Privacy Policy

Last updated: 2026-04-24

Draft — pending legal review. This policy is a good-faith first draft intended for legal review before public launch. If you notice anything misleading or incomplete, please let us know.

TradieCerts ("we", "us", "our") operates tradiecerts.com.au, a comparison marketplace for Australian trade certification courses. We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. What we collect

Aggregate site analytics (always on): Cloudflare Web Analytics provides anonymous, cookieless pageview counts, top pages, referrer domains, and approximate region. No personal information is collected and no cookies are set.
Custom analytics events (only after you consent): if enabled, goal-level events such as searches and click-throughs would be sent to Plausible Analytics, which also does not set cross-site tracking cookies. Currently inactive.
Form submissions: name, email, phone (optional), organisation details (if submitted via the training-provider form), and the content of your message.
Click-out attribution: when you click through to a training provider, we record the course, provider, originating page, and a timestamp. This is attached to an anonymous session ID — not to your name or email.
Consent state: your cookie and tracking choices are stored in your browser's localStorage with a 12-month expiry.

2. How we use it

To respond to enquiries and deliver requested information
To understand which courses, cities, and pages are useful — so we can improve coverage
To attribute click-outs to Registered Training Organisations (RTOs) for referral billing — in aggregate, never by user identity
To comply with legal obligations

3. Who we share it with

Training providers: aggregated click-through volumes only. We do not share your name, email, or browsing history with RTOs.
Service providers: Cloudflare (hosting + CDN), Plausible (analytics), and our email/form provider (Formspree or MailerLite). Each is bound by their own privacy obligations.
Law enforcement: if legally required under Australian law.

We never sell your personal information.

4. Cross-border disclosure

Our hosting (Cloudflare) uses a global edge network. Your data is served from the nearest edge (typically Sydney or Melbourne for Australian visitors). Analytics are processed by Plausible (EU). Form submissions may be processed in the United States (Formspree) or the EU (MailerLite), depending on provider. We rely on contractual safeguards and the providers' compliance with GDPR and equivalent frameworks.

5. Cookies and tracking

We use the minimum tracking necessary to run the site:

Strictly necessary (always on): your consent choice itself, session integrity, and anti-CSRF tokens.
Aggregate site analytics (Cloudflare Web Analytics, always on): anonymous, cookieless pageview counts, top pages, and referring domains. No personal information is collected, no cookies are set, and the data never leaves Cloudflare's privacy-preserving aggregate counters. Under the Privacy Act 1988 / APP 3 this is not personal information and does not require consent.
Custom events (opt-in, currently inactive): goal-level metrics like search submissions and click-throughs, intended for Plausible Analytics. Code is in place but disabled — nothing fires until we enable it and you opt in.
Marketing (opt-in): reserved for future campaign attribution; nothing loads today.

Change your choice any time via in the footer.

How your consent is recorded. Your cookie and tracking choices live entirely in your browser's localStorage under the key tc_consent, alongside a version number, the categories you accepted, the timestamp of your decision, and a 12-month expiry. We do not transmit your consent decision to a server, and we do not maintain a server-side audit log of consent. The reason: under the Australian Privacy Act 1988 and APP 3, a consent decision is not "personal information" on its own (we don't have a user account to bind it to), and a privacy-by-design system that doesn't need to collect data shouldn't collect it. If you clear your browser storage your choice resets and the banner reappears on your next visit. If you'd like a written record of your consent for your own files, take a screenshot of the Cookie settings panel — that's the authoritative state.

6. Data retention

Form submissions: kept for 24 months, then deleted or anonymised.
Click-out attribution events: kept for 12 months in identifiable form (session ID), then aggregated.
Analytics data: Plausible retains 24 months of aggregated data.

7. Your rights

Under the Australian Privacy Principles you can:

Request access to the personal information we hold about you (APP 12)
Request correction of inaccurate information (APP 13)
Withdraw consent for analytics at any time — and have it take effect immediately
Complain to us, and if unsatisfied, to the Office of the Australian Information Commissioner (oaic.gov.au)

8. Security

All traffic is encrypted with HTTPS and HSTS. We rely on Cloudflare's WAF and DDoS protection. Access to form submissions is limited to the site operator. We keep no payment information.

9. Children

TradieCerts is not directed at children under 16 and we do not knowingly collect information from them. If you believe a child has submitted information, contact us and we will delete it.

10. Changes to this policy

We'll update the "Last updated" date at the top when this policy changes. Material changes will be flagged in a site-wide notice.

11. Contact

Privacy enquiries: contact form, subject "Privacy".