Privacy Policy

QTask ("we", "our", or "us") operates the equipment maintenance management platform available at qtask.co.nz. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the New Zealand Privacy Act 2020 and, where applicable, the Philippine Data Privacy Act 2012 (Republic Act 10173).

By creating an account or using QTask, you agree to the collection and use of information as described in this policy.

We collect the following categories of personal information:

• Account information: Full name, email address, phone number, and password (stored as a secure hash — never in plain text).
• Role-specific information: Company name, industry, billing email, contact person, and address (Customers); company name, licence number, licence expiry, service area, specialisations, and hourly rate (Service Providers); authority name, accreditation number, and certification scope (Certifiers).
• Equipment records: Asset names, serial numbers, models, locations, and maintenance history.
• Maintenance records: Schedules, service records, labour hours, costs, technician notes, and completion dates.
• Compliance certificates: Certification details, validity periods, and certifier notes.
• Usage data: IP addresses, browser user-agent strings, and access timestamps, collected for security and audit purposes.

We use your personal information only for the purposes for which it was collected:

• Providing, operating, and improving the QTask platform.
• Matching equipment owners with qualified service providers and certifiers.
• Generating and storing compliance certificates for equipment maintenance.
• Sending notifications relevant to your scheduled maintenance activities.
• Complying with legal obligations under the NZ Health and Safety at Work Act 2015 and related regulations.
• Investigating and responding to security incidents.

We do not use your personal information for advertising or sell it to third parties.

Your information is shared only as necessary to deliver the service:

• Service Providers: Can view the equipment details and maintenance requirements for jobs assigned to them.
• Certifiers: Can view the maintenance records and equipment details for certifications they are asked to issue.
• Infrastructure providers: Railway (hosting), Neon/PostgreSQL (database). These providers process data on our behalf and are contractually bound to protect it.
• Legal obligations: We may disclose information if required by law, court order, or to WorkSafe New Zealand.

Your data is stored on servers hosted by Railway. Data is encrypted in transit (TLS 1.2+) and at rest. We implement role-based access controls, rate limiting, and security headers to protect your information.

All passwords are hashed using bcrypt (cost factor 12) and are never stored or transmitted in plain text.

Despite our safeguards, no system is completely secure. If we become aware of a breach that is likely to cause serious harm, we will notify the Office of the Privacy Commissioner and affected individuals as required by the Privacy Act 2020.

We retain personal information only for as long as necessary for the purpose it was collected, or as required by law:

• Account data: Retained while your account is active. Anonymised within 30 days of a verified deletion request.
• Maintenance and financial records: Retained for a minimum of 7 years to comply with NZ business record-keeping requirements.
• Compliance certificates: Retained for the life of the associated equipment or a minimum of 10 years.
• Audit logs: Retained for 7 years.

Under the NZ Privacy Act 2020, you have the right to:

• Access the personal information we hold about you.
• Correct any personal information that is inaccurate or out of date.
• Request deletion of your personal information, subject to legal retention requirements.
• Lodge a complaint with the Office of the Privacy Commissioner (privacy.org.nz) if you believe we have breached the Privacy Act.

If you are a resident of the Philippines, you additionally have rights under the Data Privacy Act 2012, including the right to data portability and the right to be informed of any breach affecting your data within 72 hours.

To exercise any of these rights, contact our Privacy Officer at privacy@qtask.co.nz. We will acknowledge your request within 5 working days and respond within 20 working days.

QTask uses session cookies for authentication. These are strictly necessary for the platform to function and do not track you across other websites. We do not use advertising or analytics cookies.

Your data may be stored and processed in countries outside New Zealand (including the United States, where Railway's infrastructure is located). We take steps to ensure that such transfers comply with the cross-border disclosure requirements of the NZ Privacy Act 2020.

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes. Continued use of QTask after the effective date of a revised policy constitutes acceptance of the changes.

For privacy enquiries, data access requests, or complaints: