Privacy Policy
This Privacy Policy explains how TrueAgent Pty Ltd ABN 70 636 626 956, as trustee for The TrueAgent Unit Trust (ABN 54 180 227 297), trading as Snap Job Reports (we, us or our), collects, uses, holds, discloses and protects personal information when you visit snapjobreports.com (the Website), enquire about or sign up for the Snap Job Reports software-as-a-service application, or otherwise interact with us (together, the Services).
We handle personal information in accordance with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act). We operate from Australia. We host the database and file storage that hold Customer Data in Sydney, Australia. Some other parts of the Services are operated by overseas providers — clause 5 and clause 6 set out exactly what is processed where, and what crosses Australia’s borders. If we expand to offer the Services in other countries, we will update this policy and notify customers before doing so.
1Who this policy applies to
This policy applies to:
- Visitors to the Website, and people who submit our beta-interest or support forms;
- Administrator users who sign in to the Snap Job Reports administrator portal on behalf of a customer organisation;
- Field technicians who access the Snap Job Reports progressive web application through a launch session originating from ServiceM8 or another Connected Platform;
- Customers’ clients and other individuals whose personal information is captured by the Services (for example, individuals visible in photographs taken at job sites, or signatories on certificates); and
- Prospects, leads and recipients of marketing communications.
We act in two different capacities, and your rights differ depending on which applies:
- Where we handle information in our own right — for example, beta-interest and support-form submissions, marketing-list contacts, administrator and billing-contact identities, and our own technical and security logs — we are the APP entity responsible for that information, and you can exercise the rights in clause 10 directly with us.
- Where we handle Customer Data on a customer’s behalf — the job, photo and field-capture content inside a customer’s account — the customer decides how that information is used, and we act as their service provider. Individuals seeking access, correction or deletion of personal information held by us on a customer’s behalf should generally direct those requests to the customer in the first instance, and we will assist the customer to respond.
2The kinds of personal information we collect
The categories of personal information we collect depend on how you interact with us.
2.1 Account and identity information
- Name, email address, role/title and avatar of administrators;
- Tenant organisation name, trading name, address, ABN, contact email and contact phone;
- Last sign-in time and similar account-activity timestamps;
- Membership role within the customer’s account (administrator, editor, viewer);
- Invitation, revocation and access-history records.
2.2 Beta-interest and support enquiries
When you submit our beta-interest form or our support form on the Website, we collect what you type into it. For the beta-interest form: your name, work email, company name and the platform you use. For the support form: your name, work email, a subject line, the platform you use, and a free-text message (up to 5,000 characters) describing your query. We use this information to respond to you, to assess and manage beta access, and to operate and improve our support. Please see clause 5.1 and clause 6 for an important explanation of where these submissions are sent and stored, and clause 7.5 for how long we keep them.
2.3 Field-technician session information
- The technician’s name, email and role as supplied by the Connected Platform (e.g. ServiceM8 staff record);
- Short-lived, job-scoped session tokens (not stored after expiry);
- A one-way HMAC hash of the IP address used to launch the session (the plain-text IP address is not retained);
- Device metadata such as browser type and screen size (for diagnostics).
2.4 Field-capture content
- Photographs taken or uploaded through the field application. We strip EXIF metadata from images captured through the field application (keeping only image orientation), so geolocation coordinates and camera details embedded by the capturing device are not retained in the images we hold;
- Annotations, ratings, defect notes, environmental readings (e.g. temperature, humidity), tags and other field data captured by technicians;
- Schematic diagrams, floor plans or other drawings uploaded for annotation;
- Signature images captured for certificates of compliance.
2.5 Job and business information from Connected Platforms
With the customer’s authorisation, we synchronise data from Connected Platforms (currently ServiceM8), which may include: job numbers, job descriptions, client names, site addresses, assigned staff, materials lists, checklists and similar operational information. Some of this information may identify individuals (for example, a client’s contact name or a site address).
2.6 Billing information
Billing contact name and email, organisation name, tax identifiers (ABN), invoice history. If we introduce online card payments, the card details themselves will be collected and stored by our payment processor and not retained by us beyond a payment-method token.
