Privacy Policy

Effective: 1 Aug 2022 • Last updated: 15 Oct 2025

Dev Force One Pty Ltd ABN 29 661 393 273 (“Dev Force One”, “we”, “us”, “our”) designs and develops web and mobile apps for startups, businesses, and our own products. This policy explains how we handle personal information across:

• Client Apps (we are a processor): we build/operate apps for a client. The client is the data controller.
• Dev Force One Apps (we are a controller): our own apps and websites, including devforceone.io.

We follow the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and, where applicable, the GDPR (EU/UK) and the CCPA/CPRA (California).

Types of Information

Personal information: is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.

Sensitive information: is a sub-set of personal information that is given a higher level of protection. Sensitive information means information relating to your racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health information or biometric information.

1) What we collect

Personal information: The types of personal information we may collect about you include:

• your name;
• your contact details, including email address, mailing address, street address and/or telephone number;
• your organisation and role;
• OAuth identifiers and tokens (no passwords from third‑party providers), access scopes, session identifiers;
• your credit card or payment details (through our third party payment processor);
• your preferences and/or opinions;
• information you provide to us through customer surveys;
• details of products and services we have provided to you, you have downloaded and/or that you have enquired about, and our response to you;
• your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour;
• information about your access and use of our Services, including through the use of Internet cookies, your communications with our online Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider;
• data you store or upload (notes, images, video, documents);
• job/workflow details, bookings, messages, and similar domain data;
• additional personal information that you provide to us, directly or indirectly, through your use of our Services, associated applications, associated social media platforms and/or accounts from which you permit us to collect information; and
• any other personal information requested by us and/or provided by you or a third party.

Information from our clients: In providing our Services to our clients (including managed services), we may require access to their software, hardware, networks and IT systems (Systems) and see personal information that they collect about their customers. We will treat such information in accordance with this Privacy Policy.

Sensitive information: We do not actively request sensitive information about you. If at any time we need to collect sensitive information about you, unless otherwise permitted by law, we will first obtain your consent and we will only use it as required or authorised by law.

How we collect personal information

We collect personal information in a variety of ways, including:

Directly: We collect personal information which you directly provide to us, including through the 'contact us' form on our website, when you request our assistance via email or over the telephone, when you register for an account on any of our mobile apps, and when you enter into a business relationship with us.

Indirectly: We may collect personal information which you indirectly provide to us while interacting with us, such as when you use our website, in emails, over the telephone and in your online enquiries.

From third parties: We collect personal information from third parties, including details of your use of our website from our analytics and cookie providers and marketing providers. See the "Cookies & tracking" section below for more detail on the use of cookies. We may also see your personal information when providing Services to our clients and they provide us access to their Systems.

2) How we use data

Personal information: We may collect, hold, use and disclose personal information for the following purposes:

• to provide our Services to you;
• to enable you to access and use our mobile applications and associated social media platforms;
• to contact and communicate with you about our Services;
• for internal record keeping, administrative, invoicing and billing purposes;
• for analytics, market research and business development, including to operate and improve our Services, associated applications and associated social media platforms;
• for advertising and marketing, including to send you promotional information about our products and services and information that we consider may be of interest to you;
• to comply with our legal obligations and resolve any disputes that we may have;
• if you have applied for employment with us, to consider your employment application; and
• if otherwise required or authorised by law.

Where GDPR applies, our lawful bases are contract, legitimate interests, consent (for optional features), and legal obligation.

We do not sell personal data.

3) When we act as processor vs controller

• Client Apps (processor): we process personal data only under the client’s written instructions and contract (DPA available on request). The client controls consents, retention, and deletion.
• Dev Force One Apps (controller): we decide the purposes and means of processing for our own products and websites and provide this policy and applicable consents.

4) Sharing & disclosures

Disclosure of personal information to third parties

We may disclose personal information to:

• third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) IT service providers (including Google Suite, Atlassian Suite, HubSpot and Xero), data storage, web-hosting and server providers, couriers, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;
• our employees, contractors and/or related entities;
• our existing or potential agents or business partners;
• anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
• third-party platforms and integrations you enable (we share only the minimum necessary to deliver the feature);
• courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;
• courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
• third parties to collect and process data, such as Google Analytics (to find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/); and
• any other third parties as required or permitted by law, such as where we receive a subpoena.

Overseas disclosure: Where we disclose your personal information to third parties listed above, these third parties may store, transfer or access personal information outside of Australia, including but not limited to the United States of America.

A current list of key sub‑processors is available on request.

5) International transfers & location

Where we disclose your personal information to third parties listed above, these third parties may store, transfer or access personal information outside of Australia, including but not limited to the United States of America.

We will only disclose your personal information to countries with laws which protect your personal information in a way which is substantially similar to the Australian Privacy Principles or we will take such steps as are reasonable in the circumstances to protect your personal information in accordance with the Australian Privacy Principles.

Data may be processed in other countries by our sub‑processors with appropriate safeguards (e.g., SCCs/IDTA or APP‑compatible contracts).

6) Security

Storage and security

We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

We use industry practices including:

• encryption in transit (TLS);
• encryption at rest;
• role‑based access and least‑privilege IAM;
• audit logging;
• network isolation; and
• regular backups.

While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk.

No system is perfectly secure; we will notify the relevant party and, where required by law, affected individuals of material incidents.

7) Retention & deletion

• Client Apps: we retain per client instruction/contract. On termination or written request, we delete or return data within the agreed period, subject to legal holds and backups.
• Dev Force One Apps: we keep data while your account is active and for a reasonable period (typically up to 24 months of inactivity) unless you request deletion sooner.
• Backups and logs may persist for a limited time (typically 30–120 days).

8) Your rights

Your rights and controlling your personal information

Subject to law and app context, you may request: access, correction, deletion, portability, restriction, or objection.

Your choice: Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect our ability to provide our Services to you and your use of our Services.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.

Anonymity: Where practicable we will give you the option of not identifying yourself or using a pseudonym in your dealings with us.

Restrict and unsubscribe: To object to processing for direct marketing/unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.

Access: You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal information.

Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the relevant privacy authority.

California residents: We do not "sell" or "share" data for cross‑context behavioural advertising. You may exercise CCPA rights as applicable.

To make a request, contact us (see the Contact section). For Client Apps, we will forward requests to the client (controller) and assist them.

9) Cookies & tracking

Cookies

We may use cookies on our online Services from time to time. Cookies are text files placed in your computer's browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. However, they do recognise you when you return to our online Services and allow third parties, such as Google and Facebook, to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our online Services with personal information, this information may be linked to the data stored in the cookie.

We use essential cookies and similar technologies for authentication and session management. Optional analytics are minimised and may be disabled in Client Apps or run only under client instruction.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our online Services.

10) Third‑party services & AI

Some features use third‑party platforms (e.g., email/SMS gateways, storage/CDN, analytics). For optional AI features, we apply data‑minimisation and do not use sensitive data to train public models. We only send data to AI providers when features require it and where contractually permitted; opt‑out is available for Client Apps.

Links to other websites

Our Services may contain links to other websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.

11) Children

Our services are not directed to children under 16. For Client Apps that serve minors, the client is responsible for obtaining required consents; we act under their instructions.

12) Garmin API Integration

This section applies where you connect a Dev Force One app to Garmin Connect or other Garmin services.

Data we receive from Garmin APIs:

We may collect the following information through the Garmin API(s) with your consent:

• Account identifiers and athlete profile information (name, email, age, gender, weight, height as permitted by scope);
• Activity data including workout summaries, detailed activity files (FIT format), GPS tracks, routes, and segments;
• Health and fitness metrics including heart rate, heart rate variability, respiration rate, pulse oximetry (SpO2), stress levels, body battery, sleep data, and training readiness;
• Performance metrics including VO2 max, lactate threshold, training status, training load, recovery time, and fitness age;
• Device information including device model, firmware version, and sensor data;
• Goals, plans, and scheduled workouts;
• Any other data you authorize us to access through Garmin Connect; and
• OAuth tokens and scopes (we do not receive or store your Garmin password).

