Privacy Policy
Fixes — Client Mobile Application & Platform
1. Introduction
fixesau (ABN: 52697058503) ("Fixes", "we", "our", or "us") operates the Fixes mobile application (the "App") and related web platform available at www.fixesau.com (the "Platform").
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our App, Platform, and related services (collectively, the "Services") as a Client (a homeowner or property manager seeking trade services). We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the New Zealand Privacy Act 2020 and the privacy requirements of the Apple App Store and Google Play Store.
By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use our Services.
Age Restriction: Our Services are intended for users aged 18 years and older. We do not knowingly collect personal information from individuals under 18. If you are under 18, please do not use the App or provide any personal information.
2. Information We Collect
We collect the following categories of personal information:
2.1 Information You Provide Directly
| Data Category | Specific Data Collected | Purpose |
|---|---|---|
| Account & Identity | Full name, email address, phone number, password (stored as bcrypt hash on our servers — never in plain text) | Account creation, authentication, communication |
| Profile Information | Avatar photo (optional), display name | Personalisation, identity within in-app chat |
| Job Details | Job title, description, trade category, preferred timing, scheduled date/time, diagnostic question answers | AI-powered quote generation, tradie matching, job fulfilment |
| Job Photos | Photos of the issue or work area (up to 5 per job, captured via camera or selected from photo library) | AI quote accuracy, tradie context, dispute evidence |
| Location (Manual) | Street address, suburb, postcode, state — entered manually or via Google Places autocomplete | Setting the job site location, matching nearby tradies |
| Payment Information | Payment card details (processed entirely by Stripe — never stored on our servers) | Paying for jobs (escrow), scope change top-ups |
| Messages | Text messages sent within job chat | Communication with assigned tradies, dispute resolution |
| Reviews | Star rating and written review for completed jobs | Quality assurance, tradie accountability |
| Dispute Evidence | Photos and text descriptions submitted when raising or responding to a dispute | Fair dispute resolution by our admin team |
2.2 Information Collected Automatically
| Data Category | Specific Data Collected | Purpose |
|---|---|---|
| Location Data (GPS) | Device GPS coordinates collected via expo-location with foreground permission — only when you tap "Use Current Location" during job posting. This is a one-time read, not continuous tracking. | Auto-filling your job address |
| Device Information | Device platform (iOS/Android), app version | Compatibility, push notification delivery |
| Push Notification Token | Expo Push Token (device-specific identifier) | Delivering real-time notifications about job updates, messages, and quote results |
| Authentication Tokens | JWT access and refresh tokens stored locally on your device (via AsyncStorage or in-memory depending on "Remember Me" preference) | Maintaining authenticated sessions |
| Cached Profile | A local copy of your user profile (name, email, avatar URL) cached in AsyncStorage | Faster app startup, offline display |
2.3 Information We Do NOT Collect
- We do not continuously track your location. GPS is read only once when you explicitly tap "Use Current Location".
- We do not use any third-party analytics SDKs (such as Firebase Analytics, Mixpanel, or Amplitude) in the mobile app.
- We do not access your device contacts, calendar, microphone, or files beyond what you explicitly provide.
- We do not use advertising trackers or sell your data to advertisers.
- We do not perform cross-app or cross-site tracking.
- We do not collect health, fitness, or biometric data.
3. How We Use Your Information
We use your personal information for the following purposes:
- Service Delivery — Creating and managing your account, generating AI-powered quotes for your jobs, matching you with verified tradies, and facilitating communication.
- AI-Powered Quoting — Your job title, description, photos, location, and diagnostic answers are processed by our AI engine to generate personalised, tiered price quotes (Junior / Senior / Specialist).
- Job Classification — Your job description text is analysed using on-device keyword matching and (when confidence is low) a server-side AI classifier to suggest the appropriate trade category.
- Location Services — Using your GPS coordinates (when you tap "Use Current Location") to auto-fill your job address, and using the job address to find nearby tradies and calculate routes.
- Payment Processing — Processing job payments via Stripe, holding funds in escrow until job completion, processing refunds for cancellations, and handling scope-change top-up payments.
- Live Tracking — Displaying the assigned tradie's real-time location on a map when they are en route to your job (tradie location is shared by the tradie app, not yours).
