SiteLeads Privacy Policy

Last updated: 22 May 2026

This Privacy Policy describes how Longtek Pty Ltd (ABN 37 670 334 451) of 35 Market Street, South Melbourne VIC 3205 ("SiteLeads", "we", "us", "our") collects, holds, uses and discloses personal information when you use the SiteLeads website at www.siteleads.com.au, the SiteLeads mobile application, and any related services we provide (collectively, the "Service").

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using the Service you consent to the collection, use and disclosure of your personal information as set out in this policy.

1. Information we collect

We collect the following categories of personal information directly from you and through your use of the Service.

1.1 Account and identity information

Full name, email address, phone number and postal/business address.
Account credentials (hashed password, multi-factor tokens).
Google account identifier and email if you sign in with Google.
Date you joined and last sign-in metadata.

1.2 Business and verification information

Business or trading name, ABN/ACN.
Industry, job categories, work areas/service locations.
Identity verification documents you upload, including driver's licence or other government ID, occupational licences, professional certifications, and insurance certificates of currency.
ABN status checks via the Australian Business Register and similar public registries.
SMS verification of your mobile number.

1.3 Profile and content

Profile photo, biography, portfolio projects and images, listed services, and pricing or terms you choose to publish.
Messages and other content you submit through the Service.

1.4 Transaction and credits information

Records of credit packs purchased, credits consumed, leads unlocked or revealed, and verification reveals performed.
Payment metadata returned to us by Stripe (last 4 digits of card, brand, country, billing postcode, Stripe customer ID). We do not store full card numbers, CVV or full PANs. All card data is collected and processed directly by Stripe, our PCI-DSS compliant payment processor.
Invoice/tax records we are required to keep.

1.5 Lead and search data

Locations, suburbs, brand names, filters and queries you submit, the leads you view or unlock, and saved searches.
Inferences derived from your activity, such as recommended sites or suburbs and brand-fit scores.

1.6 Device, technical and usage data

IP address, device identifier, operating system, app version and language, time zone, crash logs and diagnostic data.
Location data, including approximate geolocation derived from your IP address and, where you grant the permission, precise location from your device's GPS or location services. We use location data both to power the feature that requested it and, in line with §3.2 and §3.3, to personalise the Service and to improve our recommendation, scoring, ranking and analytics models.
Service usage logs, including page/screen views, feature use, WebSocket session metadata, and audit log entries for sensitive actions.

1.7 Cookies and similar technologies

On the website we use first-party cookies and local storage for authentication, session management, security (CSRF protection), and to remember your preferences. We use a small set of analytics cookies to understand aggregate usage. You can disable cookies in your browser but parts of the Service will not function without them. The mobile app uses local secure storage instead of browser cookies.

1.8 Information from third parties

Identity attributes returned by Google when you use Google Sign-In (name, email, Google account ID, profile picture).
Public information from the Australian Business Register, planning authorities, and councils that we match against your account (for example, ABN validation).

We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected such information, we will delete it.

2. Information about other people that appears on the Service

SiteLeads surfaces information about development applications (DAs) and other planning records published by Australian local councils and state authorities. This may include the names, business names, ABNs, addresses, phone numbers or email addresses of applicants, architects, planners, landowners, builders, traffic engineers, arborists, surveyors, acoustic consultants and other professionals named in a publicly lodged DA.

That information is sourced from publicly available council planning registers and is presented to authorised SiteLeads users to support legitimate commercial property research and outreach. Where we display this information:

We act as a handler of information that is already in the public domain via official council registers.
Where the information is personal information under the Privacy Act, we rely on the APPs and on the lawful collection of that information from the public registers in which it has been published by the relevant council.
We apply technical controls (such as server-side blurring of applicant names and contact details until a user uses a credit to "reveal") to reduce unnecessary disclosure.
If you are an individual named in a DA and you wish to query how your information is being shown, contact us at info@siteleads.com.au and we will respond within 30 days.

3. How we use your information

We use personal information for the purposes set out below. These purposes form part of our primary purpose of collection, and by using the Service you acknowledge and consent to them.

3.1 Operating the Service

Create and manage your SiteLeads account and authenticate you.
Provide the core Service: searching, scoring, ranking and recommending sites and leads, displaying and unlocking lead content, processing credit purchases, running verification flows, messaging, and delivering notifications.
Verify your identity, ABN, occupational licences and insurance, and operate the signup-bonus / verified-professional program. (Identity-verification documents — government ID, licence and insurance documents — are used only for verification, fraud prevention and re-verification, and are not used for the model-training or aggregated-insights purposes in §3.3 and §3.4.)
Process payments via Stripe and reconcile credit balances.
Send transactional communications.
Provide customer support.
Comply with our legal obligations, enforce our Terms of Service, prevent prohibited use, and protect our rights and the rights of others.

