Servicing Manager for ServiceM8 - Privacy Policy.

Also known as

• Servicing Manager Privacy Policy
• Servicing Manager for ServiceM8 Privacy Policy
• ServiceM8 add-on Privacy Policy

About this policy

Servicing Manager is an add-on for the ServiceM8 platform, published by Computer Consultant Professionals Pty Ltd (trading as CCP Australia, ABN 19 128 752 607). It helps ServiceM8 customers manage recurring service contracts, maintenance plans, equipment rentals, and periodic site visits.

This policy explains what information the add-on collects from your ServiceM8 account, what it stores, where it is hosted, and how it is kept secure. It applies in addition to our general CCP Australia privacy policy, which governs everything else (the ccp.com.au website, our service engagements, and our handling of personal information generally).

If anything in this policy conflicts with the general policy in the context of the add-on, this policy takes priority.

Who you are dealing with

• Publisher: Computer Consultant Professionals Pty Ltd, trading as CCP Australia.
• Address: Unit 18, 8 Tomlinson Road, Welshpool WA 6106.
• Privacy contact: [email protected].

CCP Australia is an “APP entity” under the Privacy Act 1988 (Cth) and complies with the 13 Australian Privacy Principles.

ServiceM8 itself is operated by ServiceM8 Pty Ltd, a separate company. ServiceM8’s handling of your data is governed by their own terms and privacy policy, available at servicem8.com.

What the add-on accesses

When you install Servicing Manager from the ServiceM8 add-on directory and activate it, you authorise the add-on, via ServiceM8’s OAuth flow, to access a defined set of data and actions inside your ServiceM8 account. The current set of permissions is declared in the add-on’s manifest and shown to you on the consent screen at install time.

In practice, the add-on reads and writes the following kinds of records inside your ServiceM8 account:

• Companies (your customers). Read access, so the add-on can list customers, attach service schedules to them, and show their servicing history.
• Jobs. Read and write access, so the add-on can find Completed Service jobs that bump a schedule forward, surface upcoming work that is due, and create or update jobs related to scheduled services.
• Job activities, notes, and categories. Read and write access, so the add-on can post audit notes when a schedule is bumped and recognise the right category of work.
• Staff (users in your ServiceM8 account). Read access, so the add-on can attribute audit notes to the staff member who performed the action.
• Account settings. Read access, limited to the metadata required to identify your account and present account-appropriate options.

The add-on does not request or use access to financial records, payment details, invoices, quotes, attachments, photographs, customer signatures, or location tracking data. It does not read or modify any data outside the ServiceM8 records listed above.

What the add-on stores, and where

The add-on stores a small set of operational data in Amazon Web Services, hosted in the Sydney, Australia region (ap-southeast-2). Data does not leave Australia.

The following items are stored in our AWS DynamoDB database, keyed against your ServiceM8 account UUID so that your data is strictly separated from every other customer’s:

• OAuth tokens. The access token and refresh token issued by ServiceM8 when you activated the add-on. These are how the add-on talks to ServiceM8 on your behalf. They are stored at rest in an AWS-managed encrypted database and are never exposed to the browser or to anyone outside CCP. You can revoke them at any time by uninstalling the add-on from your ServiceM8 account.
• Schedules and contracts you create. Records you set up inside the add-on (for example, “service this air-conditioner every six months for this customer”) are stored as the add-on’s own records. Each one references the ServiceM8 Company UUID and any related Job UUIDs it concerns; we do not duplicate your customer’s name, address, phone number, or other personal details into our database.
• CSV import progress. When you bulk-import schedules from a CSV file, the add-on stores a short-lived checkpoint so the import can resume if interrupted. The checkpoint contains the schedule rows being imported and is removed when the import completes.
• Settings. Per-account preferences for the add-on (for example, default reminder windows or default categories).
• Orphan-triage dismissals. A small bookkeeping record indicating that you have dismissed a particular Job from the add-on’s “orphan” view.

