Privacy policy.
Last updated: 1 June 2026
This Privacy Policy explains how Surau Engineering (ABN 51 696 483 468), trading as “Pitlane HQ” (“PitlaneHQ”, “we”, “us”, or “our”), handles personal information in connection with our workshop management software and related services (the “Service”).
We comply with the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth) (“Privacy Act”), the Spam Act 2003 (Cth) for electronic marketing, and applicable state and territory privacy legislation. “Personal information” has the meaning given in the Privacy Act.
1. Our two roles: when we control data, and when we only process it
PitlaneHQ handles personal information in two distinct capacities. Understanding which applies determines who is accountable under the Privacy Act and how you exercise your rights.
- As the responsible entity (we decide how data is handled). For information about the workshop business and its users — the account holder's name, login, billing details, and how the workshop itself uses the Service — PitlaneHQ is the APP entity. This policy governs that information directly.
- As a service provider acting on a workshop's instructions (the workshop decides). For the operational data a workshop stores in the Service about its own customers, vehicles, employees, jobs, invoices, and communications, the workshop is the APP entity and is responsible for that data under the Privacy Act. PitlaneHQ processes it only to provide the Service, on the workshop's behalf, under the terms of our Data Processing Addendum. If you are an end customer or employee of a workshop, your privacy enquiries should generally be directed to that workshop; we will assist them in responding.
2. Information We Collect
2.1 Workshop account information (we are the responsible entity)
When a workshop registers for PitlaneHQ, we collect information to create and manage the account:
- Name and contact details of account users (email address, phone number)
- Business name, ABN, and business address
- Billing information (payment method and transaction history are processed and stored by Stripe; we do not store full card numbers)
- Login credentials (passwords are securely hashed and never stored in plain text)
2.2 Workshop operational data (the workshop is the responsible entity)
In the course of running their business, a workshop may store the following in the Service. PitlaneHQ processes this data on the workshop's instructions and does not use it for our own purposes:
- Customer names, contact details, and vehicle information (including registration plate and VIN)
- Job records, inspections, quotes, invoices, payments, and related financial information
- Employee and technician records, including timesheets and payroll information where the workshop uses our HR & Payroll module (see section 8)
- Stock, supplier, and purchase order information
- Uploaded files and documents (photos, PDFs, attachments)
- SMS, email, and in-app communication history
2.3 End-customer information (collected directly via customer-facing features)
Where a workshop enables customer-facing features — the customer portal, online booking, or the Pitlane Marketplace — end customers may provide personal information directly to the Service (name, contact details, vehicle, booking and quote details). We process this to deliver the requested feature and make it available to the relevant workshop.
2.4 Usage and technical data
- Browser type, operating system, and device information
- IP address and approximate (city-level) location
- Pages visited, features used, and time spent in the Service
- Error logs and performance data used to operate and improve the Service
2.5 Cookies and analytics
We use cookies and similar technologies for essential functionality (authentication, security, site preferences) and for analytics and marketing measurement:
- Essential cookies — required for login, security (CSRF protection), and core Service operation. These cannot be disabled without breaking the Service.
- Google Analytics 4 (GA4) — understanding aggregate usage to improve the Service.
- Meta Pixel — measuring the effectiveness of our marketing campaigns. This involves disclosure to Meta Platforms (United States); see section 11.
- Sentry — error and performance monitoring.
For non-essential (analytics and marketing) cookies on our public website, we rely on your consent, which is indicated by your continued use of the site after being presented with this policy. You can control or block cookies through your browser settings. We are progressively rolling out a granular cookie-preference control; until then, you may opt out of analytics and marketing cookies by adjusting your browser settings or contacting us at privacy@pitlanehq.com.au.
3. How We Use Personal Information
We use personal information only for purposes connected with providing and operating the Service:
- Provide and maintain the Service — deliver workshop management features and process data on the workshop's behalf
- Communicate with you — send transactional messages (invoices, booking confirmations, password resets), service announcements, and support responses
- Process billing — manage PitlaneHQ subscription billing via Stripe
- Improve the Service — analyse aggregate usage, diagnose issues, and develop features
- Security and fraud prevention — detect and prevent unauthorised access, abuse, and other threats
- Legal compliance — meet our obligations under Australian law
We will not use or disclose personal information for a purpose other than the one for which it was collected unless you would reasonably expect it, you consent, or the use is otherwise permitted under the APPs.
4. Artificial Intelligence and Automated Processing
Some optional features (collectively, “Workshop Brain” and our AI assistance features) use machine-learning models to generate draft text and suggestions — for example, drafting SMS replies, polishing quote and invoice wording, cleaning up technician notes, and assisting with job estimation. Where these features are enabled:
- Relevant workshop data is processed by our AI sub-processor (Amazon Web Services — Bedrock) to generate the output. This processing occurs to deliver the feature you requested.
- Outputs are drafts for human review. We do not make decisions that produce legal or similarly significant effects about an individual by automated means alone — a workshop user reviews and decides whether to use any AI-generated output.
- Workshop-scoped only. AI features draw on the requesting workshop's own data. We do not pool one workshop's data into features served to another workshop.
- Technical reference data sourced from licensed third-party providers is excluded from any model training, consistent with our licensing obligations.
