Privacy Policy

    Effective Date: 14th April 2026 | Last Updated: 14th April 2026

    This Privacy Policy explains how EnBright Pty Ltd (ACN 685 093 805) ("we," "us," or "our") collects, uses, discloses, and manages personal information through the AHIP Collect mobile application ("AHIP Collect" or "the App") in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and other applicable laws.

    AHIP Collect is a professional NaTHERS compliance automation tool used by accredited NaTHERS assessors and data collectors. It captures property data, photographs, and evidence for the purpose of producing NaTHERS energy ratings for existing homes.

    1. Who This Policy Applies To

    This policy applies to three categories of individuals whose information we may handle:

    • Assessors and Data Collectors ("Platform Users"): Accredited NaTHERS assessors and authorised data collectors who use the App to capture property assessment data. You are our direct customers.
    • Property Owners and Tenants ("Property Subjects"): Individuals whose homes are being assessed. Your consent is captured in-app before any data collection begins, as required by NaTHERS Technical Note §2.1–2.3.
    • Website Visitors: Individuals who visit the AHIP Collect website or marketing pages.

    2. Information We Collect

    2.1 Platform User (Assessor/DC) information

    • Account details: name, email, phone number, NaTHERS accreditation number, ABN.
    • Assessment activity: properties assessed, assessment dates, time spent, quality scores.
    • Device information: device model, operating system version, app version.
    • Subscription and payment information (processed by our secure payment partner).

    2.2 Property assessment data

    During an assessment, the App captures the following data about the property (not the individual):

    • Property address, year of construction, climate zone, property type.
    • Photographs and video: exterior facades, room interiors, equipment nameplates, roof space, evidence photos. These are captured by the assessor/DC using the device camera.
    • LiDAR 3D scan data: room dimensions, wall positions, window/door locations (if LiDAR-equipped device is used).
    • EXIF metadata: GPS coordinates, timestamp, device identifier — embedded in each photo per NaTHERS Technical Note Table 1 requirements.
    • Building characteristics: wall construction type, floor covering, window types, ceiling fixtures, HVAC equipment, insulation, solar PV, and other construction details.
    • Equipment data: brand, model, capacity, and efficiency data extracted from appliance nameplates via on-device OCR.

    2.3 Consent and identification data

    • Property owner/tenant name and digital signature (captured in-app for NaTHERS consent compliance).
    • Conflict of interest declaration.
    • Training data consent (whether the property owner consents to their assessment data being used for AI model improvement).

    2.4 Training data

    When an assessor selects a classification option (e.g., wall material, window type) and confirms it as an on- site observation, that selection may be used as labelled training data for our AI classification model. Training data is:

    • De-identified — property address and owner identity are stripped before training use.
    • Only used with consent — property owners can opt out via the consent screen.
    • Subject to exclusion rules — subjective fields (wall colour, window covering fit) and "not sure" selections are never used for training.

    2.5 Potentially personally identifiable information in photos

    IMPORTANT: Property photos may inadvertently capture personally identifiable information (PII), such as faces of occupants, personal documents, mail, or family photographs. The App includes a post-capture PII review step where the assessor can flag and blur sensitive content before submission. We implement on- device PII detection to assist with this process.

    3. How We Use Your Information

    Platform User data:

    • To provide and operate the AHIP Collect app and associated services.
    • To manage your subscription and account.
    • To provide customer support and communicate product updates.
    • To generate aggregated, de-identified analytics about platform usage.

    Property assessment data:

    • To produce a structured AccuRate Enterprise import file for the NaTHERS rating.
    • To calculate the Submission Quality Score.
    • To apply the Defaults Engine (Technical Note default values).
    • To store evidence for audit compliance (7-year retention per NaTHERS §3.7).
    • To train and improve our AI classification model (de-identified, with consent only).

