TacTrax arrow_backBack to Home
// LEGAL · COMPLIANCE

Legal & Policies

TacTrax by K-Labs · Queensland, Australia

EFFECTIVE: 2026-05-26
// TABLE OF CONTENTS
  1. Terms of Servicearrow_forward
  2. Privacy Policyarrow_forward
  3. Acceptable Use Policyarrow_forward
  4. Data Processing Agreementarrow_forward
  5. Data Residencyarrow_forward
  6. Securityarrow_forward
// 01 · TERMS OF SERVICE

Terms of Service

infoKey Notice

By accessing or using TacTrax (the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to all of these Terms, you must not access or use the Service. These Terms constitute a legally binding agreement between you ("User", "you") and K-Labs ABN [pending registration], operating as TacTrax ("TacTrax", "we", "us", "our"), a company registered in Queensland, Australia.

1.1 Acceptance of Terms

These Terms govern your access to and use of the TacTrax mobile application, the TacTrax web portal, and all associated services, APIs, and data feeds (collectively, the "Service"). By creating an account, downloading the application, or accessing any part of the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and our Acceptable Use Policy. We reserve the right to modify these Terms at any time. Material changes will be communicated via in-app notification or email at least thirty (30) days prior to taking effect. Your continued use of the Service after such notice constitutes acceptance of the revised Terms.

1.2 Eligibility

You must be at least thirteen (13) years of age to use the Service. If you are between the ages of 13 and 18, you represent that your parent or legal guardian has reviewed and agreed to these Terms on your behalf. By using the Service, you represent and warrant that you meet the applicable age requirement and have the legal capacity to enter into a binding agreement. If you are accessing the Service on behalf of an organisation, you represent that you have the authority to bind that organisation to these Terms.

1.3 Account Responsibilities

To access certain features of the Service, you must create an account using Firebase Authentication. You may register using your email address and password, or via Apple Sign-In (on iOS devices). You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You agree to immediately notify TacTrax at hello@tactrax.app if you suspect any unauthorised access to or use of your account. TacTrax will not be liable for any loss or damage arising from your failure to maintain the security of your account credentials.

1.4 Subscription Tiers and Payment Terms

The Service is offered in two tiers:

  • Free Tier: Provides access to all 42 map layers, live GPS tracking, all seven operational modes, and local-only annotations and missions. The Free Tier includes banner advertisements served via Google AdMob. Cloud sync and web portal access are not included.
  • Pro Tier: Includes everything in the Free Tier, plus cloud synchronisation across all devices, full web portal access, unlimited offline region packs, no advertisements, priority support, and access to Custom Mode (when available). Pro pricing starts from AUD $19.99 per month (or regional equivalent), billed as a recurring subscription.

All payments for the Pro Tier are processed exclusively through Apple App Store (via In-App Purchase) or Google Play Store (via Google Play Billing), as managed by our billing partner RevenueCat. TacTrax does not directly collect, process, or store any payment card information. Subscription pricing, billing cycles, free trial eligibility, cancellation, and refund policies are governed by the terms of the applicable app store. You may cancel your subscription at any time through the subscription management settings of your Apple ID or Google Play account. Cancellation takes effect at the end of the current billing period, and you will retain access to Pro features until that date.

1.5 Intellectual Property

The Service, including but not limited to the TacTrax software, user interface designs, logos, trademarks, the TacTrax design system, data aggregation pipeline, documentation, and all other proprietary materials (collectively, the "TacTrax IP"), is and shall remain the exclusive property of K-Labs. These Terms do not grant you any right, title, or interest in the TacTrax IP, except for the limited, non-exclusive, non-transferable, revocable licence to use the Service in accordance with these Terms. All rights not expressly granted herein are reserved by K-Labs.