How we use Garmin data:

We use data from Garmin API(s) solely to:

• Import, analyze, and display your activities, workouts, and health metrics within our application;
• Generate personalized training plans, insights, and recommendations you request;
• Synchronize activities and plans back to Garmin Connect where you have enabled this feature;
• Provide coaching, analytics, and performance tracking features;
• Improve our Services through aggregated, anonymized data analysis; and
• Fulfill any other purposes you explicitly authorize.

We do not:

• Sell your Garmin data to third parties;
• Use your Garmin data for advertising or marketing purposes;
• Combine your Garmin data across customers for commercial purposes;
• Use your Garmin data to train public machine learning models; or
• Share your Garmin data with third parties except as described in this policy (e.g., contracted sub-processors necessary to provide the service, or where required by law).

Storage & security:

• Garmin data is stored in our secure cloud environment with encryption at rest and in transit;
• Access is restricted to authorized personnel and system components on a need-to-know basis;
• OAuth tokens are stored securely, encrypted, and rotated/revoked per Garmin's platform guidance;
• We implement appropriate technical and organizational measures to protect your Garmin data in accordance with this policy.

Data retention:

• We retain Garmin data while your account is active and you maintain the Garmin integration;
• Historical activity and health data may be retained to provide ongoing analytics and insights;
• Upon disconnection or token revocation, we will cease accessing new data from Garmin immediately;
• Retention of historical data follows our standard data retention policies as outlined in section 7 (Retention & deletion).

Your control:

• Connect/Disconnect: You control your Garmin integration through our app settings or your Garmin Connect account;
• Revoke access: You can revoke our access to your Garmin data at any time via your Garmin Connect account settings;
• Data portability: You may request a copy of your Garmin data we hold;
• Deletion requests: Email privacy@devforceone.io to request deletion of your Garmin data. For Client Apps, we act under the client's instructions.

Compliance:

• We adhere to the Garmin Developer Program Agreement, API Terms of Use, and Branding Guidelines;
• We only access the data scopes you consent to and use data solely to deliver the features you request;
• We comply with applicable data protection laws including the Australian Privacy Principles, GDPR, and CCPA/CPRA.

Third-party responsibility:

• Garmin's collection and use of your data is governed by Garmin's Privacy Policy (available at garmin.com/privacy);
• We are not responsible for Garmin's privacy practices or their handling of your data.

13) Contact

For any questions or notices, please contact our Privacy Officer at:

Dev Force One Pty Ltd
Email: privacy@devforceone.io
Support: support@devforceone.io

14) Changes

Amendments

We may, at any time and at our discretion, vary this Privacy Policy by publishing the amended Privacy Policy on our website. We recommend you check our website regularly to ensure you are aware of our current Privacy Policy.

The "Last updated" date at the top of this policy reflects the current version. Material changes will be notified via the app or email where appropriate.

Privacy Collection Notice

We are Dev Force One Pty Ltd, and in this privacy collection notice we, us or our. We collect personal information from you or from third parties so that we can provide our services to you, answer any enquiries you submit to us, deliver our website to you and for the purposes otherwise set out in our privacy policy.

We may disclose this personal information to third parties, including our employees, contractors and related entities, third party service providers that provide their services to us (including IT service providers, marketing and advertising providers and website analytics suppliers), if we are required to disclose personal information by law and as otherwise set out in our privacy policy (linked above). Where we disclose your personal information to third parties listed in our privacy policy, these third parties may store, transfer or access personal information outside of Australia including but not limited to the United States of America.

If you do not provide your personal information to us, you may not be able to use all of the features on our website and we may not be able to provide our services to you.

Our privacy policy (linked above) describes further how we collect, store, use and disclose your personal information. It also describes how you can access and correct your personal information, how you can make a privacy-related complaint and our complaint-handling process.

By providing your personal information to us, you agree to the collection, use, storage and disclosure of that information as described in this privacy collection notice.