This Privacy Policy explains how Grid (operated by Rizwan Meghani, hereafter "we", "us", or "Grid") collects, uses, stores, and shares information when you use the Grid mobile application, web application, and related services available at gridops.com.au (collectively, the "Service").
By using Grid, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
1. Who we are
Grid is an all-in-one operations platform for cafés, restaurants, and quick-service venues. Grid is provided by Rizwan Meghani, an individual operating from Australia. Contact details are in section 14 below.
2. Information we collect
2.1 Information you give us
- Account information: name, email address, phone number (optional), password, and profile photo (optional).
- Business information: business name, address, ABN or business number (optional), trading hours, timezone, and business settings you configure.
- Employee records: if you are a business owner or manager, you may upload employee data including names, emails, dates of birth, employment type, classifications, pay rates, tax file numbers (if entered for Xero sync), and emergency contacts.
- Authentication credentials: 4-6 digit PIN codes used for in-store clock-in. PINs are stored securely and used only to verify identity at a shared in-store device.
- Time and attendance data: clock-in and clock-out times, breaks, rostered shifts, leave requests, and acknowledgements.
- Operational content: tasks, checklists, inventory counts, delivery records, wastage logs, training progress, feedback, vouchers, and job applications you create or upload.
- Communications: messages, posts, and reactions you create in Grid's in-app chat ("Space") feature.
- Photos and files: images and documents you upload for tasks, deliveries, inventory, training, or other features.
- Financial data: when connected to Square or Xero, sales totals, transaction summaries, employee earnings, and pay run data flow through Grid.
2.2 Information we collect automatically
- Device information: device model, operating system version, app version, language, and unique device identifiers.
- Usage data: features used, pages viewed, errors encountered, and approximate time spent in the app, collected via Firebase Analytics and Crashlytics.
- Push notification tokens: a unique device token issued by Apple (APNs) or Google (FCM) so we can send you push notifications you have opted into.
- IP address: recorded by Firebase services for security and abuse detection.
- Local storage: the app stores small amounts of data on your device (such as your current business ID, in-store mode flag, and cached personal identifiers) so it can function offline and load faster on return visits.
2.3 Location data
Grid does not collect your real-time GPS location. When you set up a business, you enter a street address; we send what you type to Google Places API for address autocomplete and to Google Time Zone API to determine your business's timezone. We do not request precise device location permission.
2.4 Children
Grid is not intended for use by children under 16. We do not knowingly collect personal information from anyone under 16 without verifiable consent from a parent, guardian, or employer (in the case of legally employed young workers above 13 in Australia, where employee records may include date of birth for award-rate calculation under the Fair Work Act). If you become aware that a child under 16 has provided us with personal information without appropriate consent, please contact us so we can delete it.
3. How we use information
We use the information we collect to:
- Provide and maintain the Service, including rostering, time tracking, payroll calculations, inventory management, and team communication.
- Authenticate users, enforce role-based access (owner, manager, supervisor, staff), and detect unauthorised access.
- Send transactional emails (account confirmation, password reset, staff invitations) via our email provider, Resend.
- Send push notifications you have opted into (shift reminders, message alerts, task assignments, etc.).
- Calculate award-compliant pay rates under the Fair Work Act using your business's award code, employee classification, employment type, and date of birth.
- Generate AI-powered insights (sales forecasts, staffing recommendations, AI chat answers) using third-party large language models — see section 4.
- Sync data with third-party services you explicitly connect (Square, Xero, Fresho, Opera Foods, Markris Foods, etc.) — see section 4.
- Diagnose technical issues, prevent fraud, and improve the Service through aggregated, anonymised usage analytics.
- Comply with legal obligations including Fair Work record-keeping requirements (which require retention of pay records for seven years).
4. Third-party services
Grid relies on the following third-party services. Each operates under its own privacy policy.
4.1 Infrastructure and core services
- Google Firebase (Google LLC): hosts our database (Firestore), authentication, file storage, cloud functions, push notifications, analytics, and crash reporting. Data is stored on Google Cloud servers, primarily in the United States. See Google's Privacy Policy.
- Google App Check (reCAPTCHA Enterprise): verifies that requests come from a legitimate Grid client. Collects anonymised device signals.
- Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM): delivers push notifications you have opted into.
4.2 Optional integrations (only when you connect them)
- Square, Inc.: if you connect Square as your point-of-sale, we read sales totals and item-level transaction summaries. See Square's Privacy Notice.
- Xero Limited: if you connect Xero for payroll, we read employee records and earnings rates, and push timesheet data to Xero on your instruction. See Xero's Privacy Notice.
- Fresho, Opera Foods (Neto/Sana Commerce), Markris Foods: if you connect a supplier integration, we send your order data to the supplier's ordering system.
4.3 AI services
- Anthropic, PBC (Claude): we send relevant business context (sales data, roster data, your typed question) to Claude's API to generate AI insights and chat answers. Anthropic does not train its models on your data when its models are accessed via the API. See Anthropic's Privacy Policy. You should not share customers' personal information, medical information, or sensitive personal data with Grid's AI features.
4.4 Communications and content
- Resend (Resend, Inc.): sends transactional emails on our behalf (from admin@gridops.com.au). Receives recipient email address and message content.
