Privacy Policy

1. Introduction

1.1 Purpose

This Privacy Policy explains how we collect, use, store, and disclose information when you use the platform. Our goal is to ensure you understand what data we access, how it is processed, and the rights and choices available to your organisation.

1.2 Scope

This Policy applies to all data collected through:

• the platform's web interface and associated tools;
• integrations with external systems such as accounting platforms, POS systems, and supplier ordering systems;
• any communications or support interactions with our team.

This Policy does not apply to:

• data practices of third-party systems you choose to integrate (e.g. Xero, POS vendors, ordering platforms);
• any websites or services not controlled by us.

1.3 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in features, integrations, regulatory requirements, or internal practices.

• Material updates will be communicated via email or in-platform notifications.
• The updated Policy will apply from the effective date stated.
• Continued use of the platform after updates constitutes acceptance of the revised Policy.

---

2. Data We Collect

2.1 Account Information

We collect information required to create and manage organisational accounts, including:

• business name and contact details;
• user names, emails, and role assignments;
• authentication details and account permissions.

We do not collect personal information unrelated to platform access.

2.2 POS Data (Sales, Transactions, Products)

If you connect a POS integration, we may collect:

• sales transactions and timestamps;
• product names, categories, SKUs, and pricing;
• historical sales data (subject to POS retention);
• modifiers, add-ons, discounts, or refunds (where supported).

This data is used solely to generate sales insights, forecasting, and related analytics.

2.3 Accounting Data (Invoices, Suppliers, Chart of Accounts)

If you connect Xero or another accounting platform, we may collect:

• invoices, invoice line items, and credit notes;
• supplier names, IDs, and contact references;
• product descriptions and SKU-level entries;
• tax amounts, account codes, and chart of accounts structures;
• historical invoice data where available.

This data is used to analyse supplier costs, price changes, and spending patterns.

2.4 Supplier and Order Management Data

If you connect supplier ordering systems, we may collect:

• purchase orders and associated line items;
• supplier-specific pricing, costs, and product catalogues;
• SKU lists, pack sizes, and product availability;
• order frequency, delivery dates, and statuses (where supported).

This data supports the supplier dashboard, price tracking, and cost analysis features.

2.5 Usage Analytics and Logs

We may collect certain usage information, including:

• device type, browser information, and IP address;
• pages viewed, features used, and session durations;
• error logs, diagnostics, and performance metrics.

This data helps improve platform stability and usability.

2.6 Communications and Support Interactions

If you contact support or interact with us through the platform, we may collect:

• messages, attachments, screenshots, or explanations of issues;
• email communications or chat logs;
• metadata related to your request.

This information is used to provide customer support and service improvements.

2.7 Optional File Uploads (CSV, Product Lists)

You may upload files such as:

• product lists or pricing sheets;
• supplier catalogues;
• historical data exports.

These files are processed solely to populate dashboards, improve accuracy, and enhance insights.

---

3. How We Collect Data

3.1 Direct User Inputs

We collect data you or your authorised users provide directly, including:

• account setup information;
• manual product lists or CSV uploads;
• data entered into configuration settings;
• support messages and feedback.

3.2 OAuth Integrations

When you connect third-party services such as Xero, POS systems, or supplier platforms, we collect data through secure OAuth flows or API credentials.

• You choose which integrations to activate.
• We only access data authorised through the integration permissions.
• You may revoke access at any time.

3.3 Automated Syncing

After an integration is authorised, data may be collected automatically on a scheduled basis or in real-time depending on the capabilities of the connected service.

• Sync frequency may vary between integrations.
• Data updates may occur when triggered by user action or third-party notifications.

3.4 Cookies and Tracking (If Used)

We may use cookies or similar technologies to:

• keep you logged in;
• maintain session integrity;
• understand how the platform is being used.

We do not use cookies for targeted advertising or cross-site tracking.

---

4. How We Use Data

4.1 To Operate the Supplier Dashboard

We use your accounting, POS, and supplier ordering data to display core dashboard information such as:

• supplier spend;
• invoice history and trends;
• product-level costs and usage;
• supplier performance insights.

