Legal
Privacy Policy
Last updated: 9 June 2026
This Privacy Policy explains how SiteLive ("we", "us", "our") collects, uses, holds, discloses and protects your personal information. We are bound by the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Where you are located in the European Union or the United Kingdom, the EU GDPR and UK GDPR also apply (see Clause 14). By creating an account or using the SiteLive web application and marketing site (the "Service"), you agree to the handling of your personal information as described here.
1. What personal information we collect
Under APP 3 and APP 5, we collect only information reasonably necessary to run the Service:
- Account information: name, email address, phone number, company, job title and role.
- Site & booking information: sites, resources, schedules, check-ins, site diary entries, observations, and the subcontractors and workers you invite.
- Location information: where you enable geofence sign-on or live tracking, we process approximate or precise location to confirm presence on site. You can decline these features.
- Billing information: processed by Stripe. We receive a payment token and the last 4 digits of your card — never the full card number. Stripe calculates and collects any applicable GST.
- Usage information: pages visited, features used, device, browser and IP address, collected to operate and secure the Service.
- Communications: emails, support messages and feedback you send us.
We generally do not collect sensitive information (as defined by the Privacy Act). If a feature ever requires it, we will ask for your consent first (APP 3.3).
2. How we collect it
We collect personal information directly from you when you sign up, configure your sites, and use the Service. Where someone invites you to a site, we may receive your name, email and phone number from that organisation so we can send your invitation (APP 3.6). If we collect information about you from a third party, we will take reasonable steps to notify you as required by APP 5.
3. Why we use it
We use personal information only for the purposes for which it was collected, and related purposes you would reasonably expect (APP 6):
- To provide, operate and improve the Service.
- To process payments and prevent fraud.
- To send transactional messages — booking invites, confirmations, digests, password resets and security alerts.
- To send service updates and, where you have opted in, product news. You can opt out at any time.
- To provide support and respond to your enquiries.
- To comply with our legal obligations.
Automated decision-making. SiteLive's AI features (Ask SiteLive and Deep Reports) are tools to assist your decision-making — they produce outputs for you to review and act on. We do not use automated processing to make decisions about individuals that produce legal or similarly significant effects without human review. If this changes, we will update this policy and notify you.
4. Direct marketing
In line with APP 7, we will only send you marketing communications where you have consented or would reasonably expect them, and every marketing message includes a simple unsubscribe option. You can also email us at any time to opt out. We never sell your personal information.
5. Who we disclose it to
We use carefully selected service providers ("processors") who handle data on our behalf:
- Supabase — database, authentication and file storage.
- Stripe — payment processing.
- Resend / email provider — transactional and notification email delivery.
- Cloudflare — hosting and edge runtime.
- Google (Gemini Pro) — AI model powering the included Pro Brain, where subscribed.
- WhatsApp / Meta — where you enable WhatsApp notifications.
An up-to-date subprocessor list is available on request at team@sitelive.group. We will give reasonable notice of any material change to our subprocessors.
Where you enable WhatsApp notifications, Meta Platforms (as the operator of WhatsApp) also processes your data in accordance with Meta's own Privacy Policy (available at meta.com/privacy). We recommend reviewing Meta's policy to understand how they handle your information on their platform.
We may also disclose personal information where required or authorised by Australian law, or to protect the safety of people on site. We do not use your data to train third-party AI models.
6. Cross-border disclosure
Some of our processors store or process data outside Australia (for example, in the European Union or the United States). Before disclosing your personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles, as required by APP 8.
Where EU or UK data protection law applies, transfers of personal information to countries outside the EU or UK (including to Australia and the United States) are protected by one of the following mechanisms approved under EU GDPR and UK GDPR:
- Standard Contractual Clauses (SCCs) as approved by the European Commission; or
- the UK International Data Transfer Agreement (IDTA) as approved by the UK Secretary of State; or
- another appropriate safeguard recognised under applicable data protection law.
You may request a copy of the relevant transfer safeguards by emailing team@sitelive.group.
7. How we keep it secure
As required by APP 11, we take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Data is encrypted in transit (TLS) and at rest, access to production data is restricted and logged, and we destroy or de-identify personal information when it is no longer needed.
8. Notifiable data breaches
If we experience a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme. Where EU or UK GDPR applies, additional breach-notification timeframes apply (see Clause 14.5).
9. How long we keep it
We keep account and booking information for the life of your account, plus up to 7 years after closure to meet legal, tax and record-keeping obligations. Audit logs are kept for 2 years and marketing consent records until you withdraw consent. After that we securely delete or de-identify the information.
