Privacy Policy

Oxide Construct Pty Ltd (referred to in this policy as "Oxide Construct", "we", "us", or "our") is committed to protecting the personal information of every homeowner, insurer, loss adjuster, strata manager, tradesperson, supplier, and visitor who interacts with us. This Privacy Policy explains what personal information we collect, how we collect it, why we collect it, who we share it with, how we keep it secure, and the rights you have over it.

We are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APP 1 to APP 13) that sit in Schedule 1 of that Act. This policy is published in accordance with APP 1, which requires Australian organisations to maintain a clearly expressed and up to date privacy policy about their handling of personal information.

This policy applies to oxideconstruct.com.au, all forms and online tools hosted on that website, every interaction you have with our office or site teams, and all insurance repair, make safe, maintenance, and private building services we deliver across Victoria. Where you make a policyholder excess payment through this website, that payment is processed by Stripe and the payment record flows into our internal claims management platform so the work can be scheduled. We describe that integration in more detail throughout this policy.

This policy is published in good faith pending professional legal review. As noted in the draft banner above, the language and structure may be refined before final publication. The substantive obligations described here, however, reflect our current practice and the applicable Australian law.

Oxide Construct Pty Ltd is an Australian proprietary limited company and a registered building practitioner in Victoria. We specialise in insurance repair, make safe, and restoration work delivered on behalf of insurers, loss adjusters, strata managers, and homeowners. Our office is in South Melbourne and our work is performed across metropolitan and regional Victoria.

We are not licensed to perform building work outside Victoria. Any reference in this policy to "our services" or "our jurisdiction" means services delivered within Victoria under our Victorian licence. We do not operate in New South Wales, Queensland, or any other Australian state or territory.

Operationally, the public website you are reading shares a backend infrastructure with our internal claims management platform. The platform is the system our coordinators, estimators, and trade partners use to deliver each repair from first notification of loss through to practical completion. We describe how the two systems interact, and what that means for your information, throughout this policy.

• ✓Legal name: Oxide Construct Pty Ltd
• ✓ABN: 77 690 166 799
• ✓ACN: 690 166 799
• ✓Building practitioner licence: CDB-U 76013 (issued by the Victorian Building Authority)
• ✓Jurisdiction: Victoria only
• ✓Registered office: 101 Moray St, South Melbourne, VIC 3205

In accordance with APP 3 (collection of solicited personal information), we only collect personal information that is reasonably necessary for, or directly related to, our functions and activities as a Victorian insurance repair builder. The categories below describe the types of information we may collect about you. Not every category applies to every interaction. A general website enquiry may involve only your name and contact details, while a full insurance claim necessarily involves much more.

Identity information

• ✓Full legal name, preferred name, salutation, and date of birth where date of birth is needed to confirm policy ownership.
• ✓Photographic identification (driver licence, passport) where required to verify identity before releasing information or completing high value transactions.

Contact information

• ✓Postal address, residential or site address, email address, mobile and landline numbers, and your preferred channel for communication.

Property information

• ✓Site address, ownership status (owner occupier, landlord, tenant, body corporate), property type (detached dwelling, townhouse, apartment, commercial premises), approximate age, construction details (materials, number of storeys, roof type), and history of previous damage or repairs where relevant to scoping the current works.

Claims information

• ✓Insurer name, policy number, claim reference number, date of loss, cause of loss, scope of works, excess amount, authorised contact person, and any special access or scheduling instructions.

Financial information

• ✓Payment card details for excess payments are entered directly into Stripe and never touch our servers. We receive only the transaction outcome, the last four digits of the card, and the receipt reference. We never store full card numbers, CVV codes, or full bank account details on our systems.
• ✓Bank account details, ABN, ACN, and GST status for tradies and suppliers we engage on the panel, collected through our supplier onboarding process.

Imagery and assessment data

• ✓Photographs and video of damage, work in progress, and completed works, drone footage of roof and external structures where access is unsafe by other means, structural and engineering reports, hydraulic and electrical assessments, and scope of works documents. The dedicated CCTV, Site Imagery and Drone Footage section below describes how this material is captured and stored.

