Privacy Policy

1. Who We Are

OchreOnline Pty Ltd (ABN 66 783 251 59) ("we", "us", "our") operates OchreKiosk, a cloud-based visitor management system for Australian buildings. Our registered contact address is in the Northern Territory, Australia.

We are an APP entity under the Privacy Act 1988 (Cth) and we are committed to handling personal information responsibly and transparently.

2. Personal Information We Collect

We collect different types of personal information depending on the context.

Information about building visitors (collected via the kiosk)

• Full name
• Mobile phone number
• Company or organisation name
• Reason for visit
• Photograph (if the camera feature is enabled by the building manager)
• Signature (if the signature feature is enabled)
• Keys issued and returned
• Sign-in and sign-out timestamps
• House rules acknowledgement status

Information about building managers and administrators

• Email address (used for Cloudflare Access authentication — no password is stored)
• Building name and settings preferences

Information about customers (building owners and facility managers)

• Name and email address provided during account signup
• Building name (collected during Stripe checkout)
• Billing information — handled entirely by Stripe. We do not store credit card numbers.

Information collected via our website

• Name and email address provided via the contact/enquiry form
• Anonymised website usage data via Cloudflare analytics

We only collect personal information that is reasonably necessary for the purposes described in this policy (APP 3). We do not collect sensitive information (such as health information, racial or ethnic origin, or government identifiers) unless required by a specific service arrangement and with explicit consent.

3. How We Collect It

We collect personal information in the following ways:

• Directly from individuals — visitors entering information at a kiosk terminal; customers completing the online checkout or contact form
• Via SMS interaction — when visitors interact with their visitor pass link sent by BreezeConnect
• Via third-party services — Stripe provides billing and payment information; Cloudflare Access provides authentication event information
• Via website analytics — Cloudflare's edge network collects anonymised request data

We will always collect personal information by lawful and fair means, and we will not collect personal information in an unreasonably intrusive way (APP 3.5).

4. Why We Collect It

We collect personal information for the following primary purposes:

• To operate the OchreKiosk visitor management system — recording visitor sign-ins and sign-outs on behalf of building managers
• To enable building managers to track keys, generate compliance reports, and fulfil their duty of care and OH&S obligations
• To send visitors a digital visitor pass and sign-out link via SMS
• To send automated overdue alerts and monthly reports to building managers
• To process customer subscriptions and billing via Stripe
• To authenticate building administrators via Cloudflare Access email OTP
• To respond to enquiries and provide customer support
• To improve the performance and functionality of the service

Where we use personal information for a secondary purpose, we will only do so where that use is related to the primary purpose and you would reasonably expect it, or where you have consented (APP 6).

5. Disclosure to Third Parties

We share personal information with the following third-party service providers as necessary to deliver OchreKiosk:

• Cloudflare — infrastructure, database (D1), edge hosting, Zero Trust access control, and DNS. All customer data is hosted in Cloudflare's Australian data centres.
• Stripe — payment processing and subscription billing. Stripe is a PCI-DSS compliant payment processor. We do not receive or store full card details.
• Resend — transactional email delivery (overdue alerts, welcome emails, monthly reports)
• BreezeConnect — SMS delivery for visitor passes and alerts

We do not sell, rent, or trade personal information to any third party for marketing or commercial purposes.

We may disclose personal information where required to do so by law, court order, or in response to a lawful request by a government authority.

6. Overseas Disclosure

Visitor and customer data is stored in Cloudflare's Australian edge network and does not leave Australia.

Some of our service providers (Stripe, Resend) operate infrastructure internationally. To the extent personal information is processed by these providers, it may transit servers outside Australia. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in a manner consistent with the APPs (APP 8).

By using OchreKiosk, you acknowledge that some processing may occur via overseas-headquartered service providers, while your primary data remains stored in Australia.

7. How We Protect Your Information

We take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure (APP 11). Our security measures include:

• Per-customer data isolation — each building has its own dedicated Cloudflare D1 database. No data is commingled between customers.
• Cloudflare Access authentication — admin panels are protected by email one-time password (OTP) authentication. No passwords are stored.
• HTTPS everywhere — all data in transit is encrypted using TLS.
• Encrypted storage — data at rest is encrypted by Cloudflare D1's underlying infrastructure.
• No PII in URLs — personal information is not embedded in URL parameters or query strings.
• Access logging — Cloudflare logs access events to assist in detecting unauthorised access.
• Minimal data collection — we only collect information required for the stated purpose, consistent with ACSC guidance on limiting personal data collected.

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. We will also report eligible incidents to the Australian Signals Directorate (ASD) via the ReportCyber portal.

8. Retention and Deletion

We retain visitor records for as long as required by the building manager's subscription and any applicable legal obligations. Building managers can export and delete visitor records from the admin panel at any time.

When a customer subscription is cancelled, we retain data for a period of up to 12 months to allow for dispute resolution and compliance obligations, after which it is deleted.

We destroy or de-identify personal information when it is no longer required for any purpose, in accordance with APP 11.2.

9. Your Rights — Access and Correction

Under APP 12 and APP 13, individuals have the right to:

• Request access to personal information we hold about them
• Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading

To make an access or correction request, contact us at privacy@ochrekiosk.com.au. We will respond within 30 days.

Note: visitor records are held by building managers (our customers) on their behalf. For access requests relating to visitor sign-in data, we may need to direct you to the relevant building management organisation.

We will not charge a fee for access requests, but may charge a reasonable fee for the costs of providing access if the request is complex.

10. Direct Marketing

We may use customer contact information to send service-related communications such as subscription confirmations, renewal reminders, and product updates. These are not marketing communications and are necessary for the operation of your subscription.

We do not use personal information for unsolicited direct marketing without consent. If we send any optional marketing communications, we will provide a clear opt-out mechanism in each message.

Visitor information collected via the kiosk is not used for any marketing purpose by OchreOnline.

11. Cookies and Website Analytics

Our marketing website uses cookies for the following purposes:

• Essential cookies — required for the site to function, including Cloudflare security cookies
• Analytics — Cloudflare's privacy-respecting analytics provides aggregate traffic data. No personal information is stored in analytics cookies. IP addresses are anonymised.

We do not use third-party advertising cookies or tracking pixels. We do not share browsing data with advertisers.

The kiosk application does not use cookies. It communicates directly with our API endpoints.

12. Complaints

If you believe we have mishandled your personal information, please contact us first at privacy@ochrekiosk.com.au. We take all privacy complaints seriously and will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The effective date at the top of this page will be updated accordingly.

We encourage customers and visitors to review this policy periodically. For material changes, we will notify active customers by email.

14. Contact Us

For privacy-related enquiries, access requests, or complaints:

• Email: privacy@ochrekiosk.com.au
• General enquiries: info@ochrekiosk.com.au
• Website: ochrekiosk.com.au
• ABN: 66 783 251 59