Privacy Policy
Legal

Privacy Policy

ACR Systems Pty Ltd  ·  Effective: 21 March 2026  ·  Version 1.0 (Beta)

1. Who We Are

FoxTrak is operated by ACR Systems Pty Ltd ("we", "us", "FoxTrak"), a company incorporated in Victoria, Australia. We take privacy seriously and are committed to handling all personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains what personal information we collect, how we use and protect it, who we share it with, and what rights you have. It applies to our web application at app.foxtrak.com, our iOS mobile app, and all related services.

By using FoxTrak, you consent to the practices described in this policy. If you do not agree, please do not use the platform.

2. What Data We Collect

Data You Provide Directly

Data Source Purpose
Business name, contact name Account registration Account identity, billing, communications
Email address Account registration Login, notifications, billing, support
Phone number Account registration Authentication, account recovery
Customer names, emails, phone numbers Operator data entry Job tracking, customer communications
Job details, step notes, descriptions Operator data entry Core platform functionality
Photos, files, attachments Operator uploads Job records, customer communications
Invoice and quote data Operator data entry Billing, customer records
Team member names and emails Operator invitations Team access and collaboration
Customer feedback and approval responses End customer input Job progress records

Data Generated Automatically

Data Purpose
Login timestamps, session data Security, account activity monitoring
Device type, OS version, app version Technical support, compatibility
IP address Security, fraud prevention
SMS and email delivery logs Communication records, support, disputes
In-app activity (job updates, step changes) Platform improvement, analytics
Error logs and crash reports Bug fixing and platform stability
Push notification tokens (iOS) Delivering push notifications

We collect only the data necessary to operate and improve the platform. We do not build advertising profiles or sell personal data.

Note on business address and tax ID: FoxTrak does not directly collect or store your business address or ABN/tax ID. If you connect Stripe or Xero, those providers may collect this information independently as part of their own onboarding and compliance requirements, governed by their respective privacy policies.

3. How We Use Your Data

We use personal information for the following purposes:

  • Providing the service - operating FoxTrak, processing jobs, sending communications, and enabling integrations
  • Account management - creating and maintaining your account, authenticating logins, and managing team access
  • Billing - processing subscription payments, issuing receipts, and managing plan changes
  • Communications - sending you transactional emails (receipts, notifications, security alerts) and, where you have opted in, product updates
  • Customer communications on your behalf - sending SMS and email messages to your end customers when you trigger them through the platform
  • Support - responding to your queries, resolving issues, and providing technical assistance
  • Security - detecting, investigating, and preventing fraud, abuse, or unauthorised access
  • Product improvement - analysing aggregate usage patterns to improve platform features and performance
  • Legal compliance - meeting our obligations under applicable law

We do not use your personal information for targeted advertising, and we do not sell or rent personal information to third parties.

4. SMS & Email Communications Data

What We Log

When an Operator sends a communication through FoxTrak, we log:

  • The recipient's phone number (for SMS) or email address (for email)
  • The message content (SMS body, email body, push notification body - stored per channel)
  • Sender identity (which Operator account sent the message)
  • Timestamp of the send event
  • Delivery status returned by the sending provider (Twilio or SendGrid)
  • The job or context the message was associated with

Why We Log This

Communication logs exist to allow Operators to review their sent message history, to support dispute resolution between Operators and their customers, to detect misuse of the communication features, and to comply with applicable telecommunications and spam laws.

Recipient Data

When a message is sent, the recipient's phone number or email address is transmitted to Twilio or SendGrid (as applicable) solely for message delivery. These providers act as data processors on our behalf and are contractually bound to process this data only for delivery purposes.

Operator Responsibility

Operators are responsible for ensuring they have a lawful basis to communicate with each recipient and that all communications comply with applicable spam and telecommunications laws. See our Terms of Service, Section 6, for Operator obligations.

5. Customer Data (End Customers)

Two Distinct Roles

FoxTrak operates with two types of users whose data we handle differently:

  • Operators - businesses who sign up for FoxTrak accounts. ACR Systems Pty Ltd is the data controller for Operator account data.
  • End Customers - the customers of those businesses, whose data is entered into FoxTrak by Operators. For end customer data, the Operator is the data controller and ACR Systems Pty Ltd acts as a data processor on the Operator's behalf.