Sensitive information (only when relevant)

• ✓Health information where injury was caused by the insured event, accessibility or mobility requirements that affect repair design, and indicators of vulnerability such as bereavement, displacement, or family violence. Sensitive information is only collected with consent under APP 3.3 unless an exception in the Privacy Act applies.

Technical information

• ✓IP address, approximate location derived from IP, browser type and version, device type and operating system, referring URL, pages viewed, time spent on each page, timestamps, and cookie identifiers. This data is captured automatically by our hosting and analytics providers.

Trade panel applications

• ✓Trade qualifications, public liability insurance certificates, workers compensation certificates, references, recent project history, and (with your prior written consent) criminal history check results, where required by an insurer for work on residential property.

In accordance with APP 5 (notification of the collection of personal information), we make a reasonable effort to ensure that you know what information we hold about you, why we hold it, and what we do with it. We collect personal information through four broad channels.

Directly from you

• •Enquiry forms, contact forms, expression of interest forms for the trade panel, and excess payment forms hosted on this website.
• •Phone calls and SMS messages to and from our office.
• •Email correspondence sent to any of our published email addresses.
• •In person, when our estimators, project managers, or trades meet you on site to scope, perform, or complete repair works.

Indirectly, from people you have authorised to deal with us

• •From your insurer or loss adjuster when a claim is referred to us. The referral typically includes your name, contact details, the property address, the claim reference, and a description of the loss.
• •From strata managers, body corporate committees, and owners corporations where the work involves common property or strata title arrangements.
• •From licensed trades and subcontractors engaged on a specific job, who may share information about access arrangements, scope variations, or hazards encountered on site.

Where an insurer or loss adjuster refers a claim to us, we make contact with you at the earliest practical opportunity and introduce ourselves. That first contact serves as the APP 5 notification that we now hold your information and explains how this policy applies to the work that is about to begin.

Automatically, when you use our website

• •Cookies and similar technologies, server access logs, performance analytics, and error reports. The Cookies and Tracking section below explains the specific cookies we use and how you can control them.

From third parties and public registers

• •Victorian Building Authority public register, when we verify the licence status of a tradesperson applying to our panel.
• •Australian Business Register (ABR), to verify the ABN of a contractor or supplier.
• •Professional reference checks supplied by referees you have nominated as part of a trade panel application.

Under APP 6 (use or disclosure of personal information), we may only use the personal information we hold about you for the primary purpose for which it was collected, or for a closely related secondary purpose that you would reasonably expect, unless you have consented to another use or another exception in the Privacy Act applies.

Primary purposes

• •Responding to enquiries submitted through this website, by phone, or in person.
• •Scoping, quoting, scheduling, performing, and completing insurance repair work, including emergency make safe and restoration work.
• •Coordinating make safe and emergency response work outside business hours.
• •Managing claims through to practical completion and handover, including all related communications with you, your insurer, and any third party authorised to act on your behalf.
• •Processing policyholder excess payments through Stripe and reconciling those payments against the relevant claim file.
• •Coordinating licensed trades and material suppliers required to deliver each job.
• •Meeting our obligations under the Domestic Building Contracts Act 1995 (Vic) and the Building Act 1993 (Vic), including the issue of compliant building contracts and certificates.

Secondary purposes (related and reasonably expected)

• •Customer service follow up, satisfaction surveys, and post completion check ins.
• •Warranty management and any future rectification work performed under the statutory warranty period for domestic building work in Victoria.
• •Internal quality assurance, training of our staff and trade partners, and continuous improvement of our processes (using de identified or aggregated data wherever practical).
• •Dispute resolution, complaint handling, and the conduct of any tribunal or court proceedings related to a particular claim.
• •Fraud prevention, including the detection of duplicate or inflated claims that may affect insurer underwriting.

