Privacy Policy

Your privacy matters to us. Learn how we protect and use your information in our loyalty platform.

Last Updated: 12/11/2025
Effective Date: 12/11/2025

1 About This Policy

This Privacy Policy explains how we collect, use, store and protect your personal information when you use our cafe loyalty platform. We are committed to protecting your privacy and complying with the Australian Privacy Act 2022 and the Australian Privacy Principles (APPs).

By using our service, including scanning QR codes at participating cafes, you agree to the collection and use of information as described in this policy.

2 Information We Collect

2.1 Information You Provide

  • Name: To personalize your loyalty experience and SMS notifications
  • Phone Number: To identify your account, send SMS rewards notifications, prevent fraud, and send marketing communications on behalf of participating cafes (including Google review requests)
  • Email Address: For account creation and important service communications (cafe owners only)

2.2 Information We Automatically Collect

  • Visit Information: Date, time, and location of cafe visits to track your loyalty progress
  • IP Address (Anonymized): Converted to anonymous hash codes immediately for fraud prevention
  • Session Data: Technical cookies and session data to keep you logged in

2.3 Information We Do NOT Collect

  • Device fingerprinting or detailed device tracking
  • Location data beyond the cafe you visit
  • Social media profiles or external account information
  • Payment information (handled securely by Stripe)
  • Browsing history or activity outside our platform

3 Why We Collect This Information

3.1 Primary Purposes

  • Loyalty Program Operation: Track your visits and rewards to provide cafe loyalty benefits
  • SMS Notifications: Send you reward notifications and confirmations (with your consent)
  • Marketing Communications: Send marketing messages on behalf of participating cafes, including Google review requests and promotional offers (with your consent)
  • Account Management: Maintain your customer profile and visit history
  • Customer Service: Provide support and resolve any loyalty program issues

3.2 Secondary Purposes

  • Fraud Prevention: Detect and prevent abuse of loyalty programs using privacy-compliant methods
  • Service Improvement: Analyze usage patterns to improve the loyalty system (anonymized data only)
  • Legal Compliance: Meet our legal obligations under Australian law

4 How We Protect Your Information

Technical Safeguards

  • Encryption: All data is encrypted in transit (HTTPS) and at rest
  • IP Anonymization: IP addresses are immediately converted to irreversible hash codes
  • Access Controls: Strict database access controls with Row Level Security (RLS)
  • Data Isolation: Each cafe's data is completely isolated from other cafes
  • Secure Infrastructure: Hosted on enterprise-grade Supabase and Vercel platforms

Privacy-by-Design

  • Data minimization - we only collect what's absolutely necessary
  • Purpose limitation - data is only used for stated purposes
  • Storage limitation - fraud prevention logs automatically deleted after 90 days
  • No device fingerprinting or invasive tracking technology

5 SMS Communications

We send SMS messages for the following purposes:

5.1 Transactional Messages (No Consent Required)

  • Reward Notifications: When you earn a free reward
  • Confirmation Messages: When you redeem a reward

5.2 Marketing Messages (Consent via Terms Acceptance)

  • Welcome Messages: When you first join a cafe's loyalty program
  • Google Review Requests: Invitations to leave reviews on Google (sent on behalf of participating cafes)
  • Promotional Offers: Special deals and promotions from participating cafes
  • Loyalty Updates: Information about loyalty program changes or special events

5.3 Your SMS Rights

  • Consent: By accepting our Terms of Service when joining a loyalty program, you consent to receiving marketing messages as described above
  • Opt-Out: Reply STOP to any SMS to unsubscribe from that cafe's marketing messages
  • Selective Opt-Out: You can opt out of marketing messages while still receiving transactional notifications
  • Help: Reply HELP to get assistance with SMS services
  • Standard Rates: Message and data rates may apply according to your mobile plan

Note: Transactional messages (rewards and confirmations) cannot be opted out of as they are essential for loyalty program operation. Marketing messages can always be stopped by replying STOP.

6 Information Sharing

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6.1 Information We Share

  • Cafe Owners: Your visit history and loyalty progress with the specific cafe you visit
  • Service Providers: SMS delivery (Twilio), payments (Stripe), hosting (Vercel, Supabase)
  • Legal Requirements: If required by Australian law or court order

6.2 Data Isolation

Each cafe can only access their own customer data. Cafe A cannot see customers or data from Cafe B. Your phone number can be used at multiple cafes with separate loyalty programs.

7 Your Privacy Rights

Under the Australian Privacy Act 2022, you have the following rights:

  • Access: Request access to your personal information we hold
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal requirements)
  • Complaints: Lodge a complaint about how we handle your personal information
  • Anonymity: Deal with us anonymously where practical (limited for loyalty programs)

7.1 How to Exercise Your Rights

Contact us at support@mycafeloyalty.com.au or through the cafe where you have a loyalty account. We will respond within 30 days.

8 Data Retention

  • Customer Data: Retained while your loyalty account is active
  • Visit History: Retained for loyalty program operation and customer service
  • Fraud Prevention Logs: Automatically deleted after 90 days
  • SMS Logs: Retained for billing and delivery confirmation purposes
  • Inactive Accounts: May be deleted after 2 years of inactivity

9 Cookies and Tracking

We use minimal, essential cookies for:

  • Keeping cafe owners logged into their dashboard
  • Remembering your device for 30 days to avoid re-entering details
  • Basic analytics to improve our service (anonymized)

We do not use tracking cookies, advertising cookies, or third-party analytics beyond essential service operation.

10 International Transfers

Your data is primarily stored in Australia. Some service providers (Supabase, Vercel, Twilio, Stripe) may store data overseas with appropriate safeguards. All overseas transfers comply with Australian Privacy Principle 8.

11 Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • The "Last Updated" date at the top will be revised
  • We will notify cafe owners of significant changes
  • Your continued use constitutes acceptance of the changes
  • Previous versions are available upon request

13 Contact Us

Privacy Inquiries

Email: support@mycafeloyalty.com.au

Address: My Cafe Loyalty Pty Ltd, Melbourne, VIC, Australia

Complaints

If we cannot resolve your privacy concern, you can contact the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au

This Privacy Policy is governed by Australian law and complies with the Australian Privacy Act 2022. 🇦🇺