What End Customer Data We Process

End customer data typically includes: name, phone number, email address, job history, approval responses, feedback, and any files or notes added to their jobs by the Operator.

Our Role

We process end customer data only as directed by Operators and only for the purpose of delivering the FoxTrak service to that Operator. We do not independently use, market to, or share end customer data for our own purposes.

End Customer Rights

If you are an end customer of a FoxTrak Operator and wish to access, correct, or delete your personal data, you should contact the Operator directly, as they are the data controller for your information. If you are unable to reach the Operator, you may contact us at hello@foxtrak.com and we will assist where we reasonably can.

6. Payment Data

FoxTrak Subscription Payments

Subscription payments from Operators to ACR Systems Pty Ltd are processed by Stripe. We do not store full credit card numbers, CVV codes, or other sensitive card data on our servers. Stripe handles all payment card data in accordance with PCI DSS compliance standards.

We retain records of payment transactions (amounts, dates, plan changes) for accounting and billing purposes.

Customer Payments via Operator Stripe Accounts

When an Operator's end customer makes a payment for a job or invoice through FoxTrak, the payment is processed directly through the Operator's own connected Stripe account. In these transactions, FoxTrak passes payment-relevant data (invoice amount, job reference, customer contact details) to the Operator's Stripe account solely to facilitate the transaction.

ACR Systems Pty Ltd does not store end customer payment card details and is not a party to these transactions. Stripe's privacy policy governs how Stripe handles this data.

7. Data Storage & Location

Your data is stored in Australia. FoxTrak uses Google Firebase infrastructure located in the australia-southeast1 region (Sydney, NSW) for all primary data storage, including Firestore (database) and Cloud Storage (files and media).

This means your data - and your customers' data - does not leave Australia for primary storage purposes.

Exceptions

The following scenarios may involve data processing outside Australia:

  • SMS delivery - recipient phone numbers are transmitted to Twilio (US-based) for message routing and delivery. Twilio is bound by our data processing agreement.
  • Email delivery - recipient email addresses and message content are transmitted to SendGrid (US-based). SendGrid is bound by our data processing agreement.
  • Payment processing - payment data is transmitted to Stripe (US-based) as described in Section 6.
  • Xero integration - if you connect Xero, invoice and business data is shared with Xero in accordance with Xero's privacy policy.
  • Push notifications - device notification tokens are transmitted to Apple (APNs) or Google Firebase Cloud Messaging (FCM) for push notification delivery.
  • Web hosting - our web applications (foxtrak.com and app.foxtrak.com) are hosted on Vercel, whose infrastructure may process request data outside Australia.

In all cases where data is transmitted internationally, we ensure appropriate safeguards are in place through contractual arrangements with our providers.

8. Third-Party Services

We work with the following third-party providers to operate FoxTrak. Each receives only the minimum data necessary for their specific function.

Firebase (Google)
Database (Firestore), file storage, authentication, and push notifications (FCM)
Privacy policy ↗
Twilio
SMS message delivery to end customers
Privacy policy ↗
SendGrid
Transactional email delivery to end customers
Privacy policy ↗
Stripe
Subscription billing and customer payment processing
Privacy policy ↗
Xero
Optional accounting integration (invoice/quote sync)
Privacy policy ↗
Apple (APNs)
iOS push notification delivery
Privacy policy ↗
Vercel
Web application hosting (foxtrak.com and app.foxtrak.com)
Privacy policy ↗

We do not sell personal data to any of these providers or any other third parties. These providers are authorised to process personal data only for the specific functions described above and are contractually required to maintain appropriate security standards.

9. Data Sharing & Disclosure

We do not sell, rent, or trade personal information. We disclose data only in the following circumstances:

  • Service providers - to the third-party providers listed in Section 8, strictly for the purposes described
  • Within your account - team members within your FoxTrak account can access data appropriate to their assigned role (Admin, Editor, or Viewer)
  • Legal obligations - when required by applicable law, court order, or lawful request from a government or regulatory authority
  • Protection of rights - where we reasonably believe disclosure is necessary to protect the rights, property, or safety of ACR Systems Pty Ltd, our users, or the public
  • Business transfer - in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will notify affected users in advance.

