PRIVACY POLICY
Last updated: 16 April 2026
Look, we've gone a bit big on this document for where we are right now. T/X/Y/and/Z is currently one person, me, building a tool I think genuinely matters. This policy covers scenarios we haven't reached yet. It's written that way on purpose: you deserve to know exactly what happens to your data before you hand it over, not after something goes wrong.
A few things that matter most, before you read the detail.
Your data is yours. The checkpoint records you create, the product journeys you build, the compliance documentation you generate: that's yours. We store it. We protect it. We never sell it, share it commercially, or use it to train machine learning models. Not now. Not later.
We name every company we share data with. The list is below in Section 4. It's the infrastructure that makes the service run. No advertisers. No data brokers. No profiling.
We're straightforward when things go wrong. If something affects your data, we'll tell you specifically what happened and what we've done about it.
Questions about any of this: use our contact form.
TABLE OF CONTENTS
- What information do we collect?
- Why do we collect it?
- What legal basis do we rely on?
- Who do we share it with?
- Do we use cookies and tracking?
- Social logins
- International data transfers
- How long do we keep it?
- How do we protect it?
- Children
- Your privacy rights
- Do-Not-Track
- US residents
- Australian residents
- Do we update this policy?
- How to contact us
- How to access, update, or delete your data
1. WHAT INFORMATION DO WE COLLECT?
What you give us directly
Every person who uses T/X/Y/and/Z needs an account. That includes supply chain managers, field workers submitting checkpoints, and brand owners building chains. When you create an account and use the service, we collect:
- Your name
- Your email address
- Your phone number, if you provide it
- Your job title
- Your username and password, or your Google account credentials if you use social login
- Contact preferences
- GPS coordinates at the point of each checkpoint scan
That last one is the product. GPS-anchored checkpoints are what makes a T/X/Y/and/Z record verifiable. Without location data, checkpoint scanning doesn't work.
What we collect automatically
When you use the app or visit the website, our servers automatically record:
- IP address
- Device type, model, and operating system
- Browser type and version
- Which pages and features you used
- Date and time stamps
- Error reports and crash data
This technical data keeps the service running and helps us understand how it's being used. It doesn't identify you by name.
Location data
When you submit a checkpoint, we record the GPS coordinates of that scan. That's the verified record. You can disable location access in your device settings, but without it, checkpoint scanning won't work.
Payment data
If you subscribe to a paid plan, payments are handled by Stripe. We don't store your card number or security code. Stripe does. Their privacy policy is at stripe.com/au/privacy. We don't currently accept payments, but plan to soon.
Social login data
If you sign in with Google, we receive the profile information Google shares with us. Typically your name, email address, and profile photo. We use this only to create and manage your account.
Google API
Our use of information received from Google APIs follows the Google API Services User Data Policy, including the Limited Use requirements.
2. WHY DO WE COLLECT IT?
Here's exactly what we use your information for:
- Running your account. Creating it, keeping you logged in, keeping it secure.
- Delivering the service. Checkpoint scanning, chain building, QR code resolution. The service only works with the data that powers it.
- Responding to you. If you contact us with a question or a problem, we use your contact details to reply.
- Keeping you informed. Sending updates about the service, changes to these terms, or notices that directly affect your account.
- Processing payments. When payment is live, handling your subscription and billing.
- Protecting the service. Monitoring for fraud, abuse, and security threats.
- Legal obligations. Complying with applicable law when required.
We don't use your data for targeted advertising. We don't sell your data. We don't build profiles for commercial purposes beyond operating this product. We don't use your data or your supply chain records to train machine learning models. Ours or anyone else's.
3. WHAT LEGAL BASIS DO WE RELY ON?
If you're in the EU or UK
The GDPR requires us to name a legal basis for processing your data. Ours:
Contract. Processing that's necessary to deliver the service you've signed up for. If you create an account and submit checkpoints, we need to process that data to give you what you came for.
Consent. For any processing we've specifically asked for your permission on. You can withdraw consent at any time by contacting us.
Legitimate interests. Limited technical processing to keep the service secure and functional, where this doesn't override your rights.
Legal obligation. Where the law requires it.
If you're in Australia
We operate under Australia's Privacy Act 1988. This policy covers all required disclosures under the Act.
4. WHO DO WE SHARE YOUR INFORMATION WITH?
Only the providers we need to run the service:
| Provider | What they do |
|---|---|
| Google Cloud Platform / Firebase | Database, authentication, file storage |
| Cloud Firestore | Stores your account data and checkpoint records |
| Firebase Authentication | Manages your login |
| Google Sign-In | Social login |
| Stripe | Payment processing, when live |
| Web3Forms | Contact and waitlist form submissions |
Each provider is under a contractual obligation to handle your data lawfully.
We do not share your data with advertisers, data brokers, marketing platforms, or AI training datasets.
