Privacy Policy

1. Who we are

SiteSphere Pty Ltd (ABN 93 697 450 338) is the entity responsible for handling personal information collected through the SiteSphere platform. Our registered address is Melbourne, Victoria, Australia. We can be contacted about privacy matters at privacy@sitesphere.com.au.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as set out in that Act. This policy is written to comply with APP 1.4.

2. The kinds of personal information we collect

Personal information collected depends on your role and how you interact with the platform.

Account information

• Full name, email address, mobile phone number.
• Role within your business (worker, leading hand, supervisor, business admin, payroll manager, client admin).
• Business affiliation (which workspace you belong to).
• Authentication credentials (hashed password, OAuth tokens).

Worker profile information

• Home address, emergency contact details.
• Trade qualifications, licence numbers (e.g. A-Class electrical licence), TAFE achievement year, apprentice year started.
• Tax-related information needed for payroll: Tax File Number, superannuation fund and member number, bank account details for wage payment.
• Payroll classification, employment type, casual start date.

Operational information

• Timesheets you submit: hours worked, projects, sites, cost codes, allowances claimed, materials used.
• Expense submissions: receipts, amounts, descriptions, photos.
• Crew sheet approval records (who approved what, when, with what notes).

Device and location data (mobile app only)

• GPS location at check-in / check-out — only when you grant permission and only at the moment of an explicit check-in action.
• NFC tag scans, Bluetooth beacon proximity, QR code scans — only at the moment you explicitly initiate a check-in.
• Device push token (for delivering notifications about your shifts and pay).

Communication data

• Email and SMS opt-in records, delivery state, bounce/failure metadata returned by our email and SMS providers.
• Magic-link tokens issued for supervisor and client portal access (single-use, short-lived).

Technical data

• IP address, user-agent string, basic request logs.
• Auth session metadata (login time, refresh events).

3. How we collect personal information

• Directly from you: when you sign up, complete onboarding, submit a timesheet or expense, contact us.
• From your employer (the business admin): when you are invited to a workspace, your employer provides your name, email, role, and (for payroll workers) initial profile details.
• From your device: when you grant the mobile app the permissions it asks for (location, camera, NFC, Bluetooth, notifications).
• From third parties: if your employer connects their Xero account to SiteSphere, we may receive your employee record from Xero for synchronisation.

4. Why we collect it (purposes)

• To provide the SiteSphere service — record timesheets, calculate pay against the applicable enterprise agreement, generate invoices, push pay runs and invoices to your business accounting platform.
• To meet your employer's record-keeping obligations under the Fair Work Act 2009 (Cth) and the Australian Taxation Office requirements (which may require us to retain payroll records for a minimum of seven years after you cease employment).
• To deliver transactional notifications (pay run ready, invoice ready, supervisor approval requests).
• To verify check-in identity at construction sites where the site operator requires it.
• To respond to support requests, investigate incidents, and improve the service.
• To comply with Australian law.

5. Who we share it with

Within your business

Your employer (the business that invited you to SiteSphere) sees the personal information they need to administer your employment — your timesheets, allowances, classification, pay rate, and the records needed to calculate your wages. Other workers in the business do not see your information except where required for crew supervision (e.g. a leading hand who submits a timesheet on behalf of a crew).

With your business's clients

When your employer issues an invoice to one of their clients, the client may see hours you worked on their projects and the cost codes those hours were attributed to. Clients never see your pay rate, your bank details, your TFN, or any personal information not directly related to project billing.

Third-party service providers

We use the following processors. Each is bound by a data processing arrangement that limits their use of your information to providing services to us:

• Supabase — database, authentication, file storage. Hosted in Australian region (Sydney). Acts as our primary data infrastructure.
• Resend — transactional email delivery (account emails, supervisor magic links, pay run / invoice notifications). Email content traverses Resend's infrastructure during delivery.
• ClickSend (a Sinch company) — SMS delivery (supervisor magic links, OTP-style notifications). Australian provider with AU Alpha Sender ID.
• Xero — payroll and accounting integration, when your business connects a Xero tenant. Personal information flows between SiteSphere and Xero only within your business's authorised tenant.
• Google Places (Maps Platform) — address autocomplete used to confirm AU addresses you enter. We send the partial address you type; Google returns suggestions.
• Railway — application hosting infrastructure.
• Vercel — marketing site hosting infrastructure.
• Apple App Store / Google Play — distribution of the SiteSphere mobile apps. They handle the device push token registration we use to deliver notifications.

When required by law

We may disclose personal information when required by Australian law, court order, or to assist a law enforcement investigation with appropriate authority.

What we don't do

We do not sell your personal information. We do not share it with advertising networks. We do not run third-party trackers inside the authenticated app. The marketing website at https://sitesphere.com.au may use Google Analytics 4 — see our Cookies notice for details and how to opt out.

6. Cross-border transfers

Our primary infrastructure (Supabase) is hosted in Australia. Transactional email (Resend) is delivered from infrastructure that may include United States data centres. Some service providers we use are headquartered overseas. Where personal information is transferred outside Australia, we take reasonable steps to ensure the recipient is bound by privacy obligations substantially similar to the APPs.

7. How long we keep it

• Account information: for the life of your account.
• Worker payroll records: for the life of your employment plus a minimum of seven years thereafter, to meet our customers' obligations under the Fair Work Act and the ATO. We retain only the minimum necessary fields after employment ends.
• Operational data (timesheets, expenses, crew sheets): retained while the related payroll record is retained.
• Email and SMS delivery logs: 12 months for troubleshooting.
• Authentication tokens: session tokens expire after a short period of inactivity; refresh tokens rotate regularly and are revoked on sign-out.
• Mobile location data: stored on the device by default; only the timestamp and location of an explicit check-in action is uploaded, and only when you grant location permission.

8. Your rights

You have the right to:

• Access the personal information we hold about you. Most of it is visible inside the app — your profile, your timesheets, your expense submissions.
• Correct your personal information. Profile fields are editable in the app; for fields you can't edit yourself, contact your business admin or email privacy@sitesphere.com.au.
• Request deletion of your account. See our Account Deletion page for the full process and the legal limits on what we can delete.
• Lodge a complaint with us about how we handle your personal information. If you're not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9. How we keep your information secure

See our Security page for the full detail. Headlines:

• All connections to SiteSphere use TLS 1.2 or above.
• Data is encrypted at rest using AES-256 inside Supabase.
• Multi-tenancy is enforced at the database via row-level security — workers from one business cannot read data belonging to another business.
• OAuth tokens for connected services (Xero) are encrypted with AES-256-GCM before being stored.
• We follow the Notifiable Data Breaches scheme and will notify affected individuals and the OAIC if a breach meets the notification threshold.

10. Cookies and tracking

See our Cookies notice for the full breakdown. The marketing website uses essential cookies and Google Analytics. The authenticated app uses session cookies only — no third-party trackers.

11. Children

SiteSphere is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe a child has submitted information through our platform, contact privacy@sitesphere.com.au and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The effective date at the top of this page reflects the latest substantive change. For material changes, we will notify active users by email or in-app notice before the change takes effect.

13. Contact us

Privacy enquiries: privacy@sitesphere.com.au
General enquiries: support@sitesphere.com.au
Postal address: SiteSphere Pty Ltd, Melbourne, Victoria, Australia.