Privacy Policy
Effective 21 May 2026
This Privacy Policy explains how TradeWaaS collects, uses, stores, and discloses your personal information, and how you can exercise your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”).
It applies to the personal information of TradeWaaS customers and to visitors to the apex marketing site at tradewaas.com.au. Each customer’s own published site collects its visitors’ information on behalf of that customer — see section 11.
1. Who we are
TradeWaaS is operated by [TBD — set LEGAL_NAME in .env] (ABN [TBD — set LEGAL_ABN in .env]), an Australian sole trader, based at [TBD — set LEGAL_ADDRESS in .env]. We are the entity responsible for personal information collected through TradeWaaS, and you can reach us at admin@tradewaas.com.au.
Because we’re a small business, the Privacy Act doesn’t formally cover every part of our operations — but we choose to comply with the APPs as if it did. This policy is binding on us regardless.
2. What we collect
We collect different categories of personal information for different reasons:
Account information
- Your name, email address, password (stored only as a salted hash — we never store it in plain text), and the plan you signed up for.
Business information you publish on your site
- Your business name, trade type, services offered, business address, contact phone number, contact email, trade licence numbers and credentials, photos of your work, and any other content you choose to publish.
Payment information
- Payment is processed by Stripe. Stripe collects your card or other payment-method details directly. We never see your full card number — we only receive a token plus payment metadata (amount, currency, success/failure, last four digits, card brand).
Usage & technical information
- IP address, user-agent string, requested URLs, timestamps, and HTTP status codes — written to our server logs for security, debugging, and abuse-prevention purposes.
- A session cookie that keeps you logged in to your dashboard, and a CSRF-protection cookie that prevents cross-site request forgery.
Communications
- The contents of any email you send to us at admin@tradewaas.com.au, and our reply.
- Submissions made through any contact form we host (e.g. on the apex site).
We don’t collect “sensitive information” as defined in the Privacy Act (health, race, religion, political opinions, etc.) and there’s no reason for you to give it to us.
3. How we collect it
Most of what we hold about you, we collect from you directly:
- From the signup wizard when you create an account.
- From the customer dashboard when you edit your site content.
- From Stripe, when you complete a payment (we receive a webhook with payment metadata).
- From your browser, when it requests pages or assets from us (server logs, cookies).
- From email or contact-form submissions you send to us.
We don’t buy personal information from third parties, and we don’t scrape it from social media or other sources.
4. Why we collect it
We collect personal information so we can:
- Provide the TradeWaaS service to you — build, host, and serve your website.
- Bill you for the service and reconcile payments.
- Communicate with you about your account, including outages, security issues, billing, and material changes to our terms.
- Provide customer support when you ask for it.
- Keep the platform secure — detect abuse, rate-limit attackers, investigate incidents.
- Meet our legal obligations (e.g. retain billing records for the period required by the Australian Tax Office).
5. How we use it
Consistent with APP 6, we use personal information for the purpose for which it was collected (the “primary purpose”), and for related secondary purposes that you would reasonably expect. We won’t use your information for unrelated purposes without your consent or another lawful basis.
We don’t sell your personal information to anyone, ever. We don’t use your business or contact information to send marketing to third parties.
6. Who we share it with
We disclose personal information only when we have to, and only to the parties we have to disclose it to. Current disclosures:
- Stripe — receives payment details directly from you and shares payment metadata back to us. Stripe’s privacy policy: stripe.com/au/privacy.
- Google (Gemini) — inputs you provide in the signup wizard (business description, trade type, services, tone preferences) are sent to Google for AI generation. Google’s privacy policy: policies.google.com/privacy.
- Hetzner Online GmbH — our hosting provider. They have access to data at rest on the server they host. Privacy notice: hetzner.com/legal/privacy-policy.
- Let’s Encrypt — issues TLS certificates for HTTPS. Receives the domain name of your custom domain (not personal information about you) during certificate issuance.
- ImprovMX — forwards email sent to operator addresses (e.g. admin@tradewaas.com.au) to our operator mailbox. Receives email metadata and content in transit.
- Transactional email provider — once we have one connected, we will use it to send account, billing, and support emails. We will update this section before the first send.
We may also disclose information where we are required or permitted to by law, including in response to a court order, lawful regulatory request, or to enforce or apply our Terms of Service.
7. Overseas disclosure
Some of the providers we use are based outside Australia. Where personal information leaves Australia, the destination jurisdictions include:
- Singapore — Hetzner’s Singapore region, where our server is located. Personal information is stored at rest here.
- Germany — Hetzner’s registered office; corporate controls applied to our hosting account.
