Privacy
Last reviewed May 2026
Tradescraft Pty Ltd (“tradescraft”, “we”, “us”) operates the tradescraft.app platform. This policy explains what personal information we collect, how we handle it, and the rights you have over it. We're bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth), the New Zealand Information Privacy Principles under the Privacy Act 2020, and where applicable the EU/UK General Data Protection Regulation.
Who we are
Tradescraft Pty Ltd, Melbourne, Australia. Privacy enquiries: privacy@tradescraft.app. For GDPR purposes we are the data controller; for the Australian and NZ Acts we are the APP / IPP entity.
What we collect and why
- Account information - your name, work email, role (admin / staff), and the business you belong to. We need these to give you a usable account, to attribute the work you do, and to send service-related email.
- Operational information you enter - clients, sites, jobs, quotes, invoices, time entries, materials, qualifications, safety paperwork, photos and documents you upload. Stored so the business can run on the platform.
- Location while signed in - tradescraft is a dispatch product. While you're signed in, we keep your most recent position so the business's operator can see where the crew is and push the next job to whoever is closest. We also keep a short history of those positions (a breadcrumb trail) so the business can see where its crew has been during the working day; that location history is kept for up to 90 days and then automatically deleted. This is a core part of the service, not analytics. Your browser will ask for permission the first time; declining it means the dispatcher can't see you and the service can't do its job properly.
- Customer + supplier contact details - the names, addresses, phone numbers and emails of the people the business deals with. The business is responsible for having a lawful basis to share that information with us.
- Payment information - we don't store card details. Payments are handled by Stripe; we only see the metadata (amount, invoice id, success / failure).
- System telemetry - anonymised request timings and error reports that help us keep the service running. We don't log request bodies and don't profile you for advertising.
Lawful basis for processing (GDPR)
For users in the EU / UK, we process personal information on the following bases:
- Contract - to deliver the service you (or your employer) have subscribed to.
- Legitimate interests - keeping the platform secure, preventing fraud, improving the service.
- Consent - cookies that aren't strictly necessary. You can withdraw via the cookie banner at any time.
- Legal obligation - where we need to retain records to meet Australian tax, accounting, or safety law.
Where your information lives
Operational data and uploaded files are hosted with our managed database provider, in a single fixed region outside Australia and New Zealand. Each business's data is isolated within the database: another business literally cannot read your records, and we enforce that at every query, not just in the user interface.
Because the hosting region is outside Australia and New Zealand, any disclosure of personal information to our provider is a cross-border disclosure for the purposes of Australian Privacy Principle 8 and the New Zealand IPP 12. We satisfy these obligations by relying on the privacy regime applicable to our provider (which is recognised as providing an adequate level of protection and is broadly comparable to the Australian and NZ Acts), and by binding the provider contractually to handle data in line with our obligations under those Acts and the GDPR. For transfers governed by GDPR we also rely on the EU Standard Contractual Clauses where required.
Other processors (payment, email, SMS, hosting) may operate from additional jurisdictions; the current list is in the “Who we share information with” section below.
Who we share information with
- Stripe - to process card payments your customers make.
- Resend - to send transactional email (notifications, invitations, overdue-invoice reminders).
- Twilio - to send appointment confirmation SMS to your customers, when your plan includes it.
- Xero - only if you connect it. Invoice and payment data only.
- Vercel - hosts the web application.
- Supabase - hosts the database and file storage.
We never sell your data. We never share it with advertising platforms. We never share data between businesses on the platform. We only disclose to law enforcement when a valid Australian court order requires it, and where lawful we'll tell you first.
The full list, with each provider's purpose and data region, is on our sub-processors page.
How long we keep it
While your subscription is active, we keep everything you've entered so the business can use it. When you cancel, operational data is purged within 30 days and backups roll off within 90 days. Some records (invoices, tax-related data) may be retained longer where Australian law requires it - we'll tell you which ones when you cancel.
Your rights - do these yourself, anytime
You don't need to email us to exercise the rights below. They're all available in the app under Settings → Security → Your data:
- Access / portability. Click “Download my data” for a single machine-readable JSON file with all of your business records. Uploaded file attachments (job photos, scanned documents, CAD files and your logo) aren't bundled into that file - download them from each record where they're attached. For security, encrypted payroll identifiers (tax file / IRD numbers, bank and super details) are also left out of the bulk file - they stay viewable and editable in the app from each person's payroll details.
- Correction. All records are editable in the app from their detail page.
- Erasure / deletion. Click “Leave business” to remove your own access. An admin can click “Delete business” to permanently wipe every record and every teammate's access. Either is irreversible after the backup window rolls off.
- Restriction / objection. Turn off notification kinds you don't want at Settings → My Notifications. Location is part of the dispatch service; if you don't want to be located you can sign out, which stops collection immediately.
If for any reason the in-app tools aren't enough, privacy@tradescraft.app will action your request within 14 days.
Security
We require TLS on every connection, isolate every business's data at the database, offer optional two-factor authentication, and keep a tamper-evident audit log of every change. Full details are on the security page.
Data breach notification
If a breach is likely to result in serious harm we'll notify affected users and the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme. Where the GDPR applies we'll also notify the lead supervisory authority within 72 hours of becoming aware.
Cookies and similar technologies
We only set cookies that are strictly necessary for the service to work (sign-in, anti-CSRF, your theme preference). We don't set third-party advertising cookies. See the cookies page for the current list and how to manage them.
Children
The service is intended for businesses and their adult workers. We don't knowingly collect information from anyone under 16.
Complaints
If you're not happy with how we've handled your information, please tell us first: privacy@tradescraft.app. If we can't resolve it, you have the right to complain to:
- The Office of the Australian Information Commissioner (oaic.gov.au) - for Australian residents.
- The Office of the Privacy Commissioner (privacy.org.nz) - for New Zealand residents.
- Your local EU / UK supervisory authority - for EU / UK residents.
Changes to this policy
If we materially change this policy we'll notify everyone with an active account by email before the changes take effect, and update the “last reviewed” date at the top.