Privacy Policy v2.0 · 5 May 2026

How TowerDesk handles personal information
This policy applies to the entire TowerDesk platform — web app, API, mobile apps, and any related services — and is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Effective Date: 5 May 2026
Provider: TowerDesk
ABN: 89 719 330 602
Website: www.towerdesk.com.au
Privacy Contact: privacy@towerdesk.com.au

TowerDesk (ABN 89 719 330 602) is committed to protecting the privacy of personal information we handle. This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information in connection with our cloud-based strata management software platform.

By creating an account, accessing TowerDesk, using the Platform, or allowing users to access the Platform through your account, you acknowledge this Privacy Policy. This policy is incorporated by reference into our Terms and Conditions.

Capitalised terms not defined here have the meanings given in our Terms and Conditions.

1. Who We Are and What We Do

TowerDesk (ABN 89 719 330 602) operates a cloud-based strata management software platform used by Australian strata management businesses, owners corporations, body corporates, building managers, lot owners, residents, tenants, and authorised contractors.

The Platform is provided as a hosted subscription service via www.towerdesk.com.au, the TowerDesk API, and TowerDesk mobile applications.

This policy applies to all personal information we handle in connection with the Platform.

2. What Personal Information We Collect

We collect personal information that is reasonably necessary for our functions and activities. The categories we typically collect include:

2.1 Account information (required)

2.2 Resident, owner, tenant, and contractor details

When you (as a strata manager, building manager, or committee member) use the Platform, you may upload personal information about residents, owners, tenants, contractors, committee members, and other building stakeholders, including names, addresses, contact details, and lot or unit details. You are responsible for ensuring you have the lawful right and any required consents to upload this information — see §16.

2.3 Payment information

2.4 Platform content

2.5 Technical and usage information

2.6 Communications

2.7 What we do NOT collect

3. How We Collect Personal Information

We collect personal information:

  1. directly from you when you create an account, complete a form, upload content, send a message, make a payment, or contact us;
  2. automatically when you use the Platform (server logs, analytics, cookies — see §6);
  3. from your authorised users (employees, agents, committee members) acting on your behalf;
  4. from service providers we use to deliver the Platform (e.g. payment processor, email and SMS delivery providers);
  5. from publicly available sources where reasonably necessary to verify a business identity (e.g. ABN lookup);
  6. from referrers or invitees, where another customer invites you to TowerDesk.

Where it is unreasonable or impracticable to collect personal information directly from the individual concerned, we may collect it from a third party — for example, a strata manager uploading owner contact details from a strata roll. In those cases, the strata manager (not TowerDesk) is responsible for ensuring the individual has been notified in accordance with Australian Privacy Principle 5.

4. Why We Collect and Use Personal Information

We collect, hold, use, and disclose personal information for the following primary purposes:

  1. to provide, maintain, secure, and improve the Platform;
  2. to authenticate users and protect accounts;
  3. to process payments, issue invoices, and manage subscriptions and renewals;
  4. to send transactional communications (receipts, invoices, password resets, account verification, security alerts);
  5. to send notifications you have configured (tickets, parcels, notices, levy reminders, emergencies);
  6. to provide customer support, troubleshoot issues, and respond to enquiries;
  7. to monitor for fraud, abuse, security incidents, and breaches of our Terms and Conditions;
  8. to comply with legal, tax, regulatory, audit, and record-keeping obligations;
  9. to enforce or defend our legal rights, including in disputes;
  10. to perform analytics that improve product performance, reliability, and user experience (see §6); and
  11. for any other purpose disclosed at the point of collection or to which you consent.

We may also use de-identified or aggregated data for benchmarking, product research, and reporting. Once data is genuinely de-identified, it is no longer personal information under the Privacy Act.

5. Sensitive Information

"Sensitive information" is a special category under the Privacy Act and includes information about health, religion, sexual orientation, criminal record, racial or ethnic origin, political opinions, and biometric data.

TowerDesk does not require sensitive information to operate. We will not collect sensitive information from you unless you provide it voluntarily (for example, attaching a medical certificate to a defect report or accessibility-related work order) or unless required by law.

If you upload sensitive information into the Platform — for instance, attaching a document containing health-related information to a maintenance ticket — you confirm that you have a lawful basis to do so and any required consents from the individuals concerned. Where reasonably possible, you should redact sensitive information that is not necessary for the strata-management purpose.