- Ireland, United States — Stripe’s operating regions for AU customers.
- United States and other Google data-centre regions — for Gemini AI generation requests.
- United States — ImprovMX is US-based.
Consistent with APP 8, before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs — typically by relying on the provider’s contractual privacy commitments and recognised compliance certifications (GDPR adequacy, SOC 2, ISO 27001, where applicable).
8. Where we store it & security
Customer data is stored in SQLite databases on the Hetzner server in Singapore. The server is dedicated to TradeWaaS and not shared with other applications. Communication between you and the server is encrypted in transit using TLS (HTTPS). Backups are taken nightly and retained on the same server for 14 days.
We take security seriously and use technical and organisational measures appropriate to the size of our operation, including:
- HTTPS-only access with HSTS, modern TLS ciphers, and a wildcard certificate from Let’s Encrypt.
- Content-Security-Policy headers and other browser-side security headers via Helmet.
- CSRF tokens on every state-changing form.
- Rate limits on signup, login, contact forms, and domain enqueue endpoints.
- Password storage as salted hashes (scrypt), never in plain text.
- Operator account hardening: dedicated admin subdomain, environment-variable credentials.
- Routine OWASP-style review of the application surface.
No system is perfect. If we become aware of an eligible data breach under the Privacy Act, we will notify you and the Office of the Australian Information Commissioner (OAIC) without unreasonable delay, consistent with the Notifiable Data Breaches scheme.
9. How long we keep it
We keep personal information only for as long as we need it to provide the service and meet our legal obligations:
- While your account is active — we keep all the information described in section 2.
- After your account is cancelled — your site stays live until the end of your paid period, after which it is taken down. Your data remains accessible to you for export for 90 days after cancellation, then it is deleted from our active database.
- Billing records — we keep invoices, receipts, and payment metadata for at least 7 years, as required by Australian tax law.
- Server logs — rotated regularly; older logs are deleted within 90 days unless we have a specific reason to keep them (e.g. an open security investigation).
- Backups — held for 14 days, then overwritten. A deletion request takes effect against active databases within 30 days; backups age out within a further 14.
10. Cookies & tracking
We use the minimum cookies needed to make the service work. There is no third-party advertising or analytics tracking on the apex site or on customer sites today:
- Session cookie (connect.sid) — keeps you logged into your dashboard. Set with HttpOnly, Secure, and SameSite=Lax. Expires when you log out or after 24 hours of inactivity.
- CSRF cookie — prevents cross-site request forgery. Set on every page load that contains state-changing forms.
If we add product analytics in future (e.g. self-hosted Plausible), we will update this section before deploying it, and we will not introduce any third-party advertising trackers.
11. Your customers’ data
Each TradeWaaS customer site collects information from its own visitors when they fill in the contact form — typically a name, email address, phone number, and a message. That information is stored in our database and made available to you, the customer, in your dashboard. We act as the data processor on your behalf; you are the data controller for your visitors’ information.
As a TradeWaaS customer, you are responsible for displaying your own privacy notice to your visitors and for handling their personal information consistently with Australian privacy law.
12. Your rights
Under the APPs you have the right to:
- Access the personal information we hold about you (APP 12). You can see most of it directly in your dashboard. For anything not visible there, email us at admin@tradewaas.com.au.
- Correct inaccurate or out-of-date personal information (APP 13). Most fields are editable in your dashboard. For anything you can’t edit yourself, email us.
- Cancel and have your data deleted — cancel your subscription from the dashboard, then email us to request deletion. We will action it consistent with the retention periods in section 9.
- Withdraw consent for any optional processing we may add in future. (We don’t rely on consent for the core service today; the legal basis is performance of the contract.)
- Make a complaint — see section 13.
We’ll usually respond to a request within 30 days. We don’t charge for access or correction requests, except for the actual cost of producing very large exports (we’ll tell you in advance if that applies).
13. Complaints & the OAIC
If you think we have mishandled your personal information, please contact us first at admin@tradewaas.com.au — we take complaints seriously and would rather hear from you directly so we can fix anything we have got wrong.
If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
14. Children
TradeWaaS is not directed at children. We don’t knowingly collect personal information from people under 16. If you believe we have, please email us at admin@tradewaas.com.au and we’ll delete it.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we’ll change the “Effective” date at the top. If the change is material (for example, a new category of data we collect or a new third-party disclosure), we’ll notify you by email at least 14 days before it takes effect.
16. How to contact us
Email: admin@tradewaas.com.au
Operator: [TBD — set LEGAL_NAME in .env]
ABN: [TBD — set LEGAL_ABN in .env]
Address: [TBD — set LEGAL_ADDRESS in .env]