
Privacy Policy

Fixes — Tradie Mobile Application & Platform

Effective Date: 1 June 2026  |  Last Updated: 11 May 2026

1. Introduction

fixesau (ABN: 52697058503) ("Fixes", "we", "our", or "us") operates the Fixes mobile application (the "App") and related web platform available at www.fixesau.com (the "Platform").

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our App, Platform, and related services (collectively, the "Services"). We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the privacy requirements of the Apple App Store and Google Play Store.

By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use our Services.

Age Restriction: Our Services are intended for users aged 18 years and older. We do not knowingly collect personal information from individuals under 18. If you are under 18, please do not use the App or provide any personal information.

2. Information We Collect

We collect the following categories of personal information:

2.1 Information You Provide Directly

Data Category | Specific Data Collected | Purpose
Account & Identity | Full name, email address, phone number (optional), password (stored as bcrypt hash) | Account creation, authentication, communication
Professional Profile | Trade categories, skill level (junior/senior/specialist), skills list, bio, service radius (km) | Job matching, profile display, dispatch eligibility
Compliance Documents | ABN, trade licences, insurance certificates, white card, police checks (uploaded as PDF/images) | Identity and qualification verification, regulatory compliance
Identity Verification | Government-issued ID photos (front and back) submitted during Stripe payout onboarding | Financial compliance (KYC), payout account verification
Financial Information | BSB, bank account number, account holder name (for payouts); payment card details (processed by Stripe — never stored on our servers) | Processing payments and payouts
Job Completion Photos | Photos of completed work (2–10 per job, watermarked with timestamp, location, and tradie ID) | Work verification, dispute evidence, quality assurance
Messages | Text messages and images sent within job chat | Communication between tradies and clients, dispute resolution
Bug Reports | Category, title, description, platform (iOS/Android), app version | Service improvement and issue resolution

2.2 Information Collected Automatically

Data Category | Specific Data Collected | Purpose
Location Data | Real-time GPS coordinates (latitude/longitude) when you are "online" and during active jobs. Collected via expo-location with foreground permission. Updates every 20 metres of movement or every 30 seconds as a heartbeat. | Job matching based on proximity, live tracking for clients, arrival detection, dispatch radius filtering
Device Information | Device platform (iOS/Android), app version, Expo project ID | Bug reports, compatibility, push notification delivery
Push Notification Token | Expo Push Token (device-specific identifier for push notifications) | Delivering real-time notifications about jobs, messages, and account updates
Authentication Tokens | JWT access and refresh tokens stored locally on your device (via AsyncStorage or in-memory depending on "Remember Me" preference) | Maintaining authenticated sessions

2.3 Information We Do NOT Collect

  • We do not use any third-party analytics SDKs (such as Firebase Analytics, Mixpanel, or Amplitude) in the mobile app.
  • We do not access your device contacts, calendar, microphone, or files beyond what you explicitly provide.
  • We do not use advertising trackers or sell your data to advertisers.
  • We do not perform cross-app or cross-site tracking.

3. How We Use Your Information

We use your personal information for the following purposes:

  1. Service Delivery — Creating and managing your account, matching you with jobs, facilitating communication between tradies and clients, and processing payments.
  2. Location-Based Services — Using your GPS coordinates to find nearby jobs within your service radius, providing live tracking to clients when you are en route, and detecting arrival at the job site.
  3. Payment Processing — Processing job payments, managing escrow holds, calculating platform commissions, and facilitating payouts to your bank account via Stripe Connect.
  4. Verification & Compliance — Verifying your identity, trade qualifications, and compliance documents (ABN, licences, insurance) to maintain trust and safety on the platform.
  5. Communication — Sending transactional notifications (job dispatches, status updates, completion OTPs), in-app messages, emails, and SMS related to your jobs and account.
  6. Safety & Dispute Resolution — Using job completion photos, chat records, and scope change records to resolve disputes between tradies and clients.
  7. Service Improvement — Using bug reports and general usage patterns to identify and fix issues, and to improve the App and Platform.
  8. Legal Compliance — Meeting our obligations under Australian law, including tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities.