2.7 Communications
Records of your correspondence with us, including support submissions, emails and (where permitted and with notice) recorded voice calls.
2.8 Technical, security and analytics information
- Device, browser, operating system, language preferences and timezone;
- Pages viewed and actions taken within the Services, request timestamps and response codes;
- Session-replay recordings of interactions with the administrator portal and progressive web application, captured by PostHog. We configure PostHog to mask input fields and we identify users only by a pseudonymous identifier (e.g.
field:<id>oradmin:<id>), not by name or email (see clause 4 and clause 11); - Application logs (Pino) and metrics (OpenTelemetry) transmitted to Grafana Cloud for operational diagnostics. These carry safe diagnostic envelopes (such as correlation identifiers and severity), not the contents of Customer Data;
- Error reports including stack traces and contextual data;
- Cookies and similar identifiers (see clause 11).
2.9 Marketing information
Where you sign up for our newsletter, request a demo, attend an event we organise, or otherwise provide your contact details for marketing purposes: your name, email, organisation, trade and any preferences you indicate.
2.10 Sensitive information and children
We do not intentionally solicit sensitive information (as defined in the Privacy Act — such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record or biometric templates), and we ask that you do not submit it through the Services. We recognise, however, that sensitive information could be captured incidentally — for example in a free-text support message, a field note, or a photograph that happens to show a person’s face or health-related details. Where that occurs, we handle the information consistently with APP 3 and APP 4: we will not use it for any purpose for which it was not provided, and we will delete or restrict it where appropriate and on request. Please avoid including sensitive details in free-text fields.
We do not knowingly collect personal information about children. The Services are intended for use by adult tradespeople and businesses. If you believe a child’s personal information has been provided to us, please contact us and we will delete it unless we are required by law to retain it.
3How we collect personal information
We collect personal information:
- Directly from you, when you submit a beta-interest or support form, sign up, install our ServiceM8 add-on, configure your branding, contact us, request a demo or use the Services;
- From your Authorised Users, when administrators or technicians log in, capture data or generate reports;
- From Connected Platforms, with your authorisation, when we synchronise jobs, staff lists, checklists and similar data;
- Automatically, through cookies, log files, analytics and error-monitoring tools when you interact with the Services;
- From third parties, such as referral partners or publicly available business directories, in limited circumstances and only where doing so complies with the Privacy Act. Where we obtain your contact details this way, we rely on a lawful basis to contact you (including, for marketing, consent that is express or that can reasonably be inferred from an existing or enquiry relationship — see clause 10.3), and we will tell you the source on request.
4Why we collect, hold, use and disclose personal information
We collect, hold, use and disclose personal information for the following purposes:
- Providing the Services — setting up and authenticating accounts; minting field-technician sessions; ingesting, processing, storing and rendering field-capture content into PDF reports; delivering reports back to Connected Platforms or to email recipients designated by the customer.
- Responding to enquiries and support — receiving and acting on beta-interest and support-form submissions, managing beta access, and answering your questions.
- Operating and securing the Services — monitoring availability, performance and error rates; detecting and responding to fraud, abuse, security incidents and policy violations; maintaining audit trails for accountability.
- Communicating with you — sending transactional messages (e.g. report-delivery notifications, billing notices, security alerts) and, where permitted under the Spam Act 2003 (Cth), product updates and marketing (see clause 10.3).
- Billing and account management — processing subscriptions, generating tax invoices, recovering overdue Fees.
- Improving the Services — analysing how the Services are used, diagnosing bugs, prioritising features. We use de-identified, aggregated Service Analytics for these purposes.
- Complying with law — meeting our legal, tax, regulatory and audit obligations and responding to lawful requests from regulators, courts and authorities.
- Enforcing our terms — investigating suspected breaches of our Terms of Service and exercising or defending our legal rights.
We do not use Customer Data to train AI or machine-learning models. We do not, and we contractually require our Sub-processors not to, use Customer Data (or any derivative of Customer Data that is identifiable to a customer or their Authorised Users) to train, fine-tune, evaluate or otherwise develop any machine-learning or artificial-intelligence model, whether ours or a third party’s.