5. Disclosure and Sub-processors
We do not sell personal information. We disclose information only to the service providers (“sub-processors”) needed to deliver the Service, and only as necessary for that purpose. The full, authoritative list — including each provider's location, purpose, and the categories of data they process — is published at pitlanehq.com.au/legal/sub-processors.
Categories of recipient include:
- Infrastructure — hosting, database, and encrypted backups (Microsoft Azure in Australia; Cloudflare; AWS and Backblaze for backups)
- Payments and communications — Stripe (PitlaneHQ subscription billing), PitlanePay/eWAY (customer card payments), Twilio (SMS), Resend (email)
- Observability — Sentry (error and performance monitoring)
- Opt-in integrations — engaged only when a workshop activates them: accounting providers (Xero, QuickBooks Online), vehicle data and visualisation providers. Data flow stops when the workshop disconnects the integration.
We provide workshops at least 30 days' notice before engaging a new sub-processor that will process workshop or customer personal information. We may also disclose information where required by law, court order, or governmental authority, or to protect the rights, property, or safety of PitlaneHQ, our users, or others.
6. Direct Marketing and the Spam Act
We may send you marketing communications about PitlaneHQ where permitted. In doing so we comply with APP 7 and the Spam Act 2003 (Cth):
- We send commercial electronic messages only with your express or inferred consent
- Every marketing message identifies us and includes a functional unsubscribe facility
- We action unsubscribe requests promptly (within the statutory period)
Note for workshops using the Marketing module: when a workshop sends SMS or email campaigns to its own customers through the Service, the workshop is the sender and is responsible for holding the necessary consents and complying with the Spam Act for those messages. The Service provides consent-management and unsubscribe tooling to assist, but the workshop remains accountable for its own marketing.
7. Data Security
We implement technical and organisational measures appropriate to the sensitivity of the data, including:
- Encryption in transit — all traffic to and from the Service uses TLS/HTTPS
- Encryption at rest — sensitive credentials and integration tokens are encrypted at rest using strong, industry-standard encryption
- Access controls — role-based permissions restrict users to data relevant to their role
- Multi-tenant isolation — each workshop's data is logically segregated and inaccessible to other workshops
- Secure authentication — passwords are securely hashed; user sessions use secure, short-lived tokens; optional two-factor authentication
- Australian data residency — primary hosting and the primary database are located in Australia (Azure Australia East), with point-in-time recovery and geo-redundant encrypted backups
- Audit logging — data modifications are logged for accountability
No system is perfectly secure. While we take reasonable steps to protect personal information as required by APP 11, we cannot guarantee absolute security.
8. Employee and Payroll Data
Where a workshop uses our HR & Payroll module, the Service processes employee personal information — which may include contact details, employment records, timesheets, pay and superannuation details, and tax identifiers. This information is treated with heightened care:
- The workshop is the employer and the responsible entity for its employees' personal information; PitlaneHQ processes it solely to provide the HR and payroll features and, where the workshop enables it, to sync payroll records to the workshop's connected accounting platform.
- Tax File Numbers and similar identifiers are subject to additional protections; we handle them only as necessary to deliver payroll functionality and in line with the relevant Tax File Number Rule.
- The same encryption, access-control, and Australian-residency measures in section 7 apply.
9. Data Retention
We retain personal information only for as long as necessary for the purposes set out in this policy, or as required by law:
- Workshop operational data (jobs, invoices, customers, vehicles) is retained for the duration of the workshop's subscription so the workshop can run its business.
- After cancellation, we retain data for a limited reactivation and wind-down window, then delete or de-identify it, except where longer retention is required by law (for example, financial and tax records). A workshop may request earlier deletion of its data.
- Audit and security logs are retained for a defined period (currently at least 90 days, and longer in tamper-evident archive where required for compliance) to support security and accountability.
- Backups are retained on a rolling basis and cycle out automatically; data deleted from the live Service is purged from backups as they expire.
10. Your Rights (APP 12 and APP 13)
Subject to the Privacy Act, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request correction of inaccurate, out-of-date, or incomplete information
- Deletion — request deletion of your personal information, subject to legal retention obligations
- Complaint — complain to us and, if unsatisfied, to the Office of the Australian Information Commissioner (OAIC)
- Data export — workshops can export their data via the Service's export features at any time
If your request concerns data a workshop holds about you as its customer or employee (section 1, second role), we will refer you to, and assist, the relevant workshop, who is the responsible entity for that data. To exercise a right or make an enquiry, contact privacy@pitlanehq.com.au. We aim to respond within 30 days.
11. Cross-Border Disclosure (APP 8)
Some sub-processors process data outside Australia (see the sub-processors page for each provider's location and the safeguards that apply). Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs — through Data Processing Addendums, Standard Contractual Clauses, or reliance on the recipient being bound by substantially similar protections. For overseas disclosures that depend on your consent, your use of the relevant feature indicates that consent.
12. Notifiable Data Breaches
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach that is likely to result in serious harm, we will notify affected individuals and the OAIC as soon as practicable, in accordance with the scheme. Where PitlaneHQ acts as a processor for a workshop, we will notify the affected workshop without undue delay so it can meet its own obligations, and we will reasonably assist its response.
13. Children's Privacy
The Service is intended for businesses and is not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have done so, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice in the Service. The “Last updated” date above reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
For privacy enquiries or to exercise your rights, contact us:
- Privacy: privacy@pitlanehq.com.au
- General enquiries: hello@pitlanehq.com.au
- Phone: 07 4800 9005
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.