Jump to content

This Policy explains Fortescue’s overall approach to handling personal information. It works together with our audience‑specific privacy notices.

Last reviewed and updated 9 October 2025.

 

How to use this Policy

This Policy applies to all personal information we handle. For some interactions, we also provide audience-specific privacy notices. These are available from our main privacy hub. They supplement this Policy with context-specific details. If this Policy and an audience-specific notice differ, the notice for that audience applies, but only for the parts that differ. Otherwise, this Policy applies.

 

Who we are 

“Fortescue”, “we”, “us” and “our” refer to Fortescue Ltd and related bodies corporate within the Fortescue Group that handle personal information. 

Contact details for our Privacy Office are provided below.

 

What we collect

We collect personal information depending on how you interact with us. At a high level, this includes:

  • Identity & contact details (for example, name, addresses, email and phone).

  • Account & authentication (for portals and systems).

  • Business relationship information (for customers, suppliers and other business partners).

  • Device, usage & analytics (when you use our websites or apps).

  • Site access & security records (for example, visitor registration, access logs and CCTV).

  • Communications & preferences (enquiries, subscription choices and feedback).

  • Financial/transactional information (where needed for payments or corporate actions).

  • Recruitment information (summary only; see the Job applicants notice for details).

  • Sensitive information (for example, health and safety information for site access, or optional equal‑opportunity data for candidates; see the relevant audience notice).

 

How we collect & hold information

  • Directly from you — for example, forms, email, phone or in‑person.

  • Automatically — via computer systems, including through the Internet using logs, cookies, pixels and tags.

  • From others — for example recruitment partners, referees, service providers and publicly available sources.

 

Why we use personal information

  • Operate and improve services — run and secure our websites, apps and systems; diagnose issues; measure performance; personalise content where available.

  • Communicate and manage relationships — respond to enquiries; send updates you subscribe to; manage preferences.

  • Recruitment & workforce — assess applications; manage employment/engagement and safety obligations.

  • Business operations & contracts — negotiate and perform contracts; accounts and recordkeeping; research/testing/surveys; CSR activities.

  • Safety, security & compliance — site access and CCTV; fraud prevention; legal and regulatory requirements; investigations and disputes.

  • Corporate transactions — due diligence for mergers, acquisitions or asset sales under confidentiality.

  • Reporting — compile statistics and trends using de‑identified or aggregated data.

Legal bases (UK/EU/EEA):

Where UK/EU/EEA laws apply, our lawful bases for processing are set out in the relevant audience‑specific notice.

 

Who we share information with

  • Related bodies corporate within the Fortescue Group.

  • IT, hosting, security and analytics service providers.

  • Professional advisers (lawyers, auditors, insurers).

  • Contractors and suppliers involved in providing our goods or services.

  • Regulators and law enforcement authorities, in response to lawful requests.

  • Logistics and freight providers (for deliveries and site access where relevant).

  • Banks and payment processors (for invoicing and receipts).

  • Credit insurers and collections partners (where used).

We do not sell personal information or disclose it for third‑party marketing.

 

International transfers

Where we store and send personal information

We primarily store personal information in Australia. We also transfer and disclose personal information internationally, including to recipients in the United Kingdom, the European Economic Area (EEA), the United States, Singapore, and to other Fortescue Group companies in countries where we operate. Where we transfer information across borders, we do so in line with applicable laws and with appropriate safeguards (for example, adequacy decisions or standard contractual clauses/UK IDTA). You can contact the Privacy Office for an up‑to‑date list of our key service providers, hosting locations, and Fortescue Group companies that may receive your information.

 

How long we keep information

We keep personal information for as long as needed to achieve the purposes above (or in an audience-specific privacy notice) and to meet legal, regulatory and reporting requirements. 

 

How we protect information

We protect your information through appropriate organisational measures. These can include: 

  • Access controls and role‑based permissions.

  • Encryption in transit and at rest.

  • Monitoring and threat detection for our systems and providers.

  • Due diligence and contractual safeguards for service providers.

 

Software products we provide to businesses (e.g. Elysia)

When we provide software or connected services to enterprise customers (for example, Elysia Cloud or Elysia Embedded), we may process limited account and administration information (such as work email, role and activity logs), in‑product diagnostics or telemetry generated by customer assets, and support information you or your organisation submit (for example, screenshots or log files).

 

Your rights & choices

You can request access to, or correction of, your personal information. Depending on your location, you may also have rights to erasure, restriction, portability, objection (including to direct marketing) and to withdraw consent. To exercise your rights, contact the Privacy Office.

Marketing: You can unsubscribe from updates at any time. We do not use cookies, tags, pixels or logs to serve third‑party advertising on our sites.

We may ask you to verify your identity before we action a request. For archived or off‑site records, we may charge a reasonable cost‑recovery fee.

 

Children

We do not knowingly collect personal information from children without appropriate consent where required by local law. If you believe a child has provided information to us without consent, please contact our Privacy Office so we can take appropriate action.

 

Links to other sites

Our websites may link to other sites we do not operate. Their privacy practices are governed by their own policies.

 

Contact & complaints

Privacy Office: privacy@fortescue.com

If you would like to complain about our handling of your personal information, please write to our Privacy Office (email is fine). We aim to respond within 30 days. If you are not satisfied, you can contact the Office of the Australian Information Commissioner (OAIC). If you are in the UK/EU/EEA, you may also contact your supervisory authority (for the UK, the Information Commissioner’s Office).

 

Changes to this Policy

We update this Policy from time to time. We will post the latest version here and note the “Last reviewed and updated” date at the top of the page.

 

Glossary 

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable.

© Fortescue 2025

Looking for another Privacy Notice?

Visit our Privacy Hub to find the notice that applies to you. 

Visit our Privacy Hub