5Who we share personal information with
We disclose personal information only in the following circumstances:
5.1 Our Sub-processors
We use carefully selected service providers to host and operate the Services. A current list is maintained at snapjobreports.com/sub-processors. At the date of this policy, our material Sub-processors include:
| Sub-processor | What it does / what personal information it handles | Processing location |
|---|---|---|
| Supabase | Primary database, authentication, file storage and realtime services — this is where Customer Data lives (account and contact details, job and report content, photographs, generated report PDFs, and per-tenant integration tokens). | Australia (Sydney, AWS ap-southeast-2) |
| Railway | PDF/photo rendering worker — fetches job photographs, schematics and report/job data (which can include client and site details and narrative) to render report PDFs, then writes them back to storage. It therefore processes a meaningful slice of Customer Data. | Singapore (Southeast Asia) |
| Vercel | Website and application hosting; serverless functions and scheduled jobs. It processes essentially all personal information in transit as the Services run (including beta/support form handling, login flows and the jobs that move photos and PDFs). | Global edge network; primary compute outside Australia (see clause 6) |
| Resend | Transactional email delivery. This includes field-technician sign-in codes, billing and security notices, and report-delivery emails that carry the report PDF itself — which may contain site photographs (potentially showing individuals), site addresses, signatures and defect notes — together with the recipient’s email address. | United States |
| Google (Workspace and Chat) | Receives the contents of our Website’s beta-interest and support forms as a Google Chat message (name, work email, company, and free-text support messages), which is our working record of those enquiries; and receives operational alert messages that can incidentally include a customer or site name from an error context. | United States and Australia |
| PostHog | Product analytics, error tracking and masked session replay. Users are identified only by a pseudonymous identifier (not name or email); input fields are masked. | European Union (selected for data residency) |
| Grafana Cloud | Application logs and metrics (Loki / Mimir) for operational diagnostics — safe diagnostic envelopes, not the contents of Customer Data. | Australia (primary) with EU failover |
Important — how our beta-interest and support forms work. When you submit the beta-interest form or the support form on our Website, the details you enter are sent to, and recorded in, a Google Chat space (operated by Google in the United States and Australia) using an incoming webhook. That Chat message is currently our system of record for these enquiries — there is no separate Website enquiry database. We have told you this here, and we repeat it in a short notice next to each form, so that you can decide what to include before you submit. Please do not include sensitive information or more personal detail than you need to in the free-text fields. We keep these enquiries only as long as set out in clause 7.5.
We require each Sub-processor by contract to: (a) handle personal information only on our documented instructions; (b) implement appropriate technical and organisational security measures; (c) maintain confidentiality; and (d) cooperate with our compliance obligations. We remain accountable for our Sub-processors’ handling of personal information.
5.2 Connected Platforms
Where the customer authorises an integration, we read from and write to those Connected Platforms (for example, attaching a generated PDF to a ServiceM8 job). The handling of personal information by Connected Platforms is governed by those platforms’ own terms and privacy policies.
5.3 Customer’s own recipients
Reports generated through the Services may be sent or shared by the customer to its own clients, regulators, insurers or others. We act on the customer’s instructions in delivering those reports; the customer chooses the recipients and is responsible for the contents of, and the recipients of, those reports.
5.4 Professional advisers
Our lawyers, accountants, auditors and similar professional advisers, under confidentiality obligations.
5.5 Business transfers
In connection with a proposed or actual merger, acquisition, financing, sale of assets, restructure or insolvency, we may disclose personal information to prospective buyers, advisers and other parties involved in the transaction, subject to confidentiality obligations. If a transaction proceeds, personal information may be transferred as part of the assets, with notice to affected customers.
5.6 Law enforcement and regulators
Where required or permitted by law, we may disclose personal information to law enforcement, regulators, courts or other authorities (for example, in response to a subpoena, court order or a request made under the Australian Privacy Principles or the Notifiable Data Breaches scheme).
5.7 With consent
To any other person where you have consented to the disclosure.
