Legal

Privacy Policy

How CriticalFlow collects, uses, stores, and protects personal information — written to comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Each section opens with a plain-English summary.

1. Who we are

CriticalFlow is operated by Critical Flow Services Pty Ltd, ABN 13 622 452 813 ("CriticalFlow", "we", "us"), an Australian business registered in South Australia. This policy covers personal information handled through the CriticalFlow application at app.criticalflowservices.com.au and our website at criticalflowservices.com.au.

2. Two kinds of personal information — and who is responsible for each

In shortYour own account details are our responsibility. Information your employer enters about you (like your name, role, or pay) is your employer's responsibility — we hold it on their behalf. If you're a crew member with questions about what your employer entered, ask your employer first.

Account information — your name, email, and sign-in details when you create or accept an account. For this, we decide how and why it's processed, and this policy applies directly.

Organisation-entered information — everything a subscribing organisation enters into its own workspace: its people (names, job titles, departments, and — visible only to permitted roles — pay and cost figures), projects, schedules, and financial data. The organisation controls this information; we process and store it on the organisation's behalf and instructions, to provide the service. The organisation is responsible for having the right to collect and enter it and for responding to its own people's questions about it. If you are an employee or contractor of a CriticalFlow customer, please direct requests about this information to your employer first — they control it and can usually act immediately; we will support them in responding. This routing doesn't remove our own obligations: where the Privacy Act requires us to handle a request directly, we will.

3. What we collect

In shortAccount details, what your organisation enters, security logs, AI-help questions, and — for paid plans — billing details handled by Stripe. Card numbers never touch our systems.
CategoryWhat it includesWhy we have it
Account dataName, email address, sign-in method (Google sign-in, email + password, magic link, or invitation), role within your organisation, two-factor-authentication enrolment Creating and securing your account; enforcing role-based access
Organisation-entered dataWhatever your organisation enters: people records (including pay/cost figures for permitted roles), projects, schedules, revenue and cost data, plant/asset records, uploaded organisation logo Providing the core product — scheduling, forecasting, reporting (processed on your organisation's behalf — see section 2)
Security & usage dataIP address, browser/device type, sign-in timestamps, and security-relevant actions (invites, role changes, destructive saves) recorded in an append-only audit log Security, abuse prevention, and reconstructing events if something goes wrong
AI-help dataQuestions you type into CriticalFlow AI (the in-app help assistant) Answering your question — the assistant sees only product documentation and your typed question, never your organisation's data
Billing data (paid plans)Plan, seat count, billing contact, and payment records. Card details are entered directly with our payment provider, Stripe — full card numbers never reach our systems Charging for and administering paid subscriptions
CorrespondenceEmails you send us (support, security reports, access requests) Responding to you and keeping a record of the exchange

We collect information directly from you, automatically when you use the service (security and usage data), from your organisation when it enters data about you, and from Google if you choose Google sign-in (name and email only). We do not knowingly collect sensitive information as defined by the Privacy Act, and ask that you do not enter it.

4. How we use it

In shortTo run the product, keep it secure, support you, and send you service messages. We don't sell your information and we don't use your data to train AI models.

We do not sell personal information. We do not use your data — account or organisation-entered — to train any AI model, ours or a third party's. We currently send service and account emails only; if we ever introduce marketing email, it will be opt-in with a working unsubscribe.

5. Who we share it with

In shortOnly the vendors who run the platform (listed publicly), and authorities if the law genuinely requires it. Nobody else.

We share personal information only with: the subprocessors who host and deliver the service — currently Supabase (database, authentication, functions), Cloudflare (hosting/CDN), Resend (transactional email), Anthropic (AI help), and, once paid plans launch, Stripe (payments) — as listed with purposes on our Subprocessors page, which we update when the list changes; professional advisers under confidentiality; law-enforcement bodies, regulators, or courts where disclosure is required or authorised by law; and a buyer or successor in a genuine business sale or restructure, on terms that continue to protect it. Members of your own organisation see your information according to the roles your organisation assigns.

6. Where it's stored — overseas disclosure

In shortThe database lives in Singapore. Email, AI help, and (soon) payments are processed in the United States. We choose vendors with strong security practices, but you should know your data crosses borders.