- Communication — Sending push notifications (quote ready, tradie assigned, tradie en route, job completed), in-app messages, and emails (verification, password resets).
- Safety & Dispute Resolution — Using job photos, chat records, completion photos, and dispute evidence to mediate disputes fairly.
- Service Improvement — Using general usage patterns to improve the App and Platform.
- Legal Compliance — Meeting our obligations under Australian and New Zealand law, including tax reporting and responding to lawful requests from authorities.
4. How We Share Your Information
We do not sell your personal information. We share information only as follows:
4.1 With Other Users
- Tradies assigned to your job can see your name, job location (suburb and state initially — full address after they accept the dispatch), job details, photos, and chat messages.
- Tradies can also see your star rating and review after job completion.
- Your email, phone number, and payment details are never shared with tradies.
4.2 With Third-Party Service Providers
| Provider | Country | Purpose | Data Shared |
|---|---|---|---|
| Stripe (Stripe Payments Australia Pty Ltd) | Australia (primary), USA (infrastructure) | Payment processing, escrow management | Name, email, payment card details (card details handled entirely by Stripe SDK — never touch our servers) |
| Google Maps Platform | USA | Address autocomplete (Places API), live tradie route display (Routes API), map rendering | Address search queries, job location coordinates |
| Nominatim (OpenStreetMap) | Various | Fallback geocoding when Google coordinates are unavailable | Address string for geocoding |
| Cloudinary (Cloudinary Ltd.) | USA | Image hosting (job photos, avatar photos, dispute evidence) | Uploaded images |
| Expo (Expo Inc.) | USA | Push notification delivery via Expo Push API | Expo Push Token, notification title and body |
| MongoDB Atlas | USA (Virginia) | Primary database — stores account data, job records, messages, notifications | All account and job data as described in Section 2 |
| Render (Render Inc.) | USA (Virginia) | Backend server hosting | All server-side data in transit and at rest |
| SMTP Email Provider | Varies | Transactional email delivery (verification, password resets) | Email address, email content |
Overseas Disclosure: Some of our service providers are located outside Australia (primarily the United States). By using our Services, you consent to the transfer of your personal information to these countries. We take reasonable steps to ensure that overseas recipients handle your information in accordance with the Australian Privacy Principles.
4.3 Legal Disclosures
We may disclose your personal information if required by law, regulation, legal process, or governmental request, including to:
- Comply with a court order, subpoena, or similar legal obligation
- Cooperate with law enforcement or government authorities
- Protect the rights, property, or safety of Fixes, our users, or the public
- Report to the Office of the Australian Information Commissioner (OAIC) in the event of a notifiable data breach
5. Device Permissions
The App requests the following device permissions. All permissions are requested at runtime with clear explanations:
| Permission | When Requested | Why Required |
|---|---|---|
| Location (Foreground) | When you tap "Use Current Location" while posting a job | One-time GPS read to auto-fill your job address. We do not continuously track your location. |
| Camera | When you tap the camera button while adding job photos | Capturing photos of the issue or work area to attach to your job post |
| Photo Library | When you tap the gallery button while adding job photos, uploading an avatar, or submitting dispute evidence | Selecting existing photos from your device to upload |
| Push Notifications | On first login | Receiving real-time updates about quotes, tradie assignments, arrival notifications, job completion, and messages |
You can revoke any permission at any time via your device's Settings. Revoking location permission will require you to enter your job address manually. Revoking notification permission means you will not receive real-time updates.
6. Data Storage & Security
6.1 Where Your Data Is Stored
- Server-side: Our backend is hosted on Render (Virginia, USA). Our database is MongoDB Atlas (USA). We plan to migrate to an Australian data centre when feasible.
- On-device: Authentication tokens and user profile cache are stored locally using React Native AsyncStorage (encrypted at the OS level on both iOS and Android). When "Remember Me" is disabled, tokens are stored in memory only and are cleared when the app is closed.
- Images: Job photos, avatar photos, and dispute evidence are stored on Cloudinary's CDN.
6.2 Security Measures
- Encryption in Transit: All API communications use HTTPS/TLS. WebSocket connections (for real-time chat and tracking) use WSS.
- Password Security: Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.
- JWT Authentication: Access tokens are short-lived. Refresh tokens are rotated on each use.
