Privacy Policy
CourtesyBus.app Privacy Policy
Last updated: July 13, 2026
1. Introduction
At CourtesyBus.app, operated under the registered business name COURTESY BUS APP (ABN 13 802 730 350), we are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This privacy policy explains how we collect, use, disclose, and protect your personal information when you use our fleet management platform.
CourtesyBus.app is a business-to-business (B2B) fleet management system that enables clubs and organizations to manage their courtesy bus operations. Our service is used by authorized staff members of clubs and businesses to manage their transportation fleet, bookings, and operations.
This policy also covers our Courtesy Bus Driver mobile application for iOS and Android. The Driver app is a companion to the platform: authorized drivers sign in with their existing staff account to view the runs and bookings assigned for the current day and to open turn-by-turn directions. Drivers can also update the status of their own run (for example, marking it "In Progress" or "Completed") and can optionally share their vehicle's live location with their organization's operators (see Section 10). Section 10 (Mobile Application) describes the app's specific data handling, on-device storage, and device permissions.
2. Personal Information We Collect
We collect the following types of personal information:
Staff User Information:
- Identity Information: Full name, email address, username
- Account Information: Username, employee ID (if provided by staff for operator identification), password (encrypted)
- System Activity: Login times, IP addresses, session data
- Technical Information: Browser type, device information, operating system, time zone settings (automatically collected)
- Usage Data: Information about how you use our platform, features accessed, and interaction patterns
- Vehicle Location Data (Driver app, optional): When a driver turns on location sharing in the Courtesy Bus Driver app and selects a vehicle, the app sends the vehicle's live GPS position (coordinates, heading, speed, and accuracy) to our platform, together with the reporting staff account and an app-install identifier. Only the latest position is held, for a few minutes at most; no location history or route records are kept. See Section 10 for details
- Communication Data: Records of correspondence with our support team and feedback provided
Customer Booking Information (entered by authorized staff, or submitted directly by customers through a venue's online booking widget):
- Customer Identity: Full names of booking customers
- Customer Contact: Phone numbers (used, where your organization enables SMS, to send booking notifications)
- Location Data: Pickup/dropoff locations
- Booking Details: Travel dates and times, special requirements
- Service Records: Trip history, operational notes, and service feedback
Billing and Subscription Information:
- Transaction Data: Subscription details, payment history, billing records (processed through Stripe)
- Organization Data: Club/business name, billing address, contact person details
We also collect, use and share aggregated data such as statistical or demographic data for platform improvement purposes. Aggregated data is derived from your personal data but does not directly or indirectly reveal your identity.
3. How We Collect Personal Information
We collect personal information through the following methods:
- Direct registration when staff create accounts on our platform
- Manual entry by authorized personnel when creating customer booking records
- Direct submission by customers through the online booking widget embedded on a venue's website (name, phone number, pickup/dropoff address, and booking details)
- Automated collection during platform usage (login sessions, system interactions)
- Email and support ticket communications
- Platform analytics to monitor system performance and user engagement
- Third-party services for payment processing and infrastructure hosting
4. How We Use Your Personal Information
Your personal information is used exclusively to deliver our fleet management platform and maintain contact with you regarding your service. We process your data based on the following legal foundations:
- Fulfilling our service agreement with your organization
- Meeting legal and regulatory obligations
- Pursuing legitimate business interests while respecting your privacy rights
- With your explicit permission for optional features
Platform Operations:
- Account creation and user authentication
- Granting access to authorized staff members
- Storing and managing booking data entered by your team
- Processing payments via third-party billing services
- System monitoring and security protection
- Data backup and recovery through cloud providers
Essential Communications:
- Platform updates and system maintenance notices
- Support ticket responses and technical help
- Account and billing notifications
- Security alerts and important service changes
Third-Party Service Integration:
- Subscription billing managed through external payment processors
- Cloud hosting infrastructure for platform availability
- Email delivery services for account, verification, and notification emails
- SMS delivery services for customer booking notifications, where enabled by your organization
- Mapping and geocoding services to look up addresses and calculate optimized routes
- Bot-protection and login security screening
- Breached-password screening when you set or change an account password, to prevent the use of passwords exposed in known data breaches
- Product analytics to understand feature usage and improve the platform
We never use your information for advertising, marketing campaigns, or commercial purposes beyond our core service delivery. Third-party providers are bound by strict agreements to protect your data and use it only for their designated functions.
