This policy applies to F*IT, operated by Zen Window Cleaning Pty Ltd trading as F*IT (ABN 91 621 178 129) ("we", "us", "our"). Our registered address is Gold Coast, Queensland, Australia. Contact: [email protected].
1. What this policy covers
This Privacy Policy describes how F*IT collects, uses, stores, and discloses personal information when you use the F*IT platform ("the Service"). It applies to:
- Visitors to fxit.au and related subdomains.
- Business customers ("tenants") who subscribe to and operate the F*IT platform.
- End users (the tenants' customers) whose data is processed through the Service on behalf of tenants.
F*IT is a software platform for Australian trade and service businesses. Tenants use it to manage customer relationships, scheduling, invoicing, marketing, and advertising. When a tenant uses F*IT to manage their operations, F*IT processes personal information about that tenant's customers as a data processor on the tenant's behalf.
This policy is framed under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. Information we collect
2.1 Information you provide directly
- Contact details: name, email address, phone number, business name.
- Account credentials: email address and hashed password (passwords are never stored in plain text).
- Billing information: collected and processed directly by Stripe. We do not store card numbers.
- Business information: ABN, trading name, service areas, pricing, staff details entered during onboarding.
- Communications: messages you send to us via contact forms or email.
2.2 Information collected automatically
- Log data: IP address, browser type, pages visited, timestamps, referring URL.
- Device information: operating system, screen resolution, browser version.
- Session tokens stored in HTTP-only cookies for authentication.
2.3 Information collected from third-party integrations
When you connect third-party services to your F*IT account, we receive data from those services as authorised by you. The services currently supported include:
- Google Ads (OAuth scope:
https://www.googleapis.com/auth/adwords): campaign data, performance metrics, keyword lists, ad creative, spend data. - Gmail (OAuth scope:
https://www.googleapis.com/auth/gmail.readonlyor equivalent): email metadata and message content for customer communication management. Service-mailboxes only — personal owner mailboxes are not connected. - Google Search Console (OAuth scope:
https://www.googleapis.com/auth/webmasters.readonly): search performance data for your business website. - Google Calendar (OAuth scope:
https://www.googleapis.com/auth/calendar): job scheduling and appointment data. - Twilio: call logs and SMS message records for your business phone number.
- Stripe: payment transaction data (tokenised; no raw card data).
You authorise these connections explicitly through OAuth or API key entry within the platform. You can disconnect any integration at any time from your account settings.
2.4 Customer data processed on behalf of tenants
Tenants input data about their own customers (contacts, job records, invoices, notes) into F*IT. We process this data as a data processor acting on the tenant's instructions. The tenant is the data controller for their customers' data and is responsible for ensuring their use of F*IT complies with applicable privacy laws.
3. How we use your information
We use the information we collect to:
- Provide, operate, and improve the F*IT platform.
- Authenticate and manage your account.
- Process subscription payments and issue invoices.
- Run AI-assisted automations you have configured (scheduling, marketing, advertising optimisation, phone answering).
- Send transactional communications: account alerts, invoices, security notifications.
- Provide customer support.
- Monitor platform performance and diagnose technical issues.
- Comply with legal obligations.
We do not use your data for behavioural advertising on behalf of third parties. We do not sell personal information.
4. How we share your information
4.1 Sub-processors and service providers
We engage third-party service providers to operate the platform. These providers act on our instructions and may not use your data for their own purposes.
- Hetzner Cloud (Germany / Australia) — server infrastructure. Note: data is hosted in the Hetzner AU region where available.
- Cloudflare (USA) — CDN, DNS, static site hosting, DDoS protection.
- Stripe (USA) — payment processing.
- Twilio (USA) — SMS and voice telephony.
- Resend (USA) — transactional email.
- Anthropic / LiteLLM (USA) — AI inference for platform automation features. Prompts may include customer data to perform requested automations.
We do not share personal information with third parties for their own marketing purposes.
4.2 Legal requirements
We may disclose personal information where required by law, court order, or regulatory demand, or where disclosure is necessary to protect the rights, property, or safety of F*IT, our tenants, or the public.
4.3 Business transfers
If F*IT is acquired, merged with, or sold to another entity, personal information may be transferred as part of that transaction, subject to equivalent privacy protections.
