Privacy Policy

Last updated: 23 February 2026 | Version 2.0

BiteSpaces Pty Ltd (ABN to be registered) ("BiteSpaces", "we", "us", "our") is committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes how we collect, hold, use, and disclose your personal information.

1. Australian Privacy Principles (APPs) Compliance

This Privacy Policy has been prepared in accordance with the 13 Australian Privacy Principles contained in the Privacy Act 1988 (Cth). We are bound by the APPs and are committed to ensuring compliance with each principle.

2. Information We Collect (APP 3 - Collection)

We only collect personal information that is reasonably necessary for our business functions. We collect the following types of information:

Information You Provide Directly:

• Full name and contact details (email address, phone number)
• Business or organisation name and address
• Account credentials (email and encrypted password)
• Payment information (processed securely via Stripe - we do not store card numbers)
• Listing details for spaces or vendor profiles
• Communications and messages sent through the platform

Information Collected Automatically:

• IP address and browser type
• Device information and operating system
• Pages visited and time spent on the platform
• Referral source

Sensitive Information (APP 3.3):

We do not collect sensitive information as defined under the Privacy Act (such as health information, racial or ethnic origin, political opinions, religious beliefs, or criminal records) unless required by law or with your explicit consent.

3. How We Collect Information (APP 3.5)

We collect personal information directly from you when you:

• Create an account or register on our platform
• List a space or create a vendor profile
• Make or receive a booking
• Process a payment
• Contact us for support
• Subscribe to our communications

We will not collect personal information by unlawful or unfair means.

4. Purpose of Collection and Use (APP 5 & APP 6)

We collect and use your personal information for the following purposes:

• To provide, maintain, and improve our platform services
• To process bookings and facilitate transactions between space owners and vendors
• To process payments securely through our payment provider (Stripe)
• To verify your identity and manage your account
• To communicate with you about your account, bookings, and platform updates
• To respond to your enquiries and provide customer support
• To comply with our legal obligations
• To detect and prevent fraud, security incidents, and illegal activity
• To analyse usage patterns and improve our services (using de-identified data where possible)

We will not use or disclose your personal information for a purpose other than the purpose for which it was collected (the primary purpose), unless you consent, or an exception under APP 6 applies.

5. Notification of Collection (APP 5)

At or before the time of collection, or as soon as practicable afterwards, we will take reasonable steps to notify you of:

• Our identity and contact details
• The purposes of collection
• Whether the collection is required or authorised by law
• The consequences if personal information is not collected
• Any third parties to whom we usually disclose personal information
• How to access or correct your personal information
• How to make a complaint

6. Disclosure of Personal Information (APP 6)

We may disclose your personal information to:

• Other platform users: Limited information is shared between space owners and vendors to facilitate bookings (e.g., name, organisation, contact details relevant to a booking)
• Payment processors: Stripe processes payments on our behalf. See Stripe's Privacy Policy
• Cloud service providers: Google Firebase for secure data storage and authentication
• Professional advisors: Lawyers, accountants, and auditors as necessary
• Law enforcement: When required by law, regulation, or court order

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

7. Cross-Border Disclosure (APP 8)

Your personal information may be stored on servers located outside Australia (including the United States) through our use of Firebase (Google Cloud) and Stripe. Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the overseas recipient complies with the APPs or is subject to a substantially similar privacy regime.

8. Data Security (APP 11)

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

• Encryption of data in transit using TLS/SSL (HTTPS)
• Encrypted storage of passwords (never stored in plain text)
• Secure payment processing through PCI-DSS compliant Stripe
• Rate limiting and brute-force protection on authentication endpoints
• Regular security reviews and updates
• Access controls and authentication for all sensitive data
• Security event logging and monitoring
• Content Security Policy (CSP) headers to prevent cross-site scripting
• Input validation and sanitisation on all user-submitted data

When personal information is no longer needed for any purpose for which it may be used or disclosed, and we are not required by law to retain it, we will take reasonable steps to destroy or de-identify the information.

9. Notifiable Data Breaches (Part IIIC)

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, if we become aware of an eligible data breach that is likely to result in serious harm to any individuals whose personal information is involved, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Notify affected individuals as soon as practicable
• Include in the notification: a description of the breach, the types of information involved, and recommendations about steps individuals should take

10. Access and Correction (APP 12 & APP 13)

You have the right to:

• Access your personal information: You can request access to the personal information we hold about you. You can also export your data at any time through your account dashboard or by contacting us.
• Correct your personal information: If you believe the information we hold is inaccurate, incomplete, out-of-date, irrelevant, or misleading, you can request correction. You can update most information directly through your account settings.
• Delete your personal information: You can request deletion of your account and all associated data. We will comply with your request unless we are required by law to retain certain information.

We will respond to access and correction requests within 30 days. If we refuse a request, we will provide you with written reasons and information about how to complain.

11. Direct Marketing (APP 7)

We may use your personal information for direct marketing purposes where:

• You have consented to receiving marketing communications
• You would reasonably expect us to use the information for that purpose
• We provide a simple opt-out mechanism in each communication

You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us directly.

12. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. After account deletion:

• Account data is deleted within 30 days
• Transaction records may be retained for up to 7 years for tax and legal compliance (as required by Australian law)
• Anonymised, aggregated data may be retained for analytics purposes
• Backup data is purged within 90 days

13. Cookies and Tracking

We use essential cookies to:

• Maintain your session and authentication state
• Remember your preferences
• Ensure security of your account

We do not use cookies for advertising or tracking across other websites. You can control cookies through your browser settings, but disabling essential cookies may affect the functionality of the platform.

14. Children's Privacy

BiteSpaces is not intended for use by children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

15. Complaints (APP 1)

If you have a complaint about how we have handled your personal information, please contact our Privacy Officer:

• Email: privacy@bitespaces.com.au
• Address: BiteSpaces Pty Ltd, Australia

We will acknowledge your complaint within 7 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification for significant changes
• Displaying a notice on our platform

We encourage you to review this policy periodically.

17. Contact Us

For any questions or concerns about this Privacy Policy or our handling of your personal information, please contact:

Privacy Officer
BiteSpaces Pty Ltd
Email: privacy@bitespaces.com.au
General enquiries: contact@bitespaces.com.au