Privacy Policy
Last modified: April 2nd, 2026
At NetDesk, we believe in collecting only what we need, keeping it only as long as we must, and being transparent about both. This policy describes exactly what data we collect, why we collect it, who we share it with, and how long we keep it.
This Privacy Policy is to be read alongside our Terms of Service. By using NetDesk, you agree to the practices described here.
1. Legal framework
The Services are operated by NetDesk Pty Ltd ACN 111 222 333 (the "Company", "we", "us"), domiciled in Melbourne, Victoria, Australia. Our services are governed by the laws of Australia, including the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).
We provide services to Australian residents only. This policy is governed exclusively by Australian law.
2. What we collect and why
Our policy is to collect the minimum data necessary to deliver our services. Below is a complete description of every category of personal data we collect, with the reason for collection and its legal basis.
2.1 Account creation
Creating a NetDesk account requires your first name, last name, email address, and a password. This information is necessary to create and secure your account, verify your identity, and contact you about your bookings and account activity.
Passwords are hashed by Supabase and are never stored or accessible in plain text. We cannot retrieve your password.
Legal basis: Performance of a contract (providing the service you signed up for).
2.2 Phone number
When you book a support session, we collect your phone number for the purpose of connecting you with a technician during that session via voice call. Your phone number is deleted from our systems immediately when the session ends. A secondary automated process runs daily to remove any phone numbers that were not cleared at session end.
We do not use your phone number for marketing, pass it to third parties beyond Twilio (our call infrastructure provider), or retain it beyond the session.
Legal basis: Performance of a contract (delivering the session you booked).
2.3 Session and booking details
When you book a session, we collect details about your issue: the type of problem, device type, operating system, and any notes you choose to provide. This information is used to match you with an appropriate technician and to deliver the session effectively.
Legal basis: Performance of a contract.
2.4 Call recordings and transcripts
Support sessions conducted by voice are recorded via Twilio. The audio recording is transcribed automatically and then permanently deleted — audio is never retained. The resulting text transcript is retained for two years, after which it is permanently deleted from our systems. Transcripts are retained as evidence in the event of billing disputes.
You will be informed before a session begins that it will be recorded.
Legal basis: Legitimate interest (billing dispute resolution and service quality).
2.5 Payment information
Payments are processed by Stripe. Your card details are entered directly into Stripe's secure payment interface and never transmitted to or stored on NetDesk's servers. We store only the transaction amount, currency, and Stripe's payment reference identifier — sufficient to issue refunds and maintain financial records.
Financial records are retained for seven years in accordance with our obligations under Australian taxation law.
Legal basis: Performance of a contract; legal obligation (ATO record-keeping requirements).
2.6 Contact enquiries
When you submit a contact form on our website, we collect your name, email address, and message. We also record your IP address and browser user agent at the time of submission for the purpose of detecting and preventing automated abuse. This information is used solely to respond to your enquiry.
Legal basis: Legitimate interest (responding to enquiries; preventing abuse).
2.7 IP addresses and security logging
We log IP addresses temporarily for security purposes — specifically to detect and block automated attacks, brute-force login attempts, and abusive bot traffic. In production, this data is stored in Upstash Redis and expires within 30 days. IP addresses are not linked to your account for any other purpose.
Legal basis: Legitimate interest (protecting the service and its users from abuse).
2.9 Error monitoring
We use Sentry to capture application errors. Error reports may include technical context such as the page you were on, the action you were performing, and general request information. We configure Sentry to minimise the inclusion of personal data in error reports. Error data is used solely for diagnosing and fixing software faults.
Legal basis: Legitimate interest (maintaining service reliability).
2.10 Communications from NetDesk
We use your email address to send transactional communications: account verification, booking confirmations, session reminders, and receipts. We do not send marketing or promotional emails. You cannot opt out of transactional emails as they are necessary to deliver the service.
