Subhood

Privacy Policy

Last updated: 1 June 2026

1. Who we are

Jaivika Innovations Pty Ltd (trading as Subhood) ("Subhood", "we", "us") operates the Subhood mobile app and website at subhood.com.au. We are committed to protecting your personal information and complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What we collect

We collect only what we need to operate the service:

  • Customers: email address and name only.
  • Vendors: email address, business name, ABN, business address, phone number.
  • Usage data: QR scan events (timestamp, GPS coordinates, vendor ID) and loyalty card state.

We do not collect payment card details — all payments are processed by Stripe.

3. How we use it

  • To operate the loyalty stamp system and deals feed.
  • To send you one-time login codes (OTP) via email, SMS (for mobile numbers), or automated voice call (for landline numbers).
  • To verify vendor businesses via the Australian Business Register.
  • To detect fraudulent scan patterns and protect the platform.

4. How we store and protect it

All data is stored on AWS servers in Sydney, Australia (ap-southeast-2 region). Data is encrypted at rest (AWS KMS) and in transit (TLS). We use AWS Secrets Manager to protect all credentials — no passwords or API keys are stored in application code.

5. Sharing your data

We do not sell your personal information. We share data only with:

  • Stripe (payment processing) — vendor billing only
  • AWS (cloud infrastructure)
  • Resend (transactional email delivery)
  • Amazon Web Services Simple Notification Service (AWS SNS) — used to deliver SMS OTP codes to mobile phone numbers in Australia.
  • Amazon Pinpoint SMS Voice V2 — used to deliver voice OTP calls to landline phone numbers in Australia.
  • Firebase (push notifications)

6. Your rights

  • Access (APP 12): Tap Profile → Request my data in the app. We'll email a secure download link to the address on file. The link is valid for 7 days and downloads a machine-readable JSON file containing your profile, loyalty cards and stamp history, scan history, promotion redemptions, referrals, and any reports you've filed. Identity is verified via your inbox — anyone who can read the email can access the link, so treat the link like a password and don't forward it. Need an alternate format? Email support@subhood.com.au and we'll respond within 30 days as required by the Privacy Act.
  • Correction (APP 13): Update your name or suburb in Profile. For other corrections, contact support.
  • Deletion (APP 11.2): Profile → Delete my account. We confirm via a 6-digit code sent to your email. After confirmation your account is soft-deleted and enters a 30-day grace period — sign back in during that window to cancel. After 30 days a daily job hard-deletes personal information.
    What we retain after deletion (Australian law mandates this):
    • Scan/visit transaction records — 5 years (Australian Taxation Office record-keeping rule). User reference replaced with a one-way tombstone hash; no personal information recoverable.
    • Billing & payment receipts — 7 years (Corporations Act 2001).
    • De-identified audit-log events — for breach forensics under the NDB scheme.
  • Loyalty cards: You can remove individual cards from My Cards at any time without deleting your account. Cards with no stamps are removed immediately. Cards with progress are archived — your stamps are preserved so you can re-follow the program later without losing them. Use Delete my account if you want everything gone.

7. Notifiable Data Breaches

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days as required by law.

8. Contact us

For privacy enquiries: support@subhood.com.au