MechOS
⚠ DRAFT — this page is a placeholder. Final Privacy Policy is being prepared. Not legally binding in this form.

Privacy Policy

Version draft-0.1 · Effective TBD (placeholder)

1. Who we are

MechOS is operated by MechOS Pty Ltd (ABN 80 698 552 706). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

2. What information we collect

We collect two distinct categories of information:

Customer Data — information you enter into MechOS about your workshop and its customers:

  • Workshop details (business name, ABN, address, contact info)
  • Staff details (name, role, email, assigned jobs)
  • Your customer records (name, phone, email, vehicle details, service history)
  • Financial records (invoices, estimates, payments, expenses)

Account Data — information about your use of MechOS:

  • Login email address and hashed password
  • IP address and user agent on login (for security + audit)
  • Subscription and payment details (processed by VenueSmart — we store only the last 4 digits + a token)

3. How we use it

We use your information to:

  • Provide the MechOS service to your workshop
  • Send operational emails (invoices on your behalf, service reminders, password resets)
  • Bill your subscription
  • Investigate security incidents (see Section 7)
  • Meet our legal obligations under Australian law

We do not sell your data. We do not use Customer Data for advertising or profiling.

4. Third parties we share with

We share information only with service providers necessary to operate MechOS:

  • Supabase (AU region) — database + authentication hosting
  • Vercel (US region) — web application hosting
  • Resend (Tokyo region) — email delivery
  • Anthropic (US region) — AI-powered invoice scanning (only PDF content you upload; no customer records)
  • VenueSmart / Optty / Fat Zebra (AU) — EFTPOS card payment processing for your customers
  • Stripe (AU/US) — your MechOS subscription billing only (not your customers' payments). Your subscription card details are stored by Stripe directly; we never see them.
  • Sentry (US region) — error monitoring. Stack traces and request paths only; PII is scrubbed before send.

Some of these providers are located overseas (specifically, Vercel and Anthropic in the USA). We take reasonable steps to ensure they handle your information in accordance with the Australian Privacy Principles.

5. Where your data is stored

Primary data (your workshop records) is stored in Supabase's Tokyo region (ap-northeast-1). Email delivery is also Tokyo. Application hosting is on Vercel's global edge network. Backup snapshots are retained for 7 days.

6. How we keep it secure

  • Encrypted in transit (HTTPS) and at rest (AES-256 on Supabase).
  • Row-Level Security enforces that your workshop's data can only be read by your staff.
  • Storage paths are namespaced per workshop so even public URLs are unguessable.
  • All administrator actions are logged to an append-only audit trail.
  • We do not store your customers' credit card numbers. Payments go through VenueSmart's PCI-DSS compliant system.
  • Independent security review and penetration testing scheduled annually.

7. Data breach procedure

If we become aware of a data breach that poses a risk of serious harm, we will:

  • Contain the breach within 24 hours of detection.
  • Notify affected workshops by email within 72 hours.
  • Notify the Office of the Australian Information Commissioner (OAIC) within 30 days.
  • Provide a post-incident report including root cause and remediation.

See our Incident Response Plan (available on request to customers and regulators) for full procedures.

8. Your rights

You have the right to:

  • Access the personal information we hold about you — from Settings → Download My Data (export), or by emailing privacy@getmechos.com.au.
  • Correct incorrect information — edit in the app or email us.
  • Delete your data — from Settings → Delete Organization. 30-day grace period then permanent deletion.
  • Complain to us or to the OAIC if you believe we've mishandled your information.

9. Retention & what happens when you delete your account

We keep Customer Data for the life of your subscription. When you delete your organisation from Settings → Delete Organization, the following happens:

  • Immediately: your workshop is hidden from all logins. Staff lose access. Your Stripe subscription is scheduled to end at the close of the current billing period — no further charges.
  • For 30 days: a grace period during which the owner can cancel the deletion and recover the workshop. Your data sits idle but is not used by us for any purpose during this window.
  • After 30 days: permanent deletion. We hard-delete every database row tied to your workshop (clients, vehicles, invoices, estimates, expenses, bookings, inspections, photos, audit trails — all of it), every stored photo or inspection report image, and your Stripe subscription is fully cancelled. If the deleted workshop was the only one tied to your login, your login account itself is also deleted at this point.
  • Encrypted backups retain a copy for 7 days after deletion as a disaster-recovery safety net, then are destroyed.

What we keep after deletion (and why):

  • A single system-level audit row — date of deletion, workshop name, slug — for our own compliance recordkeeping. Held in a separate table that does not contain any customer records, only the fact that the deletion occurred.
  • Your Stripe customer record remains in Stripe's own systems (not ours) under their retention policy. Australian tax law (ATO) requires transaction records to be kept for 7 years; that obligation rests with Stripe as the payment processor of record.
  • Aggregate, de-identified usage statistics (e.g. "MechOS had 14 active workshops in May 2026") with no workshop-identifying information.

Export before you delete. Use Settings → Download My Data to grab a JSON export of everything we hold for your workshop. After the 30-day grace window closes, the data is gone and we cannot retrieve it from backups for you.

10. Cookies & analytics

MechOS uses essential cookies required for authentication (sessions). We do not use third-party advertising cookies. We may use privacy-respecting analytics (such as Plausible or PostHog) to understand feature usage; these are disclosed on request and do not identify individual users.

11. Children

MechOS is designed for automotive workshops. We do not knowingly collect information from children under 16.

12. Changes to this policy

We may update this policy from time to time. For material changes we will notify account holders by email at least 14 days before they take effect.

13. Complaints & contact

Privacy questions: privacy@getmechos.com.au
Formal complaints: legal@getmechos.com.au
External escalation: Office of the Australian Information Commissioner, oaic.gov.au

Replace this draft with the final document from LegalVision/Sprintlaw before public signup opens. Update PRIVACY_VERSION in this file to match.