Last updated: 29 June 2026
Velo4U Privacy Policy
1. About This Policy & Who We Are
This Privacy Policy explains how Velo4U Pty Ltd (ABN 39 698 550 033) ("Velo4U", "we", "us", "our") collects, holds, uses and discloses your personal information.
Velo4U is an Australian proprietary limited company based in Victoria, Australia. We operate a car‑wrap advertising marketplace. We connect:
- Drivers — individuals who apply through our mobile app (iOS and Android), have their personal vehicle wrapped in advertising livery, drive normally, and are paid a flat weekly rate as independent contractors; and
- Advertisers — businesses that request quotes and run wrap‑advertising campaigns through our website and receive coverage reporting.
We are the entity responsible for, and accountable for, the personal information described in this policy (in data‑protection terms, the "data controller").
This policy is designed to comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), and in particular with APP 1, which requires us to maintain a clearly expressed and up‑to‑date privacy policy that openly and transparently manages personal information.
This policy applies to:
- our driver mobile app (iOS and Android); and
- our advertiser website at https://velo4u.com.
Effective date: 29 June 2026
Privacy contact: privacy@velo4u.com
We do not publish a street address in this policy. For the privacy and safety of the individuals involved, we ask that you contact us using the email address above and quote our ABN (39 698 550 033).
2. Scope & Privacy Act Applicability
The Privacy Act and the APPs apply in full to "APP entities". Small businesses with an annual turnover of $3 million or less are sometimes exempt, but a number of exceptions remove that exemption.
Velo4U treats itself as bound by the Privacy Act and all 13 Australian Privacy Principles, and commits to handling all personal information in accordance with them, regardless of turnover. We adopt this position because:
- we disclose personal information about an individual (a driver) to another person (an advertiser) in connection with coverage reporting, for a benefit, service or advantage — an activity that removes the small‑business exemption under the Privacy Act (the "disclosing for benefit" exception, s 6D(4)(c)); and
- we collect and handle sensitive information (continuous precise location, in context) about drivers; and
- as a matter of policy, we voluntarily commit to the APPs in any event.
Because drivers and advertisers give us very different information for different reasons, this policy separates driver handling from advertiser handling wherever it matters. Where a section is specific to one group, it is labelled.
3. Personal Information We Collect (Drivers)
This section lists, as exhaustively as we can, the personal information we collect from and about drivers. We collect only what is reasonably necessary for our functions and activities (APP 3).
(a) Identity and account information
- Full name
- Email address
- Phone number
- Password (handled by Google Firebase Authentication; we do not see or store your plain‑text password)
- Date of birth (to confirm you are 18 or over)
(b) Address and location of residence
- Full home address (street, suburb, state, postcode)
- Geocoded coordinates derived from your address (latitude/longitude), used to match you to campaigns by area
(c) Eligibility and background information
- Student status and university/institution name (where relevant to a campaign)
- Driver's licence, vehicle registration and insurance status as required for eligibility
(d) Vehicle information
- Vehicle make, model, year, colour
- Vehicle registration (number plate) and the state of registration
(e) Photographs
- Vehicle verification photos you submit when you join (to confirm the vehicle and its condition); stored in
vehicleVerifications - Weekly check‑in photos of your wrapped vehicle, submitted as part of the check‑in cycle that gates your pay
(f) Location information — continuous background GPS (sensitive in context)
When, and only when, you are on an active campaign and have given the necessary permissions, our app collects your device's precise location in the background, including:
- latitude and longitude,
- heading (direction of travel),
- speed, and
- a timestamp for each fix.
Location is sampled roughly every 30 seconds, or every 50 metres of travel, whichever comes first. Each fix is written as a "latest" position to driverLocations/{your‑id} (overwriting the previous one) and appended to a route‑history trail at driverLocations/{your‑id}/history. The result is a detailed record of where your wrapped vehicle has travelled while a campaign is active.
We treat this continuous precise route history as sensitive information in context and handle it accordingly. See Section 5 for full detail, including how to turn it off.
(g) Financial information
- For payment, either your bank account details (account name, BSB, account number) or your PayID (a phone number or email address linked to your bank)
- Your earnings, payment history and payout records
(h) Device and technical information
- Device model, operating system and version, app version
- A persistent identifier for your signed‑in session stored securely on your device
- In‑app activity (e.g. screens used, check‑ins submitted, campaign status)
(i) Crash and diagnostic information
- Crash reports, error logs and diagnostic data via Sentry (see Sections 8 and 9), which may include a user identifier and technical metadata about the error
(j) Push notification tokens
We do not currently collect push‑notification tokens in the live app. If we introduce push notifications, we will collect a device push token to deliver notifications, and we will update this policy before doing so. We mention this so that this policy is not over‑claiming a feature that does not yet exist.
