How CriticalFlow collects, uses, stores, and protects personal information — written to comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Each section opens with a plain-English summary.
CriticalFlow is operated by Critical Flow Services Pty Ltd, ABN 13 622 452 813 ("CriticalFlow", "we", "us"), an Australian business registered in South Australia. This policy covers personal information handled through the CriticalFlow application at app.criticalflowservices.com.au and our website at criticalflowservices.com.au.
Account information — your name, email, and sign-in details when you create or accept an account. For this, we decide how and why it's processed, and this policy applies directly.
Organisation-entered information — everything a subscribing organisation enters into its own workspace: its people (names, job titles, departments, and — visible only to permitted roles — pay and cost figures), projects, schedules, and financial data. The organisation controls this information; we process and store it on the organisation's behalf and instructions, to provide the service. The organisation is responsible for having the right to collect and enter it and for responding to its own people's questions about it. If you are an employee or contractor of a CriticalFlow customer, please direct requests about this information to your employer first — they control it and can usually act immediately; we will support them in responding. This routing doesn't remove our own obligations: where the Privacy Act requires us to handle a request directly, we will.
| Category | What it includes | Why we have it |
|---|---|---|
| Account data | Name, email address, sign-in method (Google sign-in, email + password, magic link, or invitation), role within your organisation, two-factor-authentication enrolment | Creating and securing your account; enforcing role-based access |
| Organisation-entered data | Whatever your organisation enters: people records (including pay/cost figures for permitted roles), projects, schedules, revenue and cost data, plant/asset records, uploaded organisation logo | Providing the core product — scheduling, forecasting, reporting (processed on your organisation's behalf — see section 2) |
| Security & usage data | IP address, browser/device type, sign-in timestamps, and security-relevant actions (invites, role changes, destructive saves) recorded in an append-only audit log | Security, abuse prevention, and reconstructing events if something goes wrong |
| AI-help data | Questions you type into CriticalFlow AI (the in-app help assistant) | Answering your question — the assistant sees only product documentation and your typed question, never your organisation's data |
| Billing data (paid plans) | Plan, seat count, billing contact, and payment records. Card details are entered directly with our payment provider, Stripe — full card numbers never reach our systems | Charging for and administering paid subscriptions |
| Correspondence | Emails you send us (support, security reports, access requests) | Responding to you and keeping a record of the exchange |
We collect information directly from you, automatically when you use the service (security and usage data), from your organisation when it enters data about you, and from Google if you choose Google sign-in (name and email only). We do not knowingly collect sensitive information as defined by the Privacy Act, and ask that you do not enter it.
We do not sell personal information. We do not use your data — account or organisation-entered — to train any AI model, ours or a third party's. We currently send service and account emails only; if we ever introduce marketing email, it will be opt-in with a working unsubscribe.
We share personal information only with: the subprocessors who host and deliver the service — currently Supabase (database, authentication, functions), Cloudflare (hosting/CDN), Resend (transactional email), Anthropic (AI help), and, once paid plans launch, Stripe (payments) — as listed with purposes on our Subprocessors page, which we update when the list changes; professional advisers under confidentiality; law-enforcement bodies, regulators, or courts where disclosure is required or authorised by law; and a buyer or successor in a genuine business sale or restructure, on terms that continue to protect it. Members of your own organisation see your information according to the roles your organisation assigns.
Application data (including organisation-entered data) is hosted with Supabase in Singapore. Transactional email is delivered via Resend and AI-help questions are processed by Anthropic, both in the United States; payment processing by Stripe will also involve the United States. Static assets and traffic pass through Cloudflare's global edge network in transit. Under Australian Privacy Principle 8, this is disclosure of personal information to overseas recipients: we select providers with robust, publicly documented security and privacy practices and bind them through their service agreements, but their local law applies to them, and by using the service you and your organisation acknowledge this cross-border handling.
What we don't yet have: CriticalFlow does not currently hold an independent security certification (such as SOC 2 or ISO 27001) and has not yet commissioned an external penetration test — our security testing to date is rigorous but internal. We state this plainly rather than imply otherwise; no system, certified or not, is perfectly secure.
Most information is directly visible and editable in the product by your organisation's permitted roles. For anything else, contact us (section 14) and we will provide access to or correct your personal information as the APPs require, verifying your identity first. If we refuse a request (for example, where it would reveal another person's information), we will explain why in writing.
On request, we will delete, de-identify, or put beyond use personal information we hold, to the extent practicable within a reasonable time. Three honest qualifications: (1) information entered about you by your organisation is handled on your organisation's instructions — deletion requests for it should normally go to your organisation, and we will act on your organisation's instruction (subject to section 2's note about our own obligations); (2) entries in the security audit log are deliberately tamper-evident and cannot be selectively deleted by anyone, including us — they age out per the schedule in section 8; (3) closed-organisation data is archived rather than instantly erased — rolling version snapshots persist for up to about 60 days and nightly backups for about 30 days before expiring from their cycles, and the archived record itself is removed when deletion is requested, not automatically.
We maintain an internal incident-response plan with severity levels, containment and restoration steps, and post-incident review. If we become aware of a data breach likely to result in serious harm, we will notify affected organisations' administrators without undue delay, assess the breach in accordance with the Notifiable Data Breaches scheme under the Privacy Act, and notify the Office of the Australian Information Commissioner and affected individuals where the scheme requires it. Because organisations control what they enter into their workspaces (section 2), we may coordinate with an affected organisation on notifying its own people.
The application uses only the cookies and browser storage necessary to keep you signed in and remember your preferences (such as display theme). We do not use third-party advertising or analytics trackers. Our marketing website loads fonts from Google Fonts, which involves a request to Google's servers.
CriticalFlow is designed and offered for Australian businesses, and this policy is written against Australian law. We have not yet implemented the specific cross-border transfer mechanisms some other regimes require (for example, EU/UK standard contractual clauses). If you are outside Australia and considering the service, contact us first.
CriticalFlow is a business tool, not directed at or intended for children.
Questions, requests, or complaints about privacy: contact@criticalflowservices.com.au (security reports: security@criticalflowservices.com.au). We will acknowledge a privacy complaint promptly, investigate, and respond in writing. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
We may update this policy as the service evolves. Material changes will be notified to account holders by email or in-product notice before they take effect; the current version always lives at this address with its "last updated" date below.