Privacy Policy

Introduction

RocketShoes Pty Ltd ("RocketShoes", "we", "us", "our") operates the Project Hail Money application ("the App"), a cloud-based client relationship management tool provided to consultancy organisations as a software-as-a-service ("SaaS") platform.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in connection with the App. We are committed to handling personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth), and where applicable, the Privacy and Data Protection Act 2014 (Vic).

Further information about the APPs is available from the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

About the App and Who This Policy Covers

The App is used by two categories of people:

• Organisation Users — staff and administrators of consultancy businesses ("Organisations") who subscribe to the App to manage their clients, projects, time, and billing.
• End Clients — individuals whose information is entered into the App by an Organisation User (e.g., a student or client of a consultancy).

This policy covers personal information collected from both categories. Where an Organisation uses the App to store information about their own clients, that Organisation is responsible for ensuring they have appropriate authority to store that information and have notified those individuals in accordance with applicable privacy laws.

What Personal Information We Collect

Organisation Users

When an Organisation or its staff members access the App, we may collect:

• Full name and email address (via Google Sign-In / Firebase Authentication)
• Organisation name and role
• Login activity and session data
• Usage logs and feature interaction data

End Client Records (entered by Organisation Users)

Organisation Users may enter the following types of information about their clients into the App:

• Full name, email address, and phone number
• Company or educational institution
• Project and engagement details
• Time records and billing information (hours, rates, amounts)
• Uploaded documents (e.g., contracts, correspondence, student records)
• Notes and internal records

Automatically Collected Information

When you use the App, we may automatically collect:

• Device type, browser, and operating system
• IP address and approximate location
• Log data including access times and pages viewed
• Authentication tokens and session identifiers

How We Collect Personal Information

We collect personal information:

• Directly from Organisation Users when they register, sign in, and use the App
• Via Google Sign-In (Firebase Authentication), which provides your name and email address from your Google account
• When Organisation Users enter information about their End Clients into the App
• Automatically through application logs and Firebase platform services

We do not collect personal information from third parties except as described above.

Sensitive Information

We do not intentionally collect sensitive information (as defined in the Privacy Act 1988, including racial or ethnic origin, health information, political opinions, religious beliefs, or biometric data) through the App.

However, Organisation Users — particularly those in the education or migration consultancy sectors — may enter sensitive information about their clients as part of their case records. Where this occurs:

• The Organisation User is responsible for ensuring they have the individual's consent to store that information
• We treat all such data with the same security standards as other personal information
• We do not access, use, or process sensitive client records except as necessary to provide and maintain the App

Why We Collect Personal Information

Primary Purposes

• To provide, operate, and maintain the App and its features
• To authenticate users and manage access to Organisation accounts
• To enable Organisations to manage client records, projects, time entries, and billing reports
• To communicate with Organisation Users about their accounts, support requests, and service updates

Secondary Purposes

Secondary uses are directly related to the primary purposes above. We may use contact details to:

• Send service notifications and important updates
• Respond to support and billing enquiries
• Conduct platform improvement research (aggregated and de-identified where possible)

Organisation Users may opt out of non-essential communications at any time by contacting us at the address below.

Disclosure of Personal Information

We do not sell, rent, or trade personal information. We may disclose personal information to:

• Firebase / Google Cloud — our infrastructure provider. Data is stored and processed using Firebase services (Firestore, Firebase Authentication, Firebase Storage, Firebase Hosting). Google may store data on servers located outside Australia, including in the United States. Google's data handling practices are governed by the Google Cloud Privacy Notice.
• Our staff and contractors — only to the extent necessary to provide support or maintain the App, and subject to confidentiality obligations
• Legal and regulatory authorities — where required or authorised by law

Where personal information is disclosed to overseas recipients (including Google Cloud infrastructure), we take reasonable steps to ensure those recipients handle the information consistently with the APPs, noting that APP 8.1 obligations apply.

Multi-Tenancy and Data Isolation

The App is a multi-tenant platform. Each subscribing Organisation's data is logically isolated from other Organisations' data using Firestore security rules scoped to the Organisation's account. Organisation Users can only access data belonging to their own Organisation. RocketShoes does not grant one Organisation access to another Organisation's data.

Retention and Destruction of Personal Information

• Active account data is retained for as long as the Organisation's subscription remains active
• Upon account closure, Organisation data is retained for a minimum of seven (7) years to meet legal and accounting obligations, after which it is securely destroyed or de-identified
• Uploaded documents are retained in Firebase Storage subject to the same schedule
• Users may request earlier deletion of their personal information (see below), subject to any legal retention requirements

Cookies and Local Storage

The App uses browser-based authentication tokens and local storage to maintain your session. These are managed by Firebase Authentication and are necessary for the App to function. No third-party advertising or tracking cookies are used.

Access, Correction and Complaints

Organisation Users — Access and Correction

You have the right to access and correct personal information we hold about you. To make a request:

• Submit your request in writing to the contact details below
• We may require verification of your identity before granting access
• We will respond within a reasonable timeframe (generally 30 days)
• No fee is charged for making an access or correction request; an administrative fee may apply for providing copies of records

Organisation Users — Data Portability

Organisation Users may export their client and billing data from the App's Reports section at any time during an active subscription.

Complaints

If you believe we have breached the APPs or the Privacy and Data Protection Act 2014 (Vic), you may lodge a complaint with us in writing. We will investigate and respond within 30 days. If you are not satisfied with our response, you may refer your complaint to:

• Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au — 1300 363 992
• Office of the Victorian Information Commissioner (OVIC): ovic.vic.gov.au — 1300 006 842

Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify Organisation Users via the App or by email. Continued use of the App after notification constitutes acceptance of the updated policy.