Skip to content
Legal

Privacy Policy

How Chlor handles personal information under the Australian Privacy Principles.

Last updated: 13 April 2026

This Privacy Policy explains how Chlor (ABN 47 142 335 509) (“Chlor”, “we”, “us”) handles personal information when you use our pool service management software (the “Service”) and the chlor.app website. We are bound by the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) and, where applicable, the Notifiable Data Breaches scheme.

1. Information we collect

We collect the following categories of personal information:

  • Account information: your name, email address, phone number, business name, ABN, password hash, and the role you hold inside your business (owner, technician).
  • Customer records you upload: names, email addresses, phone numbers, property addresses, gate codes, access notes and notification preferences for your pool service customers.
  • Pool service data: water chemistry test results, chemical dosing records, equipment details, service history, photos taken during a service visit, and free-text technician notes.
  • Billing information: subscription plan, billing interval, invoice and transaction history. Payment card numbers and bank account details are collected and stored exclusively by Paddle (our payment processor and Merchant of Record) and are never stored on Chlor servers.
  • Communications: emails and SMS we send on your behalf to your customers, support tickets, and onboarding survey responses.
  • Technical data: IP address, browser type, device identifiers, pages visited, session duration and crash diagnostics, collected via Vercel Analytics in an aggregate, non-cookie form.
  • Location data: when you use route optimisation or map features we process the property addresses you have entered; we do not collect background location.

2. How we collect it

We collect personal information directly from you when you sign up, configure your account, import customer data, take a water test, send a message through the platform, or contact support. We also collect technical data automatically when you use the Service. Where you upload your customers’ personal information you confirm you have a lawful basis to do so under APP 3.6.

3. Why we collect it

  • To provide, operate and maintain the Service.
  • To process subscriptions, invoicing and payments through Paddle.
  • To send transactional communications on your behalf (appointment reminders, on-the-way SMS, service-complete reports, invoice delivery and payment reminders).
  • To provide customer support and respond to enquiries.
  • To improve the Service through product analytics, debugging and security monitoring.
  • To comply with Australian legal and regulatory obligations (including tax, anti-fraud and law-enforcement requests).

4. Disclosure to third parties

We disclose personal information to the following third-party service providers, each of whom is bound by their own privacy and security obligations:

  • Supabase Inc. — database, authentication and file storage. Project data is hosted in the AWS ap-southeast-2 (Sydney) region.
  • Paddle.com Market Ltd — payment processing, subscription management and tax compliance as Merchant of Record.
  • Stripe Payments Australia Pty Ltd — used by your customers when paying invoices issued through Chlor (Stripe Connect). Stripe acts as a separate controller for that data.
  • Resend — transactional email delivery (signup confirmations, invoices, reports, password resets).
  • Twilio — SMS delivery for appointment reminders and on-the-way notifications.
  • Google Maps Platform — address autocomplete, geocoding and route optimisation.
  • Vercel Inc. — application hosting and aggregate web analytics.

We may also disclose personal information where required by Australian law, in response to a lawful request from a regulator or law-enforcement agency, or where necessary to prevent serious harm.

5. Overseas data transfers

Although your operational data is stored in Australia (Supabase AWS ap-southeast-2), several of our processors are based overseas: Paddle (United Kingdom and Ireland), Stripe (United States and Australia), Twilio (United States), Resend (United States), Google (United States) and Vercel (United States). Before disclosing personal information to an overseas recipient we take reasonable steps under APP 8.1 to ensure the recipient handles the information in a way that is consistent with the APPs, including binding contractual data-processing terms.

6. Data retention

We retain personal information for as long as your account is active. After you close your account we retain your data for up to 30 days to allow re-export, after which it is deleted from production systems. Financial records (invoices, transactions, tax documents) are retained for at least 7 years to comply with the Taxation Administration Act 1953 (Cth) and the Corporations Act 2001 (Cth). Encrypted backups may persist for up to 90 days before being overwritten.

7. Security

We implement reasonable technical and organisational measures to protect personal information against loss, misuse, unauthorised access, modification and disclosure. Measures include TLS 1.2+ for all data in transit, encryption at rest, role-based access controls, least-privilege service accounts, audit logging and regular dependency security reviews. No internet-facing system is completely secure; we cannot guarantee absolute security.

8. Notifiable data breaches

If a data breach is likely to result in serious harm to any individual whose personal information we hold, we will notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with Part IIIC of the Privacy Act 1988 (Cth). Our internal breach response process targets initial assessment within 24 hours and OAIC notification within 72 hours where required.

9. Cookies and analytics

We use a small number of strictly-necessary cookies for authentication, session management and CSRF protection. We do not use advertising cookies. Vercel Analytics measures aggregate page views without setting personal-data cookies and without tracking you across other websites.

10. Children

Chlor is a business-to-business product and is not directed at persons under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us so we can delete it.

11. Your rights

Under the APPs, you may:

  • Request access to the personal information we hold about you (APP 12).
  • Request correction of inaccurate or out-of-date information (APP 13).
  • Request deletion of your personal information, subject to legal retention requirements.
  • Withdraw consent to non-essential processing (such as marketing emails) at any time.
  • Export your data in a structured, machine-readable format from the Settings page.

Where you have uploaded personal information about your own customers, you are the responsible APP entity for those individuals; we act as your service provider. Requests from your customers should be directed to you in the first instance.

12. How to contact us or make a complaint

For any privacy enquiry, access request or complaint, please email privacy@chlor.app or write to us at:

Privacy Officer
Chlor
Queensland, Australia

We will acknowledge your complaint within 7 days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner at oaic.gov.au, by phone on 1300 363 992, or by post to GPO Box 5288, Sydney NSW 2001.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “last updated” date. Material changes will also be notified to account holders by email at least 14 days before they take effect.

This policy is governed by the laws of Queensland, Australia. See also our Terms of Service, Refund Policy and Acceptable Use Policy.