1. Overview
FirstAidLog Pty Ltd ("we", "us", "our") operates FirstAidLog ("the Service"). We are committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and applicable workplace health and safety legislation.
This policy explains what information we collect, why we collect it, how we use, store, and protect it, and your rights regarding your data. It applies to all users of the FirstAidLog web and mobile applications.
2. Information We Collect
2.1 Account Information
| Data | Purpose | Legal Basis |
|---|---|---|
| Full name | Display name, audit trail | Account registration (APP 3) |
| Email address | Authentication, notifications, reports | Account registration (APP 3) |
| Password (hashed) | Authentication | Account registration (APP 3) |
| Organisation name & ABN | Multi-tenancy, access control, compliance | Organisation setup (APP 3) |
| Role assignment | Permission enforcement | Organisation admin action (APP 6) |
2.2 Operational Data (including Health Information)
Under the Privacy Act 1988, health information is classified as sensitive information (s6(1)), requiring explicit consent for collection (APP 3.3), higher protection standards (APP 11), and restrictions on disclosure (APP 6.2(a)).
| Data | Purpose | Protection |
|---|---|---|
| Kit inventories (items, quantities, expiry dates) | Core service functionality | RLS + TLS |
| Incident reports (patient info, injury details) | WHS record-keeping | AES-256-GCM field-level encryption |
| Witness statements & first aider details | WHS compliance, legal records | AES-256-GCM field-level encryption |
| Psychological harm details | Notifiable incident reporting | AES-256-GCM field-level encryption |
| Inspection records (checklist results) | Compliance tracking | RLS + TLS |
| Training records (certificate numbers, qualifications) | Training management | RLS + TLS |
| Location data (GPS coordinates, when permitted) | Kit location, auto-fill | User-controlled permission |
2.3 Lead Capture Data
Certain public tools collect limited information from non-registered visitors:
| Source | Data Collected | Purpose |
|---|---|---|
| Compliance calculator | Email, state, worker count | Deliver detailed results |
| Compliance audit tool | Email, state, audit score | Deliver audit report |
| Inspector directory | Name, email, message | Facilitate inspector contact |
| Blog & guide CTAs | | Deliver requested resource |
Lead data is stored in our database and used only to deliver the requested service and occasional product updates. You may opt out of follow-up communications at any time.
2.4 Inspector Directory Data
Inspectors who opt in to the public directory voluntarily publish their name, company name, states/territories covered, certifications, and a short bio.
- This information is publicly visible on the inspector directory page
- A listing can be removed at any time via profile settings
2.5 Technical Data
- Error logs: Captured via Sentry for debugging (no PII included; sendDefaultPii: false)
- Session replay: Anonymised session recordings on error for debugging purposes
- Device information: Platform, OS version, app version (for compatibility)
- Usage analytics: Feature usage patterns (aggregated, non-identifiable)
3. How We Use Your Information (APP 6)
We only use or disclose personal information for the primary purpose for which it was collected, or a directly related secondary purpose you would reasonably expect:
- Service delivery: Storing, processing, and displaying your kit, incident, inspection, and training data
- Notifications: Sending expiry alerts, low stock warnings, inspection reminders, and email reports
- Security: Authenticating sessions, enforcing role-based access, audit trail logging (including read events for incidents)
- WHS compliance: Maintaining records as required by the Work Health and Safety Act 2011
- Improvements: Aggregated analytics to improve the Service (never sold to third parties)
- Legal compliance: Responding to lawful requests from Australian regulators (SafeWork, OAIC)
We will never sell, rent, or trade your personal information to any third party.
4. Third-Party Services (APP 8)
We use the following third-party processors. All are bound by data processing agreements:
| Service | Purpose | Data Centre Region | Data Sent |
|---|---|---|---|
| Supabase | Database, authentication, storage | Australia (Sydney) | All application data |
| Vercel | Web hosting, API, CDN | Australia (Sydney), global edge | Request/response data |
| Sentry | Error monitoring | US | Error context (no PII) |
| Zoho Mail | Transactional emails (SMTP) | Australia | Recipient email, report content |
| Stripe | Payment processing | US/AU | Payment method, billing email |
| Xero | Accounting integration (optional) | AU/NZ | Organisation name, contact, invoice items |
| QuickBooks Online (coming soon) | Planned accounting integration | US/AU | Organisation name, contact, estimate items if enabled in future |
| Google Analytics (GA4) | Website analytics (public site only) | US | Page views, anonymised usage (no PII) |
OAuth token security: Xero OAuth tokens, and QuickBooks OAuth tokens if that integration is enabled in future, are encrypted at rest using AES-256-GCM before storage. They are never stored in plaintext.
We do not sell, rent, or trade your personal information to any third party.
