Site Reports

Privacy Policy

Last updated: 28 May 2026

Draft - counsel review required: This policy is intended as an accurate operational summary for Site Reports, but it must be reviewed and adapted by a qualified lawyer for your entity, product facts, subprocessors, and jurisdictional requirements before you rely on it in commerce or regulation.

Who we are

[Site Reports Pty Ltd] [ACN xxx xxx xxx] of [registered office address, Victoria, Australia] (“we”, “us”, “our”) operates Site Reports (the “Service”) from Australia. This Privacy Policy explains how we collect, use, disclose, store and protect personal information when you visit our marketing website or use the Service.

This document is a transparency notice. It is not tailored legal advice and does not replace any privacy assessment, contract or notice that your regulator or your own clients may require you to maintain.

Scope and our roles

Our role depends on the type of personal information involved:

Account, billing and telemetry data - controller. When you create an account, pay for the Service, or use it in a way that generates technical or usage information about you, we determine the purposes and means of processing and act as the controller (under UK/EU GDPR), the “business” (under California’s CCPA/CPRA) and an “APP entity” (under the Australian Privacy Act).

Project content you upload - processor. When you (or your organisation) upload inspection or survey content that may contain personal information about third parties - for example, the names of homeowners, tenants, purchasers, contacts at a building, or photographs of identifiable people in rooms or on site - we process that content on your behalf and on your instructions in order to provide the Service. In that capacity we act as a processor (under UK/EU GDPR), a “service provider” (under CCPA/CPRA) and an “agency-like service provider” treated as part of your APP-handling under the Australian Privacy Act. You (or your organisation) remain the controller of, and are responsible for the lawfulness of, that content. Before you upload project content, you must have all necessary rights, licences, and permissions to do so, including for floor-plan images, room photos, inspection notes, survey-note media, audio clips, short videos, and other files attached to a project (the same obligation is stated in our Terms of Service and Acceptable Use Policy).

Where we act as processor / service provider, we will: (a) process project content only on your documented instructions and as needed to provide and secure the Service; (b) not “sell” or “share” it (as those terms are defined in the CCPA/CPRA) for cross-context behavioural advertising; (c) not use it to train general-purpose AI models for our own benefit; and (d) assist you, where reasonably required, to respond to requests from individuals exercising their rights.

What we collect

We collect the following categories of personal information directly from you, automatically through your use of the Service, or from third parties (such as your identity provider or our payment processor):

Account and identity information - name, email address, organisation identifiers, role, and authentication data processed through our identity provider.

Project content - inspection and survey inputs you choose to upload or enter, including room lists, findings, floor-plan images, measurement values, annotations, comments, reports and files attached to a project. This includes notes and media you attach to rooms, points, boundary vertices, sections, stamps, layers, or the project as a whole - manual text, photos, audio clips, and short videos. You must only upload such content if you have the rights, licences, and permissions described in “Scope and our roles” above. Project content may incidentally contain personal information about you or about third parties (for example, the names or images of people in a building you are inspecting or surveying).

AI feature inputs and outputs - prompts, file contents and contextual metadata that you submit to AI-assisted features, together with the responses generated for you. These are transmitted to one or more third-party AI service providers for processing - see “Disclosure to subprocessors” below and the “Use of third-party AI service providers” section of our Terms of Service.

Technical and usage information - IP address, approximate location derived from IP address, device type, operating system, browser type and version, language settings, the pages you visit, the actions you take in the Service, referring URLs, and security telemetry needed to operate, secure and improve the Service.

Billing information (paid accounts) - billing contact details, billing address, and transaction references processed by our payment processor (Stripe). We do not store full payment card numbers on our servers; card details are handled directly by the payment processor.

Communications - content of emails, support requests, contact-form submissions, and other communications you send to us, together with our responses.

Marketing preferences - your subscription status for product updates, your communication preferences, and your interactions with our marketing emails (where permitted).

Sensitive information - we do not deliberately collect sensitive information (such as health information, biometric data, or government identifiers) and ask that you do not submit it via the Service. If you submit sensitive information through project content, you are responsible for having a lawful basis to do so.

Why we use personal information

We use personal information for the following purposes:

(a) To provide the Service - create and manage your account, authenticate you, store and process project content, generate AI-assisted outputs, deliver reports, and process payments.

(b) To secure the Service - detect, investigate and prevent fraud, abuse, security incidents and misuse (including breaches of our Acceptable Use Policy).

(c) To support you - respond to enquiries, process requests, and provide technical support.

