TableMate Privacy Policy
This document is a draft. Lawyer review is recommended before public launch.
This Privacy Policy is prepared in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). It explains how TableMate collects, uses, stores, and discloses your personal information.
1. What We Collect (APP 3 — Collection of solicited personal information)
To make the App function, we collect the following information:
- Registration information: mobile number or email, password hash, date of birth, display name, preferred language.
- Profile: avatar and profile bio (the bio is optional).
- Location data: only after you have granted permission, and only to display nearby meetups. Location is not persisted server-side; it is used on the client device only.
- Meetup data: information about meetups you create or join, RSVP messages, and host approval decisions.
- Reviews: star ratings, comments, and tags you give and receive.
- Device information: push token, device type (iOS / Android), App version.
- Usage logs: sign-in times and error logs (used for troubleshooting). We do not perform behavioural tracking.
We do not collect: KYC identity-verification data (unless you voluntarily verify), bank-account details, credit-card details, IP addresses for advertising profiling, biometric data, or chat-message content (the Platform does not currently offer private messaging).
2. How We Use Your Information (APP 6 — Use or disclosure)
- To provide the App's core features (creating meetups, RSVP, map).
- To send you push or email notifications about important events (your application has been reviewed; a meetup is about to start).
- To prevent fraud, abuse, and spam.
- To improve the product (aggregated, anonymised statistics that do not identify individuals).
- To comply with legal obligations or compliance requirements.
We do not sell your data to third parties for advertising, and we do not share it with unrelated parties.
3. Where We Store Your Data (APP 8 — Cross-border disclosure)
Your data is stored primarily in the Supabase Sydney, Australia region (ap-southeast-2). Backups may briefly transit to other regions but are archived and purged within 30 days.
This means your data is not transferred cross-border to mainland China, the continental United States, or other regions, except where you actively use a feature provided by a third-party service based outside Australia (see Section 4 below).
4. Third-Party Services We Use (APP 8)
- Supabase (backend, authentication, database, storage) — Australian data centre.
- Mapbox (map rendering, address autocomplete) — based in the United States; your address-search queries are sent to Mapbox's servers. Mapbox Privacy Policy: https://www.mapbox.com/legal/privacy
- Twilio (SMS verification codes, when enabled) — based in the United States. We transmit only your mobile number and the verification code.
- Apple / Expo (push notifications) — we transmit only the push token and the notification text.
5. Your Rights (APP 12 — Access; APP 13 — Correction)
You may at any time:
- Access your data (review it inside the App's profile section, or request a complete copy by email).
- Correct inaccurate information in your profile (via "Settings → Account Profile").
- Delete your account ("Settings → Account Actions → Delete Account", or by email request). Data is removed from the primary database within 30 days.
- Withdraw consent (turn off notification or location permissions in iOS system settings).
- Lodge a complaint: if you believe we have breached your privacy, you may complain to the Office of the Australian Information Commissioner (OAIC).
6. Data Retention
Unless required by law, our general approach is:
- Active accounts: data is retained while the account is active.
- Closed accounts: removed from the primary database within 30 days; backups purged within 90 days.
- Completed meetups: retained for 12 months after the meetup ends, to support reviews and dispute resolution; thereafter archived and de-identified.
- Self-exclusion records: must be retained for the duration of the exclusion period (compliance), and retained for a further 90 days before archival.
- Abuse-report records: may be retained long-term in de-identified form for safety investigations.
7. Security Measures (APP 11 — Security of personal information)
- HTTPS / TLS 1.2+ encryption in transit, end to end.
- Database Row-Level Security: every SQL query verifies that the caller may only access data they are authorised to see.
- Passwords are stored as one-way bcrypt hashes; the server never stores plaintext passwords.
- Server-side administrative credentials follow the principle of least privilege and are accessible only to the operator.
8. Minors
The Platform is for users aged 18 or older only. We enforce date-of-birth verification at registration, and the database has a hard constraint on the minimum birth year. If we discover an account belonging to a minor, we will delete it immediately and notify a guardian where contact details are available.
9. Cookies / Local Storage
The App uses on-device storage (AsyncStorage, SecureStore) to keep:
- Your login session token (so you stay signed in next time).
- A cached last-known coordinate (so the map starts faster).
- Your preferred language.
This data is stored only on your device and is not uploaded. It is removed when you uninstall the App.
10. Changes to This Policy
Material changes to our privacy practices will be notified to you via in-app notification and email at least 7 days in advance.
11. Privacy Contact
For data requests, complaints, or any privacy question:
If you are not satisfied with our response, you may lodge a complaint with the OAIC:
https://www.oaic.gov.au/privacy/privacy-complaints