ReceiptWave
Last updated: 24 March 2026

Privacy Policy

ReceiptWave Pty Ltd (ABN pending) ("ReceiptWave", "we", "us") operates a digital receipt platform that enables merchants to issue paperless receipts to consumers. This Privacy Policy explains how we collect, use, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).


1. Information We Collect

Merchant Business Information

When a business signs up for ReceiptWave, we collect:

  • Business name, ABN, and registered address
  • Contact name, email address, and phone number
  • Store locations and trading names
  • Payment and billing information (processed securely by Stripe)
  • POS system integration credentials

Receipt Transaction Data

When a receipt is generated through our platform, we process:

  • Transaction date, time, and amount
  • Line items, quantities, and prices
  • Payment method type (e.g. "Visa ending in 4242") — we do not store full card numbers
  • GST amounts and tax invoice details
  • Store location identifier

Consumer Data

ReceiptWave does not collect personal data from consumers without explicit opt-in. When a consumer taps an NFC tag or scans a QR code to view a receipt, we do not require registration, login, or any personal information. If a consumer chooses to save a receipt to their device or create an account, we collect only the information they explicitly provide (such as an email address).


2. How We Use Your Data

  • Receipt delivery: Generating and delivering digital receipts to consumers via NFC, QR code, or direct link
  • Business analytics: Providing merchants with transaction insights, sustainability metrics, and reporting dashboards
  • ATO GST compliance: Ensuring receipts meet Australian Taxation Office requirements for tax invoices and GST reporting
  • Billing and account management: Processing subscription payments and managing merchant accounts
  • Service improvement: Monitoring platform performance, troubleshooting issues, and improving our services
  • Legal compliance: Meeting our obligations under Australian law

3. Data Storage and Security

All ReceiptWave data is stored in Microsoft Azure's Australia East region (Sydney). We implement the following security measures:

  • HTTPS/TLS encryption for all data in transit
  • AES-256 encryption for data at rest
  • API key and JWT-based authentication
  • Role-based access controls for all user types
  • Regular security audits and vulnerability assessments
  • Rate limiting on authentication and sensitive endpoints

4. Merchant Data vs Consumer Data Separation

ReceiptWave maintains strict separation between merchant and consumer data:

  • Merchant data (business details, analytics, billing) is accessible only to authenticated merchant users and ReceiptWave administrators
  • Consumer receipt data is accessible only via unique, time-limited claim links and is not associated with any consumer identity unless the consumer explicitly opts in
  • Merchants cannot access consumer personal information through the ReceiptWave platform
  • Consumer receipt views do not set tracking cookies and do not track consumers across websites

5. Data Retention

  • Receipt data: Retained for 7 years from the transaction date to comply with ATO record-keeping requirements under the Taxation Administration Act 1953
  • Receipt claim links: Active for 48 hours after generation; receipt data remains accessible to the merchant for the retention period
  • Business accounts: Retained while the account is active; deleted within 30 days of account closure upon request
  • Consumer data: Deleted promptly upon request where no legal retention obligation applies
  • Audit and security logs: Retained for 90 days

6. Third-Party Service Providers

We share data only with the following service providers under appropriate data processing agreements:

  • Microsoft Azure (Sydney region) — cloud hosting, database, and storage
  • Stripe — payment processing for merchant subscriptions
  • Square, Shopify, Xero — POS and accounting integrations (only when connected by the merchant)
  • SendGrid — transactional email delivery
  • Sentry — error monitoring (anonymised data only)

We do not sell, rent, or trade personal information to any third party.


7. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you
  • Correct any inaccurate or incomplete information
  • Request deletion of your personal information (subject to legal retention requirements such as ATO compliance)
  • Withdraw consent for any optional data processing
  • Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC)

8. How to Request Data Deletion

To request deletion of your personal information, please email privacy@receiptwave.com.au with the subject line "Data Deletion Request". We will respond within 30 days. Please note that some data may need to be retained to comply with ATO record-keeping requirements (7-year retention for tax records).


9. Cookies and Tracking

Our merchant portal uses essential cookies for authentication and session management only. We do not use advertising cookies, third-party tracking pixels, or analytics trackers.

Anonymous Device Tokens

When you view a digital receipt, we generate and store a random anonymous device token in your browser's local storage. This token contains no personal information — it is a randomly generated identifier (UUID) that cannot be linked to your identity, name, email, or any other personal data.

We use these anonymous tokens solely to provide merchants with aggregate repeat-visit analytics (e.g. "40% of receipt viewers are returning customers"). No individual browsing history or personal data is collected or shared.

You can clear this token at any time by clearing your browser's local storage or site data for this website. The token key is rw_device_token.

10. Children's Privacy

ReceiptWave is a business-to-business service and is not directed at children under 16. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered merchant users. The "last updated" date at the top of this page indicates the most recent revision.


12. Governing Law

This Privacy Policy is governed by the Privacy Act 1988 (Cth) and the laws of New South Wales, Australia. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of New South Wales.

13. Contact Us

For privacy enquiries, data access requests, or complaints:

  • Email: privacy@receiptwave.com.au
  • Security issues: security@receiptwave.com.au

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.

© 2026 ReceiptWave Pty Ltd — New South Wales, Australia