(d) To improve the Service - debug issues, monitor performance, evaluate AI quality (using de-identified data where practicable), and develop new features.

(e) To communicate with you - send service messages, billing notices, security alerts, policy updates and (where you have agreed or where we are otherwise permitted) product news relevant to engineering teams.

(f) To comply with law - meet our regulatory, tax, accounting and law-enforcement-cooperation obligations.

Lawful bases (UK/EU users). Where UK or EU GDPR applies, we rely on the following lawful bases under Article 6 of the GDPR: performance of a contract with you (purposes (a) and (c)); our legitimate interests, balanced against your rights, in operating, securing and improving the Service and developing our business (purposes (b), (d) and (e), where consent is not the basis); compliance with a legal obligation (purpose (f)); and your consent where required (such as for non-essential cookies and certain marketing). You have the right to withdraw consent at any time.

Australian Privacy Act. Where the Australian Privacy Act 1988 (Cth) applies, we collect, hold, use and disclose personal information only where it is reasonably necessary for our functions and in accordance with the Australian Privacy Principles (APPs).

AI features and automated processing

The Service uses third-party artificial intelligence service providers to power features such as report drafting, classification, summarisation and visual interpretation. Our use of those providers is described in the “Use of third-party AI service providers” section of our Terms of Service, which forms part of the contract between us.

Where you use AI-assisted features, prompts and the inputs you submit (which may include personal information from project content) are transmitted to one or more AI providers for processing. Where commercially available, we use enterprise or “no-training” tiers so that your inputs and outputs are not used by AI providers to train or fine-tune their general-purpose models. We do not warrant the practices of any AI provider.

Automated decision-making. The Service does not make decisions that produce legal or similarly significant effects on you based solely on automated processing without meaningful human involvement. AI-assisted outputs are advisory only and you (or your professional users) review and act on them. If our use of AI changes such that automated decision-making with significant effects becomes a feature, we will update this Policy and provide the additional information required by Article 22 of the UK/EU GDPR (such as the logic involved and the consequences of the processing).

If you do not consent to AI processing as described above, do not use AI-assisted features.

Cookies and similar technologies

We use cookies, local storage and similar technologies on our marketing website (sitereports.ai and sitereports.com.au) and in the Service (https://app.sitereports.ai; the same account may also be accessed at app.floorlevelpro.com) for the following purposes:

Strictly necessary - required to provide the Service: authentication tokens, session management, security tokens, and your cookie-consent preferences. These are not subject to consent and are always active.

Analytics - we use Google Analytics 4 (GA4) via Google's gtag library to measure how visitors use our sites. GA4 may use cookies and similar storage to distinguish sessions and recognise returning visitors. We configure Google Consent Mode v2 so that GA4 uses only cookieless, aggregated modelling when analytics consent has not been granted. Analytics tracking is used only with your consent in regions where it is required; in other regions, we default to analytics-enabled unless you opt out.

Marketing - ad conversion pixels (such as Google Ads, Meta Ads) may be loaded to measure advertising effectiveness. These are used only with your explicit consent for the "Marketing" category and are never loaded if marketing consent has not been granted.

Attribution - we capture standard campaign parameters (utm_source, utm_medium, utm_campaign, and ad-platform click IDs such as gclid) from the URL when you visit our marketing site or app. These parameters are stored in browser sessionStorage and localStorage only, not in cookies, and are used purely to understand which marketing channels are effective. No personal information is stored in sessionStorage or localStorage before you create an account.

How we collect consent. On our marketing site, a consent banner is presented to visitors from regions where applicable law requires opt-in consent (including EU/UK/EEA, Switzerland and Brazil) before non-essential storage is used. Visitors from other regions have analytics enabled by default but can opt out at any time via the cookie preferences icon (bottom-left corner). In the web application, the same preferences interface is available after you sign in.

Your consent choices are stored in your browser's localStorage under the key "flp_consent", along with a policy version number and a timestamp. If we add new tracking categories or vendors, we will increment the policy version and present the consent banner again to collect fresh choices.

Do Not Track and Global Privacy Control. We recognise the Do Not Track (DNT) browser signal and the Global Privacy Control (GPC) header ("Sec-GPC: 1"). If either signal is detected, we automatically deny all non-essential storage - no consent banner is shown - and your preference is honoured without any further action on your part. GPC is also treated as a valid opt-out of "sale" or "sharing" of personal information for cross-context behavioural advertising under California's CCPA/CPRA and equivalent US state laws.

