Privacy Policy
This Privacy Policy applies to all Personal Information collected by PBPB Pty Ltd ABN 53 680 208 860 ("PBPB", "we", "us", "our") through Plan G and all associated websites, applications and services operated by PBPB (collectively, the "Service").
We are committed to protecting your privacy and handling your Personal Information responsibly, openly and in compliance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).
This policy should be read alongside our Terms of Use and Cookie Policy.
Definitions
1. What Information We Collect
- Account Holder information. When an Account Holder registers for the Service, we collect:
business name, contact name, email address, phone number, and billing information.
- Invited User (staff) information. When an Account Holder adds staff members to the Service, we collect information provided during onboarding, which may include:
name, email address, phone number, date of birth, home address, emergency contact details, and bank account details (where provided for payroll integration purposes).
Bank account details are collected solely to facilitate payroll processing through integrated payroll systems (such as Xero or KeyPay) and are not used for any other purpose. We do not store or transmit bank account details outside of the payroll integration workflow.
- Automatically collected information. When you use the Service, we automatically collect certain technical information, including:
IP address, browser type and version, device type and operating system, pages visited, session duration, feature usage patterns, and error logs.
This information is used to maintain and improve the Service and to diagnose technical issues. It may constitute Personal Information if it can be used to identify you. For more detail on cookies and similar technologies, see our Cookie Policy.
- Information from third parties. We may receive information about you from your Account Holder (if you are an Invited User) or from integrated third-party services such as POS (sales and transaction data). Where we receive information from a third party, we will take steps to make you aware of what was provided where required by law.
2. How We Collect Your Information
- Directly from you — when you register an account, complete onboarding forms, update your profile, or contact us for support.
- From your Account Holder — if you are an Invited User, your Account Holder may enter your information into the Service on your behalf as part of staff onboarding.
- Automatically — through cookies, server logs and usage tracking when you access and use the Service. See our Cookie Policy for details.
- From integrated systems — where you or your Account Holder have connected third-party systems (such as POS or payroll platforms), data from those systems may flow into the Service as part of normal operation.
- Sensitive Information. We do not seek to collect Sensitive Information as part of the Service's core functionality. However, emergency contact details entered during staff onboarding may incidentally contain health-related information. Where this occurs, we handle it with the same care as Sensitive Information and use it only for the purpose for which it was provided.
3. Why We Collect Your Information
We collect Personal Information only for purposes that are reasonably necessary for our business activities, in accordance with APP 3. The specific purposes for each category of data are:
- Account and contact information — to create and manage your account, verify your identity, process your subscription, send service notifications, security alerts and administrative communications relating to your account.
- Staff profile information (name, email, phone, address, date of birth) — to enable rostering, timesheet management, task assignment, staff communication and onboarding workflows within the Service.
- Bank account details — solely to facilitate the export of payroll data to integrated payroll systems (such as Xero or KeyPay) at the direction of the Account Holder. We do not use bank account details for any other purpose.
- Emergency contact details — to enable Account Holders to maintain staff emergency contact records as required for workplace health and safety obligations.
- Technical and usage data — to operate, maintain and improve the Service; to diagnose and fix technical issues; to monitor security and prevent fraud; and to generate anonymised, aggregated analytics about how the Service is used.
- Service communications — we may contact you with operational notices, security alerts, software update information and account-related messages. These are not marketing communications and cannot be opted out of while your account is active, as they are necessary for the provision of the Service.
4. Who We Share Your Information With
We do not sell your Personal Information. We disclose it only in the circumstances described below.
- Your franchisor. If your Account Holder operates under a franchise agreement, the relevant franchisor may have access to operational data within the Service for the purposes of franchise oversight, compliance monitoring and support. This access is governed by your franchise agreement. The franchisor is an authorised recipient of your operational data, which may include sales figures, production records and staff roster information.
