Privacy Policy

Tradeforge Pty Ltd (trading as Karven) ("Karven", "we", "us", "our") is an Australian company that builds a quoting platform for licensed tradies. We respect the privacy of every person whose personal information we hold, whether you're a tradie who has signed up, a customer whose details a tradie has uploaded into Karven to send a quote, or a visitor to our marketing pages.

This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, where it is stored, how long we keep it, and the rights you have under the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). It also covers the General Data Protection Regulation (GDPR) where applicable, for example if a tradie's customer is located in the European Union.

If you have any questions about this policy or about how Karven handles your personal information, please contact our Privacy Officer at privacy@karven.com.au. Our registered business address is The Avenue, Granville NSW 2142.

We try to collect the minimum information needed to deliver the service. The categories below describe everything we may hold about a given person. Most accounts only generate a subset.

• Account information: your name, email address, password (stored as a salted hash, never in plain text), business name, ABN, postcode, business phone, business hours, and any logo you upload.
• Quote and customer data: the names, addresses, phone numbers, email addresses, site notes, photos and dimensions you key into Karven when preparing a quote for one of your customers. We treat this as your data: you are the controller, we are the processor.
• Subcontractor data: where you use the subbies module, the personal information and compliance documents (public liability certificate of currency, licence, white card) you upload for each subcontractor.
• Billing information: a Stripe customer ID, your subscription tier, the status of your subscription, invoice metadata and the email address you use for billing. We never see or store full card numbers; Stripe holds those under its own PCI-DSS Level 1 compliance.
• Usage and device information: pages visited on karven.com.au, IP address, browser type, operating system, viewport size, referrer URL, and timestamps for each action you take while signed in.
• Communications: any email, SMS or in-app message you send us, plus our reply. We retain support correspondence for at least 24 months so the next person who picks up your ticket has the full thread.
• Cookies and similar technologies: see Section 9 and the separate Cookie Policy for the full list of what we set and why.

We do not knowingly collect sensitive information as defined by APP 3.3 (health, racial or ethnic origin, religious beliefs, sexual orientation, etc.). Please do not paste that kind of information into quote line items, customer notes, or support emails.

Karven is a B2B product for licensed Australian tradies. We do not knowingly collect personal information from anyone under 16. If you believe a child has signed up, email the Privacy Officer and we will delete the account.

Most personal information is collected directly from you: when you sign up, complete onboarding, build a quote, upload a logo, upload a subcontractor certificate, configure billing, or contact support.

Where it is impractical or unreasonable to collect from you directly, for example when you ask us to look up your ABN against the Australian Business Register, we may collect from a third-party source. We tell you in-product whenever we are about to make that kind of call, and we cache the result for no longer than seven days.

We may also collect anonymous usage data automatically (page views, button clicks, feature use) for the purpose of improving the product. Where that data can be tied back to an identifiable person it is treated as personal information under this policy.

Under APP 3 we only collect personal information that is reasonably necessary for one or more of our functions or activities. Our functions are:

• Delivering the Karven service: calculating quotes, generating PDFs, sending quote emails, processing payments, and providing customer support. Legal basis: performance of our contract with you (your subscription) and the Australian Privacy Principles.
• Communicating with you about the service: onboarding, important product updates, subbie compliance reminders, billing notices, security alerts. Legal basis: contractual necessity. You cannot opt out of transactional emails while your account is active.
• Marketing communications: newsletters and product announcements. Legal basis: your express or inferred consent. Every marketing email contains a one-click unsubscribe link, and we honour that link within 24 hours as required by the Spam Act 2003 (Cth).
• Improving the product: diagnostic analytics, A/B testing, and aggregated usage analysis. Legal basis: our legitimate interest in operating a competitive product; aggregated data only and never used to profile individuals.
• Complying with the law: responding to a lawful request from an Australian regulator, court order, or law enforcement agency where we are legally compelled to disclose.

If we ever want to use your personal information for a purpose materially different from the ones above, we will seek your express consent first.

We do not sell, rent, trade, or otherwise commercialise your personal information. We share it only with the service providers we use to deliver Karven, and only the minimum necessary for them to do their job. Each provider is bound by a written contract that includes data-protection obligations equivalent to those under the Privacy Act.

• Supabase, Inc. (database, authentication, file storage). Sydney region (ap-southeast-2). All application data sits here.
• Stripe Payments Australia Pty Ltd / Stripe, Inc. (payments). Australia and United States. Holds card details and billing history.
• Resend, Inc. (transactional email). United States. Delivers quote emails, password resets, billing receipts. Sees recipient address and email body.
• Twilio Inc. / Twilio Australia Pty Ltd (SMS). Australia and United States. Used when you opt in to SMS quote sends and reminders.
• MYOB Australia Pty Ltd and Xero Australia Pty Ltd (accounting integrations). Australia. Only when you connect your account; only the data you authorise syncs across.
• Google LLC and Google Australia Pty Ltd (Google Sign-In, reCAPTCHA, fonts). Australia and United States.
• Vercel, Inc. (application hosting, edge network). Global with primary region in Sydney. Sees request metadata such as IP address and URL.
• Sentry.io (error monitoring). United States. Sees stack traces and the user ID that triggered the error; we strip request bodies before they leave the server.
• Our professional advisers (lawyers, accountants, auditors) under confidentiality where it is necessary for them to advise us, and our debt collection partners if your account becomes severely overdue.

If Karven is ever acquired or merges with another business, the acquirer will be bound by this Privacy Policy in respect of all personal information collected before the change of control. We will notify you of the change before any new uses begin.