5.8 We do not sell personal information
We do not sell, rent or trade personal information for marketing purposes.
6Overseas disclosure (APP 8)
Some of the Sub-processors listed in clause 5.1 process personal information outside Australia. Specifically:
- Singapore — Railway, which renders report PDFs and in doing so processes job photographs (which may show individuals), site addresses, signatures, defect notes and report narrative;
- United States — Resend, which delivers report-delivery emails including the report PDF and its contents together with the recipient’s email address; and Google (Workspace and Chat), which receives our beta-interest and support-form submissions (including free-text) and operational alerts that can incidentally include a customer or site name;
- Outside Australia (location depends on our hosting provider’s configuration) — Vercel, which operates the Website and application and therefore processes personal information in transit. Its compute region is set in our hosting provider’s configuration and is presently outside Australia; we treat all Vercel processing as an overseas disclosure for the purposes of this clause;
- European Union — PostHog (masked, pseudonymous product analytics and session replay), and Grafana Cloud on regional failover only.
The database and file storage that hold Customer Data (Supabase) are in Sydney, Australia, and our primary logging is in Australia.
Before disclosing personal information to an overseas recipient, we take reasonable steps (consistent with APP 8.1) to ensure the recipient does not breach the APPs in relation to that information, including by putting in place contractual terms requiring each recipient to handle personal information in a manner substantially equivalent to that required under the Australian Privacy Principles. Because some report content (clause 5.1, Resend) and some enquiry content (clause 5.1, Google) is comparatively rich, we pay particular attention to these flows: we limit what is sent, customers control who reports are delivered to, and we keep report links and access controlled. We remain accountable under the Privacy Act (including section 16C) for personal information we disclose to these overseas recipients — if an overseas recipient mishandles your information, we may be liable as if we had done so ourselves. If you would prefer that we not disclose your personal information overseas, please contact us — in some cases we may not be able to provide the Services, deliver a report, or respond to an enquiry without doing so.
7Where we hold personal information and how long for
7.1 Hosting and storage
Customer Data and account information are hosted by Supabase in Sydney, Australia (AWS ap-southeast-2). Backups are taken in the same region. Application logs and metrics are processed via Grafana Cloud in Australia (with European Union failover). Masked session replays and product analytics are processed by PostHog in the European Union. Report-delivery email passes through Resend in the United States; beta-interest and support-form submissions are recorded in Google Chat (United States and Australia); and PDF rendering occurs on Railway in Singapore. See clause 6.
7.2 Retention of Customer Data
While a customer’s account is active, we retain Customer Data for as long as the customer requires it for their business purposes. A customer’s administrator can configure a retention period for original photographs, which we intend to default to 365 days. Automated enforcement of photo-retention periods is still being built; we are targeting completion before general availability. Until automated enforcement is live, the operative controls are: original images are retained while the account is active and are deleted on account termination in accordance with clause 7.3, or earlier on request to privacy@snapjobreports.com. We treat the 365-day figure as a target default, not a guarantee of automatic deletion, until automated enforcement is in place. Optimised renditions used to compose reports may be retained to preserve report integrity.
7.3 Retention after termination
On termination of an account:
- The customer’s administrators retain export access for 30 days;
- Customer Data is deleted from primary production systems within a further 60 days;
- Backup copies are purged in the ordinary course of our backup rotation cycle, and in any event within 90 days after termination.
Certain limited records (billing records, audit trails, security logs) may be retained for longer where necessary to comply with law (for example, taxation records under the income-tax legislation).
7.4 Marketing data
Marketing contact records are retained until you unsubscribe or otherwise object, plus a reasonable suppression period to honour your opt-out.
7.5 Beta-interest and support enquiries
Beta-interest and support-form submissions recorded in Google Chat (clause 5.1) are retained for no longer than 12 months from the date of the enquiry, after which we delete or de-identify them, unless (a) the enquiry has become part of an active account or support matter, or (b) we are required to retain it to comply with law or to establish, exercise or defend a legal claim. You can ask us to delete your enquiry sooner by emailing privacy@snapjobreports.com.