You can change your cookie preferences at any time by clicking the cookie settings icon on our website or within the application. Disabling analytics or marketing cookies will not affect your ability to use the Service.

Disclosure to subprocessors

We use reputable infrastructure and software vendors (“subprocessors”) to host data and deliver the Service. Subprocessors process personal information only to deliver the services we instruct them to provide and are bound by appropriate contractual safeguards.

Current categories include: cloud application hosting, databases, authentication, file storage and serverless compute (for example, Google Firebase / Google Cloud Platform); content delivery, edge networking, DNS and security (for example, Cloudflare); payment processing (for example, Stripe); transactional and notification email delivery; observability, error reporting and security monitoring; and third-party artificial intelligence service providers used to power AI-assisted features (for example, OpenAI, Anthropic or Google AI services).

Vendor names and roles change as we optimise quality, cost, latency and regional availability. A current summary of subprocessors is available on request via the contact channels at the bottom of this page; enterprise customers may receive an updated subprocessor list as part of their commercial agreement.

We may also disclose personal information to: our professional advisors (lawyers, accountants, auditors); a successor entity in the event of a merger, acquisition or sale of substantially all of our assets; and law-enforcement authorities, regulators, courts or other parties where required by law or where we reasonably believe disclosure is necessary to protect rights, property or safety.

International data transfers

We are based in Australia. Some subprocessors store or process personal information outside Australia, including in the United States, the United Kingdom, the European Economic Area, and other jurisdictions where major cloud providers operate. In particular, third-party AI providers used by AI-assisted features routinely process inputs and outputs in the United States.

Australia. Where we disclose personal information overseas, we take steps that are reasonable in the circumstances under Australian Privacy Principle 8 to ensure overseas recipients handle the information in accordance with the APPs, subject to any exceptions in the Privacy Act (including where you consent to the disclosure). By using AI-assisted features, you consent to the international processing described in our Terms of Service.

New Zealand. Where we disclose personal information of New Zealand individuals overseas, we comply with Information Privacy Principle 12 of the Privacy Act 2020 (NZ), including by relying on an exception or by ensuring the recipient is required to protect the information in a manner that, overall, provides comparable safeguards to those in the Privacy Act 2020.

United Kingdom and EEA. Where we transfer personal information of UK or EEA individuals to a country that has not been the subject of an adequacy decision by the UK Government or the European Commission, we put in place appropriate safeguards, typically the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, supplemented where necessary by additional technical and organisational measures. You may request a copy of the relevant transfer mechanism via the contact channels at the bottom of this page.

United States. By using the Service from a country outside the United States, you understand that personal information you submit may be transferred to and processed in the United States, where data protection laws may differ from those in your country.

Security and data breaches

We implement administrative, technical and organisational measures appropriate to the nature, scope, context and purposes of the processing - including access controls, multi-factor authentication for administrative access, encryption in transit, hardened cloud configurations, supplier diligence, logging and monitoring, and incident response procedures. No online service can guarantee absolute security.

If we become aware of a personal information breach that is reasonably likely to result in serious harm (or that meets an equivalent threshold under another applicable law), we will notify the relevant regulators and affected individuals as required: in Australia, under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act; in New Zealand, under section 114 of the Privacy Act 2020; in the UK / EEA, under Articles 33 and 34 of the GDPR; and in the United States, under applicable state breach-notification laws.

How long we keep personal information

We retain personal information only for as long as is reasonably necessary for the purposes set out above, unless a longer retention period is required or permitted by law. Our typical retention guidelines are:

Account and identity data - for the lifetime of the account and for a reasonable period (typically up to 12 months) afterwards to resolve disputes, comply with law and maintain backup integrity.

Project content - for the lifetime of the account; on account termination, project content is retained for thirty (30) days to allow export (other than where termination is for cause as described in our Terms of Service) and is then deleted from active systems, with backup deletion completing on the normal backup-rotation cycle.

Survey video notes - short video clips attached to surveys (including point videos) are stored only for 30 calendar days from capture, or from upload when capture time is not recorded. After that period we delete the video file from our storage systems and clear the playable link in your project data; the note may appear as expired in the Service. Any separate text note generated from a point video by an AI-assisted feature (where you use that feature) may remain as part of project content until project deletion under the rule above. Manual text, image, and audio notes are not subject to this automatic video deletion schedule.

AI inputs and outputs - retained as part of the related project content above. AI providers process the data briefly under their own retention policies; where commercially available we use enterprise tiers that minimise provider-side retention.

