KAR3N is a parking-enforcement product for residential strata schemes in Australia. We're operated by Croucher Consulting Pty Ltd (ABN 53 669 444 419), trading as Karen Group. We're based in Brisbane, Queensland.
This Privacy Policy explains:
This policy applies to anyone whose information passes through KAR3N — including building residents, visitors, strata managers, building managers, body-corporate committee members, and anyone who submits a privacy request through our form.
If you are a paying customer of KAR3N (i.e. a strata management company or a body-corporate that has signed up a scheme), this policy applies alongside the contract between us. The contract — not this policy — governs the commercial relationship.
We use plain English in this policy. Where Australian Privacy Principles ("APPs") or other laws use specific terms, we say so.
We collect different categories of information depending on how you interact with KAR3N.
When the Operator (a building-manager or body-corporate volunteer) walks the car park and captures a plate, we collect:
We do not collect or store the names of residents. Residents are identified to KAR3N only by plate (and optionally by a unit identifier such as "14B" if your strata scheme has chosen to record that).
If you sign up a scheme as an Account Owner, we collect:
KAR3N's scans of vehicles in scheme car parks may capture data linked to you in your capacity as a resident or visitor — see §1.1 for the plate / photo / timestamp / classification we collect. KAR3N does not send emails or SMS directly to residents; any communication you receive about a parking matter at your scheme comes from your strata Manager (the Account Owner using KAR3N). They are the entity responsible for resident-facing communications under their by-laws.
If your strata Manager has shared a KAR3N-hosted link with you to view violation details, clicking that link records an audit-log entry (the date + technical record described in §1.5). The viewing page itself does not capture any contact information from you. If you wish to query a record, submit a privacy or correction request, or contest a classification, use our public form at karenparking.com/privacy/submit — see §1.4 for what we collect there.
If you submit a privacy request through our public form at karenparking.com/privacy/submit, we collect what the APP 5 collection notice on that form describes — your name, email, request type, and the message you write. See the APP 5 collection notice for the full detail of that flow.
When you use the KAR3N web app or our public website, we automatically collect:
We do not use third-party analytics on the KAR3N app.
The public marketing site at karenparking.com uses a privacy-respecting web-analytics service (no cookies, no fingerprinting, no cross-site tracking).
We collect personal information for the following purposes only:
We do not sell your information. We do not use it for marketing to anyone other than our existing customers. We do not profile you for advertising.
We rely on the Australian Privacy Principles under the Privacy Act 1988 (Cth):
/privacy/submit + this Privacy Policy together discharge our APP 5 obligations)
Where a strata scheme must keep records of enforcement actions under state strata legislation, we retain the relevant records so the scheme can meet those duties. We do not keep personal information longer than it is needed for these purposes.
If you are in the EU or UK and KAR3N processes your personal information (for example, because you own a unit in an Australian scheme but live in Europe), we rely on the lawful bases in GDPR Article 6:
We provide the information that GDPR Article 13 requires through this Privacy Policy and the APP 5 collection notice. You can exercise your GDPR Article 15 (access), Article 16 (rectification), Article 17 (erasure where applicable), and Article 22 (no fully-automated decisions with legal effects — KAR3N's classification + actioning workflow has a human in the loop, by design) rights via the same /privacy/submit form or by emailing privacy@karenparking.com.
We do not sell personal information for the purposes of California or other US state privacy laws.
We share personal information only with:
The Account Owner (the strata manager or building manager) at your scheme can see scan records, violations, and any resident contact information that has been provided to them. This is the core of the service — they are the entity responsible for enforcing by-laws under state strata legislation.
The Account Owner can invite building managers and operators as additional users — those users see only the specific schemes they have been granted access to. (We enforce this at the API layer with role-based access controls.)
We use a small set of third-party services to run KAR3N. All of them are bound by contractual privacy obligations and we have reviewed each one against our internal vendor-risk policy. We describe them here by the role they perform; a current list of the specific providers is available on written request to privacy@karenparking.com.
| Service role | Region |
|---|---|
| Cloud hosting + scan-image storage | Australia |
| Managed database | Australia |
| SMS delivery (tow-operator dispatch) | Australia |
| Payment processing | Global |
| Email delivery (account + action emails) | Japan |
| Edge network / CDN + security | Global |
Where a service is listed as Australia, your data is stored and processed inside Australia. Our payment processor handles payment cards on its global infrastructure (we never see your card details). Our email-delivery provider sends KAR3N's account and enforcement-action emails (to scheme Account Owners / Managers — never to residents directly) from infrastructure in Japan; this is the one routine flow in which limited personal data (a recipient email address, and any plate reference contained in the message) is handled outside Australia. Our edge / CDN provider handles request metadata only (IP, user-agent, path) on its global edge network for content delivery + security; no payload data is shared.
Plate recognition runs on our own infrastructure inside Australia — there is no third-party plate-recognition service, and your scan images are never sent to an outside provider to be read.
We do not use any other sub-processors. Any addition is a material change to this policy — see §11 below for how we notify you.
We will disclose personal information if legally required to — for example, in response to a court order, a regulator's lawful notice, or a clear legal obligation. We do not voluntarily disclose to law enforcement.
If you submit a complaint about KAR3N to the Office of the Australian Information Commissioner (OAIC), or to an EU/UK data protection authority, we will cooperate with that authority and provide records as required.
A small number of our own staff can access scheme data — including resident information — where they need to in order to run, support, and secure the service. For example, when an Account Owner asks us for help, an authorised staff member can open a read-only "view-as" support session to see what that user sees and help fix the problem; they cannot change anything in that mode. We also access data to investigate security issues and to keep audit records.
This access is limited to what is necessary, role-based, and logged — we record who accessed what, when, and why — and our staff are bound by confidentiality obligations. We do not use your information for any purpose other than running, supporting, and securing the service.
Your personal information is stored and processed inside Australia, apart from a few clearly-identified support services that operate globally. Our database, scan-image storage, plate recognition, and SMS handling all sit within Australia. A small number of support services — payment processing, transactional email delivery (hosted in Japan), and our edge / CDN network — use providers that operate outside Australia; we set these out in §7. The service roles we use are listed in §4.2 above.
Unlike most automated plate-recognition products — which send scan images to overseas cloud services for processing — we process your scan images on our own infrastructure, inside Australia. Your scan images do not leave Australia at any stage.
We follow ISO 27001 practices for protecting your information. Our controls include encryption in transit and at rest, role-based access control with per-scheme isolation, audit logging with write-once-read-many archival, multi-factor authentication for all users, regular key rotation per our internal ISMS, and continuous vulnerability management across dependencies, source code, infrastructure, and operational secrets.
We do not claim our system is invulnerable. No system is. We aim to detect, respond to, and notify you of any incident within the 30-day window the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act requires.
If we discover an eligible data breach under the NDB scheme (one likely to cause serious harm to you), we will notify:
Our internal incident-response policy documents the detection, containment, eradication, and notification process.
We keep personal information only as long as we need it. Different categories have different retention periods, governed by our internal data-classification policy:
| Category | Retention period |
|---|---|
| Scans of vehicles not breaking any rule (whether a registered resident or a visitor) | Kept up to 48 hours so an overstay can be detected, then deleted. After that we keep only an anonymous daily count, never the plate or image (APP 11.2, data-minimisation) |
| A breach the scheme does not act on | Kept 30 days, then deleted — if no action is taken, the record is no longer needed (APP 11.2) |
| A breach the scheme acts on (a warning, a breach notice, or a tow) | Kept 7 years — this is the record the scheme may need for its own record-keeping and as evidence if the matter is disputed at a tribunal |
| Audit-log entries — our internal record of deletions, configuration changes and data imports (these hold no plate or personal data) | 7 years — Privacy Act recordkeeping obligations + ISO 27001 A.8.15 |
| Scheme settings + by-laws + sub-processor configuration | Retained while the scheme is an active KAR3N customer + 30 days after handback (then archived to cold-storage for 90 days, then deleted) |
| Account Owner / Manager / Operator user records | Retained while the user is active + 90 days after deactivation |
| Privacy request records (your submissions to /privacy/submit) | 2 years after the request is closed — kept only so we can show we handled your request, and any related complaint, properly; then deleted |
| Identity-verification documents (if you email any in support of a request) | Deleted within 30 days after we verify your identity |
| Action-record comms (emails KAR3N sends to the Account Owner / Manager who took an action; SMS KAR3N sends to a tow operator when a tow is recorded) | 7 years after sent — kept as part of the scheme's enforcement-action record (and, for a tow SMS, the 7-year tow record) |
| Anonymised aggregate statistics (request type counts, scan volume) | May be retained indefinitely; no identifying information retained |
If you ask us to delete information we hold about you under APP 12 / GDPR Art. 17, we will assess whether the law lets us. Some records — particularly enforcement records under state strata legislation — are subject to retention obligations that override deletion requests. In that case we will explain why we cannot delete, and what we can do instead (for example, restrict further use of the record).
