LuminarIQ Privacy Policy

1. About This Policy

LuminarIQ ("we", "us", "our") is committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (as amended in 2024) and the 13 Australian Privacy Principles (APPs).

This policy explains how we collect, use, store, and protect your personal information when you use our business management software for Australian trade businesses.

Privacy Officer Contact: admin@luminariq.com.au

2. Information We Collect

We collect the following categories of personal information:

Information You Provide Directly:

• Account Information: Name, email address, phone number, business name, ABN
• Business Data: Client names and contact details, job information, invoice details, quotes, timesheet data
• Financial Information: Payment method details (processed securely by Stripe), billing history, subscription information
• Documents & Photos: Site photos, receipts, expense documents, uploaded files
• Communications: Support inquiries, feedback, email correspondence

Information Collected Automatically:

• Usage Data: Features used, login times, pages viewed, actions taken within the app
• Device Information: IP address, browser type, device type, operating system
• Location Data: General location from IP address; GPS location if using GPS tracking add-on (with your consent)
• Cookies & Similar Technologies: Session cookies, authentication tokens, preference settings

Information From Third-Party Sources:

• Business Data: ABN details from Australian Business Register (ABR) for business verification
• Accounting Data: Client and invoice data from Xero (if you enable Xero integration)
• Payment Data: Transaction confirmations from Stripe payment processor

3. Data Storage Location

Hosting Infrastructure:

• Database: PostgreSQL hosted on Supabase Sydney (AWS ap-southeast-2 region)
• Application: Hosted on Replit cloud infrastructure
• Region: Asia Pacific (Sydney) - Australian data residency

Benefits of Australian Data Hosting:

• Data sovereignty - your business data remains in Australia
• Faster performance - reduced latency for Australian users
• Privacy compliance - aligned with Australian privacy expectations
• No exposure to foreign data access laws for your database

Our Commitment to Your Data:

• We will notify you of any government access requests to the extent legally permitted
• We will challenge overly broad or inappropriate requests where appropriate
• We maintain strong encryption and security controls to protect your data (see Section 5)
• We remain fully accountable under Australian Privacy Principles

Third-Party Processors Located Overseas:

• Stripe (Payment Processing): Ireland and United States - PCI DSS certified, GDPR compliant
• Twilio (SMS Services): United States - ISO 27001 certified
• OpenAI (AI Receipt Scanning): United States - SOC 2 Type II certified
• Gmail SMTP (Email Delivery): United States - Google Cloud infrastructure

All third-party processors are bound by contractual agreements requiring them to comply with Australian Privacy Principles and maintain appropriate security standards.

4. How We Use Your Information

We use your personal information for the following purposes:

Service Delivery:

• Provide access to LuminarIQ features (client management, job tracking, invoicing, quotes)
• Process payments and manage subscriptions
• Sync data with Xero accounting software (if enabled)
• Send transactional notifications (job reminders, payment confirmations, booking alerts)
• Provide customer support and respond to inquiries

Service Improvement:

• Analyze usage patterns to improve features and user experience
• Troubleshoot technical issues and fix bugs
• Develop new features based on user needs

Marketing & Communications (With Your Consent):

• Send product updates, new feature announcements, and promotional offers
• Provide tips and educational content about using LuminarIQ
• You can opt-out of marketing emails anytime via unsubscribe links or account settings

Legal & Compliance:

• Comply with legal obligations and court orders
• Prevent fraud, abuse, and security incidents
• Enforce our Terms of Service
• Respond to data breach incidents

5. Data Security - Technical & Organizational Measures (APP 11.3)

We implement comprehensive security measures to protect your personal information from misuse, interference, loss, unauthorized access, modification, or disclosure:

Technical Security Measures:

