Privacy Policy
Stagex Pty Ltd ACN 696 624 987 ABN 85 696 624 987 ("Stagex", "we", "us", or "our") is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform, website, mobile applications, APIs, and related services (collectively, the "Services").
By creating an account or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.
1. Information We Collect
1.1 Information You Provide Directly
- Account and identity information: full name, email address, phone number, password, company name, Australian Business Number (ABN), and your role within your organisation.
- Business data: job details, client records, crew member information, quotes, invoices, purchase orders, timesheets, and financial figures you enter into the platform.
- Payment and billing information: billing name, address, and payment method details. Card numbers and bank account details are processed directly by our payment provider (Stripe) under PCI-DSS Level 1 certification; we do not store raw payment credentials.
- Compliance and safety documents: Safe Work Method Statements (SWMS), certificates, licences, insurance certificates, photos, and sign-off documents you upload.
- Communications: messages, feedback, support tickets, and survey responses you send to us.
- Profile information: trade category, years of experience, service areas, and portfolio content you add to your marketplace profile.
1.2 Information Collected Automatically
- Usage data: pages and features accessed, buttons clicked, search queries, session duration, and error logs.
- Device and technical data: IP address, browser type and version, operating system, device model, screen resolution, and unique device identifiers.
- Location data: approximate location derived from IP address. Precise GPS coordinates are only collected on our mobile app if you explicitly grant location permission; this is used for job site check-in, crew tracking, and dispatch features.
- Cookies and similar technologies: session tokens, preference cookies, and analytics identifiers. See Section 9 for details.
- AI interaction logs: prompts you send to the AI Copilot and the responses generated, stored to provide the service and enable conversation history.
1.3 Information from Third Parties
- Social sign-in providers (Google, Apple): basic profile information (name, email, profile picture) shared with your consent during authentication.
- Payment processors (Stripe): transaction records, payment status, and fraud-prevention signals.
- Australian government registries: ABN verification via the Australian Business Register (ABR), and contractor licence verification via relevant state licensing authorities.
- Referral partners: if you were referred to TradeHub by a partner, we may receive basic contact information to attribute the referral.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Services.
- Create and manage your account and authenticate your identity.
- Process transactions, manage escrow accounts, and facilitate payments between parties.
- Send transactional notifications including job updates, milestone alerts, payment receipts, invoice reminders, and account security alerts.
- Power the AI Copilot by sending relevant business context (job summaries, invoice data, crew information) to our AI provider to generate responses to your queries.
- Enforce compliance requirements, verify licences and ABNs, and assist with workplace health and safety record-keeping.
- Detect, investigate, and prevent fraud, security breaches, abuse of the platform, and violations of our Terms of Service.
- Analyse usage trends and conduct research to improve platform features and user experience.
- Send marketing communications about product updates, new features, and relevant offers — you may opt out at any time.
- Personalise your experience and display relevant content, jobs, and recommendations.
- Comply with legal obligations under Australian law including tax, financial reporting, anti-money laundering (AML), and counter-terrorism financing (CTF) requirements.
- Resolve disputes and enforce our agreements.
3. Legal Bases for Processing
While the Australian Privacy Act does not require us to identify a specific legal basis for each processing activity, we process your personal information on the following grounds:
- Contract performance: processing necessary to provide the Services you have subscribed to or requested.
- Legitimate interests: fraud prevention, platform security, improving our services, and communicating relevant product updates.
- Legal obligation: compliance with Australian tax law, AML/CTF obligations, court orders, and regulatory requirements.
- Consent: marketing communications, optional analytics tracking, and precise GPS location — each of which you can withdraw at any time.
4. Sharing Your Information
We do not sell, rent, or trade your personal information. We share it only in the following circumstances:
- Service providers: cloud hosting (AWS ap-southeast-2, Supabase), payment processing (Stripe), email delivery (Resend), analytics (PostHog), error monitoring (Sentry), and AI inference (Anthropic). Each provider is bound by a data processing agreement and is required to protect your data.
- Within your organisation: other users in your TradeHub account can view data within the shared workspace according to their assigned role permissions (Owner, Admin, Manager, Field Worker, Client).
- Counterparties: when you use the Marketplace or escrow features, certain information (your business name, trade category, and job-related communications) is shared with the other party to that transaction.
- Legal authorities: where required by law, court order, or to protect the rights, property, or safety of TradeHub, its users, or the public. We will notify you of such disclosures where legally permitted.
- Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets. We will provide at least 30 days' notice and ensure the acquiring entity is bound by obligations at least as protective as this policy.
- With your consent: in any other circumstance where you have given us explicit permission.
5. International Data Transfers
Your data is primarily stored and processed in Australia (AWS ap-southeast-2, Sydney region). However, some service providers (including Anthropic for AI inference and Stripe for payment processing) may process data in the United States or other jurisdictions.
Where data is transferred outside Australia, we ensure appropriate safeguards are in place in accordance with APP 8, including contractual protections that require overseas recipients to handle your information consistently with the Australian Privacy Principles.
6. Data Storage and Security
We implement industry-standard technical and organisational security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction:
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption for all data at rest.