In short: the add-on stores what it needs to do its own job. It does not store a shadow copy of your ServiceM8 customer database. When the add-on needs to display a customer name or a job address, it fetches it live from ServiceM8 using the OAuth token.

Webhooks

The add-on subscribes to ServiceM8’s webhook for job status changes so that completing a service job can automatically advance the matching schedule. When ServiceM8 delivers a webhook to the add-on, the payload (which contains the affected Job UUID and status) is processed in memory and used to update the related schedule record in our database. The webhook payload itself is not stored as a separate record.

Logs

Our AWS Lambda function writes operational logs (Amazon CloudWatch Logs) so that we can diagnose errors and verify the add-on is behaving correctly. These logs may contain:

• Your ServiceM8 account UUID;
• Identifiers for Companies, Jobs, schedules, and contracts touched by a request;
• The name of the operation being performed;
• Error messages and stack traces when something goes wrong.

Logs are kept in AWS in the Sydney region. We do not log OAuth tokens, full webhook payloads, or any unrelated personal information. CloudWatch Logs are retained for a limited period for diagnostic purposes and are then automatically removed in line with our retention configuration.

Who can access your data

• You and the ServiceM8 users in your account. You see your own data through the add-on interface inside ServiceM8.
• CCP Australia engineering and support staff. Access is role-based, audited, and used only for maintaining the add-on, supporting customers, and investigating incidents.
• AWS. As our hosting provider. AWS is bound by their own security and privacy obligations and does not access the contents of your database.
• ServiceM8. ServiceM8 sees the API calls the add-on makes against your account, because they operate the platform the add-on plugs into. This is governed by your relationship with ServiceM8.

We do not sell, rent, or share your data with any other third party. We do not use your data for advertising and we do not use it to train machine-learning models.

Security

• All traffic between your browser, ServiceM8, and the add-on is encrypted in transit (HTTPS / TLS).
• OAuth tokens and all add-on data are encrypted at rest in AWS DynamoDB using AWS-managed keys.
• Every request from the ServiceM8 platform into the add-on is verified using a signed token (JWT) issued by ServiceM8, and the account UUID inside that token is what we use to look up your data; this prevents one ServiceM8 customer from seeing or modifying another’s records.
• OAuth callback parameters are protected with an HMAC signature to prevent tampering.
• The database has Point-in-Time Recovery enabled so we can recover from accidental data loss.
• Staff multifactor authentication, endpoint detection and response, central password management, and 24x7 security monitoring apply to the engineering team that maintains the add-on. These are the same controls described in our general privacy policy.

Retention and uninstall

The add-on retains the records described above for as long as the add-on is installed in your ServiceM8 account.

When you uninstall the add-on from ServiceM8:

• The OAuth tokens stop working (ServiceM8 revokes them).
• The add-on stops receiving webhooks for your account.
• The schedules, contracts, settings, and other records described above remain in our database in case you reinstall, unless you ask us to delete them.

To request deletion of all data the add-on holds for your ServiceM8 account, email [email protected] from a verifiable address associated with the account. We will verify your identity, delete the records (or de-identify them where deletion is technically impractical), and confirm in writing. There is no fee for a reasonable request.

Overseas disclosures

All add-on data is stored and processed in Australia (AWS Sydney region). We do not transfer add-on data overseas.

The add-on does not load third-party trackers, analytics, advertising pixels, or cross-site identifiers inside the ServiceM8 interface. The user-interface assets (JavaScript, CSS, fonts) are served from our own CDN.

Access, correction, and complaints

You can:

• Access your data directly through the add-on interface inside ServiceM8, or by emailing [email protected] for a copy.
• Correct your data through the add-on interface, or by emailing the same address.
• Complain about how we have handled your data by emailing [email protected]. We will acknowledge within 7 days and give a substantive response within 30 days. If you are not satisfied with our response you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

Children

The add-on is a business-to-business tool used by trade businesses and their staff. It is not directed at children and we do not knowingly collect information about children through it.

Changes to this policy

We may update this policy from time to time. The current version lives at this page, with the date it was last updated. If a change is material, we will notify active add-on customers through the add-on interface or by email.