Privacy Policy

Effective Date: 19 December 2024

Last Updated: 19 December 2024

1. INTRODUCTION

CivDocs Pty Ltd (ABN 16 691 993 049) ("CivDocs," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose personal information when you use the CivDocs platform (the "Service").

2. SCOPE & JURISDICTION

This Privacy Policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

CivDocs is designed for Australian businesses; users located outside Australia may access the Service. By using CivDocs, you consent to the handling of your personal information in accordance with this Privacy Policy and Australian law.

3. PERSONAL INFORMATION WE COLLECT

We collect personal information that is reasonably necessary to operate the CivDocs platform.

3.1 Account & Identity Information

  • Full name
  • Email address
  • Password (hashed; never stored in plain text)
  • Phone number (optional)
  • Profile photo/avatar (optional)

3.2 Employment & Work-Related Information

Depending on your role within an organisation, this may include:

  • Organisation membership and role (admin, supervisor, employee)
  • Hourly pay rates (where entered by an organisation)
  • Timesheet data (dates, hours worked, breaks, comments)
  • Leave requests and approval metadata
  • Project, cost code, and scope assignments
  • Productivity and work output metrics

3.3 Licences & Qualifications

Where uploaded by users or organisations:

  • Licence or ticket names
  • Licence/card numbers
  • Expiry dates
  • Uploaded documents or images of licences

3.4 Plant, Safety & Operational Records

  • Pre-start inspection records
  • Fault reports and notes
  • Machine overtime entries
  • Attachments such as photos, PDFs, and documents

3.5 AI Conversation Data

When using Crank.ai:

  • User questions and prompts
  • AI-generated responses
  • Conversation history (stored per user and organisation)

3.6 Invoice Payment Instructions

For organisations using the invoice creation feature, we may store:

  • Bank BSB (Bank State Branch) number
  • Bank account number
  • Bank account name

This information is stored securely and used solely to display payment instructions on invoices generated by your organisation. These details are not used for payment processing by CivDocs. Only organisation administrators can add or modify this information.

4. SENSITIVE INFORMATION

CivDocs is not designed to collect sensitive information such as:

  • medical or health information
  • injury or incident reports
  • biometric data

However, due to free-text fields and file uploads, users may choose to upload such information.

By uploading sensitive information, you:

  • acknowledge that CivDocs does not require or request this data
  • consent to CivDocs storing and processing it as part of the Service
  • accept responsibility for ensuring you have lawful authority to upload it

CivDocs does not review, validate, or classify uploaded content for sensitive information.

5. HOW WE USE PERSONAL INFORMATION

We use personal information to:

  • provide, operate, and maintain the CivDocs platform
  • authenticate users and manage accounts
  • enable organisational workflows (timesheets, pre-starts, approvals)
  • generate reports, documents, and analytics
  • provide AI-powered insights (Crank.ai)
  • process subscription billing
  • send service-related communications
  • improve and develop our products and services
  • comply with legal obligations

6. AI & AUTOMATED PROCESSING

6.1 AI Data Use

  • Crank.ai only accesses data within your organisation
  • AI is read-only and does not modify your data
  • AI outputs are generated based solely on your organisation's data
  • AI outputs are stored to maintain conversation context

6.2 AI Training

CivDocs does not use your data to train AI models.

AI processing is performed using OpenAI's API. When you use Crank.ai, the following data is sent to OpenAI:

  • Your questions and prompts
  • Relevant organisation data (project names, scope descriptions, cost data, timesheet summaries, machine information) necessary to answer your query
  • Conversation history for context

OpenAI processes this data according to their API privacy policy. According to OpenAI's current policy, data sent via their API is not used to train their models unless explicitly opted in. However, OpenAI's policies are subject to change, and CivDocs cannot control third-party provider practices.

7. DISCLOSURE OF PERSONAL INFORMATION

We do not sell, rent, or trade personal information.

