GearHawk Privacy Policy
Effective date: 17 June 2026 Last updated: 17 June 2026
1. About this policy
This Privacy Policy explains how GearHawk — currently operated by Matthew Charles Parnell, trading as "GearHawk" (ABN 15 753 353 207), of 22–28 Penkivil Street, Bondi NSW 2026, Australia ("GearHawk", "we", "us", "our") — collects, uses, holds, discloses and protects your personal information. (GearHawk currently trades as a sole trader and will be transferred to a dedicated company once registered; this notice will be updated with the new entity name and ACN at that time.)
GearHawk is an Australian app built for tradespeople and small trade businesses. It helps you track tools and equipment, capture expenses and receipts, generate ATO-style tax invoices, keep a mileage logbook, manage a vehicle fleet, and share records across a crew. This policy applies to the GearHawk website (gearhawkapp.com), the GearHawk progressive web app (PWA), and all related services (together, the "Service").
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By creating an account or using the Service, you agree to the collection, use and disclosure of your information as described here.
If you do not agree with this policy, please do not use the Service.
2. The short version (plain English)
- We collect the information you give us to run your business in the app — your account details, your business details, and the tools, expenses, receipts, invoices, vehicles and crew records you create.
- We store that information with Supabase (our database, login and file storage provider), whose primary database for GearHawk is located in Australia (Sydney), and we use a small number of trusted suppliers to send email, process payments, read receipt images, and host the app.
- Some of those suppliers are located overseas (including the United States). Using the Service involves your information being disclosed to them. In particular, receipt images you upload are sent to Google (in the United States) to read their text, and our website loads a Mailchimp marketing/analytics script that may set cookies.
- We do not sell your personal information.
- You can ask us to access, correct or delete your information at any time — see section 11.
This summary is not a substitute for the full policy below.
3. The kinds of personal information we collect
The information we collect depends on how you use the Service. It includes:
3.1 Account and identity information
- Your email address and a securely hashed password (passwords are managed by our authentication provider and are never stored by us in plain text).
- Your name and, optionally, phone number.
- If you sign in with Google, basic Google account profile information (email, name and your Google account identifier) provided through that sign-in.
3.2 Business profile information
- Your business or trading name, ABN, and GST registration status.
- Your business address, phone and email.
- Your bank account details for payment instructions on invoices — BSB, account number and account name. These are stored securely, are accessible to members of your workspace, and appear on the invoices you generate.
- Your business logo (if you upload one). Important: logos are stored in a publicly accessible file location so they can appear on invoices you send and on the invoice pages you share with your clients. Do not upload a logo that contains anything you wish to keep private (such as a phone number, address, ABN or other details), as it may be viewable by anyone with the link.
3.3 Information you create in the app ("your content")
- Invoices — invoice numbers, line items, amounts, dates, notes, status, and the recipient details on each invoice.
- Clients — the names, email addresses, phone numbers, postal addresses and ABNs of the clients you invoice.
- Expenses — vendor, category, amounts, GST, dates, notes, whether an expense was paid personally or by the business, reimbursement status, and images of receipts you upload.
- Tools, equipment and consumables — names, brands, serial numbers, purchase and value details, locations, status, photographs, and which person currently holds an item.
- Locations / job sites — names and, if you enter them, addresses.
- Mileage logbook — vehicle make, model, engine capacity and registration, and per-trip records including dates, odometer readings, distances, trip purpose, and whether each trip was business or personal.
- Fleet vehicles — vehicle name, registration, make/model, registration and service due dates, assigned driver, notes, and reminder preferences.
- Crew and activity — workspace membership and roles (administrator, supervisor, worker) and an activity log of actions taken in the workspace (such as tool check-ins/check-outs and expense approvals).
Information about other people. Some of the content you enter is personal information about other people — for example your clients, your workers, or drivers assigned to vehicles. When you provide that information you confirm you are entitled to do so and that those people are aware their information is being handled through the Service (a cloud service that uses overseas suppliers) as described in this policy, including any overseas disclosure under section 8. You are responsible for telling those individuals how their information is handled.
3.4 Payment and subscription information
- Your subscription plan, trial status, and any promotional or founding-member code you redeem.
- A payment-provider customer and subscription identifier that links your account to our payment processor.
We use Stripe to process payments. Your full card details are entered directly with Stripe and are never collected or stored on GearHawk's systems.
3.5 Marketing and attribution information
- If you join our mailing list or register interest in a plan, your email address and name and the plan you were interested in.
- Sign-up attribution data — where you came from before signing up, captured as marketing parameters (such as UTM source/medium/campaign), the referring website, and the landing page you arrived on.
3.6 Technical, device and usage information
- Authentication cookies and session tokens that keep you signed in.