- Service providers. We engage third-party service providers to operate and support the Service. These providers access Personal Information only as necessary to perform services on our behalf and are required to handle it in accordance with the Privacy Act and our instructions. Our current categories of service providers include:
| Provider | Purpose | Location |
| --- | --- | --- |
| Cloud hosting provider (enterprise VPS infrastructure) | Hosts the Service and stores data. Primary servers in Brisbane, QLD; secondary in Sydney, NSW. | Australia |
| POS / payment integration provider(s) (varies by Account Holder) | Sales and transaction data may flow between the Account Holder's connected POS or payment platform and the Service as part of normal operation. | Varies by provider |
| Xero / KeyPay | Payroll integration. Staff payroll data (including bank account details) is exported to payroll platforms at the Account Holder's direction. | New Zealand / Australia |
| Google Analytics | Anonymised usage analytics to help us understand how the Service is used and improve it. | United States |
| Google Fonts | Web font delivery. No Personal Information is associated with font requests beyond IP address. | United States |

- Legal and regulatory disclosure. We may disclose Personal Information where required or authorised by law, including to law enforcement, courts or regulatory bodies. We will notify you of such requests where we are legally permitted to do so.
- Business transfers. If PBPB merges with, is acquired by or transfers its business to another entity, your Personal Information may be transferred to the new entity as part of that transaction. We will notify you in accordance with clause 12 before any such transfer takes effect.
- With your consent. We may share your Personal Information with other third parties where you have given your express consent to do so.
5. Security
- Technical measures. We protect Personal Information using industry-standard security controls, including:
  - TLS encryption for all data in transit between your device and our servers;
  - AES-256 encryption for data at rest;
  - hashed and salted storage of authentication credentials — we do not store passwords in readable form; and
  - access controls that restrict data access to authorised personnel only.
- Organisational measures. PBPB staff and contractors who access Personal Information are bound by confidentiality obligations. Access to production data is limited to those who require it to perform their role.
- Your responsibilities. You are responsible for maintaining the confidentiality of your login credentials and for promptly notifying us at [email protected] if you become aware of any unauthorised access to your account.
- Limitations. No security system is impenetrable. While we take reasonable steps to protect your information, we cannot guarantee that unauthorised third parties will never be able to defeat our security measures. In the event of a breach, we will act in accordance with clause 8.
6. Data Retention
We retain Personal Information only for as long as is necessary for the purpose for which it was collected, or as required by law. The following retention periods apply:
When we no longer need Personal Information, we take reasonable steps to destroy it securely or de-identify it so it can no longer be associated with you.
7. Your Rights
- Access (APP 12). You have the right to request access to the Personal Information we hold about you. To make a request, contact us in writing at [email protected] with your name, account details and a description of the information you are seeking. We will respond within 30 days. In most cases, access is provided free of charge; where the request is complex or voluminous, we may charge a reasonable fee and will advise you in advance.
- Correction (APP 13). If you believe Personal Information we hold about you is inaccurate, incomplete or out of date, you may request that we correct it. Submit your correction request in writing to [email protected]. We will either make the correction or, if we decline, provide written reasons within 30 days.
- Deletion. You may request deletion of your Personal Information where it is no longer needed for the purpose for which it was collected and we have no legal obligation to retain it. Note that some information (particularly employment and financial records) must be retained for legally mandated periods regardless of a deletion request.
- Data portability. You may request a copy of your Personal Information in a machine-readable format at any time during an active subscription. We will fulfil such requests within 10 Business Days.
- Limitations. We may refuse access or correction requests in limited circumstances permitted by the APPs, for example where providing access would unreasonably impact the privacy of another individual, or where we are legally required to retain the information. We will always provide written reasons if we decline a request.
