Handover
Last updated · 25 April 2026

Privacy Policy

This Privacy Policy explains what personal information Handover Australia Pty Ltd ("we", "us") collects, how we use it, and your rights under the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).

1. Who we are

Handover Australia Pty Ltd, based in Mermaid Beach, Queensland. Contact: support@handover.au.

2. What we collect

From inspectors (our paying customers)

  • Business name, your name, contact email, contact mobile, business state. Stripe collects your billing address as part of card setup; we don't store it directly.
  • Password (stored hashed — PBKDF2-SHA256, salted, 100k iterations, the Workers platform maximum), login sessions
  • Logo. Inspection agreement PDFs you upload — optional for Building / Pest / Building & Pest (overrides Handover's AS-aligned default), required for Pool Safety where no default ships
  • Stripe customer ID, subscription ID, subscription status, trial end date, billing period end. Card details are sent directly to Stripe at signup via Stripe Elements and never touch our servers — we do not store card numbers.
  • OAuth tokens for Xero + Google (encrypted at rest with AES-GCM)
  • Gmail label IDs we create on your behalf (the parent Handover label and per-client child labels). These let us file your sent emails so your inbox stays tidy; we don't read or scan your existing inbox.
  • Audit log entries (actions, IP, user agent, timestamps)

From clients of inspectors (the people booking inspections)

The inspector using our Service is the data controller for their clients' information. We hold this data as a processor:

  • Name, email, mobile number, property address
  • Signature image (PNG), IP address, device fingerprint, signing timestamp
  • Payment metadata (Stripe payment intent IDs, Xero invoice IDs) — no card details
  • Any special conditions the client types into the booking form

3. How we use it

  • To operate the Service — create bookings, display the active inspection agreement (Handover's AS-aligned default text or the inspector's uploaded PDF override) and store the resulting signed copy, raise invoices in the inspector's Xero, send emails through their Gmail, create calendar events in their Google Calendar.
  • To file the inspector's sent emails into auto-generated Gmail labels (Handover ▸ Client — address) so their inbox stays organised. We only label emails the Service itself sends; we do not read or scan the existing inbox.
  • To bill inspectors (Stripe — the 7-day trial collects a payment method but doesn't charge until day 8) and to store their signed agreements (Cloudflare R2 file storage).
  • To send inspectors transactional email — welcome, password reset, trial warning, subscription lifecycle.
  • To maintain an audit trail for legal + compliance reasons (required for signed agreements under AS 4349.1/.3).
  • To improve the Service (aggregate, de-identified usage metrics).

We do not sell data, use it for third-party advertising, or share it with advertising networks.

4. Where it's stored

  • Database (Cloudflare D1): hosted on Cloudflare's global network. Primary region is configured to serve Australian users from AU edge nodes; the underlying database may be replicated across Cloudflare's global locations for redundancy.
  • Files (Cloudflare R2): logos, signatures, agreement PDFs stored in an R2 bucket with access restricted to the Handover Worker.
  • Email (Resend): transactional emails are sent through Resend. Email metadata is retained by Resend per their policy.
  • Payments (Stripe): all card data is handled directly by Stripe. Stripe is PCI-DSS Level 1 compliant.

5. Retention

  • Active accounts: we keep your data for as long as your account is active.
  • Cancelled accounts: booking records and signed agreements are retained for 7 years to meet AS 4349.1/.3 and insurance requirements, then deleted.
  • Payment records: retained for 7 years per Australian tax law.
  • Audit logs: retained for 2 years.

6. Sub-processors

We share data with these sub-processors only as necessary to operate the Service:

  • Cloudflare — hosting, database, file storage, network
  • Stripe — subscription billing + client payment links
  • Resend — transactional email
  • Google — Gmail send + Calendar events (per-tenant OAuth, inspector-authorised)
  • Xero — invoicing (per-tenant OAuth, inspector-authorised)
  • ClickSend — SMS for the renewal engine (optional, per-tenant, inspector-configured)

7. Your rights (APPs)

Under the APPs you can:

  • Request a copy of your personal information we hold — email support@handover.au.
  • Ask us to correct or delete your data. Inspectors can delete their own bookings and clients from their dashboard; account deletion is via email request.
  • Withdraw consent for marketing (we don't do marketing emails by default — only transactional).
  • Complain to us and, if unsatisfied, to the Office of the Australian Information Commissioner (oaic.gov.au).

8. Security

  • All traffic is served over HTTPS with HSTS enabled (Cloudflare-terminated TLS).
  • Session cookies are HttpOnly, Secure, and SameSite=Lax.
  • Passwords are hashed using PBKDF2-SHA256 with a per-user salt at the maximum iteration count supported by our runtime (100,000). We never store passwords in plain text.
  • OAuth tokens (Xero, Google) are encrypted with AES-GCM before being written to the database. The encryption key is held only as a Cloudflare Worker secret.
  • Stripe webhook events are signature-verified with a 5-minute replay window. Xero webhook events are HMAC-SHA256 verified.
  • Production database is backed up nightly to encrypted object storage with a 30-day retention sweep. Backup integrity is monitored on the admin status page.
  • Access to production secrets is restricted to the named director(s) of Handover Australia Pty Ltd. Secret rotation is logged.

9. Cookies and tracking

We use a single first-party session cookie (hvsess) to keep you logged in. No third-party tracking cookies, no analytics pixels, no advertising or remarketing identifiers.

You can clear the cookie at any time from your browser settings. You'll be logged out, but your account and data remain. If your browser sends a Do Not Track signal, we honour it by default; there is nothing we would track about you anyway.

10. Notifiable data breaches

If we suffer a data breach that is likely to result in serious harm to any affected individual, we will:

  • Notify the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act) within 72 hours of becoming aware, where required by law, and otherwise as soon as practicable.
  • Notify affected inspectors directly by email at the same time, and where they are unable to notify their end-clients we will do so on their behalf.
  • Maintain an incident response process covering containment, root-cause analysis, and post-incident review, with a written record kept for 5 years.

11. International data transfers

Our infrastructure provider (Cloudflare) operates a global network. Although we configure data to be served from Australian edge locations, files in R2 and rows in D1 may be replicated across other Cloudflare regions for redundancy. Where data leaves Australia, it remains protected by Cloudflare's contractual privacy commitments and our own access controls. By using Handover you acknowledge and consent to this cross-border transfer.

12. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from children.

13. Changes to this policy

We'll email you if we change this policy materially. Small wording updates may be made without notice; the last-updated date at the top reflects the most recent change.

14. Contact

Privacy questions or requests: support@handover.au.