• Encryption:
  • Data in transit: TLS 1.3 encryption for all connections
  • Data at rest: Database encryption using industry-standard algorithms
  • Password storage: Bcrypt hashing with salt (passwords never stored in plain text)
• Access Controls:
  • Multi-factor authentication (MFA) available for all users
  • WebAuthn biometric authentication for enhanced security
  • Role-based access controls for team members
  • Session management with automatic timeout
• Infrastructure Security:
  • Secure cloud hosting with redundant infrastructure
  • Firewall protection and intrusion detection
  • Regular automated backups with encryption
  • DDoS protection and rate limiting
• Application Security:
  • Input validation and sanitization to prevent injection attacks
  • Cross-Site Scripting (XSS) protection
  • Cross-Site Request Forgery (CSRF) tokens
  • Secure API endpoints with authentication

Organizational Security Measures:

• Access Management: Principle of least privilege - staff access limited to data necessary for their role
• Security Policies: Documented information security policies and procedures
• Employee Training: Regular privacy and security awareness training
• Incident Response: Documented data breach response plan with defined escalation procedures
• Vendor Management: Security assessments of third-party service providers
• Monitoring & Logging: Activity logging and monitoring for suspicious behavior
• Regular Reviews: Periodic security audits and vulnerability assessments

While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but commit to:

• Continuously updating our security practices
• Promptly addressing identified vulnerabilities
• Notifying you of any data breaches as required by law (see Section 6)

6. Data Breach Notification

Under the Notifiable Data Breaches (NDB) scheme, we are required to notify you if a data breach is likely to result in serious harm to you or your business.

What Constitutes a Notifiable Breach:

• Unauthorized access to or disclosure of personal information
• Loss of personal information in circumstances where unauthorized access or disclosure is likely
• The breach is likely to result in serious harm (financial loss, identity theft, reputational damage, etc.)

Our Breach Response Process:

1. Detection & Assessment: Investigate suspected breaches within 24 hours of discovery
2. Containment: Immediately contain the breach to prevent further unauthorized access
3. Notification (as soon as practicable):
   • Notify the Office of the Australian Information Commissioner (OAIC)
   • Notify affected individuals via email to registered account address
   • Post prominent notice in the application dashboard
4. Remediation: Take steps to remediate the breach and prevent recurrence

Information We'll Provide in Breach Notifications:

• Description of the breach and what data was affected
• When the breach occurred and when we became aware of it
• Types of personal information involved
• Steps we've taken to contain and remediate the breach
• Recommendations for steps you should take (e.g., change passwords, monitor accounts)
• Contact information for further inquiries

How to Report Suspected Breaches: If you suspect unauthorized access to your account or a potential data breach, immediately contact us at admin@luminariq.com.au or change your password in account settings.

7. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We share your information only in the following limited circumstances:

Essential Service Providers:

• Payment Processing: Stripe (to process subscription payments and invoices)
• SMS Delivery: Twilio (to send job reminders, payment notifications, booking alerts if you enable SMS add-ons)
• Email Delivery: Gmail SMTP (to send transactional and marketing emails)
• AI Processing: OpenAI (to process receipt images if you use AI receipt scanning add-on)
• Cloud Hosting: Replit (to host and store application data in the United States)

Integrations You Enable:

• Xero: If you connect your Xero account, we sync client and invoice data bidirectionally
• Australian Business Register (ABR): We query ABR for business name lookups based on ABN you provide

Legal Obligations:

• When required by Australian law, court order, or government authority
• To comply with subpoenas, warrants, or other legal processes
• To protect our legal rights or defend against legal claims
• To prevent fraud, security incidents, or illegal activity

Business Transfers:

If LuminarIQ is acquired, merged, or sold, your information may be transferred to the new owner. We will notify you before your information becomes subject to a different privacy policy.

With Your Consent:

We may share information in other circumstances with your explicit consent.

