Privacy Policy

Last updated: 15 February 2025

1. Introduction

This Privacy Policy describes how Provvio ABN 58 419 205 595 ("Provvio," "we," "us," or "our") collects, uses, discloses, and protects personal information through our website at provvio.com, our mobile applications, and our cloud-based field-service platform (collectively, the "Service").

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), applicable United States state privacy laws, and the General Data Protection Regulation ("GDPR") to the extent it applies.

By accessing or using the Service you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, company name, job title, and password when you register.
  • Billing information: Payment card details and billing address are collected and processed by our payment processor, Stripe. We do not store full card numbers on our servers.
  • Client and site data: Names, addresses, contact details, and service notes for your clients and job sites that you enter into the Service.
  • Communications: Any information you provide when you contact us at [email protected].

2.2 Information Collected Automatically

  • GPS / location data: When field workers check in or check out of a job site using our mobile app, we collect precise GPS coordinates. Location data is collected only during active check-in/check-out events and is not tracked continuously in the background.
  • Photos: Photos taken through the Service (e.g., proof-of-service evidence, checklist item photos) are uploaded and stored in association with the relevant visit record.
  • Device and usage information: Device type, operating system, browser type, IP address, pages viewed, features used, and timestamps.
  • Cookies and similar technologies: See Section 7 below.

2.3 Information from Third Parties

We may receive information from third-party integrations you enable (e.g., accounting software) and from our service providers described in Section 5.

3. How We Use Your Information

We use personal information for the following purposes:

  • Providing, maintaining, and improving the Service;
  • Processing transactions and managing subscriptions;
  • Recording GPS check-ins and photographic evidence for proof-of-service reporting;
  • Generating automated visit reports for you and your clients;
  • Sending transactional emails (e.g., account verification, visit summaries, billing receipts);
  • Communicating with you about product updates, security alerts, and support;
  • Detecting and preventing fraud, abuse, and security incidents;
  • Complying with legal obligations; and
  • Analysing usage to improve the Service (aggregated and de-identified where practicable).

3.1 Legal Bases for Processing (GDPR)

Where the GDPR applies, we process personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the Service).
  • Legitimate interests: Improving the Service, preventing fraud, ensuring security.
  • Consent: Where you have provided consent (e.g., marketing communications). You may withdraw consent at any time.
  • Legal obligation: Compliance with applicable laws.

4. GPS Location Data and Photo Data

GPS data is a core feature of the Service. It is collected when a field worker initiates a check-in or check-out at a job site via the mobile app. GPS coordinates are stored with the visit record and used to verify that the worker was physically present at the designated site. GPS data is not collected in the background or outside of explicit check-in/check-out actions.

Photo data (including EXIF metadata) is collected when a user takes photos through the Service for proof-of-service or checklist purposes. Photos are stored securely and associated with the relevant visit, site, or checklist item.

Account administrators (employers) can access GPS and photo data for visits conducted by their team members. This data may also be shared with clients through automated visit reports or the client portal, as configured by the account administrator.

5. Third-Party Services

We use the following third-party service providers that may process personal information on our behalf:

  • Stripe (payments): Processes billing and payment card information. See Stripe's Privacy Policy.
  • Resend (transactional email): Delivers emails on our behalf. See Resend's Privacy Policy.
  • OpenStreetMap (mapping): Map tiles are loaded in the browser/app. OpenStreetMap may collect IP addresses. See OSM Foundation Privacy Policy.
  • Cloud hosting providers: Our infrastructure is hosted on reputable cloud platforms that maintain industry-standard security certifications.

We require our service providers to process personal information only as instructed and in compliance with applicable privacy laws.

6. Disclosure of Personal Information

We may disclose personal information to:

  • Third-party service providers as described in Section 5;
  • Your employer or account administrator (if you are an invited team member);
  • Your clients (via visit reports and client portal, as configured by the account administrator);
  • Professional advisers (lawyers, accountants, auditors);
  • Law enforcement or government agencies where required by law, regulation, court order, or governmental request;
  • A successor entity in connection with a merger, acquisition, or sale of assets (you will be notified of any change in ownership or control); and
  • Any other party with your consent.

We do not sell your personal information. We do not share personal information for cross-context behavioural advertising.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies: Session management, authentication, and security.
  • Analytics cookies: Understanding how visitors use our website to improve the Service.

You can control cookies through your browser settings. Disabling essential cookies may impair your ability to use the Service.

We do not respond to Do Not Track ("DNT") signals because there is no industry-accepted standard for DNT. However, we honour Global Privacy Control ("GPC") signals as required by applicable law.

8. Data Retention

We retain personal information for as long as your account is active or as necessary to provide the Service to you. When you cancel your account, we will delete or de-identify your personal data within 90 days, except where retention is required by law, necessary for dispute resolution, or needed to enforce our agreements.

Visit records (including GPS data and photos) are retained for the duration of the account subscription plus a 90-day grace period after account cancellation, unless the account administrator requests earlier deletion.

9. Data Security

We implement industry-standard technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. International Data Transfers

Provvio is operated from Australia. If you access the Service from outside Australia, your information may be transferred to and processed in Australia and other countries where our service providers operate. We take reasonable steps to ensure that overseas recipients handle personal information in accordance with the APPs (APP 8) and, where the GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses.

11. Your Rights

11.1 Australian Privacy Act

Under the APPs, you have the right to:

  • Access the personal information we hold about you (APP 12);
  • Request correction of inaccurate, out-of-date, or incomplete information (APP 13); and
  • Complain to us or the Office of the Australian Information Commissioner ("OAIC") if you believe we have breached the APPs.

11.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose;
  • Delete your personal information, subject to legal exceptions;
  • Correct inaccurate personal information;
  • Opt out of the sale or sharing of personal information (we do not sell or share your data for cross-context behavioural advertising); and
  • Not be discriminated against for exercising your privacy rights.

To exercise these rights, contact us at [email protected]. We will verify your identity before processing requests.

Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address); commercial information (billing, subscription); geolocation data (GPS check-ins); internet/electronic activity (usage data, device info); visual information (photos); professional information (company, job title).

11.3 European Economic Area, United Kingdom, and Switzerland (GDPR)

If the GDPR applies to you, you additionally have the right to:

  • Request restriction of processing;
  • Object to processing based on legitimate interests;
  • Receive your data in a structured, commonly used format (data portability);
  • Withdraw consent at any time; and
  • Lodge a complaint with your local supervisory authority.

11.4 Other US State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may exercise similar rights to access, delete, correct, and opt out. Contact us at [email protected].

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without verified parental consent, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, please contact us:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.