4. Personal Information We Collect (Advertisers / Website)
When a business enquires about, requests a quote for, or runs a campaign through our website at https://velo4u.com, we collect:
- Business/company name
- Industry or business type
- Contact person's name
- Contact email address
- Contact phone number
- Target suburbs or areas for the campaign
- Number of vehicles requested
- Campaign duration and placement preferences
- Any other details submitted in the quote or campaign request form
These submissions are stored in our quotes and campaignRequests records.
Website cookies. The website uses cookies and similar technologies that are necessary for the site to function. We do not use cookies for third‑party advertising.
The website carries its own short collection notice at the point of the form (APP 5). This policy supplements that notice.
5. Sensitive Information & Location Tracking
This is the most important section of this policy and concerns the most sensitive information we handle.
What we collect. While you are on an active campaign, we collect your device's precise location in the background, including latitude, longitude, heading, speed and a timestamp, sampled approximately every 30 seconds or every 50 metres of travel. We build this into a continuous route‑history trail plus a live "latest" position.
Why we treat this as sensitive. A continuous, precise record of where you drive can reveal a great deal about you — where you live, work, worship, seek medical care, and who you associate with. For that reason we treat it with the same care the Privacy Act gives to sensitive information, and we only collect it with your express, separate opt‑in consent.
When we collect it. Only when all of the following are true:
- you are an approved driver on an active campaign; and
- you have granted the operating‑system location permission (including the "Always"/background permission); and
- background tracking is running for that campaign.
Location tracking stops when:
- the campaign ends or is paused;
- you withdraw the operating‑system location permission; or
- you delete your account.
Why we collect it (purposes). We use your location only to:
- verify that the advertising wrap is actually being displayed on the road;
- produce coverage reporting for advertisers (what areas a campaign reached); and
- power your own "Trips" view in the app so you can see your driving history.
How consent works. Before any background location is collected, the app shows you a dedicated, separate consent screen explaining what is collected and why, and asks you to opt in. This consent is not bundled into your acceptance of our Terms & Conditions. You give it (or decline it) as a distinct, affirmative choice, in addition to the operating‑system permission prompts. Granting the consent is necessary to be an active driver, because verifying wrap exposure is the core of the service; you can decline, but you will not be able to run a campaign.
How to withdraw consent or turn it off. You can stop background location collection at any time by:
- turning off location permission for the Velo4U app in your device's settings (iOS: Settings › Privacy & Security › Location Services; Android: Settings › Location / App permissions); and/or
- ending your campaign or deleting your account.
Withdrawing location permission will stop tracking and will generally prevent you from continuing an active campaign or earning while it is off.
Surveillance devices laws. Australian states and territories have Surveillance Devices Acts that regulate the use of tracking devices, and these laws vary between jurisdictions. In Victoria, the Surveillance Devices Act 1999 (Vic) restricts the use of a tracking device to determine the geographical location of a person or object without consent. Because Velo4U tracks the location of a driver's vehicle, we obtain the driver's express consent (as described above) and rely on that consent for the purposes of these laws.
6. How We Collect Your Information
We collect personal information by lawful and fair means, and only to the extent reasonably necessary for our functions (APP 3). We collect it:
- Directly from drivers through in‑app sign‑up and profile screens;
- From your device camera when you submit vehicle verification and weekly check‑in photos;
- From a background location worker on your device during active campaigns (Section 5);
- From advertisers through the quote/campaign request form on https://velo4u.com;
- Through Firebase Authentication when you create and sign in to your account; and
- Automatically, in the form of device, activity, crash and diagnostic data, as you use the app.
Wherever it is reasonable and practicable, we collect personal information directly from you.
Just‑in‑time collection notices (APP 5). We show short, plain‑language notices at the moment we collect the more sensitive items — in particular:
- before we request background‑location permission and present the dedicated location‑consent screen;
- before you enter bank account or PayID details; and
- at the point you capture or upload vehicle and check‑in photos.
7. Why We Use Your Information (Purposes)
We use personal information for the following primary purposes:
- to create, operate, secure and support your account;
- to assess driver eligibility and match drivers to campaigns;
- to verify that the advertising wrap is displayed on the road (using location and check‑in photos);
- to operate the weekly check‑in cycle and to calculate and gate weekly pay on completed check‑ins;
- to pay drivers the flat weekly rate via bank transfer/PayID (processed manually through NAB);
- to produce coverage reporting for advertisers;
- for fraud prevention and verification of check‑ins and campaign activity;
- to provide customer and operational support;
- for safety and to protect our and others' rights;
- to communicate with you about your account, campaigns and this service; and
- to comply with our legal, tax and record‑keeping obligations.