7.6 Product analytics and session replay
Masked session replays and product-analytics events processed by PostHog (clause 2.8, clause 6) are retained for no longer than 12 months and are then deleted or de-identified in the ordinary course. Input fields are masked and users are identified only pseudonymously.
8Security
We take security seriously and apply layered technical and organisational measures, including:
- Transport encryption: TLS for all traffic between users, the Services and Sub-processors;
- Encryption at rest: managed-database and object-storage encryption provided by Supabase and other Sub-processors;
- Secrets management: Connected Platform tokens are stored within Supabase Vault and referenced by secret identifier — raw access tokens are not stored in application tables;
- Tenant isolation: Postgres Row-Level Security policies enforce per-tenant access scoping at the database layer;
- Authentication: administrators authenticate through ServiceM8 OAuth, so sign-in (including any multi-factor authentication) is governed by the customer’s ServiceM8 configuration; field technicians verify their identity by a one-time code and receive short-lived, signed, job-scoped session tokens;
- IP-address minimisation: where IP addresses are recorded for security purposes, only an HMAC hash is retained;
- Session-replay masking: input fields are masked and users are identified only pseudonymously in session replays and analytics;
- Access controls: production access by our personnel is restricted, role-based and audit-logged;
- Logging and monitoring: application and security events are sent to Grafana Cloud (Loki/Mimir) and PostHog for monitoring and incident response;
- Backups and disaster recovery: regular automated backups with documented restore procedures;
- Secret rotation: high-privilege credentials (e.g. ServiceM8 OAuth client secrets) are rotated on a scheduled basis.
No system is perfectly secure. While we work hard to protect personal information, we cannot guarantee that it will not be subject to unauthorised access, loss, misuse or disclosure.
9Data breaches and notification
If a data breach occurs, two separate sets of obligations may apply, and we keep them distinct:
9.1 Our obligations as an APP entity (statutory — Notifiable Data Breaches scheme)
For personal information we hold in our own right (for example, beta-interest and support enquiries, marketing-list contacts, administrator and billing-contact identities, and our own technical and security logs), we are responsible under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act. If we suspect on reasonable grounds that an eligible data breach may have occurred, we will carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 days (and faster where we can). If we determine there are reasonable grounds to believe an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, in accordance with the scheme. These statutory timeframes are not the same as, and are not replaced by, the contractual commitment described in clause 9.2.
9.2 Our contractual commitment to customers (for Customer Data we process on their behalf)
Where we process Customer Data on behalf of a customer, the customer is usually the APP entity for that data and runs its own NDB assessment. To help the customer meet its obligations, we commit by contract to notify the customer’s designated administrator contact of any suspected or confirmed eligible data breach affecting their Customer Data without undue delay, and in any event within 72 hours of becoming aware of it, and to provide reasonable assistance and information for the customer’s own assessment and notifications. This 72-hour figure is our own service commitment to customers — it is not a requirement of the NDB scheme, which operates on the statutory timeframes described in clause 9.1.
We also recognise that a serious invasion of privacy can give rise to claims under the statutory tort that commenced on 10 June 2025; our security measures (clause 8), including session-replay masking, are designed with that in mind.
10Your rights — access, correction, deletion and complaints
10.1 Access and correction
You may request access to, or correction of, your personal information held by us. We will respond within a reasonable period (and in any event within 30 days) and we will not charge for making the request (although we may charge a reasonable fee for the cost of providing access where significant work is required). If we refuse a request, we will give you written reasons and information about how to complain.
10.2 Deletion
You may ask us to delete personal information about you. We will comply except where retention is required by law, necessary for the establishment, exercise or defence of legal claims, or otherwise permitted under the Privacy Act. Where personal information is held by us on behalf of a customer (for example, an administrator’s account record within a customer’s tenant), we will refer the request to the customer in the first instance. Where we hold the information in our own right (for example, a beta-interest or support enquiry under clause 7.5), we will action your deletion request directly.