8. Your Privacy Rights (Australian Privacy Principles)

Under the Australian Privacy Act, you have the following rights:

Right to Access (APP 12):

• Request access to your personal information we hold
• Receive a copy of your data in a portable format (CSV export available in app)
• We'll respond within 30 days and provide access free of charge (or explain any fees)

Right to Correction (APP 13):

• Request correction of inaccurate, incomplete, or out-of-date information
• Update most information directly in your account settings
• We'll respond within 30 days and make corrections or explain why we can't

Right to Complain:

• Lodge a privacy complaint about how we've handled your information
• We'll investigate and respond within 30 days (see Section 9 for complaint process)

Right to Withdraw Consent:

• Opt-out of marketing communications anytime (unsubscribe links in emails or account settings)
• Disable optional features that process personal data (GPS tracking, AI receipt scanning)
• Disconnect integrations (Xero) at any time

Right to Data Portability:

• Export all your data (clients, jobs, invoices, photos) in CSV format
• Available anytime from account settings

Right to Deletion:

• Request deletion of your account and associated data
• Data is permanently deleted 30 days after account termination (see Section 10)

How to Exercise Your Rights: Contact us at admin@luminariq.com.au with your request. We may need to verify your identity before processing certain requests.

9. Privacy Complaint Handling Process

If you believe we have mishandled your personal information or breached the Australian Privacy Principles, you have the right to lodge a complaint.

Step 1: Contact Our Privacy Officer

• Email: admin@luminariq.com.au
• Subject line: "Privacy Complaint"
• Include: Your name, contact details, description of the issue, and desired outcome

Step 2: Our Investigation Process

• We'll acknowledge your complaint within 7 business days
• We'll investigate thoroughly and impartially
• We may contact you for additional information
• We'll provide a written response within 30 days (or explain if we need more time)

Step 3: Our Response Will Include:

• Our findings and whether we found a breach occurred
• What steps we'll take to address the issue (if applicable)
• Your right to escalate to the OAIC if you're unsatisfied

Step 4: Escalation to OAIC

If you're not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Mail: GPO Box 5218, Sydney NSW 2001

The OAIC will investigate independently and may take enforcement action if they find a breach of the Privacy Act.

10. Data Retention

Active Accounts:

• We retain your data while your account is active and for as long as necessary to provide services
• Business data (clients, jobs, invoices) is retained indefinitely while your subscription is active

Trial Accounts:

• 14-day free trial period with full feature access
• 7-day grace period after trial expiration for upgrade
• Data is permanently deleted 21 days after trial start if no upgrade (14-day trial + 7-day grace)

Cancelled/Terminated Accounts:

• After account cancellation, you have 30 days to export your data
• Data is permanently and irreversibly deleted after 30 days
• We cannot recover data after permanent deletion
• Recommendation: Export your data before cancelling (CSV export in account settings)

Legal Retention Requirements:

• Financial records (invoices, payments) may be retained longer if required by Australian tax law (typically 7 years)
• Data required for ongoing legal matters or disputes is retained until resolution

Backup Retention:

• Automated backups are retained for disaster recovery purposes
• Backup copies are also deleted according to the retention schedule above

11. Cookies & Tracking Technologies

We use cookies and similar technologies to provide and improve our service:

Essential Cookies (Required for Service):

• Session Cookies: Keep you logged in and maintain your session
• Authentication Tokens: Verify your identity and prevent unauthorized access
• Security Cookies: Protect against cross-site request forgery (CSRF) attacks

Functional Cookies (Enhance Experience):

• Preference Cookies: Remember your settings and preferences
• Feature Cookies: Enable specific features you've activated

Analytics (With Consent):

• Usage analytics to understand how you interact with LuminarIQ
• Performance monitoring to identify and fix technical issues
• You can opt-out in account settings

Managing Cookies: You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from using LuminarIQ.

12. Children's Privacy

LuminarIQ is a business management tool designed for adults operating trade businesses. We do not knowingly collect personal information from individuals under 18 years of age.

If we become aware that we've collected information from someone under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact admin@luminariq.com.au.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect:

• Changes in our services or business practices
• Changes in privacy laws and regulations
• New features or technologies

How We'll Notify You:

• Email notification to your registered email address
• Prominent notice in the app dashboard
• Updated "Last Updated" date at the top of this policy
• At least 30 days notice before material changes take effect

Your Continued Use: Continuing to use LuminarIQ after changes constitutes acceptance of the updated policy. If you don't agree with changes, you may cancel your account.

Version History: Previous versions are available upon request by contacting admin@luminariq.com.au.

14. Contact Us

For any privacy-related questions, concerns, or requests:

Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au