1. Who we are

Aviaur is a business operations platform for service and infrastructure-maintenance businesses in New Zealand and Australia. We provide tools across scheduling, procurement, safety, retail, asset management, document control, and competency tracking. This policy explains how we collect, use, share, and protect personal information when you use the Aviaur platform — whether as a contractor, business administrator, customer, property manager, field worker, or visitor to our public services such as the free JHA tool.

This policy is the headline view; our retention rules and indefinite-retention categories are detailed at Data Retention, and your contractual relationship with Aviaur is at Terms of Service.

2. Information we collect

• Account details — name, email, phone, role, business details, the account's competency assignments and qualifications.
• Property and job information — addresses, parcel references (Land Information New Zealand identifiers where available), job descriptions, photos, access notes, and on-site observations.
• Safety and compliance records — JHA submissions, HAZOP study uploads and extracted records, incident reports and investigations, competency evidence (uploaded certificates, course completions, expiry dates), worker timeclock records.
• Operational data — messages between job participants, approval decisions, audit logs, timestamps, role and configuration changes.
• Payment records — transaction references and status. Aviaur does not store full card numbers or CVV data; payment processing is handled by PCI-compliant providers.
• Wizard interaction data — for users of the public JHA wizard, we record which hazards you accept, dismiss, or add. This data is used to refine the shared safety library and is anonymised before it influences the library.
• Device and usage data — IP address, browser type, page and feature usage timestamps. Used for security, fraud prevention, and platform improvement.
• Cookie and tracking data — see Section 7 for details on essential cookies, analytics, and advertising cookies.

3. How we use information

• Service delivery — coordinating jobs, dispatching contractors, managing approvals, generating invoices and evidence packs.
• Safety and compliance — meeting NZ Health and Safety at Work Act 2015 obligations (and Australian WHS equivalents), processing notifiable events, maintaining tamper-evident chains of custody from upstream HAZOP through field JHAs to incident records.
• Competency tracking and verification — confirming worker qualifications against trade-required competencies, where you have provided evidence or where a regulator API (such as NZQA) confirms the credential.
• Payments and audit trail — processing transactions, maintaining financial records required by NZ Inland Revenue and the Australian Tax Office.
• Support, dispute resolution, and legal requests — responding to tickets, working through disputes, providing information to regulators or law enforcement when legally required.
• Platform security — detecting fraud, preventing abuse, enforcing policy, investigating incidents.
• Service improvement — analysing how the platform is used so we can make it better. Where this involves identifying individuals, we aggregate or anonymise first.

4. Sharing and disclosure

We share personal information only when it is required to deliver services, comply with the law, or where you have explicitly opted in.

• With contractors assigned to your job — your job location, contact details, and any safety information relevant to the work.
• With property managers and landlords — property and job data for properties they manage or own.
• With your business's administrators — your competency status, timeclock entries, and operational records when you are part of an Aviaur business workspace.
• With trusted service providers — cloud hosting (Supabase, Vercel, Railway), email and notifications, payment processors (Stripe), advertising and analytics where you have consented (Google AdSense, Facebook Pixel).
• With regulators and law enforcement — when legally required, including in response to lawful requests or to meet notifiable-event obligations under NZ HSWA 2015 or Australian WHS Act.
• With issuing bodies for credential verification — where you have uploaded a regulated credential (e.g. NZQA qualification, EWRB endorsement), we may verify the credential against the issuing body's API. The query contains only the identifiers required to verify the credential.

5. Anonymised aggregation and industry bulletins

With opt-in consent, Aviaur aggregates incident and safety data across workspaces to produce industry-wide safety bulletins. These bulletins are designed to surface patterns (e.g. "workplaces in this region experienced this kind of incident this quarter") that benefit the wider trades and industrial community.

The aggregation is governed by strict privacy protections:

• K-anonymity threshold — no incident contributes to a bulletin unless at least 5 similar incidents have been reported across distinct workspaces.
• Time delay — minimum 7 days between an incident report and any aggregation pass that includes it.
• Geographic rollup — bulletins surface at the regional level (Auckland, NSW, etc.), never at street, suburb, or facility level.
• Worker anonymity — no worker names, no demographic detail, no employer identification.
• Opt-in consent — sharing is OFF by default. You actively opt in at the point of finalising a JHA or incident record. You can withdraw consent for future records at any time. Aggregations already generated cannot be reversed because the de-identification is irreversible by design.

