Privacy Policy
Last updated: 20 March 2026
Vero Investments Pty Ltd ABN 14 660 152 269, trading as FatigueGuard ("FatigueGuard", "we", "us", or "our"), is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, disclose, and safeguard your information.
1. Information we collect
We collect the following categories of personal information:
- Identity data: Full name, job title, and employee ID
- Contact data: Email address, phone number, and work location
- Organisation data: Company name, ABN, industry sector, and site locations
- Assessment data: Pre-shift fatigue assessments including Karolinska Sleepiness Scale (KSS) scores, Psychomotor Vigilance Test (PVT) results, reaction time measurements, and fitness-for-duty determinations
- Device data: Mobile device identifiers used for the iOS app
- Usage data: Platform interaction logs, feature usage patterns, and error reports
Sensitive information — fatigue assessment data
KSS scores, PVT results, reaction time measurements, and fitness-for-duty determinations may constitute health information within the meaning of the Privacy Act 1988 (Cth) and are therefore sensitive information. We treat all fatigue assessment data as sensitive information and apply the heightened protections required by APP 3.3.
We collect sensitive assessment data:
- With the express consent of the individual worker (obtained at first login or as arranged by their employer prior to enrolment); or
- Where collection is required or authorised by law, including applicable Work Health and Safety legislation or the Heavy Vehicle National Law
We do not collect sensitive health information beyond fatigue assessment data, and we do not collect financial payment details (these are processed directly by our payment provider, Stripe).
2. How we use your information
We use collected information to:
- Provide and operate the FatigueGuard platform and services
- Generate compliance reports and audit documentation for your organisation
- Send real-time fatigue risk alerts to supervisors and safety managers
- Comply with our legal obligations under WHS legislation and the Heavy Vehicle National Law
- Respond to your support requests and enquiries
- Improve platform performance using aggregated and anonymised data only — individual-level assessment data is never used for product development or benchmarking without separate specific consent
We do not sell personal information to third parties or use it for direct marketing without your consent.
3. How workers are notified
Workers whose fatigue data is collected through the platform are notified of collection under APP 5 as follows:
- Account holders (employers) are contractually required under our Terms of Service to provide workers with a copy of this Privacy Policy before their first assessment is recorded
- Workers are presented with a consent screen on their first login to the FatigueGuard platform or mobile app, confirming the purpose of data collection and their rights
- Workers can access their own fatigue assessment results at any time by contacting their employer's FatigueGuard administrator or by submitting a request to privacy@fatigueguard.com.au
Employers are separately responsible for their own privacy and WHS obligations to their workers. This policy governs FatigueGuard's obligations as a data processor.
4. Data storage and security
Assessment data and compliance records are stored in Australia. Our primary database is hosted on Supabase using the Sydney (ap-southeast-2) AWS region. We implement the following security measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls limiting data access to authorised personnel
- Regular security audits and vulnerability assessments
- Multi-factor authentication required for all platform accounts
5. Disclosure to third parties and overseas recipients
We disclose personal information to the following recipients:
Within your organisation
Supervisors, safety managers, and administrators you have authorised through the platform's role-based access controls. Workers can view their own assessment history. Supervisors can view the workers they manage. Administrators can view all workers in their organisation.
Sub-processors (service providers)
We use the following sub-processors to deliver the platform. Each is engaged under a data processing agreement or equivalent contractual protections:
- Supabase Inc (USA) — database hosting. Assessment data is stored in the Sydney, Australia region. Supabase processes metadata and connection information in the USA
- Amazon Web Services (USA) — backend compute infrastructure hosted in the Sydney (ap-southeast-2) region
- Clerk Inc (USA) — authentication and identity management. User account credentials (name, email, phone) are processed and stored on Clerk's servers in the USA
- Vercel Inc (USA) — web application hosting and edge delivery. Page requests are routed through Vercel's global edge network, which may process request data in countries outside Australia
- Resend Inc (USA) — transactional email delivery (alerts, notifications, receipts)
- Stripe Inc (USA) — payment processing. We pass only the minimum information required for billing; payment card data is never handled by FatigueGuard
- Sentry Inc (USA) — error monitoring. Error reports may contain partial request data; we configure Sentry to scrub personal identifiers before transmission
APP 8 — overseas disclosure
Several sub-processors listed above are located in the United States. Before disclosing personal information to these overseas recipients, FatigueGuard has taken reasonable steps to ensure each recipient will handle information in a manner consistent with the Australian Privacy Principles, including by entering into data processing agreements, standard contractual clauses, or relying on the recipient's certification under recognised privacy frameworks.