- Role-based access controls limiting employee access to data on a need-to-know basis.
- Multi-factor authentication (MFA) required for all internal systems access.
- Regular third-party penetration testing and vulnerability assessments.
- SOC 2 Type II compliance for our core infrastructure.
- Automated security monitoring and anomaly detection.
- Incident response plan with 72-hour breach notification procedures.
Despite these safeguards, no system is completely secure. If you suspect unauthorised access to your account, contact us immediately at security@tradehub.com.au. We will notify affected users and the OAIC of any eligible data breaches under the Notifiable Data Breaches (NDB) scheme within 30 days of becoming aware of the breach.
7. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Services, plus any additional period required by law:
- Account data: retained for the duration of your subscription plus 90 days after account closure (during which you may request a data export).
- Financial records (invoices, escrow transactions, BAS): retained for 7 years from the end of the relevant financial year to comply with the Corporations Act 2001 (Cth) and the Income Tax Assessment Act 1997 (Cth).
- Compliance documents (SWMS, incident reports): retained for the period required by applicable workplace health and safety legislation in the relevant state or territory (typically 5–7 years).
- AML/CTF records: retained for 7 years as required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
- Support and communication records: retained for 3 years from the date of the interaction.
After the applicable retention period, data is securely deleted or anonymised. Anonymised analytics data (from which you cannot be identified) may be retained indefinitely.
8. Your Privacy Rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights:
- Access (APP 12): you may request a copy of the personal information we hold about you. We will provide it within 30 days of a verified request. A small fee may apply for complex or voluminous requests.
- Correction (APP 13): if information we hold is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request correction. We will correct it or, if we disagree, attach a notation to the record explaining your view.
- Deletion: you may request deletion of your personal information. We will comply unless retention is required by law (see Section 7) or is necessary to resolve a dispute or enforce our agreements.
- Portability: you may request an export of your account data in a machine-readable format (JSON or CSV) at any time through account settings or by contacting us.
- Opt-out of marketing: unsubscribe from marketing emails via the link in any email, or through Account Settings > Notifications. Opting out of marketing does not affect transactional notifications required to operate the Services.
- Withdraw consent: where we process your data based on consent (e.g., GPS tracking, analytics), you may withdraw that consent at any time through app or account settings without affecting prior processing.
- Restrict processing: in certain circumstances, you may request that we limit how we process your data while a complaint or correction request is being resolved.
To exercise any of these rights, email our Privacy Officer at privacy@tradehub.com.au with proof of identity. We will respond within 30 days. If a request is complex, we may extend this period by a further 30 days with notice.
If you are dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
9. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
| Category | Purpose | Opt-out |
|---|---|---|
| Essential | Session authentication, CSRF protection, and security tokens required for the Services to function. | No — required |
| Functional | User preferences: theme (light/dark), language, table column layouts, and notification settings. | Account Settings |
| Analytics | PostHog session recordings and event analytics to understand feature usage and improve the product. Data is anonymised at collection. | Account Settings or cookie banner |
| Marketing | Conversion tracking to measure the effectiveness of marketing campaigns (e.g., Google Ads conversion pixel). | Cookie banner or browser settings |
You can control cookies through your browser settings. Blocking essential cookies will prevent login and access to the Services.
10. AI Copilot and Third-Party AI
The AI Copilot feature sends relevant business data (job summaries, invoice amounts, client names, crew information, and your typed prompts) to Anthropic via their Claude API to generate AI responses. The following applies:
- Anthropic processes this data as a data processor under a data processing agreement and may store prompts and responses for up to 30 days for safety monitoring, after which they are deleted. Anthropic does not use API data to train models without explicit consent.
- We do not send sensitive financial credentials (bank account numbers, passwords, or full payment card details) to the AI.
- AI conversation history is stored in our database and is subject to our standard retention and security controls (Sections 6 and 7). You can delete your AI conversation history at any time from Account Settings.
- AI outputs are generated automatically and may be inaccurate. You should review all AI-generated content before relying on it. AI responses do not constitute legal, financial, tax, or professional advice.
You may disable the AI Copilot feature entirely from Account Settings > AI Copilot, in which case no data will be sent to Anthropic.
11. Children's Privacy
The Services are intended for use by businesses and individuals who are at least 18 years old. We do not knowingly collect personal information from anyone under the age of 18. If you believe that a minor has provided us with personal information, please contact us at privacy@tradehub.com.au and we will take steps to delete that information promptly.
12. Links to Third-Party Sites
The Services may contain links to third-party websites or integrations (e.g., Xero, MYOB, Google Maps). TradeHub is not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you choose to use.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will revise the "Last updated" date and notify you via email and/or a prominent in-app notice at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes your acceptance of the updated policy. For non-material changes (e.g., clarifications), we may update the policy without advance notice. We encourage you to review this policy periodically.
14. Contact and Complaints
For all privacy enquiries, access or correction requests, or complaints, contact our Privacy Officer at privacy@tradehub.com.au.
If you are not satisfied with our response to a complaint, you have the right to escalate to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001