1. About This Policy
This Privacy Policy explains how Global Matrix Group Australia Pty Ltd ("we", "us", "our") collects, uses, stores, and discloses your personal information when you use the BTAG application, website (btag.cloud), and related services ("Services").
We are bound by the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). This policy is designed to comply with our obligations under that Act.
You need an account to use BTAG, so we need your name and email. Anonymous use is not available (APP 2).
When you create an account, you are asked to review this Privacy Policy before proceeding. This policy serves as our collection notice under APP 5.
2. What Personal Information We Collect
2.1 Information You Provide Directly
| Category | Data Collected | When |
|---|---|---|
| Account Information | Email address, first name, last name, password (stored as one-way hash, never plaintext) | At signup |
| Profile Information | Mobile phone number, username (both optional) | When you update your profile |
| Business Information | Legal business name, ABN or ACN, country | When creating a Business account |
| Content | List names, item descriptions, notes, task details | When you create lists and items |
| Photos and Files | Images and documents you upload | When you attach files to items |
| Feedback | Bug reports, feature requests, screenshots, device info, app version | When you submit feedback |
| Waitlist Registration | Email address, selected plan tier | When you join the waitlist |
| Referral Information | Referral code usage, signup source | When you use a referral link |
2.2 Information We Collect Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Authentication Data | IP address, device type, browser type | Security, fraud prevention |
| QR Code Scan Logs | IP address, device type, timestamp. Location data is only collected if the list owner has turned on proximity restrictions, and the scanner is notified first. | Access control, usage reporting |
| Login Attempt Logs | Email used, IP address, success/failure, timestamp | Brute force protection |
| Usage Statistics | Per-account counts (items created, logins, last activity) | Service improvement |
| AI Credit Usage | Credits consumed, feature used, timestamp | Billing, usage tracking |
2.3 Information We Generate
| Category | Data Generated | Purpose |
|---|---|---|
| Image Fingerprints | A digital fingerprint of your photo, generated and stored entirely within Australia. It cannot be reversed back into the original image. | Powering visual search ("find items that look like this") |
| Text from Photos | Text read from your photos, like serial numbers or labels (only when you request it) | Text-based search of photo content |
| Thumbnails | Compressed preview images of your uploads | Faster loading in the app |
2.4 Information We Do NOT Collect
- We do not use third-party analytics tools (no Google Analytics, Mixpanel, or similar trackers)
- We do not serve advertising or share data with advertisers
- We do not collect biometric data. If you enable biometric login, that data stays on your device
- We do not store credit card numbers. Payment processing is handled entirely by Stripe
- We do not collect date of birth or age information
- We do not collect your home or business address
3. How We Use Your Personal Information
| Purpose | Why We Can |
|---|---|
| Providing the Service — creating your account, storing your lists and items, generating QR codes, enabling search | APP 6 — it's why you signed up |
| Authentication and Security — verifying your identity, protecting against unauthorised access | APP 6, APP 11 — keeping your account safe |
| Photo Search — creating image fingerprints for visual search; reading text in photos when you ask | APP 6 — core feature |
| Service Improvement — understanding usage patterns, identifying bugs, improving features | APP 6 — related to providing the service |
| Customer Support — responding to your feedback and bug reports | APP 6 — you contacted us |
| Referral Program — crediting users who refer friends | APP 6 — you opted in |
| Communication — sending service-related notifications | APP 6 — keeping you informed |
| Legal Compliance — responding to lawful requests from authorities | APP 6 — required by law |
We do not use your personal information for direct marketing unless you have separately opted in.
4. How We Store and Protect Your Information
4.1 Where Your Data Is Stored
Your data is stored on Oracle Cloud Infrastructure servers in Australia.
4.2 Security Measures
| Measure | Detail |
|---|---|
| Passwords | Your password is scrambled using industry-standard encryption. We cannot read it. |
| Login Sessions | Login sessions use short-lived encrypted tokens that expire automatically. |
| Encryption in Transit | All connections are encrypted, including internal database connections. |
| Encryption at Rest | Your data is encrypted when stored. Even if someone accessed the server, they couldn't read it. |
| Secrets Management | Passwords and signing keys are stored in a secure vault. No secrets in our source code. |
| Account Isolation | Every request is checked to make sure you can only access your own data. |
| Login Protection | Too many failed login attempts? We temporarily block further attempts to protect your account. |
4.3 Data Breach Response
We take the security of your data seriously. We follow industry best practices, regularly update our systems, and actively monitor for threats. If, despite our efforts, your data is compromised, we will notify you and the Australian Information Commissioner as required by law.
