1. Introduction
The Australian Roofing Corporation Pty Ltd (ACN 691 822 590) ("TARC", "we", "us", "our") is committed to protecting the privacy of your personal information. This Privacy Policy explains how we collect, hold, use, disclose, and otherwise manage your personal information in connection with our website at tarc.au (the "Site") and our software-as-a-service platform, tools, applications, and related services (collectively, the "Services").
This Policy is governed by the Privacy Act 1988 (Cth), including the Australian Privacy Principles ("APPs"), and all applicable State and Territory privacy legislation, including the Privacy and Personal Information Protection Act 1998 (NSW).
By accessing or using our Services, you acknowledge that you have read and understood this Policy, and you agree to the collection and use of your personal information as described in this Policy. If you do not agree, you must discontinue use of the Services immediately.
2. Information We Collect
2.1 Personal Information You Provide
We may collect the following categories of personal information directly from you:
- Account Information: full name, email address, phone number, business name, ABN/ACN, and password (stored in hashed form).
- Business Information: trading name, business address, licence numbers, insurance details, and company logo.
- Client Data: names, addresses, phone numbers, and email addresses of your clients that you input into the CRM or estimation tools.
- Project Data: property addresses, satellite imagery coordinates, roof measurements, material selections, pricing, estimates, invoices, and reports generated through the platform.
- Payment Information: billing name, billing address, and payment card details. Payment processing is handled by Stripe, Inc. We do not store your full credit card number on our servers.
- Communications: information you provide when contacting support, submitting feedback, or communicating via the AI chat assistant.
2.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Device & Browser Data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Usage Data: pages viewed, features used, time spent on pages, click paths, search queries, and referral URLs.
- Cookies & Tracking Technologies: session cookies, persistent cookies, local storage, and similar technologies for authentication, analytics, and user experience. See Section 9 (Cookies) for details.
- Log Data: server access logs including timestamps, request URLs, response codes, and error messages.
2.3 Information from Third Parties
- Google Solar API & Google Maps: satellite imagery, digital surface model data, and geolocation data for property addresses you submit.
- Bunnings / Supplier APIs: product pricing, availability, and specification data linked to your estimates.
- Stripe: transaction confirmations, billing status, and subscription state.
3. How We Use Your Information
We use your personal information for the following purposes:
- Service Delivery: to provide, maintain, and improve the Services, including generating roof analyses, estimates, reports, and invoices.
- Account Management: to create and manage your account, authenticate your identity, and process subscriptions.
- Payment Processing: to process subscription payments, issue refunds, and manage billing through Stripe.
- AI & Analytics: to power the AI chat assistant, generate satellite-based roof measurements, and provide data-driven insights. We use OpenAI's API to process certain queries — your data is sent to OpenAI's servers subject to their privacy policy; however, we do not permit OpenAI to use your data for training.
- Communications: to respond to support requests, send transactional notifications (e.g., payment confirmations, subscription changes), and — with your consent — send marketing communications.
- Legal Compliance: to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Safety & Security: to detect, investigate, and prevent fraud, abuse, security incidents, or other harmful activity.
- Product Improvement: to analyse usage patterns in aggregate and anonymised form to improve our features and user experience.
4. Legal Basis for Processing
Under the APPs, we process your personal information on the following bases:
- Consent: where you have given clear consent for us to process your personal information for a specific purpose (e.g., marketing emails).
- Contractual Necessity: where processing is necessary for the performance of our agreement with you (e.g., providing the Services you subscribe to).
- Legitimate Interests: where processing is necessary for our legitimate business interests, such as fraud prevention, security, and service improvement, provided those interests are not overridden by your privacy rights.
- Legal Obligation: where processing is necessary to comply with Australian law.
5. Disclosure of Personal Information
We may disclose your personal information to the following categories of recipients:
- Service Providers: cloud hosting providers (data stored in Australia), payment processors (Stripe), AI service providers (OpenAI), email delivery services, and analytics tools — each bound by contractual obligations to protect your data.
- Third-Party APIs: Google (Solar API, Maps), Bunnings (product data) — limited to the data necessary to deliver the requested service.
- Professional Advisors: lawyers, accountants, auditors, and insurers where necessary.
- Law Enforcement & Regulators: where required by law, court order, or regulatory directive.
- Business Transfers: in connection with a merger, acquisition, or sale of all or part of our business, your personal information may be transferred to the successor entity.
We will never sell, rent, or trade your personal information to third parties for their independent marketing purposes.
6. Cross-Border Disclosure
Some of our service providers (such as OpenAI and Stripe) operate servers outside Australia, including in the United States. Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs, including through contractual arrangements. By using the Services, you consent to the transfer of your personal information to these jurisdictions as described herein.
7. Data Retention
We retain your personal information only for as long as reasonably necessary for the purposes described in this Policy, or as required by law. Specifically:
- Account Data: retained for the duration of your account plus 12 months after a deletion request, to allow for account recovery and to comply with legal obligations.
- Project & Estimate Data: retained for as long as your account is active. Upon account deletion, project data is permanently deleted within 90 days.
- Financial Records: retained for a minimum of 7 years as required by Australian taxation law.
- Server Logs: retained for up to 90 days, then automatically purged.
Upon expiration of the retention period, personal information is securely deleted or irreversibly de-identified.
8. Data Security
We implement technical and organisational measures designed to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2+ (HTTPS).
- Encryption of data at rest using AES-256 or equivalent.
- Secure password hashing using industry-standard algorithms (bcrypt).
- Role-based access controls limiting access to personal information to authorised personnel only.
- Regular security reviews and vulnerability assessments.
- Secure cloud infrastructure with Australian data residency where practicable.
Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your personal information.
9. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: required for authentication, security, and core functionality. These cannot be disabled without affecting the Services.
- Analytics Cookies: used to understand how users interact with the platform, measure feature usage, and identify performance issues.
- Preference Cookies: used to remember your settings and preferences (e.g., selected tools, display preferences).
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may impair your ability to use the Services. We do not use advertising or third-party tracking cookies.
10. Your Rights
Under the Privacy Act and the APPs, you have the following rights:
- Access: you may request access to the personal information we hold about you.
- Correction: you may request that we correct any personal information that is inaccurate, out of date, incomplete, or misleading.
- Deletion: you may request deletion of your account and associated personal information, subject to our retention obligations.
- Withdrawal of Consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Complaint: you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
To exercise any of these rights, contact us at theausroofingcorp@gmail.com. We will respond within 30 days.
11. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly.
12. Third-Party Links
The Services may contain links to third-party websites or services not operated by us (e.g., Bunnings, Stripe). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account and/or by a prominent notice on the Site at least 14 days before the changes take effect. Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated Policy.
14. Contact Us
If you are not satisfied with our response to your privacy concern, you may contact the Office of the Australian Information Commissioner (OAIC):