PRIVACY POLICY

Last updated: May 2025 · Steadyhand · Western Australia

Steadyhand Trade Pty Ltd is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This policy explains what personal information we collect, how we use it, and your rights in relation to it.

1. Who We Are

Steadyhand is operated by Steadyhand Trade Pty Ltd (ABN 14 696 780 588), a company registered in Western Australia. We operate the Steadyhand platform at steadyhandtrade.app — a request-to-warranty job management platform for homeowners and trade businesses.

For privacy enquiries, contact our Privacy Officer at hello@aridhouse.com.

2. What Personal Information We Collect

We collect personal information you provide directly and information generated through your use of the platform:

Account and identity information

  • Full name and email address
  • Suburb and state of residence or business
  • Phone number (optional)
  • Role on the platform (homeowner or trade business)

Trade business credentials

  • Business name and trading name
  • Australian Business Number (ABN)
  • Trade licence number and licence type
  • Insurance expiry dates
  • Trade categories and service areas

Job and contract information

  • Job descriptions, scope of work, inclusions and exclusions
  • Quote amounts and milestone payment records
  • Signed scope agreements and associated documents
  • Warranty issue reports and resolution records
  • Messages exchanged between parties through the platform

Electronic signature audit trail data

  • IP address at the time of signing
  • Browser user agent string
  • Timestamp of signature event (UTC)
  • Email address of signing party

Technical and usage information

  • Log data including pages visited, timestamps, and error events
  • Device type and operating system (from authentication logs)
  • Payment processing tokens and Stripe account identifiers (where applicable)

We do not collect sensitive information as defined by the Privacy Act (such as health information, racial or ethnic origin, or political opinions) except where you voluntarily provide it in a job description or message.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Account management: Creating and maintaining your account, authenticating your identity, and enabling platform features.
  • Job matching: Displaying homeowner job requests to relevant trade businesses based on trade category and service area.
  • Scope agreements and contracts: Generating, storing, and serving signed scope agreement documents as legally binding records.
  • Invoicing and payment processing: Processing milestone payments through Stripe Connect and maintaining financial records.
  • Compliance documentation: Generating and storing compliance documents, warranty certificates, and audit trails for building and trade work.
  • Platform communications: Sending transactional emails relating to your jobs, such as milestone approvals, scope signing reminders, and warranty notifications.
  • Credential verification: Verifying trade licences and insurance where you have provided them, including by cross-referencing public registers.
  • Platform improvement: Analysing usage patterns in aggregated, de-identified form to improve the platform.
  • Legal compliance: Meeting obligations under applicable Australian law, including record-keeping requirements for building work.

We do not sell your personal information to third parties. We do not use your information for targeted advertising.

4. Electronic Signatures and Audit Trails

Electronic signatures executed through Steadyhand are legally valid under the Electronic Transactions Act 1999 (Cth) and applicable state electronic transactions legislation. When you sign a scope agreement or other document on Steadyhand, we capture and permanently store:

  • Your full name as it appears in your profile at the time of signing
  • Your email address
  • The IP address from which the signature was applied
  • Your browser user agent string
  • The precise timestamp of the signing event

This audit trail is a legal record of the signing event. It cannot be deleted from the platform, even on account deletion request, because it forms part of the evidentiary record of the agreement between the parties. Parties to a signed agreement may request a copy of their own audit trail data.

The IP address capture is disclosed at the point of signing. By signing a document on Steadyhand, you consent to this capture for legal compliance purposes.