This processing is essential for the functioning of the platform.

4.2 To Analyse Supplier Costs and Price Changes

We analyse invoice and order data to:

• identify cost increases or decreases over time;
• detect price fluctuations for individual products or suppliers;
• notify you of unusual cost movements;
• support purchasing visibility and operational awareness.

4.3 To Support Future POS Features

When POS data is connected, we may use it to:

• analyse product sales performance;
• correlate sales and cost information;
• identify trends and seasonality patterns;
• generate future POS-driven insights and dashboards.

4.4 To Generate Insights and Forecasts

We use your combined datasets to produce:

• automated insights and summaries;
• forecasting models and trend predictions;
• comparative analyses;
• recommendations intended to support internal decision-making.

All insights are informational and depend on the completeness of your data.

4.5 To Provide Supplier Benchmarking and Comparisons

We may compare your supplier costs or product prices against:

• anonymised industry averages;
• aggregated benchmarks across similar venues;
• alternative supplier options where available.

These benchmarks never identify any individual venue.

4.6 To Improve Platform Functionality

We may use diagnostic information, usage logs, and performance analytics to:

• maintain system stability;
• develop new features;
• improve prediction accuracy;
• enhance user experience;
• ensure integrations function reliably.

4.7 To Communicate With Users

We may use account and contact information to:

• send important service announcements;
• provide onboarding and training support;
• respond to enquiries;
• notify you of platform updates or changes relevant to your account.

4.8 To Create Aggregated, Anonymised Datasets

We may transform your data into anonymised or aggregated datasets that cannot identify your organisation. These datasets may be used for:

• industry benchmarks;
• internal analytics and research;
• model training and product improvement;
• commercial insights or reports;
• informing suppliers or partners about market trends without identifying any venue.

We do not use identifiable business data for commercial resale or external distribution.

---

5. Sharing and Disclosure

5.1 Internal, to Your Authorised Team Members

Your organisation controls user access. Authorised users may view data, insights, and dashboards depending on the permissions set within your account.

5.2 With Integrated Platforms (Xero, POS, Supplier Systems)

We only share data with integrated platforms when:

• you explicitly enable a feature requiring such sharing;
• the integration requires limited write-back to function (if introduced in future);
• required by the platform's API rules.

By default, integrations are read-only, and we do not modify data in your external systems.

5.3 With Suppliers (Only If You Enable It)

Certain optional features may allow suppliers to access limited insights relating to their own products or pricing. This will only occur if:

• you choose to enable supplier visibility;
• the shared information is clearly disclosed before activation;
• suppliers cannot access your broader business data.

Supplier access can be revoked at any time.

5.4 With Service Providers (Hosting, Analytics)

We may share data with third-party service providers who support:

• hosting and infrastructure;
• database management;
• analytics and performance monitoring;
• security and operational stability.

These providers are contractually restricted to using data only for the services they perform.

5.5 Legal Compliance

We may disclose data where required to comply with:

• applicable laws;
• valid legal requests;
• regulatory obligations.

Where legally permissible, we will notify you before any such disclosure.

5.6 No Data Selling

We do not sell identifiable data to third parties. We may use aggregated or anonymised data for:

• research;
• benchmarking;
• commercial insights;
• industry analysis;
• product improvement.

These uses never identify any individual organisation.

---

6. Storage and Security

6.1 Storage Locations

Data may be stored on secure cloud infrastructure located in Australia or other regions as required for performance and reliability. Storage locations may change based on platform architecture or availability.

6.2 Security Protections

We implement industry-standard security measures including:

• encryption in transit and at rest;
• secure OAuth-based integrations;
• firewalls and intrusion monitoring;
• access logging and auditing;
• ongoing vulnerability assessments and improvements.

6.3 Access Controls

Access to personal and business data is restricted to authorised personnel who require it to operate or support the platform.

• We enforce strict role-based access controls.
• All personnel are bound by confidentiality obligations.
• Access is logged and monitored for security and compliance.

