Privacy Policy

1. Introduction

Alexander Aikman T/A Vantage Operations (ABN 82 409 901 476) ("Vantage", "we", "us", or "our") is committed to protecting the privacy of individuals whose personal information we collect and hold. This Privacy Policy describes how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs").

This Privacy Policy applies to personal information collected through our software-as-a-service platform ("Platform") and associated services, which provide equipment management, vehicle tracking, checklist management, incident coordination, and operational visibility tools for emergency service organisations.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

In this Privacy Policy:

• "Organisation" means an entity that has entered into a subscription agreement with Vantage to use the Platform.
• "Organisation Administrator" means an individual authorised by an Organisation to administer its use of the Platform.
• "End User" means any individual who accesses or uses the Platform on behalf of an Organisation.
• "Personal Information" has the meaning given to that term in the Privacy Act, being information or an opinion about an identified individual, or an individual who is reasonably identifiable.
• "Sensitive Information" has the meaning given to that term in the Privacy Act.

3. Personal Information We Collect

3.1 Categories of Personal Information

We may collect the following categories of personal information:

(a) Account and Identity Information

• Full name
• Email address
• Authentication credentials (managed by our third-party authentication provider, Clerk)
• Organisation membership and role information
• User preferences and settings

(b) Operational Data

• Vehicle and equipment records you create or manage
• Checklist responses and completion records
• Defect reports and resolution notes
• Logbook entries, including driver names and usage records
• Incident reports and timeline events
• Skills and competency records
• Booking and scheduling information

(c) Location Data

• Vehicle GPS coordinates (where location tracking is enabled by the Organisation)
• Incident location information
• Station and facility addresses

(d) Technical and Usage Data

• IP address (stored in hashed/anonymised form)
• Browser type and user agent information
• Device information
• Access timestamps and activity logs
• Platform feature usage patterns

(e) Payment Information

• Billing contact details
• Payment method information (processed and stored by our payment processor, Stripe)
• Transaction and invoice records

3.2 Sensitive Information

We do not intentionally collect sensitive information as defined in the Privacy Act. However, Organisations may choose to include sensitive information in free-text fields (such as incident notes or defect descriptions). Organisations are responsible for ensuring they have appropriate consent and authority to record such information.

4. How We Collect Personal Information

We collect personal information through the following means:

• Directly from you: When you create an account, submit forms, enter data into the Platform, or communicate with us.
• From your Organisation: When Organisation Administrators add you as a user or assign roles and permissions.
• Automatically: Through technical means when you access the Platform, including server logs and analytics.
• From third parties: From our authentication provider (Clerk) when you sign in, and from our payment processor (Stripe) for billing purposes.

Where practicable, we provide the option to interact with us without identifying yourself or by using a pseudonym. However, account creation and Platform access require identity verification.

5. Purposes of Collection, Use, and Disclosure

5.1 Primary Purposes

We collect, hold, use, and disclose personal information for the following primary purposes:

• Providing, operating, and maintaining the Platform
• Processing and managing your account registration
• Authenticating users and maintaining security
• Processing payments and managing subscriptions
• Providing customer support and responding to enquiries
• Enabling Organisations to manage their operations, including equipment tracking, checklist management, incident coordination, and reporting
• Generating reports and analytics for Organisations
• Sending service-related communications, including notifications and alerts

5.2 Secondary Purposes

We may also use personal information for the following secondary purposes:

• Improving and developing the Platform and our services
• Conducting internal research and analysis
• Complying with legal obligations and responding to lawful requests
• Protecting the rights, property, and safety of Vantage, our users, and others
• Enforcing our terms of service

5.3 Marketing

We may use contact information to send communications about our products and services. You may opt out of marketing communications at any time by following the unsubscribe instructions in the communication or by contacting us directly.

6. Disclosure of Personal Information

6.1 Third-Party Service Providers

We disclose personal information to the following categories of third-party service providers who assist us in operating the Platform:

6.2 Within Organisations

Personal information and operational data entered into the Platform is accessible to other users within the same Organisation in accordance with the Organisation's role-based access controls. Organisation Administrators control user access and permissions.

6.3 Legal Requirements

We may disclose personal information where required or authorised by law, including:

• To comply with a court order, subpoena, or other legal process
• To respond to requests from regulatory authorities
• To protect the rights, property, or safety of any person
• In connection with the investigation of suspected unlawful activity

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity, subject to the commitments in this Privacy Policy.

7. Data Sovereignty and Overseas Disclosure

7.1 Australian Data Residency

All Organisation data, including operational records, equipment data, incident information, checklists, and other core Platform data, is stored exclusively in Australia. Our primary database infrastructure is hosted on Amazon Web Services (AWS) in the Sydney (ap-southeast-2) region through our database provider, Supabase.

This means your Organisation's data remains subject to Australian law and is not transferred to overseas jurisdictions for storage or processing.

7.2 Third-Party Services

Some ancillary third-party service providers operate in, or may process limited data in, countries outside Australia, including the United States. These services include:

• Clerk (authentication): Processes authentication credentials and session data
• Stripe (payments): Processes billing and payment information
• Vercel (hosting): Processes application requests and logs

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. These service providers maintain data processing agreements and security certifications (including SOC 2 compliance) that provide protections comparable to the APPs.

8. Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• Encryption: All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256
• Access Controls: Role-based access controls limit data access to authorised personnel
• Authentication: Multi-factor authentication is available for user accounts
• Infrastructure Security: Our hosting providers maintain SOC 2 Type II compliance and conduct regular security audits
• Data Isolation: Organisation data is logically isolated to prevent cross-tenant access
• Monitoring: We maintain audit logs of administrative actions and security events
• File Security: Uploaded files are validated and optionally scanned for malware
• Anonymisation: IP addresses are hashed (SHA-256) before storage to minimise identifiable data retention

While we implement reasonable security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.

9. Data Retention

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Retention periods vary based on the type of information and the context of collection:

• Account Information: Retained while your account is active and for a reasonable period thereafter to enable account reactivation
• Operational Data: Retained in accordance with the Organisation's requirements and applicable record-keeping obligations
• Billing Records: Retained for 7 years to comply with tax and accounting requirements
• Audit Logs: Retained for 2 years for security and compliance purposes

Upon termination of an Organisation's subscription, Organisation data is retained for 30 days to allow for data export, after which it is scheduled for deletion.

10. Your Rights

10.1 Access and Correction

Under the Privacy Act, you have the right to request access to, and correction of, your personal information held by us. To make a request, please contact us using the details provided below.

We will respond to access requests within a reasonable period (generally within 30 days). We may charge a reasonable fee for providing access to cover our administrative costs.

We will correct personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading, having regard to the purpose for which it is held.

10.2 Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with us. We will investigate and respond to complaints within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001

10.3 Data Export

Organisation Administrators may request export of Organisation data in a commonly used electronic format. Data export requests can be made through the Platform or by contacting us.

10.4 Deletion

You may request deletion of your personal information. We will comply with such requests unless we are required to retain the information by law or for legitimate business purposes. Note that for End Users, operational data created within an Organisation may be retained by the Organisation in accordance with their record-keeping policies.

11. Notifiable Data Breaches

In the event of an eligible data breach as defined in the Privacy Act, we will comply with the Notifiable Data Breaches scheme. This includes:

• Conducting an assessment of suspected breaches within 30 days
• Notifying the OAIC and affected individuals if a breach is likely to result in serious harm
• Taking reasonable steps to contain the breach and mitigate harm

For Organisations, we will also notify your designated security contact of any suspected breach affecting your Organisation's data within 72 hours of becoming aware of the incident.

12. Organisation Responsibilities

Organisations using the Platform act as data controllers for the operational data they collect and store. Organisations are responsible for:

• Ensuring they have lawful grounds to collect and process personal information through the Platform
• Providing appropriate privacy notices to their personnel and other individuals whose information is processed
• Configuring appropriate access controls and permissions
• Complying with applicable privacy laws, including the Privacy Act and any sector-specific requirements
• Responding to access and correction requests from individuals whose data they control

Vantage acts as a data processor on behalf of Organisations with respect to operational data. We process such data in accordance with our contractual obligations and the Organisation's instructions.

13. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

• Essential Cookies: Required for authentication, session management, and Platform functionality
• Analytics: To understand how users interact with the Platform and identify areas for improvement

You can control cookie settings through your browser. However, disabling essential cookies may prevent you from using the Platform.

14. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected personal information from a child, please contact us immediately.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform and, where appropriate, by email or in-Platform notification.

The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have questions about this Privacy Policy, wish to make an access or correction request, or have a privacy complaint, please contact our Privacy Officer:

• Email: privacy@vantage.com.au
• Post: Privacy Officer, Vantage Operations Pty Ltd, [INSERT ADDRESS]

We aim to acknowledge receipt of all enquiries and complaints within 5 business days and to provide a substantive response within 30 days.