Privacy Policy
Last updated: 16 April 2026
Vero Investments Pty Ltd ABN 14 660 152 269, trading as FatigueGuard ("FatigueGuard", "we", "us", or "our") is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and safeguard your information when you use the FatigueGuard web platform and iOS mobile application.
1. Information we collect
We collect the following categories of personal information:
- Identity data: Full name, job title, and employee ID
- Contact data: Email address, phone number, and work location
- Organisation data: Company name, ABN, industry sector, and site locations
- Assessment data: Pre-shift fatigue assessments including Karolinska Sleepiness Scale (KSS) scores, Samn-Perelli fatigue rating scores, Psychomotor Vigilance Test (PVT) results and reaction time measurements, composite fatigue scores, and fitness-for-duty determinations
- Device data: A device-scoped identifier (Apple's identifierForVendor) transmitted from the iOS app with each assessment submission to support deduplication. This identifier is not linked to your Apple ID or any advertising profile, and resets when all apps from the same developer are removed from the device.
- Usage data: Platform interaction logs, feature usage patterns, task completion records, and error reports
Sensitive information — fatigue assessment data
KSS scores, Samn-Perelli scores, PVT reaction time measurements, and fitness-for-duty determinations may constitute health information within the meaning of the Privacy Act 1988 (Cth) and are therefore sensitive information. We treat all fatigue assessment data as sensitive information and apply the heightened protections required by APP 3.3.
We collect sensitive assessment data:
- With the express consent of the individual worker (obtained at first login or as arranged by their employer prior to enrolment); or
- Where collection is required or authorised by law, including applicable Work Health and Safety legislation or the Heavy Vehicle National Law
We do not collect sensitive health information beyond fatigue assessment data, and we do not collect financial payment details (processed directly by our payment provider, Stripe).
2. How we use your information
We use collected information to:
- Provide and operate the FatigueGuard platform and services
- Generate compliance reports and audit documentation for your organisation
- Send real-time fatigue risk alerts to supervisors and safety managers
- Comply with our legal obligations under WHS legislation and the Heavy Vehicle National Law
- Respond to your support requests and enquiries
- Improve platform performance using aggregated and anonymised data only — individual-level assessment data is never used for product development or benchmarking without separate specific consent
We do not sell personal information to third parties or use it for direct marketing without your consent.
3. How workers are notified
Workers whose fatigue data is collected through the platform are notified of collection under APP 5 as follows:
- Account holders (employers) are contractually required under our Terms of Service to provide workers with a copy of this Privacy Policy before their first assessment is recorded
- Workers are presented with a consent screen on their first login to the FatigueGuard platform or mobile app, confirming the purpose of data collection and their rights
- Workers can access their own fatigue assessment results at any time by contacting their employer's FatigueGuard administrator or by submitting a request to privacy@fatigueguard.com.au
Employers are separately responsible for their own privacy and WHS obligations to their workers. This policy governs FatigueGuard's obligations as a data processor.
4. Data storage and security
Assessment data and compliance records are stored in Australia. Our primary database is hosted on Supabase using the Sydney (ap-southeast-2) AWS region. We implement the following security measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls limiting data access to authorised personnel
- Regular security audits and vulnerability assessments
- Multi-factor authentication required for all platform accounts
5. iOS Mobile Application
The FatigueGuard iOS app collects and handles data as described below, in addition to the general practices set out in this policy.
Data stored locally on your device
The iOS app stores the following data directly on your device:
- Assessment history (up to 90 records): stored in the Application Support directory using iOS Data Protection with CompleteFileProtection. This means the file is encrypted by iOS and cannot be accessed while the device is locked.
- Worker session and PIN: stored in the iOS Keychain with the AfterFirstUnlockThisDeviceOnly access policy. This data never leaves the device and cannot be backed up to iCloud or transferred to another device.
- Pending assessments queue: assessments completed while offline are temporarily stored in encrypted local storage until they are successfully synced to the server. Once synced, the local copy is removed.
