SECURITY & COMPLIANCE

How we handle your data

A plain-language look at the technical and legal side of data protection on RepairOTG. For the full legal text, see our Privacy Policy.

What's actually in place

Encrypted sensitive data

Sensitive fields are encrypted at rest using AES-256-GCM, not stored as plain text.

Passwords are hashed, never stored

Account passwords are hashed with bcrypt — RepairOTG staff cannot see your actual password, ever.

CSRF & session protection

Dashboard sessions use httpOnly cookies with CSRF double-submit protection and database-backed refresh token rotation, so sessions can be revoked server-side.

Optional two-factor authentication

Shop owner accounts can enable TOTP-based two-factor authentication (the same standard used by Google Authenticator and similar apps).

We haven’t pursued formal third-party certifications like SOC 2 or ISO 27001 at this stage \u2014 we’d rather tell you plainly what technical measures are actually in place than claim a badge we don’t hold.

Where this applies

RepairOTG operates primarily in New Zealand and Australia. In New Zealand, we handle personal information in line with the Privacy Act 2020 \u2014 including its principles around collecting only what's needed, keeping it secure, and letting you access or correct information held about you.

For Australian users, we aim to align with the Australian Privacy Principles (APP) under the Privacy Act 1988. If you have a specific question about how your information is handled in your region, contact us directly \u2014 we’d rather give you a precise answer than a generic one.

How your data is actually used