Marketing

We only use your information for direct marketing where you have given consent, or where you are an existing customer and the marketing is for related services that you would reasonably expect. The Direct Marketing and Spam Act section below explains your opt out rights in detail.

Legal and regulatory compliance

• •Reporting incidents and notifiable events to WorkSafe Victoria as required.
• •Notifications and disclosures to the Victorian Building Authority.
• •Tax record keeping and reporting to the Australian Taxation Office.
• •Compliance with court orders, subpoenas, search warrants, and other lawful requests.

Oxide Construct Pty Ltd does not sell, rent, or trade your personal information to anyone, ever. We disclose personal information only where it is necessary to deliver the services you have asked for, where it is required or authorised by law, or where you have consented. Disclosure is governed by APP 6 (use or disclosure of personal information).

Service delivery recipients

• •Insurance providers and loss adjusters: for claim processing, scope approval, variation authorisation, payment, and reporting on the status of the work.
• •Licensed trades and subcontractors on our panel: to enable the actual execution of repair work, including access details, scope of works, and any health and safety information relevant to the site.
• •Licensed engineers, hydraulic consultants, building consultants, and surveyors: for specialist assessments where the cause or extent of damage requires independent expert review.
• •Material suppliers and merchants: for procurement of building materials. We only share the information needed to fulfil and deliver the order, such as a delivery address and a site contact name.
• •Strata managers and body corporate committees: where the work involves common property or affects neighbouring lot owners.

Technology and platform providers

• •Stripe: payment processor for excess payments. Card data is captured and processed entirely within Stripe. Refer to the Stripe Privacy Policy for details of how Stripe handles cardholder data.
• •Sanity: headless content management system used to publish blog articles, service descriptions, and other marketing content. Sanity does not receive personal information from website forms.
• •Cloudflare: edge hosting and content delivery network. Cloudflare processes server access logs in order to deliver pages and protect the site from abuse.
• •Sentry: error monitoring. Sentry receives anonymised error reports that help us identify and fix bugs.
• •Resend: transactional email delivery for confirmations, receipts, and similar service messages.
• •Our internal claims management platform: a separate company system used by our coordinators, estimators, and field teams to manage each claim from start to finish. The public website and the internal platform share underlying infrastructure but are protected by appropriate access controls so that website visitors cannot access internal claim files and internal users only see the data they are authorised to see.

Professional advisers

• •Lawyers, accountants, auditors, and insurance brokers engaged by us under professional confidentiality obligations.

Government and regulatory bodies

• •The Victorian Building Authority, WorkSafe Victoria, the Australian Taxation Office, courts, tribunals, and any other body where disclosure is required or authorised by Australian law.

All third parties to whom we disclose personal information are bound by contractual confidentiality obligations and are required to handle the information in a manner consistent with the Australian Privacy Principles or an equivalent standard.

Wherever practical, your personal information is stored on Australian based servers operated by providers with a permanent presence in Australia. However, some of the technology providers we use are headquartered overseas or operate global infrastructure, which means a small subset of information may be processed or stored outside Australia.

Likely overseas recipients

• •Stripe (United States) for payment processing.
• •Sentry (United States) for error monitoring of anonymised diagnostic data.
• •Cloudflare (global content delivery network with Australian edge locations) for hosting and security.

Each overseas provider is bound by contractual obligations requiring data handling practices that are at least equivalent to the Australian Privacy Principles, and each maintains its own public privacy policy and security certifications. We regularly review the privacy posture of our key providers as part of our vendor management programme.

A cookie is a small text file that a website places on your device so that the site can recognise the device on subsequent visits. Cookies make websites work, remember your preferences, and help us understand how the site is used so we can improve it. We use cookies sparingly and only for purposes that are useful to you or necessary to operate the site.

We do not use third party advertising cookies, retargeting pixels, or cross site tracking technologies. Our analytics provider is configured to be privacy first and does not track individuals across other websites.