3.2 Personalising the Service for you

We use information about you — including your location (IP-derived and, where you grant the permission, precise GPS), your searches, filters, saved views, leads you view or reveal, messages and message metadata, the brands and sectors you follow, your engagement patterns, and inferences we make from any of the foregoing — to personalise the Service for you. This includes:

ranking, filtering and recommending leads, sites, suburbs, brands and contacts;
generating brand-fit, site-quality and other scores;
pre-filling or suggesting search criteria;
choosing which notifications, prompts and in-app content you receive;
choosing which marketing and promotional content you see (where you have opted in to marketing).

3.3 Building, training and improving models, algorithms and products

We use information collected through the Service — including account and business attributes, location data, search and engagement behaviour, lead-view and lead-reveal patterns, scoring inputs and outputs, messaging metadata, error and crash logs, and data derived or inferred from any of the foregoing — to:

design, build, train, test, evaluate, fine-tune and improve the Service's recommendation, ranking, scoring, search, classification, valuation, fraud-detection and other algorithms and machine-learning models, including large language models and other AI systems we use internally;
monitor and improve the performance, accuracy and quality of the Service;
conduct research and analytics about how the Service is used, what leads convert, and which features create value;
prototype, test and launch new features and products.

Where reasonably practicable we use de-identified, pseudonymised or aggregated data for these purposes. Where personal information is used, we apply access controls limiting use to authorised personnel and contractors bound by confidentiality obligations.

3.4 Aggregated and de-identified data and insights

We create aggregated, statistical, pseudonymised and de-identified datasets, models, embeddings, indexes and insights from information collected through the Service (for example: anonymised demand heatmaps by suburb, brand-gap reports, market activity benchmarks, conversion analytics, scoring model weights). Once data has been aggregated or de-identified such that it no longer reasonably identifies an individual, it is not personal information under the Privacy Act 1988 (Cth), and we may:

use, retain, copy, modify, combine with other data, and create derivative works from it;
publish, license, sell or otherwise commercialise it (including in the form of reports, dashboards, data feeds, APIs, embedded scores and model outputs) to councils, real-estate operators, brands, investors, researchers, advertisers and other third parties; and
retain it indefinitely,

without further notice to you, and without payment to you. We will not attempt to re-identify de-identified data and we will require recipients of de-identified data not to attempt re-identification.

3.5 Marketing

Where you have opted in (or where we are otherwise permitted under the Spam Act 2003 (Cth)) we send marketing emails, SMS and in-app prompts about new features, leads, brands and offers. Marketing may be personalised based on §3.2. You can opt out at any time using the unsubscribe link or your account settings; we will retain a suppression record so we can honour your opt-out.

3.6 Algorithmic ranking and automated decisions

The Service relies on algorithmic ranking, scoring and recommendation. These are decision-support outputs, not automated decisions that produce legal or similarly significant effects on you. Where we make a decision that materially affects your account (for example suspending a verification, denying a refund) a human is involved.

4. When we share your information

We share personal information only in the following circumstances.

4.1 With other SiteLeads users

Your published profile (name or trading name, photo, business details, work areas, portfolio) is visible to other SiteLeads users in order to facilitate the marketplace. You control what you publish in your profile. Information that is not part of your published profile (for example your account email, phone number or uploaded verification documents) is not shown to other users.

4.2 With our service providers

We disclose information to vendors that help us run the Service, under contract and on the basis they only use the information for SiteLeads' purposes. Current key providers include:

Provider	Purpose	Data location
Amazon Web Services (AWS)	Hosting, databases (RDS), file storage (S3), email delivery	Sydney (`ap-southeast-2`)
Stripe Payments Australia Pty Ltd	Payment processing for credit packs	Australia / United States
Supabase	Auxiliary database for commercial listings	Singapore / EU (region as configured)
Google LLC	Google Sign-In (OAuth)	Global
SMS / messaging provider	One-time codes for phone verification	Australia
Email delivery provider	Transactional and marketing emails	Australia / United States

Some of these providers may store or process data outside Australia. Where we transfer personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs.

4.3 With professional advisers

We may disclose information to our auditors, accountants, insurers and lawyers as reasonably required.

