1. Who we are
Verdant (“we”, “us”, “our”) is a field-service management platform operated by Lewin Digital (ABN 20 731 183 059), located at 16 Hedgerow Avenue, Parkes NSW 2870, Australia. This Privacy Policy explains how we collect, use, store and disclose personal information when you use Verdant (the “Service”). It applies to organisations that subscribe to Verdant, the staff and owners they invite, and the clients those organisations record in the Service.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. If you have questions about this policy, contact us at [email protected].
2. Information we collect
We collect different categories of information depending on how you interact with the Service:
- Account information — name, email address, hashed password, role (owner, staff, master admin), and any two-factor authentication secret you enable.
- Organisation information — legal name, ABN, licence and accreditation numbers, business address, contact phone, logo URL, brand colour, and other settings entered by an organisation’s owner.
- Client & job information — contact details, site addresses, notes, scheduled and completed jobs, invoices, recurrence rules, and messages sent to clients, entered by the subscribing organisation.
- Usage information — timestamps for job starts/pauses/ends, SMS and email send logs, impersonation events, sign-in times, and audit metadata needed to operate the Service.
- Payment information — we do not store full card numbers. Payments and invoicing are processed through Stripe; we store only the Stripe customer, invoice, and connected-account identifiers that are necessary to link records.
- Integration tokens — OAuth tokens for Xero, MYOB, QuickBooks Online, and Stripe Connect when an organisation chooses to connect those services. Tokens are encrypted at rest.
- One-way import data — when an organisation chooses to import existing clients and job history from ServiceM8, the API key they provide is used once to pull those records from ServiceM8 and is not retained by Verdant. The imported client and job records are then stored under the organisation’s account in Verdant.
- Technical information — IP address, browser type, and basic server logs used for diagnostics and security.
- Location information (optional) — when an organisation on an Organisation-tier plan enables GPS tracking, Verdant requests the browser’s geolocation permission and records the approximate latitude/longitude and accuracy of staff members at the moments they clock in, clock out, and at regular intervals while they are clocked in. The capture interval is configurable by the organisation. Location information is captured only when a staff member is clocked in, and is not captured from their personal device at any other time. If a staff member declines the browser permission, location is not collected.
3. How we use your information
We use personal information to:
- Provide and operate the Service, including authentication, scheduling, invoicing, and client communications;
- Send SMS and email notifications to clients on behalf of the subscribing organisation (via ClickSend and SMTP providers configured by the organisation);
- Generate and deliver invoices, quotes, PDFs, and payment links;
- Synchronise data with third-party accounting systems that the organisation has connected;
- Investigate faults, secure the Service, prevent abuse, and comply with legal obligations;
- Communicate with account owners about service updates and changes;
- When GPS tracking is enabled by an organisation, verify that staff clock in near an expected work area (a geofence) and provide the organisation’s owners with the approximate location trail associated with each clock-in/clock-out record.
4. Who controls your data
When a subscribing organisation adds a client record or invites a team member, that organisation is the data controller and Verdant acts as a data processor on their behalf. If you are a client of a Verdant-subscribing business and want to access, correct, or delete your information, please contact that business directly. We will assist them in honouring your request.
For your own Verdant account (for example, the email address and name you sign in with), you can request access, correction, or deletion by contacting us at [email protected].
5. How we share information
We share personal information only as follows:
- Within the organisation — users of the same organisation can see the clients, jobs, and records belonging to that organisation, subject to the permissions configured by the owner.
- With sub-processors — trusted service providers that run parts of the Service, including Stripe (payments and invoicing), ClickSend (SMS), Fastmail and other SMTP providers (email), the hosting provider that runs our servers, and accounting integrations (Xero, MYOB, QuickBooks Online) when the organisation connects them.
- With ServiceM8 (one-off import only) — if an organisation uses Verdant’s ServiceM8 import tool, the API key they enter is sent to ServiceM8 to pull their existing clients and job history. Verdant does not push data back to ServiceM8, does not sync ongoing changes with it, and does not retain the API key after the import.
- When legally required — if disclosure is required by law, court order, or regulator, or necessary to protect rights, property, or safety.
- With the account owner — if an organisation’s owner requests it, we may disclose account data to them.
We do not sell your personal information, and we do not use it for advertising or third-party marketing.
6. Overseas transfers
Some of our sub-processors — including Stripe, Intuit (QuickBooks Online), and Xero — process data outside Australia. Where personal information is transferred overseas we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles.
7. How we store and protect information
Verdant runs on servers operated by Lewin Digital. Data is stored in a PostgreSQL database with encrypted integration tokens, passwords hashed using bcrypt, and transport protected by TLS. Backups are retained for operational continuity. We restrict internal access to production systems to authorised personnel and log access events.
No system is perfectly secure. If you become aware of a suspected breach, please contact us immediately at [email protected].
8. How long we keep information
We retain personal information for as long as the subscribing organisation’s account is active and for a reasonable period afterwards to comply with tax, accounting, and audit obligations (typically seven years for invoices and financial records, consistent with Australian record-keeping requirements). Message logs and audit records are kept for the life of the organisation’s account unless a longer period is legally required.
When an organisation cancels, we can delete or export their data on request. Deleted records cannot generally be recovered.
9. Cookies and analytics
Verdant uses first-party cookies that are strictly necessary to keep you signed in and remember your session. We do not use third-party advertising cookies or trackers. Basic server logs record IP addresses and browser user-agents for security and diagnostics.
10. Messages sent to your clients
When a subscribing organisation uses Verdant to send SMS or email notifications, those messages are sent under the organisation’s own sender identity (alpha tag, email address, etc.). A copy of each message is stored in Verdant’s message log so organisations can audit what was sent. Clients who wish to stop receiving messages should contact the subscribing organisation directly.
11. Children
Verdant is a business tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we hold information about a child, please contact us so we can remove it.
12. Your rights
Subject to applicable law, you have the right to:
- Ask what personal information we hold about you;
- Request correction of information that is inaccurate or out of date;
- Request deletion of your personal information, subject to our record-keeping obligations;
- Withdraw consent for optional processing at any time;
- Complain to us, or to the Office of the Australian Information Commissioner (OAIC), if you believe we have breached your privacy rights.
To exercise any of these rights, email [email protected].
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. If a change is material, we will notify subscribing organisations by email or an in-app notice before it takes effect.
14. Contact
For privacy questions or requests, contact: