Privacy Policy

Intro — who we are and what this policy covers

KAR3N is a parking-enforcement product for residential strata schemes in Australia. We're operated by Croucher Consulting Pty Ltd (ABN 53 669 444 419), trading as KAR3N. We're based in Brisbane, Queensland.

This Privacy Policy explains:

This policy applies to anyone whose information passes through KAR3N — including building residents, visitors, strata managers, building managers, body-corporate committee members, and anyone who submits a privacy request through our form.

If you are a paying customer of KAR3N (i.e. a strata management company or a body-corporate that has signed up a scheme), this policy applies alongside the contract between us. The contract — not this policy — governs the commercial relationship.

We use plain English in this policy. Where Australian Privacy Principles ("APPs") or other laws use specific terms, we say so.


§1 What we collect

We collect different categories of information depending on how you interact with KAR3N.

§1.1 Number plates and scan images

When the Operator (a building-manager or body-corporate volunteer) walks the car park and captures a plate, we collect:

We do not collect or store the names of residents. Residents are identified to KAR3N only by plate (and optionally by a unit identifier such as "14B" if your strata scheme has chosen to record that).

§1.2 Information you give us when you sign up

If you sign up a scheme as an Account Owner, we collect:

§1.3 Information you give us when you respond to a notice as a resident

If you click a link in a warning or breach notice (e.g., "I'm not a resident — this isn't my unit"), we collect:

§1.4 Information you give us when you submit a privacy request

If you submit a privacy request through our public form at carparkmonitor.com/privacy/submit, we collect what the APP 5 collection notice on that form describes — your name, email, request type, and the message you write. See the APP 5 collection notice for the full detail of that flow.

§1.5 Information collected automatically

When you use the KAR3N web app or our public website, we automatically collect:

We do not use third-party analytics on the KAR3N app. The public marketing site at carparkmonitor.com uses Cloudflare Web Analytics, which is privacy-respecting (no cookies, no fingerprinting, no cross-site tracking).


§2 Why we collect it (purposes)

We collect personal information for the following purposes only:

  1. To enforce parking rules in residential strata schemes that have engaged us as a service provider (this is the core service)
  2. To send warning, breach, and tow notices to residents in the form their scheme by-laws + Australian privacy law require
  3. To bill our customers (the schemes that pay for KAR3N)
  4. To respond to privacy requests — access, correction, deletion, complaint — within the 30-day window the Australian Privacy Principles require
  5. To keep an audit record of every sensitive action — this is required by the Privacy Act 1988 (Cth), ISO 27001 Annex A.8.15, and state strata legislation (NSW SSMA s180, VIC OC Act ss144-145, QLD BCCM Act + relevant Acts in other states) which collectively require records of enforcement actions to be retained for 7 years
  6. To keep the service secure — detect abuse, prevent fraud, investigate security incidents

We do not sell your information. We do not use it for marketing to anyone other than our existing customers. We do not profile you for advertising.


§3.1 Under Australian law (primary)

We rely on the Australian Privacy Principles under the Privacy Act 1988 (Cth):

State strata legislation creates additional retention obligations that apply alongside the Privacy Act. We comply with both.

§3.2 Under European law (if relevant to you)

If you are in the EU or UK and KAR3N processes your personal information (for example, because you own a unit in an Australian scheme but live in Europe), we rely on the lawful bases in GDPR Article 6:

We provide the information that GDPR Article 13 requires through this Privacy Policy and the APP 5 collection notice. You can exercise your GDPR Article 15 (access), Article 16 (rectification), Article 17 (erasure where applicable), and Article 22 (no fully-automated decisions with legal effects — KAR3N's classification + actioning workflow has a human in the loop, by design) rights via the same /privacy/submit form or by emailing privacy@carparkmonitor.com.

We do not sell personal information for the purposes of California or other US state privacy laws.


