YarraBiz

Back to home

Privacy Policy

Last updated: 2026-04-29

This document is provided in English. Translated summaries may be added in future, but the English version is authoritative.

This Privacy Policy explains how YarraBiz ("we", "us", "our") handles personal information when you use the website at https://www.yarrabiz.com and any related subdomains (the "Site").

We are bound by the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth). This Policy describes how we collect, hold, use, disclose, and protect personal information in line with those obligations.

This Policy forms part of our Terms and Conditions. If you do not agree with how we handle your personal information, please do not register or continue using the Site.

1. What is "personal information"?

"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether it is recorded in a material form or not. It does not include de-identified or aggregated information.

2. What we collect

2.1 Information you give us directly

When you register and use the Site, you may give us:

  • Account details — your email address, display name, and password (stored only as a salted bcrypt hash; never in plain text).
  • Profile details — bio, phone number, WeChat ID, suburb, and any contact information you choose to add.
  • Visibility settings — your choices about which fields are public, registered-only, club-only, or private.
  • Business listing details — the name, description, category, addresses, phone, email, website, and trading hours of any business you list.
  • Invite chain data — the invite code you used to register, and the codes you issue to others. We retain the link between inviter and invitee (the "referral chain") for as long as both accounts exist on the Site.
  • Club data — the clubs you create or join and any messages you submit with a join request.
  • Communications — the content of any email or other message you send us, including support enquiries.

2.2 Information we collect automatically

When you visit the Site we automatically collect technical information including:

  • your IP address;
  • the date, time, and timezone of your visit;
  • the URL you visited and the page that referred you to us;
  • your browser user-agent string and language preference;
  • session and locale cookies (see clause 6);
  • standard server log data needed to operate the Site, detect abuse, and debug errors.

We do not use third-party analytics, advertising, or tracking pixels at present. If we add any in future, we will update this Policy and, where required by law, ask for your consent.

2.3 Information from third parties

If you choose to sign in with Google (OAuth), Google sends us your verified email address, your Google subject ID (a stable identifier), and your name. We do not receive your Google password or other Google data. You can disconnect Google at any time from your profile page, provided you have a password set on the Site.

2.4 Sensitive information

We do not ask for, and ask that you do not submit, any sensitive information as defined in the Privacy Act (for example: health information, racial or ethnic origin, political opinions, religious beliefs, criminal history). The free-text fields (bio, business description) are visible to other Members or the public depending on your visibility settings — please don't include sensitive information there.

3. Why we collect it

  1. To provide the service — creating and authenticating your account, displaying your profile and Listings to the audience you have chosen, sending password resets, and showing search and category results to other Members and Visitors.
  2. To maintain trust — verifying that registrations come from a valid invite chain, enforcing the per-role invite-cap, investigating misuse, and applying our acceptable-use rules.
  3. To communicate with you — sending email verification, password resets, account-status changes, and important notices about the Site or these policies.
  4. To improve the Site — debugging issues, fixing bugs, monitoring performance, and understanding how the Site is used in aggregate.
  5. To comply with the law — responding to lawful requests from government agencies and courts, and to protect our rights and the rights of others.

We will not use your personal information for any other purpose unless you would reasonably expect us to, you have consented, or we are required or authorised to by law.

4. Who we share it with

We do not sell your personal information. We do not share your personal information with third parties for their own marketing.

4.1 With other users, according to your visibility settings

  • public — anyone visiting the Site, including non-Members and search engines. Treat any field set to public as fully public.
  • registered — only signed-in Members.
  • club:<id> — only Members of the named Club.
  • private — only you and our administrators.

4.2 With our service providers

We use a small number of trusted service providers to run the Site:

ProviderPurposeWhere data is processed
Amazon Web Services (AWS)Cloud hosting (EC2 instances, networking)Sydney (ap-southeast-2)
Amazon Simple Email Service (SES)Outbound email delivery (smart-host)Sydney (ap-southeast-2)
Self-hosted Maddy mail server (on AWS EC2)Inbound email and DKIM signingSydney (ap-southeast-2)
Google LLCOptional Google sign-in (OAuth) — only triggered if you click "Continue with Google"Google's regions per its own privacy policy
Let's Encrypt / ISRGTLS certificate issuance (no personal data shared)Worldwide

These providers are bound by their own contractual and legal obligations. We share with them only what is needed to operate the Site.

4.3 With law enforcement and others, where required

We may disclose personal information if we are required to do so by law (for example, in response to a court order or a valid law-enforcement request), or where disclosure is reasonably necessary to:

  • enforce our Terms and Conditions;
  • protect the rights, property, or safety of YarraBiz, our Members, or others;
  • detect, prevent, or address fraud, security, or technical issues; or
  • defend a legal claim.

4.4 In a business transfer

If YarraBiz is sold, merged, or transferred, your personal information may transfer to the acquirer as part of that transaction. We will require the acquirer to honour this Privacy Policy or to give you a reasonable opportunity to delete your account before any change of practice.

5. Cross-border disclosure

Most personal information is stored in Australia (Sydney region). However:

  • If you sign in with Google, the Google sign-in process involves data flows to Google's data centres, which may be outside Australia.
  • AWS SES and other AWS support services may, in some circumstances, route metadata through other AWS regions for the purposes of fault tolerance and abuse prevention.