6. Cookies, Analytics, and Tracking

The TowerDesk website and web platform use cookies and similar technologies for the following purposes:

  1. Strictly necessary cookies — session cookie (td_session), set on login, marked Secure and SameSite=Strict, used to keep you authenticated. Without this cookie the Platform cannot function.
  2. First-party analytics — TowerDesk operates its own first-party analytics (td-track.js) that records page views, session counts, referrer information, and approximate geographic region. We do not share this data with third-party advertisers. IP addresses are hashed before storage. You can opt out via your browser's Do Not Track signal or by blocking the script.
  3. Functional storage — your browser's localStorage may hold short-lived state (recently viewed buildings, draft text, UI preferences). This data does not leave your device.

We do not use third-party advertising cookies, retargeting pixels, or social-media tracking on the customer-facing portal. The marketing pages (such as the home page) may use limited analytics from Google Analytics or similar — see §15 for third-party services.

You can disable cookies in your browser, but this will prevent you from logging into the Platform.

7. How We Share Personal Information

We share personal information only with:

  1. Authorised users on your account — strata managers, committee members, contractors, residents, and other users you have invited or who have been added by an authorised user;
  2. Service providers processing personal information on our behalf under written confidentiality and data-protection obligations, including:
    • Stripe — payment processing and subscription billing;
    • Australian-based hosting provider — server infrastructure;
    • Email delivery providers — transactional and notification emails;
    • SMS gateway providers — SMS notifications, where enabled;
    • Google (Firebase Cloud Messaging) — push notifications to mobile devices;
    • Customer support tools used by TowerDesk staff;
  3. Professional advisers — auditors, accountants, and lawyers acting under confidentiality;
  4. Authorities and regulators where required by law, court order, search warrant, subpoena, or to protect rights, property, or safety;
  5. Successors — in the event of a sale, merger, restructure, or transfer of the Platform, on the same terms as this Privacy Policy.

We do not sell, rent, or trade personal information.

8. Cross-Border Data Transfers

Customer Data is stored on servers located in Australia.

However, certain operational tasks may involve disclosure to overseas recipients:

  1. Stripe processes payment information in the United States and the European Economic Area;
  2. Google services (including Firebase Cloud Messaging and Google ML Kit on-device features) may process data in the United States;
  3. Email delivery providers may operate from data centres in the United States or the European Union.

Where personal information is disclosed to an overseas recipient, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles, including through written contractual obligations.

By using the Platform, you acknowledge that personal information may be transferred outside Australia for these limited operational purposes.

9. Storage, Security, and Retention

9.1 Where data is stored

Customer Data is stored on Australian-hosted servers using encrypted-at-rest storage. Daily backups are retained for operational continuity and disaster recovery (see clause 14 of our Terms and Conditions).

9.2 Security measures

We use commercially reasonable technical and organisational security measures, including:

  1. HTTPS/TLS for all communication between clients and our servers;
  2. Bcrypt password hashing with a per-user salt (we never see, store, or transmit your plaintext password);
  3. Brute-force lockout on failed login attempts;
  4. Strict same-site session cookies and locked CORS allowlist;
  5. Webhook signature verification using HMAC-SHA256 with a 5-minute replay window;
  6. Role-based access controls within each customer's tenant;
  7. Least-privilege server access, audit logging, and regular review of access rights;
  8. Secure file uploads with content-type validation and randomised non-enumerable filenames;
  9. Encrypted credential storage on mobile apps (Android EncryptedSharedPreferences with AES-256-GCM, iOS Keychain).

9.3 No system is perfectly secure

Despite these measures, no software, cloud platform, network, or device can be guaranteed to be completely secure. Clause 12 of our Terms and Conditions sets out the limitation on TowerDesk's liability in connection with cyber events, except to the extent any liability cannot be excluded under Australian law.

9.4 Retention

We retain personal information only for as long as is reasonably necessary for the purposes set out in §4, including to:

  1. provide the Platform during your active subscription;
  2. comply with our legal, tax, audit, and record-keeping obligations (typically 7 years for financial records);
  3. resolve disputes and enforce our agreements;
  4. maintain backups for a reasonable disaster-recovery window after deletion (typically up to 90 days).

If your subscription is cancelled, suspended, or terminated, clause 7 of our Terms and Conditions describes how Customer Data may be deleted, archived, or de-identified.

10. Notifiable Data Breaches

Australia's Notifiable Data Breaches scheme (under Part IIIC of the Privacy Act) requires entities covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

If TowerDesk becomes aware of a suspected or actual data breach affecting personal information, we will:

  1. take reasonable steps to assess, contain, and mitigate the incident;
  2. investigate the cause, scope, and likely impact;
  3. notify affected parties and the OAIC where required by the Notifiable Data Breaches scheme; and
  4. document our response.

If you are a strata manager or other organisation using TowerDesk, you remain responsible for any separate notification obligations you have to your residents, lot owners, or other affected individuals under the Privacy Act or other applicable law.