§4 Who we share it with

We share personal information only with:

§4.1 The strata scheme that pays for the KAR3N service for your car park

The Account Owner (the strata manager or building manager) at your scheme can see scan records, violations, and any resident contact information that has been provided to them. This is the core of the service — they are the entity responsible for enforcing by-laws under state strata legislation.

The Account Owner can invite building managers and operators as additional users — those users see only the specific schemes they have been granted access to. (We enforce this at the API layer with role-based access controls.)

§4.2 Our sub-processors

We use the following third-party services to run KAR3N. All of them are bound by contractual privacy obligations and we have reviewed each one against our internal vendor-risk policy.

| Sub-processor | Region |
|---|---|
| Amazon Web Services (AWS) | Australia |
| MongoDB Atlas | Australia |
| Plate Recognizer | Australia |
| Stripe | Global |
| Cloudflare | Global |

Where a sub-processor is listed as Australia, your data is stored and processed inside Australia. Stripe processes payment cards on its global infrastructure (we never see your card details). Cloudflare handles request metadata only (IP, user-agent, path) on its global edge network for content delivery + security; no payload data is shared.

We do not use any other sub-processors. Any addition is a material change to this policy — see §11 below for how we notify you.

§4.3 Law enforcement, courts, regulators

We will disclose personal information if legally required to — for example, in response to a court order, a regulator's lawful notice, or a clear legal obligation. We do not voluntarily disclose to law enforcement.

If you submit a complaint about KAR3N to the Office of the Australian Information Commissioner (OAIC), or to an EU/UK data protection authority, we will cooperate with that authority and provide records as required.


§5 Where we store it and how we protect it

§5.1 Data residency — Australia

Your personal information is stored and processed inside Australia. Our database, scan-image storage, email handling, and SMS handling all sit within Australia. The vendors we use to deliver these services are listed in §4.2 above.

Unlike most automated plate-recognition products — which send scan images to overseas cloud services for processing — we process your scan images inside Australia. Your scan images do not leave Australia at any stage.

§5.2 Security controls

We follow ISO 27001 practices for protecting your information. Our controls include encryption in transit and at rest, role-based access control with per-scheme isolation, audit logging with write-once-read-many archival, multi-factor authentication for all users, regular key rotation per our internal ISMS, and continuous vulnerability management across dependencies, source code, infrastructure, and operational secrets.

We do not claim our system is invulnerable. No system is. We aim to detect, respond to, and notify you of any incident within the 30-day window the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act requires.

§5.3 If a data breach happens

If we discover an eligible data breach under the NDB scheme (one likely to cause serious harm to you), we will notify:

Our internal incident-response policy documents the detection, containment, eradication, and notification process.


§6 How long we keep it

We keep personal information only as long as we need it. Different categories have different retention periods, governed by our internal data-classification policy:

| Category | Retention period |
|---|---|
| Scan records + violation records + audit log entries | 7 years after the record is created — state strata legislation (NSW SSMA s180 / VIC OC Act ss144-145 / QLD BCCM Act) + Privacy Act recordkeeping obligations + ISO 27001 A.8.15 |
| Scheme settings + by-laws + sub-processor configuration | Retained while the scheme is an active KAR3N customer + 30 days after handback (then archived to cold-storage for 90 days, then deleted) |
| Account Owner / Manager / Operator user records | Retained while the user is active + 90 days after deactivation |
| Privacy request records (your submissions to /privacy/submit) | 7 years after the request is closed — Privacy Act audit-record obligation |
| Identity-verification documents (if you email any in support of a request) | Deleted within 30 days after we verify your identity |
| Resident notice records (sent emails / SMS) | 7 years after sent — same retention basis as the underlying violation |
| Anonymised aggregate statistics (request type counts, scan volume) | May be retained indefinitely; no identifying information retained |

If you ask us to delete information we hold about you under APP 12 / GDPR Art. 17, we will assess whether the law lets us. Some records — particularly enforcement records under state strata legislation — are subject to retention obligations that override deletion requests. In that case we will explain why we cannot delete, and what we can do instead (for example, restrict further use of the record).