1.6 User-Generated Content

The Service allows you to create, upload, and share certain content, including but not limited to map annotations (polygons and points of interest), mission definitions, GPS recordings, and tags (collectively, "User Content"). You retain all ownership rights in your User Content. By submitting User Content to the Service, you grant TacTrax a non-exclusive, worldwide, royalty-free licence to host, store, transmit, display, and reproduce your User Content solely for the purposes of providing, maintaining, and improving the Service. You represent and warrant that you have all necessary rights to submit your User Content and that it does not infringe upon any third-party rights or violate any applicable law.

1.7 Data Accuracy Disclaimer

warningImportant Disclaimer

Map data displayed within TacTrax is aggregated from government sources including Queensland Open Data (CKAN), NSW Spatial Services, Geoscience Australia (ArcGIS REST), DCCEEW (Australian Marine Parks), CAPAD 2024, and OpenStreetMap. Satellite imagery is sourced from MapTiler and ESRI. TacTrax does not guarantee the accuracy, completeness, currency, or reliability of any map data, cadastral boundaries, maritime boundaries, marine park zones, or geospatial information displayed within the Service. This data is provided on an "as-is" basis and may contain errors, omissions, or be out of date. You must not rely solely on TacTrax data for navigation, boundary compliance, legal determinations, or any activity where inaccurate data could result in property damage, personal injury, or death. Always verify boundaries and spatial data independently with the relevant government authority.

1.8 Limitation of Liability

To the maximum extent permitted by applicable law, including the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), TacTrax and K-Labs shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, goodwill, or business opportunity, arising out of or in connection with your use of or inability to use the Service, regardless of the cause of action or the theory of liability (whether in contract, tort, strict liability, or otherwise), even if TacTrax has been advised of the possibility of such damages.

TacTrax's total aggregate liability to you for any and all claims arising out of or relating to these Terms or the Service shall not exceed the amount you have paid to TacTrax for the Service during the twelve (12) months immediately preceding the event giving rise to the claim, or one hundred Australian dollars (AUD $100), whichever is greater.

Nothing in these Terms excludes, restricts, or modifies any consumer guarantee, right, or remedy conferred on you by the Australian Consumer Law or any other applicable law that cannot be excluded, restricted, or modified by agreement.

1.9 Termination

You may terminate your account at any time by contacting us at hello@tactrax.app or by deleting your account through the application settings. TacTrax reserves the right to suspend or terminate your access to the Service at any time, with or without cause, and with or without notice, including but not limited to circumstances where you have violated these Terms or the Acceptable Use Policy. Upon termination, your right to use the Service will immediately cease. We will retain your data for a period consistent with our Privacy Policy before permanent deletion, unless otherwise required by law.

1.10 Governing Law and Dispute Resolution

These Terms shall be governed by and construed in accordance with the laws of the State of Queensland, Australia, without regard to its conflict-of-law principles. You agree to submit to the exclusive jurisdiction of the courts of Queensland, Australia, for any dispute arising out of or relating to these Terms or the Service. Before initiating any formal legal proceedings, you agree to first attempt to resolve any dispute informally by contacting us at hello@tactrax.app. Both parties agree to engage in good-faith negotiations for a period of at least thirty (30) days before commencing court proceedings.

1.11 General Provisions

If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. TacTrax's failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision. These Terms, together with the Privacy Policy, Acceptable Use Policy, and any other policies referenced herein, constitute the entire agreement between you and TacTrax regarding the Service and supersede all prior agreements and understandings.

// 02 · PRIVACY POLICY

Privacy Policy

TacTrax by K-Labs ("TacTrax", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the TacTrax mobile application, web portal, and related services (the "Service"). This policy complies with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2.1 Information We Collect

We collect the following categories of information:

  • Account Information: Email address, display name, and authentication provider details (email/password or Apple Sign-In). Collected during account registration via Firebase Authentication.
  • GPS Location Data: Real-time GPS coordinates, heading, speed, altitude, and accuracy metrics. This data is collected at up to 5 Hz when the application is in active tracking mode. Location data is essential to the core functionality of the Service.
  • Device Information: Device model, operating system and version, unique device identifier (for telemetry and push notifications), screen resolution, and locale.
  • Usage Analytics: Feature usage patterns, session duration, operational mode selections, map layer interactions, offline pack downloads, and crash reports. Collected to improve service quality and user experience.
  • User-Generated Content: Annotations (polygons, POIs), mission definitions, GPS recordings, tags, and associated metadata that you create within the Service.
  • Subscription Information: Subscription tier, billing status, and transaction identifiers. Payment processing is handled entirely by Apple, Google, and RevenueCat; we do not collect or store payment card details.

