Privacy Policy
Windrush Solutions PTY LTD (trading as BOS Windrush) | ABN 82 665 004 400
Effective Date: 25 February 2026 | Version: 2026-02-25
1. Introduction
Windrush Solutions PTY LTD (trading as BOS Windrush) ("we", "us", "our") operates the Windrush BOS platform (the "Platform"), a cloud-based job management system for trade and construction businesses.
We are committed to protecting the privacy of your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information.
2. Information We Collect
We collect the following categories of personal information:
2.1 Account Information
- Full name
- Email address
- Password (stored only in hashed form; we never store plaintext passwords)
- Role within the Platform (e.g., admin, manager, field worker)
2.2 Business Information
- Company name
- Australian Business Number (ABN)
- Business address
- Business phone number
- Industry type
2.3 Employee and Team Data
- Employee names and email addresses
- Employment roles and skills
- Hourly rates and pay information
- Certifications and expiry dates
- Induction records
- Injury records and incident reports
- Timesheet data
2.4 Financial Data
- Invoice and quote details (amounts, line items, dates)
- Payment records processed through Stripe
- Subscription billing details (Stripe manages card details; we do not store full card numbers)
- Purchase order information
2.5 Job and Operational Data
- Job descriptions, statuses, and schedules
- Site addresses and location data
- Contact details for customers and suppliers
- Material and inventory records
- Safe Work Method Statements (SWMS)
2.6 Uploaded Content
- Documents, photos, and files uploaded to the Platform
- PDF drawings, takeoff files, and estimation data
2.7 Technical and Usage Data
- IP address
- Browser type and version
- Device information
- Pages visited and features used within the Platform
- Session duration and timestamps
- Error logs and performance data
3. How We Use Your Information
We use your personal information for the following purposes:
- Providing the Services — to operate the Platform, manage your Account, and deliver the features of your Subscription.
- Billing and Payments — to process Subscription payments, issue invoices, and manage your billing relationship.
- Communication — to send transactional emails (e.g., invoices, password resets, notifications), respond to support requests, and provide Account-related notices.
- AI-Assisted Estimation — to process estimation and takeoff data through our AI estimation engine for generating quotes and pricing recommendations.
- Improvement and Analytics — to analyse usage patterns, diagnose technical issues, and improve the Platform's features and performance.
- Legal Compliance — to comply with applicable laws, regulations, and legal processes, and to protect our legal rights.
- Security — to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
4. Third-Party Disclosures
We share personal information with the following third-party service providers, each for a specific and limited purpose:
| Provider | Purpose | Data Shared | Server Location |
|---|---|---|---|
| Supabase | Database hosting and authentication | All Platform data | Sydney, Australia (AWS ap-southeast-2) |
| Cloudflare | File storage (R2) and CDN | Uploaded documents, photos, drawings | Global (data stored in APAC) |
| Stripe | Payment processing and Subscription billing | Name, email, payment method details, billing address | United States |
| Anthropic | AI-powered estimation and analysis engine | Estimation/takeoff data, job descriptions (no personal identification data sent unless contained in uploaded documents) | United States |
| Resend | Transactional email delivery | Recipient email addresses, email content (invoices, notifications) | United States |
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
We may also disclose personal information:
- Where required or authorised by law (e.g., court orders, regulatory requests);
- To enforce our Terms of Service;
- To protect the safety, rights, or property of Windrush BOS, our users, or the public; or
- In connection with a merger, acquisition, or sale of all or a portion of our business (with prior notice to affected users).
5. Cross-Border Data Transfers
Your primary data is stored on Supabase-managed infrastructure in Sydney, Australia (AWS Asia-Pacific region).
However, certain data is transferred to servers in the United States when processed by:
- Stripe (payment processing)
- Anthropic (AI estimation services)
- Resend (email delivery)
These transfers are necessary to provide the Services. We take reasonable steps to ensure that these providers maintain appropriate data protection practices. Where feasible, we minimise the personal information sent to overseas providers (e.g., Anthropic receives estimation data but not personal contact details unless embedded in uploaded documents).
By using the Platform, you acknowledge and consent to these cross-border transfers as described in this section.
6. Data Security
We implement the following security measures to protect your personal information:
- Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest — Database storage is encrypted at rest using AES-256 encryption.
- Password Security — Passwords are hashed using industry-standard algorithms; we never store plaintext passwords.
- Access Controls — Multi-tenant data isolation ensures that each business can only access its own data. Role-based access controls restrict data access within each Account.
- Row-Level Security — PostgreSQL row-level security (RLS) policies enforce tenant data isolation at the database level.
- Regular Updates — We apply security patches and updates to our infrastructure and dependencies on a regular basis.
- Monitoring — We monitor the Platform for security incidents and anomalies.
No method of electronic storage or transmission is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
7. Access and Correction (APPs 12 and 13)
Under the Australian Privacy Principles, you have the right to:
- Access your personal information held by us (APP 12). You can access most of your information directly through the Platform (Account settings, data export features).
- Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13).
To make an access or correction request, contact us at info@windrush.net.au. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
We will not charge you for making an access request. However, we may charge a reasonable fee for providing access if the request is manifestly excessive or if you request information in a specific format that requires significant effort.
If we refuse a correction request, we will provide you with a written explanation of our reasons and the mechanisms available to you to complain about the refusal.
8. Data Retention and Deletion
- Active Accounts. We retain your personal information for as long as your Account is active and as necessary to provide the Services.
- Closed Accounts. Upon Account termination, you have a 30-day window to export your data. After this period, we will delete your data within a reasonable timeframe (generally within 90 days), except where retention is required by law (e.g., financial records under Australian tax law must be retained for at least 5 years).
- Backups. Residual copies of data may persist in encrypted backups for up to 90 days after deletion, after which they are automatically purged.
- Anonymised Data. We may retain anonymised, aggregated data that cannot be used to identify you for analytical and improvement purposes.
9. Cookies and Tracking
- Essential Cookies. The Platform uses essential cookies to maintain your session, remember your authentication state, and store your preferences. These cookies are strictly necessary for the Platform to function.
- Analytics. We may use anonymised analytics tools to understand how the Platform is used. We do not use third-party advertising cookies or trackers.
- Local Storage. The Platform may store non-personal preference data (e.g., sidebar state, theme preference) in your browser's local storage.
10. Notifiable Data Breaches
In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988, we will:
- Take reasonable steps to contain and assess any suspected data breach.
- Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable if we determine that a breach is likely to result in serious harm.
- Provide a statement to the OAIC that includes the nature of the breach, the types of information involved, and our recommended steps for affected individuals.
11. Privacy Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you may lodge a complaint as follows:
- Step 1 — Contact Us. Email your complaint to info@windrush.net.au with a description of the issue. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
- Step 2 — Escalation. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
  - Website: www.oaic.gov.au
  - Phone: 1300 363 992
  - Post: GPO Box 5218, Sydney NSW 2001
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Platform with at least 14 days' notice. The "Effective Date" at the top of this policy indicates when it was last updated.
13. Contact Us
Windrush Solutions PTY LTD (trading as BOS Windrush)
ABN: 82 665 004 400
Address: 7/121 Old Pittwater Road, Brookvale, NSW 2100
Email: info@windrush.net.au
Phone: 0431 151 159
This Privacy Policy was last updated on 25 February 2026.