1. About Neuva and this policy
Neuva is a multi-tenant software-as-a-service (SaaS) platform that helps labour-hire and field-workforce businesses coordinate their workforce — tracking compliance documents, worker readiness, mobilisation and scheduling, timesheets and invoicing. This policy is published by [PLACEHOLDER — confirm with lawyer: legal entity name] (ABN [PLACEHOLDER — confirm with lawyer: ABN]) of [PLACEHOLDER — confirm with lawyer: registered address] (“Neuva”, “we”, “us”).
It explains what personal information we collect, how we use and protect it, who we share it with, and the rights individuals have. The legal framework assumed here is the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. [PLACEHOLDER — confirm with lawyer: confirm governing privacy law and any other jurisdictions whose laws apply (e.g. state health-records or surveillance laws, overseas data-protection laws if customers or workers are outside Australia)]
2. Our role — controller vs processor
Neuva’s role depends on whose information is involved. This distinction is central to how the platform works:
- Worker information — Neuva is a data processor. When a customer organisation (a “tenant” — for example a labour-hire firm) uses Neuva to manage its workforce, that organisation decides what worker information is collected and why. The tenant is the controller of that information; Neuva processes it on the tenant’s behalf and under its instructions, to provide the service.
- Our own business information — Neuva is the controller. For information we collect directly for our own purposes — the contact details of the administrators who run a tenant account, and enquiries from prospective customers via our website — Neuva is the controller.
Where Neuva acts as a processor, individuals (such as workers) should usually direct requests about their information to the tenant organisation that employs or engages them; we will assist that organisation as needed. [PLACEHOLDER — confirm with lawyer: confirm whether a separate Data Processing Agreement / Data Processing Addendum with tenants is required, and align this section with it]
3. Information we collect
3.1 Worker information (processed for tenants)
On behalf of tenant organisations, the platform holds information about their workers, which may include:
- Identity & contact details — legal name and preferred name, phone, email, residential/suburb address, and emergency-contact details.
- Employment & engagement details — employing firm, role, employment type, start date, availability, placement and leave history, and reliability information derived from placement history.
- Compliance documents & licences — uploaded photos or PDFs of licences, tickets, medicals, inductions and similar, together with extracted details such as document type, document number, issue and expiry dates, and licence classes.
- Timesheets — hours worked by day and shift, and related comments.
- A profile photo, where provided.
- Approximate location at timesheet submission — where a worker’s device permits it, the platform may record the latitude/longitude and accuracy at the moment a timesheet is submitted, as a submission-integrity record. This is optional, the worker is shown a notice, and it never blocks submission. Raw coordinates are visible only to the tenant’s administrators, never to other workers. [PLACEHOLDER — confirm with lawyer: confirm this is disclosed to workers by the tenant and the lawful basis for capturing location]
Data minimisation — sensitive financial data is deliberately not collected. Neuva does not store Tax File Numbers, bank-account details or superannuation details. These are intentionally excluded from onboarding, imports, the worker app, compliance packs and all general flows. Payroll/banking is handled outside Neuva. [PLACEHOLDER — confirm with lawyer: confirm no other sensitive information (within the meaning of the Privacy Act — e.g. health information in medicals) needs specific consent handling; some compliance medicals may constitute health information]
3.2 Account-user information (tenant administrators & staff)
- Name, email address, role, and authentication credentials (passwords are stored only in hashed form by our authentication provider).
- Records of actions taken in the platform (an append-only audit log of approvals, edits, deletions and similar), for security and compliance traceability.
3.3 Prospective-customer enquiries
- When you contact us through the website (for example “Request access” or “Book a demo”), we receive the details you choose to send us — typically your name, company, role, contact details and message.
3.4 Technical information
- Essential authentication/session cookies needed to keep you securely signed in. [PLACEHOLDER — confirm with lawyer: confirm whether any analytics, performance-monitoring or marketing cookies/tools are used; if so, list them and the consent approach]
- Server and security logs generated by our hosting providers (for example IP address, timestamps and request metadata) used to operate and secure the service. [PLACEHOLDER — confirm with lawyer: confirm log contents and retention with hosting providers]
4. How we use information
As a processor for tenants, we use worker information only to provide and support the platform’s functions, including to:
- track compliance documents and calculate worker readiness;
- match and mobilise workers to jobs, and manage schedules, placements and leave;
- capture timesheets and generate client invoices and compliance evidence;
- send compliance and timesheet reminders (note: reminders are drafted for the tenant’s administrator to send from their own email; Neuva does not, by default, email workers directly);
- maintain security, prevent misuse, and keep audit records.
As a controller of our own business information, we use it to provide and improve the service, manage accounts, respond to enquiries, and meet our legal obligations. [PLACEHOLDER — confirm with lawyer: confirm billing-related uses once the subscription/billing model is finalised]
We do not sell personal information, and we do not use worker information for our own advertising or marketing.
