DEFECT/OPS
Privacy Policy
Effective date: 24 April 2026 · Last reviewed: 24 April 2026
1. Who we are
DefectOps is a software-as-a-service product that helps builders, facilities management teams, and their contractors manage defects during the Defects Liability Period (DLP). The website is located at www.defectops.com.
| Legal entity | DefectOps Pty Ltd |
|---|---|
| Registered address | 3b Ilumba Road |
| Privacy contact | privacy@defectops.com |
| ABN | 64 989 158 078 |
References to 'we', 'us', or 'our' in this policy mean DefectOps Pty Ltd. References to 'you' mean any individual whose personal data we process, including account holders, team members, contractors, and website visitors.
2. Scope of this policy
This policy applies to all personal data collected or processed by DefectOps in connection with:
- use of the DefectOps web application and any associated mobile applications;
- visits to www.defectops.com and any subdomains;
- communications with us by email, live chat, or telephone; and
- payment processing conducted through our Merchant of Record (see Section 6).
This policy does not apply to third-party websites linked from our platform. We are not responsible for the privacy practices of those sites.
3. Categories of personal data we collect
3.1 Account and identity data
When you register for a DefectOps account we collect:
- full name and job title;
- business email address;
- company name and company size;
- telephone number (optional); and
- profile photo (optional).
3.2 Usage and activity data
When you use the application we automatically collect:
- defect records you create, including descriptions, photographs, location pins, and trade tags;
- action logs showing who created, assigned, updated, or closed each defect and when;
- contractor and stakeholder names and contact details entered by account holders;
- project names, addresses, and DLP expiry dates; and
- device type, browser, operating system, and IP address.
3.3 Communications data
If you contact us by email or through our support channels we collect the content of that communication and any personal data you include within it.
3.4 Payment data
DefectOps does not directly handle or store payment card numbers, bank account details, or billing addresses. All payment data is handled by Paddle (see Section 6). We receive only transaction confirmations, subscription status, and high-level billing summaries from Paddle.
3.5 Automatically collected technical data
We and our third-party infrastructure providers collect:
- log files recording requests to our servers;
- cookies and similar tracking technologies (see Section 12); and
- error reports and performance metrics.
4. How we collect personal data
We collect personal data:
- directly from you when you register, configure a project, add contractors, or contact us;
- from your colleagues or employer if your organisation purchases a DefectOps subscription and an administrator adds you as a user;
- automatically when you use the platform, via server logs and analytics tools; and
- from Paddle, our Merchant of Record, in the form of subscription status and payment confirmations.
5. Legal bases for processing
Where the Australian Privacy Act 1988 (Cth) and, for users in the United Kingdom and European Economic Area, the UK GDPR or EU GDPR apply, we rely on the following legal bases:
| Purpose | GDPR / UK GDPR | Australian Privacy Act |
|---|---|---|
| Providing and administering your account | Performance of contract (Art 6(1)(b)) | APP 3 — collection reasonably necessary for our functions |
| Processing payments via Paddle | Performance of contract (Art 6(1)(b)) | APP 3 — collection reasonably necessary for our functions |
| Transactional emails (receipts, DLP reminders, system alerts) | Performance of contract (Art 6(1)(b)) | APP 3 — necessary for our functions |
| Product updates and marketing (opted-in users only) | Consent (Art 6(1)(a)) | Consent — you may withdraw at any time |
| Security monitoring and fraud prevention | Legitimate interests (Art 6(1)(f)) | Legitimate interests — protecting our systems and users |
| Improving our product through usage analytics | Legitimate interests (Art 6(1)(f)) | Legitimate interests — improving our service |
| Complying with legal obligations | Legal obligation (Art 6(1)(c)) | Required by applicable law |
6. Paddle — Merchant of Record for payments
DefectOps uses Paddle.com Market Limited ('Paddle') as its Merchant of Record for all subscription payments. This means:
- Paddle is the seller of record on your invoice or receipt — not DefectOps directly.
- Paddle collects and processes your payment card or bank details, billing address, and VAT / GST information. We do not receive or store this data.
- Paddle may carry out identity verification, fraud prevention checks, and tax compliance as required by law in your jurisdiction.
- Paddle's own privacy policy governs how it handles your payment data. You can review it at paddle.com/legal/privacy.
For any billing disputes, refund requests, or questions about a charge from 'Paddle', you may contact Paddle directly or reach us at privacy@defectops.com.
7. Who we share personal data with
We do not sell your personal data. We share it only in the following circumstances.