2.2 How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and operate the Service, including map rendering, GPS tracking, mission management, cloud synchronisation, and offline capabilities.
  • Analytics and Improvement: To analyse usage patterns, diagnose technical issues, and improve the performance, reliability, and user experience of the Service.
  • Customer Support: To respond to your enquiries, troubleshoot issues, and provide technical assistance.
  • Communications: To send you service-related notifications, updates, and (with your consent) promotional communications. You may opt out of promotional communications at any time.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

2.3 Firebase Auth and Firestore Storage

Your account data is managed through Google Firebase Authentication. User-generated content (annotations, missions, recordings, tags) for Pro tier subscribers is stored in Google Cloud Firestore, located in the australia-southeast1 (Sydney) region. Free tier users have their data stored locally on-device only. All data in Firestore is protected by Firebase Security Rules that enforce per-user access controls, ensuring that you can only read and write your own data unless explicitly shared via organisation-level access (Org plans).

2.4 RevenueCat Payment Processing

We use RevenueCat as our subscription management and billing orchestration platform. RevenueCat interfaces with Apple App Store and Google Play to manage subscription lifecycles, trial periods, and entitlement verification. RevenueCat receives a limited set of data including your anonymous app user ID, subscription status, product identifiers, and transaction identifiers. RevenueCat does not receive your email address, name, or GPS data. For more information, please refer to RevenueCat's Privacy Policy.

2.5 No Sale of Personal Data

verified_userOur Commitment

TacTrax does not sell, rent, lease, or trade your personal information to any third party for any purpose. We do not share your GPS location data, usage analytics, or any other personal information with advertisers for targeted advertising purposes. Banner advertisements in the Free Tier are served by Google AdMob using contextual (non-personalised) targeting only.

2.6 Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:

  • Account data: Retained for the duration of your account, plus 90 days following account deletion to allow for recovery.
  • GPS recordings and annotations: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Usage analytics: Aggregated and anonymised data may be retained indefinitely. Identifiable analytics data is retained for no longer than 24 months.
  • Support correspondence: Retained for up to 36 months following resolution.

Upon account deletion, we will delete or anonymise your personal information within the timeframes stated above, unless retention is required by law (for example, for tax or accounting purposes).

2.7 Cookies and Local Storage

The TacTrax web portal uses essential cookies and browser local storage for authentication session management and user preferences. We do not use third-party tracking cookies. The mobile application uses on-device local storage (AsyncStorage and Zustand persist) to cache application state, map tiles (up to 250 MB ambient cache via MapLibre), and offline data packs. This data never leaves your device unless you are a Pro subscriber with cloud sync enabled.

2.8 Children's Privacy

TacTrax does not knowingly collect personal information from children under the age of thirteen (13). If we become aware that we have inadvertently collected personal information from a child under 13, we will take reasonable steps to delete that information as promptly as possible. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at hello@tactrax.app.

2.9 Your Rights Under Australian Privacy Law

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

  • Access: Request access to the personal information we hold about you.
  • Correction: Request that we correct any inaccurate or incomplete personal information.
  • Deletion: Request the deletion of your personal information, subject to any legal obligations requiring us to retain it.
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been breached.

To exercise any of these rights, please contact us at hello@tactrax.app. We will respond to all access and correction requests within thirty (30) days.