- Information stored on your device by the app (in your browser's local storage, an offline action queue, and a cached copy of pages and data so the app works offline). See section 5.
- Push notification subscription details (a device/browser-specific endpoint and keys, managed by your browser's push service such as Apple, Google or Mozilla) if you enable push notifications.
- Product analytics and log data — pages viewed and actions taken in the app (where analytics is enabled — see section 5), and standard server and request logs generated by our hosting provider (such as IP address, timestamps, browser/device type and error logs).
4. How we collect your information
We collect information:
- Directly from you — when you create an account, complete your business settings, and use the app to create invoices, expenses, tool records and so on.
- Automatically — through cookies, local storage, analytics and server logs when you use the Service (section 5).
- From third parties — for example from Google when you choose to sign in with Google, and from our payment processor when you subscribe.
Where it is reasonable and practicable, we collect personal information directly from the individual it concerns. Some information (such as client and worker details) is provided to us by our users about other people, as described in section 3.3.
5. Cookies, local storage and analytics
Essential cookies and storage. We use cookies and your browser's local storage to keep you signed in, remember which workspace you are using, run the app offline (including a local queue of changes made while offline and a cached copy of data and pages), and remember interface preferences. These are necessary for the Service to function.
Product analytics. Where enabled, we use PostHog to understand how the Service is used (such as which pages are viewed and how sign-up flows perform).
Marketing attribution. We record how you arrived at the Service (section 3.5) so we can understand which of our marketing efforts work.
Marketing/analytics script. Our website loads a Mailchimp "connected site" script on every page. This script may set cookies and collect basic browsing information for marketing analytics, including from visitors who have not signed up. It is not essential to the Service.
We do not currently display a cookies/tracking consent banner. [We are reviewing whether to add a consent mechanism. If you do not wish to be tracked by optional analytics, you can use your browser's privacy controls, and you can contact us using the details in section 16.] Most browsers let you block or delete cookies and local storage, but doing so may stop parts of the Service from working.
6. Why we use your information
We use your personal information to:
- create and administer your account and workspace, and authenticate you;
- provide the Service — store and display your tools, expenses, receipts, invoices, logbook, fleet and crew records, and generate and send invoices;
- read the text of receipt images you upload (using optical character recognition) so we can pre-fill expense details for you;
- process payments, manage subscriptions and trials, and send billing-related communications;
- send you transactional messages (such as invoice delivery, welcome, trial and reminder emails) and, where you have opted in, marketing communications;
- send push notifications you have enabled (such as reminders);
- provide support, maintain security, prevent fraud and misuse, and debug and improve the Service;
- understand how the Service is used through analytics and attribution; and
- comply with our legal obligations.
We will only use your information for a purpose set out above, a directly related purpose you would reasonably expect, or another purpose you have consented to or that is permitted or required by law.
7. When we disclose your information
We disclose personal information:
- Within your workspace / crew. GearHawk is collaborative. Other members of a workspace you belong to can see shared records according to their role. Administrators can generally see all records in the workspace, including expenses, tools, invoices, activity and crew details; supervisors and workers see a more limited view. If you join or are invited to a workspace, the workspace's administrators control that workspace's data.
- To your clients. When you send an invoice, the invoice (including your business details, bank details, logo and the line items) is delivered to the recipient you nominate and can be viewed by anyone with the secure invoice link.
- To our service providers (see section 8) who help us run the Service.
- Where required or authorised by law, or to a court, regulator or law enforcement body, or to protect the rights, property or safety of GearHawk, our users or others.
- In connection with a business sale or restructure — if GearHawk's business or assets are sold or transferred, your information may be disclosed to the buyer, subject to this policy.
We do not sell your personal information, and we do not disclose it to third parties for their own marketing.
8. Service providers and overseas disclosure (APP 8)
We use trusted third-party suppliers to operate the Service. Several of them are located, or store data, outside Australia (including in the United States). By using the Service, you acknowledge and consent to your personal information being disclosed to the suppliers below for the purposes described, including the overseas disclosures noted.