5. Retention Periods

We retain personal information for as long as necessary for the purposes for which it was collected, subject to the following specific retention rules:

  • Job documents (scope agreements, milestone records, warranty certificates, audit trails): Retained for a minimum of 7 years from job completion. This reflects building compliance requirements under WA law, which require certain records to be retained for at least 6 years, and best practice for property-related documentation. Signed scope agreements are subject to indefinite retention as legal records.
  • Account profile data: Retained for the life of the account, then deleted within 90 days of a verified account deletion request, subject to legal hold obligations below.
  • Payment records: Retained for 7 years in compliance with Australian taxation law.
  • Messages and communications: Retained for the life of the associated job, then for 7 years from job completion.
  • Electronic signature audit trails: Retained indefinitely as legal records. These cannot be deleted because they form part of a signed agreement between third parties.
  • Technical logs: Retained for up to 90 days unless required for an active investigation.

Where data cannot be deleted due to legal obligations (for example, audit trail data in a signed contract), we will inform you of this and explain the basis for retention when you request deletion.

6. Where Your Data Is Stored

All personal information collected by Steadyhand is stored in Australia. Our primary database and storage infrastructure is provided by Supabase, operating in the ap-southeast-2 (Sydney) AWS region.

Payment processing is handled by Stripe, Inc., which may process transaction data on servers outside Australia. Stripe is subject to its own privacy policy and complies with applicable Australian financial services regulations.

Email communications are delivered via Resend, which may route email traffic through servers outside Australia. The content of emails is not persistently stored by Resend.

We do not transfer your personal data to overseas recipients except as described above and where necessary for the payment or email delivery services.

7. Disclosure of Your Information

We share your personal information only in the following circumstances:

  • Between parties to a job: Homeowners and trade businesses can see each other's name, business name, suburb, trade category, and contact information as part of the job process. Trade credential information (licence number, ABN) is visible to homeowners as part of the scope agreement.
  • Service providers: We share data with Stripe (payments), Resend (email), and Supabase (database/storage) as necessary to provide the platform. These providers are bound by their own privacy policies and data processing agreements.
  • Legal requirements: We may disclose information where required by law, court order, or in response to a valid request from a law enforcement authority.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity. We will notify affected users.

We will not disclose your personal information to any other third party without your consent.

8. Your Rights Under the Australian Privacy Act 1988

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights in relation to your personal information:

  • Access: You may request access to the personal information we hold about you. We will respond within 30 days. In some cases a reasonable fee may be charged for providing access.
  • Correction: If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may request that we correct it. We will correct or append a note of disagreement within 30 days.
  • Deletion: You may request deletion of your account and associated personal information. We will action deletion requests within 90 days, subject to our legal retention obligations (see Section 5). Some data cannot be deleted where it forms part of a signed legal document.
  • Complaint: If you believe we have breached the Australian Privacy Principles, you may complain to us directly at hello@aridhouse.com. We will acknowledge your complaint within 7 days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

To exercise any of these rights, contact our Privacy Officer at hello@aridhouse.com. We may need to verify your identity before acting on your request.

9. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration or destruction. These include:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Database access is protected by row-level security policies
  • Authentication is handled by Supabase Auth with secure token management
  • API keys and credentials are stored as environment secrets and are not exposed to client-side code
  • Payment card data is never stored by Steadyhand — it is handled entirely by Stripe

No method of electronic transmission or storage is 100% secure. In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify affected users and the OAIC as required by the Notifiable Data Breaches scheme.

10. Cookies and Tracking

Steadyhand uses session cookies and local storage to maintain your authentication state while you are logged in. We do not use tracking cookies or third-party analytics cookies. We do not use advertising pixels or social media tracking scripts.

Authentication cookies are strictly necessary for the platform to function. They are deleted when you log out or when your session expires.

11. Children

Steadyhand is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Registered users will be notified of material changes by email. The date at the top of this page indicates when the policy was last updated. Continued use of the platform after a policy update constitutes acceptance of the updated policy.

13. Contact

For any privacy enquiries, requests to access or correct your information, or to make a complaint, contact our Privacy Officer:

Steadyhand Privacy Officer

Email: hello@aridhouse.com

Steadyhand Trade Pty Ltd · ABN 14 696 780 588 · Western Australia

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or on 1300 363 992.
