Privacy policy
FirePrep is a firefighter-recruitment readiness coaching service for candidates in Australia and New Zealand. Recruitment data is sensitive, so we keep this policy specific and short on jargon. It explains what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it.
1. Scope
This policy covers the FirePrep marketing website (fireprep.app), the FirePrep web application (fireprep.app/app), the admin tools we use internally, and any related emails we send you. It applies to "personal information" as defined in the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and to "personal information" as defined in the NZ Privacy Act 2020.
"FirePrep", "we", "us" and "our" refer to the operator of FirePrep (a sole-trader business operated from Australia; a registered legal entity name and ABN will be published here once finalised). Our Terms of service govern your use of the service.
2. What we collect
We only collect what we need to run the service. Concretely:
- Account identifiers (from Clerk): a Clerk user ID, your email address, and (if you provide them) first name, last name, and profile picture. Your password and federated sign-in tokens are stored by Clerk, not by us.
- Onboarding profile: country (AU/NZ); the fire services you're applying to (primary target plus optional secondary services); your current stage in the recruitment process; your primary goal and preferred focus area; weekly hours you can commit; self-rated fitness and confidence (1–10); full name; date of birth; gender; height and weight; suburb and state; phone number; highest education; current occupation; years in role; prior emergency-services experience and notes; driver's licence class; application or candidate number; prior recruitment attempts and notes; motivations ("why firefighting", "success in 6 months"); injury notes; shift-work tolerance; willingness to relocate; preferred check-in cadence and coaching tone; your target exam date; and your explicit choice to consent (or not) to personalised AI coaching.
- Readiness & practice data: answers to readiness items, practice scenarios, returner / experience proofs you upload, the resulting scores, and any plans we generate for you.
- Coach chat content: the messages you send to the AI coach and the responses we generate, including any reasoning artefacts kept for safety review.
- Subscription & billing metadata (via Stripe): your plan, status, country, billing currency, subscription period, invoice IDs, and the last 4 digits / brand of your card as returned by Stripe. We do not store full card numbers.
- Notifications: the in-app and email notifications we send you, your read state, and your preferences. Email delivery is handled by Resend; we receive webhook events on delivery, bounce, and complaints.
- Analytics & device metadata: high-level page and section views, CTA clicks, screen size, browser language, approximate location derived from IP, and a session identifier. The marketing site uses Plausible (cookieless) by default and Google Analytics 4 only with consent — see section 12 and the Cookies notice.
- Server logs: request paths, response codes, timings, error stack traces, and the user ID associated with the request — kept for security, debugging and abuse detection.
- Support correspondence: emails you send us at hello@fireprep.app.
We do not knowingly collect special-category data beyond what you choose to enter in onboarding (for example, an injury note). Please don't paste sensitive personal information about other people into the coach chat or freeform fields.
3. How we use it
We use your information to:
- Create and secure your account, authenticate you, and prevent abuse.
- Calculate your readiness score, generate practice items and explanations, and tailor coach chats and plans to your situation (only when you have consented to personalised coaching).
- Send transactional emails (sign-in, password reset, billing receipts, refresh and review alerts where applicable, and important service notices).
- Process payments, manage subscriptions and prepaid passes, handle refunds, and meet our financial-record obligations.
- Detect, investigate and prevent fraud, cheating, scraping, abuse of the AI coach, and breaches of our Terms.
- Understand which marketing channels work, in aggregate, so we can spend efficiently.
- Comply with legal obligations (for example, tax, accounting, and lawful requests).
- Reach out about your account and answer support questions.
We do not sell your personal information. We do not run third-party advertising on the in-app experience. We do not use your coach chats to train public third-party AI models.
4. Legal basis
In Australia and New Zealand we rely on a mix of the following bases for handling your information: contract (to provide the service you signed up for), consent (where you have opted in — e.g. personalised AI coaching, GA4 analytics), legitimate interests (e.g. security, debugging, fraud prevention, aggregate analytics), and legal obligation (e.g. financial records, lawful requests). Where a request would require sensitive information, we will tell you and ask for your consent.
5. AI processing
FirePrep uses large language models from third-party providers to generate readiness explanations, practice feedback, coach-chat responses, plans, and reviews. Personalised AI features only run when you have explicitly consented to personalised coaching during onboarding. You can withdraw consent at any time from your profile; future personalised features will then be disabled, while previously generated content may remain in your account until you delete it.
What we send to AI providers is the minimum necessary for the task — usually your prompt, the relevant readiness context, the active question or scenario, and (for coach chat) recent chat turns. We do not send your Stripe payment details, your password, or your full profile if it isn't needed for the request.