2.10 GDPR Rights for EU Users

If you are located in the European Economic Area (EEA) or the United Kingdom, the following additional rights apply under the GDPR:

  • Lawful Basis: We process your personal data on the basis of contractual necessity (to provide the Service), legitimate interest (analytics and service improvement), and consent (promotional communications).
  • Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON export).
  • Right to Erasure: You may request the deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing: You may request that we restrict the processing of your data in certain circumstances.
  • Right to Object: You may object to the processing of your data where we rely on legitimate interest as the legal basis.
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

International data transfers from the EEA to Australia are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission. See our Data Processing Agreement for further detail.

2.11 Contact for Privacy Enquiries

For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact:

TacTrax Privacy Team
K-Labs, Queensland, Australia
Email: hello@tactrax.app

// 03 · ACCEPTABLE USE POLICY

Acceptable Use Policy

This Acceptable Use Policy ("AUP") sets out the rules and standards governing your use of the TacTrax Service. This policy supplements our Terms of Service and applies to all users of the Service, including Free and Pro tier subscribers. Violation of this AUP may result in immediate suspension or termination of your account.

3.1 Prohibited Uses

You agree not to use the Service for any of the following purposes:

  • Illegal Activities: Any use that violates any applicable federal, state, territory, or local law or regulation, including but not limited to wildlife protection laws, firearms regulations, aviation regulations, trespass laws, and maritime zone regulations.
  • Harassment and Threats: Using the Service to stalk, harass, threaten, intimidate, or cause harm to any person, including using GPS tracking or annotation features to monitor individuals without their knowledge and consent.
  • Surveillance and Stalking: Misusing the geospatial capabilities of the Service — including GPS recordings, real-time location tracking, annotations, or map overlays — to conduct unauthorised surveillance of individuals, properties, or activities. This includes tracking another person's movements, creating annotations that identify private residences with the intent to target or monitor individuals, or sharing location data that could facilitate stalking or domestic violence.
  • Reverse Engineering: Decompiling, disassembling, reverse engineering, or otherwise attempting to derive the source code, algorithms, data structures, or underlying architecture of the TacTrax software, data aggregation pipeline, or any other component of the Service.
  • Scraping and Data Extraction: Using automated tools, scripts, bots, web crawlers, or any other automated means to access, scrape, extract, download, or index the Service, map tiles, geospatial data, or any other content from the Service, including the vector tile data served from our Martin tile server.
  • Service Interference: Attempting to disrupt, overwhelm, or interfere with the operation of the Service, including denial-of-service attacks, exploitation of vulnerabilities, injection of malicious code, or any activity that degrades performance for other users.
  • Impersonation: Misrepresenting your identity, affiliation, or authority, including impersonating another user, a TacTrax employee, or a government official.
  • Circumvention: Attempting to bypass, disable, or circumvent any access controls, subscription restrictions, rate limits, security features, or digital rights management measures implemented within the Service.

3.2 Content Standards for User-Generated Annotations

When creating annotations, missions, tags, or any other user-generated content within the Service, you agree that your content must not:

  • Contain defamatory, obscene, offensive, or discriminatory material.
  • Infringe upon the intellectual property rights of any third party, including copyright, trademarks, and trade secrets.
  • Contain personally identifiable information of third parties without their explicit consent.
  • Include false or misleading geographic data that could endanger the safety of other users or the public (for example, marking non-existent landing zones, incorrectly tagging hazards, or misrepresenting property boundaries).
  • Facilitate illegal hunting, poaching, or taking of protected species by marking habitats, nesting sites, or protected areas for the purpose of unlawful harvest.
  • Violate any applicable government data licensing terms for data that originated from government portals or open-data feeds.

3.3 Consequences of Violation

TacTrax reserves the right to take any of the following actions, at our sole discretion, if we determine that you have violated this AUP:

  • Warning: Issue a written warning specifying the nature of the violation and requiring immediate corrective action.
  • Content Removal: Remove, disable, or restrict access to any user-generated content that violates this AUP.
  • Account Suspension: Temporarily suspend your access to the Service pending investigation.
  • Account Termination: Permanently terminate your account and delete all associated data. Where an account is terminated for AUP violations, no refund of subscription fees will be provided.
  • Legal Action: Report violations to law enforcement authorities and cooperate with their investigations, including providing relevant account data as required by applicable law.

