Privacy Policy
Last updated 2026-07-12
How Commonop Pty Ltd collects, holds, uses and discloses personal information across CommonOP-AG and the shared COP backend.
1. Who we are & scope
Commonop Pty Ltd (ACN 700 011 374) (we, us, our). This policy covers commonop.io, ag.commonop.io, the CommonOP native apps, and the shared COP backend. We treat ourselves as bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We do not rely on the small-business exemption — because we operate a de-identified data product, that exemption does not apply to us — and we hold ourselves to the shared-substrate security bar.
2. What personal information we collect
Identity — name, email, phone, entity/ABN, role/callsign. Credential metadata — licence type, number and expiry and, where hosted, credential/insurance evidence. Job/COP data — properties, GPS/cadastre, maps, photos and spray records. Payment/subscription data — handled via Stripe; we do not store card numbers. Usage and audit logs.
Sensitive information (for example a police check or aviation medical, if ever collected) is handled under section 5; our design preference is reference-only — storing the fact and a reference rather than the document itself.
3. How & why we collect it (APP 3/5)
Directly from you at sign-up, job creation and credential upload; and from an employer, store, an approver, or a service provider where necessary and authorised. We collect only what is reasonably necessary to run the platform. Because of the nature of the platform you cannot use it anonymously. We collect sensitive information only with your consent and only where reasonably necessary.
4. How we use & disclose it (APP 6)
To operate the job/COP you are party to; to make information available to the parties you direct or who are entitled to it (the counterparty to your job, or an approver you apply to); to process payments (Stripe); to send transactional and functional messages; and as required by law.
We do not disclose your information to build a competing dataset, and we do not sell it. Sensitive information is used only for its primary purpose, or a directly related purpose with consent.
5. Storage, security & residency (APP 11)
Personal information is stored in Australia (DigitalOcean Sydney region). We apply encryption in transit and at rest, least-privilege and role-based access, tenant isolation, MFA on administrative access, and audit logging. We take reasonable steps to protect information and, when it is no longer needed, to destroy or de-identify it. This is the “encrypted, Australian servers” promise our product surfaces make.
6. Cross-border disclosure (APP 8)
We keep primary storage in Australia. Some service providers (for example Stripe for payments, and our email delivery provider) may process limited data overseas; where they do, we take reasonable steps to ensure APP-consistent handling.
[To confirm before publishing: the list of overseas processors and the countries in which they process data.]
7. Retention & deletion
Job, application and spray records: 7 years from completion (NSW Pesticides Regulation basis; conservative). Credential evidence: active plus 7 years. Account information: 12 months after closure, then hard-deleted (except where a legal hold applies). We action erasure requests within 30 days, subject to lawful retention.
8. De-identified data product & consent
We may create de-identified (not “anonymised”) datasets. We apply statistical disclosure controls (cohort of at least 10, location fuzzing, identifier removal) before any external share, and only under a data agreement. Participation requires a separate, un-pre-ticked, revocable consent —separate from these terms and from any marketing consent. We will never license it to insurers, banks or lenders, or to anyone who would use it to deny you a service.
9. Marketing & electronic messages
Transactional and functional messages (magic links, requests for information, job notifications) are part of the service. Commercial messages (product news) are sent only with consent and always carry an unsubscribe, consistent with the Spam Act 2003 (Cth).
10. Access, correction & complaints (APP 12/13)
You may request access to, and correction of, your personal information at privacy@commonop.io. If you are not satisfied you may complain to us, and then to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
11. Data breaches
We maintain a data breach response plan and comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
12. Changes & contact
We keep this policy current and date each version. Contact: privacy@commonop.io.