4. How We Share Your Information

We do not sell your personal information. We share information only as follows:

4.1 With Other Users

  • Clients see your name, trade category, rating, and real-time location (only when en route to or performing their job).
  • Tradies see the client's name, job location (suburb and state — full address only after acceptance), and job details.

4.2 With Third-Party Service Providers

Provider | Country | Purpose | Data Shared
Stripe (Stripe Payments Australia Pty Ltd) | Australia (primary), USA (infrastructure) | Payment processing, payout management, identity verification (KYC) | Name, email, date of birth, address, BSB, account number, ID document images
Twilio (Twilio Inc.) | USA | SMS delivery (job notifications, completion OTPs, tracking links) | Phone number, SMS content
Cloudinary (Cloudinary Ltd.) | India (current), subject to change | Image and document hosting (job photos, completion photos, compliance documents, dispute evidence) | Uploaded images and documents
Expo (Expo Inc.) | USA | Push notification delivery via Expo Push API | Expo Push Token, notification title and body
MongoDB Atlas | USA (Virginia) | Primary database — stores account data, job records, messages, notifications | All account and job data as described in Section 2
Redis (via Render hosting) | USA (Virginia) | Real-time caching — temporary location data, pending notification queues, session data | Location coordinates (temporary), notification payloads
Render (Render Inc.) | USA (Virginia) | Backend server hosting | All server-side data in transit and at rest
SMTP Email Provider | Varies | Transactional email delivery (verification, password resets, job updates, OTPs) | Email address, email content

Overseas Disclosure: Some of our service providers are located outside Australia (primarily the United States and India). By using our Services, you consent to the transfer of your personal information to these countries. We take reasonable steps to ensure that overseas recipients handle your information in accordance with the Australian Privacy Principles.

4.3 Legal Disclosures

We may disclose your personal information if required by law, regulation, legal process, or governmental request, including to:

  • Comply with a court order, subpoena, or similar legal obligation
  • Cooperate with law enforcement or government authorities
  • Protect the rights, property, or safety of Fixes, our users, or the public
  • Report to the Office of the Australian Information Commissioner (OAIC) in the event of a notifiable data breach

5. Device Permissions

The App requests the following device permissions. All permissions are requested at runtime with clear explanations:

Permission | When Requested | Why Required
Location (Foreground) | When you go "online" or open the map | Job matching, live tracking, arrival detection. Location is shared via Socket.IO (not HTTP) and cached in Redis with a 60-second debounce to MongoDB.
Camera | When completing a job (work photos) | Capturing watermarked completion photos as proof of work
Photo Library | When uploading dispute evidence | Selecting existing photos to submit as evidence in disputes
Push Notifications | On first login | Receiving real-time job dispatches, status updates, and messages

You can revoke any permission at any time via your device's Settings. Revoking location permission will prevent you from receiving job dispatches.

6. Data Storage & Security

6.1 Where Your Data Is Stored

  • Server-side: Our backend is hosted on Render (Virginia, USA). Database is MongoDB Atlas (USA). We plan to migrate to an Australian data centre when feasible.
  • On-device: Authentication tokens and user profile cache are stored locally using React Native AsyncStorage (encrypted at the OS level on both iOS and Android). When "Remember Me" is disabled, tokens are stored in memory only and are cleared when the app is closed.

6.2 Security Measures

  • Encryption in Transit: All API communications use HTTPS/TLS. WebSocket connections use WSS.
  • Password Security: Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.
  • JWT Authentication: Access tokens are short-lived. Refresh tokens are rotated on each use.
  • OTP Security: Job completion OTPs are hashed before storage and expire after 15 minutes.
  • API Rate Limiting: 500 requests per 15 minutes (general), 100 per 15 minutes (auth endpoints) to prevent brute-force attacks.
  • Input Validation: All inputs are validated and sanitised server-side.
  • Sensitive Fields: Password hashes, refresh tokens, reset tokens, and OTP hashes are excluded from API responses using Mongoose select: false.
  • Helmet.js: HTTP security headers are applied to all responses.

