Summary: Regovix is committed to protecting your privacy under the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). We collect only what we need, use it only for the purposes you would expect, and never sell your data to third parties.
1. About Regovix
Regovix (ABN 19 735 810 326) is an Australian HSEQ compliance software platform operated by Madhu Pattarambil. Our platform comprises eleven purpose-built web applications designed to help Australian businesses manage workplace health and safety compliance obligations.
This Privacy Policy applies to all Regovix applications, the regovix.com.au website, and all communications between Regovix and its customers, users, and visitors.
Your input data (AI features) → Anthropic (USA) for processing → response returned to you
Your payment data → Stripe (USA) for processing → not stored by Regovix
Your website traffic → Netlify (USA) hosting infrastructure
Your contact details → Stored by Regovix (Australia) · Used only to provide service
No data is sold to third parties. No data is used for advertising.
2. What personal information we collect
Account and contact information
- Full name and job title
- Business email address and phone number
- Company name, ABN, and business address
- Username and encrypted password
- Billing and payment information (processed securely by Stripe — Regovix does not store card details)
Workplace compliance data
Depending on which Regovix apps your organisation uses, we may process:
- Risk assessments and SWMS — task descriptions, hazard details, control measures, worker sign-off records
- Incident records — incident descriptions, locations, dates, photos, corrective actions
- Chemical register data — product names, UN numbers, DG classifications, SDS documents
- Fleet inspection records — vehicle details, inspection results, defect reports
- Pre-shift wellness check-in data — fatigue ratings, sleep hours, wellness self-assessments, fitness for duty declarations. This constitutes sensitive health information under the Privacy Act.
- Training and induction records — completion status, sign-off dates, licence details
- Permit to work records — permit details, approvals, close-out records
- Audit and inspection records — findings, photos, NCR details, corrective actions
- DG stock and disposal records — chemical quantities, disposal dates, contractor details, manifest numbers
Technical and usage data
- IP address and browser type
- Pages visited and features used within Regovix applications
- Device type and operating system
- Login timestamps and session data
3. How we collect personal information
- Directly from you — when you register, complete a form, submit a report, or contact us
- From your organisation — when your employer or HSEQ consultant sets up your user account
- Automatically — through cookies and technical logs when you use our applications
- From third parties — payment processing information from Stripe upon subscription
4. Why we collect and use your information
We collect and use personal information for the following purposes:
- Providing, operating, and improving the Regovix platform and applications
- Creating and managing your user account and subscription
- Processing payments and managing billing
- Generating compliance reports, audit trails, and document exports on your behalf
- Sending service-related notifications — expiry alerts, review reminders, corrective action reminders
- Providing customer support and onboarding assistance
- Improving application features based on usage patterns (aggregated, not individually identified)
- Complying with legal obligations applicable to Regovix as a software service provider
We do not use your data for advertising. We do not sell, rent, or share your personal information with third-party advertisers or data brokers under any circumstances.
5. Sensitive information — WellnessCheck
WellnessCheck collects pre-shift health and wellness data including fatigue ratings, hours slept, physical and mental wellness self-assessments, and fitness for duty declarations. This constitutes sensitive personal information under the Privacy Act 1988.
We handle this data with additional care:
- Consent — workers provide explicit informed consent before their first check-in, and consent can be withdrawn at any time
- Minimum collection — we do not collect medication names, diagnoses, or treatment details — only acknowledgement declarations
- Access controls — individual check-in records are visible only to the worker themselves and their direct supervisor in the context of a specific shift
- Aggregate reporting only — HSE Managers see workforce-level trends, not individual health records
- No third-party sharing — wellness check-in data is never shared with insurers, workers compensation bodies, or regulators without explicit written consent or a valid legal obligation
- Retention limits — configurable data retention periods per organisation, after which records are anonymised or deleted
6. Who we share your information with
We share personal information only in the following limited circumstances:
6.1 Anthropic (Claude AI — AI processing)
Regovix integrates Claude AI, developed by Anthropic PBC (United States), to power specific AI features within the platform. The following Regovix products directly call the Anthropic API and transmit your input data to Anthropic for processing:
- RegWatchAI — your regulatory query inputs and alert interaction data are sent to Anthropic's API to generate compliance analysis and regulatory summaries.
- CallAssist — call transcription text and operator queries are sent to Anthropic's API to generate live guidance responses.
- Regovix website chatbot — messages you send to the Regovix AI assistant are sent to Anthropic's API to generate responses.
The following Regovix apps are built on the Base44 platform and do not directly call the Anthropic API: RiskMatrix, RiskReady, InductGuard, ToolboxGen, IncidentLoop, FleetCheck, ChemTrack, AuditMate, WellnessCheck, ComplianceVault, and DGVault. These apps may use Base44's own AI infrastructure — refer to Base44's Privacy Policy for details of their data processing.
- Anthropic is located in the United States. By using RegWatchAI, CallAssist, or the Regovix chatbot, you consent to the relevant input data being processed in the United States.
- Anthropic processes data under its own Privacy Policy and API usage terms. Anthropic states it does not train models on API data by default.
- You should avoid entering sensitive personal information (such as individual worker names, medical details, or personal incident details) into AI input fields unless necessary for the task.
