⚠ DRAFT — REVIEW BY A LAWYER BEFORE PUBLISHING. This template was auto-generated as a starting point. It has not been reviewed by a legal professional and may contain inaccuracies, omissions, or misalignments with the Australian Privacy Act 1988 (Cth) requirements, Australian Consumer Law, or migration regulation. Have an Australian lawyer or privacy consultant review and adapt before going live.

Privacy Policy

Last updated: [DATE — fill in]

1. Who we are

LodgeReady (operating as Lodge-Ready) provides a document-readiness tool for Australian visa applicants at lodgeready.com. In this policy, "we", "us" and "our" refer to the operator of LodgeReady.

Contact for privacy matters: hello@lodgeready.com

This policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP).

2. Personal information we collect

  • Account information: name, email address, password (stored as a hash — see section 4), plan tier, company/agency if applicable.
  • Case data: target visa subclass (e.g. 600, 500, 485), planned lodgement date, applicant name, travel companions including their age and role, itinerary details, translation requests, notification preferences, consent records, and audit log entries.
  • Uploaded documents: the documents you upload for readiness checking (e.g. passports, financial statements, invitation letters, education documents). These may contain sensitive information about you and people travelling with you, including children.
  • Technical and usage data: IP address, browser/device data, timestamps, and actions taken in the app (kept in an audit log).
  • Payment information: we do not currently process payments. When billing is added, payment details will be handled by a third-party processor (to be disclosed at that time) and we will update this policy before collecting any payment data.

3. How we use your information

  • Run document-readiness checks against the requirements you tell us apply to your case.
  • Send your documents to our AI provider for analysis (see section 5).
  • Operate the translator marketplace if you request a NAATI-certified translation.
  • Send transactional emails (email verification codes, translation status, account notices). We rely on consent and the necessity of the service under the Spam Act 2003 (Cth); transactional emails are not marketing.
  • Detect duplicate uploads using a SHA-256 file hash.
  • Detect and prevent fraud and abuse.
  • Comply with legal obligations.

We do not sell your personal information. We do not share your personal information with marketing third parties. Our AI provider does not use your content to train its models (see section 5).

4. How we store and protect your information

  • Documents at rest: encrypted with AES-256-GCM and stored in Cloudflare R2 (S3-compatible object storage). Decryption only occurs when the document is sent to the AI provider for analysis.
  • Documents in transit: TLS/HTTPS.
  • Passwords: stored only as PBKDF2 hashes; never in plaintext.
  • Database: PostgreSQL hosted with a managed provider (currently Neon).
  • Multi-tenant isolation: if you signed up through a migration agency, your data is isolated to that company and is not visible to other agencies on the platform. Translators see only the documents assigned to them and cannot see commercial pricing.
  • Audit log: access and key actions are logged for security and dispute resolution.

We have not yet obtained external certifications such as SOC 2 or ISO 27001 and we do not represent that we hold them.

No system is perfectly secure. You upload information at your own risk.

5. Who we share your information with

Third partyPurposeLocation
Anthropic (Claude API)AI document analysis. Per Anthropic's API terms, content submitted via the API is not used to train models.United States
CloudflareR2 object storage, CDN, DNSGlobal / United States
Neon (or comparable Postgres host)Database hostingRegion depends on configuration (typically AU or AP)
Resend (or comparable SMTP provider)Transactional email deliveryUnited States
NAATI-certified translators on the platformOnly if you request a translation; the translator receives the document(s) you assign. Commercial pricing is stripped from translator views.Australia
Your migration agentIf you signed up under an agency, the agency's authorised users can see your case.Varies

We may also disclose information where required by Australian law or to protect our rights or the safety of others.

6. Cross-border disclosure (APP 8)

Some of the providers above process personal information outside Australia, principally in the United States. By using LodgeReady you acknowledge this cross-border disclosure. We rely on each provider's contractual terms and security practices and take reasonable steps to ensure your information is handled consistently with the APP, but APP 8.1 protections may not be equivalent to Australian law in every jurisdiction.

7. Children's information

Tourist 600 family applications often include minors travelling with a parent or guardian. If you upload documents about a person under 18, you confirm that you are their parent or legal guardian, or that you have authority from a parent or legal guardian to do so. We rely on you to obtain that consent. Contact us at hello@lodgeready.com if you need a child's data removed.

8. Retention

After the retention window for your plan, a scheduled job deletes documents, person records, cases, notifications and consent records. The audit log is retained for compliance and dispute purposes.

PlanRetention window
Free7 days
Solo90 days
Agency365 days

If you opted to "keep file" on a document, the encrypted file is retained for the window above (rather than deleted immediately after analysis) so you can download it.

9. Your rights under the Privacy Act

Under APP 12 and APP 13, you may:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate, out of date or incomplete.
  • Delete a case and its associated documents, persons, notifications and consents via the in-app delete action (/api/privacy/case/:id). Deletion removes the encrypted file from R2 and is recorded in the audit log.
  • Delete your account by contacting us at hello@lodgeready.com.
  • Complain about how we have handled your information.

To make a request, email hello@lodgeready.com. We will respond within a reasonable time (typically 30 days). If you are not satisfied with our response you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Cookies and similar technologies

We use a JSON Web Token (JWT) stored in your browser's localStorage to keep you signed in. We do not use third-party advertising or tracking cookies. Minimal session storage may be used to operate the app.

11. Changes to this policy

We may update this policy. The "Last updated" date at the top will change. If we make material changes we will notify registered users by email.

12. Contact

Email: hello@lodgeready.com