Privacy Policy
Version 2026-05-16 · Last updated: 16 May 2026
This Privacy Policy explains how VQS Capital Pty Ltd (ABN 69 682 623 990), trading as SecureRoster ("we", "us"), collects, uses, holds and discloses personal information through the SecureRoster mobile app and admin web app (together, the "Service"). It reflects our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Information we collect (APP 3 + APP 5)
What we collect depends on your role (security guard, manager, admin, super admin) and which features your employer has enabled.
Account & identity
- Full name (first + last)
- Email address
- Mobile phone number
- Role (super admin, admin, manager, employee/guard, patrol guard flag)
- Profile photo (optional)
Employment & HR (guards only)
- Residential address (street, suburb, state, postcode)
- Date of birth
- Emergency contact name, phone and relationship
- Employment type (casual / part-time / full-time / contractor), agreed weekly hours, employment start date
Banking & tax (guards only, opt-in)
These categories are stored in a separate profile_payroll table with stricter access controls — only the guard themselves and the org owner/admin can read them. Managers cannot.
- Bank name, BSB, account number, account name
- Tax File Number (TFN) and tax residency status
- Superannuation fund name, USI, member number, fund ABN
Licensing & compliance
- Security licence number, state, expiry date and photo of the licence card
- RSA (Responsible Service of Alcohol) certificate number, expiry and photo
- First Aid certificate expiry and photo
- Policy acknowledgments (which policy version you accepted, and when)
Operational activity
- Shift schedule, accepted / declined status, availability, leave entries
- Sign-on / sign-off timestamps (stamped by our server clock, not your phone)
- GPS coordinates at the moment of sign-on, sign-off, and panic-button activation only — never between shifts
- Timesheet adjustments (billable hours, hourly-rate edits — admin only)
- Incident reports you submit (title, description, category, severity, time, venue) and any photos you attach
- Edit history for incident reports (who changed what, when)
- Patrol checkpoint scans, when patrol features are enabled
- Panic / SOS events: timestamp, your user account, the shift in progress, and your GPS coordinates at the moment of activation, sent immediately to admins and managers in your organisation
Communications
- In-app messages you send (1:1 chats and per-venue group chats), including any photos shared
- Read-receipt timestamps
- System-generated alerts you've received and read
- Questions you type into the in-app AI help chat (see §4 below)
Third-party information you enter
When you use the Service to record information about people who are not SecureRoster users, that information is also stored. Categories include:
- Venue contact names, phone numbers and email addresses (e.g. venue manager, billing contact)
- Patron watchlist entries: photos, names/aliases, descriptions, banned-until dates, and the reason for inclusion
- People named or pictured in incident reports (patrons, visitors, third parties)
Your employer is the data controller for this third-party information. Their incident-management and watchlist practices must comply with the Privacy Act and any state laws on photographing / recording the public.
Technical & device
- Expo / Apple / Google push notification tokens (so we can send alerts to your device)
- Authentication session tokens stored locally on your device
- TOTP factor metadata if you enrol in two-factor authentication (the secret itself stays in your authenticator app)
- Standard server access logs (IP address, user-agent, paths) for security and abuse detection
Sensitive information
Incident reports may include sensitive information under APP 3 (for example: details of a medical incident, intoxication state of a patron, or a recorded BAC reading). Banking and tax data is also sensitive personal information. We treat both categories with the heightened protections APP 3.3 and APP 11 require.
2. Why we collect each item
- Identity & contact: to operate your account and reach you about your shifts.
- HR data (address, DOB, emergency contact): employer record-keeping obligations under Fair Work Australia; we hold them as processor on your employer's behalf.
- Banking & tax: so your employer can pay you, lodge superannuation contributions, and report PAYG. Stored only because the payroll integrations we offer (Xero, MYOB coming) need them on file.
- Licence details and photos: to meet NSW SLED Master Licence record-keeping obligations on behalf of your employer, and to power expiry warnings in the app.
- GPS at sign-on/off and panic events: to verify you are at the rostered venue (geo-fence of 25 metres) and to give responders your location in an emergency. Never collected outside those events.
- Incident reports: to maintain the electronic incident register your employer is required to keep under the Security Industry Act 1997 (NSW) and equivalent state legislation.
- Watchlist: so guards rostered at a venue are aware of patrons of concern before incidents escalate.
- Messages: to enable operational communication between guards, managers and admins within an organisation.
- Push tokens: to deliver shift, sign-on, licence-expiry, panic, message and acknowledgment alerts.
- AI help chat: to answer your questions about how to use the app.
- Server access logs: security monitoring and breach detection.
3. Who can see your information
- You: your own profile, shifts, incidents, licences, banking/tax details, message threads, and policy acknowledgments.
- Your employer's admins and super admin: your full profile, HR fields, banking & tax (admin/super_admin only), licence photos and details, shift records, sign-on/off events, GPS coordinates at sign-on/off and panic events, incident reports you filed, your message threads with them, and your hourly pay rate.