3.4 Reporting Violations

If you become aware of any conduct or content that violates this Acceptable Use Policy, we encourage you to report it promptly. Please email hello@tactrax.app with a detailed description of the violation, including screenshots or other evidence where possible. All reports are reviewed within 48 hours by a member of the TacTrax team. We take all reports seriously and will take appropriate action in accordance with this policy. Reports may be submitted anonymously.

// 04 · DATA PROCESSING AGREEMENT

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TacTrax by K-Labs ("Processor", "we") and you ("Controller", "you") and governs the processing of personal data in connection with the TacTrax Service. This DPA is provided in accordance with Article 28 of the GDPR and the Australian Privacy Principles, and applies to all personal data processed on your behalf through the Service.

4.1 Definitions

  • "Controller" means you, the user or organisation that determines the purposes and means of processing personal data through the Service.
  • "Processor" means TacTrax by K-Labs, which processes personal data on behalf of the Controller through the provision of the Service.
  • "Sub-processor" means a third-party service provider engaged by the Processor to assist in the processing of personal data.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR and/or the Privacy Act 1988 (Cth).
  • "Data Subject" means the individual to whom the personal data relates.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, transmission, and deletion.

4.2 Scope and Purpose of Processing

The Processor shall process personal data solely for the purpose of providing, maintaining, and improving the TacTrax Service as described in the Terms of Service. Processing activities include: account authentication and management, GPS location tracking and recording, map data rendering, cloud synchronisation of user-generated content, subscription management, and usage analytics.

4.3 Data Subject Categories

The categories of data subjects whose personal data may be processed include:

  • Registered TacTrax users (both Free and Pro tier)
  • Organisation members (Org plan users)
  • Web portal users
  • Individuals whose information may be contained within user-generated annotations (for example, property owners identified in mission notes)

4.4 Types of Personal Data Processed

Data Category Specific Data Elements
Identity Data Email address, display name, authentication provider (email/Apple Sign-In)
Location Data GPS coordinates (lat/lon), heading (degrees), speed (m/s), altitude (m AMSL), accuracy (m), satellite count
Device Data Device model, OS version, unique device identifier, locale, screen resolution
Usage Data Feature interactions, session duration, mode selections, layer usage, crash reports
Content Data Annotations, missions, recordings, tags, and associated metadata
Billing Data Subscription tier, billing status, transaction identifiers (via RevenueCat)

4.5 Sub-processors

The Processor engages the following sub-processors for the delivery of the Service. The Controller consents to the use of these sub-processors as listed below:

Sub-processor Purpose Data Location
Google Cloud / Firebase Authentication, Firestore database, Cloud Storage, Hosting, Analytics australia-southeast1 (Sydney, AU)
RevenueCat Subscription management, billing orchestration, entitlement verification United States (AWS us-east-1)
MapTiler Satellite and vector base map tile serving European Union (multiple regions)
Google AdMob Non-personalised contextual advertising (Free Tier only) United States / Global CDN

The Processor shall notify the Controller of any intended changes to sub-processors at least thirty (30) days prior to the change taking effect. If the Controller reasonably objects to a new sub-processor, TacTrax will make commercially reasonable efforts to address the objection.

4.6 Data Security Measures

The Processor shall implement and maintain appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit using TLS 1.3 for all API and data communications.
  • Encryption at rest using AES-256 for all data stored in Firestore and Cloud Storage.
  • Firebase Security Rules enforcing per-user access controls.
  • Role-based access control for internal administrative access.
  • Regular security audits and vulnerability assessments.

4.7 Data Breach Notification

notification_importantBreach Response

In the event of a confirmed personal data breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. The notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to mitigate the effects. The Processor shall cooperate fully with the Controller in investigating and remediating the breach and in meeting any regulatory notification obligations.

4.8 Data Subject Rights Assistance

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, portability, restriction, and objection. The Processor shall promptly forward any data subject requests received directly to the Controller and shall implement technical measures to facilitate the fulfilment of such requests.

