Privacy Policy

Last updated: 15 April 2026 · Effective immediately

1. About this policy

This Privacy Policy describes how Black Mountain AI Pty Ltd (ABN 87 673 936 448) (“BMAI”, “we”, “us”) collects, uses, discloses, and protects personal information in connection with DirectCold Monitor (“the Service”). We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Information we collect

We collect the following categories of information:

  • Account information: name, email address, hashed password, and role assignment when you are invited to the Service.
  • Driver information: name, mobile phone number (E.164), and optional email address for drivers added to the system.
  • Recipient information: name, phone number, and email of team members added to notification groups.
  • Telemetry data: temperature readings, GPS coordinates, power state, defrost status, and other vehicle/trailer telemetry obtained from CoolTrax on behalf of the Customer.
  • Usage data: login timestamps, IP addresses, user-agent strings, and actions performed within the Service (audit log).
  • Notification metadata: records of SMS, email, and webhook notifications sent, including recipient identifiers, timestamps, and delivery status.

3. How we use your information

We use the information we collect to:

  • Operate, maintain, and improve the Service;
  • Authenticate users and enforce role-based access;
  • Send alert notifications via SMS, email, and webhooks;
  • Generate compliance reports and analytics;
  • Detect and respond to service faults and security incidents;
  • Maintain audit trails for accountability and regulatory compliance;
  • Communicate with you about your account, the Service, or changes to these policies.

4. Disclosure of information

We may disclose personal information to:

  • Third-party service providers that assist in operating the Service:
    • Twilio (SMS delivery) — USA
    • Resend (email delivery) — USA
    • Vercel (hosting, serverless functions) — Sydney region
    • Neon (database hosting) — Sydney region (ap-southeast-2)
    • Upstash (Redis cache) — nearest region
    • CoolTrax (upstream telematics) — Australia
  • Law enforcement or regulators where required by Australian law or a valid court order.
  • Your organisation’s other authorised users — the Service is multi-user; other users in your organisation with appropriate roles can see shared data (assets, alerts, readings, audit logs).

We do not sell, rent, or trade personal information to third parties for marketing purposes.

5. Cross-border data transfers

Some of our service providers (Twilio, Resend) are located in the United States. When personal information is transferred overseas, we take reasonable steps to ensure it is protected in accordance with the APPs, including by using providers with appropriate security certifications and contractual data protection obligations.

Telemetry data and the primary database are hosted in the ap-southeast-2 (Sydney) region for Australian data sovereignty.

6. Data retention

Telemetry readings and resolved alerts are retained for a configurable period (default: 6 hours; maximum: 30 days) and are then permanently deleted. Active alerts are retained until resolved. Account information is retained for the duration of the Customer’s agreement and for a reasonable period thereafter (no less than 30 days) for audit purposes.

7. Data security

We implement reasonable security measures including:

  • Encryption in transit (TLS/HTTPS on all connections);
  • Encryption at rest for database storage (Neon/Postgres);
  • Password hashing using industry-standard algorithms (scrypt);
  • Rate limiting on authentication endpoints;
  • Role-based access control with audit logging;
  • Security headers (HSTS, X-Frame-Options, CSP) on all responses;
  • Password-reset tokens stored only as SHA-256 hashes (the raw token appears only in the email and is never stored).

No system is completely secure. We cannot guarantee the absolute security of your information.

8. Your rights

Under the Privacy Act 1988, you have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete personal information;
  • Complain about a breach of the APPs.

To exercise these rights, contact us at jordan@blackmountainai.com.au. We will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies and analytics

The Service uses session cookies for authentication. We do not use third-party advertising or analytics cookies. The session cookie is strictly necessary for the Service to function and is not used for tracking.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notice at least 14 days before taking effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

Black Mountain AI Pty Ltd (ABN 87 673 936 448) · NSW 2010, Australia

Contact: jordan@blackmountainai.com.au