We may use de‑identified or aggregated information (which is not personal information) to understand and improve the service and for reporting.
We do not sell your personal information. We do not, and will not, sell your personal information to third parties.
What this means for location data. Our app tells drivers we never sell their personal details and that advertisers never see their identity or home address. We want to be precise about what this means, because advertisers do receive coverage reporting that is derived from location data:
- We do not sell location data.
- We do not give advertisers your identity, name, home address, or raw real‑time location pins.
- What advertisers receive is coverage reporting derived from location — for example, the areas and extent of coverage a campaign achieved.
Secondary use. We will only use or disclose your personal information for a purpose other than the one for which it was collected where you would reasonably expect it and the purposes are related (or directly related for sensitive information), where you consent, or where the law permits or requires it (APP 6).
8. Who We Disclose Your Information To
We disclose personal information to the following categories of recipients, only as needed for the purposes in Section 7:
- Advertisers — coverage reporting derived from driver location data (see the precision note in Section 7);
- National Australia Bank (NAB) — bank account/PayID details and payment amounts, to pay drivers (payments are processed manually/offline through NAB);
- Google / Firebase — Firebase Authentication, Cloud Firestore (database), Cloud Storage (photos), Cloud Functions (server logic) and Google Maps (geocoding of addresses and mapping);
- Resend (Resend Inc.) — your name and email address, to send transactional emails;
- Sentry (Functional Software, Inc.) — crash and diagnostic data, which may include a user identifier and error metadata;
- Velo4U operations and administration staff — who access personal information on a need‑to‑know basis to run the service; and
- Others where required or authorised by law, or where you have consented (for example, law enforcement or regulators on a valid request).
We do not disclose your personal information to any other party except with your consent, or as permitted or required by law.
Several of these recipients are overseas or may store/process data overseas — see Section 9.
9. Overseas Disclosure (APP 8)
Some of our service providers are located overseas or may transfer or access personal information overseas. Under APP 8, before we disclose personal information to an overseas recipient we take such steps as are reasonable in the circumstances to ensure the recipient handles it consistently with the APPs (typically through the provider's contractual data‑processing terms). Importantly, under s 16C of the Privacy Act we generally remain accountable for personal information handled by these overseas recipients.
Onshore (Australian) hosting — Google Firebase. Our core systems — Firebase Authentication, Cloud Firestore, Cloud Storage and Cloud Functions — are hosted in the Google Cloud australia‑southeast2 (Melbourne) region, so this data is primarily stored in Australia. However, Google is a global provider and a limited amount of access or processing (for example, support, security or service operation) may occur outside Australia. Google may therefore be located in, or access data from, the United States and other countries in which Google operates.
Overseas recipients we disclose to:
| Recipient | Country | What is disclosed |
|---|---|---|
| Sentry — Functional Software, Inc. | United States | Crash/diagnostic data, including a user identifier and error metadata |
| Resend — Resend Inc. (email delivery; uses an Amazon SES backbone) | United States | Names and email addresses in transactional emails |
| Google LLC / Google Maps | United States (and global) | Geocoding queries (addresses) and map service requests; limited global access to Firebase data as noted above |
10. Security of Your Information (APP 11)
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11). Our measures include:
- Authentication. Accounts are protected by Firebase Authentication; we never store your plain‑text password.
- Access controls in the database. Firestore security rules restrict who can read and write data. Sensitive fields — including financial details (bank/PayID) and payout records — are restricted so that they can only be written/processed by administrators and server‑side Cloud Functions, not by ordinary client devices.
- Secure on‑device storage. The signed‑in driver identifier is stored on the device using secure storage (
expo-secure-store, backed by the iOS Keychain / Android Keystore), configured to remain protected while the device is locked. - Encryption in transit. Data is transmitted over encrypted connections (TLS/HTTPS).
- Encryption at rest. Data stored in Google Cloud is encrypted at rest using Google‑managed encryption.
- Australian data residency. Core data is hosted in the australia‑southeast2 (Melbourne) region (see Section 9).
- Need‑to‑know access for staff and administrators.
Given the heightened sensitivity of the information we hold — bank/PayID details and continuous location — we treat the security of these items with particular care. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; if you believe your account has been compromised, contact us immediately at privacy@velo4u.com.
11. Data Retention & Deletion
We keep personal information only for as long as it is needed for the purposes set out in this policy or as required by law, and we take reasonable steps to destroy or de‑identify personal information we no longer need (APP 11.2).
Location route history. A driver's continuous location route history is retained only for as long as necessary to verify wrap exposure, finalise advertiser coverage reporting, and resolve any related disputes. After that, it is destroyed or de‑identified. You may ask us to delete your location data at any time (see Sections 12 and 13).
Financial and tax records. We retain payment, earnings and payout records for the period required by Australian tax and business‑records law, even after an account is deleted.
