Loading...
Loading...
This Privacy Policy describes how National Restoration Professionals Group Pty Ltd (ABN 85 151 794 142), trading as Disaster Recovery ("we", "us", "our"), manages personal information collected through our website disasterrecovery.com.au and our claim intake and contractor matching services.
We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy sets out how we meet our obligations under APPs 1–13.
By using our website or submitting a claim through our platform, you agree to the collection and use of your personal information as described in this policy.
We collect personal information that is reasonably necessary to match you with a certified restoration contractor and to support your insurance claim process. This includes:
We collect this information directly from you when you submit a claim through our platform (APP 3). We do not collect sensitive information (as defined by the Privacy Act) unless it is necessary for your claim and you have consented to its collection.
Where it is lawful and practicable to do so, you may use our website anonymously or by pseudonym (APP 2). However, the claim intake process requires identification to enable contractor matching and insurance liaison.
We collect personal information for the following primary purposes:
We will not collect personal information that is not reasonably necessary for one of these purposes (APP 3.3).
We use and disclose your personal information only for the primary purposes for which it was collected, or for related secondary purposes that you would reasonably expect.
Your personal information may be disclosed to:
We do not sell, rent, or trade your personal information to third parties for marketing purposes (APP 7).
Personal information we collect is processed by the following providers. Where a provider operates outside Australia, we take reasonable steps to ensure they handle your information consistently with the Australian Privacy Principles, including through contractual data processing agreements.
| Provider | Country | Function |
|---|---|---|
| Vercel | United States, European Union | Web hosting, serverless compute |
| Supabase | Australia (ap-southeast-2) | Primary database |
| Anthropic | United States | AI content generation for internal ops |
| OpenAI | United States | AI services (where used) |
| Global | Analytics, Tag Manager, Gemma translation API | |
| Microsoft | Global | Clarity session recording (opt-in only) |
| Meta | United States | Pixel tracking (opt-in only, when enabled) |
| Stripe | United States | Payment processing |
| Twilio / ElevenLabs | United States | Voice telephony and AI call transcription |
| Cloudflare | Global | CDN and DNS |
Session recording disclosure. If you consent to product-experience cookies via our cookie banner, Microsoft Clarity records anonymised mouse movement, clicks, scrolling and page interactions for usability analysis. Recordings exclude fields marked sensitive (payment card, passwords). Session recordings are retained on a 90-day rolling deletion. Clarity is off by default; it activates only if you opt in.
By using our platform, you consent to the disclosure of your personal information to the overseas recipients above where reasonably necessary to provide our services. Opt-in cookies (Clarity, Meta Pixel) do not activate unless you accept them via the cookie banner.
When you call our intake line, your call may be answered by Sarah, an AI voice assistant built on ElevenLabs Conversational AI (Flash v2.5). Telephony is carried by Twilio. Both ElevenLabs and Twilio are United States-headquartered providers, and voice audio, transcripts, and associated metadata are processed on servers located in the United States (Twilio edge infrastructure may also be configured to route through Australian points of presence; core processing remains in the US).
Informed consent at call open (APP 8): At the start of every call, before any audio is streamed to ElevenLabs, the Twilio layer plays a short opening utterance that discloses (i) the call may be handled by an AI assistant, (ii) the call is recorded so we can help you, and (iii) your information may be processed by our technology providers overseas under the Australian Privacy Principles. You are asked whether that is OK to continue. You can press 0 at any time to speak to a person. If you decline, stay silent, or press 0, the call is immediately transferred to a human operator and no audio is streamed to the AI provider.
What the voice channel collects: your name, phone number (via caller line identification), email address (spelled out during the call), postcode and property address, description of the damage, and insurance information (insurer name, policy number, claim number). This is the same categories of information collected through our web claim form — the voice channel is simply an alternative intake path.
Recording and retention: calls are recorded and machine-transcribed. Default retention is 30 days for audio recordings, 90 days for transcripts, and 7 years for the redacted audit log (call metadata, consent outcome, claim reference — with direct identifiers removed). These retention windows align with our claim-record obligations under APP 11 and with the minimum retention needed to resolve billing and dispute matters with our carriers.
How to withdraw consent: you may decline consent at the opening prompt by pressing 0, saying "no", or staying silent (no audio leaves Twilio for the AI provider in any of those cases), or you may request a human transfer at any point during the call by saying "human" or "operator" — Sarah is configured to transfer on that request at every turn.
Automated decision-making (APP 1.7, commences 10 December 2026): Sarah collects information and books appointments; she does not make decisions that produce a legal or similarly significant effect on you. All contractor-assignment, scope-of-work, and insurance decisions remain with the assigned human contractor and your insurer, consistent with the "AI-Assisted Features and Automated Processing" section below. We are preparing for the APP 1.7 transparency requirements ahead of the 10 December 2026 commencement date.
Disclosure to ElevenLabs and Twilio is made in accordance with APP 8 (cross-border disclosure) and is governed by data processing agreements with each provider. Review of this consent mechanism by privacy counsel is part of our pre-go-live checklist.
Our platform includes a multilingual interface powered by an AI language model — specifically Gemma 4, developed by Google DeepMind and accessed via Google's generative AI services. This model is used solely to translate UI text, page headings, form labels, and informational content into 23 languages, enabling users across the Asia-Pacific region and beyond to access our services in their preferred language.
What the AI model does and does not process: The translation feature sends page content and interface strings to the AI model. It does not send your personal information — including your name, address, contact details, damage description, insurance information, or claim details — to the AI model. Personal information you submit through our claim intake form is handled entirely within our own systems and is not passed to any AI translation service.
Contractor matching and automated decisions: Matching your claim with an NRPG network contractor is performed by our internal contractor matching system based on location, damage category, and contractor availability. This process does not constitute automated decision-making that has a legal or similarly significant effect on you. A human contractor reviews your claim details and makes all decisions relating to the provision of restoration services. No automated system determines your entitlements, your insurance outcome, or the scope of work — those decisions rest with the contractor and your insurer.
Cross-border processing: Google's AI services process translation requests on servers that may be located outside Australia, including in the United States. This processing is limited to UI strings and informational content (not personal information), and is consistent with the cross-border disclosure above (APP 8). We rely on Google's data processing agreements and contractual safeguards to ensure appropriate handling of any data transmitted to these services.
This disclosure is made in accordance with APP 3 (transparency about collection practices) and APP 8 (cross-border disclosure), and reflects our commitment to transparency ahead of the Privacy Act amendments taking effect 1 July 2026.
If you are in New Zealand or submit a claim for a property located in New Zealand, the New Zealand Privacy Act 2020 and its 13 Information Privacy Principles (IPPs) apply to our handling of your personal information, in addition to the Australian Privacy Act and APPs.
IPP 3 collection notice. When you submit a claim from New Zealand we collect your name, contact details, property address, damage description, and (where provided) insurance information for the purposes of matching you with a restoration contractor and enabling the contractor to contact you and liaise with your insurer. Collection is from you directly. Providing this information is voluntary, but without it we cannot match your claim.
IPP 12 cross-border disclosure. Your personal information is transferred to Australia for storage and processing and may be disclosed to contractors, insurers, and service providers located in Australia and overseas as set out above. We take reasonable steps to ensure overseas recipients handle your information consistently with the Privacy Act 2020.
Access, correction, and complaints. You may request access to or correction of your personal information at any time. If you are dissatisfied with our response, you may complain to the Office of the Privacy Commissioner at privacy.org.nz.
We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
Data retention: We retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Claim records are typically retained for 7 years following completion of work to satisfy insurance and warranty obligations. You may request deletion of your personal information where we have no ongoing legal obligation to retain it (see "Your Rights" below).
Notifiable Data Breaches: We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. If we become aware of an eligible data breach that is likely to result in serious harm to affected individuals, we will notify the OAIC and affected individuals as required.
You have the right to:
To exercise any of these rights, contact us through our contact form. We will respond to access and correction requests within 30 days. There is no charge for making a request, though we may charge a reasonable fee to cover the cost of providing access where permitted by law.
If we refuse an access or correction request, we will provide you with written reasons and information about how to complain to the OAIC.
If you believe we have handled your personal information in breach of the Australian Privacy Principles, you may lodge a complaint with us by using our contact form. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
Our website uses cookies and similar technologies to support site functionality and understand how visitors use the site. For detailed information about the cookies we use and how to manage them, see our Cookie Policy.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
This policy was last reviewed and updated on 23 April 2026 to add a New Zealand Privacy Act 2020 section (IPP 3 collection notice and IPP 12 cross-border disclosure) for consumers submitting claims from New Zealand. Earlier updates addressed the removal of the Privacy Act small business exemption effective 1 July 2026 and the OAIC's 2026 privacy compliance sweep.