Petrol Australia
Summary in plain English
Petrol Australia helps you compare petrol prices using data from official government sources. You can use the app as a guest without an account. If you register, we collect limited account details and may store an optional home location you choose to save. We use service providers (including Supabase for accounts and data hosting, map providers on mobile and web, and push notification services) to run the app. This policy explains what we collect, why, who we share it with, overseas handling where relevant, and how you can access, correct, or delete your information. No system is completely secure: we use reasonable safeguards, but you accept the residual risk of any internet-based service. If you are not happy with how we handle your privacy, you may complain to us or to the Office of the Australian Information Commissioner (OAIC).
1. Who we are
This Privacy Policy applies to the Petrol Australia mobile applications (iOS and Android) and our website at https://petrolaustralia.com.au (together, the Services), operated by the sole trader trading as Petrol Australia (ABN 74 852 609 635).
This policy applies to users in all Australian states and territories (NSW, VIC, QLD, SA, WA, TAS, NT, ACT).
2. Our commitment to Australian privacy law
We are committed to protecting your privacy in line with the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs), and to complying with the Spam Act 2003 (Cth) where it applies to electronic messages we send. We also aim to align with the expectations of Apple and Google app platforms (including App Tracking Transparency on iOS and Google Play's data safety disclosures on Android).
This policy is not legal advice. If you need advice about your own situation, consider consulting a qualified professional.
3. What personal information we collect
3.1 Guest users
If you use the Services without registering, we do not require you to provide a name, email, or account. Our systems and third-party infrastructure may still process limited technical information needed to deliver the Services (for example, IP address, device or browser type, and standard server logs on the website), as described in sections 5 and 9.
3.2 Registered users
If you create an account, we collect:
- Email address
- Username
- Password (stored using secure authentication practices by our service provider)
- Account creation and update timestamps
We may also store optional profile information you provide, such as:
- Preferred fuel type or similar preferences
- Home location (latitude, longitude, and a human-readable address) if you choose to save a home location in the app
Price "analytics" or insights shown in the app relate to fuel price information presented to you, not third-party behavioural advertising analytics. We do use a third-party crash and performance diagnostics provider (Sentry) on a de-identified basis — see section 3.7.
3.3 Location information
- Foreground location (GPS): The app may request permission to use your device location to centre the map, show nearby stations, and support similar features. That processing occurs on your device as part of providing the functionality. We do not rely on sending your live GPS coordinates to our servers on every map interaction to supply bulk price data; price data is obtained in line with our technical design (for example, by state or region datasets).
- Saved home location: If you choose to save a home location, the coordinates and address you save are stored on our systems (via our backend) as part of your profile so we can provide the feature across sessions and devices.
- Location verification for price reports: When you submit a price correction or station status (for example, "out of fuel" or "site closed"), the app captures your device location once at the moment of submission to verify you are physically at the station. We compute the distance between your device and the station coordinates on our servers and store only that distance (a single integer in metres) on the resulting report. We do not store the user-submitted latitude or longitude values themselves. Reports filed more than 500 m from the station are rejected before any data is stored.
3.4 Notifications
If you enable push notifications, we use platform push services (for example, Apple Push Notification service and Firebase Cloud Messaging on Android, dispatched through Expo Push Service) to deliver messages. That involves technical identifiers (push tokens) which we associate with your account in our backend so we can send you the alerts you opted into and stop sending them when you turn the feature off, sign out, delete your account, or your device returns a delivery error.
We also keep an internal notification dispatch log for fuel-cycle alerts (drop incoming, buy now, top up before rise). Each log entry records the user the alert was sent to, the alert type, the fuel type, the rounded local-area key (no precise coordinates), the provider receipt status, and the timestamp. We use this ledger to enforce the in-app cooldown and daily cap, to investigate delivery issues, and to improve alert quality. Logs are retained for a short period and are not used for advertising or third-party analytics.
Fuel-cycle alerts are advisory only — they reflect statistical patterns in publicly available fuel price data near your saved home location and do not guarantee any particular price will be available at any particular station.