6.4 Breach Notifications

If a data breach occurs that is likely to result in serious harm, we will:

• notify affected organisations promptly;
• provide details of the nature and scope of the breach;
• outline actions taken to mitigate risk;
• comply with applicable data breach regulations in Australia, the UK, and the US.

---

7. Data Retention

7.1 Active Account Retention

While your organisation's account remains active, we retain:

• all connected integration data (accounting, POS, supplier ordering);
• platform-generated insights, dashboards, and analytics;
• usage logs necessary for stability, audit, and security.

Retention is required to ensure continuous functionality.

7.2 Post-Integration Disconnection Retention

If you disconnect an integration (e.g. Xero or a POS system):

• no new data will be imported;
• previously retrieved data may remain available within the platform;
• disconnected data may continue to be used for historical insights, trend analysis, or aggregated analytics;
• you may request deletion of previously synced data, subject to legal or operational constraints.

7.3 Post-Account Closure Retention

If your organisation's account is closed:

• core business data may be retained for a limited period to comply with legal, security, or audit obligations;
• platform-generated insights may be removed or anonymised;
• backups and logs may persist temporarily for system integrity;
• aggregated and anonymised datasets already produced will not be deleted, as they cannot identify you.

7.4 User-Requested Deletion

You may request deletion of your organisation's identifiable data at any time.

• We will delete the data where legally permissible.
• Some data may be retained to:
  • comply with law;
  • prevent fraud;
  • maintain security;
  • meet audit obligations.
• Aggregated or anonymised datasets cannot be deleted because they contain no identifiable information.

---

8. User Rights

8.1 Access

You may request access to the data we hold about your organisation, including integration data, platform-generated outputs, and account details. We will provide access within reasonable timeframes, subject to applicable laws.

8.2 Correction

If any data held about your organisation is inaccurate, incomplete, or outdated, you may request correction. Where corrections must be made in an external system (e.g. Xero or a POS), you must update those systems directly.

8.3 Export

You may request export of your data in a commonly used format. Exports may include:

• raw integration data previously retrieved;
• platform-generated summaries where practical.

We may exclude proprietary models, algorithms, and internal system structures.

8.4 Deletion

You may request deletion of your identifiable data at any time.

• We will delete data unless retention is required by law or for security purposes.
• Deletion of integration data may affect platform functionality.
• Aggregated or anonymised datasets will not be deleted, as they cannot identify you.

8.5 Marketing Preferences

You may opt out of non-essential communications.

• Service notifications, security alerts, and essential operational messages cannot be opted out of.
• Marketing emails may be unsubscribed from at any time.

---

9. International Transfers

9.1 Australia, UK, US, Europe, New Zealand, Canada, Indonesia, South Africa, and Other Regions

Data may be processed or stored in:

• Australia;
• the United Kingdom;
• the United States;
• the European Union or other European jurisdictions;
• New Zealand;
• Canada;
• Indonesia;
• South Africa;
• or any other region where our secure cloud infrastructure or service providers operate.

By using the platform, you consent to data being transferred to, stored in, or processed in these regions for the purposes of providing the service. All international transfers are conducted in compliance with applicable data protection laws and with appropriate safeguards in place.

9.2 Safeguards Used

To protect data transferred internationally, we implement appropriate safeguards including:

• contractual protections such as data processing agreements;
• secure encryption in transit and at rest;
• compliance with Australian Privacy Principles (APPs), the UK GDPR, and relevant US frameworks;
• limiting access to authorised personnel;
• ensuring service providers adhere to strict confidentiality and security standards.

---

10. Children's Privacy

10.1 Business Use Only

The platform is designed exclusively for use by businesses and commercial organisations.

• We do not offer services to individuals for personal or household use.
• We do not knowingly collect personal information from children under any circumstances.
• If we become aware that information has been collected in violation of this principle, we will delete it promptly.

Access to the platform must be limited to authorised personnel acting on behalf of a business.

---

11. Contact Information