5. How artificial intelligence is used
Neuva uses AI to read uploaded compliance documents and propose details (document type, number, issue/expiry dates and licence classes) to speed up data entry. This is done via a third-party AI provider’s API (see section 6). Important limits:
- AI never decides compliance. Readiness (Green/Amber/Red) is computed by a fixed, deterministic rules engine, not by AI. A human reviews and approves every document; the AI only assists by reading.
- An in-app support assistant answers “how the platform works” questions. It has no access to live records, and its conversations are session-only — they are not stored.
[PLACEHOLDER — confirm with lawyer: confirm the AI provider’s data-processing terms — in particular that submitted document content is not used to train the provider’s models and any retention period applied by the provider]
6. Third parties and sub-processors
We use a small number of trusted infrastructure providers (“sub-processors”) to run the service. They process information on our instructions to provide their part of the platform. The current providers are:
- Supabase — database, authentication and file storage (the documents and records described above). [PLACEHOLDER — confirm with lawyer: confirm Supabase plan, data region and data-processing terms]
- Vercel — application hosting and delivery. [PLACEHOLDER — confirm with lawyer: confirm Vercel data region and data-processing terms]
- Resend — transactional email delivery (used where the platform sends email, e.g. portal invitations). [PLACEHOLDER — confirm with lawyer: confirm Resend usage scope and data-processing terms]
- Anthropic — AI processing of uploaded documents and the support assistant (see section 5). [PLACEHOLDER — confirm with lawyer: confirm Anthropic API data-processing/no-training terms]
- Google — address autocomplete/lookup when an address is typed into a form. [PLACEHOLDER — confirm with lawyer: confirm Google Maps Platform terms and what address data is sent]
We may also disclose information to the tenant organisation that controls it, to our professional advisers, or where required or authorised by law. [PLACEHOLDER — confirm with lawyer: confirm the full, current sub-processor list and keep it maintained; confirm whether a public sub-processor list/notice-of-change commitment is offered to tenants]
7. Where information is stored and overseas disclosure
Information is stored using the cloud infrastructure providers listed above. Neuva intends to host customer data in an Australian region where available. [PLACEHOLDER — confirm with lawyer: confirm the actual hosting region(s) for the database and storage]
Some providers — in particular email, AI processing and address lookup — may process limited information outside Australia. Under Australian Privacy Principle 8 (cross-border disclosure), this must be disclosed and handled appropriately. [PLACEHOLDER — confirm with lawyer: confirm which providers process data overseas, the countries involved, and the safeguards relied on; list the likely countries here]
8. How we protect information
We take reasonable steps to protect personal information, including:
- Database-level access control (row-level security). Access rules are enforced in the database itself, so each organisation’s data is isolated, and workers can only ever reach their own records — even if application code had a bug.
- Encryption in transit — connections to the platform use HTTPS/TLS.
- Role-based access — admins/staff and workers see different surfaces; sensitive actions are restricted.
- Tightly-scoped data access for workers (they read only their own data, through narrow functions that never expose other people’s records or internal fields).
- An append-only audit log of significant actions.
- Data minimisation — sensitive financial identifiers (TFN/bank/super) are not collected at all.
No system is perfectly secure, and we cannot guarantee absolute security. [PLACEHOLDER — confirm with lawyer: confirm encryption-at-rest with the storage/database provider before stating it; confirm any certifications (e.g. SOC 2, ISO 27001) held by Neuva or its providers; confirm the data- breach notification process aligned with the Notifiable Data Breaches scheme]
9. Retention and deletion
Because compliance records may need to be produced long after a worker stops working, deactivating or archiving a worker keeps their record rather than deleting it; the tenant controls this. Where Neuva is a processor, retention is ultimately directed by the tenant (the controller).
[PLACEHOLDER — confirm with lawyer: confirm retention periods for each data category (e.g. compliance documents, timesheets, audit logs, account data, enquiry data)] [PLACEHOLDER — confirm with lawyer: confirm what happens to a tenant’s data when they stop using Neuva — export, return and deletion timeframes — and any legal minimum-retention obligations]
10. Your rights
Under the Australian Privacy Principles, individuals generally have the right to:
- access the personal information held about them;
- request correction of information that is inaccurate, out of date or incomplete;
- make a complaint about how their information has been handled.
For worker information, the quickest route is usually through the tenant organisation that controls it (your employer or engager); Neuva will support that organisation in responding. For information Neuva controls, contact us using the details in section 13. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC). [PLACEHOLDER — confirm with lawyer: confirm the access/correction/complaints handling process and response timeframes]
11. Children
The platform is intended for adults in a workforce context and is not directed at children.[PLACEHOLDER — confirm with lawyer: confirm any minimum-age position and whether any workers may be minors (e.g. apprentices under 18) requiring additional handling]
12. Changes to this policy
We may update this policy from time to time. When we do, we will revise the effective date above and, where appropriate, notify tenants. [PLACEHOLDER — confirm with lawyer: confirm how material changes will be communicated]
13. Contact us
For privacy questions or requests, contact [PLACEHOLDER — confirm with lawyer: privacy contact name / role (e.g. Privacy Officer)] at [PLACEHOLDER — confirm with lawyer: privacy contact email], or by mail at [PLACEHOLDER — confirm with lawyer: postal address].