1. Introduction
Welcome to SpringFire. Your privacy is important to us.
SpringFire ("we", "us", or "our") is a multi-tenant software-as-a-service (SaaS) platform. We are committed to protecting the personal information you share with us, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
SpringFire is provided to you through a business arrangement between us and the organisation (the "Provider") that has given you access to the platform. This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you interact with our services, including the SpringFire web portal, our iOS and Android mobile app, and public-facing pages such as booking forms, intake forms, and service directory listings.
By using our platform, you agree to the terms outlined in this policy. Your Provider may maintain their own privacy policy and terms of service, the current versions of which are presented to you during sign-in and account activation.
2. Information we collect
SpringFire collects personal information that is reasonably necessary for the delivery of our services. The categories of data we collect depend on your role within the platform.
2.1 Member data
When you are registered as a member (client/participant) on the platform, we may collect:
- Identity: First name, last name, middle name, date of birth, gender, nationality, marital status, religion, languages
- Contact: Email address, phone number, physical address (street, suburb, state, postcode, coordinates)
- Account: Username, profile photo, account status, unique identifier
- Service: Member type, service preferences, referral type, timezone, notes and description
- Real-time location at check-in: Precise coordinates (latitude, longitude, and accuracy in metres) captured via the mobile app when you check in or out at a service. These coordinates are used to validate that you are within the configured proximity range of the service location (geofence) and are persisted on the check-in record for audit and compliance purposes.
- Compliance: Privacy policy acceptance timestamp, terms acceptance timestamp, marketing opt-in preference, consent records, account activation status
2.2 Staff data
When you are registered as a staff member, we may collect: identity, contact, account, employment (type, department, access level, daily work hours, pay grade, clock-in status), and compliance data — including privacy and terms acceptance records.
Real-time location at clock-in and clock-out: When you start or end a shift via the mobile app, we capture your precise coordinates (latitude, longitude, and accuracy in metres). These coordinates are used to validate proximity to the configured shift or worksite location (geofence) and are then submitted to the Google Maps Platform for reverse-geocoding into a human-readable street address. The derived address is persisted on your timesheet record. Raw coordinates are not stored on staff timesheets but are transmitted to Google as described in Section 5.1.
2.3 Contact data
Contact records (for example, emergency contacts, next of kin, external contacts) may include name, email, phone, date of birth, role, type, description, and photo.
2.4 Technical and usage data
When you access and use SpringFire, we automatically collect: IP address, user agent (browser type and version), authentication events (login timestamps, failed login attempts, account lockout events), and consent interactions (records of policy acceptance, withdrawal, and version tracking).
2.5 Provider (organisation) data
Providers who subscribe to SpringFire provide their business name, legal name, ABN, business email, phone, website and social URLs, address and coordinates, branding assets, and payment information processed via Stripe (we only store the last four digits of the card, card type, and expiry).
3. How we collect information
- Account creation and onboarding — when a Provider creates an account for you, or when you register via an activation link
- Platform usage — as you use scheduling, forms, flows, bookings, messaging, and document features
- Public forms and bookings — when you submit information via publicly accessible forms or booking pages hosted on the platform
- Direct communication — when you contact us for support, feedback, or respond to surveys
- Automated technical collection — browser and device information collected automatically during your sessions
- Third-party integrations — Google Maps Platform is used for address autocomplete, place lookups, and reverse-geocoding of real-time clock-in and check-in coordinates submitted by authenticated staff and members through the mobile app (see Section 5.1)
We do not collect personal information by unlawful or unfair means. Where practicable, we collect personal information directly from you (APP 3.5).
4. How we use your information
SpringFire uses your personal information for the following purposes, each linked to the relevant Australian Privacy Principle:
- Service delivery (APP 6) — to provide, maintain, and improve the platform
- Authentication and security (APP 6) — to verify identity, manage sessions, enforce 2FA, detect unauthorised access, maintain audit trails
- Communication (APP 6) — transactional messages such as booking confirmations, shift reminders, 2FA codes, password resets, and flow notifications
- Workforce coordination (APP 6) — geofence validation at staff clock-in/out and member check-in/out events to confirm presence within the configured proximity range of a worksite or service location; storage of derived address strings (staff timesheets) and raw coordinates (member check-ins) for compliance, audit, and dispute resolution
- Marketing (APP 6, with explicit opt-in consent) — promotional communications and service updates, withdrawable at any time
- Compliance and legal (APP 6, 11, 12; NDB scheme) — to comply with legal obligations and maintain audit records
- Billing and payments (APP 6) — subscription payments, invoicing, and billing via Stripe
- AI-assisted features (APP 6 with notice) — generating form and workflow templates from natural language prompts (see Section 11)
We do not use your personal information for purposes unrelated to the above without your consent, except where permitted by law (APP 6.2).
