Privacy Policy
Last Updated: 22 May 2026
This Privacy Policy explains how Crowdify Pty Ltd (ABN 47 692 719 305) collects, uses, holds, discloses, and protects your personal information when you use our website, mobile applications, and related services (the “Platform”). Crowdify is committed to handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1
About this Policy
This Privacy Policy explains how Crowdify Pty Ltd (ABN 47 692 719 305) ("Crowdify", "we", "us", "our") collects, uses, holds, discloses, and protects your personal information when you use our website, mobile applications, and related services (the "Platform").
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in Schedule 1 to that Act. We are committed to handling your personal information in accordance with the Privacy Act, the Notifiable Data Breaches scheme, the Spam Act 2003 (Cth), and other applicable Australian law.
This policy applies whether you use the Platform through the web, our iOS app, or our Android app. By using the Platform, you confirm that you have read and understood this policy.
2
Personal Information We Collect
Account information you provide:
• Full name and display name
• Email address
• Phone number (where you choose to provide one or where required to make a contribution)
• Date of birth (to confirm you are 18 or over and for age-restricted Events)
• Password (stored as a salted hash by Supabase Auth; we never see your plaintext password)
• Profile photo, bio, website, and social media handles
• Address details (only where required for tax or vendor purposes; not collected from ordinary Attendees)
Event and community data:
• Events you create, attend, contribute to, or interact with
• Communities you create, join, post to, or interact with
• Direct messages and community posts you send through the Platform
• Comments, reactions, and other interactions
Payment information:
• Last four digits of your card, card brand, country, expiry, and Stripe customer/payment-intent identifiers (Crowdify receives this metadata from Stripe)
• Full card number, CVV, and authentication data are collected directly by Stripe via Stripe Elements / Stripe Checkout and are not transmitted to or stored on Crowdify servers
• For Organisers receiving payouts: name on bank account, country, last four digits of bank account, and Stripe Connect account identifiers (full bank-account details and identity documents are collected and held by Stripe under its own privacy policy)
Location information:
• Event locations you provide when creating Events
• Where you grant the in-app "Near me" permission, your approximate location (city / region) to surface nearby Events
• IP address (used for fraud prevention and service operation; geolocated to country only)
Device and usage information:
• Device type, operating system, browser type, and language
• IP address
• Pages visited, features used, and interactions on the Platform
• Crash reports and performance data
• Mobile push notification token (where you have granted permission)
Anti-fraud information:
• Device fingerprint / "visitor ID" generated by FingerprintJS Pro (see section 5)
Communications:
• Emails to and from our support team
• Records of in-app reports, complaints, and moderation actions
Identity information for Organisers:
• Where you onboard as an Organiser, Stripe collects identity-verification documents (such as government-issued photo ID, address, and date of birth) directly through Stripe Connect Express onboarding for AML/KYC purposes. Crowdify does not see, store, or process these identity documents — they are held by Stripe Payments Australia Pty Ltd under Stripe's privacy policy.
3
How We Use Your Personal Information
We use your personal information for the following purposes:
To provide the Platform:
• create and manage your Account
• facilitate Event creation, discovery, ticketing, and attendance
• process payments and payouts through Stripe
• operate community features and direct messaging
• issue receipts, refunds, and tax records
To communicate with you:
• send transactional emails and in-app notifications (ticket confirmations, Event updates, payout notifications, refund alerts, security alerts, policy changes)
• send mobile push notifications (transactional and, where you have opted in, occasional service marketing)
• respond to support enquiries
• send marketing communications only where you have opted in
To protect the Platform:
• detect, investigate, and prevent fraud, abuse, scalping, multi-account abuse, and money laundering
• maintain the Crowdify trust system, which scores Organisers based on their delivery history (see section 9 for the lawful basis and section 12 for your rights to query a score)
• enforce these Terms and our other policies
• comply with our legal and regulatory obligations under Australian law
To improve the Platform:
• analyse aggregate usage to identify what's working, find bugs, and prioritise development
• run product analytics using PostHog (events only — no session replay; see section 5)
Lawful bases for processing under the Privacy Act and APPs:
• Performance of contract (your use of the Platform)
• Compliance with legal obligation (tax, AML/CTF, court orders)
• Our legitimate interests (fraud prevention, platform security, product improvement)
• Your consent (marketing communications, optional location, optional push notifications)
Where you withdraw a consent, we will stop the corresponding processing as soon as reasonably possible.