7.1 Sub-processors and service providers
We engage third-party processors who act on our instructions only. Current key sub-processors include:
| Provider | Purpose | Location |
|---|---|---|
| Supabase / AWS | Database hosting, authentication, file storage | USA (with data transfer safeguards) |
| Paddle | Merchant of Record — payment processing | UK / Ireland |
| Resend | Transactional email delivery | USA |
7.2 Your organisation's team members
If your organisation holds a DefectOps subscription, account administrators may view, edit, or export project data including names and contact details of users they have added. This is a core product feature necessary for multi-user collaboration.
7.3 Contractors and external stakeholders
Contractors and clients you invite to a project will be able to view defect records assigned to or shared with them, as configured by your organisation's account administrator.
7.4 Legal and regulatory disclosures
We may disclose personal data to regulators, courts, or law enforcement where required by law, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of DefectOps, our users, or the public.
7.5 Business transfers
In the event of a merger, acquisition, or sale of substantially all of our assets, personal data held by DefectOps may be transferred to the acquiring entity. We will notify you before your data becomes subject to a materially different privacy policy.
8. International data transfers
DefectOps is based in Australia. Some third-party sub-processors store and process data in the United States. Where personal data is transferred outside Australia, we ensure appropriate safeguards are in place under the Australian Privacy Principles, including:
- standard contractual clauses or data processing agreements with the receiving party;
- transfers to countries with substantially similar privacy protections; or
- other mechanisms recognised under applicable law.
If you are located in the UK or EEA, transfers of your data to third countries are conducted under EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) as applicable.
9. Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations.
| Data type | Retention period |
|---|---|
| Active account and project data | Duration of your subscription plus 90 days following cancellation, to allow data export. |
| Defect records, photos, and action logs | Duration of subscription plus 7 years, to support warranty and audit obligations. |
| Payment records and invoices | 7 years, as required by Australian tax law and equivalent obligations in other jurisdictions. |
| Support communications | 3 years from the date of last contact. |
| Server logs and technical data | 90 days on a rolling basis. |
| Backup copies | Backups are overwritten on a rolling 30-day cycle. |
When you cancel your account or we no longer have a legal basis to retain your data, we will securely delete or anonymise it. You may request early deletion under Section 10.
10. Your privacy rights
Depending on your location, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@defectops.com.
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Ask us to correct inaccurate or incomplete personal data. |
| Erasure ('right to be forgotten') | Ask us to delete your data where we have no legal basis to retain it. Note that audit trail data may be subject to legal retention obligations. |
| Restriction | Ask us to restrict processing of your data while a complaint or accuracy dispute is resolved. |
| Data portability | Request your data in a structured, machine-readable format (GDPR / UK GDPR users). |
| Objection | Object to processing based on legitimate interests. We will cease processing unless we have compelling grounds to continue. |
| Withdraw consent | Where processing is based on your consent (e.g. marketing emails), you may withdraw at any time without affecting the lawfulness of prior processing. |
| Complaint | Lodge a complaint with the OAIC at oaic.gov.au, the UK ICO at ico.org.uk, or your local EU supervisory authority. |
We will respond to all valid requests within 30 days. In complex cases we may extend this to 90 days and will notify you of any extension.
11. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:
- encryption of data in transit using TLS 1.2 or higher;
- encryption of data at rest using AES-256 or equivalent;
- row-level security controls so that each user and contractor can only access the project data they are authorised to see;
- regular automated backups with tested restore procedures;
- access controls and authentication requirements for internal systems;
- vulnerability monitoring and prompt patching of identified security issues; and
- contractual security obligations imposed on all sub-processors.
No system is completely secure. In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by law.
12. Cookies and tracking technologies
We use cookies and similar technologies on www.defectops.com and within the application. Categories of cookies we use:
- Strictly necessary cookies — required for the application to function (e.g. session authentication). These cannot be disabled.
- Analytics cookies — we use privacy-respecting analytics to understand how users navigate the product. You may opt out through our cookie banner.
- Marketing cookies — if you arrive via a paid advertisement, we may use a cookie to attribute that visit. No cross-site tracking cookies are used for third-party advertising.
You can manage cookie preferences through the cookie consent banner on the site, or through your browser settings. Note that disabling strictly necessary cookies will prevent you from logging in.
13. Children
DefectOps is a business-to-business product intended solely for use by professionals and their organisations. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact privacy@defectops.com and we will take prompt steps to delete it.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify account holders by email and update the effective date at the top of this document. We encourage you to review this policy periodically. Your continued use of DefectOps after a policy update constitutes acceptance of the revised terms.
15. Contact us
For any privacy-related queries, requests to exercise your rights, or concerns about how we handle your data, please contact:
| privacy@defectops.com | |
| Response time | Within 30 days of receipt |
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority (see Section 10).
This document is a working template and does not constitute legal advice. DefectOps recommends having this policy reviewed by a qualified privacy lawyer before publishing, particularly to confirm the registered entity name, ABN/ACN, and the complete sub-processor list.