2.11 Social media
Any information you submit to us via social media platforms is submitted at your own risk, without any guarantee of privacy. Your interactions with those platforms are governed by their own privacy policies.
3. Data processors
We rely on the following third-party processors to deliver our services. Each processor is bound by its platform terms to use personal data only for the specific purpose for which it is shared.
Supabase Inc.
- Purpose: Database storage and user authentication
- Data: Account details, session records, booking history
- Processing location: United States
- Safeguards: Standard Contractual Clauses, SOC 2 Type II
Vercel Inc.
- Purpose: Application hosting and content delivery
- Data: Web request data (IP addresses, headers) in transit
- Processing location: United States and global edge network
- Safeguards: Standard Contractual Clauses
Stripe Inc.
- Purpose: Payment processing
- Data: Payment card details (handled directly by Stripe; never transmitted to NetDesk), transaction amounts
- Processing location: United States
- Safeguards: PCI DSS Level 1, Standard Contractual Clauses
Twilio Inc.
- Purpose: Voice calls and SMS during support sessions
- Data: Phone numbers, call audio (deleted after transcription)
- Processing location: United States
- Safeguards: Standard Contractual Clauses, ISO 27001
Resend Inc.
- Purpose: Transactional email delivery
- Data: Email address, name, email content
- Processing location: United States
- Safeguards: Standard Contractual Clauses
Zoho Corporation
- Purpose: Remote desktop access during support sessions
- Data: Screen content and device information during active, user-authorised sessions only
- Processing location: Australia (AU datacenter)
- Safeguards: ISO 27001, SOC 2
Functional Software Inc. (Sentry)
- Purpose: Application error monitoring
- Data: Technical error context (minimised to exclude personal data where possible)
- Processing location: United States
- Safeguards: Standard Contractual Clauses, SOC 2
Upstash Inc.
- Purpose: Rate limiting and bot protection (temporary IP tracking)
- Data: IP addresses (expires within 30 days)
- Processing location: United States
- Safeguards: Standard Contractual Clauses
4. Data retention
We retain personal data only for as long as necessary. The following schedule applies:
| Data type | Retention period | Reason |
|---|---|---|
| Name, email address | Life of account + 30 days | Contract performance; chargeback window |
| Phone number | Deleted at session end | Session delivery only; no ongoing basis |
| Call audio recordings | Deleted immediately after transcription | No ongoing basis once transcribed |
| Session transcripts | 2 years | Billing dispute evidence |
| Financial records | 7 years | ATO tax record-keeping obligation |
| IP addresses (security) | Up to 30 days | Fraud and abuse prevention |
| Contact enquiries | Until resolved, then deleted | Responding to your enquiry |
5. Data disclosure
We will only disclose personal data if legally required to do so by a binding request from a competent Australian authority. Our policy is to challenge requests where there are doubts as to their validity or where there is a public interest in doing so, and not to comply until all available legal remedies have been exhausted.
Under Australian law, individuals who are the subject of a judicial procedure must be notified of that procedure where possible.
We do not sell, rent, or trade personal data to any third party for commercial purposes.
6. Your privacy rights
Under the Australian Privacy Act 1988, you have the following rights regarding your personal data:
- Access — you can request a copy of the personal data we hold about you
- Correction — you can update your name and email through your account settings at any time
- Export — you can download your account data, booking history, and device records via your account settings. Session call transcripts are available on written request to privacy@netdesk.au — please include the session date and reason for your request
- Deletion — you can delete your account and associated personal data through your account settings, subject to our retention obligations for financial records
- Objection — you can object to processing based on legitimate interest
To exercise any of these rights, or if your account has been suspended and you wish to make a privacy request, contact us at privacy@netdesk.au.
If you believe your privacy rights have been violated, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
7. Modifications to this policy
We may update this Privacy Policy from time to time. The date at the top of this page reflects when it was last changed. For material changes, we will notify you by email. Continued use of the Services after a change constitutes acceptance of the updated policy.