5. Disclosure of your information
We do not sell, rent, or trade your personal information to third parties.
5.1 Service providers (sub-processors)
| Provider | Purpose | Data shared | Jurisdiction |
|---|---|---|---|
| AWS S3 | File and document storage | Uploaded documents, photos, logos | Australia (ap-southeast-2, Sydney) |
| Microsoft Azure SQL | Primary database hosting | All application data (encrypted) | Australia |
| SendGrid (Twilio Inc.) | Transactional and marketing email | Recipient email, name, email content | United States |
| Twilio | SMS delivery | Recipient phone, message text | United States |
| Stripe | Payment processing | Business name, email, customer ID, payment amounts | United States (with Australian entity) |
| Google Maps Platform | Address autocomplete and reverse-geocoding | Address queries; real-time clock-in / check-in coordinates from authenticated mobile app sessions, submitted for reverse-geocoding into a street-address string | United States |
| AWS Bedrock (Anthropic Claude models) | AI-assisted template, form, flow and document-scan generation | Provider category and business name, user-supplied prompts, and document images uploaded for scanning — no member/staff PII is explicitly shared | Australia (Sydney + Melbourne, ap-southeast-2 / ap-southeast-4) |
| Retell AI (Retell Inc.) | Optional AI voice calling — inbound and outbound automated phone conversations, booking creation, member verification (opt-in per Provider, disabled by default) | Real-time call audio, call transcripts and metadata, agent configuration, member identity (when verified), booking context | United States |
We maintain a Third-Party Processor Register within the platform, recording each processor's name, purpose, data categories, country, data processing agreement status, and privacy policy URL.
5.2 Your Provider
Your personal information is accessible to the Provider organisation that manages your account. The Provider's access is governed by role-based access controls (RBAC) configured within the platform.
5.3 Legal and regulatory disclosure
We may disclose your personal information where required or authorised by Australian law or court order, a lawful request from law enforcement or regulatory authorities, or the Privacy Act 1988 (Cth) and its exceptions under APP 6.
5.4 Business transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify affected users and Providers of any such transfer.
5.5 Google Business Profile (Provider-authorised connection)
Where a Provider chooses to connect their Google Business Profile to SpringFire — either by signing in with Google (OAuth) or by inviting SpringFire's service account as a manager of their profile — SpringFire accesses and manages that Provider's own Google Business Profile on their behalf through Google's Business Profile APIs, using the https://www.googleapis.com/auth/business.manage scope.
This connection involves the Provider's business-listing information only — business name, address, opening hours, description, categories, website and phone number, posts, photos, the "Book online" action link, and customer reviews of the Provider. It does not involve member or staff personal information. We store only the OAuth tokens required to maintain the connection, encrypted at rest, and a Provider can revoke access at any time by disconnecting the integration in SpringFire or by removing SpringFire's access from their Google account.
Limited Use. SpringFire's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Information obtained through the Business Profile APIs is used solely to provide and improve the connected features the Provider has authorised; it is never sold, used for advertising, or transferred to others except as necessary to provide those features, to comply with applicable law, or in connection with a merger or acquisition. Human access to this information occurs only with the Provider's consent, for security or legal purposes, or where required to operate the feature.
6. Data storage and security
6.1 Where we store your data
All SpringFire customer data is hosted within Australia — database in Microsoft Azure SQL (Australian data centre), files in AWS S3 (Sydney region, ap-southeast-2). By using SpringFire, you consent to the storage and processing of your personal data within Australia in accordance with this policy.
Generative-AI processing in Australia. All generative-AI processing — form generation, flow generation, document scanning, invoice and receipt extraction, prompt refinement, and provider website setup assistance — is performed by AWS Bedrock in the Sydney region (ap-southeast-2). Content submitted to these features is processed and discarded in-region; no copies are transferred overseas for AI processing.
6.2 Cross-border data transfers
Some of our sub-processors (SendGrid, Twilio, Stripe, Google Maps Platform, and — where a Provider has enabled the optional AI voice calling feature — Retell AI) operate from the United States. When your data is transmitted to these services, we ensure appropriate contractual protections are in place (APP 8), data shared is limited to what is strictly necessary, and we maintain records of cross-border transfers in our Third-Party Processor Register.
Effective 23 May 2026, generative-AI processing (form/flow generation, document scanning, invoice extraction, prompt refinement, website setup) is no longer disclosed overseas; all such processing occurs in Australian AWS data centres. Optional AI voice calling, when enabled by a Provider, remains a cross-border processing activity disclosed in Section 11.
6.3 Security measures
- Password hashing — BCrypt with work factor 12; progressive rehash from legacy SHA-256
- Multi-factor authentication — Provider-configurable 2FA via 6-character code; trusted device support with expiring tokens
- Account lockout — after 5 failed login attempts for 15 minutes; sliding 30-minute failure window
- Session management — HttpOnly, Secure cookies with 7-day sliding expiration; SameSite policy enforcement
- Role-based access control — granular access levels with area-key permissions
- Multi-tenancy isolation — every query filtered by Provider ID
- Audit logging — all significant data access and mutations logged with identity, IP, user agent, timestamps, before/after values
- Security headers — applied across all web and API endpoints
- Encrypted transport and storage — TLS for all connections; Azure SQL encryption at rest; S3 server-side encryption
Despite these measures, no method of transmission or storage is 100% secure. We continually review and improve our security practices.
7. Cookies and local storage
7.1 Cookies
SpringFire uses essential cookies only. We do not use third-party tracking, analytics, or advertising cookies.
springfire_app_auth— authentication session (HttpOnly, Secure, 7-day sliding expiry)springfire_2fa_device— trusted device recognition (device-bound GUID, matches trust expiry)
7.2 Local storage
springfire_cookie_consent— records your cookie preferences (essential/analytics/marketing)theme— stores your preferred display mode (light/dark)
7.3 Cookie consent
A cookie consent banner is displayed on first visit. You can accept all or choose essential only. Your preference is stored in your browser's local storage and no data is sent to our servers until you interact with the platform.
8. Data retention
8.1 General approach
We retain your personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by law (APP 11.2).
8.2 Provider-configurable retention
Each Provider can configure a data retention period (in days) through platform settings. This setting governs operational data within the Provider's tenant.
8.3 Retention by data type
- Email and SMS logs — configurable per Provider; deleted or anonymised
- Error logs — configurable; deleted in batches
- Trusted device records — automatically deleted at trust expiry
- Audit logs — retained indefinitely (regulatory requirement — APP 6, 11, 12; NDB scheme evidence)
- Shift timesheets — retained indefinitely (employment record requirements); the derived street-address strings on each timesheet (see Section 2.2) are retained alongside the timesheet
- Member check-in records — raw clock-in / check-out coordinates (latitude, longitude, accuracy) captured at the time of check-in are retained alongside the parent check-in record for the duration that record is retained (typically indefinitely per service-delivery and compliance requirements)
- Booking records — retained indefinitely (regulatory requirement)
- AI feature inputs and outputs — AWS Bedrock does not retain customer inputs or outputs from AI feature invocations once a request completes (AWS Bedrock data privacy commitment). SpringFire stores only the resulting generated artefact (for example, a form template or extracted invoice fields) against your account, retained per the timelines above
8.4 Account deletion
Members and staff can request deletion of their personal data. The platform supports deletion request tracking, scheduling, and cascade deletion across bookings, contacts, documents, notes, shifts, forms, flows, billing accounts, addresses, and member detail records. A deletion impact summary is generated before processing.
Deletion requests should be directed to your Provider's privacy contact in the first instance, or to SpringFire at the contact details in Section 15.
9. Your rights under the Australian Privacy Principles
9.1 Access (APP 12)
You have the right to request access to the personal information we hold about you. We will respond within 30 days. Access requests can be submitted to support@springfire.com.au.
9.2 Correction (APP 13)
You have the right to request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Corrections can be made directly through the platform (profile editing) or by emailing us.
9.3 Deletion
You have the right to request deletion of your personal information where there is no lawful basis for us to retain it. Note that some information may be required to be retained for legal, regulatory, or contractual reasons (see Section 8).
9.4 Data portability
You can request an export of your personal data. The platform supports data export for audit and compliance purposes.
9.5 Marketing opt-out
You can withdraw consent for marketing communications at any time by toggling the marketing opt-in switch in your profile's Privacy & Consent tab, or by contacting your Provider or SpringFire directly. Withdrawal is recorded as a formal consent withdrawal event in the consent audit trail.
9.6 Complaints (APP 1.4)
You have the right to lodge a complaint about how we handle your personal information. Complaints should be directed to your Provider's privacy contact, to SpringFire at support@springfire.com.au, or to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
10. Consent management
10.1 How we obtain and record consent
SpringFire implements a purpose-built consent management system that records and tracks your consent across multiple categories: Privacy Policy, Terms of Service, Marketing Email, Marketing SMS, Sensitive Data Collection (APP 3.3), Cross-Border Transfer (APP 8), Data Processing, Cookie Consent, and Notice Presented (APP 5).
10.2 How consent is captured
Each consent record includes the entity type and identity, consent method (web checkbox, mobile app, public form, written, verbal), version of the policy/terms accepted, timestamp (UTC), IP address, user agent, and withdrawal timestamp if applicable.