We log AI inputs and outputs in our database for safety review, quality improvement, debugging, abuse detection and billing reconciliation. Our AI providers process inputs under their own privacy and data-handling terms; we configure those relationships so that your inputs are not used to train their public models, subject to each provider's contractual commitments and any provider-side abuse-review retention period. Daily caps and circuit-breakers apply to protect both you and us.
AI outputs are advisory only and can be wrong (see Terms section 7). Don't rely on them for safety-critical decisions.
6. Third-party processors
We share information with a small set of vendors who help us deliver the service. Each operates under its own privacy policy:
- Clerk — authentication and account management.
- Stripe — payments, subscriptions, invoices, and tax handling.
- Resend — transactional email delivery and webhook events for delivery / bounce / complaints.
- Plausible Analytics — cookieless website analytics on the marketing site.
- Google Analytics 4 — ad-channel measurement on the marketing site, only loaded with your consent.
- AI model providers — the large-language-model providers powering the coach and explanations.
- Hosting / infrastructure — the cloud provider hosting our application and database.
We may also disclose information to professional advisers under confidentiality, and to law enforcement, regulators, or courts where required by law.
7. Storage & cross-border transfers
Our primary database is hosted in a cloud region close to Australia. Some processors above (notably AI model providers, Stripe, Resend, Clerk and Google) operate globally and may process your information outside Australia and New Zealand, including in the United States and Europe. We pick processors who maintain industry-standard data-protection commitments and we configure their products to keep data inside the regions they advertise where that option exists. By using FirePrep you consent to these cross-border transfers in line with APP 8 and the equivalent NZ provisions.
8. How long we keep data
- Account & onboarding profile: while your account is active, plus a short wind-down period after deletion for backups and abuse review (typically up to 90 days).
- Readiness, practice and coach-chat content: while your account is active. You can archive coach chat sessions inside the app to hide them from your active list. Deleting your account removes this content from active databases, subject to the wind-down period above.
- Subscription & billing records: 7 years to meet Australian tax-and-accounting obligations.
- Server logs: typically 30–90 days, longer for entries flagged as security events.
- Notification delivery metadata: typically 90 days.
- Analytics: Plausible aggregates only; GA4 retention is set to the shortest GA4 supports (currently 14 months) on the GA4 property.
De-identified aggregates (counts, averages, model evaluations) may be retained longer to improve the service.
9. Security
We use HTTPS for all client and API traffic. Secrets are stored in our hosting platform's secret manager, not in the repository. Application access is gated by Clerk authentication and our own authorisation middleware; administrative actions are gated by a separate admin role and audited. Database backups are encrypted at rest by our cloud provider. We follow the principle of least privilege for internal access and rotate credentials when staff change.
No system is perfectly secure. If you spot a vulnerability, please report it to hello@fireprep.app.
10. Your rights
Subject to Australian and NZ privacy law you can:
- Ask us what personal information we hold about you and request a copy.
- Correct information that is wrong or out of date (most onboarding fields are also editable from your profile).
- Delete your account and the personal information we hold for it (subject to the legal-retention items in section 8).
- Withdraw your consent to personalised AI coaching or to GA4 analytics at any time.
- Object to processing based on legitimate interests by telling us why.
- Make a privacy complaint. We will respond within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au) or, in New Zealand, the Office of the Privacy Commissioner (privacy.org.nz).
To exercise any of these rights, email hello@fireprep.app from the email address on your account. We may need to verify your identity before acting.
11. Children
FirePrep is intended for users aged 18 and over. If a careers officer or training program registers users on behalf of younger candidates, the careers officer is the account holder and is responsible for the candidate's use of the service. If you believe a child under 18 has registered without supervision, email hello@fireprep.app and we will close the account.
13. Data breach response
If we become aware of a personal-information breach that is likely to cause serious harm, we will assess it under the Notifiable Data Breaches scheme (Australia) and the NZ Privacy Act 2020 and, where required, notify affected users and the relevant regulator without undue delay.
14. Changes to this policy
We may update this policy from time to time. When we make a material change we will update the "Last updated" date at the top and, for active paid users, give reasonable notice by email or in-app banner. Continued use of the service after a change takes effect means you accept the updated policy.
15. Contact us
Questions, requests, or complaints about this policy or your personal information? Email hello@fireprep.app from the email address on your account. We read every message and aim to respond within 7 days.
See also: Terms of service · Cookies & analytics