- Bunny.net: delivers training videos via CDN. Receives requesting IP address and basic delivery metrics; does not collect personal information about viewers.
- Google Maps Platform (Places + Time Zone APIs): autocompletes business addresses you type and detects your business's timezone. Google receives the address string.
- WeatherAPI.com: looks up historical and forecast weather for your business's location to power AI insights. Receives your business's latitude/longitude.
4.5 Future planned integrations
We may add further integrations, such as other accounting platforms, supplier-ordering systems, or payment processors. Where an integration meaningfully changes what data is shared, we will update this policy before the integration is enabled.
5. How we share information
We do not sell your personal information.
We share information only in the following limited circumstances:
- Within your business: data you create as a member of a business is shared with other authenticated members of that business according to their role. For example, owners and managers can view all staff timesheets; staff can view only their own pay information.
- With third-party services you connect: as described in section 4.
- With service providers: infrastructure and platform providers (Firebase, Apple, Google, Resend, etc.) who process data only on our instructions.
- For legal reasons: if required by law, court order, or to protect rights, safety, or property.
- In a business transfer: if Grid is acquired, merged, or its assets transferred, your data may transfer to the acquirer subject to this policy.
6. Data retention
We retain your information for as long as your account is active. Specifically:
- Account and profile data: kept until you delete your account.
- Payroll, timesheet, and pay-rate history: retained for at least seven (7) years after the relevant pay period, to comply with Fair Work record-keeping obligations under Australian law. This retention applies even after account deletion in cases where you were employed under a business owner who must keep these records.
- Messages and chat content: retained until manually deleted by the author or as part of business deletion.
- Uploaded photos and files: retained until manually deleted or as part of business deletion.
- Aggregated analytics data: retained indefinitely in anonymised form.
- Backups: Firestore backups are retained for 30 days. Deleted records may persist in backups for up to 30 days after deletion.
7. Security
- All data is encrypted in transit (HTTPS / TLS) and at rest on Firebase servers.
- Authentication uses industry-standard Firebase Authentication with bcrypt-hashed passwords and short-lived ID tokens.
- Access to data is enforced server-side by Firestore Security Rules and Cloud Function authorisation checks, scoped to the user's role within their business.
- PIN codes for in-store clock-in are stored alongside the employee record and used only to verify identity at a shared device.
- App Check (reCAPTCHA Enterprise on web, Play Integrity on Android, DeviceCheck on iOS) protects our backend from abuse.
- Session tokens expire after 12 hours of inactivity.
- We maintain daily encrypted backups with 30-day retention.
No system is perfectly secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.
8. International data transfers
Grid is operated from Australia, but our infrastructure provider (Google Firebase) stores data primarily in the United States. By using Grid, you acknowledge that your data may be transferred to and processed in the United States and other countries where Google Cloud operates data centres. These jurisdictions may have different data protection laws than your country of residence.
9. Your rights
Depending on your location, you may have rights under data protection laws including the Australian Privacy Act 1988, the EU GDPR, the UK GDPR, or the California Consumer Privacy Act (CCPA). These rights may include:
- Access: view the personal information we hold about you. Most of this is visible directly in the app under Profile and the relevant feature pages.
- Correction: update inaccurate information. You can edit most of your data directly in the app, or contact us.
- Deletion: request deletion of your account. You can delete your account from Profile → Account. Some data must be retained under section 6 (Data retention).
- Data export: request a copy of your personal information in a portable format.
- Restrict processing: ask us to limit how we use your data in specific situations.
- Object: object to processing based on our legitimate interests.
- Withdraw consent: where processing is based on consent, you may withdraw it.
- Complain: lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.
To exercise any of these rights, contact us at the email address in section 14.
10. Cookies and local storage
The Grid web application uses browser local storage (not traditional cookies) to remember your business ID, in-store mode preference, and cached UI state. The mobile application uses equivalent on-device storage. Firebase services may set their own cookies on the web version for authentication and security. You can clear this data at any time via your browser or device settings, but doing so will sign you out and clear cached preferences.
11. Push notifications
Grid sends push notifications for events such as shift reminders, new messages, task assignments, leave-request responses, and acknowledgement reminders. You can opt out at any time:
- iOS: Settings → Notifications → Grid → toggle off.
- Android: long-press the Grid app icon → App Info → Notifications → toggle off.
- Per-category preferences can be configured in Profile → Notifications inside the app.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you in-app or by email if the change is significant.
- Where required by law, obtain your consent before applying the change to data already collected.
Continued use of the Service after a policy change indicates acceptance of the updated policy.
13. Account deletion
You can permanently delete your Grid account by going to Profile → Account → Delete account within the app. Account deletion:
- Removes your user profile, email, phone, profile photo, and authentication credentials.
- Removes your access to all businesses you are a member of.
- Anonymises or removes your authorship of messages, posts, and tasks where retention is not legally required.
- Does not remove payroll, timesheet, or pay-rate records that the business owner is required to retain for seven years under Fair Work record-keeping rules — these remain in the business owner's records, with your name attached as it was at the time of work.
- Removes derived data (cached personal preferences, push notification tokens) within 30 days, except in encrypted backups which expire after 30 days.
14. Contact us
If you have questions about this Privacy Policy, want to exercise your rights, or need to report a privacy concern, please email us. We aim to respond within 5 business days.