4
How We Share Your Personal Information
We do not sell your personal information. We share personal information only as described below.
With Event Organisers: When you purchase a ticket or contribute to an Event, the Organiser receives your name, email address, and any answers you provided to the Organiser's buyer questions. This is the minimum information they need to manage attendance. Organisers must not use this information for any purpose beyond Event management unless you give them clear, specific consent (for example by ticking the Organiser's own marketing checkbox). The Organiser Agreement binds Organisers to comply with the Privacy Act and Spam Act in respect of any communications they send you.
With other Users (where you choose to interact):
• Your public profile (display name, profile photo, bio, host badge) is visible to other Users
• Posts, comments, and reactions in public communities are visible to other community members
• Direct messages are visible to the recipient
With Service Providers (subprocessors) — listed in section 5.
For legal compliance:
• Where required by Australian law, regulation, court order, subpoena, search warrant, or other lawful demand
• Where we reasonably believe disclosure is necessary to protect the safety of any person, prevent fraud or other illegal activity, or defend our legal rights
• Where required to cooperate with regulators (including the OAIC, ACCC, ATO, AUSTRAC, and eSafety Commissioner)
In a business transfer: If Crowdify is involved in a merger, acquisition, sale of assets, or similar transaction, personal information may be transferred as part of that transaction. We will notify you and any relevant regulator if your personal information is involved in such a transfer.
5
Subprocessors
We use the following subprocessors to operate the Platform. Each subprocessor is bound by a written agreement (or its published equivalent) and is required to keep your personal information confidential and to use it only for the purposes for which we disclose it.
Infrastructure and hosting:
• Vercel Inc. (United States) — hosting and content delivery for the Crowdify web application
• Supabase Inc. (United States, with data residency in the AWS ap-southeast-2 Sydney region by default) — managed database, authentication, file storage, and realtime services
Payment processing:
• Stripe Payments Australia Pty Ltd (Australia, with infrastructure in the United States and Ireland) — card processing, payouts, identity verification for Organisers under AFSL #500105; PCI-DSS Level 1 certified
Email:
• Sendinblue SAS, trading as Brevo (France / European Union, with infrastructure also in Germany) — transactional and (where consented) marketing email delivery
Anti-fraud and identity:
• FingerprintJS, Inc. (United States) — device and browser fingerprinting for fraud prevention. The "visitor ID" we receive is a pseudonymous identifier used to detect multi-account abuse, self-funding of Crowdfunded Events, and other forms of payment fraud. We treat the visitor ID as personal information.
• Twilio Inc. (United States) — phone-number lookup and validation when you add or verify a phone number; SMS one-time-codes where applicable
Analytics:
• PostHog Inc. (United States and European Union) — product analytics. We use PostHog for events and pageview analytics only. Session replay is disabled. PostHog does not receive your password, card data, or government-issued ID.
Mobile push notifications:
• Apple Push Notification Service ("APNs", Apple Inc., United States) — delivery of push notifications to the iOS app
• Firebase Cloud Messaging ("FCM", Google LLC, United States) — delivery of push notifications to the Android app
Authentication and account-recovery emails:
• Routed via Supabase Auth and Brevo as above
We maintain a complete and up-to-date list of subprocessors at https://crowdify.com.au/subprocessors. We will notify you of material changes to this list with reasonable notice.
6
Card Data and Payment Processing
When you make a payment, your full card number, expiry, and CVV are collected directly by Stripe via Stripe Elements / Stripe Checkout running in your browser or app. This card data is never transmitted to or stored by Crowdify. We receive from Stripe limited transaction metadata:
• the last four digits of your card, card brand, expiry, and country
• whether the transaction succeeded, failed, was declined, or was refunded
• Stripe customer, PaymentIntent, and transfer identifiers
Stripe is the regulated payment service provider (AFSL #500105) and is PCI-DSS Level 1 certified. Stripe processes payment information both as our processor and as an independent controller for fraud prevention and regulatory reporting under its own privacy policy at https://stripe.com/privacy.
