Privacy Policy
1. Who We Are
Madbay Holdings Pty Ltd, trading as WashSignal (ACN 696 719 785, ABN 90 696 719 785) ("WashSignal", "we", "us", "our") operates the WashSignal desktop application ("Software") and the WashSignal cloud dashboard ("Dashboard") at dashboard.washsignal.com. We are committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
2. Information We Collect
2.1 Account Information
When you register for a WashSignal account or activate a licence, we collect:
- Name and business name
- Email address
- Password (stored as a salted hash — we never store plaintext passwords)
- Role within your organisation (Owner, Admin, Staff, or Technician)
- Two-factor authentication (2FA) enrolment status and TOTP seed (encrypted)
2.2 Equipment and Operational Data
When you connect car wash equipment to WashSignal, the Software collects operational data from your equipment, including:
- Wash counts, package types, and service statistics
- Machine status (idle, washing, error, maintenance mode)
- Error and warning codes with timestamps
- Wash timing and duration data
- Bay configuration (number of bays, bay names)
- Abort logs and fault diagnostic data (when fetched via the Software)
2.3 Maintenance and Support Data
- Maintenance log entries you create (description, category, equipment, date, author)
- Support tickets you submit via the Dashboard (subject, description, attachments)
2.4 Usage and Technical Data
- Software version and licence tier (Basic or Pro)
- Hardware fingerprint (used for licence activation — a one-way hash, not raw hardware details)
- IP address and approximate location (country/region, derived from IP)
- Dashboard login timestamps and session duration
- HMI Remote Access session logs (user, site, start time, duration)
2.5 Information We Do NOT Collect
- Car wash customer personal data (names, payments, vehicles)
- GPS or precise geolocation data
- Browser history or activity outside of WashSignal
- Microphone, camera, or biometric data
3. How We Use Your Information
- Providing the service: operating the Software and Dashboard, displaying equipment status, delivering features, and processing your support requests
- Licence management: validating licences, managing activations, enforcing tier restrictions, and preventing unauthorised use
- Security: detecting fraud, preventing abuse, enforcing rate limits, and maintaining audit logs for HMI remote access
- Communications: sending transactional emails (team invitations, password resets, support ticket updates, licence renewal reminders)
- Product improvement: analysing aggregated, anonymised usage patterns to improve features and fix issues
We do not use your data for advertising, profiling, or sale to third parties.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in these limited circumstances:
4.1 Within Your Organisation
If you use team features, your account information and equipment data may be visible to other authorised users within your organisation based on role permissions (Owner, Admin, Staff). Technicians with access grants see only bay status and HMI access for granted sites.
4.2 Third-Party Service Providers
We use a small number of third-party providers to operate WashSignal. These providers process data on our behalf under contractual obligations to protect your information:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Hetzner Online | Server hosting and database | All server-side data | Germany (EU) |
| Cloudflare | DNS, CDN, and DDoS protection | IP addresses, request metadata | Global (edge network) |
| Brevo (Sendinblue) | Transactional email delivery | Email address, name | EU |
| Google Analytics | Marketing website traffic analysis | IP address, page views, device info | United States |
Stripe — We use Stripe to process subscription payments. When you subscribe, your payment card details are collected directly by Stripe and are never stored on our servers. Stripe may collect your name, email, billing address, and payment method. Stripe's use of your data is governed by their Privacy Policy. We receive only a confirmation of payment status, subscription ID, and billing period — never your full card number.
4.3 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If WashSignal is acquired, merges with another company, or sells substantially all of its assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your information.
5. Data Ownership
You retain ownership of all data collected from your equipment ("Your Data"). WashSignal does not claim ownership of Your Data. We process it solely for the purpose of providing the service to you.
You grant WashSignal a limited licence to use Your Data to provide and improve the service, and to generate anonymised, aggregated statistics where no individual customer or site can be identified.
6. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- TLS/SSL encryption for all data in transit (API, Dashboard, HMI tunnels)
- Passwords stored using salted bcrypt hashing
- Two-factor authentication (TOTP) available for all Dashboard accounts
- Role-based access controls following the principle of least privilege
- Rate limiting and account lockout after failed login attempts
- Daily automated database backups with 14-day retention
- Server hardened with SSH key-only access, firewall rules, and fail2ban
- Regular security audits of the codebase and infrastructure
- HMI Remote Access sessions are fully logged with an audit trail
No system is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security of your data.
7. Data Retention
- Account data: retained while your account is active, then for 30 days after account termination
- Equipment and wash data: retained while your licence is active, then for 30 days after termination
- Maintenance logs: retained while your account is active
- Support tickets: retained for 12 months after resolution
- HMI session audit logs: retained for 12 months
- Anonymised aggregate data: may be retained indefinitely
- Server access logs: retained for 14 days
We may retain certain information longer if required by law or to resolve disputes.
8. Cookies and Local Storage
The WashSignal Dashboard uses the following browser storage:
- Authentication token: stored in localStorage to maintain your login session. Cleared on logout.
- Dashboard preferences: stored in localStorage (e.g., collapsed sections, selected filters). No personal data.
We do not use tracking cookies, advertising cookies, or analytics tools within the Dashboard or Software.
8.1 Marketing Website Analytics
Our marketing website at washsignal.com uses Google Analytics to understand visitor traffic, such as which pages are visited and how visitors find our site. Google Analytics uses cookies and collects anonymised usage data including IP address (anonymised), pages visited, time on site, browser and device type, and referring website.
Google Analytics is used only on washsignal.com — it is not present on the Dashboard (dashboard.washsignal.com) or within the desktop Software. You can opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on.
9. Your Rights
Under Australian Privacy Law and the Australian Privacy Principles, you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request deletion of your personal information (subject to legal retention requirements and active licence obligations)
- Data export: request a copy of your equipment data in a commonly used format
- Withdraw consent: withdraw consent for optional data processing at any time
- Complaint: lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. International Data Transfers
Our servers are hosted by Hetzner Online GmbH in Nuremberg, Germany (European Union). Your data is stored within the EU, which provides strong data protection under the General Data Protection Regulation (GDPR).
Cloudflare processes request metadata at edge locations globally but does not persistently store your personal data. Brevo processes transactional emails within the EU.
By using WashSignal from Australia or any other location, you consent to your data being transferred to and processed in the European Union.
11. Children's Privacy
WashSignal is a business-to-business service designed for car wash operators. It is not directed at children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected such information, we will delete it promptly.
12. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988
- Notify affected individuals as soon as practicable, including a description of the breach, the type of information involved, and recommended steps to mitigate potential harm
- Take reasonable steps to contain the breach and prevent further unauthorised access
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last updated" date
- Sending an email notification to registered users for significant changes
- Displaying a notice within the Dashboard
Continued use of the Software or Dashboard after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your data:
Madbay Holdings Pty Ltd, trading as WashSignal
ACN: 696 719 785
ABN: 90 696 719 785
Email: [email protected]
Website: washsignal.com
Western Australia, Australia
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992