Privacy Policy

Version 1.0Effective 20 May 2026Handled in accordance with the Australian Privacy Principles

This Privacy Policy explains how TrueAgent Pty Ltd ABN 70 636 626 956, as trustee for The TrueAgent Unit Trust (ABN 54 180 227 297), trading as Snap Job Reports (we, us or our), collects, uses, holds, discloses and protects personal information when you visit snapjobreports.com (the Website), sign up for the Snap Job Reports software-as-a-service application, or otherwise interact with us (together, the Services).

We handle personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act). We currently operate only in Australia and host Customer Data in Sydney. If we expand to other countries, we will update this policy and notify customers before doing so.

Plain-English Summary (not part of the policy)We collect information needed to run Snap Job Reports: account details for administrators, job and photo data captured by your crews, and technical logs to keep things working. We never sell your personal information. We never train AI on customer data. We store your data in Australia by default and we’ll tell you if we ever have a security incident. You can ask for access, correction or deletion at support@snapjobreports.com.

1Who this policy applies to

This policy applies to:

Visitors to the Website;
Administrator users who sign in to the Snap Job Reports administrator portal on behalf of a customer organisation;
Field technicians who access the Snap Job Reports progressive web application through a launch session originating from ServiceM8 or another Connected Platform;
Customers’ clients and other individuals whose personal information is captured by the Services (for example, individuals visible in photographs taken at job sites, or signatories on certificates); and
Prospects, leads and recipients of marketing communications.

For customer organisations that subscribe to the Services on behalf of their employees and clients, the customer is responsible for the personal information in their account and we act as the customer’s service provider in handling it. Individuals seeking access, correction or deletion of personal information held by us on a customer’s behalf should generally direct those requests to the customer in the first instance.

2The kinds of personal information we collect

The categories of personal information we collect depend on how you interact with us.

2.1 Account and identity information

Name, email address, role/title and avatar of administrators;
Tenant organisation name, trading name, address, ABN, contact email and contact phone;
Last sign-in time and similar account-activity timestamps;
Membership role within the customer’s account (administrator, editor, viewer);
Invitation, revocation and access-history records.

2.2 Field-technician session information

The technician’s name, email and role as supplied by the Connected Platform (e.g. ServiceM8 staff record);
Short-lived, job-scoped session tokens (not stored after expiry);
A one-way HMAC hash of the IP address used to launch the session (the plain-text IP address is not retained);
Device metadata such as browser type and screen size (for diagnostics).

2.3 Field-capture content

Photographs taken or uploaded through the application. We strip EXIF metadata from stored images (keeping only image orientation), so geolocation coordinates and camera details are not retained in, or embedded in, the images we hold;
Annotations, ratings, defect notes, environmental readings (e.g. temperature, humidity), tags and other field data captured by technicians;
Schematic diagrams, floor plans or other drawings uploaded for annotation;
Signature images captured for certificates of compliance.

2.4 Job and business information from Connected Platforms

With the customer’s authorisation, we synchronise data from Connected Platforms (currently ServiceM8), which may include: job numbers, job descriptions, client names, site addresses, assigned staff, materials lists, checklists and similar operational information. Some of this information may identify individuals (for example, a client’s contact name).

2.5 Billing information

Billing contact name and email, organisation name, tax identifiers (ABN), invoice history. If we introduce online card payments, the card details themselves will be collected and stored by our payment processor and not retained by us beyond a payment-method token.

2.6 Communications

Records of your correspondence with us, including support tickets, emails and (where permitted) recorded voice calls.

2.7 Technical, security and analytics information

Device, browser, operating system, language preferences and timezone;
Pages viewed and actions taken within the Services, request timestamps and response codes;
Session-replay recordings of interactions with the administrator portal and progressive web application, captured by PostHog (see clause 4);
Application logs (Pino) and metrics (OpenTelemetry) transmitted to Grafana Cloud for operational diagnostics;
Error reports including stack traces and contextual data;
Cookies and similar identifiers (see clause 11).

2.8 Marketing information

Where you sign up for our newsletter, request a demo, attend an event we organise, or otherwise provide your contact details for marketing purposes: your name, email, organisation, trade and any preferences you indicate.