5. Data Storage & Security (APP 11)
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:
- Encryption in transit: All data transmitted via TLS 1.2+ (enforced via HSTS with preload)
- Encryption at rest: Database encrypted at rest via Supabase (AES-256)
- Field-level encryption: Sensitive medical fields in incident reports (patient details, injury nature, treatment provided, psychological harm details, witness statements) are encrypted with AES-256-GCM at the application layer before reaching the database. The database never stores plaintext medical data.
- Row-Level Security: Every database query is filtered by organisation-based RLS policies — users can only access data belonging to their organisation
- Role-based access: Incident data access is restricted by role — non-managers can only view incidents they created or were shared with
- Password hashing: Managed by Supabase Auth using bcrypt
- Secure storage: Mobile credentials stored in device Secure Store (iOS Keychain / Android Keystore)
- Audit logging: All data access (including reads) and mutations are logged with timestamps, user IDs, IP addresses, and user agents
- Offline data: Queued mutations stored locally in AsyncStorage (native) or localStorage (web) and synced on reconnection
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy, Permissions-Policy, COOP
6. Data Retention (APP 11.2)
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Type | Retention Period | Legal Requirement |
|---|---|---|
| Active account data | Duration of account + 30 days after deletion | Operational necessity |
| Incident reports (serious injury) | 30 years | WHS Act 2011 s274(d) |
| Incident reports (general) | Minimum 5 years | WHS Regulations |
| Inspection records | 5 years | WHS Regulations |
| Training records | Employment + 7 years | Fair Work Act / Tax obligations |
| Audit logs | 7 years | Best practice / tax obligations |
| Financial records | 7 years | Tax obligations |
| Lead capture data | 2 years from collection | Operational |
| Error logs (Sentry) | 90 days | Operational |
| Backups | 7 days rolling | Disaster recovery |
An automated retention policy enforces these periods. When retention periods expire, data is anonymised (aggregate statistics preserved) rather than deleted, except where full deletion is required.
7. Your Rights (APPs 12 & 13)
Under the Australian Privacy Principles, you have the right to:
- Access (APP 12): Request a copy of all personal information we hold about you
- Correction (APP 13): Request correction of inaccurate or outdated personal information
- Deletion: Delete your account via Settings → Delete Account. Your personal data will be removed while preserving anonymised WHS records as required by law. Sole organisation admins must transfer ownership first.
- Export (APP 12): Export your data via the in-app CSV and PDF export features at any time
- Restrict processing: Request that we limit how we use your information
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, email us at privacy@firstaidlog.com. We will respond within 30 days.
8. Collection Notice (APP 5)
When you create an incident report, you will be shown a Collection Notice explaining:
- What personal and health information is being collected
- Why it is being collected (WHS record-keeping obligations)
- Who it may be disclosed to (organisation administrators, regulatory bodies if notifiable)
- How it is protected (AES-256-GCM encryption, role-based access)
- Your rights regarding access, correction, and deletion
You must accept the Collection Notice before submitting personal health information. Consent can be withdrawn at any time by contacting us.
9. Cookies & Tracking
Application (firstaidlog.com)
- Essential cookies: Authentication session tokens (required for the Service to work)
- No advertising cookies: We do not use any advertising or tracking cookies
- No third-party trackers within the application itself
Public website (landing pages, blog, tools)
- Google Analytics (GA4): We use GA4 on our public website pages to understand visitor behaviour (page views, traffic sources, feature interest). GA4 collects anonymised usage data and does not track logged-in application activity.
- No advertising cookies: We do not use advertising or remarketing cookies
10. Children's Privacy
FirstAidLog is designed for workplace use and is not intended for children under 16. We do not knowingly collect information from children. If you believe a child has provided us personal information, please contact us and we will delete it promptly.
11. International Data Transfers (APP 8)
Your primary data is stored in Supabase's Australian (Sydney, ap-southeast-2) region. Some processing occurs internationally:
| Service | Region | Safeguards |
|---|---|---|
| Stripe | US/AU | PCI-DSS Level 1, SCCs |
| Sentry | US | SOC 2 Type II, no PII transmitted |
| Vercel (edge CDN) | Global | SOC 2 Type II, edge caching only |
| QuickBooks Online (coming soon) | US/AU | SOC 1 & 2, user-initiated only if enabled in future |
| Google Analytics | US | Anonymised data only, no PII |
All international transfers are governed by appropriate safeguards, data processing agreements, and the transferee's privacy obligations under APP 8.1.
12. Notifiable Data Breaches (NDB Scheme)
In the event of an eligible data breach, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) within 30 days
- Notify affected individuals as soon as practicable, including a description of the breach, the types of information involved, and steps they can take
- Take immediate remedial action to contain and mitigate the breach
Our internal Notifiable Data Breach Response Plan details our assessment, containment, notification, and review procedures.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top will always reflect the current version.
14. Contact
For privacy-related enquiries:
Privacy Officer
FirstAidLog Pty Ltd
Email: privacy@firstaidlog.com
Queensland, Australia
If you are not satisfied with our response, you may lodge a complaint with the OAIC.