- Your employer's managers: the same as admins except they cannot see banking & tax or the audit log.
- Other guards in your organisation: only what's relevant to a shared shift — your name in venue group chats you're both members of, your name on shared shift assignments. Not your contact details, HR data, banking, or licence numbers.
- Other organisations using SecureRoster: nothing. Every personal-information table is partitioned by org via Row-Level Security; cross-org access is technically impossible.
- We do not sell your information to third parties. We do not use it for advertising or for any purpose unrelated to operating the Service.
4. In-app AI help chat
The admin web app includes a help chat powered by Google Gemini. When you send a message:
- The text of your message and your current page path (e.g. /sites) are sent to Google's Gemini API.
- Your name, email, organisation, and any record data are not sent.
- The chat assistant has no database access — it can only answer general "how does this feature work" questions.
- On the free Google AI Studio tier, Google may use messages to improve its models. Don't paste sensitive data (TFNs, banking, incident specifics, patron details) into the chat. The chat panel displays this warning under the input box.
- Your conversation history is stored only in your browser's localStorage and can be cleared from the chat panel.
5. Where your information is stored (APP 8)
Primary storage is in Australia in the Supabase Sydney region (ap-southeast-2). All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Push notifications are delivered via Apple Push Notification Service and Firebase Cloud Messaging. The push token and the notification payload (a short message and a deep link) pass through those services' global infrastructure. No incident body content, banking details, or sensitive information is included in notifications.
The AI help chat sends your typed messages to Google's Gemini API, which routes globally.
If your employer connects an accounting integration (Xero), banking, tax, timesheet and venue contact data is transmitted to that integration to create payroll records and invoices. Xero stores that data per Xero's own privacy policy.
A full list of third-party services we use is at /subprocessors.html.
6. How long we keep your information
- Incident reports and attached photos: 7 years from the incident date, then permanently deleted (subject to a legal-hold override).
- Sign-on / sign-off records and GPS coordinates: 7 years from the date of the shift.
- Panic / SOS events: 7 years from activation.
- Banking & tax data: retained while your account is active and for 7 years after termination to meet ATO record-keeping obligations.
- Policy acknowledgments: retained for the life of your employment plus 7 years.
- In-app messages: 2 years from the date sent.
- Audit log of changes (who edited what, when): retained indefinitely. This record is append-only and cannot be modified.
- Alerts and notifications: 2 years.
- AI help chat history: stored only in your browser (localStorage). Cleared when you sign out, clear it manually, or clear your browser data.
- Profile and roster records: kept while your account is active. After you delete your account, your profile is marked deleted and permanently removed within 30 days, except for records we are required to retain under SLED, Fair Work or tax law.
These retention windows are enforced by an automated daily purge that writes proof of each run to our audit log.
7. Security (APP 11)
We protect your information with:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Row-Level Security on every personal-information table — your data is technically inaccessible to other organisations using SecureRoster.
- Stricter RLS on banking, tax and superannuation data — managers are explicitly blocked; only you and the org admins/super_admin can read it.
- Multi-factor authentication available for every account; we recommend it for admins, managers and super admins.
- An append-only audit trail for changes to incident records, Master Licence details, organisation settings and staff data.
- Server-stamped timestamps for sign-on/off — your phone clock cannot tamper with attendance records.
- Anomaly detection that alerts admins to unusual rates of compliance-relevant actions.
8. Your rights (APP 12 + APP 13)
- Access: download a copy of your information by emailing privacy@secureroster.com.au. We respond within 30 days.
- Correction: update your details from My Profile → Edit account, HR or Banking & Tax. Contact us if you cannot correct them yourself.
- Deletion: delete your account from Settings → Delete account (super admins) or by asking your org's super admin (other roles). Records we are required to keep for compliance are retained per §6 and then deleted automatically.
- GPS consent: you can revoke OS-level location permission at any time in your phone's Settings app. Sign-on and panic events will not work without it — talk to your employer if you need an alternative.
- Notification consent: opt out of any notification category from Settings → Notifications (web) or the Settings screen on mobile. Push notifications can also be disabled at the OS level.
- Complaint: if you believe we have mishandled your information, contact us first; if unresolved you may complain to the OAIC at oaic.gov.au.
9. Children
The Service is intended for adults employed in the security industry. We do not knowingly collect information from anyone under 18.
10. Changes to this policy
We may update this policy. Material changes will be communicated through the Service and by email to admin contacts. The "Version" string at the top of this page increments on each material change. You will be asked to re-accept the policy at the next sign-in following a material change.
11. Contact
Privacy questions and requests: privacy@secureroster.com.au
Security-vulnerability disclosure: security@secureroster.com.au (see also /.well-known/security.txt).
General support: support@secureroster.com.au