Legal

Privacy policy.

How ZooYak handles personal information.Last updated: 2026-07-05

scope

1. Who we are and scope.

This privacy policy describes how [OWNER: insert ZooYak legal entity name and ABN] ('ZooYak', 'we', 'us', or 'our') collects, uses, and shares personal information through our marketing site, our customer-facing platform (web console and mobile app), and supporting services. It applies to client-organisation users, guards, and visitors to our marketing site.

collected

2. Information we collect.

We collect contact and account details for client-organisation users, and sales-lead information submitted through demo and contact forms. For guards, we collect identity and contact details, security licence numbers, GPS location recorded during active shifts for patrol and clock-in geofencing, the outcome of on-device biometric verification (a true/false result only; we never receive fingerprint or facial biometric templates, which are processed and stored solely on the guard's own device), emergency contact details, incident reports, time and attendance records, and payroll-related data. We also collect information automatically, such as browser, device, and IP information, and information from the cookies described in section 3.

cookies

3. Cookies.

Our marketing site sets no advertising or analytics cookies. The platform uses cookies and similar technologies for authentication and session management (strictly necessary) and to remember your preferences. Strictly necessary cookies cannot be disabled without affecting core functionality; blocking them in your browser settings may prevent you from signing in. If we introduce analytics or other non-essential cookies in the future, we will update this policy and seek consent where required.

data processing

4. Data processing.

For client-organisation account data and marketing-site data, ZooYak acts as the data controller. For customer data submitted through the platform in the course of providing the service, including guard personal information, ZooYak acts as a data processor on the customer's instructions, as described in our DPA. We process personal information on the following legal bases: performance of a contract, compliance with a legal obligation, our legitimate interests in operating and securing the service, and, where required, your consent. This approach aligns with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and, for customers or guards in the European Economic Area, Article 6 of the GDPR.

usage

5. How we use information.

We use information to provide and improve the service, to communicate with customers and guards, to comply with legal obligations, to detect and prevent fraud or misuse, and, where you have consented, to send marketing communications. We do not use guard location or biometric-verification-outcome data for any purpose other than providing the patrol, attendance, and welfare-monitoring features of the service.

sharing

6. Sharing and subprocessors.

We share information with subprocessors that support our operations: Amazon Web Services (hosting), Stripe (payment processing), Amazon Simple Email Service (email delivery), and Amazon Cognito (authentication). Where you choose to connect your Xero account for payroll export, information is shared with Xero at your direction. We notify customers at least 30 days before adding or replacing a subprocessor. We also share information with professional advisors under confidentiality obligations, and where required by law. We do not sell personal information.

retention

7. Data retention.

We retain personal information for as long as needed to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements. On termination of a subscription or a written deletion request, customer data, including guard personal information, is deleted from production systems within 7 days and from backups within 30 days, including cryptographic erasure of associated key material.

security

8. Security.

We apply technical and organisational measures appropriate to the sensitivity of the information we handle, including encryption in transit and at rest, access controls, and audit logging. Further detail on our security measures is set out in our DPA.

transfers

9. International data transfers.

Customer data is hosted in Australia. Where information is transferred outside Australia, we use appropriate safeguards, such as standard contractual clauses, for transfers subject to the GDPR, and comply with APP 8 for cross-border disclosures.

guard app

10. Guard account deletion.

Guards may request deletion of their guard account directly within the mobile app. Consistent with App Store guideline 5.1.1(v), the request is subject to a 30-day cooling-off period, during which it can be reversed, after which the account and associated personal information are deleted in accordance with section 7.

rights

11. Your rights.

Subject to applicable law, you have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. Guards and customers in the European Economic Area additionally have rights under the GDPR, including the right to lodge a data subject access request (DSAR), which we handle through our server-side rights-management process. Contact privacy@zooyak.com to exercise these rights.

children

12. Children.

Our service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact privacy@zooyak.com.

automated decisions

13. Automated decision-making.

We do not use guard location, biometric-verification-outcome, or incident data to make decisions that produce legal or similarly significant effects about a guard without human involvement. Any welfare or SOS alert generated by the platform is directed to a human responder at the customer organisation.

changes

14. Changes to this policy.

We may update this policy from time to time. We will notify customers of material changes by email or in-app notice at least 30 days before they take effect, and record the version and date accepted against your organisation account.

contact

15. Contact us.

Questions about this policy or our privacy practices? Email privacy@zooyak.com or write to [OWNER: insert ZooYak legal entity name, ABN, and registered address].