Cookie categories we use

• •Strictly necessary cookies: session management, secure form submission, and cross site request forgery (CSRF) protection. These cookies cannot be disabled because the site will not function correctly without them.
• •Performance cookies: Cloudflare Web Analytics, used in privacy first mode with no cookies on most page loads and no cross site tracking. These help us measure Core Web Vitals and understand which pages are most useful.
• •Functional cookies: remembering your preferences, such as whether you have dismissed a notice or selected a particular form option.

Controlling cookies

Most browsers let you view, manage, and delete cookies through their settings menu. You can also configure your browser to block cookies or to warn you before a cookie is set. We honour Do Not Track browser signals where the relevant standard is supported. Disabling strictly necessary cookies will prevent forms and protected pages from working correctly.

Direct marketing is regulated by APP 7 (direct marketing), the Spam Act 2003 (Cth), and the Do Not Call Register Act 2006 (Cth). We take all three obligations seriously.

• •We send marketing emails or SMS messages only where you have given consent, or where you are an existing customer and the message is for related building services that you would reasonably expect.
• •Every marketing message we send identifies us clearly as the sender, provides a functional unsubscribe mechanism, and is honoured within 5 business days of an unsubscribe request.
• •We do not make unsolicited telemarketing calls and we check the Do Not Call Register before any outbound call campaign.
• •We do not sell or share marketing lists with third parties.

How to opt out

You can opt out of direct marketing at any time by clicking the unsubscribe link in any marketing email, by replying STOP to a marketing SMS, or by emailing [email protected] with the subject "Opt out". Operational messages required to deliver a service you have asked for, such as appointment reminders or payment receipts, are not classified as marketing and will continue regardless of marketing preferences.

Under APP 10 (quality of personal information), we take reasonable steps to ensure that the personal information we collect is accurate, up to date, complete, and relevant for the purpose for which it is used. Inaccurate information about a property, an insurance claim, or a contact person can cause real harm in the construction industry, including missed appointments, failed payments, and incorrect repairs.

How we maintain accuracy

• •Validating information at the point of collection, including format checks on email addresses, phone numbers, postcodes, and ABNs.
• •Confirming key claim and contact details with you at first contact and again when work is scheduled.
• •Periodic review of records that have been inactive for a long period, with deletion or archival as appropriate.
• •Acting on customer driven correction requests promptly and free of charge.

If you believe any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact our Privacy Compliance Officer (see Contact Us). We will correct it within 30 days, in line with APP 13 (correction of personal information), or explain why we are unable to and tell you what your options are.

Under APP 11 (security of personal information), we are required to take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security programme is built around the principle of defence in depth: multiple independent controls so that the failure of any one control does not expose information.

Technical controls

• •AES-256 encryption for data at rest in our databases, document storage, and backups.
• •TLS 1.3 encryption for all data in transit between your browser and our servers, and between our servers and our service providers.
• •Australian based primary infrastructure with encrypted off site backups.
• •Web application firewall, automated bot mitigation, and distributed denial of service protection at the edge.
• •Continuous monitoring of authentication, authorisation, and unusual activity patterns.
• •Regular vulnerability scanning and periodic penetration testing of customer facing systems.

Access controls

• •Role based access control aligned to the principle of least privilege. Staff can access only the records they need to perform their job.
• •Multi factor authentication is mandatory for all staff and trade partner accounts that touch claim records.
• •Separation between the public website and our internal claims management platform, so that website visitors cannot enumerate or access internal records, even where the underlying infrastructure is shared.
• •Audit logging of access to sensitive records, with logs retained for security review.

Organisational controls

• •Privacy and information handling training for all staff at induction and refreshed annually.
• •A secure software development lifecycle, including code review, dependency scanning, and security gates before deployment.
• •Vendor security review before onboarding any new technology provider that will handle personal information.
• •A documented incident response and data breach plan, rehearsed periodically and aligned to the Notifiable Data Breaches scheme.

No security system is one hundred per cent impenetrable. If a breach occurs that is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme described in the next sections.