We may disclose personal information to the following third-party service providers for the purpose of operating CivDocs:

Supabase

Purpose: Database, authentication, file storage

Data disclosed: All personal information collected by CivDocs is stored in Supabase's database and file storage systems.

Stripe

Purpose: Subscription billing and payments

Data disclosed: Organisation name and email, billing name, billing email, billing address (street, city, state, postal code, country), payment card information (processed securely by Stripe, not stored by CivDocs), and subscription plan and billing interval metadata.

OpenAI

Purpose: AI analysis and response generation

Data disclosed: User questions and prompts, relevant organisation data (project names, scope descriptions, cost data, timesheet summaries, machine information) necessary to answer queries, and conversation history for context. See Section 6.2 for more details.

Resend

Purpose: Email delivery

Data disclosed: Recipient email addresses, organisation names, inviter names, invite roles, and password reset tokens (for password reset emails only).

Vercel

Purpose: Hosting and infrastructure

Data disclosed: Vercel hosts the CivDocs application and may log IP addresses and request metadata for operational and security purposes.

These providers may process data outside Australia. We take reasonable steps to ensure they handle personal information in accordance with applicable privacy laws.

8. COOKIES & LOCAL STORAGE

8.1 Cookies

CivDocs uses cookies strictly necessary for:

  • authentication (Supabase auth tokens)
  • session management

We do not use advertising cookies or third-party tracking cookies.

8.2 Local Storage

Local storage may be used for:

  • Application caching (timesheet data, project information, organisation data)
  • Temporary form state
  • User preferences (view mode settings)
  • AI conversation thread identifiers
  • Performance optimisation

Local storage is not used for tracking or advertising.

9. ACTIVITY LOGGING

CivDocs logs limited application activity for operational and security purposes, including:

  • user actions within the platform
  • timestamps
  • system events and errors

We do not:

  • track IP addresses for user behaviour analysis or advertising purposes
  • collect device or browser fingerprints
  • monitor user behaviour for advertising purposes

(Note: Third-party infrastructure providers may log IP addresses for security and operational purposes.)

10. DATA SECURITY

We take reasonable technical and organisational measures to protect personal information, including:

  • access controls and role-based permissions
  • encryption in transit
  • secure third-party infrastructure

However, no system is completely secure. CivDocs does not guarantee absolute security and is not liable for unauthorised access beyond what is required by law.

11. DATA RETENTION

  • Personal information is retained while an account or subscription remains active
  • Upon account termination, data may be retained for a limited period to allow you to request access to your personal information
  • After this period, data may be permanently deleted
  • CivDocs does not guarantee long-term archival storage
  • Some anonymised data (such as system logs with user identifiers removed, or AI conversations with user_id set to null) may be retained for operational or legal purposes

12. ACCESS & CORRECTION

You may:

  • access your personal information through your account
  • update certain profile information (such as name or phone number)
  • delete individual timesheet entries you have created

Some information (such as roles, rates, or employment data) may only be managed by an organisation administrator.

Account Deletion:

  • Employees cannot delete their own account or employment data; this must be done by an organisation administrator
  • You may request access to your personal information by contacting us at support@civdocs.com.au. We will respond within a reasonable timeframe as required by applicable law

At this time, CivDocs does not provide self-service account deletion. Requests may be made via support.

13. AGGREGATED & ANONYMISED DATA

CivDocs may use aggregated and anonymised data (with all personal and organisational identifiers removed) for:

  • product improvement
  • analytics
  • benchmarking
  • research and development

Such data cannot be used to identify individuals or organisations.

14. DATA BREACHES

In the event of a data breach involving personal information, CivDocs will comply with its obligations under the Notifiable Data Breaches scheme and notify affected individuals where required by law.

15. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be notified via the Service or email.

Continued use of CivDocs after changes take effect constitutes acceptance of the updated Policy.

16. CONTACT US

For privacy-related questions or requests, contact:

📧 support@civdocs.com.au

CivDocs Pty Ltd
ABN 16 691 993 049