2.9 Information we do not deliberately collect

We do not deliberately collect sensitive information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record or biometric templates. If you provide sensitive information through Services (for example, in a free-text note or visible incidentally in a photograph), you confirm that you have a lawful basis to do so and authorise us to handle it consistently with this policy.

We do not knowingly collect personal information about children. The Services are intended for use by adult tradespeople and businesses.

3How we collect personal information

We collect personal information:

Directly from you, when you sign up, install our ServiceM8 add-on, configure your branding, contact us, request a demo or use the Services;
From your Authorised Users, when administrators or technicians log in, capture data or generate reports;
From Connected Platforms, with your authorisation, when we synchronise jobs, staff lists, checklists and similar data;
Automatically, through cookies, log files, analytics and error-monitoring tools when you interact with the Services;
From third parties, such as referral partners or publicly available business directories, in limited circumstances and only where doing so complies with the Privacy Act.

4Why we collect, hold, use and disclose personal information

We collect, hold, use and disclose personal information for the following purposes:

Providing the Services — setting up and authenticating accounts; minting field-technician sessions; ingesting, processing, storing and rendering field-capture content into PDF reports; delivering reports back to Connected Platforms or to email recipients designated by the customer.
Operating and securing the Services — monitoring availability, performance and error rates; detecting and responding to fraud, abuse, security incidents and policy violations; maintaining audit trails for accountability.
Communicating with you — sending transactional messages (e.g. report-delivery notifications, billing notices, security alerts) and, where permitted, product updates and marketing.
Billing and account management — processing subscriptions, generating tax invoices, recovering overdue Fees.
Improving the Services — analysing how the Services are used, diagnosing bugs, prioritising features. We use de-identified, aggregated Service Analytics for these purposes.
Complying with law — meeting our legal, tax, regulatory and audit obligations and responding to lawful requests from regulators, courts and authorities.
Enforcing our terms — investigating suspected breaches of our Terms of Service and exercising or defending our legal rights.

We do not use Customer Data to train AI or machine-learning models. We do not, and we require our Sub-processors not to, use Customer Data (or any derivative of Customer Data that is identifiable to a customer or their Authorised Users) to train, fine-tune, evaluate or otherwise develop any machine-learning or artificial-intelligence model, whether ours or a third party’s.

5Who we share personal information with

We disclose personal information only in the following circumstances:

5.1 Our Sub-processors

We use carefully selected service providers to host and operate the Services. A current list of these Sub-processors is maintained at snapjobreports.com/sub-processors. At the date of this policy, our material Sub-processors include:

Sub-processor	Purpose	Processing location
Supabase	Database, authentication, file storage, realtime services	Australia (Sydney)
Vercel	Website and application hosting; serverless functions	Global edge network; primary compute in the United States
Railway	PDF rendering worker	Region matched to the customer’s primary data region
PostHog	Product analytics, error tracking and session replay	United States
Grafana Cloud	Application logs and metrics (Loki / Mimir) for operational diagnostics	Australia (primary) with EU failover
Google (Workspace and Chat)	Internal communications and alert webhooks	United States and Australia
Resend	Transactional email delivery (field-technician sign-in codes, report delivery, billing notifications, security alerts)	United States

We require each Sub-processor by contract to: (a) handle personal information only on our documented instructions; (b) implement appropriate technical and organisational security measures; (c) maintain confidentiality; and (d) cooperate with our compliance obligations. We remain accountable for our Sub-processors’ handling of personal information.

5.2 Connected Platforms

Where the customer authorises an integration, we read from and write to those Connected Platforms (for example, attaching a generated PDF to a ServiceM8 job). The handling of personal information by Connected Platforms is governed by those platforms’ own terms and privacy policies.

5.3 Customer’s own recipients

Reports generated through the Services may be sent or shared by the customer to its own clients, regulators, insurers or others. We act on the customer’s instructions in delivering those reports; the customer is responsible for the contents of, and the recipients of, those reports.

5.4 Professional advisers

Our lawyers, accountants, auditors and similar professional advisers, under confidentiality obligations.