6. Cross-border processing

Aviaur uses cloud providers that may process data outside New Zealand or Australia (notably, our database provider Supabase operates regions including Sydney; certain analytics and email providers operate in the United States and the European Union). We take reasonable steps to ensure overseas recipients protect information in line with Australian Privacy Principle 8 (APP 8) and New Zealand Information Privacy Principle 12 (IPP 12). Where a processor cannot demonstrate equivalent protection, we do not transfer data to them.

7. Cookies, analytics, and advertising

Aviaur uses cookies in three categories. You can decline analytics and advertising cookies at any time through your browser settings. We are introducing a cookie consent banner as part of our public-marketing surface rollout — when it ships, you will be able to manage all three categories from a single control on any Aviaur page.

• Strictly necessary — session management, security tokens, role preferences. These are required for the platform to function and cannot be disabled.
• Analytics — measuring which features are used, identifying performance issues, improving the service. We may use first-party analytics and, where you have opted in, third-party analytics providers.
• Advertising — Aviaur runs paid advertising campaigns on Facebook (Meta Pixel) and Google (Google Ads). On the public JHA tool, Aviaur also serves ads via Google AdSense to support the free service. These cookies are governed by the provider's own retention policies — typically 30 to 540 days. Cookies set by these services follow the browser's Do Not Track signal where you have enabled it.

8. Payment handling

All payment processing is handled by PCI-compliant third-party providers. Aviaur does not store full payment card numbers, CVV codes, or bank account credentials. We retain transaction references and status for audit, reconciliation, and dispute handling. Where we facilitate payments between customers and contractors via Stripe Connect, the contractor's Stripe account holds the funds — Aviaur does not act as a custodian of payment funds.

9. Data retention and deletion

Aviaur retains data only for as long as needed for operational, legal, and compliance purposes. Our complete retention schedule is at Data Retention. Two notable categories deserve flagging here:

• Property-anchored records. Photos, JHAs, asset histories, and documents tied to a specific property are retained indefinitely against the property identifier (typically a Land Information New Zealand parcel reference). Personal identifiers are removed at the operational expiry point; what remains is structural and maintenance history that travels with the address rather than the owner. This creates a long-term record useful to future owners, contractors, and inspectors.
• Evidence packs. Once an evidence pack is generated for a job, it cannot be deleted. The pack's SHA-256 hash chain forms a court-admissible record of work performed, who performed it, and the safety controls in place at the time. Evidence packs are retained for the full limitation period of any potential legal claim arising from the work.

10. Security

Aviaur uses encryption in transit (TLS 1.2+), encryption at rest for sensitive data, role-based access controls, audit logging, and least-privilege service architecture. All access to personal data is logged. We perform regular security reviews and respond to identified vulnerabilities promptly. Our backend infrastructure runs on Railway and our frontend on Vercel; our primary database is Supabase (PostgreSQL with PostGIS) hosted in ap-southeast-2 (Sydney).

11. Your rights

Under the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988, you have the right to:

• Request access to personal information Aviaur holds about you.
• Request correction of inaccurate or out-of-date information.
• Request deletion of information that is no longer required (subject to retention obligations described in Data Retention).
• Receive a copy of your personal information in a portable format.
• Withdraw consent for non-essential processing (analytics cookies, advertising cookies, anonymised aggregation opt-in).
• Opt out of marketing communications at any time.
• Lodge a complaint with the relevant privacy regulator (see Section 13).

12. Changes to this policy

We may update this policy from time to time as our services and legal obligations evolve. Material changes will be communicated through the platform. The "Last updated" date at the top of this page indicates the most recent revision. Your continued use of Aviaur after a material change constitutes acceptance of the updated policy.

13. Contact and complaints

For all privacy-related requests — access, correction, deletion, portability, consent withdrawal, or complaints — contact the Aviaur Privacy Officer through the Aviaur Help Centre. Your request will be acknowledged within 5 business days and resolved within the period set by applicable privacy law (typically 20 working days under NZ Privacy Act, 30 calendar days under AU Privacy Act).

If you are not satisfied with how Aviaur handles your privacy request, you may contact the relevant regulator:

• New Zealand: Office of the Privacy Commissioner — privacy.org.nz.
• Australia: Office of the Australian Information Commissioner — oaic.gov.au.