Legal

Privacy policy

Last updated: 26 April 2026

Pre-launch placeholder. This is the plain-English summary we intend to publish at public launch. The final, lawyer-reviewed version replaces this page before the first paying café signs. Email trust@ihospo.com.au for the draft.

1. What we collect

Workers: name, date of birth, photo ID (held by Stripe Identity, deleted after verification), right-to-work status, ABN if provided, bank account or PayID alias for payouts, ratings from venues.

Cafés: business name, ABN, director name, registered address, primary contact email, card on file (held by Stripe — we never see the PAN), shifts posted, ratings from workers.

2. How we use it

To match workers with shifts, charge cafés for matched shifts, release wages to workers via PayID, run KYC, surface ratings to both sides, and respond to disputes. We do not sell personal data and do not share it with third parties except as needed to operate the service (Supabase for hosting, Stripe for payments, Resend for email, Inngest for jobs).

3. Where data is stored

All Australian customer data is stored in Supabase's ap-southeast-2 region (Sydney). Bank account numbers are encrypted at rest, displayed masked, and never logged. KYC documents are stored encrypted by Stripe Identity and deleted after verification — we keep the verification result, not the document.

4. Your rights

Under the Privacy Act 1988 you have the right to access, correct, or request deletion of your personal information. Email privacy@ihospo.com.au and we'll respond within 30 days. We comply with the Notifiable Data Breach scheme — if a breach affects you, we'll notify you and the OAIC within 30 days.

5. Cookies & analytics

We use Vercel Analytics (privacy-friendly, no fingerprinting, no third-party cookies) to understand which pages convert and which don't. We do not use Google Analytics, Meta pixels, or any cross-site tracking.

6. Retention

Active account data is kept while the account is active. After account closure we retain financial transaction records for 7 years (ATO requirement) and delete everything else within 90 days.

7. Contact

Privacy questions or complaints: privacy@ihospo.com.au. If you're not satisfied with our response you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.