4.9 International Data Transfers

Where personal data is transferred from the EEA, United Kingdom, or Switzerland to Australia or to sub-processors located outside these jurisdictions, such transfers shall be protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Implementing Decision (EU) 2021/914), or by other legally recognised transfer mechanisms. Australia has been recognised by the European Commission as providing an adequate level of data protection for certain categories of data processing.

4.10 Audit Rights

The Controller, or a mandated independent auditor, shall have the right to conduct audits and inspections to verify the Processor's compliance with this DPA, subject to reasonable notice (no less than thirty (30) days) and during normal business hours. Audits shall be conducted at the Controller's expense and shall not unreasonably interfere with the Processor's business operations. The Processor shall make available all information necessary to demonstrate compliance and shall cooperate with any audit or inspection.

4.11 Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service agreement, the Processor shall, at the Controller's election, either return all personal data to the Controller in a structured, commonly used format (JSON export) or securely delete all personal data within ninety (90) days, except where retention is required by applicable law. The Processor shall provide written certification of deletion upon request.

// 05 · DATA RESIDENCY

Data Residency

TacTrax is built for the Australian market and is engineered to keep your data within Australian borders wherever technically feasible. This section describes where your data is stored, how it is served, and the mechanisms in place to ensure compliance with Australian data sovereignty requirements.

5.1 Primary Data Storage — Google Cloud Australia

All primary user data — including account information, user-generated annotations, missions, GPS recordings, tags, and associated metadata — is stored in Google Cloud's australia-southeast1 region (Sydney, New South Wales). This applies to both Firebase Firestore (document database) and Firebase Cloud Storage (file and media storage). By hosting in the Sydney region, data remains within Australian jurisdiction and is subject to Australian privacy and data protection laws.

Service Google Cloud Region Physical Location
Firebase Firestore australia-southeast1 Sydney, NSW, Australia
Firebase Cloud Storage australia-southeast1 Sydney, NSW, Australia
Firebase Authentication Global (Google-managed) Multi-region (Google infrastructure)
Firebase Hosting Global CDN (origin: AU) Served from nearest edge; origin in Australia
publicNote on Firebase Authentication

Firebase Authentication is a globally distributed service managed by Google. Authentication tokens and session data may be processed in data centres outside Australia as part of Google's global infrastructure. However, authentication data is limited to email addresses, hashed credentials, and session tokens — it does not include GPS location data, user-generated content, or other substantive personal data.

5.2 Tile Data and CDN

Vector tile data (PMTiles archives) generated by the TacTrax data aggregation pipeline are hosted on Australian infrastructure and served via our Martin tile server. Where a content delivery network (CDN) is used for performance optimisation, tile data is cached at edge locations globally, but the canonical data source remains within Australia. Tile data is derived from publicly available government datasets and does not contain personal information.

5.3 Offline Data — On-Device Storage

When you download offline region packs or use the ambient map cache (up to 250 MB via MapLibre), this data is stored exclusively on your device in the application's local sandbox. On-device data is not transmitted to any server unless you are a Pro subscriber with cloud sync enabled, in which case only user-generated content (annotations, missions, recordings) is synchronised — cached map tiles remain local. If the application is uninstalled, all locally stored data is deleted by the operating system.

5.4 Backup and Disaster Recovery

Google Cloud Firestore provides automatic, continuous backups with point-in-time recovery capability within the australia-southeast1 region. Backups are stored in the same Google Cloud region as the primary data and do not leave Australian jurisdiction. Firebase Cloud Storage utilises redundant storage within the same region, ensuring data durability. In the event of a regional outage, Google's disaster recovery procedures apply, and data recovery is performed within the same geographic region. TacTrax does not replicate data to non-Australian regions for backup purposes.