We keep personal information inside Australia wherever we can. A small number of support services operate globally, so limited personal information is handled by an overseas provider in these cases:
For each overseas provider we take reasonable steps, as APP 8.1 requires, to ensure it handles your information consistently with the Australian Privacy Principles (a data-processing agreement is in place with each).
This is a deliberate design choice — KAR3N is built to keep Australian strata data inside Australia. If we ever change this, it is a material change and we will notify you in advance (see §11).
You can ask us what personal information we hold about you. We will respond within 30 days with either the information or an explanation of why we cannot provide it (the exceptions are limited and we will cite the specific exception).
To request access, submit a privacy request at karenparking.com/privacy/submit or email privacy@karenparking.com.
We may ask you to verify your identity before releasing personal information — typically by replying from the email address we have on file, or by emailing a photo of an identity document to support@karenparking.com (which we delete within 30 days of verifying).
If anything we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. We will fix it within 30 days, or explain why we cannot.
If a record cannot be corrected (e.g., because an enforcement decision has already been made and an audit trail must remain immutable), we will attach your correction as an annotation to the record so anyone who looks at it later sees your version.
You can ask us to delete personal information we hold about you. We will assess your request against:
If we can delete, we will. If we cannot, we will explain why and tell you what we can do instead (typically restrict further use to the audit-only purpose the law requires).
When we send a deletion certificate, it confirms what we deleted, when, and what (if anything) we retained on legal grounds.
You can complain to us by submitting a privacy request at karenparking.com/privacy/submit (request type: Complaint) or by emailing privacy@karenparking.com. We will respond within 30 days.
If you're not satisfied with our response, you can complain to:
oaic.gov.au, 1300 363 992
ico.org.uk
KAR3N's classification of a parking event (resident-in-visitor-bay, time-exceeded, etc.) is automated. However, the action taken on that classification — warn, breach, tow — requires a human decision by an authorised user (a Manager or Account Owner). This means no fully-automated decision with legal effect is made by KAR3N alone. If you nevertheless want to object to the automated classification component, contact privacy@karenparking.com.
The KAR3N app uses first-party cookies / local storage only — to keep you logged in, remember your preferences, and run the application. We do not use third-party analytics cookies, advertising cookies, or fingerprinting.
karenparking.com)
The marketing site uses a privacy-respecting web-analytics service:
The identity of the analytics provider is available on written request to privacy@karenparking.com.
KAR3N is not intended for use by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@karenparking.com and we will delete it.
A child whose vehicle is captured by an operator (rare but possible — e.g., a teenager driving a parent's car) is treated like any other plate-only record: we hold the plate, not any name or age.
This is a living document. We will update it when:
When we make a material change (one that affects how we use or share your information), we will:
Non-material changes (e.g., fixing a typo, clarifying wording) can be made without notice but will appear in the changelog.
The current version of this policy is always at karenparking.com/privacy.
Questions about your privacy or this policy:
privacy@karenparking.com
karenparking.com/privacy/submit
support@karenparking.com
Privacy Officer / Data Protection Officer:
The KAR3N Chief Information Security Officer (CISO) is the responsible person for this policy and for handling privacy questions. Contact via privacy@karenparking.com.
Entity registration details:
We are Croucher Consulting Pty Ltd, trading as Karen Group. Our ABN is 53 669 444 419. Our company registration details are publicly searchable via the Australian Securities and Investments Commission (ASIC) at asic.gov.au if you need to verify our entity.