Privacy Policy

Last updated: March 2026

1. Introduction

Repair Manager (ABN: [INSERT ABN]) ("we", "us", "our") is committed to protecting the privacy of individuals whose personal information we collect and handle. This Privacy Policy explains how we manage personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all users of the Repair Manager platform, including building and construction businesses, their staff, and the customers and suppliers they interact with through the platform.

By using Repair Manager, you consent to the collection and use of your personal information as described in this policy.

2. APP 1 — Open and Transparent Management of Personal Information

We are committed to managing personal information openly and transparently. We will:

  • Only collect personal information that is reasonably necessary for our functions
  • Handle personal information in accordance with the Australian Privacy Principles
  • Make this Privacy Policy available on our website
  • Update this policy when our practices change

For privacy inquiries, please contact us at: privacy@repairmanager.com.au

3. APP 3 — Collection of Solicited Personal Information

We collect the following categories of personal information:

Account Information

When you create an account, we collect your name, email address, and role through our authentication provider (Clerk). This information is used to authenticate you and manage your access to the platform.

Job and Business Data

In the course of managing jobs, we collect property addresses, customer names and contact details, supplier information, insurance claim references, and related job notes. Some job notes (particularly insurance claims) may contain health-adjacent information (for example, descriptions of injuries or circumstances relevant to an insurance claim). We handle this information with the same level of care as sensitive information.

Financial Information

We collect invoice amounts, payment records, deposit and excess details, and Xero integration data for the purpose of billing and financial record-keeping. We do not store credit card numbers or banking credentials directly — these are handled by third-party payment processors.

Usage Data

We collect information about how you use the platform, including feature usage, session data, and access logs. This data is used to improve the platform and diagnose technical issues.

4. APP 5 — Notification of Collection of Personal Information

We notify individuals of the collection of their personal information at the point of collection. Specifically:

  • At sign-up: Users are directed to this Privacy Policy and our Terms of Service before creating an account.
  • At job creation: Users entering customer personal information are responsible for ensuring they have the authority or consent to enter that data on behalf of their organisation.
  • For portal access: Customers and suppliers accessing the platform via shared links are notified of data handling when they access the portal.

5. APP 6 — Use or Disclosure of Personal Information

We collect personal information for the following primary purposes:

  • Job management — tracking work orders, scope approvals, and job status
  • Invoicing — generating, sending, and tracking customer and supplier invoices
  • Compliance tracking — ensuring trade licences and certification requirements are met
  • Customer communication — portal access, quote approvals, completion certificates
  • Platform operation and improvement

We will not use or disclose personal information for any secondary purpose without your consent, unless permitted or required by law.

We do not sell personal information. We do not share personal information with third parties for marketing purposes.

6. APP 8 — Cross-Border Disclosure of Personal Information

Some of the sub-processors we use are located outside Australia. Under APP 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information.

Sub-Processors

Processor        Purpose                                           Location                            Cross-Border
Clerk, Inc.      Authentication and user account management        United States                       Yes — US
Neon PostgreSQL  Primary database (job, invoice, compliance data)  ap-southeast-2 (Sydney, Australia)  No
AWS S3           Document and file storage                         ap-southeast-2 (Sydney, Australia)  No
Resend           Transactional email delivery                      United States                       Yes — US

Clerk, Inc. (United States)

Account authentication and user management are handled by Clerk, Inc., a company incorporated in the United States. Personal information disclosed to Clerk includes your name, email address, and account identifiers.

Before disclosing personal information to Clerk, Repair Manager takes reasonable steps to ensure Clerk does not breach the APPs in relation to that information. Clerk is certified under industry security standards and publishes its own privacy policy at clerk.com. Repair Manager remains accountable for personal information disclosed to Clerk.

Resend (Email Delivery)

Transactional emails (such as portal access links and invoice notifications) are sent via Resend. Resend may process email addresses and names for delivery purposes. Resend publishes its own privacy policy and data handling commitments.

Data Sovereignty

All job records, documents, and financial data are stored in Sydney, Australia (AWS ap-southeast-2). Your operational data does not leave Australia, except as described above for authentication (Clerk) and email delivery (Resend).

7. APP 11 — Security of Personal Information

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Per-organisation encryption keys: Each organisation's sensitive data (including OAuth tokens and integration credentials) is encrypted using AES-256-GCM with a unique per-organisation encryption key and a random initialisation vector (IV) per operation. This ensures that a compromise of one organisation's key cannot expose another organisation's data.
  • Encryption key rotation: Encryption keys can be rotated by administrators without downtime. Key rotation status is tracked per integration, and administrators receive reminders when keys are due for rotation.
  • Encryption in transit: All data is transmitted over TLS (HTTPS)
  • Role-based access controls: Access to data is governed by organisational roles (Admin, Manager, Field Staff) with least-privilege enforcement
  • Tenant isolation: All data is segregated by organisation — users can only access data belonging to their organisation
  • Database backups: Point-in-time recovery (PITR) is enabled on our primary database
  • Security headers: HTTP security headers including HSTS, CSP, X-Frame-Options, and X-Content-Type-Options are applied to all responses
  • Rate limiting: API endpoints are rate-limited to prevent abuse, with stricter limits applied to authentication and OAuth routes

When personal information is no longer needed, we will take reasonable steps to destroy it or ensure it is de-identified.

8. APP 12 — Access to Personal Information

You have the right to request access to personal information we hold about you. To request access, contact us at privacy@repairmanager.com.au. We will respond to access requests within a reasonable time (generally within 30 days).

We may charge a reasonable fee for providing access in some circumstances. We will not charge a fee for making an access request.

In some circumstances we may decline to give access (for example, where access would unreasonably impact on the privacy of other individuals, or where permitted by law). If we decline access, we will give you written reasons.

9. APP 13 — Correction of Personal Information

If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can request that we correct it. To request correction, contact us at privacy@repairmanager.com.au.

We will take reasonable steps to correct personal information within a reasonable time (generally within 30 days). If we decline to correct personal information, we will give you written reasons and advise you of your right to make a complaint.

10. Privacy Complaints

If you believe we have breached the Australian Privacy Principles or this Privacy Policy, you may lodge a complaint with us at privacy@repairmanager.com.au. Please include a description of the conduct you believe breaches your privacy.

We will acknowledge your complaint and respond within 30 days. If we are unable to resolve your complaint within 30 days, we will advise you of the expected timeframe for resolution.

If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Mail: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001

11. Notifiable Data Breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to any individuals, we will:

  • Contain the breach and assess the risk of harm within 30 days
  • Notify the OAIC if the breach meets the threshold for notification
  • Notify affected individuals as soon as practicable

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make material changes, we will update the "Last updated" date at the top of this policy. We encourage you to review this policy periodically.

Continued use of the platform after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

For privacy-related inquiries, contact:

Repair Manager

ABN: [INSERT ABN]

Email: privacy@repairmanager.com.au

Note: This Privacy Policy was prepared with AI assistance and is intended for beta testing purposes. We recommend independent legal review of this policy by a qualified Australian privacy solicitor before public launch or commercial use. For formal advice, contact an AU privacy solicitor or visit oaic.gov.au.