RewardLoop
Privacy Policy
Last updated: 12 May 2026
RewardLoop is a product of The Trustee for Broad & Co. Family Trust (ABN 89 687 217 914), trading as RewardLoop, located in Australia. This Privacy Policy explains how we collect, use, store, and disclose personal information in line with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
1. What information we collect
We collect the following categories of personal information:
- Account information you provide when you sign up: email address, business name, and a password (stored as a salted hash).
- Billing information processed by Stripe on our behalf: name, billing address, and card details. We do not store full card numbers on our infrastructure.
- Referrer and referee contact details you upload to run your referral programs: email addresses, names, and any reward notes you choose to store.
- Usage information automatically collected when you use the service: IP address, browser type, pages viewed, and event timestamps.
- Communications you send us by email, support form, or in-app messaging.
2. How we use your information
We use your information to:
- Provide, operate, and improve the RewardLoop service.
- Send transactional emails on your behalf to your referrers and referees, when you initiate them.
- Process payments and manage subscriptions.
- Send service notifications, security alerts, and support replies.
- Detect, prevent, and respond to fraud and abuse.
- Comply with legal obligations.
We do not sell your personal information. We do not share contact lists between RewardLoop tenants. Tenants are isolated from one another at the database level using row-level security.
3. Service providers and data location
We use a small set of trusted service providers to deliver RewardLoop. Each is bound by its own privacy obligations and processes data only on instructions from us.
- Supabase (database and authentication) - hosted in Sydney, Australia.
- Vercel (application hosting) - serves Australian customers from the Sydney edge region.
- Stripe (payments) - data may be processed in Australia, the United States, and other Stripe regions per their privacy policy.
- Resend (transactional email) - data may be processed in the United States and the European Union per their privacy policy.
- Upstash (rate-limit token store) - Sydney region.
- Cloudflare (DNS only).
Where personal information is sent outside Australia (for example, to Stripe or Resend), we take reasonable steps to ensure that the overseas recipient handles your information in line with the APPs.
4. How we protect your information
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Tenant-level isolation is enforced through row-level security policies in our database. Service-role credentials are held in secure environment storage and never committed to source code. We review access logs regularly and apply security patches promptly.
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and the Office of the Australian Information Commissioner as required under the Notifiable Data Breaches scheme.
5. Your rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your account and associated data, subject to record-keeping obligations.
- Make a complaint about how we handle your personal information.
To exercise any of these rights, email privacy@rewardloop.com.au. We will respond within 30 days. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.
6. Marketing and unsubscribing
We send transactional emails (account confirmations, billing receipts, security notifications) to all account holders. These messages are necessary for the service and cannot be opted out of while you have an active account. Every commercial electronic message we send complies with the Spam Act 2003 (Cth) and includes a functioning unsubscribe option.
7. Cookies
We use a small number of first-party cookies that are essential for the service to function: session cookies for authentication, an A/B testing cookie to keep landing-page variants stable for the same visitor, and a short-lived attribution cookie for tracking marketing campaigns. We do not use third-party advertising or tracking cookies on the marketing site.
8. Changes to this policy
We will update this policy from time to time. If we make a material change, we will email account holders and update the "Last updated" date above. Continued use of the service after a change indicates acceptance of the updated policy.
9. Contact
Privacy questions: privacy@rewardloop.com.au
General support: hello@rewardloop.com.au
Legal entity: The Trustee for Broad & Co. Family Trust (ABN 89 687 217 914)
This privacy policy is the working version drafted by the RewardLoop team. We recommend you seek independent legal advice before relying on this document in a dispute.