5.5 Data Sovereignty Compliance

TacTrax is designed to comply with Australian government data sovereignty requirements. All substantive user data (identity, location, content) is stored and processed within Australia. For government agencies, defence contractors, or organisations with specific data sovereignty mandates, TacTrax provides the following assurances:

  • All Firestore and Cloud Storage data resides in the australia-southeast1 (Sydney) region.
  • No substantive personal data is stored in jurisdictions outside Australia (authentication metadata is the sole exception, as noted above).
  • Google Cloud's australia-southeast1 region operates under the Google Cloud Data Processing Terms and is covered by Google's IRAP-assessed cloud services.
  • Data exports are available in JSON format for audit and compliance purposes.

5.6 Region Pinning for Org Plans

Organisations on Org plans may opt in to explicit region-pinning guarantees. Region pinning provides a contractual commitment that all data associated with the organisation's account — including Firestore documents, Cloud Storage objects, and any future backup replicas — will be confined to the specified Google Cloud region (australia-southeast1 by default). Alternative region pinning (for example, australia-southeast2 — Melbourne) may be available upon request. Contact hello@tactrax.app to discuss Org plan data residency requirements.

// 06 · SECURITY

Security

TacTrax handles sensitive geospatial data — real-time GPS positions, mission-critical annotations, and operational recordings. We take security seriously at every layer of our infrastructure. This section describes the technical and organisational measures we implement to protect your data.

6.1 Encryption in Transit

All data transmitted between the TacTrax application (mobile and web portal) and our backend services is encrypted using TLS 1.3 (Transport Layer Security). This includes:

  • All API requests to Firebase Firestore and Cloud Storage.
  • Authentication flows via Firebase Auth (OAuth 2.0 and email/password).
  • Vector tile requests to the Martin tile server.
  • Subscription verification calls to RevenueCat.
  • Web portal traffic served via Firebase Hosting (HTTPS-only).

We enforce HTTPS-only connections and do not support TLS versions below 1.2. HSTS (HTTP Strict Transport Security) headers are configured with a minimum max-age of one year.

6.2 Encryption at Rest

All data stored in Google Cloud Firestore and Firebase Cloud Storage is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys). Encryption at rest is managed by Google Cloud's default encryption infrastructure, which uses a multi-layered key management system. Encryption keys are automatically rotated and are stored separately from the encrypted data. On-device data (offline map cache, local Zustand stores) is protected by the operating system's native application sandbox and, where available, hardware-backed device encryption.

6.3 Firebase Authentication

User authentication is managed through Firebase Authentication, which supports:

  • Email/Password: Passwords are hashed using scrypt (a memory-hard key derivation function) and are never stored in plaintext. Firebase enforces minimum password strength requirements.
  • Apple Sign-In: Compliant with Apple App Store Guideline 4.8. Uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure token exchange.

Authentication tokens (JWTs) are short-lived (1 hour) and are refreshed automatically. Token validation is performed server-side for all authenticated API requests.

6.4 Firestore Security Rules

Access to Firestore data is governed by Firebase Security Rules, which enforce the following access control policies:

  • Users can only read and write documents within their own user-scoped collections.
  • Organisation-level data sharing (Org plans) is governed by explicit membership lists stored in Firestore, with read/write access granted only to verified organisation members.
  • Administrative access to Firestore is restricted to authorised TacTrax engineering personnel via the Firebase Admin SDK, which authenticates using service account credentials with the principle of least privilege.
  • All Firestore Security Rules are version-controlled and undergo peer review before deployment.

6.5 Role-Based Access Control (RBAC)

Internal access to TacTrax infrastructure is governed by role-based access control:

  • Production Firestore and Cloud Storage access is limited to a restricted set of engineering personnel with a demonstrated need.
  • Google Cloud IAM policies enforce the principle of least privilege across all service accounts and human identities.
  • Access to production systems requires multi-factor authentication (MFA) via hardware security keys or authenticator applications.
  • Access grants are reviewed quarterly and revoked upon role change or separation.