5. Third-Party Services
We share limited data with the following third-party services, solely to operate the BTAG service:
| Service | Data Shared | Purpose | Data Residency |
|---|---|---|---|
| Oracle Cloud Infrastructure | Photos, files, database records | Cloud hosting and storage | Australia |
| Text Extraction Service | Image content (only when you request text reading) | Reading text from your photos | Australia |
| Stripe | Payment details collected directly by Stripe. We may share your email address with Stripe to associate payments with your account. | Payment processing | Stripe's infrastructure (see Section 10) |
| Atlassian Jira | Bug report title, description, screenshot (if attached) | Issue tracking | Atlassian Cloud (see Section 10) |
We do not sell, rent, or trade your personal information to any third party.
6. Cookies and Local Storage
BTAG is a web application and mobile app. We do not use traditional tracking cookies.
| Storage Type | What We Store | Purpose |
|---|---|---|
| Secure device storage | Authentication tokens, user ID, tenant ID, biometric preference | Keeping you logged in between sessions |
| Local storage | Recent search queries | Convenience (showing your recent searches) |
We do not use cookies for advertising, analytics, or cross-site tracking.
7. How Long We Keep Your Data
| Data Type | Retention Period | What Happens After |
|---|---|---|
| Account information | While your account is active, then 7 years after closure | Retained for tax and legal compliance, then deleted |
| Lists, items, photos | While your account is active | Deleted items kept in Recycle Bin for 7 days, then permanently deleted |
| Recycle Bin items | 7 days after deletion | Automatically purged by nightly cleanup |
| Authentication tokens | 7 days (refresh), 15 min (access) | Automatically expired and invalidated |
| Login attempt logs | 7 years | Retained for security audit trail, then deleted |
| Application logs | 365 days | Purged after 365 days |
| Feedback and bug reports | 3 years | Deleted after 3 years |
| GPS / Location data | When the associated list or item is deleted | Deleted with parent record |
| QR code scan logs | When the associated BTAG is deleted | Deleted with parent record |
| Waitlist registrations | Until you sign up or request removal | Deleted upon request |
8. Your Rights Under the Australian Privacy Principles
8.1 Access Your Information (APP 12)
You can request a copy of the personal information we hold about you. We will respond within 30 days. There is no charge for making a request, but we may charge a reasonable fee for providing access if the request requires substantial effort.
8.2 Correct Your Information (APP 13)
If your personal information is inaccurate, incomplete, or out of date, you can update your profile directly in the app (name, email, phone) or contact us to correct information you cannot update yourself.
8.3 Complain About a Breach of Privacy
If you believe we have breached your privacy, you can:
- Contact us at support@btag.cloud
- We will investigate and respond within 30 days
- If unsatisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
8.4 Request Deletion
You can request deletion of your account and associated data by contacting support@btag.cloud. Upon receiving a verified request, we will deactivate your account and delete your content within 30 days. We will retain account identification and transaction records for 7 years from account closure as required by Australian tax law and our legal obligations, after which they will be permanently deleted.
8.5 Opt Out of Communications
You can opt out of non-essential communications at any time by contacting us or using the unsubscribe link in any marketing email.
8.6 Withdraw Consent
Some features (like location-based access restrictions) require your permission. You can turn them off at any time in the app or by contacting us. Turning off a feature stops future data collection for that feature, but doesn't affect data already collected. Some features may not work without the relevant permission.
9. Children's Privacy
You must be at least 16 to use BTAG. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has created an account, contact us at support@btag.cloud and we will delete it.
10. Cross-Border Disclosure
All personal information is stored and processed in Australia. We do not transfer personal information overseas except in the following limited circumstances:
- Atlassian Jira — Bug reports you submit may be stored on Atlassian's servers, which may be outside Australia. Atlassian is security-certified (ISO 27001). See Atlassian's privacy policy.
- Stripe — If you make a payment, Stripe processes it on their global servers. Stripe meets the highest payment security standards (PCI DSS Level 1). See Stripe's privacy policy.
We take reasonable steps to ensure these services handle your data consistently with Australian privacy law (APP 8).
11. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and notify you via in-app notification or email. For changes that expand how we collect or use your personal information, we will seek your explicit consent before those changes take effect. For other minor updates, continued use of the Services after notification constitutes acceptance.
We encourage you to review this policy periodically.
12. How to Contact Us
If you have questions about this policy, email us at support@btag.cloud.
13. Definitions
| Term | Meaning |
|---|---|
| BTAG | A QR code tag linked to a list of items in the BTAG application |
| Account | Your account in BTAG. Business users may have multiple people under one account. |
| Workspace | A space within your account that holds your lists, items, and files |
| Image Fingerprint | A digital summary of a photo used for visual search. It cannot be turned back into the original image. |