Device identifier
The iOS app uses Apple's UIDevice.identifierForVendor — a per-device, per-developer identifier that is:
- Not linked to your Apple ID, iCloud account, or any advertising profile
- Not shared with any third party or advertising network
- Used only to deduplicate assessment submissions (prevent duplicate records if a submission is retried)
- Automatically reset when all FatigueGuard apps are removed from the device
Face ID and Touch ID
The FatigueGuard iOS app optionally uses Apple's LocalAuthentication framework to allow workers to sign in with Face ID or Touch ID. FatigueGuard does not access, process, store, or transmit any biometric data at any time. All biometric matching occurs entirely within Apple's Secure Enclave on the device. FatigueGuard receives only a binary pass/fail result from the operating system.
Deleting your local data
Workers can delete all locally stored assessment history and any pending (not-yet-synced) assessment records from within the app at any time via Settings → Clear My Assessment Data. This action permanently removes the data stored on that device. It does not affect records already successfully synced to your employer's FatigueGuard account; to request deletion of server-side records, contact privacy@fatigueguard.com.au.
6. Disclosure to third parties and overseas recipients
We disclose personal information to the following recipients:
Within your organisation
Supervisors, safety managers, and administrators you have authorised through the platform's role-based access controls. Workers can view their own assessment history. Supervisors can view the workers they manage. Administrators can view all workers in their organisation.
Sub-processors (service providers)
We use the following sub-processors to deliver the platform. Each is engaged under a data processing agreement or equivalent contractual protections:
- Supabase Inc (USA) — database hosting. Assessment data is stored in the Sydney, Australia region. Supabase processes metadata and connection information in the USA.
- Amazon Web Services (USA) — backend compute infrastructure hosted in the Sydney (ap-southeast-2) region.
- Clerk Inc (USA) — authentication and identity management. User account credentials (name, email, phone) are processed and stored on Clerk's servers in the USA.
- Vercel Inc (USA) — web application hosting and edge delivery. Page requests are routed through Vercel's global edge network, which may process request data in countries outside Australia.
- Resend Inc (USA) — transactional email delivery (alerts, notifications, receipts).
- Stripe Inc (USA) — payment processing. We pass only the minimum information required for billing; payment card data is never handled by FatigueGuard.
- Sentry Inc (USA) — error monitoring. Error reports may contain partial request data; we configure Sentry to scrub personal identifiers before transmission.
- Apple Inc (USA) — iOS app distribution via the App Store. Apple's handling of your data in connection with the App Store is governed by Apple's Privacy Policy.
APP 8 — overseas disclosure
Several sub-processors listed above are located in the United States. Before disclosing personal information to these overseas recipients, FatigueGuard has taken reasonable steps to ensure each recipient will handle information in a manner consistent with the Australian Privacy Principles, including by entering into data processing agreements, standard contractual clauses, or relying on the recipient's certification under recognised privacy frameworks.
By using FatigueGuard, you acknowledge that personal information (including name, email address, and phone number used for authentication) will be transferred to and processed in the United States by Clerk Inc and potentially Vercel Inc. FatigueGuard takes reasonable steps to protect this information but cannot guarantee that overseas recipients will comply with the APPs in all circumstances.
Regulators and law enforcement
We may disclose personal information where required by law, a court order, or a lawful request from a government agency or regulator (including the Office of the Australian Information Commissioner, SafeWork agencies, and the National Heavy Vehicle Regulator).
7. Data retention
We retain data in accordance with applicable regulations:
- Fatigue assessment records: 7 years from the date of record, consistent with the Work Health and Safety Act 2011 and NHVR Heavy Vehicle National Law requirements
- Compliance reports: 7 years from generation — these records are immutable once generated to preserve audit integrity
- Account and billing data: 7 years from the end of your subscription, as required under the Tax Administration Act 1953
- Usage and analytics data: 2 years, in aggregated and anonymised form only
- Local device data (iOS app): Retained on the device until the worker clears it via Settings, uninstalls the app, or the device is reset. A maximum of 90 assessment records are stored locally at any time.
Following the applicable retention period, data is securely deleted using industry-standard data destruction practices, or anonymised such that individuals cannot be re-identified.