By using FatigueGuard, you acknowledge that personal information (including name, email address, and phone number used for authentication) will be transferred to and processed in the United States by Clerk Inc and potentially Vercel Inc. FatigueGuard takes reasonable steps to protect this information but cannot guarantee that overseas recipients will comply with the APPs in all circumstances.
Regulators and law enforcement
We may disclose personal information where required by law, a court order, or a lawful request from a government agency or regulator (including the Office of the Australian Information Commissioner, SafeWork agencies, and the National Heavy Vehicle Regulator).
6. Data retention
We retain data in accordance with applicable regulations:
- Fatigue assessment records: 7 years from the date of record, consistent with the Work Health and Safety Act 2011 and NHVR Heavy Vehicle National Law requirements
- Compliance reports: 7 years from generation — these records are immutable once generated to preserve audit integrity
- Account and billing data: 7 years from the end of your subscription, as required under the Tax Administration Act 1953
- Usage and analytics data: 2 years, in aggregated and anonymised form only
Following the applicable retention period, data is securely deleted using industry-standard data destruction practices, or anonymised such that individuals cannot be re-identified.
7. Your rights under the Australian Privacy Act
Access (APP 12)
You have the right to request access to personal information we hold about you. We will respond to valid access requests within 30 days at no charge. If we are unable to provide access (for example, because doing so would unreasonably impact the privacy of other individuals), we will provide written reasons.
Correction (APP 13)
You have the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. We will respond within 30 days. If we decline to correct information, we will provide written reasons, and you may request that we associate a statement of disagreement with the record. You may also complain to the OAIC about our refusal.
Deletion
You may request deletion of personal information we hold about you, subject to our legal retention obligations (see section 6). We will respond within 30 days.
Workers' right to access health monitoring results
Under applicable Work Health and Safety regulations, workers subject to health monitoring have a statutory right to access the results of their own health monitoring. Workers can request their fatigue assessment history by contacting their employer's FatigueGuard administrator or by emailing privacy@fatigueguard.com.au.
Complaint to the OAIC
If you are not satisfied with our handling of your personal information or with our response to an access or correction request, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
8. Notifiable data breaches
FatigueGuard complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach (being unauthorised access to or disclosure of personal information that is likely to result in serious harm), we will:
- Notify the OAIC as soon as practicable after becoming aware of an eligible data breach
- Notify affected account holders within 72 hours of becoming aware of a breach affecting their workers' data, so that they can fulfil their own NDB obligations
- Notify affected individuals directly (or via public notification where direct contact is not practicable)
9. Cookies and tracking
Our website uses essential cookies for authentication and session management. We use anonymised analytics to understand how the platform is used. We do not use advertising or cross-site tracking cookies.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified to account administrators by email at least 30 days before they take effect. Your continued use of the platform after that date constitutes acceptance of the updated policy. The current version of this policy is always available at fatigueguard.com.au/privacy.
11. Contact for privacy matters
For privacy enquiries, access requests, correction requests, or complaints, contact our Privacy Officer:
- Email: privacy@fatigueguard.com.au
- Post: Privacy Officer, Vero Investments Pty Ltd t/a FatigueGuard, Woodbridge Tasmania 7162, Australia
We will acknowledge your request within 5 business days and respond fully within 30 days.