- Anthropic acts as a data processor on behalf of Regovix solely for the purpose of generating AI outputs in the products listed above.
6.2 Base44 (application platform)
Eleven of the thirteen Regovix apps (RiskMatrix, RiskReady, InductGuard, ToolboxGen, IncidentLoop, FleetCheck, ChemTrack, AuditMate, WellnessCheck, ComplianceVault, and DGVault) are built on the Base44 platform. Data you enter into these apps is processed and stored by Base44's infrastructure.
- Base44 acts as a data processor on behalf of Regovix for these applications.
- Base44's data processing practices are governed by Base44's Privacy Policy and Terms of Service.
- Please refer to Base44's privacy documentation for details of their data storage locations and security practices.
6.3 Netlify (website hosting and serverless functions)
The Regovix website and application are hosted on Netlify, Inc. (United States). Netlify processes web traffic, form submissions, and serverless function requests. Data transmitted through the Regovix website passes through Netlify's infrastructure.
- Netlify is located in the United States and processes data under its own Privacy Policy.
- Form submissions (contact requests, trial requests) are processed by Netlify before being forwarded to Regovix.
- Netlify's infrastructure is compliant with SOC 2 Type II standards.
6.4 Stripe (payment processing)
Subscription and payment information is processed by Stripe, Inc. (United States). Regovix does not store credit card numbers or payment card data. Stripe acts as a data processor for payment transactions.
- Stripe is PCI DSS Level 1 compliant — the highest level of payment security certification.
- Stripe is located in the United States and processes data under its own Privacy Policy.
6.5 Within your organisation
Data entered by workers, supervisors, and administrators within your Regovix account is accessible to other authorised users within your organisation based on their assigned role and permissions.
6.6 Legal obligations
We may disclose personal information if required to do so by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Regovix, our customers, or others.
6.7 Business transfers
If Regovix is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected customers via email and update this Privacy Policy accordingly.
7. Data storage, security, and overseas disclosure
7.1 Where your data is stored and processed
Regovix operates as a distributed platform. Your data may be stored and processed in the following locations:
- Australia — Regovix is an Australian business (ABN 19 735 810 326) and your primary account data and contact information are managed from Australia.
- United States (Netlify) — The Regovix website and application are hosted on Netlify infrastructure located in the United States.
- United States (Anthropic) — When you use AI-powered features, your input data is processed by Anthropic's API servers located in the United States.
- United States (Stripe) — Payment and billing information is processed by Stripe servers located in the United States.
7.2 Overseas disclosure — your consent
Under the Australian Privacy Act 1988, we are required to inform you that your personal information may be disclosed to overseas recipients. By using Regovix, you acknowledge and consent to your personal information being processed in the United States by Anthropic, Netlify, and Stripe as described in Section 6.
Regovix has taken reasonable steps to ensure these overseas recipients handle your information in a manner consistent with the Australian Privacy Principles. However, you should be aware that once your data is disclosed to an overseas recipient, the Australian Privacy Act may not apply to the recipient's handling of that data, and you may not be able to seek remedies under the Australian Privacy Act in relation to overseas processing.
7.3 Security measures
- All data is transmitted over encrypted HTTPS connections at all times
- Regovix does not store credit card numbers or payment card data — all payment processing is handled by Stripe
- Access to customer data is restricted to authorised Regovix personnel on a need-to-know basis
- We conduct regular reviews of our security practices and respond promptly to any identified vulnerabilities
- AI input data sent to Anthropic is not used to train Anthropic's models under Anthropic's standard API terms
7.4 Data breach notification
If a data breach occurs that is likely to result in serious harm to affected individuals, we will notify affected customers and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
8. How long we keep your information
- Active account data — retained for the duration of your subscription plus 30 days after cancellation
- Compliance records — retained for the period required by applicable Australian legislation. POEO Act waste records require 5-year retention. WHS incident records should be retained for the duration of any investigation or legal proceedings.
- Billing records — retained for 7 years to satisfy ATO requirements
- Wellness check-in data — configurable per organisation, default 12 months
- Deleted account data — securely purged within 90 days of account deletion request
9. Your privacy rights
Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:
- Access — request a copy of the personal information Regovix holds about you
- Correction — request that inaccurate or incomplete information be corrected
- Deletion — request deletion of your personal information, subject to our legal retention obligations
- Complaint — lodge a complaint with Regovix, and if unresolved, with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
- Opt out of marketing — unsubscribe from marketing communications at any time using the unsubscribe link in any email, or by contacting us directly
To exercise any of these rights, contact us at maddypat@regovix.com.au. We will respond within 30 days.
10. Cookies
Regovix uses essential cookies required for application functionality — session management, authentication, and security. We do not use advertising cookies or tracking pixels.
If we add analytics cookies in future (such as Google Analytics), we will update this policy and request your consent where required.
11. Third-party links
The Regovix website and applications may contain links to third-party websites, including regulatory bodies and industry resources. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 14 days before taking effect. The current version is always available at regovix.com.au/privacy.html.
Continued use of Regovix after a policy update constitutes acceptance of the revised terms.
13. Contact us
Privacy enquiries and complaints
Regovix
ABN: 19 735 810 326
Email: maddypat@regovix.com.au
Website: regovix.com.au
If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.