10. Accessing and correcting your information
Under APP 12 and APP 13 you may request access to the personal information we hold about you and ask us to correct it if it is inaccurate, out of date or incomplete. Email team@sitelive.group and we will respond within 30 calendar days. For complex or multiple requests, we may extend this by a further 60 days; if we need to extend, we will notify you within the first 30 days and explain why. We do not charge for making a request, though a reasonable cost may apply for giving access in some cases.
11. Cookies
We use a small number of essential cookies for authentication, session management, security and remembering your preferences. These cookies are necessary for the Service to function and cannot be switched off.
We do not use third-party advertising, marketing or tracking cookies. We do not use cookies to build profiles about you for advertising purposes.
Most browsers allow you to control cookies through their settings. Disabling essential cookies may affect your ability to sign in and use the Service. If we introduce any non-essential cookies in the future, we will update this policy and implement a consent mechanism before doing so.
12. Changes to this policy
We may update this policy from time to time. When we make a material change we will update the date above and ask you to review and accept the updated policy the next time you sign in.
13. How to contact us or make a complaint
For privacy questions, access or correction requests, or to make a complaint, contact us at team@sitelive.group. We will acknowledge your complaint and aim to resolve it promptly. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
14. Additional information for EU and UK users (GDPR / UK GDPR)
If you are located in the European Union or the United Kingdom, the EU General Data Protection Regulation (EU GDPR) or the UK General Data Protection Regulation (UK GDPR) may apply to our handling of your personal information. This section supplements the rest of this Privacy Policy for those users.
14.1 Data controller
SiteLive is the data controller for personal information processed in connection with the Service. Contact: team@sitelive.group.
14.2 Lawful basis for processing
We process your personal information on the following lawful bases:
- Contract performance (Article 6(1)(b)): account information, site and booking data, and billing data processed to provide the Service.
- Legal obligation (Article 6(1)(c)): retaining records as required by applicable law.
- Legitimate interests (Article 6(1)(f)): securing the Service, preventing fraud, and improving the platform — where our interests are not overridden by yours.
- Consent (Article 6(1)(a)): marketing communications, and location data for geofence sign-on or live tracking. You may withdraw consent at any time.
14.3 Your rights under GDPR / UK GDPR
In addition to the access and correction rights in Clause 10, you have the right to:
- Erasure ('right to be forgotten') — request deletion of your personal data in certain circumstances (Article 17).
- Restriction — ask us to limit how we process your data in certain circumstances (Article 18).
- Data portability — receive your data in a structured, machine-readable format (Article 20).
- Object — to processing based on legitimate interests (Article 21).
- Not be subject to solely automated decision-making with significant legal effects (Article 22), where applicable.
To exercise any of these rights, email team@sitelive.group with the subject line 'Data Subject Request'. We will respond within 30 calendar days, with a possible 60-day extension for complex requests (we will notify you if an extension applies).
14.4 Complaints
You have the right to lodge a complaint with your local supervisory authority. In the EU, this is the data protection authority in your country of residence. In the UK, it is the Information Commissioner's Office (ico.org.uk).
14.5 Data breach notification
In addition to our obligations under the Australian NDB scheme (Clause 8), where EU or UK GDPR applies:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach (GDPR Article 33 / UK GDPR Article 33).
- We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34 / UK GDPR Article 34).
14.6 International transfers
Where we transfer personal information from the EU or UK to countries not deemed to have adequate data protection laws (including Australia, which does not currently hold an EU adequacy decision), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) approved by the UK Secretary of State, as applicable, to ensure your data receives an equivalent level of protection.
14.7 Representatives
As required by GDPR Article 27 and UK GDPR Article 27, you can contact us about EU and UK data protection enquiries at:
- EU Representative: team@sitelive.group (marked 'EU GDPR — Attn: EU Representative')
- UK Representative: team@sitelive.group (marked 'UK GDPR — Attn: UK Representative')
14.8 Retention
The 7-year retention period described in Clause 9 is justified under Article 6(1)(c) (legal obligation) for tax and financial records, and under Article 6(1)(b) (contract performance) for the duration of active subscriptions. De-identification or deletion occurs on the schedule described in Clause 9.
15. Age restriction
The Service is intended for users aged 18 years and over. We do not knowingly collect personal information from individuals under the age of 18. If you are a parent or guardian and believe we have collected information about a minor, please contact us at team@sitelive.group and we will take prompt steps to delete it.
16. California residents (CCPA / CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, access, delete and correct personal information we hold about you, and the right not to be discriminated against for exercising these rights.
SiteLive does not sell or share your personal information as defined by the CCPA/CPRA.
To submit a California privacy request, email team@sitelive.group with the subject line 'California Privacy Request'. We will verify your identity and respond within 45 calendar days.