10.3 Version-based re-consent
When a Provider updates their privacy policy or terms of service version, you will be presented with a consent wall at your next login requiring you to review and accept the updated policies before proceeding.
10.4 Account activation consent
New accounts created by a Provider require activation via a time-limited link (30-day expiry). Activating your account constitutes acceptance of the Provider's current privacy policy and terms of service.
10.5 Consent history
Your complete consent history — including every acceptance and withdrawal — is viewable in the Privacy & Consent tab on your member or staff profile.
11. Artificial intelligence and automated processing
11.1 How we use AI
SpringFire uses AI in two distinct ways. Generative AI for content generation (form/flow templates, document scanning, invoice and receipt extraction, prompt refinement, and provider website setup assistance) is provided by AWS Bedrock running Anthropic Claude models, hosted in Australian data centres. Optional AI voice calling (inbound and outbound automated phone conversations) is provided by Retell AI, hosted in the United States. The voice calling feature is opt-in per Provider and disabled by default.
11.2 Generative AI (AWS Bedrock, Australia)
SpringFire integrates with AWS Bedrock (running Anthropic Claude Sonnet 4.6 and Claude Haiku 4.5 models) via Australia-only cross-region inference profiles. Inference is performed entirely within Australian AWS data centres (Sydney and Melbourne regions).
We send provider context (business name, category), user prompts (natural-language descriptions), and — when using document scanning or invoice extraction — uploaded document images that may contain incidental personal information. We do not explicitly send member or staff personal information to these AI services. By using document scanning, you acknowledge and consent to this processing. AWS's data-privacy commitments for Bedrock are published at aws.amazon.com/bedrock/data-protection. Content submitted to Bedrock is not used to train foundation models and is not retained by AWS after the request completes.
11.3 Voice AI calling (Retell AI, United States, opt-in)
Providers may optionally enable AI voice calling to handle inbound and outbound phone conversations on their behalf through SpringFire's integration with Retell AI (Retell Inc., United States). This feature is disabled by default and only activates when a Provider explicitly configures it under integration settings.
When the feature is enabled, the following information is transmitted to Retell AI servers in the United States during a call:
- Real-time call audio (caller's voice) and synthesised AI voice output
- Call transcripts and metadata (duration, caller phone number, call outcome)
- Provider-supplied agent configuration (business name, services, agent prompts, knowledge base entries)
- Member identity data where the agent performs verification against a known member record
- Booking and scheduling context when the agent creates, modifies, or confirms a booking
This is a cross-border data transfer under APP 8. Providers configuring this integration acknowledge that voice data and incidental personal information transmitted during AI-handled calls is processed by Retell Inc. in the United States. Retell AI publishes its own privacy commitments at retellai.com. Where a Provider enables AI voice calling for members, the Provider is responsible (as data controller) for obtaining any additional member consent required under the Australian Privacy Principles or applicable sector-specific frameworks (for example, NDIS Quality and Safeguards).
11.4 No automated decision-making with legal effect
SpringFire does not use AI or automated processes to make decisions that produce legal effects concerning you. Generative AI features are assistive tools that produce templates and extractions for human review and editing. AI voice calling handles conversational scheduling and information exchange under Provider-configured boundaries; substantive decisions about service eligibility, clinical care, or financial liability remain with the Provider's human staff.
12. Third-party links
The SpringFire platform and Provider-configured pages may contain links to third-party websites, including Provider websites and social media pages, payment processing portals (Stripe), and policy document URLs hosted externally by Providers. We do not control these external sites. If you submit information to a third-party site, your information is governed by that site's privacy policy, not this one.
13. Children's privacy
SpringFire is not directed at children under the age of 18. We do not knowingly collect personal information from children without appropriate parental or guardian consent as facilitated through the Provider organisation. Where a Provider manages services for minors (for example, NDIS participants under 18), the Provider is responsible for ensuring appropriate consent is obtained in accordance with the APPs.
14. Changes to this privacy policy
SpringFire may revise this policy periodically to ensure it remains compliant with legal requirements and reflects changes in our platform, practices, or regulatory environment. The effective date at the top of this document will be updated, and material changes will be communicated through Provider notifications or in-platform re-consent prompts. We encourage you to review this policy regularly.
15. Contact SpringFire
For privacy-related inquiries, data access requests, correction requests, complaints, or any questions about this policy:
Privacy Officer
Spring Fire Pty Ltd
Email: support@springfire.com.au
General enquiries: support@springfire.com.au
Website: https://springfire.com.au
Office of the Australian Information Commissioner (OAIC)
oaic.gov.au · 1300 363 992 · GPO Box 5218, Sydney NSW 2001
This Privacy Policy is governed by the laws of Australia, in particular the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). © 2026 Spring Fire Pty Ltd. All rights reserved.