Privacy Policy
1. About This Policy
COLLS, OSCAR CHARLES operates Cortir, a job management platform for trades businesses in Australia. This privacy policy explains how we handle personal information collected through the Cortir application.
As a small business (annual turnover under $3 million), we may be exempt from the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We have adopted this policy voluntarily because we believe transparency about data handling is important, particularly given that personal information is processed by overseas service providers as part of our core functionality.
This policy applies to:
- App users — tradies and managers who create accounts and use Cortir
- Customers — individuals whose personal information is entered into Cortir by app users in the course of managing jobs
If you are a tradie or manager entering your customers' information into Cortir, you are responsible for your own privacy obligations to those customers under Australian law.
2. What Personal Information We Collect
App Users (Tradies and Managers)
- Full name
- Email address
- Phone number
- Role within the app (manager or tradie)
- Labour rate
Business Information
- Business name
- Australian Business Number (ABN)
- Phone number, email address, suburb, and timezone
Customer Information (Entered by App Users)
- Full name
- Phone number
- Email address
- Customer status (lead, active, or inactive)
- Notes and source/referral information
Job and Financial Data
- Job site address, suburb, and geographic coordinates (latitude/longitude derived from the address)
- Job description, type, and scheduled date/time
- Duration estimates
- Parts used, labour hours, and costs
- Quote details including line items (labour, materials, call-out fees, subcontractor charges)
- Invoice and payment dates
- Subcontractor names, trades, phone numbers, email addresses, ABNs, and rates
Communications
- Full text of message threads between app users and the Cortir AI assistant
- Voice message transcriptions (the audio recording itself is not stored — only the text transcription)
Operational and Audit Data
- Records of AI processing: the text sent to and received from AI services, intent classifications, and quality evaluations
- API call metadata: service provider, model used, token counts, processing time, and tool call details including arguments and result summaries
3. How We Collect Personal Information
We collect personal information in three ways:
- Directly from app users — when you create an account (email and password) and when you enter information through the chat interface or app forms.
- From app users about their customers — tradies enter customer details through natural language messages (for example, "Customer John Smith, 14 Blake St, Reservoir, needs an electrical repair"). The AI assistant extracts structured data from these messages and creates records.
- Generated automatically — geographic coordinates are derived from job site addresses. AI processing logs are created each time the AI assistant handles a message.
4. Why We Collect and Use Personal Information
| Data Category | Purpose |
|---|---|
| User account data | Authentication, access control, identifying who performed actions |
| Customer data | Job management, scheduling, customer communications, quoting, invoicing |
| Job and financial data | Managing the job lifecycle from enquiry through to payment |
| Communications | Providing AI-assisted responses, maintaining conversation context for accurate job management |
| Operational and audit data | Monitoring AI response quality, debugging issues, tracking usage costs, ensuring AI responses are appropriate |
| Geographic coordinates | Mapping job locations |
| Labour rates and pricing | Generating quotes and invoices |
We do not use personal information for marketing, advertising, profiling, or sale to third parties.
5. Disclosure to Third Parties and Cross-Border Transfer
To provide the Cortir service, personal information is transmitted to the following overseas service providers. Both are based in the United States.
Anthropic (United States)
- What is sent: Job details, customer names, phone numbers, addresses, job descriptions, notes, message history, subcontractor details, quoting and pricing information. This data is sent as part of AI processing requests and is not redacted or anonymised before transmission.
- Why: Anthropic's Claude AI is the core engine that powers Cortir's conversational job management — extracting structured data from messages, managing scheduling, generating quotes, and assisting with job workflows.
- Their terms: Anthropic's standard API terms of service state that API inputs are not used to train their models. No separate Data Processing Agreement is in place.
OpenAI (United States)
- What is sent: Audio recordings of voice messages for transcription.
- Why: Converting spoken voice messages into text so they can be processed by the system.
- Their terms: Governed by OpenAI's standard API terms of service. No separate Data Processing Agreement is in place. The audio recording is not stored by Cortir after transcription.
Supabase (Sydney, Australia)
- What is stored: All data at rest is stored on Supabase infrastructure in the Sydney (ap-southeast-2) region in Australia.
- This is not a cross-border transfer. Your data at rest remains in Australia.
Backend application servers (Sydney, Australia)
Our backend application runs on infrastructure located in Sydney, Australia. Data processed by our application servers does not leave Australia except for the specific overseas transfers listed above.
Important Notice About Overseas Transfers
Australian privacy law differs from United States privacy law. The protections available under US law may not be equivalent to those available under the Australian Privacy Principles. We do not currently have binding Data Processing Agreements with the overseas providers listed above; we rely on each provider's standard terms of service.
By using Cortir, you acknowledge and consent to the transfer of personal information (including your customers' personal information that you enter into the system) to these United States-based service providers for the purposes described above.
6. Data Security
We take the following steps to protect personal information:
- Encryption in transit: All data transmitted between your device, our servers, and third-party services is encrypted using HTTPS/TLS.
- Encryption at rest: Data stored in our database is encrypted at rest by our database provider (Supabase).
- Access control: Row Level Security policies enforce data isolation between businesses — each business can only access its own data. Within a business, managers have full access while tradies have restricted access to jobs they are assigned to.
- Authentication: JWT-based authentication verifies identity on every request. Sessions are stored in memory, not in cookies.
- Security headers: Standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are applied in production.
Limitations
In the interest of transparency, we acknowledge:
- Personal information fields (names, phone numbers, addresses, etc.) are not encrypted at the application level within the database. Protection relies on database-level encryption at rest and access control policies.
- Deleted records are marked as inactive but are not permanently removed from the database (see section 9).
- Personal information is sent to overseas AI and messaging providers without redaction, as described in section 5.
7. Access to Your Personal Information
You can request access to the personal information we hold about you by contacting us at oscar@cortir.com.au. We will respond to access requests within 30 days.
There is currently no self-service data export feature in the app. Access requests are handled manually.
If you are a customer whose information was entered into Cortir by a tradie, please direct your access request to the tradie or business that collected your information, as they are the party with the primary relationship to you.
8. Correction of Personal Information
If you believe any personal information we hold about you is inaccurate, incomplete, or out of date, you can:
- Update some information directly through the Cortir chat interface (for example, customer details or job information).
- Request corrections by contacting us at oscar@cortir.com.au.
Please note that corrected data may still appear in historical audit and processing logs.
9. Data Retention
We do not currently have automated data retention or purge schedules. Data is retained while accounts are active.
If you wish to delete your data, contact us at oscar@cortir.com.au. We will manually delete your account data, job records, customer information, message history, and associated AI processing logs within 30 days of receiving the request. We may retain limited records (such as audit logs of the deletion itself) where required for operational or legal purposes.
If you are a customer whose information was entered into Cortir by a tradie, please direct deletion requests to the tradie or business that collected your information in the first instance.
10. Cookies and Tracking
Cortir does not use cookies for tracking or analytics. Authentication uses JWT tokens stored in browser memory, not cookies. We do not use any third-party analytics, advertising, or tracking services.
11. Changes to This Policy
We may update this policy from time to time. Changes will be posted at this location with an updated "Last updated" date. Continued use of Cortir after changes are posted constitutes acceptance of the updated policy.
12. Contact and Complaints
If you have questions about this policy or how we handle personal information, contact:
COLLS, OSCAR CHARLES
ABN: 80 260 137 386
Email: oscar@cortir.com.au
If you are not satisfied with our response to a privacy concern, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992