Privacy Policy — SiteArmour

The short version Your data is stored in Australia. We do not sell it. We do not use your SWMS content to train AI. We use a small list of trusted providers — they are all named below. You can request your data, correct it, or delete it any time.

Contents

1Who we are 2What we collect 3How we use it 4AI processing 5Voice transcription 6Service providers 7Storage & security 8Retention 9Your rights 10Cookies 11Children 12Cross-border transfers 13Data breaches 14Changes 15Contact

01Who we are

SiteArmour ("we", "us", "our") operates the SiteArmour platform at sitearmour.com.au and sitearmour.au from Sydney, New South Wales, Australia. The legal operating entity is identified in Section 15.

This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using SiteArmour you acknowledge that you have read this policy.

02What we collect

Account information

When you sign up, we collect:

Full name
Email address
Business or trading name
ABN
Phone number (optional)
Trade type and primary state of operation
Password (stored hashed — we never see your plain password)

Payment information

Payments are processed by Stripe. We never receive or store your credit card details. Stripe receives your email address, account ID, and payment information to process your subscription.

SWMS content

We store the content you create using the Service: job descriptions, identified hazards, risk ratings, control measures, PPE selections, emergency procedures, and site details.

Uploaded files

If you upload a company logo or site photos, these are stored in our private storage with time-limited access URLs. Only your account can retrieve them.

Voice recordings

If you use voice input for job descriptions, the audio is transcribed and discarded immediately. See Section 5.

Digital signatures and sign-ons

When a worker signs a SWMS via QR code, link, or in-platform, we record:

Name
Role or position
Email (optional)
Signature image
IP address
Timestamp
Device type and browser

This is captured to create a defensible audit trail for WHS compliance.

Usage data

We automatically collect non-identifying information about how the Service is used: pages visited, features used, session duration, device type, browser type, and approximate location (country and state level only).

03How we use your information

We use the information we collect to:

Provide and operate the Service
Process payments and manage subscriptions
Generate SWMS content using AI
Store and display your SWMS history
Record digital signatures and sign-on data
Send account notifications, billing receipts, and service updates
Monitor performance, errors, and security
Detect and prevent fraud or misuse
Comply with legal and tax obligations
Improve the Service (using aggregated, non-identifying analytics only)

We do not sell your data, rent it, trade it, or use your SWMS content for advertising. We do not use your SWMS content to train AI models.

04AI processing

SiteArmour uses enterprise large language model providers to generate SWMS content. We send only the information needed to produce the SWMS — primarily the job description, trade, state, and project context — to the AI provider.

We do not send the following to AI providers:

Your name, email, or login details
Your ABN
Your phone number
Your payment information
Worker signatures or sign-on records

Our AI providers process inputs under commercial API terms that include zero data retention for API requests and a commitment not to use API inputs to train their public models. We select providers that meet enterprise security and privacy standards.

AI-generated content may contain errors. You must review every SWMS for accuracy before use. The PCBU retains full responsibility — see our Terms of Service.

05Voice transcription

If you use the voice input feature, your audio is sent to a third-party speech-to-text provider for transcription. The audio is processed in-memory, returned as text, and discarded. We do not store the original audio.

The transcribed text is then passed through our AI provider for punctuation and trade-term correction before being inserted into your SWMS draft.

Your audio is processed under the provider's commercial terms and is not used for model training.

06Service providers

We share limited data with a small number of service providers to operate the platform. We have selected each one for security, reliability, and — where possible — Australian data residency. Our primary application data is stored with named providers in Australia. AI processing and voice transcription are handled by enterprise providers under zero-retention commercial terms.

Category	Purpose	What is shared	Region
Supabase	Database & authentication	All account data, SWMS content, signatures, uploads	Sydney, Australia
Stripe	Payment processing	Email, account ID, payment information	Australia & USA
Hosting & serverless	Application hosting and serverless functions	Page requests, function invocations, request logs	Global CDN
AI inference	SWMS content generation	Job description text and trade/state context only — no personal identifiers	USA (zero-retention API)
Speech-to-text	Voice input transcription	Audio for transcription — discarded after processing	USA
Address autocomplete	Site address lookup	Address search queries	Global

Enterprise customers and procurement teams can request a full sub-processor list, including specific provider names and Data Processing Agreement terms, by emailing support@sitearmour.com.au.

If we add a new service provider category that processes personal information, we will update this policy and — where the change is material — notify you by email at least 14 days before it takes effect.

We do not sell, rent, or trade your personal information to any third party.

07Storage and security

We take reasonable steps to protect personal information:

All application data is stored in Australia (Sydney region)
Encryption in transit (TLS 1.2+/HTTPS) and at rest
Row-level security ensures one account cannot access another account's data
Signature images and uploaded files stored in private buckets with time-limited URLs
Passwords are stored using industry-standard hashing (bcrypt/argon2)
Rate limiting and abuse protection on all public endpoints
Regular dependency and security updates

While we apply these protections, no method of electronic transmission or storage is 100% secure. You are responsible for keeping your account password confidential.

08Data retention

Data	Retention
Account data	While your account is active. Deleted within 30 days of account closure unless required for legal or tax purposes.
SWMS documents	While your account is active. We recommend you keep copies for at least 7 years as required by WHS record-keeping obligations.
Digital signatures	Retained for the life of the associated SWMS.
Payment records	Minimum 5 years (Australian tax law).
Server & function logs	90 days.
Voice audio	Not retained — discarded after transcription.

09Your rights

Under the Australian Privacy Principles, you have the right to:

Access the personal information we hold about you
Request correction of inaccurate or out-of-date information
Request deletion of your personal information (subject to legal retention requirements above)
Withdraw consent for any optional data processing
Export your SWMS documents and sign-on records
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

To exercise any of these rights, email support@sitearmour.com.au from the email address on your account. We respond within 30 days.

10Cookies and tracking

We use a small number of cookies:

Essential cookies — keep you logged in and remember your session. Cannot be disabled without breaking the Service.
Analytics cookies — anonymous usage measurement to understand how the Service is used. No personally identifying information is sent.

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from using the Service.

Australian law does not require cookie consent banners, but we disclose cookie use here for transparency.

11Children

SiteArmour is for businesses and workers of legal working age. The Service is not directed at children. We do not knowingly collect information from anyone under 16 years of age. If we discover that we have collected information from a minor, we will delete it.

12Cross-border transfers

Your primary application data — your account, SWMS content, and signatures — is stored in Australia with Supabase (Sydney). Limited data is processed by overseas providers as set out in Section 6:

AI inference (USA) — job description text only, under zero-retention commercial terms
Speech-to-text (USA) — voice audio, discarded after transcription
Stripe (Australia & USA) — payment processing under Stripe's privacy framework
Address autocomplete (Global) — address search queries

Where personal information is sent overseas, we take reasonable steps to ensure the recipient handles it in a manner consistent with the Australian Privacy Principles. Enterprise customers can request specific provider names and DPA terms by emailing support@sitearmour.com.au.

13Data breach notification

If we become aware of an eligible data breach likely to result in serious harm to affected individuals, we will:

Notify affected individuals as soon as practicable
Notify the Office of the Australian Information Commissioner (OAIC)
Comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988

We aim to notify affected users within 72 hours of confirming a notifiable breach.

14Changes to this policy

We may update this Privacy Policy. Material changes — such as adding a new category of personal information or a new service provider — will be notified by email at least 14 days before they take effect. The "Last updated" date at the top of this page will be revised.

Your continued use of the Service after the updated policy takes effect constitutes acceptance.

15Contact and operating entity

For any privacy questions, requests, or complaints, contact us:

Email: support@sitearmour.com.au
Location: Sydney, NSW, Australia

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

SiteArmour is a product of Alpha Interior Linings & Carpentry Pty Ltd (ACN 606 603 169), an Australian proprietary limited company. The company is registered in Queensland and operates the SiteArmour platform from New South Wales. All references in this Privacy Policy to "SiteArmour", "we", "us", and "our" refer to this entity unless the context requires otherwise.