// legal

Privacy Policy

This policy applies to all AIOZ SaaS platforms — including PickEasy and ValetMate — their mobile apps, web portals, and APIs. It explains exactly what personal data we collect, why, how we use and protect it, how long we keep it (including after deletion), and your rights under Australian, EU, and US law. We do not use vague language — if something happens to your data, this document says so plainly.

Effective: 1 May 2026 Last updated: 2 May 2026 privacy@aioz.com.au
Privacy Act 1988 (AU) GDPR / UK GDPR (EU) CCPA / CPRA (US) CAN-SPAM (US) COPPA (US)
// contents
1. Who We Are 2. Scope 3. Information We Collect 4. How We Use Your Information 5. Legal Basis (GDPR) 6. Sharing & Disclosure 7. Third-Party Services 8. International Transfers 9. Data Retention & Backups 10. Cookies 11. Security 12. Your Rights 13. Children 14. Changes to This Policy 16. Email & CAN-SPAM 15. Contact & Complaints
Related documents Terms of Service → Cookie Policy → Cookie Settings →

01 Who We Are

AIOZ is a registered business name (ABN 30 612 944 968) of Andre Fritz Klaus Iwers, an Australian sole trader based in Tasmania, Australia. AIOZ is not a separate legal entity — all rights, obligations, and liabilities under this policy are those of Andre Fritz Klaus Iwers trading as AIOZ. We develop and operate cloud-based SaaS platforms for workforce and operations management, including PickEasy (fruit harvest management) and ValetMate (valet parking management).

Under the Privacy Act 1988 (Cth), the APP entity responsible for your personal information is Andre Fritz Klaus Iwers trading as AIOZ.
Under the EU General Data Protection Regulation (GDPR), the data controller is Andre Fritz Klaus Iwers trading as AIOZ.
Under the California Consumer Privacy Act (CCPA/CPRA), the business is Andre Fritz Klaus Iwers trading as AIOZ.

Australian Privacy Act — voluntary compliance: AIOZ voluntarily complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in full. Sole traders and small businesses with annual turnover below AUD $3 million are generally exempt from the Act; however, AIOZ has elected to apply the APPs as a matter of good practice so that our users receive the full benefit of those protections.

CCPA/CPRA — voluntary compliance: AIOZ voluntarily extends CCPA/CPRA rights to all California residents. As a small business, AIOZ may not meet the statutory thresholds that trigger mandatory CCPA compliance (annual gross revenues exceeding USD $25 million; processing personal information of 100,000+ consumers or households per year; or deriving 50%+ of annual revenue from selling personal information), but we believe these protections should apply to our users regardless.

GDPR — EU/UK representative: AIOZ is not established in the EEA or UK. As a small sole trader that only occasionally processes EEA/UK personal data and does not process special-category data at scale, AIOZ relies on the Art. 27(2) GDPR exemption from appointing a formal EU representative. EEA/UK residents may contact us directly using the details below; any competent EEA supervisory authority may exercise jurisdiction over our processing of EEA personal data.

Privacy enquiries: privacy@aioz.com.au  ·  Andre Fritz Klaus Iwers trading as AIOZ  ·  Tasmania, Australia  ·  ABN 30 612 944 968
To obtain a postal address for written correspondence, please email us first.

02 Scope

This policy applies to:

  • PickEasy — iOS & Android apps (com.au.afk.pickeasy) and web portal at pickeasy.aioz.com.au
  • ValetMate — iOS & Android apps (com.au.afk.valetmate) and web portal at valetmate.aioz.com.au
  • The AIOZ website at aioz.com.au
  • Any related APIs, backend services, or systems operated by AIOZ

Where you access our platforms through an employer or business that has licensed our platform (an "Operator"), AIOZ may process personal information both for our own service, security, and support purposes and on behalf of that Operator. This policy describes AIOZ's handling practices. Operators remain responsible for the information they choose to enter into the platform and for any workplace, employment, parking, customer-service, or safety notices they give to end users.

