Privacy Policy
Legal Entity
1pm.app is the registered business name of 1pm.app operated by WorkZerk PTY Ltd (ABN 72 163 622 508).
1. Definitions
"Agreement" means this privacy policy.
"1pm" or "1pm.app" or "onepm" means the company WorkZerk PTY LTD (ABN 72 163 622 508) operating 1pm.app under the registered business name of '1pm.app' in the state of QLD, Australia and its associated websites.
"Data" means any data inputted, typed, pasted, entered, imported or uploaded by You or with Your authority into the Website 1pm.app or related domains and sub domains, including files or images.
"Service" means the software application made available (as may be changed or updated from time to time by 1pm) via the Website, located at live.1pm.app, or any other such locations acting as application servers or sub domains or other associated domains for 1pm (which may change from time to time, without notice).
"Subscriber" means the person who registers to use the Service, and, where the context permits, includes any entity on whose behalf that person registers or assigns to use the Service.
"Stripe Billing Portal" means the Stripe billing portal system that provides billing and subscription services to you as the Subscriber, and is accessed directly from that third party external platform.
"User" means any person or entity, including the Subscriber, that uses the Service with the authorization of the Subscriber from time to time.
"Crew" means any person who provides, uses or submits information through the Service at the request of a Planner, including but not limited to the application located at live.1pm.app or its sub domains.
"Websites" means the Internet sites at the domain, or subdomains, at 1pm.app, or any other site operated by 1pm.app.
"You" means the Subscriber, and where the context permits, a User. "Your" has a corresponding meaning.
2. How We Protect Your Privacy and Manage Your Data
This policy may be updated from time to time. 1pm.app reserves the right to change the provisions of this Policy at any time. We will alert You of changes that have been made by indicating on the Policy the date it was last updated (at the bottom of this document). We encourage You to review this policy from time to time to make sure that You understand how any personal information you provide will be used.
This policy references the 1pm.app Terms of Use required to be accepted to use the 1pm.app application and available as a footer link at 1pm.app.
1pm.app processes personal data in two general contexts:
- As a business engaging with clients, suppliers, prospects, and other stakeholders through a number of channels including its website, email, video chat, online chat, phone, video training sessions, webinars, advertising, and social media ("1pm.app as a Business"), and
- As a provider of online onboarding and compliance management services ("1pm.app as a Service Provider").
For clarity, the privacy considerations are presented in each of these contexts.
3. Australian Privacy Act Compliance
3.1 Privacy Act 1988 (Cth)
1pm.app is committed to protecting Your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy describes how We collect, hold, use, and disclose personal information, and how You can access and correct Your personal information or make a complaint.
3.2 Types of Personal Information Collected
We may collect the following types of personal information:
- Name and contact details (email, phone, address)
- Business information (company name, role)
- Photos, files or images (as uploaded by You or Your Crew)
- Payment information (processed securely by Stripe)
- Usage data and preferences
3.3 Sensitive Information
1pm.app may collect sensitive information as defined under the Privacy Act, including health information, criminal history checks, or other compliance-related documentation uploaded by Subscribers or Onboardees. We only collect sensitive information with consent or where required by law, and We take additional steps to protect this information.
3.4 Purpose of Collection (APP 3 & 6)
We collect personal information for the primary purpose of providing the 1pm.app Service, including:
- Facilitating the management of live events
- Managing credential expiry and notifications
- Enabling document storage and verification workflows
- Processing payments
- Providing customer support
We will not use or disclose personal information for a secondary purpose unless You have consented or it is required by law.
3.5 Data Storage and Security (APP 11)
All Data is stored on Microsoft Azure's global network of servers and geo-redundant replicas, which includes locations within the Australia East and East US regions. The exact physical location of Your data is at our discretion. To ensure high availability and disaster recovery, Your Data may be stored or replicated across various Azure data centers worldwide. Consequently, Data may reside outside of Australian jurisdiction. We continue to protect Your information using industry-standard security measures, including encryption in transit (TLS) and at rest, secure authentication, and strict access controls.
3.6 Cross-Border Disclosure (APP 8)
Because Our infrastructure provider (Microsoft Azure) operates a global network and We use both Australian and US Azure regions, Your personal information may be transferred to, stored in, and accessed from countries outside Australia, including the United States.
We also use a small number of overseas service providers to operate the Service. The current list — including each provider's purpose, location, and DPA — is maintained at 1pm.app/Subprocessors.