5.5 Business transfers

In connection with a proposed or actual merger, acquisition, financing, sale of assets, restructure or insolvency, we may disclose personal information to prospective buyers, advisers and other parties involved in the transaction, subject to confidentiality obligations. If a transaction proceeds, personal information may be transferred as part of the assets, with notice to affected customers.

5.6 Law enforcement and regulators

Where required or permitted by law, we may disclose personal information to law enforcement, regulators, courts or other authorities (for example, in response to a subpoena, court order or a request made under the Australian Privacy Principles or the Notifiable Data Breaches scheme).

5.7 With consent

To any other person where you have consented to the disclosure.

5.8 We do not sell personal information

We do not sell, rent or trade personal information for marketing purposes.

6Overseas disclosure

Some of the Sub-processors listed in clause 5.1 process personal information overseas, in particular:

United States — Vercel (hosting), PostHog (product analytics, error tracking and session replay), Resend (transactional email) and certain Google services;
European Union — Grafana Cloud (operational logs and metrics), on regional failover only.

Before disclosing personal information to an overseas recipient, we take reasonable steps (consistent with APP 8.1) to ensure the recipient does not breach the APPs in relation to that information, including by requiring each recipient by contract to handle personal information in a manner substantially equivalent to that required under the Australian Privacy Principles. We remain accountable under the Privacy Act for personal information we disclose to these recipients. If you would prefer that we not disclose your personal information overseas, please contact us — in some cases we may not be able to provide the Services without doing so.

7Where we hold personal information and how long for

7.1 Hosting and storage

Customer Data and account information are hosted by Supabase in Sydney, Australia. Backups are taken in the same region. Application logs and metrics are processed via Grafana Cloud in Australia (with European Union failover). Session replays and product analytics are processed by PostHog in the United States.

7.2 Retention of Customer Data

While a customer’s account is active, we retain Customer Data for as long as the customer requires it for their business purposes. A customer’s administrator can configure a retention period for original photographs (default: 365 days). We are building automated enforcement of these retention periods; until it is in place, original images are retained while the account is active and are deleted on account termination in accordance with clause 7.3, or earlier on request. Optimised renditions used to compose reports may be retained to preserve report integrity.

7.3 Retention after termination

On termination of an account:

The customer’s administrators retain export access for 30 days;
Customer Data is deleted from primary production systems within a further 60 days;
Backup copies are purged in the ordinary course of our backup rotation cycle, and in any event within 90 days after termination.

Certain limited records (billing records, audit trails, security logs) may be retained for longer where necessary to comply with law (for example, taxation records under the Income Tax Assessment Act).

7.4 Marketing data

Marketing contact records are retained until you unsubscribe or otherwise object, plus a reasonable suppression period to honour your opt-out.

8Security

We take security seriously and apply layered technical and organisational measures, including:

Transport encryption: TLS for all traffic between users, the Services and Sub-processors;
Encryption at rest: managed-database and object-storage encryption provided by Supabase and other Sub-processors;
Secrets management: Connected Platform tokens are stored within Supabase Vault and referenced by secret identifier — raw access tokens are not stored in application tables;
Tenant isolation: Postgres Row-Level Security policies enforce per-tenant access scoping at the database layer;
Authentication: administrators authenticate through ServiceM8 OAuth, so sign-in (including any multi-factor authentication) is governed by the customer’s ServiceM8 configuration; field technicians verify their identity by a one-time code and receive short-lived, signed, job-scoped session tokens;
IP-address minimisation: where IP addresses are recorded for security purposes, only an HMAC hash is retained;
Access controls: production access by our personnel is restricted, role-based and audit-logged;
Logging and monitoring: application and security events are sent to Grafana Cloud (Loki/Mimir) and PostHog for monitoring and incident response;
Backups and disaster recovery: regular automated backups with documented restore procedures;
Secret rotation: high-privilege credentials (e.g. ServiceM8 OAuth client secrets) are rotated on a scheduled basis.

No system is perfectly secure. While we work hard to protect personal information, we cannot guarantee that it will not be subject to unauthorised access, loss, misuse or disclosure.