| Supplier | What it does | Information involved | Location |
|---|---|---|---|
| Supabase | Database, user authentication and file storage (the core place your data is held) | Substantially all account, business and content data described in section 3 | Australia (Sydney region) |
| Google Cloud Vision | Reads text from receipt images (OCR) | The receipt images you upload | Overseas (United States) |
| Google (Sign-in) | "Sign in with Google" authentication | Your Google account email, name and identifier | Overseas (United States) |
| Stripe | Payment processing and subscription billing | Your name/email, plan and a customer identifier (card data is handled solely by Stripe) | Overseas (United States) |
| Resend | Sends transactional emails (invoices, welcome, reminders) | Recipient email and the contents of those emails (including invoice details) | Overseas (United States) |
| Mailchimp | Manages our marketing mailing list, and runs a "connected site" tracking script on every page of our website | Email and name of subscribers and plan interest; and basic browsing/analytics data from site visitors | Overseas (United States) |
| PostHog (if enabled) | Product analytics | Usage events and a user identifier | Overseas (United States) |
| Vercel | Hosts the application and processes requests | Technical and log data (e.g. IP address, request logs) | Overseas (United States) and global edge locations |
| Browser push services (e.g. Apple, Google, Mozilla) | Deliver push notifications if you enable them | Your push subscription and notification content | Varies by provider |
Because some recipients are overseas, we may not be able to ensure that an overseas recipient handles your personal information in accordance with the Australian Privacy Principles, and you may not be able to seek redress under the Privacy Act in respect of that recipient. We take reasonable steps to use reputable providers that offer appropriate data-protection commitments.
Your core data is hosted in Australia. GearHawk's primary Supabase database is located in the Sydney (Australia) region, so the bulk of your account, business and content data — including invoices, expenses, receipt images and tool records — is stored onshore. The overseas disclosures listed above relate to specific functions (payment processing, email delivery, receipt OCR, analytics, and hosting/edge delivery), not to your primary dataset.
9. How we store and protect your information
Your information is stored in our suppliers' secure cloud infrastructure (principally Supabase). We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure, including:
- encrypted connections (HTTPS/TLS) for data in transit;
- hashed storage of passwords by our authentication provider;
- row-level security controls in our database so users can generally only access data in workspaces they belong to;
- access controls limiting who within GearHawk can access systems; and
- private storage for receipts and tool documents (accessible via time-limited secure links). Note: business logos are stored in publicly accessible storage so they can be shown on invoices and shared invoice pages — do not use a logo that contains information you wish to keep private.
Your sign-in session remains active until you sign out or it expires; on shared or public devices, always sign out after use. Business and financial details (including bank account details) are accessible to members of your workspace according to the collaborative model described in section 7.
No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of an eligible data breach, we will respond in accordance with the Notifiable Data Breaches scheme under the Privacy Act.
10. How long we keep your information
We keep your personal information for as long as your account is active and for as long as we need it to provide the Service and for the purposes in this policy.
Because GearHawk is used to keep tax and business records, some information (such as invoices and expense records) may need to be retained to help you meet your own record-keeping obligations — Australian tax law generally requires business records to be kept for five (5) years. After your account is closed, we will retain, de-identify or securely delete your personal information as appropriate, except where we are required or permitted by law to keep it.
Unless a longer period is required by law or you ask us to delete it sooner, we apply the following default retention periods after your account is closed:
- Account, business and content records (including invoices, expenses and receipt images): retained for up to 5 years, to support the tax record-keeping obligations described above, and then securely deleted or de-identified.
- Sign-up attribution data and server/access logs: retained for up to 24 months.
- Expired push-notification subscriptions and marketing-list records: deleted or unsubscribed on request, and otherwise reviewed and pruned periodically.
11. Your privacy rights
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you;
- Correct information that is inaccurate, out of date or incomplete; and
- request deletion of your personal information (subject to our legal obligations and legitimate business needs, such as retaining tax-related records).
GearHawk does not currently provide a self-service "export my data" or "delete my account" feature in the app. To exercise any of these rights, contact us using the details in section 16 and we will action your request manually. We will respond within a reasonable time (generally within 30 days). We may need to verify your identity first. There is normally no charge to access your information, though we may charge a reasonable fee for substantial requests.
12. Direct marketing
We send marketing communications about GearHawk only to people who have opted in (for example by subscribing through our website). We comply with the Spam Act 2003 (Cth): every marketing email contains a working unsubscribe link, and you can opt out at any time by using it or by contacting us. Opting out of marketing will not stop essential transactional and service messages (such as invoice delivery, billing and security notices).
When you subscribe to our mailing list we use a confirmation step (double opt-in), meaning you are only added once you confirm.
13. Eligibility and children
The Service is intended for businesses and for individuals aged 18 or over. It is not directed at children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, please contact us so we can delete it.
14. Third-party links
The Service may link to third-party websites and services (for example our documentation site, or maps providers used for directions). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or through the Service. Your continued use of the Service after a change takes effect means you accept the updated policy.
16. Contact us and complaints
For privacy questions, requests or complaints, contact us at:
GearHawk — Privacy Email: [email protected] 22–28 Penkivil Street, Bondi NSW 2026, Australia
This policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and by the laws of Australia.
If you make a privacy complaint, we will acknowledge it and aim to resolve it within a reasonable time. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992