Privacy Policy
Sidekick Agent
Last updated: [DATE]
Effective: [DATE]
Before publishing: Replace every [PLACEHOLDER] with your actual details. Have this reviewed by an Australian solicitor familiar with the Privacy Act 1988 (Cth) before going live. The small business exemption (turnover under $3M) may technically apply to you at launch, but the policy below is written to the full Australian Privacy Principles (APPs) standard — which is best practice and what agents and agencies will expect.
1. Who We Are
Sidekick Agent is operated by [YOUR FULL LEGAL ENTITY NAME] (ABN [YOUR ABN]), a company incorporated in Victoria, Australia ("Sidekick Agent", "we", "us", "our").
We can be contacted at:
- Email: [YOUR CONTACT EMAIL]
- Postal address: [YOUR ADDRESS], Victoria, Australia
2. What This Policy Covers
This policy explains how we collect, use, store, and disclose personal information in connection with the Sidekick Agent platform (the "Service") and our website at [YOUR DOMAIN].
The Service is used by licensed real estate selling agents ("Agents") to manage their campaigns, track record, and client relationships. In using the Service, Agents input personal information about their own clients (vendors, buyers, and contacts). Where that happens, the Agent is the controller of that data and Sidekick Agent is the processor — we hold and protect it on the Agent's behalf but we do not use it for any other purpose. This section applies equally to data Agents hold about their own clients.
3. Personal Information We Collect
3.1 Information you give us directly
- Account information: your name, preferred name, email address, and password (stored as a hashed credential via Supabase Auth — we never see your plaintext password).
- Subscription information: your plan selection and billing period. Payment card details are collected and stored by Stripe, our payment processor — we never see or store your card number, CVV, or full card details.
- Professional information you choose to enter: your agency name, licence number, and track record data.
3.2 Data you input on behalf of your clients
When you use the Service, you may input personal information about your clients — including vendors' names, contact details, property addresses, price expectations, and buyer enquiry records. This is your clients' personal information, processed by us on your behalf. See Section 7 for how we handle it and what your obligations are.
3.3 Usage and technical data
- Log data: IP address, browser type, pages visited, and timestamps, collected automatically when you access the Service.
- Device information: browser version and screen size, used solely to ensure the Service displays correctly.
4. How We Use Your Information
We use personal information to:
- Provide, operate, and maintain the Service.
- Process your subscription and billing through Stripe.
- Send transactional emails: account confirmation, billing receipts, and password resets.
- Respond to support requests.
- Maintain security and prevent fraud.
- Improve the Service (using aggregated, de-identified usage data only — never individual client records).
We do not use your information or your clients' information for advertising, data brokering, or sale to third parties.
5. When We Disclose Your Information
We disclose personal information only in the following circumstances:
Service providers: We share information with infrastructure and payment providers who process it on our behalf under confidentiality obligations:
- Stripe (payment processing, Sydney-region data processing where available) — [Stripe's privacy policy: https://stripe.com/au/privacy]
- Supabase (database and authentication, hosted in the AWS ap-southeast-2 Sydney region)
- Vercel (web hosting and content delivery)
Legal requirements: We may disclose information where required by Australian law, a court order, or a regulator with jurisdiction over us or you.
Business transfer: If we are acquired or merge with another entity, personal information held by us may be transferred as part of that transaction. We will notify you before this occurs.
We will never sell your personal information or your clients' personal information.
6. Cross-Border Disclosure
Our primary data storage is in Sydney, Australia (Supabase, AWS ap-southeast-2). Our web application is hosted via Vercel, whose content delivery infrastructure operates globally. Vercel may cache application assets (not your personal data or client records) in servers outside Australia.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure they are subject to privacy obligations that are at least as protective as the Australian Privacy Principles. Stripe and Vercel maintain published data processing commitments; links are in Section 5 above.
[REVIEW with solicitor]: APP 8 cross-border disclosure obligations. If any of your infrastructure or subprocessors are outside Australia, your solicitor should confirm you have adequate safeguards or a user consent mechanism in place.
7. Your Clients' Data — Your Obligations as an Agent
When you store your clients' personal information in Sidekick Agent, you are the data controller and you bear the primary privacy obligations to those individuals under the Privacy Act 1988 (Cth) and any applicable state legislation. You must:
- Collect your clients' personal information lawfully and tell them you hold it.
- Use their information only for the purposes for which you collected it.
- Keep it reasonably secure and accurate.
- On request, give your clients access to their personal information you hold.
Sidekick Agent processes this data only as your processor — we do not access, use, or disclose it for any purpose other than providing the Service to you.
8. Data Security
We use industry-standard safeguards including:
- Encryption in transit (TLS/HTTPS on all connections).
- Encrypted data at rest (Supabase default encryption).
- Row-level security (RLS) ensuring each Agent's data is accessible only to them and, in team or agency accounts, to the principal who owns that subscription.
- Access controls: no Sidekick Agent staff can access your client records without your explicit request for support.
No method of transmission or storage is 100% secure. We will notify you promptly if we become aware of a data breach that is likely to result in serious harm, as required under the Notifiable Data Breaches scheme (Privacy Act Part IIIC).
9. Data Retention
While your account is active: We retain all personal information you have stored.
On cancellation: We retain your data for 30 days after cancellation, during which you can export everything via the one-click data export. After 30 days, we permanently delete your account and all associated personal information from our systems (excluding records we are required to retain for legal or tax purposes, such as billing records).
Backups: Deletion from live systems may take up to a further [7 days] to propagate through backup systems.
10. Your Rights
Under the Australian Privacy Act, you have the right to:
- Access the personal information we hold about you.
- Correct personal information that is inaccurate, incomplete, or misleading.
- Complain about a breach of the APPs.
To exercise any of these rights, contact us at [YOUR CONTACT EMAIL]. We will respond within 30 days.
If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au — 1300 363 992.
11. Cookies
The Sidekick Agent web application uses only essential cookies required for authentication (session tokens) and security. We do not use tracking or advertising cookies.
Our public website at [YOUR DOMAIN] may use [Google Analytics / no analytics — confirm]. If analytics are used, they collect de-identified usage data (page views, sessions). [Update this section based on your actual analytics setup before publishing.]
12. Children
The Service is intended for licensed real estate agents and is not directed at children under 18. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or by a notice in the Service at least 30 days before the change takes effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.
14. Contact Us
Privacy enquiries and requests:
- Email: [YOUR PRIVACY CONTACT EMAIL]
- Post: [YOUR ADDRESS], Victoria, Australia
For complaints: see Section 10.