By using the Site you agree to this cross-border handling. We take reasonable steps to ensure overseas recipients handle your personal information consistently with the APPs.

6. Cookies and similar technologies

We use a small number of cookies and similar storage mechanisms that are strictly necessary for the Site to work:

Cookie / storagePurposeLifetime
yarrabiz_sessionIdentifies your logged-in session on the server. httpOnly, sameSite=lax, secure in production.30 days (rolling)
NEXT_LOCALE (next-intl)Remembers your chosen language.1 year
Short-lived Google OAuth cookies (state, code verifier, mode, next, signup-token)Used during the Google sign-in flow only.10 minutes

We do not currently use marketing, advertising, or third-party analytics cookies. If we add any, we will update this Policy and request consent where required.

7. How we secure your information

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our measures include:

  • Hashing — passwords are hashed with bcrypt at cost 12; we never store or log the plain password.
  • Encryption in transit — all traffic is served over HTTPS (TLS) using certificates from Let's Encrypt.
  • Server-side authorisation — every list and detail query is filtered by visibility on the server before any data is returned. The browser never receives a row it isn't allowed to see.
  • Tokens — email verification tokens are 32-byte random values with a 24-hour TTL; password reset tokens are 32-byte random values with a 1-hour TTL and limited to one active token per account.
  • Access controls — only site administrators can view all profile data, and only superadmins can permanently purge a deleted account's snapshot.
  • No public bucket exposure — at present we do not host any user-uploaded files in a public storage bucket. (Photo upload is deferred to a later phase.)

No system is perfectly secure. If you suspect your account has been compromised, contact support@yarrabiz.com immediately.

8. How long we keep it

We keep personal information only for as long as we need it.

DataRetention
Active account profile and ListingsUntil you delete the account or we close it.
Anonymised "deleted" account rowKept indefinitely so the referral chain is not orphaned. The row holds no personal information.
Account snapshot (after self-delete or admin delete)Kept until a superadmin purges it. Used only for recovery.
Used invite codesKept indefinitely — they are part of the referral chain.
Unused / revoked invite codesHard-deleted 3 days after they expire or are revoked.
Email verification tokensHard-deleted on use, or pruned shortly after their 24h expiry.
Password reset tokensHard-deleted on use, or pruned shortly after their 1h expiry.
Server logsRetained for a short rolling window (typically 30 days) for debugging and abuse investigation.
Email correspondence with usRetained for as long as needed to handle the matter and to comply with our legal obligations.

When we no longer need personal information, we destroy or de-identify it, except where law requires us to retain it.

9. Your rights

9.1 Access and correction

You can:

  • view and edit most of your personal information directly from your profile page, including your display name, bio, phone, WeChat, suburb, visibility settings, and any Listings;
  • contact us at support@yarrabiz.com to request access to other personal information we hold about you, or to ask us to correct it.

We will respond within a reasonable time — usually within 30 days. We may need to verify your identity before responding. There is normally no fee for access; if a request is unusually time-consuming, we will tell you the cost in advance.

If we refuse access or correction, we will give you written reasons and tell you how to complain.

9.2 Email address changes

You cannot change your email address yourself in the current version of the Site. To change the email on your account, contact support@yarrabiz.com and we will help you.

9.3 Deletion

You can delete your own account at any time from the dashboard. See clause 9 of the Terms and Conditions for what happens when you do.

If you have a deleted account that you would like permanently purged from our snapshot store, contact support@yarrabiz.com and we will arrange for a superadmin to do so. Once purged, recovery is not possible.

9.4 Anonymity and pseudonymity

The Site is invite-only and identifies Members by email address, so genuinely anonymous use is not practical. You may use a pseudonym as your display name, provided you do not use it to impersonate another person or business.

9.5 Withdrawing consent

Where we rely on your consent to handle personal information (for example, optional newsletter emails), you can withdraw your consent at any time. Withdrawing consent does not affect handling that occurred before withdrawal.

10. How to make a complaint

If you think we have breached the APPs or mishandled your personal information, please contact us first at support@yarrabiz.com with a description of your concern. We will:

  1. acknowledge your complaint within a reasonable time;
  2. investigate it; and
  3. give you a written response, normally within 30 days.

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):

11. Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe an "eligible data breach" has occurred — that is, an unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm — we will:

  1. promptly assess the situation;
  2. take reasonable steps to contain and remediate; and
  3. notify the affected individuals and the OAIC as required by the scheme.

12. Children

The Site is not directed to people under 18. Members must be at least 18, or have legal capacity to enter into a binding agreement under Australian law, before they register (see clause 2 of the Terms and Conditions). If you believe a child has registered, please contact support@yarrabiz.com and we will investigate.

13. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we will:

  1. update the "Last updated" date at the top; and
  2. give you reasonable notice by email and/or by an in-Site notice before the change takes effect, except where the change is required for legal, regulatory, or security reasons.

Your continued use of the Site after a change takes effect means you accept the updated Policy.

14. Contact us

If you have any questions about this Policy or about how we handle your personal information:

YarraBiz
Email: support@yarrabiz.com
Web: https://www.yarrabiz.com

Privacy Policy · YarraBiz