Other personal information is retained while your account is active and for a reasonable period afterwards, then deleted or de‑identified, subject to any legal retention requirement.
Requesting deletion. You can ask us to delete your personal information at any time — see Sections 12 and 13 for how, what is deleted, and what we must lawfully retain.
12. Accessing & Correcting Your Information (APP 12 / APP 13)
You have the right to access the personal information we hold about you, and to ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading.
- Self‑service. As a driver, you can view and edit many of your profile fields directly in the app.
- On request. For anything you cannot change yourself — including your location route history and your check‑in/vehicle photos — email us at privacy@velo4u.com and tell us what you would like to access or correct.
We will respond to access and correction requests within a reasonable time, and in any case within 30 days of your request. We will not charge for making a request, and any charge for giving access will not be excessive.
We may need to verify your identity before acting on a request. In limited circumstances we may decline an access request (for example, where giving access would be unlawful, would unreasonably affect the privacy of others, or another exception in APP 12 applies). If we refuse access or correction, we will tell you why in writing and explain how you can complain (see Section 18). If we correct information we have previously disclosed, you may ask us to notify the recipients of the correction.
13. Account & Data Deletion
You can delete your Velo4U account and associated personal information.
How to request deletion. Email us at privacy@velo4u.com from the address associated with your account and ask us to delete your account. We will verify your identity and then delete or de‑identify your personal information, keeping only the financial and payment records we are required to retain by law (see "What we retain" below).
What is deleted. When your driver account (users/{your‑id}) is deleted, our automated cleanup process removes the related data, including:
- your Firebase Authentication account (so your email can be re‑registered);
- your applications records;
- your vehicle verifications (
vehicleVerifications/{your‑id}); - your verification records;
- your installation bookings;
- your location data and route history (
driverLocations/{your‑id}and its history); and - your chats/messages.
What we retain. We retain certain information where we are legally required or permitted to, in particular payment, earnings and payout records for tax and business‑records purposes (see Section 11), and any information we must keep for fraud prevention, dispute resolution or legal compliance. Retained records are kept securely and used only for those purposes.
14. Automated Decision‑Making
Some of our processes use personal information in automated logic that can affect you:
- Check‑in counting and pay‑gating. Our system automatically counts your weekly check‑ins and determines when a week becomes "payable" — generally once you have completed 3 check‑ins in the week and a full week has elapsed since the cycle started. Submitting a check‑in optimistically increments your count; if a check‑in is later rejected, an automated process reverses the count (and reverses any credited‑but‑unpaid amount for that week).
- Stalled‑driver flagging. We automatically identify drivers who appear to have stalled (for example, who have not progressed or checked in as expected) so we can follow up.
What this means for you. These automated steps influence whether and when a weekly payment is due, but final payout and verification decisions involve human review by Velo4U staff. The information used includes your check‑in submissions and timestamps, check‑in photos, campaign status and (for verification) location data.
15. Data Breaches (Notifiable Data Breaches Scheme)
We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act.
If we suspect an eligible data breach may have occurred, we will assess it within a maximum of 30 days. If we determine there has been an eligible data breach — that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm — we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
Because we hold bank/PayID details and continuous location data, we recognise that a breach involving this information carries a heightened potential for serious harm, and we treat any such incident with corresponding urgency.
We have processes in place to assess and respond to eligible data breaches in line with the Notifiable Data Breaches scheme, including breaches occurring at our service providers (for example, Firebase, Resend or Sentry) as well as our own systems.
16. Children
Velo4U's service is intended for adults aged 18 and over. Drivers must be at least 18 and must hold a valid driver's licence, vehicle insurance and a bank account or PayID. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact us at privacy@velo4u.com and we will take reasonable steps to delete it.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technology or legal obligations. When we do, we will revise the "Last updated" date at the top of this policy and publish the updated version on https://velo4u.com and in the app.
Where changes are material, we will take reasonable steps to notify you — for example, by email or by an in‑app notice. Where required, we will ask you to re‑accept the updated policy and/or our Terms before you continue to use the service.
18. Contact Us & Complaints (OAIC Escalation)
Contact us. If you have a question, an access/correction request, or a privacy concern, contact our privacy officer:
- Email: privacy@velo4u.com
- Velo4U Pty Ltd, ABN 39 698 550 033 (please quote our ABN; we do not publish a street address — see Section 1)
Making a complaint. If you believe we have mishandled your personal information or breached the APPs:
- Contact us first at privacy@velo4u.com. Please describe your concern so we can investigate. We will acknowledge your complaint and aim to respond within a reasonable time (and in any case within 30 days).
- Escalate to the OAIC. If you are not satisfied with our response, or we do not respond within a reasonable time, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992