7. Data Retention

We retain your personal information in accordance with the following schedule:

Data Type | Retention Period | Basis
Account information | Duration of account + 2 years after deletion request | Legal obligations, dispute resolution
Job records & payment history | 7 years from completion | Australian tax law (ATO record-keeping requirements)
Chat messages | 2 years after job completion | Dispute resolution
Completion & dispute photos | 2 years after job completion | Evidence preservation
Compliance documents | Duration of account + 2 years | Regulatory compliance, audit trail
Location data (real-time) | Cached in Redis for the active session; persisted to MongoDB with each update, overwriting the previous entry | Operational necessity
Push notification tokens | Until token becomes invalid or account is deleted | Service delivery
Bug reports | 1 year | Service improvement

After the retention period expires, data is securely deleted or permanently de-identified in accordance with APP 11.2.

8. Your Rights

Under the Australian Privacy Act 1988 and the APPs, you have the following rights:

  • Access (APP 12): You may request access to the personal information we hold about you.
  • Correction (APP 13): You may request correction of any inaccurate, out-of-date, or incomplete personal information. You can also update your profile, phone number, bio, service radius, and categories directly in the App's Settings screen.
  • Deletion: You may request deletion of your account and associated data. We will process your request within 30 days, subject to any legal retention obligations (see Section 7).
  • Withdraw Consent: You may withdraw consent for optional data processing (e.g., push notifications, location tracking) by revoking device permissions or contacting us.
  • Complaint: If you believe we have breached the APPs, you may lodge a complaint with us (see Section 12) or with the Office of the Australian Information Commissioner (OAIC).

To exercise any of these rights, please contact us at contact@fixesau.com.

9. Cookies & Local Storage

The mobile App does not use cookies. We use React Native AsyncStorage to store authentication tokens and cached user profile data locally on your device. This data is not shared with any third party and is cleared when you log out or delete the app.

Our web platform (fixesau.com) uses Vercel Analytics for anonymised, aggregate website performance metrics. No personally identifiable information is collected by this service on the web platform.

10. Notifiable Data Breaches

In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:

  1. Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
  2. Notify affected individuals with details of the breach, the type of information involved, and recommended steps they should take.
  3. Take all reasonable steps to contain the breach and mitigate any resulting harm.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an in-app notification or push notification to inform you of the changes
  • Where required by law, seek your consent before applying changes that significantly affect how your personal information is handled

We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

  • Entity: fixesau
  • ABN: 52697058503
  • Email: contact@fixesau.com
  • Address: 86-88 St Helens Crescent, NARRE WARREN NORTH VIC 3804

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

13. Apple App Store & Google Play Store Disclosures

13.1 Data Collected (App Store Privacy Nutrition Label / Play Store Data Safety)

Category | Data Type | Linked to Identity | Used for Tracking
Contact Info | Name, Email, Phone | Yes | No
Location | Precise Location (GPS) | Yes | No
Financial Info | Payment Info (via Stripe), Bank Details | Yes | No
Identifiers | User ID, Expo Push Token | Yes | No
Photos & Videos | Job completion photos, document uploads, dispute evidence | Yes | No
User Content | Chat messages, bug reports, profile bio | Yes | No
Sensitive Info | Government ID (processed by Stripe only) | Yes | No

13.2 Data NOT Collected

  • Health & Fitness data
  • Browsing History
  • Search History
  • Contacts / Address Book
  • Diagnostics / Crash Logs (no analytics SDK)
  • Advertising Data / Ad Identifiers

13.3 Data Deletion

Users can request account and data deletion by contacting us at contact@fixesau.com. Deletion requests are processed within 30 days, subject to legal retention requirements outlined in Section 7.