Privacy Policy

Last updated: June 2026

1. About This Policy

LodgeHQ (“we”, “us”, “our”) is operated by LodgeHQ Pty Ltd (ABN 52 696 192 677), founded by Awais Nisar, a Registered Migration Agent (MARN 2318017). We are committed to protecting the privacy of our users and their clients in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

This policy explains how we collect, use, store, and disclose personal information through the LodgeHQ platform at app.lodgehq.com.au.

2. Information We Collect

We collect the following categories of personal information:

  • Account information: Name, email address, phone number, business name, business address, MARN (for migration agents).
  • Client data: Information entered by migration agents about their clients, including names, dates of birth, passport numbers, visa application details, and other immigration-related data.
  • Documents: Files uploaded by agents or their clients, including identity documents, qualifications, and supporting evidence.
  • Payment information: Billing details processed securely through Stripe. We do not store credit card numbers on our servers.
  • Usage data: Log data, IP addresses, browser type, and interaction patterns for security and service improvement.

3. How We Use Your Information

We use personal information to:

  • Provide and maintain the LodgeHQ platform and its features.
  • Process subscription payments and manage billing.
  • Send transactional emails (verification codes, signature requests, questionnaire invitations).
  • Respond to support enquiries.
  • Ensure platform security, detect fraud, and prevent unauthorised access.
  • Comply with legal obligations, including OMARA regulatory requirements.

4. Data Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for sensitive personal identifiers (passport numbers, TRN numbers, DHA file numbers).
  • HMAC-signed session tokens and CSRF protection.
  • Two-factor authentication (2FA) support.
  • Content Security Policy headers and rate limiting.
  • All data transmitted over HTTPS/TLS.
  • Regular automated security audits of dependencies.

5. Data Storage & Retention

Your data is hosted on secure, enterprise-grade cloud infrastructure certified to ISO 27001 and SOC 2. This infrastructure may be located outside Australia. We take reasonable steps to ensure overseas providers handle your information consistently with the Australian Privacy Principles, and all data is encrypted in transit and at rest. Database backups are performed daily and retained for 30 days.

We retain your data for as long as your account is active. Upon account closure, your data remains available for export for 30 days, after which it is removed from our active systems; residual copies held in backups are purged within a further 30 days. Some information may be retained longer where required by law or for legitimate business purposes.

Migration agents are reminded of their independent obligations under the Migration Agents Regulations 1998 to maintain client records for a minimum of 7 years.

6. Disclosure of Information

We may share personal information with:

  • Stripe: For payment processing.
  • Resend: For transactional email delivery.
  • Google LLC & Microsoft Corporation: Where you connect your own Gmail or Outlook / Microsoft 365 mailbox, we access it through Google and Microsoft APIs to send and file your client correspondence on your behalf (see Section 7).
  • Service providers: Infrastructure and hosting providers who process data on our behalf under strict confidentiality agreements.
  • Law enforcement: Where required by law, court order, or regulatory authority.

Some of our service providers — including our hosting, payment, and email providers — are located overseas (see Section 5). Where we disclose information to an overseas recipient, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles.

We do not sell personal information to third parties.

7. Connected Email Accounts (Google & Microsoft)

LodgeHQ lets a migration agent optionally connect their own Gmail (Google) or Outlook / Microsoft 365 (Microsoft) mailbox, so that client correspondence can be sent from, and automatically filed against, the agent’s own email address. This feature is optional and is only ever activated when the agent explicitly connects a mailbox and grants consent on the provider’s own permission screen.

Google account data we access, and why:

  • gmail.send — to send emails (questionnaire invitations, document requests, letters and client correspondence) from the agent’s own connected address instead of a generic platform address.
  • gmail.readonly — to read messages in the connected mailbox so that emails to and from the agent’s clients can be matched and filed against the correct client matter (“email filing”).
  • userinfo.email — to identify which email address has been connected.

Microsoft account data we access, and why: the equivalent Mail.Send, Mail.Read and offline_access permissions, used for the same send and email-filing features on Outlook / Microsoft 365.

How this mailbox data is handled:

  • OAuth access and refresh tokens are stored encrypted (AES-256-GCM) and are used solely to provide the send and email-filing features the agent enabled.
  • Messages identified as correspondence with the agent’s clients are stored within the agent’s own LodgeHQ account and linked to the relevant client matter, so the case file is complete.
  • We do not use Google or Microsoft mailbox data for advertising; we do not sell or transfer it to third parties; and we do not use it to develop, improve, or train generalised artificial-intelligence or machine-learning models.
  • Mailbox content is not read by any human at LodgeHQ except where strictly necessary to provide support the agent has specifically requested, to maintain security or investigate abuse, or to comply with applicable law.
  • An agent can disconnect a mailbox at any time from Settings → Email, which stops all further access, revokes our tokens with the provider, removes the stored connection credentials from our systems, and deletes synced mailbox content that has not been filed to a client matter. Correspondence filed to a client matter is retained as part of that client’s case record, consistent with agents’ record-keeping obligations under the Migration Agents Regulations 1998. Access can also be revoked directly at myaccount.google.com/permissions (Google) or account.microsoft.com (Microsoft) — revocation is detected and triggers the same clean-up.

LodgeHQ’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your data (subject to legal retention requirements).
  • Export your data in a portable format.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

9. LodgeHQ eLodge Chrome Extension

LodgeHQ also publishes an optional Chrome browser extension called LodgeHQ eLodge, which allows registered migration agents to auto-fill Australian Department of Home Affairs ImmiAccount visa application forms using client data they have previously entered into their LodgeHQ account.

What the extension accesses:

  • The currently open tab on online.immi.gov.au — only to read the form field structure and write the user’s selected client data into those fields. The extension does not activate on any other website.
  • The user’s LodgeHQ account at app.lodgehq.com.au — to fetch the list of the user’s clients, their completed questionnaire answers, and the user’s agent profile (via the same authenticated session that the user has already signed into).
  • Chrome local storage — to remember the selected client and server URL between side-panel sessions.

How extension data is handled:

  • Client data fetched from LodgeHQ is held in memory inside the side panel only for the duration of the browser session. It is cached in Chrome local storage for convenience but never transmitted to any third party.
  • The extension communicates only with app.lodgehq.com.au (the user’s own LodgeHQ account) and online.immi.gov.au (the active visa form being filled). There are no analytics, tracking pixels, or third-party SDKs.
  • No data is collected by LodgeHQ Pty Ltd purely as a result of the extension being installed. All data handled by the extension is data the user already owns inside their own LodgeHQ account.
  • The extension does not sell, rent, or share user data. It is provided as a productivity feature of the LodgeHQ subscription.

Uninstalling the extension removes all locally cached data from the browser. No data is retained by LodgeHQ specifically as a consequence of extension use.

10. Cookies & Tracking

LodgeHQ uses essential cookies for authentication and session management. We do not use third-party advertising cookies or tracking pixels. Usage analytics are collected in aggregate form only.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of LodgeHQ after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this privacy policy or wish to make a privacy-related request, contact us at:

LodgeHQ Pty Ltd

Email: support@lodgehq.com.au

Geelong, Victoria, Australia