For transfers from the European Economic Area, the United Kingdom or Switzerland, We rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms approved under applicable law. For Australian customers, all overseas providers are bound by contract to standards substantially similar to the Australian Privacy Principles. If You enable third-party integrations that transfer Data overseas outside the providers We engage, You are responsible for ensuring those services meet Your privacy requirements.
3.7 Access and Correction (APP 12 & 13)
You have the right to:
- Request access to the personal information We hold about You
- Request correction of any inaccurate, incomplete, or out-of-date information
- Request deletion of Your personal information (subject to legal retention requirements)
- Withdraw consent for marketing communications
- Request that We restrict or object to Our processing of Your information in certain circumstances
- Request a portable copy of Your information in a structured, machine-readable format
Subscribers can self-serve most of these actions: account export and account deletion are available from inside Your account settings. For other requests, or if You are a Crew member (see clause 5), contact us at hello@1pm.app. We will respond within 30 days.
If You are an individual in the European Economic Area, the United Kingdom, or Switzerland, additional rights under the GDPR apply — see clause 11 below.
3.8 Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When Data is no longer required, We will take reasonable steps to destroy or de-identify it. Specific retention windows currently in effect include:
- Active accounts: retained while the account is active and for the duration of any paid Subscription Period.
- Trial accounts that don't convert: automatically deleted 150 days after the trial begins (120-day trial + 30-day grace period).
- Cancelled paid accounts: automatically deleted 270 days after cancellation. We send a warning email at least 60 days before deletion so You can export Your Data, log in to keep the account active, or resubscribe.
- Backup copies: may persist in Azure-managed backups for up to 35 days after deletion as part of disaster-recovery snapshots, after which they are overwritten.
- Audit logs for support impersonation sessions (see clause 9): retained separately from the account so the record survives account deletion.
- Email delivery records and suppression lists: retained for the operational lifetime of the Service to honour unsubscribes and bounce handling.
Subscribers may export their Data at any time via the account export function before deletion.
4. 1pm.app as a Service Provider
4.1 Data Controller and Processor Relationship
When You use 1pm.app, You (the Subscriber) act as the data controller for the personal information collected from Crew. 1pm.app acts as a data processor, processing that information on Your behalf and in accordance with Your instructions. For European Economic Area, UK and Swiss data, the processor obligations set out in Article 28 of the GDPR (and equivalent UK GDPR provisions) apply and are incorporated by reference into the Terms of Use, clause 4.
We engage a small number of subprocessors (hosting, email delivery, billing, telemetry) to operate the Service. Each is bound by contract to confidentiality and security obligations no less protective than those We owe You. The current subprocessor list is published at 1pm.app/Subprocessors and updated when subprocessors change.
4.2 You Own Your Data
The Data entered, or imported on instruction, by You remains Your property. 1pm.app will not use or make available for use any of this information without Your permission.
4.3 You Control Who Has Access to Your Data
The Data entered, or imported on instruction, by You is stored securely in a database, or electronic file system, and is only accessible to any person You have authorised to use the Service. It is Your responsibility to delete login credentials or other planner/admin users' access credentials when they are no longer needed.
4.4 1pm.app Monitors System Usage
The Data entered, or imported on instruction, by You is stored securely in a database and is only accessible to persons You have authorised to use the Service. It is Your responsibility to keep Your password safe. 1pm.app, 1pm.app's staff and 1pm.app's partners do not have access to Your password. 1pm.app and 1pm.app staff may need to access some of Your Data to resolve system errors or to recreate scenarios to resolve support requests.
4.5 Your Data is Sent Securely Across the Internet
1pm.app's servers have SSL Certificates so all Data transferred between Users and the Service is encrypted including uploaded files. However, the Internet is not in itself a secure environment. Users should only enter, or instruct the importation of, Data to the database within a secure environment. This means that Your browser must support the encryption security used in connection with the Service.
4.6 1pm.app Does Not Store Any Credit Card Details
Any credit card details are encrypted and securely stored by Stripe to enable 1pm.app to bill the cards. Credit card details are not stored by the Service and cannot be accessed by 1pm.app staff.
4.7 Third Party Applications
You may optionally connect the Service to other applications. If You do so then You are solely responsible for checking the Privacy Policy of any third-party applications the Service links to and satisfying Yourself that they meet Your needs.
