Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information: name, email, phone number, company name, ABN, and role within your organisation.
• Business data: job details, client records, quotes, invoices, milestones, and escrow transaction data.
• Payment information: billing name and address. Card numbers are processed by Stripe under PCI-DSS Level 1 — we do not store raw payment credentials.
• Compliance documents: SWMS, certificates, licences, insurance certificates, photos, and sign-off documents.
• Communications: messages, support tickets, and survey responses.

1.2 Information Collected Automatically

• Usage data: pages accessed, features used, session duration, and error logs.
• Device data: IP address, browser type, operating system, and device identifiers.
• Location data: approximate location from IP. Precise GPS is collected only with explicit mobile app permission for job-site check-in.
• Cookies: session tokens, preference cookies, and analytics identifiers. See Section 6 for details.

2. How We Use Your Information

• Provide, operate, and improve the TradeHub platform.
• Process escrow transactions and facilitate milestone-based payments.
• Send transactional notifications (job updates, milestone alerts, payment receipts).
• Verify ABNs, licences, and insurance for Trust Badge eligibility.
• Detect and prevent fraud, abuse, and security breaches.
• Comply with Australian legal obligations including tax, AML/CTF, and financial reporting.
• Send marketing communications — you may opt out at any time via account settings.

3. Data Storage and Security

Your data is stored in Australia using Supabase hosted in the Sydney region (ap-southeast-2). We implement the following security measures:

• TLS 1.2+ encryption for all data in transit.
• AES-256 encryption for all data at rest.
• Role-based access controls on a need-to-know basis.
• Multi-factor authentication for all internal systems.
• Regular penetration testing and vulnerability assessments.
• SOC 2 Type II compliance for core infrastructure.
• 72-hour breach notification under the Notifiable Data Breaches (NDB) scheme.

4. Sharing Your Information

We do not sell or trade your personal information. We share data only:

• With service providers: Supabase (hosting), Stripe (payments), Resend (email), PostHog (analytics), Anthropic (AI).
• Within your organisation: team members can view data according to their role permissions.
• With counterparties: escrow and Marketplace transactions share business name and job communications with the other party.
• With legal authorities: where required by law, court order, or to protect safety.

5. Your Privacy Rights

Under the Privacy Act 1988 (Cth), you have the right to:

• Access (APP 12): request a copy of your personal information. We respond within 30 days.
• Correction (APP 13): request correction of inaccurate or outdated information.
• Deletion: request deletion of your data, subject to legal retention requirements.
• Portability: export your data in JSON or CSV format via account settings.
• Opt-out: unsubscribe from marketing communications at any time.

6. Cookies and Tracking

7. Data Retention

• Account data: retained while active plus 90 days after closure.
• Financial records: 7 years per the Corporations Act 2001.
• Compliance documents: 5-7 years per WHS legislation.
• AML/CTF records: 7 years per the AML/CTF Act 2006.

8. Contact

For privacy enquiries, access requests, or complaints:

If unsatisfied, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.