In practice, the same record may be relevant to both AIOZ and the Operator that administers the relevant PickEasy or ValetMate workspace. Contractual arrangements may allocate operational responsibilities between us, but they do not remove any privacy obligations that apply by law to either party.

03 Information We Collect

3.1 Account & Identity Information

When you or your employer creates an account, we collect:

  • Full name
  • Email address
  • Phone number (where provided)
  • Role, job title, and employer / company name
  • Login credentials (password is stored as a one-way hash — we cannot read it)
  • Profile settings and preferences stored within the app

3.2 Operational & Service Data

  • PickEasy work records such as farm assignments, QR scans, picker onboarding UUIDs, harvest sessions, row/block/variety selections, farm and row-map configuration, and evacuation-plan data (including warden contact details entered by Operators)
  • ValetMate operational records such as session/ticket history, QR tag tokens, parking locations, key movements, locker assignments, pickup-request times, ratings, customer comments, and staff activity timelines
  • Manager and admin web-portal records such as staff directory details, role assignments, car park or farm configuration, imported employee data, report filters/exports, and audit trails of operational changes
  • Customer vehicle information where provided, including number plates and optional saved vehicle details (for example nickname, make, model, or colour)

3.3 Media & Uploaded Files

  • ValetMate parking photos, damage-inspection photos, locker photos, and related notification images
  • Company, car park, or branding images uploaded through the web portals

3.4 Communications & Notification Data

  • Email address and related verification or password-reset records for staff, pickers, and customers who create accounts
  • Push notification tokens for PickEasy and ValetMate mobile apps (Firebase Cloud Messaging)
  • Browser web-push subscription data for ValetMate customer pages, including endpoint URLs and encryption keys
  • Optional customer phone numbers where provided for ValetMate SMS updates

3.5 Technical, Session & Log Data

  • IP address, request metadata, and security logs used for fraud prevention, abuse detection, rate limiting, and service diagnostics
  • Session/authentication state, CSRF tokens, login state, and cookie-consent records for our websites and web portals
  • Pages and features accessed, timestamps, and error diagnostics needed to operate and support the service

3.6 Location, Camera & Device Permissions (Mobile Apps)

  • PickEasy requests camera access for QR scanning
  • PickEasy requests foreground location permission so the evacuation map can show the user's position and orientation on-device; in the current reviewed build, that live GPS stream is not normally transmitted to our servers as part of everyday use
  • ValetMate requests camera access to scan QR codes and capture parking or damage photos
  • ValetMate requests photo-library access on supported devices to attach existing photos or save captured photos
  • ValetMate does not request device GPS location in the current reviewed mobile builds

3.7 Payment Data

  • Payments are processed directly by Stripe, Inc. for operator subscriptions and ValetMate customer payments
  • AIOZ does not receive, store, or have access to full card numbers, CVV codes, or full bank-account credentials
  • We do receive payment status, amounts, currency, transaction IDs, customer/subscription references, and related billing metadata required to run the service

3.8 Cookie & Tracking Data

See Section 10 — Cookies for full details.

3.9 What We Do NOT Normally Collect

  • Background GPS location
  • Biometric identifiers
  • Advertising IDs or cross-app tracking data for behavioural advertising
  • Government-issued identification numbers unless a separate written product scope explicitly requires them
  • Health or medical information as part of the standard PickEasy or ValetMate product workflows

3.9 Government identifiers (APP 9)

AIOZ will not adopt, use, or disclose a government-related identifier (such as a tax file number, Medicare number, or passport number) as its own identifier of an individual. We do not request, store, or process government-issued identification numbers as part of normal platform operations.

3.10 Unsolicited personal information (APP 4)

If AIOZ receives personal information that we did not solicit — for example, if a user sends us third-party details in a support email — and we are not required or permitted to collect it under the APPs, we will destroy or permanently de-identify that information as soon as reasonably practicable, provided it is lawful and reasonable to do so.

