Trackio

Privacy Policy

Last updated: 5 April 2026

1. About This Policy

Trackio ("we", "us", "our") is committed to protecting the privacy of personal information in accordance with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and protect your personal information when you use our asset and consumable tracking platform.

2. Information We Collect (APP 3)

We collect the following personal information:

  • Identity information: Full name
  • Contact information: Email address, phone number (optional)
  • Authentication data: Password (stored as a one-way cryptographic hash, never in plain text)
  • Profile data: Profile photo (optional), role, assigned region
  • Usage data: Asset assignments, consumable records, condition check photos, audit logs of actions taken within the platform
  • Technical data: Session tokens, login timestamps

We only collect information that is reasonably necessary for our platform's functions. Your account is created by your organisation's administrator, not through self-registration.

3. How We Use Your Information (APP 6)

We use your personal information for the following purposes:

  • Authenticating your identity and managing your account
  • Assigning and tracking assets and consumables to you
  • Sending notifications about assignments, returns, low stock, and other platform events
  • Providing AI-powered search and inventory management assistance
  • Generating reports and audit trails for your organisation
  • Processing subscription payments for your organisation

We will not use your information for purposes other than those described above without your consent.

4. Third-Party Disclosure (APP 6 & 8)

We share limited information with the following service providers to operate the platform:

  • Resend (US-based): Email delivery service. Receives your email address and name for sending notifications. See the Resend Privacy Policy.
  • Stripe (US-based): Payment processing for organisation subscriptions. Receives organisation billing data only, not individual user data. See the Stripe Privacy Policy.
  • Anthropic (US-based): AI assistant functionality. Search queries and inventory data may be processed by Claude AI. No personal identification data is sent. See the Anthropic Privacy Policy.
  • Google (US-based): Optional OAuth authentication. If you sign in with Google, your name, email, and profile photo are shared with Google. See the Google Privacy Policy.
  • Vercel (US-based): Application hosting. Technical request data (IP addresses, user agent) is processed by Vercel's infrastructure. See the Vercel Privacy Policy.

Cross-border disclosure (APP 8): As noted above, some of our service providers are based in the United States. By using Trackio, you consent to the transfer of limited data to these US-based providers. Your primary data (database) is stored in Australia (AWS ap-southeast-2, Sydney).

5. Data Security (APP 11)

We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure:

  • Passwords are hashed using bcrypt with 12 rounds (industry standard)
  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Role-based access control with granular permissions
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Session tokens stored in HTTP-only secure cookies
  • Database hosted in Australia with connection pooling and SSL
  • Full audit trail of all system actions

6. Accessing and Correcting Your Information (APP 12 & 13)

You have the right to:

  • Access your data: View your personal information via Settings, and download a copy of all your data.
  • Correct your data: Update your name, email, and phone number via Settings.
  • Delete your account: Request deletion of your account and associated data via Settings or by contacting your administrator.
  • Control notifications: Enable or disable email notifications via Settings.

To make a formal data access or correction request, contact us at privacy@trackio.com.au. We will respond within 30 days.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. When your account is deleted:

  • Your profile data (name, email, phone) is permanently deleted
  • Asset assignments are returned and reassigned
  • Audit logs are retained for 7 years for legal and compliance purposes (with anonymised references)
  • Condition check photos are deleted with your account

Inactive accounts may be deactivated by your organisation's administrator. You may request full data erasure by contacting privacy@trackio.com.au.

8. Cookies

We use the following cookies:

  • Session cookie (essential): Maintains your login session. Cannot be disabled.
  • Preferences (functional): Stores your dashboard layout and column visibility preferences in your browser's local storage.

We do not use advertising or tracking cookies. No data is shared with advertisers.

9. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify affected individuals within 30 days
  • Take immediate steps to contain and remediate the breach
  • Conduct a root cause analysis and implement preventive measures

10. Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at privacy@trackio.com.au. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

11. Contact Us

For privacy-related enquiries, contact our Privacy Officer:

Email: privacy@trackio.com.au

© 2026 Trackio. All rights reserved.