Privacy Statement
This statement explains how Ivy Bookings handles personal information for business users, staff, and booking customers in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
1. Information We Collect
We collect and hold the following categories of personal information:
| Category | Data Collected | Purpose |
|---|---|---|
| Account | Name, email, password (hashed) | Authentication and account management |
| Business | Business name, address, phone, ABN | Service delivery and billing |
| Customer | Name, email, phone, booking notes | Appointment management and reminders |
| Staff | Name, email, phone, role, bio | Scheduling and employment records |
| Health/Forms | Medical history, treatment notes, consent forms | Treatment delivery and legal compliance |
| Payment | Stripe customer/account IDs, transaction references | Payment processing and ATO compliance |
| Security | IP address, device info, login events | Fraud prevention and audit |
2. How We Use Information
- Deliver bookings, reminders, customer communications, and business operations.
- Process payments, payouts, wallet top-ups, and billing settlements.
- Detect fraud, protect users, and enforce platform and payment terms.
- Meet legal, tax, accounting, and regulatory obligations.
- Send marketing communications only where explicit consent has been given.
3. Data Access and Export (APP 12)
You may request a copy of your personal data at any time. Business owners and managers can request customer data exports through Settings > Privacy. Individual users can request their own data export from the same location.
Export requests are processed within 30 days and delivered as a downloadable JSON file available for 24 hours.
4. Data Correction (APP 13)
You may request correction of any personal information we hold about you. Business managers can submit correction requests for customer data through the data request system. All corrections are logged in our audit trail.
Contact us at privacy@ivybookings.com.au if you cannot access the self-service correction tools.
5. Data Deletion (APP 11.2)
You may request deletion of your account or customer data through Settings > Privacy. Deletion requests include a 30-day grace period during which you can cancel the request. After the grace period, personal information is scrubbed from our systems.
Certain records are retained beyond deletion as required by law:
- Financial/payment records: 5 years (Australian Taxation Office requirements)
- Employment/staff records: 7 years (Fair Work Act)
- Health and treatment records: 7 years (health records legislation)
- Audit events: 7 years (security and compliance)
6. Data Retention Periods
- User accounts: 90 days post-deletion request
- Customer records: 90 days post-deletion request
- Staff records: 7 years (Fair Work Act)
- Audit events: 7 years (metadata retained, PII scrubbed)
- Session data: 90 days
- Form submissions: 7 years (health records)
- Notifications: 365 days (content scrubbed after)
- Payment records: 5 years (ATO)
- Walk-in records: 90 days post-completion
- Verification codes: 30 days
7. Overseas Transfers (APP 8)
Your data may be transferred to the following overseas services:
- Stripe (United States) — for payment processing. Stripe is certified under PCI DSS Level 1 and maintains appropriate data protection measures.
- AWS (ap-southeast-2, Sydney) — our primary infrastructure region. Data is stored and processed in Australia by default.
We take reasonable steps to ensure overseas recipients handle your information in accordance with the Australian Privacy Principles.
8. Payment Processing
Ivy uses Stripe for card processing and related payment services. Ivy does not store raw card details. Payment data is processed according to Stripe's security and compliance framework.
9. Security (APP 11.1)
Ivy uses technical and organisational safeguards including:
- AES-256-GCM encryption for sensitive fields (health data, TOTP secrets)
- AWS KMS envelope encryption for key management
- Multi-factor authentication (TOTP) with encrypted secret storage
- Step-up authentication for sensitive operations
- Comprehensive audit logging with tamper-evident records
- Role-based access control with principle of least privilege
- Automated data retention enforcement with legal hold support
10. Automated Decision-Making
Ivy does not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Waitlist prioritisation uses first-come-first-served or broadcast strategies configured by the business owner.
11. Notifiable Data Breaches
In the event of an eligible data breach, we will assess the breach within 30 days as required by the Notifiable Data Breaches scheme. If the breach is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
12. Complaints
If you believe we have breached your privacy, contact us at privacy@ivybookings.com.au. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
13. Related Terms
This statement should be read together with the Terms and Conditions.