Billing records - retained for at least seven (7) years to comply with Australian tax and corporations-law record-keeping obligations.

Security and audit logs - retained for the period needed to investigate incidents and meet legal obligations (typically up to 12 months for routine logs; longer for material incidents).

Communications - retained for the period needed to handle the matter and any reasonable follow-up, and as required by law.

Marketing preferences - retained until you unsubscribe or until we determine the record is no longer needed, plus a short period to action your preference change.

Where we no longer have a lawful purpose to retain personal information, we will delete or de-identify it.

Your privacy rights

Subject to applicable law and the exceptions described below, you may have the following rights in relation to personal information we hold about you (as controller): access (a copy of your personal information); correction or rectification (of inaccurate or incomplete information); deletion or erasure (in certain circumstances); restriction of processing; objection to processing (including for direct marketing); data portability (receiving your data in a structured, machine-readable format and, where technically feasible, having it transmitted to another controller); and the right to withdraw consent (where processing is based on consent).

How to exercise your rights. You can exercise rights through the in-product settings where available, or by contacting us at the address below. We will respond within the timeframe required by applicable law (generally 30 days, extendable in complex cases). We may need to verify your identity before acting on a request and may decline or limit a request where an exception applies (for example, where the request is manifestly unfounded, would infringe another person’s rights, or where we are required by law to retain the information).

Project content (where we are processor). If you wish to exercise rights in relation to personal information that appears in project content uploaded by another customer (for example, your details appear in someone’s survey), please contact that customer directly. We will assist them as required by our processor obligations.

Right to complain. If you believe we have mishandled your personal information, please contact us first so we can try to resolve the matter. You may also lodge a complaint with the privacy regulator in your country - see the “Regional notices” sections below.

No discrimination. We will not discriminate against you for exercising your privacy rights - for example, by denying service, charging different prices or providing a lower quality of service - except as permitted by law (for example, where the difference is reasonably related to the value of the personal information to providing the Service).

Regional notice - Australia

If you are in Australia, your personal information is handled in accordance with the Australian Privacy Principles in the Privacy Act 1988 (Cth). The categories described above (“What we collect”, “Why we use personal information”) are our APP 5 collection notice; the international disclosure section is our APP 8 notice; and the rights section explains how to exercise APP 12 (access) and APP 13 (correction) rights.

You may complain to us in the first instance via the contact details below. We will acknowledge complaints promptly and respond substantively within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by telephone on 1300 363 992.

Regional notice - New Zealand

If you are in New Zealand, your personal information is handled in accordance with the Information Privacy Principles in the Privacy Act 2020. You have rights to access (IPP 6) and correct (IPP 7) personal information we hold about you; please contact us via the details below.

Cross-border disclosure (IPP 12). When we disclose personal information of New Zealand individuals to overseas subprocessors, we either rely on an exception in the Privacy Act 2020 or ensure the recipient is required to protect the information in a manner that, overall, provides comparable safeguards.

Notifiable privacy breaches. If we experience a privacy breach that is reasonably likely to cause serious harm to affected individuals, we will notify the Office of the Privacy Commissioner and the affected individuals as required by section 114 of the Privacy Act 2020.

Complaints. You may complain to us in the first instance, and you also have the right to complain to the Office of the Privacy Commissioner of New Zealand at www.privacy.org.nz.

Regional notice - United Kingdom and European Economic Area

If you are in the United Kingdom or the European Economic Area (EEA), the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, or the EU General Data Protection Regulation (EU GDPR), apply to our processing of your personal information.

Controller. [Site Reports Pty Ltd] [ACN xxx xxx xxx] of [registered office address, Victoria, Australia] is the controller for the account, billing, telemetry and marketing purposes described above. For project content uploaded by your organisation, your organisation is the controller and we act as processor on its instructions.

Lawful bases. We rely on the lawful bases described in “Why we use personal information” above. Where we rely on legitimate interests, our balancing assessment is available on request.

Your rights. You have the rights described in “Your privacy rights” above, as set out in Articles 15 to 22 of the UK/EU GDPR. You also have the right to lodge a complaint with the supervisory authority in your country of residence - for example, the UK Information Commissioner’s Office (ICO) at www.ico.org.uk, the Irish Data Protection Commission, the French CNIL, or the German federal or state authorities.

International transfers. Where we transfer personal information outside the UK or EEA to a country that has not been the subject of an adequacy decision, we use appropriate safeguards as described in “International data transfers” above (typically the EU Standard Contractual Clauses and, for transfers from the UK, the UK International Data Transfer Addendum or Agreement).

