Privacy Policy

1. Introduction

Ontraq ("we", "our", or "us") operates the Ontraq mobile application and web platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Personal Information

When you register or use our Service, we may collect:

• Name and contact details (email address, phone number)
• Account credentials (email and encrypted password)
• Business information (organisation name, ABN)
• Employment details (role, assigned sites, work schedules)

Location Data

With your explicit consent, we collect precise GPS location data from cleaners' devices for the following purposes:

• Foreground location: recorded when you tap "Clock in" or "Clock out" on a job, to verify that the action occurred at the assigned site.
• Background location: while a shift is active, the app monitors whether your device enters or leaves the geofence around the assigned site (a 150m radius). This continues when the app is in the background or closed. We collect only arrival and departure timestamps — not a continuous location track.
• Site setup: contractors creating a new site may use their device location to set the site's coordinates.

You can revoke location permissions at any time through your device settings. Doing so disables geofenced attendance verification but does not prevent you from using the rest of the Service.

Motion & Step Count Data

With your permission, the app reads pedometer data (step count) from your device while you are on a job site. This is used only to verify that work activity occurred during the visit (e.g., flagging visits with unusually low step counts to the contractor). Step data is associated with a specific site visit and not used for any other purpose. On iOS, this uses CMPedometer; on Android, the ACTIVITY_RECOGNITION permission.

Usage Data

We automatically collect information about how you interact with the Service, including device type, operating system, app version, pages visited, and timestamps of actions. On the web app, we use cookies and similar technologies to maintain your sign-in session and remember your preferences. See Cookies and Tracking below for details.

Photos and Media

With your permission, you may upload photos for job documentation, site inspections, and incident reporting. These are stored securely in our hosting infrastructure and associated with your account and the relevant job.

Financial Information

Contractors enter business information including ABN, hourly rates, invoice and payslip records, and (if applicable) GST registration status. Payment card details for subscription billing are processed directly by Stripe and never stored on Ontraq servers — we receive only a payment-method token from Stripe.

2a. Cookies and Tracking

Our web application uses the following categories of cookies and similar technologies:

• Essential cookies: required to keep you signed in (Supabase auth session tokens), remember CSRF protection state, and maintain your selected organisation context. These cannot be disabled while you use the Service.
• Functional preferences: small amounts of local storage to remember UI preferences (e.g., dismissed banners, last-viewed list filters).

We do not currently use third-party analytics cookies, advertising cookies, or social-media tracking pixels on our web application. If this changes, we will update this policy and request consent where required.

3. How We Use Your Information

We use collected information to:

• Provide, operate, and maintain the Service
• Manage job scheduling, assignments, and workforce coordination
• Process invoices, payslips, and financial records
• Enable geofenced attendance tracking and site management
• Send notifications related to jobs, schedules, and account activity
• Improve and personalise your experience
• Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

• Your organisation: Contractors can view information about team members, job assignments, and work records within their organisation.
• Service providers: Third-party services that help us operate the platform (e.g., hosting, email delivery, payment processing). These providers are contractually obligated to protect your data.
• Legal requirements: When required by law, regulation, or legal process.

5. Data Storage and Security

Your data is stored using industry-standard encryption (in transit via TLS, at rest via the hosting provider's default encryption). We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

International data transfers

Some of our service providers process data outside Australia:

• Supabase (database, auth, storage): hosted in the United States on Amazon Web Services infrastructure.
• Stripe (payment processing): United States; PCI-DSS compliant.
• Resend (transactional email delivery): United States.
• Vercel (web hosting): United States and global edge network.
• Expo (push notifications, mobile build infrastructure): United States.
• Sentry (web error monitoring): United States.

Where personal information is transferred outside Australia, we take reasonable steps to ensure each provider maintains protections at least equivalent to those required by the Australian Privacy Principles. By using the Service you consent to these transfers.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will remove your personal data within 30 days. Some categories of information are retained longer where law requires it:

• Tax invoices and payment records: retained for 5 years as required by the Australian Taxation Office.
• Authentication and security logs: retained for 90 days for fraud detection and account security.
• Aggregated, non-identifiable analytics: retained indefinitely because they cannot be tied back to an individual.

See the Account & Data Deletion page for the deletion process and what is removed vs retained.

6a. Contractor as Data Controller; Ontraq as Data Processor

For information that a contractor (the "Customer") inputs about their own cleaners, sites, clients, jobs, and invoices, the contractor is the "data controller" and Ontraq is the "data processor." This means the contractor decides what personal information about their team is collected and how it's used; Ontraq processes that information on the contractor's behalf to provide the Service.

For information about contractors themselves (their own account, billing, and usage of the Service), Ontraq is the data controller.

If you are a cleaner and have questions about how your contractor handles your personal information, contact the contractor directly. If you have questions about how Ontraq processes that information on the contractor's instructions, contact us at the email below.

7. Your Rights

Under applicable privacy laws (including the Australian Privacy Act 1988 and the Australian Privacy Principles), you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete data
• Request deletion of your personal information (see Account & Data Deletion)
• Request a copy of your data in a portable, machine-readable format
• Withdraw consent for location tracking, motion data, or push notifications at any time via your device settings
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise these rights, contact us at support@ontraq.info with the subject line "Privacy request."

7a. Notifiable Data Breaches

In the unlikely event of a data breach that is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, as required by the Notifiable Data Breaches scheme under the Privacy Act.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.

10. Related Documents

• Terms of Service
• Account & Data Deletion

11. Contact Us

If you have questions about this Privacy Policy, please contact us at: