This Privacy Policy describes how Arboriculture Australia ("we", "us") collects, uses and stores personal information through Arboriculture Australia Reader (the "Service") — the website at reader.trees.org.au and the Arboriculture Australia Reader iOS and Android apps. We are committed to handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
What We Collect
We only collect information needed to operate the Service:
- Account details: your email address, name, and (if entered at checkout) phone number, company / organisation, state and country. These are used to sign you in, deliver your publications, and produce tax-compliant invoices.
- Payment details: credit-card and billing information for purchases is collected and stored by our payment processor, Stripe — we never see your full card number. We retain the Stripe customer and subscription identifiers so we can manage your subscription, renewals and refunds.
- Reading activity: when you open a publication we record the publication, the time you opened it, and the device type (desktop web, mobile web, iOS app, Android app). We use this to show you the most-recently-read titles and to help the editorial team understand which publications are being used.
- Member-created content: the bookmarks, page notes and annotations (highlights, drawings, text overlays) you make while reading. These are stored on the server so they follow you across devices.
- Session metadata: for each active sign-in we store an IP address, browser/user-agent string, and a last-active timestamp so you can see and revoke individual sessions from your Account page.
- Email-send records: a 30-day audit log of operational emails sent to your address (login codes, renewal reminders, account notifications) — kept so we can troubleshoot delivery issues. The full message body is not stored.
If you do not provide required account or payment details, we may not be able to create your account, process purchases, or provide access to the Service.
How We Use Your Information
- To authenticate you (we email you a six-digit code each time you sign in).
- To grant and renew access to the publications you've purchased or been granted.
- To process payments and produce invoices via Stripe.
- To send transactional emails — login codes, renewal reminders, payment notifications, account-deletion confirmations.
- To improve the reader and the editorial programme using aggregated usage statistics. We do not build advertising profiles of you and we do not sell your data.
Third Parties We Share Data With
We use a small set of service providers, each chosen because they meet equivalent privacy and security standards. Each provider only processes the information needed for their specific function:
- Stripe (Stripe Payments Australia Pty Ltd): processes payments. Stripe receives your name, email, billing address and card details directly; we receive only the customer identifier and a record of completed transactions. See Stripe's privacy notice.
- Resend (Resend, Inc.): delivers our transactional emails (login codes, notifications). Resend receives your email address and the message contents. See Resend's privacy notice.
- Cloudflare, Inc.: hosts our application, database and publication storage, and protects the service from network attack. See Cloudflare's privacy notice.
- Google (Generative Language API — Gemini): used by our editorial team during publication uploads to extract a table of contents from each PDF. This processing happens before publication and only involves the editorial team's PDFs — no member data, reading history, annotations or account information is sent to Google.
Some of our service providers may process or store personal information outside Australia. Where practicable, the countries in which recipients are likely to be located are:
- Stripe — Australia and the United States.
- Resend — Japan.
- Cloudflare — global edge network including the United States and the European Union.
- Google (Gemini API) — the United States.
We take reasonable steps, including contractual, security and due diligence measures where appropriate, to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles.
How We Store and Protect Your Data
- Account credentials are protected by short-lived JWT session tokens stored in an http-only secure cookie (web) or device secure storage (mobile app).
- You never set a password — sign-in is via a single-use six-digit code emailed to your address.
- Database, application and storage are operated on Cloudflare's edge network with encryption in transit (HTTPS) and at rest.
- Page images are served only after a per-request entitlement check — you cannot share a publication link with someone who hasn't purchased it.
Data Breaches
If we become aware of a data breach involving your personal information, we will assess it and, where required under the Notifiable Data Breaches scheme, notify affected individuals and the Office of the Australian Information Commissioner.
How Long We Keep It, and How to Delete Your Account
You can delete your account at any time from the My Account screen of the app or the website. When you delete your account:
- Your bookmarks, page notes, annotations and shopping cart are deleted.
- You are signed out on every device.
- Your name, email, phone number, organisation, address and other personal identifiers are removed from our database.
- If you have an active subscription, you can choose to have the deletion run at the end of the paid period (so you keep access to what you've paid for), or to cancel and delete immediately.
We retain personal information only for as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law — including taxation, accounting, fraud-prevention, dispute-resolution or other legal obligations. Where we retain past purchases, subscription history and Stripe webhook events to meet Australian financial-record obligations (typically five years), we remove or de-identify personal identifiers where practicable, except where we must retain them for the purposes above.
Your Rights
Under the Privacy Act 1988 (Cth) you may request access to the personal information we hold about you, or ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. You may also delete your account at any time from the My Account screen — see How Long We Keep It above for what happens to your data.
To make an access or correction request, email enquiries@trees.org.au. We may need to verify your identity before responding. There is no fee for correction requests. We aim to respond within 30 days of receiving your request. If we refuse a request, we will explain why and tell you how to complain.
Complaints
If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact us at enquiries@trees.org.au. We will acknowledge your complaint within a reasonable time, investigate it, and aim to provide a written response within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (oaic.gov.au).
Cookies and Similar Technologies
The website uses a single essential cookie to keep you signed in
(member_token) and a short-lived cookie for cart state. We do not
use advertising cookies, third-party tracking pixels or analytics scripts that
build a profile of you. The mobile app does not use cookies at all —
authentication is via a token in secure device storage.
Children
The platform is intended for adult arboriculture professionals. We do not knowingly collect information from children under 16.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email and shown on this page with a new "Last updated" date.
Contact
For any privacy question, correction request, or to ask about the data we hold, contact us at enquiries@trees.org.au.
Terms of use · Support · Home