Privacy Policy — Roadmapp

Roadmapp is committed to protecting your privacy. This policy is written to satisfy the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR) 2016/679, and the UK General Data Protection Regulation (UK GDPR) as retained in UK law. We collect only what is necessary to operate the platform and will never sell your data.

1. Who We Are

Vick Solutions Pty Ltd (trading as Digital Roadmap and operating the Roadmapp platform) is incorporated in Australia. We operate Roadmapp at app.roadmapp.com.au.

Privacy contact: hello@roadmapp.com.au

EU & UK Representative (Article 27 GDPR / UK GDPR):
We are in the process of appointing a formal Article 27 representative for the EU and UK. In the interim, all data subject requests and supervisory authority communications may be directed to hello@roadmapp.com.au and will receive a response within the applicable statutory timeframes.

2. Information We Collect

2.1 Account and Identity Information

Information	Why we collect it
Full name	Identify you within your organisation and display your name in the platform
Work email address	Account login, notifications, and support communications
Job title / role	Permission management
Phone number (optional)	Displayed in the team directory if provided
Password (hashed)	Authentication — passwords are never stored in plain text
MFA data	Account security where MFA is enabled

2.2 Work and Project Data

Project records, tasks, milestones, RAID logs, timesheets, resource allocation, stakeholder details, and uploaded files. This data is owned by your organisation.

2.3 Usage and Technical Data

IP address (country/state level only), browser type, pages visited, error logs. Not used for advertising profiles.

3. Lawful Basis for Processing (EU & UK Users)

Processing activity	Lawful basis
Account creation and login	Contract performance (Art. 6(1)(b))
Work and project data	Contract performance / Legitimate interests (Art. 6(1)(b), (f))
Transactional emails	Contract performance (Art. 6(1)(b))
Usage analytics and error logging	Legitimate interests (Art. 6(1)(f))
Security and audit logging	Legitimate interests / Legal obligation (Art. 6(1)(f), (c))

4. Controller and Processor Roles

When your organisation subscribes to Roadmapp, it is the data controller for all project and operational data entered into the platform. Vick Solutions Pty Ltd acts as the data processor for that data. A full Data Processing Agreement (DPA) incorporating EU SCCs (Module 2) and the UK IDTA is available.

5. Sub-processors

Sub-processor	Purpose	Data location	Transfer mechanism
Supabase Inc. (USA)	Database, auth, file storage	AWS ap-southeast-2 (Sydney)	DPA + SCCs / IDTA
Netlify Inc. (USA)	Web hosting and CDN	Global CDN (static assets only)	DPA + SCCs
Microsoft Corporation (USA)	Transactional email (Graph API)	Microsoft datacentres	Microsoft DPA + SCCs

We provide at least 30 days’ notice before adding any new sub-processor that processes EU or UK personal data.

6. International Data Transfers

6.1 EU/EEA → Australia

Transfers are protected by EU Standard Contractual Clauses (Module 2: Controller to Processor), Commission Implementing Decision 2021/914. We have conducted a Transfer Impact Assessment confirming Australian law does not unduly impair SCC protections.

6.2 UK → Australia

Australia holds a UK adequacy decision under the UK GDPR (Section 17A, Data Protection Act 2018). No additional mechanism is required for UK→Australia transfers. Onward transfers to US sub-processors are covered by the UK International Data Transfer Agreement (IDTA).

7. Data Retention

Data category	Retention period
Account and identity data	Active account duration; anonymised within 30 days of account deletion
Project and work data	Duration of subscription; export available 30 days post-termination
Usage / technical logs	Up to 12 months
Audit logs	Up to 3 years
Support communications	Up to 3 years

8. Security

TLS 1.2+ encryption in transit · AES-256 encryption at rest · bcrypt/Argon2 password hashing · Row-level security (RLS) · Role-based access control · MFA available · Audit logging with IP capture · Automatic session timeout.

8.1 Breach Notification

EU (GDPR Art. 33/34): Supervisory authority notified within 72 hours; high-risk breaches also notified to affected data subjects.
UK (UK GDPR Art. 33/34): ICO notified within 72 hours.
Australia (NDB scheme): OAIC and affected individuals notified as required.

9. Your Privacy Rights

9.1 All Users (Australian Privacy Act)

Access · Correction · Deletion · Complaint to OAIC

9.2 EU and UK Users (GDPR / UK GDPR)

Right	Article	How to exercise
Access	Art. 15	Download My Data in Profile settings, or email us
Rectification	Art. 16	Update in Profile settings, or email us
Erasure	Art. 17	Delete Account in Profile settings, or email us
Restriction	Art. 18	Email hello@roadmapp.com.au
Portability	Art. 20	Download My Data (CSV export) in Profile settings
Object to processing	Art. 21	Email hello@roadmapp.com.au
Withdraw consent	Art. 7(3)	Email hello@roadmapp.com.au

We respond to rights requests within 30 days. No fee charged unless the request is manifestly unfounded or excessive.

10. Cookies

We use only strictly necessary and functional cookies — authentication session tokens, refresh tokens, and UI preferences. No advertising cookies, tracking pixels, or third-party analytics that profile individuals.

11. Contact and Supervisory Authorities

Privacy contact: hello@roadmapp.com.au

Jurisdiction	Supervisory authority
Australia	Office of the Australian Information Commissioner (OAIC) — oaic.gov.au · 1300 363 992
United Kingdom	Information Commissioner’s Office (ICO) — ico.org.uk · 0303 123 1113
European Union	Your local national data protection authority — full list at edpb.europa.eu