If T/X/Y/and/Z is sold or acquired, your data may transfer as part of that transaction. If that happens, we'll notify you before your data becomes subject to a different privacy policy.
Supply chain records you submit — checkpoint data, product journeys — may be visible to other users in your chain and to consumers scanning QR codes. That's the product. Your personal account information is never public.
5. DO WE USE COOKIES AND TRACKING?
We use cookies and similar technologies to keep you logged in, remember your preferences, and keep the service working.
We use Google Analytics to understand how the service is being used in aggregate. If you want to opt out, use the Google Analytics opt-out browser add-on.
We don't use tracking for advertising. No tracking pixels. No retargeting tools.
6. SOCIAL LOGINS
If you sign in with Google, we receive the profile information Google provides. Typically your name, email, and profile photo. We use this to create and manage your account. We don't control how Google collects or uses your data on their side. Their privacy policy covers that.
7. INTERNATIONAL DATA TRANSFERS
Our primary infrastructure is hosted in Australia via Google Cloud Platform. Some of our service providers operate globally, which means your data may be processed in other countries.
If you're in the EEA or UK: we handle international transfers using the European Commission's Standard Contractual Clauses. We can provide a copy on request.
8. HOW LONG DO WE KEEP YOUR INFORMATION?
We keep your personal information for as long as you have an account with us.
When you close your account, we delete or anonymise your personal information. The exception is where we're legally required to retain specific records, or where it's technically necessary to hold certain data in backup systems before it can be fully purged.
Supply chain checkpoint records may be retained beyond account closure where they form part of a compliance audit trail that another party in the chain has a legitimate ongoing need to access. We'll be transparent about this in your account settings when that feature is live.
9. HOW DO WE PROTECT YOUR INFORMATION?
We use technical and organisational security measures appropriate to the sensitivity of the data: encryption in transit, access controls, and infrastructure provided by Google Cloud Platform.
No system is 100% secure. We can't promise a breach will never happen. What we can promise: we take security seriously, we'll notify you promptly if a breach affects your personal data, and we won't downplay it.
10. CHILDREN
T/X/Y/and/Z is a business tool for adults. We don't knowingly collect data from anyone under 18. If you become aware that a minor has created an account, use our contact form and we'll delete it.
11. YOUR PRIVACY RIGHTS
Depending on where you live, you have some or all of the following rights:
- Access. See what personal information we hold about you.
- Correction. Fix inaccurate information.
- Deletion. Ask us to delete your data.
- Portability. Receive your data in a portable format.
- Restriction. Limit how we process your data.
- Objection. Object to certain types of processing.
- Withdraw consent. Pull back consent you've given, at any time.
To exercise any of these, use our contact form. We'll respond within 30 days.
If you're in the EEA or UK and believe we're processing your data unlawfully, you can complain to your national data protection authority or the UK ICO.
If you're in Switzerland, contact the Federal Data Protection and Information Commissioner.
If you're in Australia, you can lodge a complaint with the Office of the Australian Information Commissioner.
12. DO-NOT-TRACK
Most browsers include a Do-Not-Track setting. There's no agreed standard for how websites should respond to these signals. We don't currently respond to them. If that changes, we'll update this policy.
13. US RESIDENTS
If you live in California, Colorado, Connecticut, Virginia, or another US state with specific privacy legislation, you have rights under those laws, including the right to know what data we've collected, correct it, delete it, and opt out of any sale of your personal data.
We haven't sold any personal information to third parties. We don't use your data for targeted advertising.
To exercise your US state privacy rights, use our contact form.
California residents may request a list of any personal information we've shared with third parties for direct marketing purposes in the past year. We haven't done this. If you want written confirmation, ask.
14. AUSTRALIAN RESIDENTS
We operate under Australia's Privacy Act 1988. This policy covers all required disclosures: what we collect, where it comes from, what we use it for, and who we share it with.
If you choose not to provide information we need to run the service, we may not be able to deliver it. GPS location is required for checkpoint scanning. Email is required for account creation.
You have the right to access and correct your personal information at any time. Use our contact form.
If you believe we've breached the Australian Privacy Principles, you can lodge a complaint with the Office of the Australian Information Commissioner.
15. DO WE UPDATE THIS POLICY?
Yes. When we do, we'll update the date at the top of this page. If the changes are material, meaning they meaningfully affect how we use your data, we'll notify you directly by email before they take effect. You won't be surprised.
16. HOW TO CONTACT US
Contact form: txyandz.com/#contact
Post:
T/X/Y/and/Z
44 Albion Street
Sydney, New South Wales 2024
Australia
17. HOW TO ACCESS, UPDATE, OR DELETE YOUR DATA
Use our contact form and put DATA REQUEST in the message subject.
Tell us what you'd like: access, correction, deletion, or a copy of your data. We'll verify your identity and respond within 30 days.
You can also update most account information directly in your account settings.