Privacy Policy

ServiceSmartOS ("we", "us" or "our") is an AI-powered contractor operating system designed for asbestos, demolition, remediation, civil, construction and trade service businesses. We deliver the Services through our website, web platform and mobile applications (together, the "Services"). This Privacy Policy explains how we collect, use, disclose and protect personal information when you use any of these Services, and sets out your rights as an individual.

We are committed to complying with the New Zealand Privacy Act 2020 and the Australian Privacy Principles (APPs) contained in the Australian Privacy Act 1988 (Cth). Where any inconsistency exists, we apply the more protective standard.

By creating an account or using ServiceSmartOS, you acknowledge that you have read and understood this Policy.

2.1 Account and Identity Information

When you register for an account we collect your name, work email address, company name, country, and password (stored in encrypted form). If you are added to an account by an employer or administrator, we collect the same information on your behalf.

2.2 Subscription and Billing Information

We collect subscription plan details, billing frequency, and payment method information. Full payment card details are handled exclusively by our payment processor, Stripe Inc. We store only a tokenised reference and the last four digits of your card number. We never store raw card data on our systems.

2.3 Business and Operational Documents

As part of normal platform use, you upload and create documents that may contain personal information about workers, clients, contractors, and other third parties. These include:

• Safe Work Method Statements (SWMS) and Activity Risk Control Plans (ARCP)
• Toolbox Talk records and attendance lists
• Audit and inspection records
• Incident reports and corrective action records
• Timesheet records including worker names, hours, and project details
• Site sign-in and sign-out records including visitor and contractor details
• Worker profiles including competency records, licence numbers, and medical expiry dates
• Environmental and waste management records

You are the controller of this data. We process it only as your data processor, on your documented instructions, to provide the services you have subscribed to.

All documents, records and content you create within ServiceSmartOS remain your property. We do not claim ownership of your Customer Content. We process and store it solely to provide the Services to you.

2.4 AI-Generated Content

When you use our AI generation features, we transmit the context you provide (such as work activity descriptions, project types, and known hazards) to our AI service providers to generate content. We may use one or more AI providers including Anthropic, OpenAI, Google, or other providers from time to time. The applicable AI provider's data processing terms apply to content transmitted for generation purposes.

We log the inputs and outputs of AI generations for auditing, troubleshooting, security monitoring, usage tracking, and service improvement purposes. AI generation logs are retained in accordance with our Data Retention Policy. We do not use your AI generation inputs to train AI models.

2.5 Usage and Technical Information

We automatically collect log data including IP addresses, browser type, operating system, pages visited, features used, and timestamps. This information is used for security monitoring, performance improvement, and debugging. We use Supabase's built-in analytics and logging infrastructure for this purpose.

2.6 Communications

If you contact us for support, we retain records of those communications including email correspondence and any attachments you send.

We use the personal information we collect for the following purposes:

• Service delivery: Creating and managing your account, processing subscriptions, and providing platform functionality.
• Billing: Processing payments, sending invoices, and managing subscription renewals through Stripe.
• Support: Responding to enquiries, troubleshooting, and resolving technical issues.
• Security: Monitoring for unauthorised access, fraud, and system abuse. Enforcing our Acceptable Use Policy.
• Platform improvement: Analysing usage patterns to develop new features and improve existing ones. We use aggregated, de-identified data for this purpose.
• Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from regulators and law enforcement.
• Communications: Sending transactional emails (account creation, subscription confirmations, payment receipts, password resets). We do not send marketing emails without your explicit consent.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

We disclose personal information only in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the platform:

• Supabase Inc. — database hosting, authentication, and storage. Data is stored on AWS infrastructure, typically in Australia (ap-southeast-2) or Singapore (ap-southeast-1) regions depending on your plan.
• Stripe Inc. — payment processing. Stripe is PCI-DSS Level 1 certified. Your full payment details are transmitted directly to Stripe and never pass through our servers.
• AI Service Providers — We use one or more AI providers (which may include Anthropic, OpenAI, Google, or others) for AI content generation features. We transmit the context you provide when using AI features to the applicable provider. Each provider's data processing terms apply to those transmissions. We will update this section if we make a material change to our primary AI provider.
• Vercel Inc. — platform hosting and content delivery.

Each provider is bound by contractual obligations to maintain the confidentiality and security of your information and to use it only for the purposes we specify.

4.2 Legal Requirements

We may disclose personal information where required by law, court order, or a request from a government authority with jurisdiction. Where permitted, we will notify you of such a request before complying.

4.3 Business Transfers

If ServiceSmartOS is acquired by or merges with another entity, personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our platform before your information is transferred and becomes subject to a different privacy policy.

4.4 Your Consent

We may disclose your information for any other purpose with your prior consent.

Our primary data storage is provided by Supabase using Amazon Web Services (AWS) infrastructure. Data may be hosted in Australia, Singapore, or other AWS regions depending on service configuration. By using ServiceSmartOS, you consent to the storage and processing of your information in these locations.

Where personal information is transferred internationally, we ensure appropriate safeguards are in place consistent with the requirements of the NZ Privacy Act 2020 and the APPs.

We retain personal information for as long as your account is active or as needed to provide services. For detailed retention periods, please refer to our Data Retention Policy.

When you close your account, we retain certain records for a period of 90 days to allow for account reactivation and to comply with legal obligations. After this period, personal account information is deleted or permanently de-identified.

Records that form part of business documents you have created (SWMS, incidents, audits) may be subject to longer retention requirements under applicable health and safety legislation. We recommend downloading your records before closing your account.

New Zealand

Under the New Zealand Privacy Act 2020, you have the right to:

• Request access to personal information we hold about you (Information Privacy Principle 6)
• Request correction of personal information that is inaccurate, incomplete, or misleading (Information Privacy Principle 7)
• Request deletion of your personal information where we are no longer legally required or operationally justified in retaining it
• Make a complaint to us or to the Office of the Privacy Commissioner if you believe we have breached the Act

Australia

Under the Australian Privacy Act 1988 and the APPs, you have the right to:

• Access the personal information we hold about you (APP 12)
• Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13)
• Request deletion of your personal information where we are no longer required by law or legitimate business need to retain it
• Make a complaint to us or to the Office of the Australian Information Commissioner (OAIC)

Exercising Your Rights

To exercise any of these rights, please contact us at support@servicesmartos.com. We will respond to your request within 20 working days. In some cases, we may need to verify your identity before processing a request.

There is no charge for making a request or receiving the information, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline the request.

Deletion requests may be subject to limitations where retention is required by applicable law, where data is needed to resolve a dispute, or where deletion would affect the rights of another party. We will advise you of any such limitations when responding to your request.

We use cookies and similar technologies on our platform. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

ServiceSmartOS is a business-to-business platform intended for use by commercial organisations and their adult employees. We do not knowingly collect personal information from individuals under 18 years of age. If you believe a minor has provided personal information to us, please contact us and we will delete it promptly.

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, destruction, alteration, or disclosure. For details of our security practices, please see our Security Statement.

No method of transmission over the internet or electronic storage is completely secure. While we use commercially reasonable security measures, we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice in the platform at least 14 days before the changes take effect. Your continued use of ServiceSmartOS after that date constitutes acceptance of the revised Policy.

We encourage you to review this Policy periodically. The current version is always available through the ServiceSmartOS website and platform.

For privacy enquiries, access requests, correction requests, or complaints, please contact:

If we are unable to resolve your complaint to your satisfaction, you may contact:

• New Zealand: Office of the Privacy Commissioner — privacy.org.nz
• Australia: Office of the Australian Information Commissioner — oaic.gov.au