Compliance — Trust Centre — Compass IoT

Australian law

Australian Privacy Act 1988

Aligned

Compass IoT operates in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The APPs govern how we collect, use, disclose, store, and provide access to personal information.

Connected vehicle data processed by Compass IoT is anonymised at the point of ingestion — individual drivers are not identified, and we do not hold data in a form that would allow re-identification under standard conditions. Where personal information is collected directly (such as contact details from platform users), it is handled in accordance with our Privacy Policy.

  • We collect only the personal information necessary to provide the platform and fulfil our contractual obligations.
  • Personal information is not disclosed to third parties except where required to operate the service (see Subprocessors) or where required by law.
  • Individuals have the right to access, correct, or request deletion of their personal information. Requests are handled within 30 days.
  • We maintain a Privacy Policy that is publicly available and updated to reflect our current practices.
  • Data breaches that meet the notifiable threshold are reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware.

United Kingdom

UK GDPR

Aligned

Compass IoT's UK operations are aligned with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The UK GDPR applies to the processing of personal data relating to individuals in the United Kingdom.

Where Compass IoT processes personal data of UK residents, we do so on a lawful basis as defined under UK GDPR Article 6. Data processed in connection with UK customers is stored in UK or EU-equivalent regions and is not transferred outside of the UK without appropriate safeguards.

  • Lawful basis: Contract performance; legitimate interests; legal obligation
  • Data storage: UK / EU-equivalent regions via Google Cloud
  • Data transfers: Only with appropriate safeguards (standard contractual clauses)
  • Subject rights: Access, rectification, erasure, portability, objection — handled within 30 days
  • DPA available: Yes — Data Processing Addendum available on request (email-verified)

United States — California

CCPA

Aligned

Compass IoT's operations are aligned with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). The CCPA grants California residents rights over their personal information held by businesses operating in or serving residents of California.

Compass IoT does not sell personal information. We do not share personal information for cross-context behavioural advertising. California residents may exercise their rights by contacting us at the address below.

  • Right to know what personal information is collected and how it is used.
  • Right to delete personal information (subject to certain exceptions).
  • Right to opt out of the sale or sharing of personal information — note that Compass IoT does not sell or share personal information.
  • Right to non-discrimination for exercising CCPA rights.
  • Right to correct inaccurate personal information.

Data sharing

Subprocessors

Compass IoT uses a limited number of third-party subprocessors to deliver the platform. A subprocessor is any third party that processes personal data on our behalf. We conduct due diligence on all subprocessors before engagement and contractually require them to maintain appropriate data protection standards.

We do not sell personal data to any third party. Data shared with subprocessors is limited to what is necessary to provide the service.

  • Google Cloud Platform: Cloud infrastructure, data storage, and compute. Data stored in region of origin.
  • HubSpot: CRM and customer communication. Contact data only.
  • MailerLite: Email marketing. Subscriber contact data only.

Subprocessor changes

We will provide reasonable advance notice of material changes to our subprocessor list. Customers with data processing agreements in place will be notified directly.

Camera data

Camera-derived and biometric data

Anonymisation-first approach

Compass IoT receives camera-derived data from third-party vehicle data sources. Where that data contains potentially identifying information — including facial geometry, driver images, or licence plate data — it is anonymised by Compass IoT before it enters our platform. We do not store, process, or transmit raw biometric identifiers. This anonymisation-first approach is the foundation of our compliance posture on biometric data law across all jurisdictions.

Biometric data laws vary significantly across the jurisdictions we operate in. The following reflects our current position across each relevant framework.

  • Australia — Privacy Act 1988 — Biometric information and biometric templates are classified as sensitive information under the APPs. Compass IoT does not collect, store, or process biometric identifiers in their raw form.
  • Illinois — BIPA (Biometric Information Privacy Act) — BIPA imposes strict consent and data handling requirements on entities collecting biometric identifiers. Camera-derived data entering the Compass IoT platform is anonymised prior to ingestion, such that no biometric identifiers are retained within our systems.
  • Texas — CUBI (Capture or Use of Biometric Identifier) — Texas law prohibits the capture of a biometric identifier without prior informed consent. Our anonymisation approach means Compass IoT does not capture biometric identifiers as defined under CUBI.
  • California — CCPA (sensitive personal information) — Biometric data is classified as sensitive personal information under the CPRA. Compass IoT does not collect biometric data that would trigger CCPA sensitive PI obligations.
  • UK — UK GDPR (special category data) — Biometric data processed for the purpose of uniquely identifying a natural person constitutes special category data under UK GDPR. Compass IoT's anonymisation-first design means we do not process data at this level of identification.

Vendor obligations

Compass IoT provides guidance and education to all vendors on notice standards, applicable local laws and GDPR. We and our partners ensure compliance with your rights and update our terms regularly to ensure best practice in privacy, compliance and security.

Documentation

Compliance documents

The following documents are available depending on your access tier. Email-verified documents require a business email address. On-request documents are available to qualified customers and prospects.

  • Privacy Policy: Public · No verification required
  • Activity & Training Records: On request · Logs and certificates showing employees have completed mandatory training, including cybersecurity and compliance programmes
  • Penetration Test Results: On request · Executive summary and findings from our most recent independent penetration test
  • Assessment & Incident Reports: On request · Audit trails, testing reports, and records of compliance issues and how they were resolved

Questions

Talk to the team