8. Data Breach Notification
- Our obligations. PBPB takes its obligations under the Notifiable Data Breaches (NDB) scheme (Privacy Act 1988, Part IIIC) seriously. If we have reasonable grounds to believe an eligible data breach has occurred — that is, a breach that is likely to result in serious harm to one or more affected individuals — we will:
  - contain the breach and assess its nature and scope as quickly as reasonably practicable;
  - notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable (and in any event within 30 days of becoming aware of reasonable grounds to believe a breach has occurred); and
  - notify all individuals whose Personal Information was involved and who are at risk of serious harm — we will contact you using the email address registered to your account.
- Notification content. Our breach notification will describe the nature of the breach, the kinds of information involved, the steps we have taken in response and the steps you can take to protect yourself.
- Your obligations. If you become aware of any suspected unauthorised access to your account or any data held within the Service, please notify us immediately at [email protected] so we can investigate promptly.
9. Overseas Transfer
- General principle. We store all primary operational data on servers located within Australia. However, some of our third-party service providers are based overseas or operate infrastructure that may process data outside Australia. These are listed in clause 4.2.
- Overseas recipients. The following transfers may involve overseas processing, depending on the provider:
  - POS / payment integration provider(s) — where an Account Holder has connected a POS or payment platform to the Service, sales and transaction data may flow through that provider's infrastructure. Depending on the provider, this may involve processing outside Australia. Each provider is subject to their own privacy obligations. You should review the privacy policy of any POS or payment platform your Account Holder has connected to the Service.
  - Google (United States) — anonymised usage analytics (Google Analytics) and web font delivery (Google Fonts) may involve data processing on Google's US infrastructure. Google Analytics data is anonymised before transmission. You can review Google's privacy policy at policies.google.com/privacy.
  - Xero / KeyPay (New Zealand / Australia) — where payroll integration is enabled, payroll data is transmitted to Xero (NZ) or KeyPay (AU) at the Account Holder's direction.
- Safeguards. Before we disclose Personal Information to any overseas recipient, we take reasonable steps to ensure that the recipient handles the information in a manner consistent with the Australian Privacy Principles, including by reviewing their privacy policies and, where applicable, relying on certified adequacy frameworks or contractual protections.
- Consent. By using the Service and enabling integrations with third-party systems, you acknowledge and consent to any overseas transfers that may occur in connection with those integrations as described in this clause.
10. Direct Marketing
- We do not send unsolicited marketing. PBPB does not use Personal Information collected through the Service to send marketing or promotional communications without your express opt-in consent.
- Opt-in only. Where PBPB wishes to send marketing communications (such as product updates or newsletters), we will seek your explicit consent separately from your use of the Service. You are under no obligation to consent, and declining will not affect your access to or use of the Service.
- Opting out. If you have previously consented to receiving marketing communications from us, you may withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. We will process opt-out requests promptly and within 5 Business Days.
- Service communications are not marketing. Operational notices, security alerts, invoice notifications and other communications necessary for the provision of the Service are not marketing communications. These will continue to be sent while your account is active regardless of your marketing preferences.
11. Complaint Procedure
- Raising a complaint with us. If you have a complaint about the way PBPB handles your Personal Information, please contact us in writing at [email protected], setting out the nature of your complaint clearly.
- Our response process:
  - we will acknowledge receipt of your complaint within 5 Business Days;
  - we will investigate and provide a substantive response within 30 days of receipt; and
  - if we need additional time (for example, due to complexity), we will notify you of the delay and the expected resolution date.
- Escalation to the OAIC. If you are not satisfied with our response, or if we fail to respond within the timeframes above, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
12. Changes to This Policy
- PBPB may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.
- For material changes — such as changes to the types of information we collect, the purposes for which we use it, or the third parties we share it with — we will provide at least 30 days' written notice to the email address registered to your account before the changes take effect.
- For minor, non-material changes (such as clarifications or corrections), we will update the "Last revised" date at the top of this page and the changes will take effect on publication.
- We encourage you to review this policy periodically. Continued use of the Service after the notice period for material changes constitutes your acceptance of the updated policy.
Contact PBPB
For all privacy enquiries, access and correction requests, or to lodge a complaint, contact our Privacy Officer.