5. Disclosure of Personal Information
We may disclose personal information to:
- Other authorized staff within your club or organization
- Cloud hosting and technical infrastructure providers
- Payment processing providers (Stripe, a USA-based company) for subscription billing
- Email and SMS delivery providers to send verification codes, account notices, and customer booking notifications
- A product analytics provider that helps us understand how the platform is used
- A bot-protection and security provider to screen logins and public online booking submissions, protecting against automated abuse
- A breached-password screening service (Have I Been Pwned): when you set or change an account password, we check whether it has appeared in known data breaches. Only the first five characters of a one-way cryptographic hash of the password are sent to the service — never the password itself, the full hash, or anything identifying you — so the service cannot determine your password or link the check to your account
- Mapping and geocoding providers for address lookup and route optimization. Address text typed into the online booking widget's address field is sent to Google's address autocomplete service to suggest valid addresses. In addition, when a driver opens turn-by-turn directions from the Driver app, the relevant pickup/dropoff addresses are passed to Google Maps to build the route; that app is governed by its own privacy policy (see Section 10)
- Law enforcement or government agencies when legally required
We do not sell, trade, or rent personal information to third parties. Customer booking information — whether entered by staff or submitted by the customer through the online booking widget — is only accessible to authorized staff of the relevant club or organization and our support team for technical assistance purposes.
6. Data Security
We have implemented appropriate technical and organizational security measures to prevent your personal information from being accidentally lost, used, accessed in an unauthorized way, altered, or disclosed. These measures include:
- Encryption of data in transit
- Access controls
- Secure subscription billing through Stripe
- Regular backups and disaster recovery procedures
- Incident response procedures for data breaches
- Regular software updates and security patches
We limit access to your personal information to employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Data Retention
We maintain personal information only as long as required for business operations and legal compliance. Our retention schedule includes:
- User account data: Retained while your organization's subscription remains active
- Payment and billing records: Kept in accordance with Australian taxation and financial regulations
- System logs and security data: Retained for as long as necessary for security monitoring and troubleshooting
- Communication records: Retained as long as necessary for customer service quality and dispute resolution
- Live vehicle positions (Driver app location sharing): Only the most recent position per vehicle is held, and it is automatically deleted within minutes of the vehicle's last report. No history of positions is retained
When retention periods expire, we securely delete or anonymize personal information unless extended retention is required by law or ongoing legal proceedings.
8. Your Rights
Australian privacy legislation grants you specific rights regarding your personal information. These rights include:
- Access Rights: You may request details about what personal information we hold about you
- Correction Rights: You can ask us to update or fix incorrect personal information
- Deletion Rights: You may request removal of your personal information (where legally permissible)
- Processing Objection: You can object to certain types of data processing
- Processing Limitations: You may request we restrict how we process your information
- Data Portability: You can request your data in a machine-readable format
- Consent Withdrawal: You may revoke consent for optional data processing
- Complaint Rights: You can lodge complaints about our privacy practices
To exercise any of these rights, contact us through the channels listed below. We will process your request promptly and within timeframes required by Australian privacy law.
Some rights may have limitations based on legal obligations, security requirements, or our legitimate business interests in maintaining accurate operational records.
9. Cookies and Tracking
We use cookies and similar technologies. Some are essential for our platform to function: our fleet management system requires cookies for user authentication, session management, and security purposes, and the platform will not function without these enabled. We also use a small number of non-essential analytics cookies.
The types of cookies we use include:
- Essential Cookies: Required for login, authentication, and basic platform functionality
- Security Cookies: Used to maintain secure sessions and prevent unauthorized access
- Functional Cookies: Store user preferences and settings within the platform
- Analytics Cookies: Set by our analytics provider to measure how the platform is used so we can improve it. These are not required for the platform to function
By using our platform, you consent to our use of these cookies.
10. Mobile Application (Courtesy Bus Driver App)
This section applies specifically to our Courtesy Bus Driver mobile application for iOS and Android. The app is a companion to the platform, intended for authorized drivers only. It adds no separate account system: drivers sign in with their existing staff credentials, and the same session is used to retrieve the runs and bookings for the current business day. Beyond viewing, drivers can update the operational status of their run (for example, "In Progress" or "Completed") and can optionally share their vehicle's live location; these updates are sent to our platform and are visible to authorized operator staff.