Article 27 representative. Site Reports is operated from Australia and is not currently actively marketed in the UK or EEA. Before we begin actively offering the Service to data subjects in the UK or EEA, we will appoint a representative in the UK and the EU as required by Article 27 of the UK GDPR and of the EU GDPR and update this Policy with their contact details. In the meantime, you can contact us using the details below for any UK/EU GDPR matter.

Regional notice - California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), gives you the rights summarised below. For purposes of the CCPA, [Site Reports Pty Ltd] is a “business” for the account, billing, telemetry and marketing data described above, and is a “service provider” for project content uploaded by another customer.

Categories of personal information collected (CCPA categories). In the 12 months preceding the date of this Policy we have collected: identifiers (name, email, account ID, IP address); customer-records information (billing contact); commercial information (subscription status, purchases); internet or other electronic network activity (interactions with the Service, device and browser data); geolocation data (approximate location derived from IP address); audio, electronic, visual, or similar information (where you upload images or files); professional or employment-related information (organisation, role); inferences drawn from the above (for example, product preferences); and content of your communications with us. We do not knowingly collect the “sensitive personal information” categories defined under the CCPA.

Sources. We collect personal information directly from you, automatically through your use of the Service, and from third parties such as your identity provider and our payment processor.

Purposes. We use personal information for the business purposes described in “Why we use personal information” above (providing, securing, supporting and improving the Service; communicating with you; complying with law).

Disclosure. We disclose the categories above to the categories of subprocessors and recipients listed in “Disclosure to subprocessors” above.

Sale and sharing. We do not “sell” personal information for monetary consideration. We do not “share” personal information for cross-context behavioural advertising. If we ever begin to do so, we will update this Policy, present a “Do Not Sell or Share My Personal Information” link and honour the Global Privacy Control (GPC) signal.

Your CCPA rights. You have the right to: know what personal information we collect, use, disclose and (if applicable) sell or share; access a copy of your personal information; correct inaccurate personal information; delete your personal information (subject to exceptions); limit the use and disclosure of sensitive personal information (where we collect it); opt out of any sale or sharing; and not be discriminated against for exercising these rights.

How to exercise CCPA rights. Submit a request via the contact details below. You may also designate an authorised agent to make a request on your behalf; we will require written proof of authorisation. We will verify your identity before acting on a request (typically by matching information you provide against information we already hold). We will respond within the timeframes required by the CCPA (generally 45 days, extendable by another 45 days where reasonably necessary).

Notice of financial incentive. We do not currently offer financial incentives or price/service differences in exchange for the retention or sale of personal information.

Shine the Light. California Civil Code section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for the third parties’ direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Regional notice - Other US state privacy laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, Florida, New Jersey, New Hampshire, Minnesota, Maryland, or any other US state with a comprehensive consumer privacy law, you may have rights similar to the CCPA rights described above - including the right to access, correct, delete and obtain a copy of your personal information, the right to opt out of the sale of personal information and of targeted advertising, and (where applicable) the right to appeal a denial of your request.

You can exercise these rights using the contact details below. We will verify your identity, respond within the timeframe required by your state law, and (where required) provide an internal appeal mechanism if we decline a request. We do not “sell” personal information for monetary consideration and do not engage in “targeted advertising” as those terms are defined under those laws. If we ever do, we will honour validly transmitted universal opt-out mechanisms (such as the Global Privacy Control) where required.

Children

The Service is intended for professionals and organisations and is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us via the details below and we will take reasonable steps to delete it.

In the United States, we do not knowingly collect personal information from children under 13 in a manner that would require parental consent under the Children’s Online Privacy Protection Act (COPPA), and we do not knowingly “sell” or “share” the personal information of California residents under 16 without the relevant consent required by the CCPA.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time by posting a revised version on this site and updating the “Last updated” date. For changes that materially affect your rights, we will provide reasonable additional notice through the Service or by email where appropriate (and, where the change requires it, ask you to acknowledge the updated Policy before continuing to use the Service).

How to contact us

Privacy enquiries, complaints and rights requests (including DSARs under UK/EU GDPR, requests under the CCPA and other US state laws, and access/correction requests under the Australian Privacy Act and the NZ Privacy Act) should be addressed to: support@floorlevelpro.com.

Postal address: [Site Reports Pty Ltd], [registered office address, Victoria, Australia].

For users in the UK and EEA: until our Article 27 representative is appointed (see the UK and EEA regional notice above), please contact us using the details above for any UK/EU GDPR matter.