Privacy Policy

1. Who We Are

OG Portal is a client portal platform operated by OverGeek ABN 67 285 792 296 ("we", "us", "our"). This policy explains how we collect, use, and protect your personal information when you use our platform.

2. What We Collect

We collect the following information:

• Account information: name, email address, and password (stored securely hashed)
• Organisation data: business name, branding preferences (logo, colours), and ServiceM8 API credentials (stored encrypted)
• ServiceM8 synced data: job records, site/company information, contact details, form responses, and attachments synced from your ServiceM8 account
• Usage data: page views, feature usage, and session information for analytics purposes
• Billing information: payment details are collected and processed directly by Stripe — we do not store your card details

3. Why We Collect It

We use your information to:

• Provide and maintain the OG Portal service
• Authenticate your identity and manage your account
• Sync and display your ServiceM8 data within the portal
• Process subscription payments
• Send transactional emails (password resets, account invitations)
• Improve the platform based on usage patterns

4. Third-Party Services

We use the following third-party services to operate the platform:

• ServiceM8: job management data is synced from your ServiceM8 account via their API
• Stripe: handles payment processing and subscription management
• Mailjet: sends transactional emails (password resets, invitations)
• Mapbox: provides map displays for site locations

Each of these services has their own privacy policy governing how they handle your data.

5. Cookies

We use a single session cookie (og_session) to keep you signed in. This is an essential cookie required for the platform to function and expires after 24 hours. We do not use advertising or tracking cookies.

6. Data Security

We take reasonable measures to protect your information, including:

• Passwords are hashed using bcrypt and never stored in plain text
• ServiceM8 API credentials are encrypted at rest using AES-256
• All connections use HTTPS encryption in transit
• Session tokens are signed using JWT with secure, httpOnly cookies

7. Data Retention

Your account data is retained for as long as your account is active. ServiceM8 synced data is refreshed periodically and can be purged by an administrator if the organisation is deactivated. You may request deletion of your account and associated data at any time by contacting us.

8. Your Rights

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and data
• Withdraw consent for data processing

9. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated revision date.

10. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us at help@overgeek.com.au