In all other cases, we will seek your consent before disclosing your personal information to any third party.

10. Data Retention

Active Accounts

We retain your data for as long as your FoxTrak account is active and as long as reasonably necessary to provide the service.

Account Closure

When an account is closed, we retain your data for 90 days to allow for data export and to handle any post-closure queries. After 90 days, your data is permanently and irreversibly deleted from our systems, unless we are required by applicable law to retain it for longer.

Communication Logs

SMS and email communication logs are retained for 24 months from the date of the communication. This retention period supports dispute resolution, spam law compliance, and delivery record requirements.

Billing Records

Transaction and billing records are retained for 7 years in accordance with Australian tax and accounting law requirements.

Beta Period

During the beta period, certain data may be reset as part of platform updates. We will provide reasonable advance notice before any such reset where possible.

11. Security

We implement industry-standard security measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Firebase security rules with role-based access controls limiting data access to authorised users
  • Secure secret management for API keys and credentials (Firebase Secret Manager)
  • Two-factor authentication (2FA) available for all Operator accounts
  • Regular security reviews of Firestore and Storage access rules
  • Automated security scanning of the codebase

No method of data transmission or storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at hello@foxtrak.com.

In the event of a data breach that is likely to result in serious harm to individuals, we will notify affected users and, where required, the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

12. Your Rights

Under the Australian Privacy Act and applicable law, you have the following rights in respect of your personal information:

  • Access - request a copy of the personal information we hold about you
  • Correction - request that we correct inaccurate, incomplete, or outdated information
  • Deletion - request deletion of your personal data (subject to our retention obligations)
  • Data portability - export your job and customer data in CSV or PDF format at any time from within the platform
  • Opt-out of marketing - unsubscribe from non-transactional marketing emails at any time using the unsubscribe link in any such email, or by contacting us
  • Complaints - lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have handled your data improperly

How to Exercise Your Rights

To make any request, email hello@foxtrak.com with "Privacy Request" in the subject line. We will respond within 30 days. We may need to verify your identity before processing the request.

OAIC Contact

If you are unsatisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or on 1300 363 992.

13. Cookies & Analytics

Web Application

Our web application uses session cookies and local storage to maintain your login state and preserve your preferences. These are strictly necessary for the platform to function and are not used for advertising.

Analytics

We do not currently use any third-party analytics tools on the FoxTrak platform or marketing website. We do not use Google Analytics or similar services. Any usage insights we gather are derived from aggregate, anonymised data within our own infrastructure and do not identify individual users.

Marketing Website

Our marketing website (foxtrak.com) does not currently use tracking or advertising cookies. If this changes in the future, we will update this policy and add an appropriate cookie notice to that site.

14. International Users

FoxTrak is primarily designed for businesses operating in Australia, with support also available for businesses operating in the United States. All data is stored in Australia (Google Cloud australia-southeast1) and processed in accordance with Australian privacy law.

United States

For US-based Operators and their customers, FoxTrak's SMS communications are subject to the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act. Operators are responsible for compliance with these laws when using FoxTrak to communicate with US customers.

European Users

FoxTrak is not currently marketed to individuals in the European Economic Area (EEA). If you are an EEA resident using FoxTrak, please be aware that our platform has not been specifically designed to comply with GDPR. Contact us at hello@foxtrak.com if you have questions.

15. Changes to This Policy

We may update this Privacy Policy as the platform evolves or as legal requirements change. We will notify you of significant changes via email and/or in-app notice at least 14 days before they take effect. The current version is always available at foxtrak.com/privacy.

Continued use of FoxTrak after an updated policy takes effect constitutes your acceptance of the changes.

16. Contact & Complaints

For all privacy-related queries, requests, or complaints:

ACR Systems Pty Ltd
ABN: 88 691 470 890  ·  ACN: 691 470 890
Melbourne, Victoria, Australia
hello@foxtrak.com
Subject line: Privacy Request

We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.