We keep personal information only for as long as it is needed for the purposes for which it was collected, or as required by Australian law. Insurance repair work, like other domestic building work in Victoria, carries long statutory warranty periods, which means some records must be retained well beyond the date a job is completed.

Indicative retention schedule

• •Active claim files: for the life of the claim plus the statutory warranty period that applies to domestic building work in Victoria, which is currently 6 years from the date of practical completion (with longer periods for major structural defects).
• •Financial records (invoices, payments, tax records): at least 7 years, in line with Australian Taxation Office record keeping requirements.
• •Workplace health and safety records: as required by WorkSafe Victoria and the Occupational Health and Safety Act 2004 (Vic).
• •Marketing consents and unsubscribe records: until withdrawn, and then archived for a reasonable period to demonstrate that we honoured the unsubscribe.
• •Website analytics: aggregated and anonymised after 26 months.
• •Job applications and trade panel applications: up to 12 months from the date of application unless an ongoing engagement proceeds.

Secure destruction

When information is no longer required, we destroy or de identify it. Electronic records are securely deleted from production systems and from the next backup rotation. Paper records are shredded by an accredited destruction service. Where information has been combined with operational data that cannot be separately deleted, we de identify it so that you can no longer be reasonably identified from the remaining data.

The Australian Privacy Principles give you several rights in relation to the personal information we hold about you. We respect those rights and have made it as straightforward as possible to exercise them.

• •Right to access (APP 12): you may request a copy of the personal information we hold about you. We will respond within 30 days. Access is free of charge in most cases. We will only charge a reasonable, cost based fee where the request involves significant manual collation, and we will tell you the estimated cost before any work begins.
• •Right to correct (APP 13): you may ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
• •Right to withdraw consent: you may withdraw consent for any optional data collection or for direct marketing at any time. We will stop the relevant processing as soon as practicable after we receive your request.
• •Right to anonymity or pseudonymity (APP 2): for general enquiries that do not involve a specific claim, you may interact with us anonymously or under a pseudonym, where it is lawful and practical to do so.
• •Right to request deletion: you may ask us to delete your personal information where it is no longer required for the purpose it was collected, subject to the legal record keeping obligations described in the Data Retention section.
• •Right to complain: if you are not satisfied with the way we have handled your information, you can complain to us first and then escalate to the Office of the Australian Information Commissioner. The Complaints Process section explains both steps.

To exercise any of these rights, contact our Privacy Compliance Officer using the details in the Contact Us section. To protect your information, we may need to verify your identity before releasing or correcting records, and we may ask for proof of authority where you are acting on behalf of someone else.

During the scoping, repair, and completion of building works we capture imagery as part of our normal record keeping. This is a standard part of how Australian insurance repairers document a site, justify a scope of works to an insurer, and demonstrate quality at handover. We tell you about it up front so there are no surprises.

Types of imagery we capture

• •Photographs of damage, work in progress, and completed works.
• •Video walkthroughs taken on a phone or handheld camera to record the condition of a property at a particular point in time.
• •Drone footage of roofs, gutters, and external structures where access by ladder or scaffold is unsafe or impractical. All drone operations are conducted in accordance with Civil Aviation Safety Authority (CASA) regulations and are flown only by appropriately certified operators.

Purpose

Imagery is used to scope and quote the work, to justify the scope to your insurer, to brief the trades performing the work, to quality check the result, to support any future warranty or dispute resolution, and (in de identified or aggregated form) for internal training. Where we wish to use imagery for marketing, case studies, or testimonials we obtain separate written consent from the property owner first.

Minimising incidental capture

Wherever possible we avoid capturing identifying images of people, vehicle number plates, or features of neighbouring properties. Where incidental capture cannot be avoided, the relevant frames are restricted within the claim file or blurred before any wider use.

Storage and access

Imagery is stored in our internal claims management platform alongside the relevant claim file, with the same role based access controls described in the Data Security section. You can request a copy or deletion of imagery captured of your property through your access and correction rights described in Your Rights, subject to the retention obligations in the Data Retention section.

