SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Policy. You can find more details about any of these topics by clicking the link following each key point or by using our table of contents below.

Want to learn more? Review the full Privacy Policy below.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. SENSITIVE INFORMATION AND HEALTH DATA
3. INFORMATION FROM THIRD PARTIES
4. HOW DO WE USE YOUR INFORMATION?
5. LEGAL BASIS FOR PROCESSING
6. OUR ROLE AS CONTROLLER AND PROCESSOR
7. WHO DO WE SHARE YOUR INFORMATION WITH?
8. WHERE IS YOUR DATA STORED?
9. HOW LONG DO WE KEEP YOUR INFORMATION?
10. HOW DO WE KEEP YOUR INFORMATION SAFE?
11. COOKIES AND TRACKING TECHNOLOGIES
12. CHILDREN'S PRIVACY
13. YOUR PRIVACY RIGHTS (NEW ZEALAND)
14. YOUR PRIVACY RIGHTS (AUSTRALIA)
15. UPDATES TO THIS POLICY
16. HOW TO CONTACT US

1. WHAT INFORMATION DO WE COLLECT?

In Short: We collect personal information that you provide directly to us and information collected automatically when you use our Services.

Information You Provide Directly

We collect personal information when you register for an account, use our Services, contact us, or interact with our platform. This may include:

For Business Customers (using Receptioner to manage their business):

• Business name and contact details
• Account holder name, email address, and phone number
• Staff member names, contact details, and work schedules
• Billing and payment information
• Business address and location details

For End Users (booking through businesses that use Receptioner):

• Name, email address, and phone number
• Appointment and booking details
• Service preferences and history
• Information provided through intake or consultation forms (which may include health information - see Section 2)
• Payment information for bookings

Payment Data: We use Stripe to process payments. When you make a payment, your payment card details are collected and processed directly by Stripe. We do not store your full card details on our servers. Stripe's privacy policy is available at: https://stripe.com/privacy

Information Collected Automatically

When you use our Services, we automatically collect certain information, including:

• Device Information: Device type, operating system, unique device identifiers, browser type
• Usage Information: Pages visited, features used, actions taken within the platform
• Log Data: IP address, access times, referring URLs, error logs

Mobile Application Data

If you use our mobile applications, we may request access to:

• Calendar: To sync appointments with your device calendar
• Camera: To upload photos or scan documents
• Push Notifications: To send you booking reminders and updates

You can manage these permissions through your device settings at any time.

All personal information that you provide to us must be true, complete, and accurate. Please notify us of any changes to your personal information.

2. SENSITIVE INFORMATION AND HEALTH DATA

In Short: Businesses using our platform may collect health information from their clients through intake forms. This information is processed securely and in accordance with applicable privacy laws.

Receptioner provides tools that allow service businesses (such as massage therapists, spas, beauty salons, and clinics) to collect information from their clients through customisable intake and consultation forms.

Types of Health Information That May Be Collected

Depending on the business and the services they provide, intake forms may collect:

• Medical history and current health conditions
• Allergies and sensitivities
• Current medications
• Previous injuries or surgeries
• Pregnancy status
• Skin conditions or contraindications
• Emergency contact information
• Other health-related information relevant to the service being provided

How Health Information is Handled

Collection: Health information is collected by the business (our customer) directly from their clients. The business determines what information to collect based on their professional requirements.

Storage: All health information is stored securely on encrypted servers hosted by Amazon Web Services (AWS) in Australia and the European Union (Stockholm). Access is strictly controlled and limited to authorised personnel.

Processing: We process health information solely to provide the Services to our business customers. We do not use health information for marketing purposes or share it with third parties except as described in this policy.

Consent: Businesses are responsible for obtaining appropriate consent from their clients before collecting health information through our platform.

Your Rights Regarding Health Information

Under New Zealand and Australian privacy laws, health information receives additional protection. You have the right to:

• Know what health information is held about you
• Access your health information
• Request correction of inaccurate information
• Request deletion of your information (subject to legal retention requirements)

To exercise these rights, contact the business that collected your information directly, or contact us at support@receptionerapp.com.

3. INFORMATION FROM THIRD PARTIES

In Short: We receive limited information from third-party services that integrate with our platform.

We may receive personal information from the following third-party sources:

Payment Processors (Stripe)

When payments are processed through our platform, Stripe may share transaction confirmations and limited customer information necessary to complete and record the transaction. This may include:

• Transaction status and confirmation details
• Last four digits of payment card
• Billing address (if provided)

Booking Integrations (Google Reserve)

If a business enables Google Reserve integration, booking information may be received from Google when customers book appointments through Google Search or Maps. This may include:

• Customer name and contact details
• Requested service and appointment time
• Any notes provided during booking

4. HOW DO WE USE YOUR INFORMATION?

In Short: We use your information to provide and improve our Services, communicate with you, ensure security, and comply with legal obligations.