§7 Cross-border disclosure

We do not transfer personal information overseas in the ordinary course of providing KAR3N.

Exceptions:

This is a deliberate design choice — KAR3N is built to keep Australian strata data inside Australia. If we ever change this, it is a material change and we will notify you in advance (see §11).


§8 Your rights

§8.1 Right to access (APP 12 / GDPR Art. 15)

You can ask us what personal information we hold about you. We will respond within 30 days with either the information or an explanation of why we cannot provide it (the exceptions are limited and we will cite the specific exception).

To request access, submit a privacy request at carparkmonitor.com/privacy/submit or email privacy@carparkmonitor.com.

We may ask you to verify your identity before releasing personal information — typically by replying from the email address we have on file, or by emailing a photo of an identity document to support@carparkmonitor.com (which we delete within 30 days of verifying).

§8.2 Right to correction (APP 13 / GDPR Art. 16)

If anything we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. We will fix it within 30 days, or explain why we cannot.

If a record cannot be corrected (e.g., because an enforcement decision has already been made and an audit trail must remain immutable), we will attach your correction as an annotation to the record so anyone who looks at it later sees your version.

§8.3 Right to deletion (where the law allows / GDPR Art. 17)

You can ask us to delete personal information we hold about you. We will assess your request against:

If we can delete, we will. If we cannot, we will explain why and tell you what we can do instead (typically restrict further use to the audit-only purpose the law requires).

When we send a deletion certificate, it confirms what we deleted, when, and what (if anything) we retained on legal grounds.

§8.4 Right to complain (APP 12.4 / GDPR Art. 77)

You can complain to us by submitting a privacy request at carparkmonitor.com/privacy/submit (request type: Complaint) or by emailing privacy@carparkmonitor.com. We will respond within 30 days.

If you're not satisfied with our response, you can complain to:

§8.5 Right to object to automated decision-making (GDPR Art. 22)

KAR3N's classification of a parking event (resident-in-visitor-bay, time-exceeded, etc.) is automated. However, the action taken on that classification — warn, breach, tow — requires a human decision by an authorised user (a Manager or Account Owner). This means no fully-automated decision with legal effect is made by KAR3N alone. If you nevertheless want to object to the automated classification component, contact privacy@carparkmonitor.com.


§9 Cookies + tracking

§9.1 The KAR3N web app

The KAR3N app uses first-party cookies / local storage only — to keep you logged in, remember your preferences, and run the application. We do not use third-party analytics cookies, advertising cookies, or fingerprinting.

§9.2 The public marketing site (carparkmonitor.com)

The marketing site uses Cloudflare Web Analytics, which is privacy-respecting:

Cloudflare's privacy practices for Web Analytics: www.cloudflare.com/web-analytics/.


§10 Children

KAR3N is not intended for use by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@carparkmonitor.com and we will delete it.

A child whose vehicle is captured by an operator (rare but possible — e.g., a teenager driving a parent's car) is treated like any other plate-only record: we hold the plate, not any name or age.


§11 Changes to this policy

This is a living document. We will update it when:

When we make a material change (one that affects how we use or share your information), we will:

  1. Update this page with the new version + a changelog entry at the bottom
  2. Email every Account Owner of an active scheme at least 30 days before the change takes effect
  3. Show a notice in the KAR3N app the first time you log in after the change

Non-material changes (e.g., fixing a typo, clarifying wording) can be made without notice but will appear in the changelog.

The current version of this policy is always at carparkmonitor.com/privacy.


§12 Contact us

Questions about your privacy or this policy:

Privacy Officer / Data Protection Officer:

The KAR3N Chief Information Security Officer (CISO) is the responsible person for this policy and for handling privacy questions. Contact via privacy@carparkmonitor.com.

Entity registration details:

We are Croucher Consulting Pty Ltd, trading as KAR3N. Our ABN is 53 669 444 419. Our company registration details are publicly searchable via the Australian Securities and Investments Commission (ASIC) at asic.gov.au if you need to verify our entity.