3.5 Photos and camera (optional)
If you use features that allow a profile image, the app may request access to your photo library or camera. We only use that access for the feature you activate and do not retain images beyond what is needed to display them on your profile.
3.6 Website — cookies and similar technologies
Our website may use:
- Strictly necessary cookies and local storage to operate the site, sign you in, and remember security and preference state (for example, Supabase authentication cookies);
- Umami website analytics (Umami Cloud) for privacy-friendly, cookieless usage measurement. Umami records aggregate page views, referrer, country (derived from IP), browser, operating system, device type, screen size, and language. It does not set cookies on your browser, does not collect personal information, and does not use cross-site identifiers. IP addresses are hashed daily and discarded; we do not see your IP. Umami Cloud is operated by Umami Software, Inc. (United States) — see section 7 for the cross-border safeguard.
You can control cookies through your browser settings. We do not currently respond to "Do Not Track" or Global Privacy Control signals, but we will update this policy if that changes.
Umami is only used on our website (https://petrolaustralia.com.au). Our iOS and Android apps do not load Umami.
3.7 Crash and performance diagnostics (Sentry)
We use Sentry (operated by Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) to collect crash reports and performance diagnostics so we can identify and fix bugs and improve app stability.
What Sentry collects:
- Device model, operating system version, locale, and app version and build number;
- Navigation breadcrumbs within the current session (for example, screen transitions);
- Error and exception stack traces;
- Sampled performance traces (currently 10% of sessions).
What we have configured Sentry NOT to collect:
- Your name, email address, or username;
- Your home address or saved coordinates;
- Your IP address;
- Your account identifier;
- Any other directly identifying information.
We strip these fields client-side before any event leaves your device, and Sentry's organisation-level scrubbers provide a second layer of protection.
Where it is processed: the United States. See section 7 for the cross-border safeguards we rely on.
Retention: we have configured Sentry to retain events for 30 days from capture, after which they are automatically deleted. We do not use Sentry data for advertising, behavioural analytics, or third-party data sharing.
3.8 Home-screen widgets (iOS and Android)
If you add the Petrol Australia widget to your iOS or Android home screen, the widget shows fuel-price information already available to you in the app — for example, the cheapest station within your saved radius for your chosen fuel type, or a favourite station you have pinned.
How widget data is shared with the widget:
- The widget runs in a system-level extension on your device. It does not make its own network requests.
- The app prepares a small payload (selected station name, brand, address, suburb, fuel price, distance from your home, fuel type, and a generated-at timestamp) and writes it to on-device storage: an iOS App Group (
group.au.com.petrolaustralia.widget) on iPhone, or local widget storage via the Android widget framework. This storage is sandboxed by the operating system to our app and its widget extension. - The payload does not leave your device as part of the widget feature, is not sent to our servers because of the widget, and is not shared with any third party.
- The widget never displays your full home address; it only displays public station information and a distance.
What you control:
- You choose whether to add the widget at all, which mode to use (cheapest within radius vs. a pinned favourite), and which fuel type to track in Profile → Widgets.
- Removing the widget from your home screen, or signing out of the app, stops the payload being updated.
- Uninstalling the app removes the App Group / widget storage with it.
4. How we collect personal information
We collect personal information:
- Directly from you when you register, update your profile, contact us, or use optional features;
- Automatically when you use the Services (for example, authentication tokens, security logs, and technical metadata);
- From your device when you grant permission (location, notifications, photos/camera).
5. Why we collect, use, and disclose personal information (purpose)
We collect, hold, use, and disclose personal information to:
- Provide, operate, and improve the Services;
- Create and manage accounts and authenticate users;
- Show maps, stations, prices, favourites, alerts, and related features;
- Store optional home location and preferences you choose to save;
- Send service-related and (where you opt in) promotional or informational communications, including push notifications;
- Maintain security, prevent abuse, detect and respond to fraud, and protect our rights and users;
- Comply with legal obligations and respond to lawful requests;
- Plan for and describe future features (such as advertising or subscriptions) in line with this policy.
If we use or disclose information for a purpose you would not reasonably expect, we will seek your consent or otherwise act as required by the APPs.
6. Disclosure of personal information
We may disclose personal information to:
- Service providers who assist us (for example, Supabase for authentication, database, and file hosting; map providers — Google Maps on native apps via the maps SDK, and Pigeon Maps with map tiles on web; Expo and related infrastructure for builds and notifications; Sentry (Functional Software, Inc.) for crash and performance diagnostics on a de-identified basis as described in section 3.7; Umami Software, Inc. (Umami Cloud) for website-only, cookieless usage analytics on a de-identified basis as described in section 3.6; and email or messaging providers if we use them);
- Government authorities or regulators where required or permitted by law (including in response to subpoenas, court orders, or NDB obligations);
- Professional advisers (lawyers, accountants) under confidentiality obligations;
- A purchaser or successor in a merger, acquisition, or asset sale, subject to appropriate protections.
We do not sell your personal information. If we introduce advertising, we will describe any sharing that supports ad delivery in an updated policy and, where required, obtain appropriate consent.
7. Overseas disclosure and storage
Some of our service providers may store or process information outside Australia (for example, where Supabase or a map or push provider hosts data in another country, including the United States or Europe). Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles it in accordance with the APPs, including by contractual measures where practicable.
Supabase: Personal information held in your account may be processed by Supabase Pty Ltd and its infrastructure in accordance with Supabase's documentation and privacy policy. The actual region for your project (for example, Australia, EU, or US) depends on settings in our Supabase dashboard; we will update this policy if we standardise on a specific region for all production data.
Sentry: Crash and diagnostic data is processed in the United States by Functional Software, Inc. We rely on Sentry's signed Data Processing Addendum (DPA), Standard Contractual Clauses where they apply, and Sentry's SOC 2 Type II certification as the reasonable steps required by APP 8. We have configured the SDK to strip personally identifying information before transmission, and Sentry's organisation-level scrubbers and IP-storage suppression provide a second layer of protection.
Umami Software, Inc. (Umami Cloud): Aggregate website analytics events for petrolaustralia.com.au are processed in the United States by Umami Software, Inc. The data is cookieless and de-identified at source (IP addresses are salt-hashed daily and not retained, no cross-site identifiers are set). We rely on Umami's processor terms and the same APP 8 reasonable-steps rationale (de-identification at source, contractual measures) for this transfer. Umami is not used in our mobile apps.
8. Australian Privacy Principles — how we address them
We aim to comply with all 13 APPs. In summary:
| APP | Our approach (summary) |
|---|---|
| APP 1 — Open and transparent | This policy and available contact details. |
| APP 2 — Anonymity and pseudonymity | Guest use where practicable; account optional. |
| APP 3 — Collection of solicited information | We collect what is reasonably necessary for our functions. |
| APP 4 — Dealing with unsolicited information | We destroy or de-identify unsolicited information where we should not have received it. |
| APP 5 — Notification | We notify via this policy and collection points. |
| APP 6 — Use or disclosure | We use or disclose for primary purposes, related secondary purposes, or as the APPs allow. |
| APP 7 — Direct marketing | We only direct market with consent or as permitted by law, with opt-out (see section 21). |
| APP 8 — Cross-border disclosure | See section 7; we take reasonable steps. |
| APP 9 — Adoption of government identifiers | We do not use government identifiers as our own identifier. |
| APP 10 — Quality | We take reasonable steps to keep information accurate and up to date. |
| APP 11 — Security | We use reasonable technical and organisational measures (see section 9). |
| APP 12 — Access | You may request access as set out in section 12. |
| APP 13 — Correction | You may request correction as set out in section 12. |
9. Security — what we do and what you accept
We implement reasonable technical and organisational measures appropriate to the nature of the information and the risks, including:
- HTTPS / TLS encryption in transit;
- Reputable cloud providers with established security programs (for example, Supabase);
- Row-level security and least-privilege access controls on our backend;
- Secure password hashing handled by our authentication provider;
- Secret management for API keys;
- Rate limiting, anti-spam guards, and audit logging for sensitive actions.
However, no method of transmission, storage, or processing is completely secure. You acknowledge and accept that:
- No security control is perfect, and even leading providers can suffer outages, vulnerabilities, or breaches;
- Some information passes through, or is stored by, third parties whose security we cannot directly control;
- The security of your account also depends on you (using a strong unique password, keeping your device secure, and not sharing credentials);
- Despite our reasonable safeguards, we cannot guarantee absolute security and we are not liable for any loss arising from a security incident not caused by our gross negligence or wilful misconduct, except where liability cannot lawfully be limited (see Terms section 23).
If a security incident occurs, we will respond in line with section 10 (Notifiable Data Breaches scheme).
10. Notifiable Data Breaches (NDB scheme)
If we become aware of unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm to individuals, we will assess the incident under the NDB scheme and, if eligible, notify the OAIC and affected individuals as soon as practicable, and provide recommended steps you can take.
11. Children's privacy
The Services are intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not use the Services or submit any personal information. If you believe a child has provided us personal information, contact us at [email protected] and we will take reasonable steps to delete it, subject to law.
12. Access, correction, and deletion
You may request access to personal information we hold about you, or request correction of inaccurate information, by contacting [email protected]. We will respond within a reasonable time and as required by the Privacy Act.
You may delete your account (where available in the app) or ask us to delete your account and associated personal information. We will action requests as soon as practicable, subject to legal or legitimate retention needs (for example, fraud prevention, dispute records, or accounting records). We will explain any exception that applies.
13. Data retention
We retain personal information only as long as needed for the purposes in section 5, unless a longer period is required or permitted by law. Indicative retention periods (subject to change and to legal obligations):
| Category | Indicative retention |
|---|---|
| Account profile (email, username, hashed password, preferences) | While the account is active; deleted within a reasonable period after account deletion, subject to backups |
| Saved home location | While the account is active or until you remove it |
| Push notification tokens | While registered to an active device; revoked on sign-out, app uninstall, or delivery error |
| Notification dispatch logs (fuel-cycle alerts) | Short retention window for cooldown enforcement, abuse prevention, and quality monitoring (typically up to 90 days) |
| Price reports / station status submissions | While operationally relevant for moderation, anti-spam audit, and feed reconciliation |
| Server logs and security telemetry | Short period appropriate to security and operational needs |
| Crash reports and performance diagnostics (Sentry) | 30 days from event capture, then automatically deleted (project-level retention setting) |
| Website analytics events (Umami Cloud) | Aggregated, cookieless events retained per our Umami project retention setting; no personal identifiers are stored |
| Backups | Standard provider backup cycles, then overwritten |
When data is no longer needed, we take reasonable steps to destroy or de-identify it. We may retain aggregated or de-identified data indefinitely (see section 22).
14. Apple App Tracking Transparency (ATT) and similar controls
We do not describe the Services as relying on cross-app tracking for third-party advertising at the time of this policy's effective date.
Sentry is not tracking under ATT. Sentry is used solely for first-party crash and performance diagnostics. It does not link app activity with data from other companies' apps or websites for advertising purposes, and it is not classified as "tracking" under Apple's App Tracking Transparency framework. We do not currently trigger an ATT prompt.
Umami is not present in the apps and is not subject to ATT. Umami runs on our website only.
If we introduce features that require tracking consent on iOS, we will implement ATT and platform requirements and update this policy before or when those features go live.
15. Google Play and data safety
We aim to describe our collection and sharing in this policy in a way that is consistent with Google Play's data safety disclosures. The Play Console declarations will reflect the app's actual behaviour at release.
Our Play Console Data Safety form declares Crash Logs and Diagnostic / Performance Data as collected (via Sentry), not linked to user identity, not used for tracking, with security practices including encryption in transit and a data deletion request option.
16. Future advertising
The Services are currently free and do not display third-party advertising in a way that shares personal information with ad networks as of the effective date. If we introduce advertising, we may:
- Show ads in the app or on the website;
- Use advertising partners who set cookies or device identifiers;
- Measure ad performance.
We will update this policy, provide in-app or website notice where appropriate, and obtain consent where required by law or platform rules before using personal information for targeted advertising.
17. Future paid memberships and payments
If we introduce paid subscriptions or one-off purchases, payments will be processed by Apple, Google, or another approved payment provider. We will not store your full payment card details on our servers. We may receive limited transaction metadata (for example, subscription status). We will update this policy to describe payment data handling and any new retention practices.
18. Automated decision-making
We do not use personal information in solely automated decision-making that produces legal or similarly significant effects on you. Server-side anti-spam guards (cooldowns, location verification, rate limits) operate automatically but are administrative measures, not legally significant decisions about you.
19. Changes to this policy
We may update this policy from time to time. We will publish the updated version on our website with a new effective date. If a change is material, we will provide additional notice where practicable (for example, by email to registered users or an in-app notice) at least 30 days before the change takes effect, unless we are required to make an immediate change for legal or security reasons.
20. Complaints — internal and OAIC
If you have a privacy complaint, contact us at [email protected]. We will acknowledge and investigate complaints promptly and aim to respond within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: https://www.oaic.gov.au
The OAIC provides information about how to make a privacy complaint.
21. Direct marketing and Spam Act 2003 (Cth)
If we send you marketing emails or push notifications:
- We will only do so where you have opted in or where the Spam Act 2003 (Cth) otherwise permits;
- Every commercial electronic message will identify us as the sender and include a working unsubscribe option (or, for push, an in-app toggle);
- You can opt out at any time by using the unsubscribe link, in-app notification settings, or by contacting [email protected];
- Service-related messages (account, security, transactional, legal notices) are not marketing and may be sent regardless of marketing preferences.
22. Aggregated and de-identified data
We may create aggregated or de-identified data from personal information (for example, fuel-price trend statistics or usage patterns). Once data is genuinely de-identified so that it can no longer reasonably identify you, it is not personal information under the Privacy Act, and we may use, share, or retain it for any lawful purpose, including service improvement, research, and reporting.
23. Withdrawal of consent
Where we rely on your consent to handle your personal information (for example, for marketing or for optional location features), you can withdraw that consent at any time by changing your in-app settings or contacting [email protected]. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and it does not require us to delete information we are legally required or permitted to retain.
24. State and territory privacy regulators
The Privacy Act and the OAIC are the primary privacy regime that applies to us. Some Australian states and territories have their own privacy frameworks that mainly regulate state public-sector agencies rather than private operators like us, but you may still wish to contact them for guidance:
- NSW: Information and Privacy Commission NSW (IPC) — https://www.ipc.nsw.gov.au
- VIC: Office of the Victorian Information Commissioner (OVIC) — https://ovic.vic.gov.au
- QLD: Office of the Information Commissioner Queensland — https://www.oic.qld.gov.au
- WA: Office of the Information Commissioner WA — https://www.oic.wa.gov.au
- SA: State Records of South Australia / Privacy Committee SA — https://archives.sa.gov.au
- TAS: Tasmanian Ombudsman — https://www.ombudsman.tas.gov.au
- NT: Office of the Information Commissioner NT — https://infocomm.nt.gov.au
- ACT: OAIC (handles privacy complaints under the Information Privacy Act 2014 (ACT)) — https://www.oaic.gov.au
25. Beta and early-access acknowledgement
Some features may be released as beta, preview, or early access. Beta features may have additional logging for diagnostic purposes, may change or be removed without notice, and are provided on the same "as is" / "no guarantees" basis as the rest of the Services. We will use reasonable efforts to safeguard any personal information collected via beta features under this policy.