We process your personal information for the following purposes:

• Providing our Services: To create and manage accounts, process bookings, handle payments, and deliver the core functionality of our platform.
• Communications: To send booking confirmations, reminders, and notifications; respond to inquiries and support requests; and send administrative messages about your account or our Services.
• Payments: To process transactions, manage refunds, and maintain payment records.
• Security: To protect our Services, detect and prevent fraud, and ensure the safety and integrity of our platform.
• Improvement: To analyse usage patterns, troubleshoot issues, and improve our Services.
• Marketing: With your consent, to send promotional communications about our Services. You can opt out at any time.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. LEGAL BASIS FOR PROCESSING

In Short: We process your personal information only when we have a lawful basis to do so under New Zealand and Australian privacy laws.

Under the New Zealand Privacy Act 2020 and Australian Privacy Act 1988, we must have a lawful basis for collecting and processing your personal information. We rely on the following bases:

• Consent: Where you have given us clear consent to process your personal information for a specific purpose. You can withdraw consent at any time by contacting us.
• Contractual Necessity: Where processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g., providing our booking platform services).
• Legal Obligation: Where processing is necessary to comply with our legal obligations (e.g., tax records, responding to lawful requests from authorities).
• Legitimate Interests: Where processing is necessary for our legitimate business interests, provided these do not override your rights and interests. This includes improving our Services, preventing fraud, and ensuring platform security.

Health Information

For health information (a type of sensitive information under both NZ and AU law), we rely on:

• Consent provided by the individual to the business collecting the information
• The information being necessary for the provision of a health service or treatment

6. OUR ROLE AS CONTROLLER AND PROCESSOR

In Short: We act as both a data controller and a data processor depending on the context.

When We Are the Data Controller

We are the data controller (the party that determines why and how personal information is processed) for:

• Information about our business customers (the businesses that sign up for Receptioner)
• Information collected through our marketing website
• Information collected when you contact us directly
• Account and billing information

As data controller, we are responsible for ensuring your information is processed lawfully and in accordance with this Privacy Policy.

When We Are the Data Processor

We are a data processor (processing data on behalf of another party) for:

• End-user customer data that businesses store and manage using our platform
• Booking and appointment information entered by business customers about their clients
• Health and intake form information collected by businesses from their clients

When acting as a processor, the business using our platform is the data controller. They determine what information to collect and are responsible for having appropriate consent and legal basis. We process this information solely according to their instructions and to provide our Services.

Contacting the Right Party

If you are an end-user (customer of a business using Receptioner) and have questions about how your data is used, you should first contact the business directly. If the business is unable to assist, or if your inquiry relates to how we handle data as a processor, please contact us at support@receptionerapp.com.

7. WHO DO WE SHARE YOUR INFORMATION WITH?

In Short: We share information with third-party service providers who help us operate our platform, and in certain other limited circumstances.

Third-Party Service Providers

We use the following third-party services to operate our platform. These providers only have access to the information necessary to perform their specific functions:

App Store Providers

Our mobile applications are distributed through:

• Apple App Store - for iOS devices
• Google Play Store - for Android devices
• Microsoft Store - for Windows devices

These platforms may collect information about app downloads and usage in accordance with their own privacy policies.

Other Disclosures

We may also share your information in the following circumstances:

• Legal Requirements: When required by law, court order, or government request.
• Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or others.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
• With Your Consent: When you have given us explicit consent to share your information.

8. WHERE IS YOUR DATA STORED?

In Short: Your data is stored securely on servers in Australia and the European Union.

We use Amazon Web Services (AWS) to host our platform and store data. Your information is stored in the following regions:

• Australia (Sydney region) - Primary data storage for Australian and New Zealand users
• European Union (Stockholm region) - Redundant storage for data resilience and backup

International Data Transfers

Some of our third-party service providers (such as Sentry and New Relic) are based in the United States. When your information is transferred to these providers, we ensure appropriate safeguards are in place, including:

• Contractual obligations requiring the provider to protect your information
• Using providers that maintain appropriate security certifications
• Limiting the data shared to what is necessary for the service

Data Sovereignty

We understand the importance of data sovereignty for New Zealand and Australian users. Our primary platform data (including customer records, bookings, and health information) is stored within the Australia/EU regions and is not routinely transferred to other jurisdictions.

9. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We retain your information for as long as necessary to provide our Services and comply with legal obligations, with specific retention periods for different types of data.

Retention Periods

We retain different types of information for different periods:

• Active Account Data: Retained for as long as your account remains active and you continue to use our Services.
• Inactive Business Accounts: Business accounts and associated dynamic data (bookings, customer records, etc.) are deleted 3 months after the account becomes inactive.
• Documents and Files: PDF documents, signed forms, and uploaded files are retained indefinitely unless you request deletion, to ensure businesses can access historical records for compliance purposes.
• Transaction Records: Payment and billing records are retained for 7 years to comply with tax and accounting requirements in New Zealand and Australia.
• System Logs: Technical logs and error reports are typically retained for 90 days for troubleshooting and security purposes.