- Payment Security: All payment card data is handled exclusively by the Stripe SDK and Stripe's PCI-DSS compliant infrastructure. Card details never pass through or are stored on our servers.
- API Rate Limiting: Rate limits are enforced on all endpoints to prevent brute-force attacks.
- Input Validation: All inputs are validated and sanitised server-side.
- Sensitive Fields: Password hashes, refresh tokens, and reset tokens are excluded from API responses.
- Secure Uploads: All image uploads to Cloudinary use signed upload requests with time-limited signatures generated server-side.
7. Data Retention
We retain your personal information in accordance with the following schedule:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account + 2 years after deletion request | Legal obligations, dispute resolution |
| Job records & payment history | 7 years from completion | Australian tax law (ATO record-keeping requirements) |
| Chat messages | 2 years after job completion | Dispute resolution |
| Job photos & dispute evidence | 2 years after job completion | Evidence preservation |
| Reviews | Duration of account + 2 years | Platform integrity |
| Push notification tokens | Until token becomes invalid or account is deleted | Service delivery |
After the retention period expires, data is securely deleted or permanently de-identified in accordance with APP 11.2.
8. Your Rights
Under the Australian Privacy Act 1988, the APPs, and the New Zealand Privacy Act 2020, you have the following rights:
- Access (APP 12): You may request access to the personal information we hold about you.
- Correction (APP 13): You may request correction of any inaccurate, out-of-date, or incomplete personal information. You can also update your name and phone number directly in the App's Profile screen.
- Deletion: You may request deletion of your account and associated data via the App's Settings > Delete Account screen or by contacting us. We will process your request within 30 days, subject to any legal retention obligations (see Section 7). Account deletion is permanent and irreversible.
- Withdraw Consent: You may withdraw consent for optional data processing (e.g., push notifications, location) by revoking device permissions or contacting us.
- Complaint: If you believe we have breached the APPs, you may lodge a complaint with us (see Section 11) or with the Office of the Australian Information Commissioner (OAIC). New Zealand residents may also contact the NZ Office of the Privacy Commissioner.
To exercise any of these rights, please contact us at contact@fixesau.com.
9. Cookies & Local Storage
The mobile App does not use cookies. We use React Native AsyncStorage to store authentication tokens and cached user profile data locally on your device. This data is not shared with any third party and is cleared when you log out or delete the app.
Our web platform (fixesau.com) uses Vercel Analytics for anonymised, aggregate website performance metrics. No personally identifiable information is collected by this service on the web platform.
10. Notifiable Data Breaches
In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
- Notify affected individuals with details of the breach, the type of information involved, and recommended steps they should take.
- Take all reasonable steps to contain the breach and mitigate any resulting harm.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Send an in-app notification or push notification to inform you of the changes
- Where required by law, seek your consent before applying changes that significantly affect how your personal information is handled
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
- Entity: fixesau
- ABN: 52697058503
- Email: contact@fixesau.com
- Address: 86-88 St Helens Crescent, NARRE WARREN NORTH VIC 3804
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Phone: 1300 363 992
- Website: oaic.gov.au/privacy/privacy-complaints
New Zealand residents may also contact the NZ Office of the Privacy Commissioner.
13. Apple App Store & Google Play Store Disclosures
13.1 Data Collected (App Store Privacy Nutrition Label / Play Store Data Safety)
| Category | Data Type | Linked to Identity | Used for Tracking |
|---|---|---|---|
| Contact Info | Name, Email, Phone (optional) | Yes | No |
| Location | Precise Location (one-time GPS read) | Yes | No |
| Financial Info | Payment Info (via Stripe SDK) | Yes | No |
| Identifiers | User ID, Expo Push Token | Yes | No |
| Photos | Job photos, avatar, dispute evidence | Yes | No |
| User Content | Chat messages, job descriptions, reviews | Yes | No |
13.2 Data NOT Collected
- Health & Fitness data
- Browsing History
- Search History
- Contacts / Address Book
- Diagnostics / Crash Logs (no analytics SDK)
- Advertising Data / Ad Identifiers
- Sensitive Info / Government ID (not required for clients)
13.3 Data Deletion
Users can request account and data deletion directly within the App via Settings > Delete Account, or by contacting us at contact@fixesau.com. Deletion requests are processed within 30 days, subject to legal retention requirements outlined in Section 7.