5. Google API user data — Limited Use disclosure
Google API Services User Data Policy compliance statement: F*IT's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a Google service to F*IT, we access only the data scopes you authorise. The following principles govern how we handle Google user data:
- Limited Use: We use Google user data only to provide or improve user-facing features that are clearly disclosed in this policy and in the OAuth consent screen. We do not use Google user data to serve advertising to users. We do not allow humans to read Google user data unless you have given us explicit permission, or doing so is necessary for security purposes or to comply with applicable law.
- No transfer for advertising: We do not transfer Google user data to third parties for advertising purposes or to data brokers.
- No cross-user analysis: We do not use Google user data for any purpose other than operating the requested service for the individual account that authorised access.
- Revocation: You can revoke F*IT's access to any Google account at any time via your Google Account settings at myaccount.google.com/permissions or from within your F*IT account settings.
5.1 Google Ads data
Data accessed under the https://www.googleapis.com/auth/adwords scope is used solely to operate the Google Ads Manager feature: creating and optimising campaigns on your behalf, reporting performance to your dashboard, and generating Coach insights. This data is not shared with other tenants or used for any purpose outside your account.
5.2 Gmail data
Data accessed from Gmail (where the Gmail integration is enabled) is used solely to surface customer email threads in your F*IT inbox view and to allow AI-assisted drafting of replies on your behalf. We do not index Gmail data for cross-tenant analysis. Only service-mailboxes (not personal owner mailboxes) are eligible for connection.
5.3 Google Calendar data
Calendar data is used solely to create, update, and display job appointments within the F*IT scheduling interface and to avoid double-booking when the AI Dispatcher schedules new jobs.
5.4 Google Search Console data
Search Console data is used solely to provide website SEO performance reporting within your F*IT dashboard and to inform the Watcher agent's content gap analysis for your business website.
6. Retention and deletion
- Account data: retained for the duration of your subscription plus 90 days after cancellation to allow for reactivation or export. After 90 days, account data is permanently deleted from production systems.
- Google API data: OAuth tokens are stored encrypted and are deleted upon disconnection of the relevant integration or account closure. Cached Google data (campaign snapshots, search console data) is deleted within 30 days of integration disconnection.
- Customer data (tenant contacts, jobs, invoices): retained for the subscription term plus 90 days. Tenants can request immediate deletion of their data at any time via [email protected].
- Log data: server logs retained for up to 90 days for security and diagnostic purposes, then deleted.
- Backup data: encrypted backups may retain data for up to 30 days beyond the primary deletion date before being purged from backup systems.
To request deletion of your data, email [email protected] with the subject line "Data deletion request" and your account email address. We will action the request within 30 days.
7. Security
We implement security measures appropriate to the nature of the data we hold:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest on our servers is encrypted.
- OAuth tokens are stored encrypted with access restricted to the authenticated tenant.
- Passwords are hashed using bcrypt with a work factor appropriate to current hardware.
- Row-level security policies on our database prevent cross-tenant data access.
- Multi-factor authentication is available for all accounts and recommended.
No transmission over the internet or storage system can be guaranteed as completely secure. If you believe your account has been compromised, contact us immediately at [email protected].
8. Your rights — Australian Privacy Principles
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Access personal information we hold about you (APP 12).
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
- Know why we collect your personal information, how we will use it, and to whom we may disclose it (APPs 3, 5).
- Complain about a breach of the APPs (see section 12 below).
- Opt out of direct marketing communications (APP 7).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies and analytics
We use the following types of cookies:
- Essential cookies: session authentication tokens stored as HTTP-only cookies. Required for the platform to function.
- Preference cookies: store UI preferences such as dashboard layout settings.
We do not currently use third-party analytics trackers or advertising pixels on the main platform. The marketing site at fxit.au may in future use analytics tools; this policy will be updated if and when such tools are introduced.
10. Children
F*IT is a business-to-business platform intended for use by adults operating or employed by trade and service businesses. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify active account holders by email and update the "Last updated" date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact and complaints
For privacy questions, access requests, correction requests, or deletion requests:
Email: [email protected]
Subject line: Privacy enquiry
Entity: Zen Window Cleaning Pty Ltd trading as F*IT
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992