04 How We Use Your Information

PurposeData Used
Providing the service — delivering core harvest, evacuation, valet, locker, reporting, manager-portal, and customer-session functionalityAccount data, operational records, uploaded media, payment status, notification data
Account management — creating and managing user accounts, authentication, password resets, and email verificationName, email, password hash, verification/reset records, phone (where provided)
Notifications & communications — sending transactional emails, mobile push, browser push, and optional SMS updatesEmail address, push token, browser push subscription data, phone number, session status
Billing & payments — processing operator subscriptions, ValetMate customer payments, and receiptsEmail, number plate (where provided for self-start parking), Stripe transaction/payment metadata
Safety & incident records — displaying evacuation plans and storing parking, locker, damage, and operational-audit recordsRoute/location labels, warden contact details entered by Operators, vehicle photos, notes, timestamps, staff activity history
Security & fraud prevention — detecting unauthorised access, abuse, policy violations, and suspicious payment or session activityIP address, session data, request metadata, usage logs
Support & troubleshooting — diagnosing bugs and responding to help requestsAccount data, operational context, error diagnostics, relevant support correspondence
Legal compliance — meeting obligations under Australian and applicable international lawAs required by law
We do not sell, rent, or trade your personal information to any third party. We do not use your personal data for cross-context behavioural advertising or marketing profiling.

Transactional communications vs. direct marketing (APP 7 / CAN-SPAM)

AIOZ sends transactional and service-related communications only — including account verification codes, password resets, subscription billing confirmations, payment receipts, session status notifications, security alerts, and planned maintenance notices. Depending on the feature and your choices, these may be delivered by email, mobile push, browser push, or SMS. These communications are necessary to deliver the service and are not direct marketing.

We do not send promotional or marketing emails without your prior express consent. All commercial emails sent to US recipients comply with the CAN-SPAM Act: each email identifies AIOZ as the sender, includes a valid postal address, and contains a clear opt-out link. Opt-out requests are processed within 10 business days. See Section 16 for full CAN-SPAM details.

Current deployments reviewed on 03 May 2026: the AIOZ landing page, PickEasy web portal, and ValetMate web portal do not currently load third-party advertising scripts or behavioural analytics SDKs. If that changes, we will update this policy and the relevant consent mechanisms before enabling them.

05 Legal Basis for Processing (GDPR)

For users in the EEA or United Kingdom, we rely on the following legal bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)) — Processing necessary to provide the service, manage your account, and fulfil our Terms of Service.
  • Legitimate interests (Art. 6(1)(f)) — Security monitoring, fraud prevention, support, service reliability, and limited internal diagnostics needed to operate the platform without advertising or cross-context behavioural profiling. When we rely on legitimate interests, we consider the impact on users and offer controls where required by law.
  • Legal obligation (Art. 6(1)(c)) — Processing required to comply with Australian or applicable international law (e.g. tax records, workplace safety obligations).
  • Consent (Art. 6(1)(a)) — Device or browser notification permissions, PickEasy foreground location permission for the evacuation map, and any optional non-essential website cookies we may enable. You may withdraw consent at any time without affecting the lawfulness of prior processing. To withdraw push-notification consent, disable notifications for the app or browser in your device or browser settings.

06 Sharing & Disclosure

We share personal information only in the following circumstances:

  • With your Operator — Work records, session logs, and reports are accessible to the business that manages your account. This is the core function of the platform.
  • With service providers — Trusted third-party processors acting on our instructions under written data processing agreements (see Section 7).
  • For legal compliance — Where required by law, court order, or government authority, or to protect rights, property, or safety.
  • Business transfer — In the event of a merger, acquisition, or asset sale, personal information may transfer subject to equivalent privacy protections and advance notice to affected users.

We have never sold personal information and have no intention of doing so.

07 Third-Party Services

Google Firebase

Used for push notification delivery (Firebase Cloud Messaging) in the PickEasy and ValetMate mobile apps. In the current reviewed deployments, Firebase Analytics is not enabled. Operated by Google LLC. Data may be processed in the United States. Google Privacy Policy →

Stripe

Payment processing for operator subscriptions and ValetMate customer payments. AIOZ does not store full card details. Payment data is handled by Stripe under Stripe's own infrastructure. Stripe Privacy Policy →

Twilio (optional)

Used only when a ValetMate Operator enables SMS updates for a car park. Customer phone numbers and message-delivery metadata may be processed by Twilio. Twilio Privacy Policy →

Mapping & Geocoding Providers

PickEasy's web portal can use OpenStreetMap tiles, Esri satellite imagery, Nominatim geocoding, and optionally Google Maps where an Operator configures that provider. These services may receive IP address, browser metadata, and map-related requests needed to render maps or geocode locations.

Browser Push Services

ValetMate customer web pages can register browser push subscriptions. The subscription endpoint is processed via the relevant browser vendor's push service together with our VAPID keys so we can send status updates to the browser.

Google Fonts

Our public AIOZ website may load fonts from Google Fonts after the relevant page is allowed to do so by your consent preferences and browser settings. This transmits your IP address to Google's servers.

Hosting Infrastructure

Backend servers and databases are hosted on self-managed infrastructure. We store data within Australia where reasonably practicable.

We review vendor privacy and security terms when selecting third-party services and enable optional integrations only where they are needed for the relevant product feature.

08 International Data Transfers

AIOZ is based in Australia. Some service providers (including Google Firebase and Stripe) are based in or operate infrastructure in the United States and other countries.

Australian users

Cross-border disclosures are made in accordance with Australian Privacy Principle 8. We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs, including through contractual obligations.

EEA / UK users

Where personal data is transferred outside the EEA or UK, we rely on one or more of: EU Standard Contractual Clauses (SCCs), adequacy decisions recognised by the European Commission, or the UK International Data Transfer Agreement (IDTA). A copy of the applicable safeguards is available on request at privacy@aioz.com.au.

US users

Data involving US users is processed in accordance with applicable US state privacy law together with the contractual and service-provider terms that apply to the relevant third-party services we use.

09 Data Retention & Backups

Active data retention

Data typeRetention periodReason
Account & profile dataDuration of account + up to 30 days after deletion requestService provision, recovery window, and support
Operational records (for example harvest entries, valet sessions, parking/damage/key events, ratings)Retained while needed for service delivery, reporting, dispute resolution, and legal obligationsCore platform recordkeeping; direct identifiers may be stripped earlier under the more specific rules below
PickEasy session FCM tokensTypically cleared after 90 days on older session recordsNotification delivery no longer needed for older sessions
PickEasy unlinked picker identity snapshots on old sessionsTypically anonymised after 3 yearsOperational reporting while reducing long-term personal-data retention
ValetMate customer email / phone / FCM token on closed, unclaimed sessionsTypically removed after 90 daysReceipts and notifications are only needed for a limited period after closure
Payment and billing recordsUp to 7 years or longer where law or processor obligations requireAccounting, tax, fraud prevention, and dispute handling
Server & access logs (including IP)Typically around 90 days, subject to operational needSecurity monitoring and incident response
Cookie consent records (platform users)12 monthsStored in the web-portal database with consent choices plus hashed IP/session metadata for auditability
Cookie consent records (aioz.com.au visitors)12 monthsStored in browser localStorage and the aioz_cid cookie only

Account deletion

When you or your Operator deletes an account, we aim to remove the direct identifiers that are no longer needed from live production systems within 30 days. Historical operational or financial records may continue to exist where they are needed for reporting, dispute handling, safety, accounting, or legal compliance, but we will remove or de-identify direct personal identifiers where reasonably practicable.

Backup retention disclosure: Our systems use automated encrypted backups. Deleted personal data may continue to exist in backup copies for up to 90 days following deletion from live systems, after which backups are permanently overwritten or destroyed. During this period, backup data is encrypted, not accessible for normal operations, and not restored unless required for disaster recovery.