Application data (including organisation-entered data) is hosted with Supabase in Singapore. Transactional email is delivered via Resend and AI-help questions are processed by Anthropic, both in the United States; payment processing by Stripe will also involve the United States. Static assets and traffic pass through Cloudflare's global edge network in transit. Under Australian Privacy Principle 8, this is disclosure of personal information to overseas recipients: we select providers with robust, publicly documented security and privacy practices and bind them through their service agreements, but their local law applies to them, and by using the service you and your organisation acknowledge this cross-border handling.

7. How we protect it

In shortReal, database-level controls — tenant isolation, server-side pay redaction, default two-factor, an unalterable audit log. We're honest about what we don't have yet: no SOC 2 / ISO certification and no external penetration test.

What we don't yet have: CriticalFlow does not currently hold an independent security certification (such as SOC 2 or ISO 27001) and has not yet commissioned an external penetration test — our security testing to date is rigorous but internal. We state this plainly rather than imply otherwise; no system, certified or not, is perfectly secure.

8. How long we keep it

In shortWhile your account is active, plus short rolling recovery windows. The security audit log is kept longer by design.

9. Access, correction and deletion

In shortYou can see and fix your information — mostly right in the product. You can ask us to delete your data; we'll do it to the extent practicable, and we're upfront about the one exception (the audit log) and about crew data belonging with your employer.

Most information is directly visible and editable in the product by your organisation's permitted roles. For anything else, contact us (section 14) and we will provide access to or correct your personal information as the APPs require, verifying your identity first. If we refuse a request (for example, where it would reveal another person's information), we will explain why in writing.

On request, we will delete, de-identify, or put beyond use personal information we hold, to the extent practicable within a reasonable time. Three honest qualifications: (1) information entered about you by your organisation is handled on your organisation's instructions — deletion requests for it should normally go to your organisation, and we will act on your organisation's instruction (subject to section 2's note about our own obligations); (2) entries in the security audit log are deliberately tamper-evident and cannot be selectively deleted by anyone, including us — they age out per the schedule in section 8; (3) closed-organisation data is archived rather than instantly erased — rolling version snapshots persist for up to about 60 days and nightly backups for about 30 days before expiring from their cycles, and the archived record itself is removed when deletion is requested, not automatically.

10. Data breaches

In shortIf a breach is likely to cause serious harm, we'll tell the affected organisations without undue delay and comply with the Notifiable Data Breaches scheme.

We maintain an internal incident-response plan with severity levels, containment and restoration steps, and post-incident review. If we become aware of a data breach likely to result in serious harm, we will notify affected organisations' administrators without undue delay, assess the breach in accordance with the Notifiable Data Breaches scheme under the Privacy Act, and notify the Office of the Australian Information Commissioner and affected individuals where the scheme requires it. Because organisations control what they enter into their workspaces (section 2), we may coordinate with an affected organisation on notifying its own people.

11. Cookies and tracking

In shortOnly what's needed to keep you signed in. No advertising or analytics trackers.

The application uses only the cookies and browser storage necessary to keep you signed in and remember your preferences (such as display theme). We do not use third-party advertising or analytics trackers. Our marketing website loads fonts from Google Fonts, which involves a request to Google's servers.

12. Outside Australia?

In shortCriticalFlow is built for Australian businesses. If you're in the EU or UK, talk to us before relying on it.

CriticalFlow is designed and offered for Australian businesses, and this policy is written against Australian law. We have not yet implemented the specific cross-border transfer mechanisms some other regimes require (for example, EU/UK standard contractual clauses). If you are outside Australia and considering the service, contact us first.

13. Children

CriticalFlow is a business tool, not directed at or intended for children.

14. Complaints, questions and contact

In shortEmail us and we'll respond quickly. If you're not satisfied, you can go to the OAIC.

Questions, requests, or complaints about privacy: contact@criticalflowservices.com.au (security reports: security@criticalflowservices.com.au). We will acknowledge a privacy complaint promptly, investigate, and respond in writing. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

15. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified to account holders by email or in-product notice before they take effect; the current version always lives at this address with its "last updated" date below.

Version 2.0 — effective 19 July 2026.