4.4 With authorities and in legal processes

We may disclose information where required or authorised by law, including in response to a lawful subpoena, court order, search warrant or regulator request, and where reasonably necessary to protect the safety, rights or property of SiteLeads, our users or the public.

4.5 In a corporate transaction

If we sell, merge or transfer all or part of our business, customer data may be transferred as part of that transaction. We will require the recipient to honour this Privacy Policy.

4.6 With your consent

We will share personal information for any other purpose where you have consented to that disclosure.

4.7 Aggregated and de-identified data

As described in §3.4, we create aggregated, statistical and de-identified data from information collected through the Service. That data is not personal information under the Privacy Act and we may use, publish, license, sell or otherwise share it with any third party (including councils, brands, real-estate operators, advertisers, researchers and commercial partners) for any purpose, without further notice to you.

We do not sell information that identifies you as an individual.

5. Where we store data

The Service's primary infrastructure is hosted in AWS Sydney (ap-southeast-2). Backups, logs and certain third-party services may store or process data outside Australia (see §4.2). By using the Service you consent to the transfer of your personal information to those locations.

6. How long we keep your information

Account profile and authentication data: while your account is active, and then for up to 12 months after closure to support reactivation and dispute resolution.
Identity verification documents (ID, licences, insurance): for the duration of your verification status, plus the period required by our verification policy (currently 24 months) for re-verification and fraud prevention.
Transaction, invoice and credit-ledger records: at least 7 years from the date of the transaction to meet Australian Taxation Office and Corporations Act 2001 record-keeping requirements.
Server logs, security and audit logs: typically 90–365 days, longer where required for an active investigation or legal claim.
Marketing preference data: until you unsubscribe, plus a suppression record so we honour the unsubscribe.

We will delete or de-identify personal information when we no longer need it for any lawful purpose.

De-identified, aggregated, statistical and derived data (including model weights, embeddings, training datasets and analytics outputs built from your activity) may be retained indefinitely, including after you close your account, because it is no longer personal information under the Privacy Act.

7. Security

We use a combination of technical and organisational measures to protect personal information, including:

TLS encryption in transit and AES-256 encryption at rest for databases and S3 buckets.
Hashed passwords (bcrypt/PBKDF2) and JWT-based session tokens.
Role-based access controls, audit logging of sensitive actions, and least-privilege IAM policies on cloud resources.
Server-side blurring of sensitive applicant details until the user spends a credit to reveal them.
Regular dependency updates, security review of changes, and monitoring for anomalous activity.

No method of internet transmission or electronic storage is completely secure. If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

8. Your rights

Under the Privacy Act and the APPs you have the right to:

Access the personal information we hold about you.
Correct information that is inaccurate, out of date, incomplete, irrelevant or misleading.
Withdraw consent for processing that is based on consent (this may limit the Service we can provide).
Opt out of marketing communications at any time using the unsubscribe link in our emails or by emailing us. We will still send you transactional and account messages.
Request deletion of your account and associated personal information, subject to (a) records we are required to retain by law (see §6), and (b) de-identified, aggregated and derived data, which is no longer personal information and which we may retain and continue to use under §3.4 and §6.
Complain to us about how we have handled your personal information.

To exercise any of these rights, email info@siteleads.com.au with enough detail to identify your account. We may need to verify your identity before acting on a request. We aim to respond within 30 days.

If you are not satisfied with our response, you can complain to the OAIC at www.oaic.gov.au or 1300 363 992.

9. Push notifications, email and SMS

If you enable push notifications, we send notifications about leads, account activity and service updates. You can disable push notifications in your device settings at any time.

We use email and SMS for:

Transactional messages — receipts, security alerts, verification codes, lead updates and account notices. You cannot opt out of these while your account is active because they are necessary to provide the Service.
Marketing messages — only where you have opted in (or where we are otherwise permitted under the Spam Act 2003 (Cth)). Every marketing email contains an unsubscribe link.

10. Children

The Service is not directed to children. You must be at least 18 years old (or the age of contractual capacity in your jurisdiction, if higher) to register for the Service. We do not knowingly collect personal information from children.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent change. If we make a material change we will notify you by email, by a notice in the app, or by another reasonable means before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact us

For privacy enquiries, access or correction requests, or complaints:

Longtek Pty Ltd (trading as SiteLeads) ABN 37 670 334 451 35 Market Street, South Melbourne VIC 3205 Email: info@siteleads.com.au