9Data breaches and notification

If we suffer or become aware of an eligible data breach affecting personal information we hold, we will respond in accordance with our incident-response procedures and the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. Where we process Customer Data on behalf of a customer, we will notify the customer’s designated administrator contact without undue delay and in any event within 72 hours of becoming aware of a confirmed Security Incident affecting their Customer Data, with the information needed for the customer to assess and meet its own notification obligations.

10Your rights — access, correction, deletion and complaints

10.1 Access and correction

You may request access to, or correction of, your personal information held by us. We will respond within a reasonable period (and in any event within 30 days) and we will not charge for making the request (although we may charge a reasonable fee for the cost of providing access where significant work is required). If we refuse a request, we will give you written reasons and information about how to complain.

10.2 Deletion

You may ask us to delete personal information about you. We will comply except where retention is required by law, necessary for the establishment, exercise or defence of legal claims, or otherwise permitted under the Privacy Act. Where personal information is held by us on behalf of a customer (for example, an administrator’s account record within a customer’s tenant), we will refer the request to the customer in the first instance.

10.3 Marketing opt-out

You may opt out of marketing emails at any time using the unsubscribe link in every marketing message, or by emailing support@snapjobreports.com. Transactional messages (billing notices, security alerts, service-critical notifications) cannot be opted out of while you have an active account.

10.4 Anonymity and pseudonymity

Where lawful and practicable, you may interact with us anonymously or under a pseudonym. However, most uses of the Services require an identifiable account.

10.5 Complaints

If you believe we have breached the Australian Privacy Principles or this policy, please contact us at support@snapjobreports.com. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au or by phone on 1300 363 992.

11Cookies and similar technologies

The Website and the Services use cookies, local storage and similar technologies. Categories of cookies we use:

Strictly necessary — required for the Services to function (e.g. authentication, session management, CSRF protection);
Functional — remember your preferences and improve usability (e.g. language, theme);
Analytics — help us understand how the Services are used (PostHog product analytics);
Error monitoring — capture diagnostic information when errors occur.

You may refuse cookies through your browser settings; however, parts of the Services may not function properly without them. We do not knowingly use cookies for cross-site advertising.

12Photographs and on-site individuals

The Services are designed to capture photographs of equipment, buildings, defects and job-site conditions. From time to time, on-site individuals (occupants, building staff, members of the public) may be incidentally visible in those photographs. We strip EXIF metadata from stored images, so geolocation coordinates and camera details are not retained in the images we hold. Where photographs identify or are reasonably capable of identifying a person, they may constitute personal information.

If you are a customer of Snap Job Reports, you are responsible for: (i) ensuring you have a lawful basis (including, where required, the consent of identifiable individuals) to capture, store and share such photographs; (ii) any required notices to visible individuals; and (iii) the consequences of sharing generated reports with third parties (such as your own clients), including any individuals identifiable in those reports.

If you believe a photograph or report held by us identifies you and you have not consented, please contact us and we will work with the relevant customer to resolve your concern.

13Individuals outside Australia

The Services are currently offered only to businesses in Australia, and Customer Data is hosted in Sydney. We do not presently target or market the Services to individuals in other countries. If we expand into another region (for example, New Zealand or the United Kingdom), we will update this policy to describe the local privacy protections that apply and notify customers before the change takes effect.

14Automated decision-making and profiling

The Services do not make decisions about individuals that produce legal or similarly significant effects on them solely by automated means. Where features such as automatic photo processing, queue prioritisation or template suggestions are introduced, they are intended to assist the customer’s personnel and remain subject to human review.

15Changes to this policy

We may amend this policy from time to time. The current version is always available at snapjobreports.com/privacy and the “Effective” date at the top is updated whenever changes are made. For material changes, we will provide at least 30 days’ notice by email or in-product notice to administrators of paid Plans before the change takes effect. Continued use of the Services after the effective date constitutes acceptance.

16How to contact us

For privacy enquiries, requests for access or correction, complaints, or data-breach-related notices:

Snap Job Reports — Privacy enquiries
TrueAgent Pty Ltd (ABN 70 636 626 956) ATF The TrueAgent Unit Trust (ABN 54 180 227 297)
79 Grange Road, Sandringham VIC 3191, Australia
Email: support@snapjobreports.com