Privacy Policy · Lacroo Pro

Lacroo Technologies Pty Ltd ("Lacroo", "we", "us", or "our") operates the Lacroo Pro platform, comprising the web application at app.lacroo.ai, mobile applications published on the Apple App Store and Google Play Store, and the supporting API at api.lacroo.ai (together, the "Service"). This Privacy Policy describes what personal data we collect, how we use it, who we share it with, and the rights you have.

Lacroo Pro is a business-to-business construction management tool used by head contractors, supervisors, engineers, field workers, and suppliers. Most data flowing through the Service is operational project data (plant records, dockets, diaries, sign-ons, photos, timesheets) contributed by authenticated users performing their work tasks.

1. What data we collect

1.1 Account and identity

Name, email address, and optional profile photograph — collected when your employer (or a supplier you work for) invites you to the Service.
Role assignment (admin, engineer, supervisor, operator, field worker, client, supplier) and project memberships — assigned by your organisation's administrators.
Single sign-on (SSO) identifiers from Microsoft Entra if your organisation uses Entra for authentication.
Login credentials (stored as hashed secrets — we never see your plaintext password) and session tokens issued by Better Auth.

1.2 Operational project data

Project information: names, stages, cost codes, budgets, schedules, custom fields defined by your organisation.
Daily shift data: prestart briefings, sign-ons, diaries, dockets, activities, comments, and attached files.
Plant and equipment records: make, model, serial numbers, operator assignments, hire periods, meter readings.
Photographs uploaded from the mobile app or web app, including embedded metadata (EXIF) such as camera model, capture timestamp, and GPS coordinates when device location services are enabled.
Voice transcriptions (when you use the voice-to-diary feature) — audio is sent to OpenAI Whisper for transcription and discarded immediately after processing; only the transcript text is retained.

1.3 Device and usage data

Device information: device model, operating system version, application version, language preference, and time zone.
IP address, general geographic region, and user-agent string, collected via standard server logging.
Approximate or precise geolocation when the mobile app has been granted location permission by the operating system, used for photo tagging and optional site check-in features. We never request location in the background.
Camera access on the mobile app — used to capture photos of site conditions, QR codes (for shift sign-ons), and delivery documentation. The camera feed is never streamed off-device; only photos you choose to capture are uploaded.
Microphone access on the mobile app — used only when you initiate voice-to-diary transcription. Audio is uploaded for transcription and then deleted.
Performance traces, error reports, and activity logs (through Sentry and Axiom) used to diagnose issues and improve reliability.

1.4 Data we do NOT collect

Biometric data (fingerprints, face scans).
Payment card numbers (billing is invoiced; we do not process cards in-app).
Health, medical, or genetic data.
Contacts, calendar entries, or SMS/call logs from your device (the app does not request those permissions).
Data for advertising or behavioural-advertising purposes.

2. How we use your data

Providing the Service: authenticate you, associate your actions with the correct organisation and project, render the UI, store your contributions, and synchronise across devices.
Security and fraud prevention: detect suspicious activity, enforce tenant isolation, maintain audit logs, and investigate incidents.
Reliability and performance: diagnose errors via Sentry and Axiom, optimise query and rendering paths, and guide product improvements.
Compliance and record-keeping: retain project records for the periods required by Australian construction law, workplace health and safety regulations, and our customer contracts.
Communications: transactional email (password resets, invitations, alerts) via Postmark. We do not send marketing email through the Service unless you have separately opted in.

3. Legal bases for processing

Under Australian privacy law, the GDPR (where applicable), and similar regimes:

Performance of a contract between Lacroo and the organisation that licenses the Service for you.
Legitimate interests in operating, securing, and improving the Service.
Legal obligations including construction-industry record retention.
Consent for optional features (e.g. device location) which you can withdraw at any time via your device settings.