Some of the service providers listed above are located outside Australia, primarily in the United States. Before disclosing personal information to an overseas recipient we take reasonable steps under APP 8.1 to ensure the recipient does not breach the Australian Privacy Principles. In practice this means:

• Each overseas processor is contractually bound to comply with the APPs as if they were an Australian APP entity.
• Where the recipient is in the European Union or United Kingdom, the European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum) apply by reference to the underlying processor agreement.
• We pin Supabase to the Sydney region so application data does not leave Australia unless you connect an integration that requires it.

By using Karven you acknowledge that personal information may be transferred to and processed in the countries listed in Section 5 in accordance with this policy.

We hold personal information only for as long as we need it for the purpose it was collected or for as long as the law requires us to keep it.

• Live account data: kept for the life of your subscription plus 30 days after closure. The 30-day window gives you time to change your mind and lets us complete any pending billing or refund actions.
• Quote and customer data: kept while your account is active. Soft-deleted when you delete the account, hard-deleted 30 days later.
• Billing records (invoices, tax records): kept for seven years to satisfy obligations under the Income Tax Assessment Act 1997 (Cth) and the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
• Email delivery logs: retained by Resend for 30 days for deliverability diagnostics, then purged.
• Backups: encrypted daily snapshots retained for 30 days then automatically destroyed.
• Privacy and security incident records: kept for at least seven years from the date of the incident to comply with our Notifiable Data Breaches obligations.

After the relevant retention period the personal information is either destroyed or de-identified so it can no longer be associated with you.

You have the following rights in respect of the personal information we hold about you. Most of them are available self-service inside the Karven app; the rest are one email to the Privacy Officer.

• Right of access (APP 12): request a copy of all personal information we hold about you. Available self-service at /settings/data-export. The ZIP we produce contains your profile, every quote, every customer record, every subbie record, every uploaded file, and your billing history.
• Right of correction (APP 13): ask us to correct any personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading. Most fields you can edit yourself inside Karven; for everything else, email the Privacy Officer.
• Right of erasure: ask us to delete your account. Available self-service at /settings/delete-account. We soft-delete immediately, anonymise PII, then hard-delete after 30 days. Some data (billing records, security incident records) is retained for the legal periods listed in Section 7.
• Right to withdraw consent: at any time, for any purpose for which we relied on your consent. Withdrawing consent does not affect the lawfulness of any processing we did before you withdrew it.
• Right to make a complaint: see Section 11.
• Right to anonymity or pseudonymity (APP 2): where lawful and practical you may interact with us anonymously, for example when contacting our public support inbox. You cannot operate a paid account anonymously because we are legally required to identify the contracting party.

We will respond to any access or correction request within 30 days of receipt. Where a request is unusually complex we may extend that period by up to 30 days and will let you know in writing.

We use a small number of strictly-necessary cookies (session, CSRF, plan tier) plus optional analytics cookies that only run with your consent. The full list is in our Cookie Policy.

On first visit a banner offers three choices: accept all, reject non-essential, or manage preferences. Your decision is stored in localStorage and in the cookie_consents table so we have a verifiable record of consent. You can change your decision any time from the footer link or by clearing your browser storage.

We take reasonable steps under APP 11 to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Tenant isolation is enforced at the database layer via Postgres row-level security, not at the application layer. A bug in our code cannot leak data across tenants.
• Access to production data by Karven staff requires SSO, hardware-key 2FA, and a logged just-in-time elevation. There is no shared admin password.
• All code changes go through pull-request review and automated security checks (npm audit, secrets scanning, dependency review) before they reach production.
• We follow a documented incident-response plan and rehearse it at least annually.

Despite our best efforts no method of transmission over the internet or method of electronic storage is 100% secure. If we become aware of an eligible data breach we will notify affected individuals and the OAIC under the Notifiable Data Breaches (NDB) scheme. See Section 12.

Step one: email the Privacy Officer at privacy@karven.com.au with a description of what happened, when, and what outcome you'd like. Or use the form at /privacy-contact. We will acknowledge within five business days and respond substantively within 30 days.

Step two: if you are unhappy with our response, you can lodge a complaint with the Office of the Australian Information Commissioner at https://www.oaic.gov.au or on 1300 363 992. The OAIC may investigate the complaint and make a determination that is binding on us.

Step three (EU/UK residents only): you may also lodge a complaint with your local data-protection authority. The OAIC will refer EU complaints to the appropriate authority where applicable.

Karven complies with the Notifiable Data Breaches scheme set out in Part IIIC of the Privacy Act 1988 (Cth). If we suffer an eligible data breach, one likely to result in serious harm to an affected individual, we will notify affected individuals and the OAIC as soon as practicable.

The notification will describe the breach, the kinds of information affected, the steps we recommend you take to protect yourself, and what we are doing in response. We will also publish a summary on our status page once any active investigation is complete.

We may update this policy from time to time. The version date at the top tells you when the current version took effect; an archive of prior versions is available on request.

If we make a material change, for example adding a new category of personal information or a new overseas recipient, we will notify you by email at least 14 days before the change takes effect. Minor edits (typo fixes, clarifications) are deployed silently and reflected in the version date.

Privacy Officer: privacy@karven.com.au

General support: hello@karven.com.au

Postal: Tradeforge Pty Ltd (trading as Karven), The Avenue, Granville NSW 2142.

We endeavour to respond to all privacy-related correspondence within five business days.