How we handle the information you trust us with.

1. WHO WE ARE

Who is responsible for your data.

Ordit Pty Ltd (“we”, “us”, “Ordit”) is the data controller for personal information collected through the Ordit platform.

We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles. State-specific privacy obligations also apply, including health-related provisions where relevant.

2. WHAT WE COLLECT

The information we hold.

Account information.

Name, email address, phone number, role (manager, owner, contractor, occupier), the building or buildings you are associated with, and login credentials.

Compliance and operational documents.

Certificates, audits, plans, registers, warranties, reports and any other compliance documents you upload. These are your records, attached to the building.

Special needs register information.

Information voluntarily provided by occupiers about evacuation requirements, mobility needs, sensory impairments, and emergency contacts. Disclosure is voluntary. We collect only what occupiers choose to share.

Hazard reports.

Photographs, descriptions, timestamps and identity of the person reporting a hazard.

Communications.

Messages sent through the contractor and occupier comms feature. Each message is logged with sender, recipients, content and timestamp.

Usage data.

Login times, device type, IP address, and platform activity. We use this to keep the service secure and to improve it.

3. WHY WE COLLECT IT

How we use your information.

We use the information described above to:

Operate the platform and provide the service you have subscribed to.

Maintain audit trails that protect building managers and owners under Australian compliance and personal liability frameworks.

Make operational safety information available to authorised emergency services when they scan the QR panel.

Send notifications about renewals, deadlines, system updates and security events.

Respond to support requests and improve the platform.

Comply with our own legal obligations.

We do not sell your information. We do not use it for advertising. We do not share it with marketing partners.

4. HOW WE PROTECT IT

Where the data lives.

Hosted in Australia.

All Ordit data is hosted on Amazon Web Services (AWS) infrastructure located in Australia. Data does not leave Australian data centres in the normal course of operation.

Encryption.

Data is encrypted in transit using TLS, and at rest using AES-256 encryption.

Access controls.

Role-based permissions ensure that only authorised people can see information relevant to their role. Sensitive personal and financial information is never accessible to people whose role does not require it.

Internal access.

Ordit staff access customer data only when necessary to provide support, investigate issues or comply with legal obligations. Access is logged.

5. ROLE-BASED ACCESS

Who can see what.

Managers and authorised owners.

See the building's full digital wallet, all compliance records, and the special needs register, through a logged-in account.

Contractors.

See only the documents relevant to their work. Evacuation diagrams, SDS sheets, asbestos register, building access notes. Do not see compliance audits or financial records.

Occupiers.

See and update their own profile. Cannot see other occupiers' information or building compliance records.

Emergency services.

See live operational safety information by scanning the QR panel: live evacuation plan, current special needs register, SDS sheets, asbestos register, FSI list and emergency contacts. They do not see sensitive personal information beyond what is necessary for emergency response, and they do not see financial records.

Other parties.

Do not get access. Unauthorised scan attempts are denied.

6. SHARING WITH THIRD PARTIES

Who we share data with, and why.

We share your data only in the following circumstances:

With service providers who help us run the platform (hosting, email delivery, analytics). These providers are bound by confidentiality and data protection obligations and are listed in our subprocessor register, available on request.

With authorised emergency services, when they scan the QR panel at your building, limited to operational safety information.

With law enforcement or regulators, when we are legally required to do so.

With your written authorisation, in any other case.

We do not share your data with marketing partners. We do not sell your data.

7. HOW LONG WE KEEP IT

Data retention.

During your subscription.

We keep all data for as long as your subscription is active.

If you choose not to renew.

You have a defined export period to download your complete compliance history. The export period is set out in your subscription agreement.

After the export period.

Active platform data is permanently deleted. Backup copies are removed in line with our 90-day backup retention schedule.

Audit logs.

Access logs and tamper-evidence audit logs may be retained for longer periods to satisfy our own compliance and security obligations.

8. YOUR RIGHTS

What you can ask us to do.

Under Australian privacy law, you have the right to:

Access the personal information we hold about you.

Correct information that is inaccurate or out of date.

Request deletion of your information, subject to our legal obligations to retain certain records.

Withdraw consent for any processing that depends on your consent.

Lodge a complaint with us, or with the Office of the Australian Information Commissioner (OAIC).

To exercise any of these rights, contact us at sales@ordit.au. We will respond within thirty days.

9. OCCUPIERS AND THE SPECIAL NEEDS REGISTER

A note for occupiers.

If you are an occupier of a building that uses Ordit, your participation in the special needs register is voluntary. You choose what to share and what not to share.

Information you provide is accessible only to authorised building managers and emergency services for safety purposes. Other occupiers and contractors do not have access.

You can update or remove your information at any time through your profile.

10. DATA BREACHES

If something goes wrong.

If a data breach occurs that is likely to result in serious harm, we will:

Notify you and any affected individuals as soon as practicable.

Notify the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme.

Take immediate steps to contain the breach and prevent recurrence.

11. COOKIES AND ANALYTICS

How we use cookies.

Our website uses essential cookies to operate, and a small number of analytics cookies to help us understand which pages are used and how the site can be improved. We do not use advertising cookies.

You can control cookies through your browser settings.

12. CHANGES TO THIS POLICY

Updates.

We may update this policy from time to time, for example when laws change or when we add new features. Material changes will be notified at least thirty days before they take effect, by email and via in-product notification.

13. CONTACT

Get in touch.

Questions about this policy, or how we handle your information?

Email. sales@ordit.au