Privacy Policy

Last updated: 6 May 2026 · Version 1.1

Burgy (we, our, us) respects your privacy and is committed to protecting the personal information we collect from you in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, store, and disclose your personal information when you use our platform, applications, and related services (the Services). It should be read alongside our Terms & Conditions.

1. Information We Collect

We collect only the information necessary to operate the Burgy platform effectively and maintain compliance with workplace safety and record-keeping obligations. This may include:

  • Personal details: name, phone number, email address, role, and (where you provide them) custom profile fields configured by your admin (e.g., emergency contacts, bank, TFN, allergies).
  • Employment information: company name, trade, licence numbers, expiry dates, and uploaded ID / licence documents.
  • Worksite and safety data: jobs, sites, addresses, SWMS, JSA, Take 5, toolbox meetings, hot work permits, vehicle access permits, weed & seed declarations, hazards, controls, signatures, and acknowledgements.
  • Operational data: vehicle records, prestart checks, repair jobs, fuel entries, oil samples, chemical register entries, attendance and clock-in/out logs, dockets, and timesheets.
  • Device and usage data: browser type, IP address, device identifier, pages visited, features used, click and scroll behaviour, session length, error reports, and other product analytics (see clause 3).
  • Customer-uploaded content: photos, files, and signatures uploaded for compliance documentation.

We collect information directly from you, from your company's authorised representatives, or automatically as you use the Services.

2. How We Use Your Information

Your information is used to:

  • Create, store, and manage SWMS, JSA, and other compliance documentation.
  • Enable company administrators to manage users, licences, and site safety records.
  • Generate and store compliance reports required under WHS obligations.
  • Provide technical support and respond to your enquiries.
  • Send transactional and service communications (welcome emails, password resets, expiry reminders, summaries).
  • Track how the Services are used so we can identify bugs, fix issues, and improve performance and reliability.
  • Develop, improve, and roll out new features (including AI-assisted features) — see clause 3.
  • Meet our legal obligations and maintain audit trails for safety records.

We will never sell your personal information to third parties.

3. Usage Tracking, Product Improvement & AI Training

We track how customers use Burgy so we can make the platform faster, more reliable, and more useful. By using the Services you agree that we may collect, generate, and use de-identified, anonymised, and/or aggregated data derived from your use to:

  • Operate, maintain, and secure the Services.
  • Diagnose problems, fix bugs, and monitor performance.
  • Build, train, test, validate, and improve our software, machine-learning models, and analytics, including AI-assisted features (such as task / hazard / control suggestions, document drafting, and anomaly detection).
  • Produce industry benchmarks, usage statistics, and research insights.

De-identified and aggregated data does not personally identify you, your workers, or your customers, and is no longer treated as personal information once it has been de-identified. We do not use raw, identifiable Customer Data to train third-party AI models without your consent.

Where you choose to use AI-assisted features (for example, a task or hazard suggestion that calls a third-party AI provider), the relevant content is processed by that provider for the duration of the request only. We use providers that contractually agree not to retain or train on customer prompts.

4. Data Storage and Security

  • All personal and company data is stored securely in cloud infrastructure operated by our sub-processors (see clause 8). Where possible, we elect Australian regions (such as AWS Sydney) for primary storage. Where data is processed outside Australia (for example, transactional email delivery or AI inference), equivalent privacy protection is ensured in accordance with APP 8 (cross-border disclosure).
  • Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access ensures users can only view their own company's data.
  • Passwords are stored as hashes produced by strong hashing algorithms, not in readable form.
  • Regular backups and security reviews are performed to maintain data integrity.

5. Access and Correction

You can access or update your personal information at any time by logging into your Burgy account.

If you believe any of your information is inaccurate or incomplete, please contact us to request correction. You can also request a full export of your personal data from the “Download My Data” option on your profile.

6. Data Retention

Workplace safety documentation (e.g., SWMS, JSAs, dockets, prestart records, permits) is retained for a minimum of 7 years to comply with WHS record-keeping laws, unless otherwise required or requested for deletion. On termination of an account, Customer Data is available for export for at least 30 days before deletion, except where retention is required for legal, regulatory, audit, or backup purposes.

7. Cookies and Analytics

We use cookies, local storage, and analytics tools (including session-replay and heat-mapping tools such as Microsoft Clarity, where enabled) to understand how the platform is used and to improve user experience.

Where session-replay or heat-mapping is in use, sensitive fields (such as passwords, payment details, and other clearly-marked content) are masked. We do not use these tools to identify individual workers or customers — the data is used in aggregate to spot UX issues and bugs.

You can disable optional analytics cookies via your browser settings. Required cookies (for login, security, and core functionality) cannot be disabled without breaking the Services.

8. Sub-processors

We rely on a small number of trusted third-party providers to operate Burgy. By using the Services you consent to your data being processed by, at a minimum:

  • Supabase — database, authentication, and file storage.
  • Vercel — web hosting and content delivery.
  • Resend — transactional email delivery.
  • Sentry — error and performance monitoring.
  • Microsoft Clarity or equivalent — anonymised usage analytics (where enabled).
  • Xero — only when you explicitly connect a Xero organisation.
  • Google Cloud / Anthropic / OpenAI or equivalent — only when you use AI-assisted features.

An up-to-date list is available on request. Each sub-processor is contractually bound to confidentiality and equivalent or stronger data-protection obligations.

9. Disclosure to Third Parties

We may share information only with:

  • Our sub-processors (clause 8), strictly for the purposes of operating the Services.
  • Government or regulatory authorities when legally required.
  • Your company's authorised representatives.
  • A purchaser of our business (with appropriate confidentiality and data-protection obligations) in the event of a corporate sale, merger, or restructure.

We do not sell raw personal information.

10. Data Breach Response

In the event of a suspected or confirmed data breach, Burgy will:

  • Investigate immediately.
  • Notify affected users and the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches scheme.
  • Take corrective action to secure data and prevent future breaches.

11. Children

The Services are not intended for users under 16. If you become aware that a worker on your account is under 16, contact us so we can take appropriate action.

12. Contact Us

For any questions, access requests, or complaints regarding privacy:

Burgy Privacy Officer
Email: hello@burgy.com.au
Web: burgy.com.au

We will respond to all enquiries within a reasonable period (usually within 30 days) in accordance with the APPs. If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC).

13. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available within the Burgy app and on our website. For material changes that adversely affect you, we'll give reasonable notice (typically by in-app notification or email).