    4. Disclosure of Information

    We disclose personal and assessment information only as follows:

    • To the assessor's AccuRate software: The structured export file containing property data (not property owner personal information) is exported locally to the assessor's device for import into CSIRO AccuRate Enterprise.
    • Between DC and Assessor: When a data collector submits an assessment, the evidence package is shared with the assessor who commissioned it. Both parties are bound by NaTHERS accreditation obligations.
    • GEMS registry: Equipment brand and model data may be sent to the GEMS (Greenhouse and Energy Minimum Standards) registry for efficiency lookups. No personal information is included.
    • Cloud storage: Assessment data is synced to our servers when connected, for backup and 7-year retention. See Section 6.
    • Service providers: Trusted third-party providers under data processing agreements (see Section 6).
    • Legal requirements: Where required by Australian law, regulation, or court order.

    We do not sell, rent, or trade personal information or assessment data to third parties.

    5. Data Retention

    We retain data according to the following schedule:

    Data TypeRetention PeriodBasis
    Assessment evidence (photos, data, consent)7 years from assessment dateNaTHERS Technical Note §3.7
    Platform User account dataDuration of account + 2 yearsLegitimate business purpose
    Training data (de-identified)Indefinite (de-identified)AI model improvement
    Payment records7 yearsATO record-keeping
    Automatically collected technical data26 monthsAnalytics

    When retention periods expire, we securely destroy or de-identify the data.

    6. Security and Storage

    • On-device processing: All AI processing (OCR, object detection, room detection) runs on-device using Google ML Kit. No property photos are sent to external AI services for analysis.
    • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
    • Local-first: Assessment data is stored locally on the device (SQLite) and synced to cloud storage when connected.
    • Cloud infrastructure: AWS Sydney region (primary), with geo-redundant backup.
    • Access controls: Role-based access. Only the assessing assessor (and their commissioned DC) can access assessment data.
    • Notifiable Data Breaches: We comply with the NDB scheme and will notify affected individuals and the OAIC in the event of an eligible data breach.

    7. International Transfers

    Assessment data is primarily stored in Australia (AWS Sydney). Some service providers may process data overseas:

    • Google ML Kit: on-device only, no data transmitted to Google servers.
    • Cloud backup: AWS Sydney (primary). Geo-redundant backup may involve other AWS regions.
    • Cloud infrastructure and edge services: We use Cloudflare Workers and R2 for application hosting, data storage, and content delivery. These services operate on a globally distributed network, which means personal information may be processed in multiple countries, including the United States, the European Union, and Singapore.
    • Cloud hosting and backups:We use Amazon Web Services (AWS), with primary infrastructure located in Australia (Sydney region) and backups that may be stored in the United States.
    • Email delivery: We use Resend, which processes data in the United States.
    • Analytics: We use Google Analytics, which may process data on servers located outside Australia, including in the United States.

    We take reasonable steps to ensure overseas recipients comply with the APPs per APP 8.

    8. Rights of Property Owners and Tenants

    If your property has been assessed using AHIP Collect:

    • Your consent was captured before any data collection (per NaTHERS §2.1–2.3).
    • You may request access to the assessment data held about your property by contacting us.
    • You may request correction of inaccurate data.
    • You may withdraw training data consent at any time by contacting us. Withdrawal does not affect the validity of the NaTHERS assessment.
    • Photos containing your personal information are subject to PII review before storage.

    9. Rights of Platform Users (Assessors/DCs)

    • You may access, correct, or delete your account information at any time.
    • You may export your assessment data in a structured format.
    • You may cancel your subscription at any time (see AHIP Collect Terms of Service).

    10. Complaints

    Contact our Privacy Officer: privacy@enbright.com.au. We will investigate and respond within 30 days. If unsatisfied, you may lodge a complaint with the OAIC at www.oaic.gov.au.

    11. Changes to This Policy

    Material changes will be communicated via in-app notification and email to registered users at least 14 days before taking effect.

    12. Contact

    Privacy Officer

    EnBright Pty Ltd

    Email: privacy@enbright.com.au