4. Who we share data with

We share data only as necessary to deliver the Service. Lacroo does not sell personal data. Our sub-processors:

Vercel Inc. (USA): hosts the web and documentation front-ends, edge caching, deployment infrastructure.
Fly.io (USA, Sydney region): hosts the Go API and background workers.
Neon (AWS ap-southeast-2, Sydney): managed PostgreSQL database where all customer data is stored. Data residency remains in Australia.
Upstash (ap-southeast-2, Sydney): managed Redis for caching and queue coordination.
Cloudflare R2: object storage for uploaded photos and files.
Sentry (USA): error monitoring. Sensitive payload fields are redacted before leaving our backend.
Axiom (USA): log aggregation for observability. Sensitive payload fields are redacted before leaving our backend.
OpenAI (USA): voice-to-diary transcription via the Whisper API, used only when you initiate the feature. Audio is not retained by OpenAI under our API configuration.
Google Maps Platform: reverse geocoding of photo GPS coordinates to addresses.
Postmark: transactional email delivery.
Microsoft Entra: single sign-on (only if your organisation uses Entra).
Apple and Google: mobile app distribution, including crash reporting from device operating systems.
Temporal Technologies: durable workflow infrastructure for background job coordination (hosted by Lacroo on Fly.io).

We also disclose data when required by law, to respond to lawful government requests, or to protect the rights, property, or safety of Lacroo, our users, or the public.

5. Where your data is stored

Primary storage (database, file storage, API compute) is located in Sydney, Australia. Some sub-processors (Vercel, Sentry, Axiom, OpenAI, Postmark) route traffic through servers located in the United States and other regions. Where cross-border transfer occurs, we rely on contractual safeguards (Standard Contractual Clauses, data processing agreements, and the sub-processor's own certifications) to protect your data.

6. Data retention

Operational project data is retained for the life of your organisation's subscription plus the statutory retention period (typically seven years for construction records in Australia). Audit logs are retained for seven years. When your organisation ends its subscription, we provide an export option and permanently delete your data within 90 days of confirmed termination, unless longer retention is required by law.

Individual users: your user record persists as long as you remain a member of at least one organisation using Lacroo Pro. You may request deletion of your individual identity data (name, email, profile photograph) at any time by contacting privacy@lacroo.ai. Project contributions made while you were active are retained under your organisation's ownership.

7. Your rights

Depending on your location, you have the right to:

Access the personal data we hold about you.
Correct or update inaccurate data.
Request deletion of your personal data (subject to retention obligations described in section 6).
Receive an export of your personal data in a structured, machine-readable format.
Object to or restrict certain processing.
Withdraw consent for optional features (location, voice transcription).
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or your local data protection authority.

To exercise any right, email privacy@lacroo.ai. We respond within 30 days.

8. Security

We operate under a Zero Trust security model: all requests between your client and our servers are authenticated; database queries are strictly tenant-scoped; secrets are held in platform key vaults and rotated regularly. Data is encrypted in transit (TLS 1.3) and at rest (provider-managed encryption). Access to production systems is limited to authorised engineers, logged to immutable audit trails, and reviewed regularly. Despite these controls, no system is absolutely secure. If you believe you have identified a vulnerability, please email security@lacroo.ai.

9. Children's privacy

Lacroo Pro is intended for professional use in construction by users aged 18 or older. We do not knowingly collect data from children under 18. If we learn we have inadvertently collected such data, we will delete it.

10. Mobile app permissions

The Lacroo Pro mobile application requests the following device permissions. Each permission is requested at runtime only when the user engages the corresponding feature; you may deny or revoke any of these in device settings at any time.

Camera: to capture site photos, scan QR codes for shift sign-on, and capture delivery documentation. Images are uploaded only when you choose to save or send them.
Photo library: to attach existing photos to diary entries or dockets.
Microphone: only when you initiate the voice-to-diary feature.
Location: to tag photos with GPS coordinates and support optional site check-in. Not accessed in the background.
Storage: to cache application data and offline-available records.

11. Changes to this policy

We may update this Privacy Policy as the Service evolves or as laws change. Material changes will be communicated by in-app notice and, where possible, email to active users at least 14 days before taking effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

12. Contact

Lacroo Technologies Pty Ltd
Email: privacy@lacroo.ai
Security disclosures: security@lacroo.ai
General enquiries: hello@lacroo.ai