10 Cookies

We use cookies and similar tracking technologies on our websites and web portals. This section explains what cookies we use and how to manage them.

What are cookies?

Cookies are small text files placed on your device by a website. They may also include similar technologies such as local storage, pixel tags, and session identifiers.

Categories of cookies we use

CategoryExamplesCan be declined?
Essential
Always active		 Session authentication tokens, CSRF protection, login state, security cookies No — required for the platform to function securely
Analytics No third-party analytics scripts are currently active in the reviewed deployments. This category is reserved so we can request consent before enabling optional analytics in the future. Yes — and currently unused
Functional Consent-state preferences and optional user-experience settings where we introduce them in future. Public aioz.com.au pages do not currently set separate optional functional cookies beyond your consent choice itself. Yes — and currently limited

We do not use advertising, targeting, or third-party marketing cookies.

GDPR consent

For users in the EEA or UK, non-essential cookies are blocked until you provide explicit consent via our cookie consent banner. You may withdraw or change your consent at any time:

Browser controls

You can also control or delete cookies through your browser settings. Clearing cookies will reset your consent preferences and you will be shown the consent banner again on your next visit. Most browsers support Do Not Track (DNT); we respect this signal where technically feasible.

11 Security

We implement appropriate technical and organisational security measures including:

  • Encrypted data transmission (HTTPS/TLS 1.2+) for all network communications
  • Passwords stored as one-way hashes (bcrypt) — we cannot retrieve your password
  • Encrypted credential storage on-device via the OS secure keychain / keystore
  • Encrypted database backups at rest
  • Access controls and role-based permissions limiting data access to authorised personnel
  • Regular security reviews of infrastructure and application code

No method of transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we will notify you promptly if a breach affects your data.

Breach notification: In the event of an eligible data breach, AIOZ will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC). Where GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.

12 Your Rights

To exercise any right below, contact privacy@aioz.com.au. We will acknowledge within 5 business days and respond fully within 30 days (or sooner where required by law). For California residents: we will respond within 45 days as required by the CCPA; where necessary and with prior notice, this period may be extended by a further 45 days. We may need to verify your identity before acting on a request. We will not charge a fee for reasonable requests.

Access

Request a copy of the personal data we hold about you.
(AU · EU · US)

Correction

Ask us to correct inaccurate or incomplete information.
(AU · EU)

Deletion / Erasure

Request deletion of your personal data. Subject to legal retention obligations and backup rotation (see Section 9).
(AU · EU · US)

Portability

Receive your data in a structured, machine-readable, commonly used and interoperable format (e.g. JSON or CSV). Fulfilled within 30 days.
(EU)

Automated Decisions

We do not make solely automated decisions (including profiling) that produce legal or similarly significant effects about you. No opt-out mechanism is required.
(EU — Art. 22)

Objection

Object to processing based on legitimate interests or for direct marketing.
(EU)

Restriction

Request that we limit processing of your data in certain circumstances.
(EU)

Opt-Out of Sale

We do not sell personal information. No opt-out is required, but you may request written confirmation.
(US)

Non-Discrimination

Exercising your privacy rights will never result in denial of service or different pricing.
(US)

Authorised agents (CCPA)

California residents may appoint an authorised agent to submit requests. We require written proof of authorisation and may verify your identity directly before acting.

CCPA — Categories of personal information collected

For California residents, the following categories of personal information were collected in the preceding 12 months (Cal. Civ. Code § 1798.140):

Statutory categoryExamples collectedSold or shared?
IdentifiersName, email address, phone number, IP address, push-notification token, session/customer tokens, vehicle number plateNo
Commercial informationSubscription records, payment status, billing history, and transaction IDs via StripeNo
Internet or other electronic network activity informationAccess logs, session timestamps, request metadata, and feature usage needed to operate the serviceNo
Audio, electronic, visual, or similar informationParking photos, damage-inspection photos, locker photos, and other uploaded service imagesNo
Professional or employment-related informationStaff role, company, farm/car-park assignment, and Operator-entered evacuation warden detailsNo

We do not sell or share any of the above categories for cross-context behavioural advertising. The reviewed deployments do not include third-party advertising SDKs or Google Signals. No "Limit the Use of My Sensitive Personal Information" link is required based on the current standard product flows described in this policy.