Deletion Requests

You can request deletion of your personal information at any time by contacting us. We will process your request in accordance with applicable law, though some information may need to be retained for legal or legitimate business purposes.

Data After Account Closure

When a business account is closed or becomes inactive:

• We notify the account holder before deletion occurs
• Active data is deleted after the 3-month inactive period
• Backup copies may be retained for a limited additional period for disaster recovery
• Once fully deleted, data cannot be recovered

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use industry-standard security measures to protect your personal information.

We take the security of your information seriously and have implemented appropriate technical and organisational measures to protect it, including:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256 encryption)
• Access Controls: Strict access controls limit who can access personal information within our organisation
• Secure Infrastructure: Our platform is hosted on AWS, which maintains industry-leading security certifications
• Regular Security Reviews: We regularly review and update our security practices
• Payment Security: Payment processing is handled by Stripe, which is PCI-DSS compliant

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at support@receptionerapp.com.

11. COOKIES AND TRACKING TECHNOLOGIES

In Short: We use cookies and similar technologies to improve your experience on our Services.

We use cookies and similar tracking technologies to collect and store information when you use our Services. Cookies are small text files stored on your device that help us:

• Remember your preferences and settings
• Understand how you use our Services
• Improve your experience
• Keep you logged in

Types of Cookies We Use

• Essential Cookies: Required for the platform to function properly (e.g., authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our Services so we can improve them

Managing Cookies

Most web browsers allow you to control cookies through their settings. However, disabling certain cookies may affect the functionality of our Services.

For more detailed information about our use of cookies, please see our Cookie Policy.

12. CHILDREN'S PRIVACY

In Short: Our Services are intended for users aged 18 and over. We do not knowingly collect information from children.

Receptioner is a business-to-business service designed for use by businesses and their adult customers. Our Services are not intended for children under 18 years of age, and we do not knowingly collect personal information from children.

To register a business account with Receptioner, you must be at least 18 years old. By using our Services, you represent that you meet this age requirement.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 18, please contact us at support@receptionerapp.com.

13. YOUR PRIVACY RIGHTS (NEW ZEALAND)

In Short: Under the New Zealand Privacy Act 2020, you have specific rights regarding your personal information.

If you are located in New Zealand, you have the following rights under the Privacy Act 2020:

Your Rights

• Right to Access: You can request access to the personal information we hold about you (Information Privacy Principle 6).
• Right to Correction: You can request that we correct any inaccurate or incomplete personal information (Information Privacy Principle 7).
• Right to Know: You can ask whether we hold personal information about you and how we use it.

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@receptionerapp.com. We will respond to your request within 20 working days, as required by the Privacy Act 2020.

We may need to verify your identity before processing your request. There is generally no fee for accessing your personal information, though we may charge a reasonable fee for requests that are manifestly unfounded or excessive.

Complaints

If you are not satisfied with how we handle your personal information or your privacy request, you have the right to lodge a complaint with the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10094, Wellington 6143
Phone: 0800 803 909
Website: www.privacy.org.nz

14. YOUR PRIVACY RIGHTS (AUSTRALIA)

In Short: If you are located in Australia, you have rights under the Privacy Act 1988 and Australian Privacy Principles (APPs).

If you are located in Australia, the following rights apply to you under the Privacy Act 1988:

Your Rights Under the Australian Privacy Principles

• Right to Access: You can request access to the personal information we hold about you (APP 12).
• Right to Correction: You can request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
• Right to Anonymity: Where practicable, you have the option to interact with us anonymously or using a pseudonym.
• Right to Know: You can ask us what personal information we hold about you and how we use it.

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@receptionerapp.com. We will respond to your request within 30 days, as required by the Privacy Act 1988.

Access to your personal information is generally provided free of charge, though we may charge a reasonable fee to cover administrative costs in some circumstances.

Complaints

If you believe we have breached the Australian Privacy Principles or are not satisfied with how we have handled your personal information, you can lodge a complaint with us first. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au

15. UPDATES TO THIS POLICY

In Short: We may update this policy from time to time to reflect changes in our practices or legal requirements.

We may update this Privacy Policy periodically to reflect:

• Changes to our Services or data practices
• Changes in applicable laws or regulations
• Feedback from users and regulators

When we make changes, we will update the "Last updated" date at the top of this policy. For significant changes, we may also notify you by email or through a notice on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

16. HOW TO CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Redium Limited
Trading as Receptioner
NZBN: 9429046707000
New Zealand

Email: support@receptionerapp.com

Website: https://receptionerapp.com/contact

Privacy Requests

For requests to access, correct, or delete your personal information, please email us at support@receptionerapp.com with the subject line "Privacy Request". Please include:

• Your name and contact details
• A description of your request
• Any information that will help us identify you in our systems

We will respond to your request within the timeframes required by applicable law (20 working days for New Zealand, 30 days for Australia).