Bus Location Sharing (optional, off by default):
The app includes an optional "Share bus location" feature that lets your organization's operators see the vehicle you are driving on a live map. It works as follows:
- Opt-in only: Location is only collected while the "Share bus location" switch is turned on and a vehicle is selected. The switch is off by default, and turning it on requires granting the operating system's location permission.
- What is sent: The device's precise GPS position (coordinates, heading, speed, and accuracy), the selected vehicle, the reporting staff account, and an app-install identifier used to ensure only one phone reports for a vehicle at a time. Positions may be sent while the app is in the background or the screen is off.
- When it is sent: Sharing runs the entire time a vehicle is selected — during trips and while the vehicle is parked or waiting between trips — not only while driving. The reporting frequency varies with movement: positions are sent more often while the vehicle is moving and occasionally while it is stationary, and a vehicle that remains stationary for an extended period stops reporting until it next moves. These frequencies may be tuned from our platform to balance map accuracy against device battery use, always within the opt-in conditions described here.
- Who can see it: The vehicle's live position is shown only to authorized staff of your own club or organization, on the platform's live map. It is presented as the vehicle's position, alongside the vehicle's name.
- Retention: Positions are ephemeral. Only the most recent position per vehicle is held, and it is automatically deleted within minutes of the last report. We do not build location histories, movement profiles, or route records from this data.
- Your control: Sharing stops immediately when you turn the switch off, set the vehicle to "None", log out, switch sites, or revoke the location permission in your phone's settings. The app shows a clear indicator whenever it is sharing.
- No advertising or tracking: Location data is used solely to display the bus on your organization's live map. It is never used for advertising, sold, or shared with third parties.
Information Stored on Your Device:
- Session Data: A secure session cookie and a local sign-in flag are stored on the device so that you remain logged in between app launches. These are cleared when you log out.
- Cached Run and Booking Data: To let drivers keep working when mobile reception is poor, the app temporarily caches the current day's runs and bookings in the device's local storage. This cache can include customer names, phone numbers, pickup/dropoff addresses, and related booking details.
- App Preferences: Non-personal settings such as the selected site and light/dark theme.
- Location Sharing Settings: The state of the "Share bus location" switch, the selected vehicle (which expires after 12 hours), and a randomly generated app-install identifier used for vehicle claiming. The identifier is not derived from your device's hardware and identifies the app installation, not you personally.
Cached booking data is limited to the current business day and is automatically discarded when the business day rolls over. All locally stored data is removed when you log out of the app, and is deleted from the device when you uninstall the app.
Device Permissions:
- Network access is used to sign in and to retrieve run and booking data from our platform.
- Location access (including background location) is requested only if you turn on the optional "Share bus location" feature, and is used solely for that feature as described above. If you never enable sharing, the app does not access your location at all.
- The app does not access your camera, microphone, photos, contacts, calendar, or files.
Navigation and Third-Party Map Apps:
When you tap "Navigate", the app opens Google Maps and passes it the ordered pickup/dropoff addresses for the route. Once directions are opened, your use of Google Maps is governed by Google's own privacy policy, not this one.
The Driver app contains no advertising or third-party marketing or analytics SDKs, and we do not sell or share the data it handles for advertising purposes.
11. International Data Transfers
Some of our service providers are located overseas. Payments are processed by Stripe through Stripe Payments Australia Pty Ltd, however payment information may be processed or stored by Stripe in Australia, the United States, or other countries in which Stripe operates. Other service providers may also process limited personal information outside Australia — including our analytics provider, our security/bot-protection provider, our breached-password screening provider, our mapping provider, and our email delivery provider, which are based in or operate from the United States. We ensure that any international transfers of personal information comply with Australian privacy laws and provide adequate protection for your information through appropriate safeguards and contractual arrangements.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of our services after any changes indicates your acceptance of the updated policy.
13. Contact Us
If you have any questions about this privacy policy, wish to exercise your privacy rights, or have concerns about how we handle your personal information, please contact us:
General Inquiries: [email protected]
Privacy Officer: [email protected]
Data Breach Reports: [email protected]
We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response to your privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or call 1300 363 992.
Last updated: July 13, 2026 • For privacy questions, please contact [email protected]