Sensitive information has a special status under the Privacy Act. It includes things like health information, disability information, racial or ethnic origin, religious beliefs, and membership of a trade union. Under APP 3.3 (collection of sensitive information), we may only collect sensitive information with your consent and where it is reasonably necessary for our functions, unless an exception in the Privacy Act applies.

For an insurance repairer in Victoria, the most common reasons we may need sensitive information are when an injury was caused by the insured event, when a household member has accessibility requirements that affect the design of the repair, or when a vulnerability indicator is relevant to how we communicate with you. We collect only what we need, we explain why we need it, and we do not retain it for longer than necessary.

Vulnerable customers commitment

We recognise that some customers come to us at the worst moment of their year. A house fire, a flood, a serious storm, or a burst pipe can be deeply traumatic. Customers may be grieving, displaced, financially stressed, experiencing family violence, living with a disability, supporting an elderly relative, or communicating in a language other than English.

• •Our staff are trained to recognise vulnerability and to handle these conversations with care, patience, and respect.
• •We offer alternative communication channels (phone, email, in person, or through a nominated representative) so that you can deal with us in the way that works for you.
• •We accept nominated authorised representatives, including family members, friends, financial counsellors, and family violence support workers, where you have authorised them to act on your behalf.
• •Where appropriate, we refer customers to specialist support services such as Lifeline, the Insurance Council of Australia disaster hotline, and Victorian community legal centres.

Our services and our website are intended for adults: property owners, insurers, loss adjusters, strata managers, tradies, and suppliers. We do not knowingly collect personal information from children under the age of 16. If you are a parent or guardian and you believe that your child has provided personal information to us, please contact our Privacy Compliance Officer and we will delete it as soon as we are able.

Our website contains links to third party websites operated by insurers, government bodies, suppliers, professional associations, and other organisations. We provide these links for convenience and reference only. We do not control those websites and we are not responsible for their content, security, or privacy practices. We recommend that you review the privacy policy of any third party website before submitting personal information to it.

The Notifiable Data Breaches scheme sits in Part IIIC of the Privacy Act 1988 (Cth) and applies to all Australian Privacy Principles entities. It requires us to assess any suspected breach of personal information and, where the breach is likely to result in serious harm, to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).

What we do if a breach is suspected

• •Contain: take immediate steps to limit the breach, prevent further unauthorised access, and preserve evidence.
• •Assess: investigate within 30 days whether the incident is an "eligible data breach" likely to cause serious harm.
• •Notify: if it is, notify affected individuals as soon as practicable and notify the OAIC using the prescribed form.
• •Remediate: identify the root cause, implement corrective controls, and update our incident response plan.

Notifications to affected individuals will describe the information involved, what has happened, what we are doing about it, and what steps you can take to protect yourself. Where contacting individuals directly is not practical, we will publish a notification on this website and take other reasonable steps to bring it to your attention.

If you have a concern about how we have handled your personal information, we want to know about it. Most issues can be sorted out quickly when you bring them to our attention. The steps below describe a clear path from initial contact through to external escalation if needed.

Step 1. Contact us first

Email [email protected] or write to the Privacy Compliance Officer at our registered office (see Contact Us). Include enough detail for us to identify the issue, the information involved, and the outcome you are seeking. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.

Step 2. Internal escalation

If you are not satisfied with our initial response, you may ask for the matter to be reviewed by our Director. The Director will review the file independently and respond within a further 30 days.

Step 3. External escalation

If you remain unsatisfied, you can complain to the Office of the Australian Information Commissioner (OAIC), which is the independent regulator for the Privacy Act. The OAIC can investigate and make findings about how organisations handle personal information.

We may update this Privacy Policy from time to time to reflect changes in the law, our practices, or the technology we use. Material changes will be notified by updating the "Last updated" date at the top of this page and, where the change is significant, by direct notice to affected individuals or by a clear notice on this website. The current version is always available at oxideconstruct.com.au/privacy. Your continued use of our services or website after a change means that you accept the updated policy.