How we handle your data.

1. What we collect

When you create an account, we collect your email address, display name, and avatar image via Supabase Auth (magic link) or Google OAuth. For Premium features, we also collect saved places (precise latitude/longitude for home, work, and custom locations used for alerts and trip cost calculations), vehicle details (make, model, year, registration plate, fuel type), fill-up records (station, litres, price, odometer reading, timestamp), price reports you submit (station ID and timestamp — no GPS beyond the station you selected), bug reports (free text, your email, page URL, and user agent), price alert preferences (radius, fuel type), push notification subscriptions, and Stripe billing customer and subscription IDs (we never see your card number — Stripe handles card data).

Fleet subscribers who enable GPS trip tracking consent to vehicle location pings at intervals while driving. This data is used for fleet reporting and trip-cost analysis, and is automatically deleted after 90 days. GPS trip tracking is strictly opt-in and can be disabled at any time.

We use Sentry for error monitoring. Sentry may capture partial request context from error events; we strip PII before transmission where possible and retain events for 90 days (Sentry default). We use a first-party theme-preference cookie and a service worker cache for offline support. With your consent, we load Meta Pixel for marketing analytics — see Section 3 and our cookie banner for details.

2. How we use it

Your data is used solely to operate and improve Refuelr. Specifically: your email is used to send price alerts you have opted into, transactional messages (sign-in links), and occasional product updates (you can unsubscribe at any time). Saved places and vehicle data personalise the map, alerts, and trip cost calculations. Fill-up records power your fuel economy history. Community price reports improve pricing accuracy for all users. Aggregated, anonymised usage data informs feature development.

We do not use your data to build advertising profiles, sell or license it to third parties, make automated decisions that have legal or significant effects on you, or train machine-learning models on identifiable personal data.

3. Tracking technologies

Essential: Supabase Auth cookies (first-party, required for sign-in), a theme-preference cookie (stores light/dark/auto setting, not linked to your identity), and a service worker cache (offline support and performance). These are always active and do not require consent.

Analytics (consent required): Meta Pixel and Vercel Analytics/Speed Insights load only after you click "Accept all" in the cookie banner. Meta Pixel tracks page views and conversion events for marketing measurement. Vercel Analytics and Speed Insights collect aggregated page-performance and usage metrics. You can withdraw consent at any time via Settings → Disable analytics tracking. The consent choice is stored in localStorage under the key refuelr-consent.

Error monitoring: Sentry receives error events with PII stripped. This is classified as a necessary operational tool; it does not track user behaviour and does not require separate consent.

4. Where your data is processed

Refuelr uses a number of third-party processors to operate the service. Some are located outside Australia, which means your personal information may be transferred internationally as permitted under Australian Privacy Principle 8. The processors we engage are: Supabase (database and authentication — Australia, ap-southeast-2 region); Cloudflare Workers (edge compute and CDN — global, data in transit only); Vercel (build infrastructure plus consent-gated analytics and performance measurement — United States); Upstash Redis (session cache and rate limiting — United States or Australia depending on region configuration); Stripe (payment processing — United States and Ireland, subject to Stripe's Privacy Policy); Sentry (error monitoring — United States or European Union); Resend (transactional email delivery — United States); Meta (analytics pixel, only after consent — United States, subject to Meta's Data Policy); Mapbox (map tile rendering — United States, viewport coordinates sent to load tiles, not stored by us); Google (OAuth sign-in — United States, subject to Google's Privacy Policy; only your name, email, and profile photo are exchanged).

Each processor is engaged under a data processing agreement that prohibits them from using your data for their own purposes. We do not sell data to brokers or share data with advertisers.

5. How long we keep it

Active account data is retained until you delete your account. Vehicle GPS trails (Fleet only) are automatically deleted after 90 days. Push notification log entries are deleted after 12 months. Billing and payment audit records are retained for 7 years to meet Australian Tax Office requirements. Sentry error events are retained for 90 days (Sentry's default). Community price reports are retained indefinitely in anonymised form to maintain historical price accuracy — they are not linked to your identity after account deletion. Bug reports retain the description field (which may have operational value) but all personal fields (email, name, user agent, user ID) are cleared when your account is deleted.

If you unsubscribe from commercial emails, we retain your email address on a suppression list so we can honour that request. Transactional account, billing, security, and requested alert emails may still be sent.

6. Your rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) you have the right to: access a copy of the personal information we hold about you; request correction of inaccurate or out-of-date data; request deletion of your account and all associated personal data (actioned within 30 days); withdraw consent for non-essential data processing (including analytics) at any time; request data portability — use the "Export my data" function in Settings to download a structured JSON file of all data linked to your account; and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your information.

To exercise any right, email us at privacy@refuelr.au or use the account settings page. We will respond within 30 days.

7. Children

Refuelr is not intended for use by persons under 16 years of age. We require users to confirm they are 16 or older at sign-up. If we discover that a user under 16 has created an account, we will delete it promptly. If you believe a child has registered without parental consent, contact us at privacy@refuelr.au.

8. Contact

If you have questions about this policy or how we handle your data, please contact us at privacy@refuelr.au. We aim to respond to all privacy enquiries within 5 business days.

This policy was last updated on 27 April 2026. We may update it from time to time. If we make material changes — particularly any that expand the types of data we collect or the parties we share it with — we will notify you by email at least 14 days before the change takes effect.