6.6 SOC 2 Type II (Google Cloud)

TacTrax's primary infrastructure provider, Google Cloud, maintains SOC 2 Type II certification. This independent audit verifies that Google Cloud's controls for security, availability, processing integrity, confidentiality, and privacy are suitably designed and operating effectively over a continuous audit period. Google Cloud's SOC 2 reports are available under NDA through Google's compliance portal. Additionally, Google Cloud's australia-southeast1 region has been assessed under the Australian Government's IRAP (Information Security Registered Assessors Program) framework.

6.7 Penetration Testing

TacTrax conducts penetration testing of the web portal and API endpoints on an annual basis, at minimum. Penetration tests are performed by qualified, independent third-party security assessors. Testing scope includes:

  • Web application security testing (OWASP Top 10).
  • API endpoint security testing (authentication bypass, injection, broken access control).
  • Firebase Security Rules validation and misconfiguration testing.
  • Mobile application security review (data leakage, insecure storage, certificate pinning).

Identified vulnerabilities are triaged by severity (Critical, High, Medium, Low) and remediated according to the following SLAs: Critical within 24 hours, High within 7 days, Medium within 30 days, Low within 90 days.

6.8 Vulnerability Disclosure Program

bug_reportResponsible Disclosure

If you discover a security vulnerability in TacTrax, we encourage responsible disclosure. Please report vulnerabilities to hello@tactrax.app with the subject line "Security Vulnerability Report". Include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept code or screenshots. We will acknowledge receipt within 48 hours and provide a remediation timeline within 5 business days. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We will not pursue legal action against security researchers who report vulnerabilities in good faith and in compliance with this disclosure policy.

6.9 Incident Response Procedures

TacTrax maintains a documented incident response plan that covers the following phases:

  • Detection and Identification: Automated monitoring and alerting via Google Cloud Monitoring and Firebase Crashlytics for anomalous access patterns, error spikes, and potential security events.
  • Containment: Immediate isolation of affected systems, revocation of compromised credentials, and temporary service restrictions as necessary to prevent further impact.
  • Eradication and Recovery: Root cause analysis, remediation of the vulnerability or attack vector, and restoration of services from verified clean backups.
  • Notification: Affected users and relevant regulatory authorities (including the OAIC) are notified within the timeframes required by applicable law (72 hours for notifiable data breaches under the Notifiable Data Breaches scheme of the Privacy Act 1988).
  • Post-Incident Review: A post-mortem report is produced within 14 days of incident resolution, documenting the timeline, root cause, impact assessment, and corrective actions taken to prevent recurrence.

6.10 Secure Development Practices

TacTrax follows secure software development practices throughout the development lifecycle:

  • All code changes undergo mandatory peer review before merging to production branches.
  • Dependencies are monitored for known vulnerabilities using automated scanning tools.
  • Secrets and API keys are managed via environment variables and Firebase Remote Config — never hardcoded in source code or committed to version control.
  • The application enforces input validation and output encoding to prevent injection attacks.
  • Security-sensitive configuration (Firestore Security Rules, Cloud Functions, IAM policies) is version-controlled and reviewed as code.

6.11 Employee Access Controls

Access to TacTrax systems and data is granted on a need-to-know basis. All personnel with access to production systems are required to:

  • Use multi-factor authentication (MFA) for all access to Google Cloud Console, Firebase Console, and source code repositories.
  • Use company-managed devices with full-disk encryption and up-to-date security patches.
  • Complete annual security awareness training.
  • Sign confidentiality and data protection agreements as a condition of access.

6.12 Third-Party Security Assessments

Our key infrastructure and service providers maintain the following security certifications and assessments:

Provider Certifications
Google Cloud / Firebase SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, IRAP (AU), FedRAMP, PCI DSS
RevenueCat SOC 2 Type II
MapTiler GDPR compliant, ISO 27001 (via infrastructure provider)

TacTrax reviews the security posture and compliance status of all third-party providers on an annual basis. Any material changes to a provider's security posture that could impact TacTrax user data will be communicated to affected users.

ALL SYSTEMS NOMINAL · SYDNEY · AU-SE1 · 2026
© 2026 TacTrax by K-Labs. All rights reserved.