8. Your rights under the Australian Privacy Act
Access (APP 12)
You have the right to request access to personal information we hold about you. We will respond to valid access requests within 30 days at no charge. If we are unable to provide access (for example, because doing so would unreasonably impact the privacy of other individuals), we will provide written reasons.
Correction (APP 13)
You have the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. We will respond within 30 days. If we decline to correct information, we will provide written reasons, and you may request that we associate a statement of disagreement with the record. You may also complain to the OAIC about our refusal.
Deletion
You may request deletion of personal information we hold about you, subject to our legal retention obligations (see section 7). We will respond within 30 days. Workers may also delete locally stored assessment data from their device via Settings → Clear My Assessment Data in the iOS app.
Workers' right to access health monitoring results
Under applicable Work Health and Safety regulations, workers subject to health monitoring have a statutory right to access the results of their own health monitoring. Workers can request their fatigue assessment history by contacting their employer's FatigueGuard administrator or by emailing privacy@fatigueguard.com.au.
Complaint to the OAIC
If you are not satisfied with our handling of your personal information or with our response to an access or correction request, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
9. Notifiable data breaches
FatigueGuard complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach (being unauthorised access to or disclosure of personal information that is likely to result in serious harm), we will:
- Notify the OAIC as soon as practicable after becoming aware of an eligible data breach
- Notify affected account holders within 72 hours of becoming aware of a breach affecting their workers' data, so that they can fulfil their own NDB obligations
- Notify affected individuals directly (or via public notification where direct contact is not practicable)
10. International users — GDPR and UK GDPR
While FatigueGuard is primarily targeted at Australian organisations, workers employed by multinational organisations may use the platform from within the European Economic Area (EEA) or the United Kingdom. In those circumstances, the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK GDPR (as retained in UK law by the Data Protection Act 2018) may apply in addition to the Australian Privacy Act.
Legal basis for processing (GDPR Article 6 and 9)
- Performance of a contract (Art. 6(1)(b)): processing necessary to provide the platform to the employer-subscriber.
- Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, and aggregated service improvement, where these interests are not overridden by the data subject's interests or fundamental rights.
- Explicit consent (Art. 9(2)(a)): processing of health-adjacent data (fatigue scores, reaction times) is conducted on the basis of explicit consent obtained through the employer at enrolment.
- Occupational health and safety (Art. 9(2)(b)): where processing is necessary for carrying out obligations and exercising specific rights in the field of employment and social security and social protection law.
Additional rights for EEA and UK residents
In addition to the rights described in section 8, EEA and UK residents have:
- Right to data portability (Art. 20 GDPR): the right to receive personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller where technically feasible.
- Right to object (Art. 21 GDPR): the right to object to processing based on legitimate interests. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to restrict processing (Art. 18 GDPR): the right to request restriction of processing in certain circumstances (e.g. while the accuracy of data is being verified).
International data transfers under GDPR
Transfers of personal data from the EEA or UK to Australia are conducted on the basis that Australia has been assessed as providing an adequate level of protection for personal data. Transfers from Australia to the United States (via sub-processors listed in section 6) rely on Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (where applicable), or equivalent safeguards.
For GDPR-specific enquiries or to exercise your GDPR rights, contact privacy@fatigueguard.com.au. We will respond within 30 days (one month) as required by the GDPR.
11. Cookies and tracking
Our website uses essential cookies for authentication and session management. We use anonymised analytics to understand how the platform is used. We do not use advertising or cross-site tracking cookies. The iOS app does not use cookies.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified to account administrators by email at least 30 days before they take effect. Your continued use of the platform after that date constitutes acceptance of the updated policy. The current version of this policy is always available at fatigueguard.com.au/privacy.
13. Contact for privacy matters
For privacy enquiries, access requests, correction requests, or complaints, contact our Privacy Officer:
- Email: privacy@fatigueguard.com.au
- Post: Privacy Officer, Vero Investments Pty Ltd t/a FatigueGuard, Woodbridge Tasmania 7162, Australia
We will acknowledge your request within 5 business days and respond fully within 30 days.