1. Overview
TenThirtyFour Pty Ltd ("we", "us") operates FirstAidLog. We are committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth).
This policy explains what information we collect, why we collect it, how we use and store it, and your rights regarding your data.
2. Information We Collect
2.1 Account Information
| Data | Purpose | Basis |
|---|---|---|
| Full name | Display name, audit trail | Account registration |
| Email address | Authentication, notifications, reports | Account registration |
| Password (hashed) | Authentication | Account registration |
| Organisation name | Multi-tenancy, access control | Organisation setup |
| Role assignment | Permission enforcement | Organisation admin action |
2.2 Operational Data
| Data | Purpose |
|---|---|
| Kit inventories (items, quantities, expiry dates) | Core service functionality |
| Incident reports (patient info, injury details, witness statements) | WHS record-keeping |
| Inspection records (checklist results, environment checks) | Compliance tracking |
| Training records (certificate numbers, qualifications, expiry dates) | Training management |
| Photos (uploaded by users) | Evidence for incidents/inspections |
| Location data (GPS coordinates, when permitted by user) | Kit location, auto-fill |
2.3 Technical Data
- Error logs: Captured via Sentry for debugging (no PII included — sendDefaultPii: false)
- Session replay: Anonymised session recordings on error for debugging purposes
- Device information: Platform, OS version, app version (for compatibility)
- Usage analytics: Feature usage patterns (aggregated, non-identifiable)
3. How We Use Your Information
- Service delivery: Storing, processing, and displaying your kit, incident, inspection, and training data
- Notifications: Sending expiry alerts, low stock warnings, inspection reminders, and email reports
- Security: Authenticating sessions, enforcing role-based access, audit trail logging
- Improvements: Aggregated analytics to improve the Service (never sold to third parties)
- Legal compliance: Responding to lawful requests from Australian regulators
4. Third-Party Services
We use the following third-party processors. All are bound by data processing agreements:
| Service | Purpose | Data Centre Region |
|---|---|---|
| Supabase | Database, authentication, storage, real-time | Australia (Sydney) |
| Vercel | Web hosting, CDN | Global edge, primary US |
| Sentry | Error monitoring, performance | EU (Frankfurt) |
| Zoho Mail | Transactional emails (SMTP) | Australia |
| Stripe | Payment processing (subscription billing) | US/AU |
We do not sell, rent, or trade your personal information to any third party.
5. Data Storage & Security
- Encryption in transit: All data transmitted via TLS 1.2+
- Encryption at rest: Database encrypted at rest via Supabase (AES-256)
- Row-Level Security: Every database query is filtered by organisation-based RLS policies — users can only access data belonging to their organisation
- Password hashing: Managed by Supabase Auth using bcrypt
- Secure storage: Mobile credentials stored in device Secure Store (iOS Keychain / Android Keystore)
- Offline data: Queued mutations stored locally in AsyncStorage (native) or localStorage (web) and synced on reconnection
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 30 days after deletion |
| Incident reports | Minimum 5 years (WHS record-keeping requirement) |
| Inspection records | Minimum 5 years |
| Audit logs | 2 years |
| Error logs (Sentry) | 90 days |
| Backups | 30 days rolling |
7. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access: Request a copy of all personal information we hold about you
- Correction: Request correction of inaccurate or outdated personal information
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
- Export: Export your data via the in-app CSV and PDF export features at any time
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, email us at privacy@firstaidlog.com. We will respond within 30 days.
8. Cookies & Tracking
The web version of FirstAidLog uses:
- Essential cookies: Authentication session tokens (required for the Service to work)
- No advertising cookies: We do not use any advertising or tracking cookies
- No third-party trackers: We do not embed social media trackers, Google Analytics, or similar tools
9. Children's Privacy
FirstAidLog is designed for workplace use and is not intended for children under 16. We do not knowingly collect information from children. If you believe a child has provided us personal information, please contact us and we will delete it promptly.
10. International Data Transfers
Your primary data is stored in Supabase's Australian (Sydney) region. Some processing occurs internationally via Vercel (CDN) and Sentry (EU). All international transfers are governed by appropriate safeguards and data processing agreements.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top will always reflect the current version.
12. Contact
For privacy-related enquiries:
Privacy Officer
TenThirtyFour Pty Ltd
Email: privacy@firstaidlog.com
Queensland, Australia