10.3 Marketing and the Spam Act 2003
We send commercial electronic messages (such as product-update and marketing emails) only where we have your consent — either express consent, or consent that can reasonably be inferred from an existing customer relationship or from an enquiry you have made about products of the kind we offer. Every marketing message will clearly identify us as the sender and include a functional unsubscribe facility. You may opt out at any time using the unsubscribe link in any marketing message, or by emailing privacy@snapjobreports.com; we will action unsubscribe requests within 5 business days. Transactional messages (billing notices, security alerts, service-critical notifications) are not marketing and cannot be opted out of while you have an active account.
10.4 Anonymity and pseudonymity
Where lawful and practicable, you may interact with us anonymously or under a pseudonym. However, most uses of the Services require an identifiable account.
10.5 Complaints
If you believe we have breached the Australian Privacy Principles or this policy, please contact our Privacy Officer at privacy@snapjobreports.com. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au or by phone on 1300 363 992.
11Cookies and similar technologies
The Website and the Services use cookies, local storage and similar technologies. Categories of cookies we use:
- Strictly necessary — required for the Services to function (e.g. authentication, session management, CSRF protection);
- Functional — remember your preferences and improve usability (e.g. language, theme);
- Analytics — help us understand how the Services are used (PostHog product analytics, with input masking and pseudonymous identifiers);
- Error monitoring — capture diagnostic information when errors occur.
You may refuse cookies through your browser settings; however, parts of the Services may not function properly without them. We do not knowingly use cookies for cross-site advertising.
12Photographs and on-site individuals
The Services are designed to capture photographs of equipment, buildings, defects and job-site conditions. From time to time, on-site individuals (occupants, building staff, members of the public) may be incidentally visible in those photographs. We strip EXIF metadata from images captured through the field application, so geolocation coordinates and camera details embedded by the capturing device are not retained in the images we hold. Where photographs identify or are reasonably capable of identifying a person, they may constitute personal information — and, when included in a report PDF, that content is delivered by email through our United States email provider (clause 5.1, clause 6).
If you are a customer of Snap Job Reports, you are responsible for: (i) ensuring you have a lawful basis (including, where required, the consent of identifiable individuals) to capture, store and share such photographs; (ii) any required notices to visible individuals; and (iii) the consequences of sharing generated reports with third parties (such as your own clients), including any individuals identifiable in those reports.
If you believe a photograph or report held by us identifies you and you have not consented, please contact us and we will work with the relevant customer to resolve your concern.
13Individuals outside Australia
The Services are currently offered only to businesses in Australia, and the database and file storage that hold Customer Data are in Sydney. We do not presently target or market the Services to individuals in other countries. If we expand into another region (for example, New Zealand or the United Kingdom), we will update this policy to describe the local privacy protections that apply and notify customers before the change takes effect.
14Automated decision-making and profiling
The Services do not make decisions about individuals that produce legal or similarly significant effects on them solely by automated means. Where features such as automatic photo processing, queue prioritisation or template suggestions are introduced, they are intended to assist the customer’s personnel and remain subject to human review.
15Changes to this policy
We may amend this policy from time to time. The current version is always available at snapjobreports.com/privacy, and the version number and “Effective” date at the top are updated whenever we make changes.
If a change materially reduces your rights or materially increases your obligations, we will give reasonable advance notice — at least 30 days where practicable — to all affected account-holders (not only paid plans) by email or in-product notice before the change takes effect, and we will describe what is changing. Before such a change takes effect, you may close your account and export your data without penalty if you do not agree to it; if you continue to use the Services after a material change takes effect, that constitutes acceptance of it. We will not treat your mere continued use as acceptance of a rights-reducing change unless we have first given you that notice and that opportunity to leave. Minor or non-material updates (for example, clarifications, contact-detail or typographical corrections) take effect when posted.
16How to contact us
For privacy enquiries, requests for access or correction, complaints, or data-breach-related notices:
Privacy Officer — Snap Job Reports
TrueAgent Pty Ltd (ABN 70 636 626 956) ATF The TrueAgent Unit Trust (ABN 54 180 227 297)
79 Grange Road, Sandringham VIC 3191, Australia
Email: privacy@snapjobreports.com