5. Information for Users
If You are a Crew Member using 1pm.app at the request of another organisation:
- The Subscriber is the primary controller of Your personal information
- 1pm.app processes Your information on behalf of the Subscriber
- Questions about how Your information is used should be directed to the Subscriber in the first instance
- You may contact 1pm.app at hello@1pm.app for questions about how We protect and store Your information
- You have the right to request access to or correction of Your personal information
6. Data Breaches and Complaints
6.1 Notifiable Data Breaches Scheme
1pm.app complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If We become aware of an eligible data breach that is likely to result in serious harm to any individual, We will:
- Promptly assess the breach
- Notify affected individuals as soon as practicable
- Notify the Office of the Australian Information Commissioner (OAIC)
- Take steps to contain the breach and prevent future occurrences
6.2 Breach Notification to Subscribers
If We become aware that Your Data has been accessed by, or disclosed to, an unauthorised party, We will notify You within 72 hours of becoming aware of the breach, providing details of the nature of the breach, the types of information involved, and recommended steps You should take.
6.3 Complaints
If You believe We have breached the Australian Privacy Principles, You may lodge a complaint by emailing hello@1pm.app. We will investigate Your complaint and respond within 30 days. If You are not satisfied with Our response, You may escalate Your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
1pm.app will cooperate with investigations conducted by the Privacy Commissioner or other authorised government privacy bodies.
7. 1pm.app as a Business
When You visit our websites and infrastructure at 1pm.app, live.1pm.app or other sub domains or associated websites, engage in marketing activities such as events, meetings, discussions and webinars, submit help requests, or contact us, we may collect personal information from You such as:
7.1 Active Collection
We may collect certain information You voluntarily provide to us which may contain Personal Information. For example, when You fill out a form, submit a comment, or contact us by email, online chat or other means.
7.2 Automatic Collection
When you visit our website and use the 1pm.app application, some information is also automatically collected, such as your internet protocol (IP) address, your operating system, the browser type, the address of a referring web site, and your activity on the sites.
We treat this information as personal information if we combine it with or link it to any of the identifying information mentioned above. Otherwise, it is used in the aggregate only (non-identifying).
7.3 Your Rights
You can unsubscribe from any marketing communication by following the unsubscribe instructions contained in the communication (usually in the footer section). You also have rights which include:
- Knowing what personal data we hold about You
- Asking us to correct any personal data we hold about You
- Asking us to delete or restrict any personal data we hold about You including uploaded files such as identity documents, certificates and PDF or image based credentials stored on our file storage server (Azure Blob Storage).
You can exercise these rights by sending an email to hello@1pm.app.
8. Cookies and Similar Technologies
A cookie is a small file containing an identifier sent by a web server to Your browser and stored by the browser. Persistent cookies survive until their expiry date or until You delete them; session cookies are cleared when You close the browser. Cookies do not by themselves identify You, but information We hold about You can be linked to the cookie's identifier.
We use only cookies that are strictly necessary to operate the Service. We do not use advertising cookies, behavioural-tracking cookies, social-media cookies, or third-party analytics cookies such as Google Analytics, Hotjar, or the Facebook pixel. Because all cookies We set fall within the "strictly necessary" exemption under the EU ePrivacy Directive, no cookie consent banner is required.
The cookies We set are:
- Authentication cookie (.AspNetCore.Identity.Application): identifies You while You are signed in. Expires when You sign out or after the session lifetime.
- Antiforgery cookie (.AspNetCore.Antiforgery.*): protects form submissions from cross-site request forgery. Session cookie.
- SSE cookie (the share-link viewer identifier): set when a Crew member loads a /v/ or /r/ page so the live-update stream can verify access. Session cookie scoped to /sse/.
- Cloudflare cookies (__cf_bm, cf_clearance): set by our content-delivery and security provider Cloudflare to distinguish humans from automated traffic. Required to use the Service.
- Stripe cookies: set only on billing-related pages where Stripe Elements are loaded, for fraud prevention. Required to complete a payment.
8.1 Telemetry
We use Microsoft Azure Application Insights to monitor Service health, errors, and performance. Application Insights is configured to not store client IP addresses or other directly identifying data — telemetry is aggregated to the request level (URL, status code, response time) and used solely for operational debugging and capacity planning. It is not used for marketing, profiling, or any cross-site tracking.
9. Support Access to Your Account
To help You debug an issue or recover from a problem, members of the 1pm.app support team may access Your account by signing in as You from inside the Service. This is called a support impersonation session. We do this only when needed and apply the following safeguards every time:
- Only support staff on a configured allow-list can start a session. The allow-list is short and reviewed periodically.