Other US state privacy laws

AIOZ will comply with applicable US state privacy laws as they apply to our users, including the Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar legislation enacted in other states. The rights described in this section are generally available to residents of states with comprehensive privacy legislation. To exercise any applicable state privacy right, contact privacy@aioz.com.au.

13 Children's Privacy

Our platforms are designed exclusively for professional workplace use by adults. Account creation requires users to confirm they are at least 18 years old (Terms of Service §2.1); this age gate is our primary control against collecting personal information from minors. We do not knowingly collect personal information from individuals under the age of 16.

If you believe we have inadvertently collected personal information from a minor under 13 (or under 16 for EEA residents), please contact us immediately at privacy@aioz.com.au. Upon confirmation, we will delete the relevant information within 30 days, or as soon as reasonably practicable in accordance with the requirements of COPPA (15 U.S.C. § 6501 et seq.) and applicable law.

14 Changes to This Policy

We may update this policy from time to time. When we make material changes we will:

  • Update the "Last updated" date at the top of this page
  • Notify Operators by email at least 14 days before the change takes effect (for material changes affecting user rights)
  • Where GDPR requires, seek fresh consent where the legal basis for processing changes

Continued use of the platform after the effective date constitutes acceptance of the revised policy.

16 Email Communications & CAN-SPAM

All commercial emails sent by AIOZ to recipients in the United States comply with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.). The following requirements apply to every commercial email we send:

  • The email clearly identifies AIOZ as the sender with an accurate "From" name and address
  • The subject line accurately reflects the content of the email — no deceptive subject lines
  • Every commercial email includes AIOZ's valid physical postal address
  • Every commercial email contains a clear and conspicuous opt-out (unsubscribe) mechanism
  • Opt-out requests are honoured within 10 business days of receipt and remain in effect for a minimum of 30 days
  • We do not send commercial emails to any recipient who has previously opted out
  • We do not sell, lease, or transfer opt-out lists to third parties

Transactional emails (account verification, password resets, billing receipts, security alerts, service-status notices) are necessary for delivery of the service. These are not commercial messages subject to CAN-SPAM opt-out requirements; however, users may contact us at privacy@aioz.com.au to discuss communication preferences at any time.

To opt out of commercial emails or manage communication preferences, use the unsubscribe link in any marketing email, or contact privacy@aioz.com.au. Opt-out requests are processed within 10 business days.

15 Contact & Complaints

Privacy enquiries

privacy@aioz.com.au
Andre Fritz Klaus Iwers trading as AIOZ · Tasmania, Australia · ABN 30 612 944 968
We will acknowledge within 5 business days and respond fully within 30 days.

Australian complaints — OAIC

If we do not resolve your complaint to your satisfaction, you may escalate to the Office of the Australian Information Commissioner:

EU complaints — Supervisory Authority

EEA residents may lodge a complaint with their local data protection supervisory authority. A full list of EU authorities is available at:

US complaints — CPPA

California residents with unresolved privacy complaints may contact the California Privacy Protection Agency:

Limitation of liability: To the maximum extent permitted by applicable law, AIOZ's aggregate liability for privacy-related claims is limited to the amount paid by you or your Operator for the service in the 12 months preceding the claim, or AUD $100 where no amount was paid.

This limitation does not apply to: (a) liability for compensation under GDPR Article 82 or any other mandatory data protection legislation that cannot be contractually excluded or limited; (b) liability arising from fraud or wilful misconduct; or (c) any right or remedy that cannot be excluded under the Australian Consumer Law, the Privacy Act 1988 (Cth), or other non-excludable legislation.