11. Your Rights

Under the Australian Privacy Act and this policy, you have the right to:

  1. Access the personal information we hold about you;
  2. Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
  3. Withdraw consent for optional collection (e.g. SMS notifications, location features, marketing emails);
  4. Request deletion of your account and associated personal information (see §12);
  5. Opt out of direct marketing at any time (see §14);
  6. Lodge a complaint with us or with the OAIC (see §18);
  7. Be anonymous or use a pseudonym where lawful and practicable — note that for most TowerDesk functions an identifiable account is required.

To exercise any of these rights, contact privacy@towerdesk.com.au. We may need to verify your identity before acting on a request. We will respond to most requests within 30 days. There is no fee to access or correct your information, although a reasonable cost-recovery fee may apply for unusually onerous access requests.

12. Account and Data Deletion

You can request deletion of your account and associated personal information at any time by:

  1. emailing privacy@towerdesk.com.au from the email address on your account;
  2. contacting your strata manager or building manager (if you are a resident, owner, tenant, or contractor on a building portal);
  3. using any in-app account-deletion feature available in our mobile applications.

Upon a verified deletion request, we will delete or de-identify your personal information within 30 days, except:

  1. where we are legally required to retain certain records (for example, financial transaction records under Australian tax law are typically retained for 7 years);
  2. where information is reasonably required to defend or pursue legal claims;
  3. where deletion would compromise data integrity for other authorised users (for example, an audit trail entry that records who approved a work order).

Backups containing your data may persist for up to 90 days after deletion before being overwritten.

13. Children's Privacy

TowerDesk is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided personal information through the Platform, please contact us at privacy@towerdesk.com.au and we will take reasonable steps to delete it.

14. Direct Marketing

We may send you direct marketing communications (such as product updates, feature announcements, newsletters, and promotional offers) where you have consented or where it is permitted under the Spam Act 2003 (Cth) and the Privacy Act.

Every marketing email contains an unsubscribe link. You can opt out at any time by:

  1. clicking the unsubscribe link in any marketing email;
  2. updating your preferences in your account settings;
  3. emailing privacy@towerdesk.com.au.

Opting out of marketing does not affect transactional communications (receipts, invoices, password resets, security alerts), which we will continue to send while you have an active account.

15. Third-Party Services and Links

The Platform integrates with the following third-party services. Each operates under its own privacy policy:

  1. Stripe (payment processing) — stripe.com/au/privacy;
  2. Firebase Cloud Messaging (Google) (push notifications) — policies.google.com/privacy;
  3. Google ML Kit (on-device QR / barcode scanning in mobile apps — image data does not leave your device) — policies.google.com/privacy;
  4. Email delivery providers for transactional and notification emails;
  5. SMS gateway providers where SMS notifications are enabled.

The TowerDesk public website (such as marketing pages) may also include links to third-party websites. We are not responsible for the privacy practices of third-party websites — please review their policies before providing personal information.

16. Customer Data and Strata-Managed Information

If you are a strata management business, owners corporation, body corporate, building manager, or managing agent using TowerDesk to manage one or more buildings, the personal information you upload about residents, owners, tenants, contractors, committee members, or other individuals is "Customer Data" under our Terms and Conditions.

You are the entity primarily responsible for compliance with the Privacy Act in respect of how that information was originally collected and the lawful basis for entering it into TowerDesk. You must ensure that you have all necessary consents, notices, permissions, and legal rights to use TowerDesk for storing and processing this information (see clause 11 of our Terms and Conditions).

TowerDesk processes Customer Data on your behalf as a service provider under the licence granted in clause 10 of our Terms and Conditions, for the purposes set out in §4 of this policy.

If you are an individual whose personal information has been uploaded into TowerDesk by a strata manager and you wish to exercise your rights under the Privacy Act, please contact your strata manager in the first instance. You can also contact us at privacy@towerdesk.com.au and we will assist with routing your request to the responsible entity.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational factors.

When we make material changes, we will notify you by:

  1. posting the updated policy on this page with a new version date;
  2. where appropriate, sending an in-platform notice or email to active customers.

The "Effective Date" and version tag at the top of this policy indicate when changes were made. Continued use of the Platform after an updated policy takes effect means you accept the updated policy.

18. Complaints and Contact

If you have any questions about this Privacy Policy, would like to exercise any of your rights under §11, or wish to make a privacy complaint, please contact us:

TowerDesk · ABN 89 719 330 602
Email: privacy@towerdesk.com.au
Website: www.towerdesk.com.au

We will acknowledge your complaint promptly and aim to provide a substantive response within 30 days. If we have not been able to resolve your complaint to your satisfaction, you can escalate it to:

Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Website: www.oaic.gov.au
Mail: GPO Box 5288, Sydney NSW 2001