1. Who We Are
TreatTracker is a location-based mobile web application that connects customers with nearby ice cream and coffee vans operating in Western Australia. References to "we", "us" or "our" refer to TreatTracker and its operators. By creating an account or using TreatTracker, you acknowledge that you have read and agree to this Privacy Policy.
2. Information We Collect
Vendor accounts: When applying to become a vendor, we collect your contact email address (stored encrypted), a hashed password (one-way cryptographic hash — never readable), your van/business name, and your Australian Business Number (ABN) for identity verification. Vendor profile information you choose to provide (van type, description, banner photo, menu image, specials boards) is stored and displayed publicly within the app. Vendor GPS coordinates are collected only while you have manually activated live tracking.
Customer accounts: We collect your email address and a hashed password for authentication. No other personal identifying information is required to create a customer account.
Customer ping location: When you choose to ping a driver, your device GPS coordinates are collected with your explicit permission and
temporarily transmitted to and stored on our servers for the duration of that interaction only. These coordinates are used solely to display your location to the vendor you have pinged. They are automatically deleted from our servers when the serve is completed or within 5 minutes, whichever comes first — and coordinate fields are nulled immediately when you stop the ping.
Usage data: Anonymous interaction counts (profile views, likes, customers served) are collected to provide vendors with performance metrics. These counts are not linked to individual customer identities.
3. Notice of Collection (APP 5)
In accordance with Australian Privacy Principle 5, we notify you that:
• The primary purpose of collecting your email is to authenticate your account and send transactional emails (confirmation, password reset)
• Providing your email is required to create an account; you may browse public vendor information without an account
• Vendor ABN collection is required to verify business identity as part of the vendor approval process
• Customer GPS collection during pinging is voluntary — you may use the app to find vans without pinging
• We do not collect information from third-party sources or use your data for automated decision-making
4. How We Use Your Information
We collect and use personal information only for the purposes for which it was provided:
• To authenticate your account and maintain your session
• To display live van locations to nearby customers
• To allow vendors to manage their listing, GPS broadcasting, and customer interactions
• To send transactional emails (account confirmation, password reset, vendor approval notifications)
• To verify vendor identity via ABN as part of the approval process
• To enable the customer ping and proximity-serve feature
• To provide vendors with anonymised performance analytics
5. Legal Basis & Compliance
TreatTracker operates in accordance with the
Privacy Act 1988 (Cth) and the
Australian Privacy Principles (APPs), as amended by the Privacy and Other Legislation Amendment Act 2024. Location data and email addresses are treated as personal information under Australian law and are handled accordingly. We do not rely on the small business exemption for the handling of location data or sensitive account information.
6. GPS & Location Data
Vendor location: Vendor GPS coordinates are broadcast in real time to all users of the app while the vendor has live tracking enabled. Vendors provide consent to this broadcast by activating tracking. Only the vendor's current position is stored — no historical route data is retained.
Customer ping location: When a customer initiates a ping, their GPS coordinates are accessed with explicit device permission and are temporarily stored in our database solely to communicate their location to the pinged vendor. These coordinates are not used for any other purpose, are not shared with any other party, and are permanently deleted upon completion of the serve or after a maximum of 5 minutes. Coordinate fields are cleared from the database immediately when the customer ends their ping session.
Map display: Your GPS position as a blue dot on the customer map is processed locally on your device and is never transmitted to our servers.
7. Data Storage & Security
All personal data is stored on servers located in
Australia (Supabase / AWS ap-southeast-2, Sydney). We employ the following security measures:
• Passwords: one-way hashing (never reversible or readable)
• Email addresses: encrypted at rest
• All data in transit: TLS encryption
• API credentials: stored in secure environment vaults, never in source code
• Access controls: role-based with least-privilege principles applied
• Vendor profile media (photos, menus): stored in access-controlled cloud storage buckets
8. Data Retention
•
Vendor account data (email, van name, ABN, profile) is retained for the life of the account. Upon account deletion, all account data, vendor application history, location records, and metrics are permanently deleted immediately.
•
Customer account data (email, password hash) is retained for the life of the account and deleted upon account deletion.
•
Customer ping location data is automatically deleted from our servers within 5 minutes of being created, or immediately upon the serve being completed — whichever is sooner.
•
Anonymous usage metrics (view counts, like counts, serve counts) are retained for up to 24 months.
•
Vendor profile media (uploaded photos) is deleted from storage upon account deletion.
9. Disclosure to Third Parties
We do not sell, trade, or rent personal information to third parties. Data may be disclosed to or processed by:
•
Supabase Inc. — cloud database and authentication infrastructure (data stored in AWS ap-southeast-2, Sydney)
•
Transactional email providers — solely for sending account-related emails; email addresses are shared only for delivery and not retained by the provider beyond the sending event
•
Cloudflare Turnstile — anti-bot verification on account creation, sign-in, and password reset forms; Turnstile is operated by Cloudflare Inc., who also provide our hosting and DNS. Turnstile does not use cookies or track users across sites. See cloudflare.com/privacypolicy
•
Regulatory bodies or law enforcement where required by Australian law
We take reasonable steps to ensure that any third-party providers handle personal information consistently with the Australian Privacy Principles.
10. Your Rights
Under the Privacy Act 1988, you have the right to:
•
Access the personal information we hold about you — contact us at the address below
•
Correct inaccurate or outdated information — update your profile in-app or contact us
•
Request deletion of your personal information — use the "Delete Account" option in the app or contact us
•
Withdraw consent for location access at any time via your device browser settings
•
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at
oaic.gov.au or 1300 363 992 if you believe your privacy rights have been breached
11. Data Breach Notification
In the event of a data breach likely to result in serious harm to any individual, we will notify affected individuals and the OAIC as required under the Notifiable Data Breaches (NDB) scheme (Part IIIC, Privacy Act 1988) within the timeframes prescribed by law.
12. Children's Privacy
TreatTracker is intended for use by individuals aged 13 and over. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account, please contact us at info@treattracker.com.au and we will promptly delete the account and associated data.
13. Overseas Disclosure
Our infrastructure and third-party service providers (Supabase, email delivery) operate primarily within Australia (AWS ap-southeast-2). Cloudflare Inc. (USA) provides our hosting, DNS, and Turnstile anti-bot verification — Cloudflare operates a global edge network and may process request data outside Australia. We take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. Material changes will be notified via an in-app notice at least 14 days before taking effect. The date at the top of this policy indicates when it was last revised. Continued use of the app after the effective date of a revised policy constitutes acceptance of the changes.
15. Contact Us
For privacy enquiries, access requests, correction requests, or complaints:
📧 info@treattracker.com.au
We aim to respond to all privacy requests within 30 days as required under the Privacy Act 1988.
This policy is intended to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs 1–13), as amended by the Privacy and Other Legislation Amendment Act 2024. For independent privacy advice, contact the OAIC at oaic.gov.au or 1300 363 992.
