Skip to content
Droprack

Legal

Privacy Policy

Last updated: 14 May 2026

DropTrack Pty Ltd ("DropTrack", "we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, store, disclose and protect your personal information when you use our website (https://droptrack.com.au), our applications, or our services. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

DropTrack is an Australian-incorporated company providing GPS-verified letterbox distribution services, including AI-generated campaign reporting. We are based in Canberra, ACT, and our infrastructure is hosted in AWS Sydney (ap-southeast-2).

Our Privacy Officer can be reached at hello@droptrack.com.au.

2. What personal information we collect

We collect the following categories of personal information:

  • Account information: name, business name, email address, mobile number, business address and ABN.
  • Campaign information: the polygons you draw, the briefs you submit, the leaflet artwork you upload and the dates and locations of your campaigns.
  • Dropper information (where applicable): employment details, transport mode, GPS location while on shift, and performance metrics. This is collected from individuals we directly employ.
  • Payment information: we do not store payment card details ourselves; payments are processed by Stripe under their own privacy policy.
  • Technical information: IP address, browser type, device identifiers, pages visited, and cookies (see our Cookie Policy).

We do not collect personal information about the people who receive your flyers. We pin the GPS coordinates of letterboxes, never the identity of residents.

3. How we use your information

We use personal information only for the purposes for which it was collected, including:

  • delivering the campaigns you commission, including GPS verification and reporting;
  • paying our droppers and managing employment obligations;
  • generating AI-written campaign reports using Claude 3.5 Haiku via AWS Bedrock in Sydney;
  • improving our products and tuning Fraud Shield thresholds (using aggregated, de-identified data);
  • responding to your enquiries and providing customer support;
  • meeting our legal, regulatory and tax obligations in Australia.

4. Where your information is stored

All personal information collected by DropTrack is stored in Amazon Web Services' Sydney region (ap-southeast-2). We do not replicate, back up or transfer data to any region outside Australia. This restriction is enforced through AWS IAM policies and is contractual, not aspirational.

Data is encrypted at rest using AWS KMS (AES-256) and in transit using TLS 1.3. Authentication runs on AWS Cognito with short-lived JWT access tokens.

5. Who we disclose your information to

We disclose personal information only to:

  • Our service providers — Stripe (payments), Amazon Web Services (hosting and AI inference), Mapbox (map tile rendering) — under written agreements that restrict their use to providing services to us;
  • Your assigned dropper, who receives the campaign polygon and leaflet count for the duration of their job;
  • Australian regulators or law enforcement, where we are legally required to do so.

We do not sell personal information. We do not share information with data brokers, marketing networks or third-party advertising platforms.

6. Cookies and tracking

DropTrack uses a minimal set of strictly-necessary cookies and analytics cookies. We do not use advertising cookies or cross-site tracking. See our Cookie Policy for the full list.

7. Accessing, correcting or deleting your information

You have the right to access your personal information, request correction of inaccurate information, and request deletion. Email hello@droptrack.com.au from the address on your account.

Export is provided in JSON and PDF within five business days. Deletion is processed within 30 days and is irreversible. Aggregate, anonymised statistics may be retained to improve the service — we will tell you exactly what before you sign up.

8. How long we keep your information

We retain personal information for as long as your DropTrack account is active, plus seven years after closure to meet Australian tax, employment and dispute-resolution obligations. Campaign GPS data is retained indefinitely in an immutable, signed form so your audit trail remains valid for vendor, AEC or compliance review.

9. Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. These include AWS KMS encryption, TLS 1.3, AWS Cognito identity, scoped IAM policies, audit logging via AWS CloudTrail, and regular review of access by the small DropTrack team.

If a notifiable data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with Part IIIC of the Privacy Act 1988.

10. Children's privacy

DropTrack is a B2B service and is not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe we have collected such information, contact us and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page will reflect any changes. Material changes will be emailed to account holders at least 14 days before they take effect.

12. Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please email hello@droptrack.com.au. We will acknowledge your complaint within five business days and respond substantively within 30 days.