on AI adoption readiness
• Optional network mapping responses identifying key collaboration and information-flow relationships

We do not collect names, email addresses, or any other personally identifying information from survey responses, unless separately agreed with the commissioning organisation for network mapping purposes.

How participant data is used

• Individual responses are combined with responses from colleagues at the same level to produce aggregated scores
• The diagnostic examines perception gaps between organisational levels — these patterns are the primary analytical output
• Results inform a confidential diagnostic report delivered to the commissioning organisation's senior sponsor only
• A minimum of three respondents per level is required before any level aggregate is reported, to protect individual anonymity
• No individual response is included in any report, presentation, or communication to the client organisation

Participation is voluntary

Participation in any diagnostic is voluntary. You may choose not to participate or to withdraw at any time before the analysis period begins. Withdrawal will not affect your employment or standing with your organisation.

Retention of participant data

Raw survey data is retained for twelve (12) months following the completion of the engagement, then securely deleted. No participant data is used for any purpose other than the commissioned diagnostic assessment.

09

Website Data

Analytics

Our website may use analytics tools to collect non-personally identifying information about how visitors interact with the site — for example, pages visited, time on site, and referral source. This information is used in aggregated form to improve the site. Where analytics services are used, they are configured to anonymise IP addresses.

Cookies

Our website may use cookies — small text files stored in your browser — to support basic site functionality. We do not use cookies for advertising or tracking purposes. You can disable cookies in your browser settings, though this may affect some site functionality.

Links to third-party sites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.

10

Complaints

If you believe we have not handled your personal information in accordance with this policy or the Australian Privacy Principles, please contact us in the first instance using the details below. We will acknowledge your complaint within 5 business days and work to resolve it within 30 days.

If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992

11

Contact

For all privacy-related enquiries, access requests, correction requests, or complaints, please contact us:

12

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The current version will always be available on our website. Where changes are material, we will take reasonable steps to notify affected individuals.

This policy was last updated in April 2026.