- Support staff must have two-factor authentication enabled on their own account before they can start a session.
- A reason must be entered before each session begins, and that reason is recorded in our audit log together with who started the session, when, and from which IP address.
- Sessions are read-only by default. To take any action on Your behalf the support staff member must explicitly request write mode and record a second reason. Write mode is never the default.
- Some actions are blocked even in write mode, including changing Your password, changing Your email address, changing or disabling Your two-factor authentication, and any billing action.
- You may receive an email at the email address on Your account when a session starts, telling You that we accessed the account, when, and the reason recorded by the support staff member. The email is skipped when the support staff member confirms You have already contacted us for support; in that case the session is still logged in the audit trail. The audit row records whether or not the email was sent. If You did not ask for support, You may contact us at any time at hello@1pm.app and we will investigate.
- The audit log of impersonation sessions is retained separately from Your account data, so it survives even if You later delete Your account.
10. Please Read Our Terms of Use
Use of the Service is subject to 1pm.app's Terms of Use, and this Privacy Policy should be read in conjunction with these Terms of Use. In the event of a conflict or disagreement between this Privacy Policy and the Terms of Use, the Terms of Use will prevail.
11. Notice to Individuals in the European Economic Area, United Kingdom and Switzerland (GDPR)
If You are an individual whose personal data is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection, the additional terms in this clause apply to You and supplement (rather than replace) the rights described elsewhere in this policy.
11.1 Lawful Bases for Processing
We process personal data on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Article 6(1)(b)): processing Subscriber account data, billing data, and Data uploaded into the Service to deliver the Service the Subscriber has signed up for.
- Legitimate interests (Article 6(1)(f)): operational telemetry, security monitoring, fraud prevention, anti-abuse rate limiting, and direct service-related communications with Subscribers. We have assessed that these interests are not overridden by Your rights.
- Legal obligation (Article 6(1)(c)): retaining records We are required by tax, accounting, or anti-money-laundering law to retain.
- Consent (Article 6(1)(a)): marketing emails You explicitly opt in to. You may withdraw consent at any time via the unsubscribe link in every marketing email or by contacting hello@1pm.app.
Where We act as a data processor on behalf of a Subscriber (the data controller), the Subscriber determines the lawful basis for processing Crew personal data and is responsible for ensuring an appropriate basis exists. We do not process Crew personal data for Our own purposes.
11.2 Your Rights Under the GDPR
In addition to the rights at clause 3.7, You have the right to:
- Access the personal data We hold about You (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten" — Article 17), subject to retention obligations
- Restriction of processing in certain circumstances (Article 18)
- Data portability in a structured, machine-readable format (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Not be subject to solely automated decision-making producing legal or similarly significant effects (Article 22). We do not perform such automated decision-making.
If You are a Crew member (i.e. Your data was uploaded into the Service by a Subscriber), We will action access and erasure requests where We can do so without breaching Our processor obligations to the Subscriber. In most cases We will refer the request to the Subscriber, who is the controller of Your data, and assist them in responding within the statutory time limits.
11.3 International Transfers
As noted in clause 3.6, personal data may be transferred to and processed in countries outside the EEA, UK or Switzerland — primarily Australia (Our place of business) and the United States (some Azure regions and our email-delivery provider). Where such a transfer occurs:
- For transfers to the United States and other non-adequate third countries, We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where required by the transfer-impact-assessment factors set out in EDPB guidance.
- For transfers to Australia, the European Commission has not granted an adequacy decision. Transfers to Our hosting infrastructure in Australia are made under SCCs.
- You may request a copy of the SCCs in place by emailing hello@1pm.app.
11.4 Right to Lodge a Complaint with a Supervisory Authority
If You believe Our processing of Your personal data infringes the GDPR or UK GDPR, You have the right to lodge a complaint with Your local data protection authority. In the EU, the list of national supervisory authorities is published by the European Data Protection Board at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ico.org.uk). We would appreciate the opportunity to address Your concern first if You contact hello@1pm.app, but Your right to escalate is not contingent on contacting Us.
11.5 Data Protection Contact
For all data-protection enquiries, including exercise of rights, complaints, and requests for SCCs or other documentation, contact hello@1pm.app. We are not currently required to appoint a Data Protection Officer or an EU representative under Article 27 of the GDPR. If We become required to do so, this clause will be updated with their contact details.
Last updated: 22 May 2026