Card statements for Crowdify transactions display a "CROWDIFY" prefixed descriptor. Crowdify is the merchant of record for all paid Event transactions.
For Crowdfunded Events, your card is pre-authorised (a temporary hold) but not charged until the Event reaches its funding goal. The hold typically lasts up to 7 days under card scheme rules. If the goal is not reached, the hold is released automatically. See the Refund Policy for full mechanics.
7
Cookies and Similar Technologies
We use cookies and similar storage technologies to:
• keep you logged in (essential session cookies)
• protect against cross-site request forgery and other attacks
• remember your settings and preferences
• understand aggregate usage of the Platform (analytics, where you have not opted out)
Categories:
• Strictly necessary cookies — always on; required to operate the Platform
• Functional cookies — preferences such as cookie consent state and UI settings
• Analytics cookies — set by PostHog where you have consented; you can opt out via the cookie banner or at any time in the footer "Cookie Settings"
We do not use third-party advertising cookies and we do not participate in any cross-site advertising network. A full Cookie Policy is available at https://crowdify.com.au/cookie-policy.
Browser settings can be used to refuse cookies, but disabling essential cookies will prevent the Platform from functioning correctly.
8
Marketing Communications
We comply with the Spam Act 2003 (Cth) and the Australian Privacy Principles in respect of all marketing communications.
We will only send you marketing communications (event recommendations, newsletters, promotional offers, feature announcements that are not security-related) where:
• you have ticked the "Send me Crowdify updates" checkbox during signup or in your Account settings, or
• you are an Organiser and we are contacting you about platform updates relevant to your operations (a soft "inferred consent" relationship under the Spam Act, which you may opt out of at any time)
Every marketing message will:
• identify Crowdify as the sender (with our ABN)
• include a working unsubscribe link
• be honoured within 5 business days of an unsubscribe request
You may withdraw marketing consent at any time without affecting any other use of the Platform.
Transactional and security-related communications (ticket confirmations, refund notifications, Event updates from Organisers you have a ticket with, payout notifications, password resets, breach notifications, policy changes) are not marketing and cannot be opted out of while you have an active Account.
9
Anti-Fraud and the Crowdify Trust System
Crowdify operates a number of anti-fraud and platform-integrity measures, each of which involves processing personal information for a legitimate-interest purpose.
Device fingerprinting (FingerprintJS Pro):
• We generate a pseudonymous device/browser identifier (the "visitor ID") when you use the Platform
• We use the visitor ID to detect duplicate accounts, prevent self-funding of Crowdfunded Events, and identify coordinated abuse
• The visitor ID is treated as personal information and is held for as long as the underlying Account exists, plus retention periods set out in section 14
• Because fingerprinting is a security measure, it cannot be turned off through the cookie banner — but the data is not used for advertising, sold, or shared with marketing partners
Trust system:
• Organisers are assigned a tier (New Host, Trusted Host, or Top Host) based on their delivery history, identity verification status, dispute history, and other signals
• Some inputs are visible to the Organiser on a transparency page at /account/trust
• Some inputs (raw trust score, specific weights, chargeback counts) are not publicly disclosed to reduce gaming
• A negative trust outcome (for example, suspension of payouts or tier demotion) may be appealed by emailing privacy@crowdify.com.au; we will explain the basis of the decision and review on request
Manual review:
• Where automated signals flag an Account for review, a Crowdify staff member may manually examine the relevant transactions, communications, and metadata
• We do not make solely automated decisions that have a legal or similarly significant effect without a human in the loop
You have the right to request access to the personal information we hold about you in the trust system and to request correction of inaccurate inputs — see section 12.
10
Mobile Apps and Push Notifications
Our iOS and Android applications collect certain information that is specific to mobile devices:
• Approximate device location (only when you grant the in-app location permission, used for "Near me" Event discovery; we never store precise GPS coordinates)
• Push-notification tokens (collected only after you grant the operating-system push permission)
• Device identifiers (Android Advertising ID, iOS Identifier-for-Vendor; we do not use them for advertising)
• Crash reports and performance telemetry
Push notifications:
• Transactional push notifications (ticket reminders, Event updates from Organisers, security alerts) are sent based on your active Account
• Marketing push notifications (event recommendations, newsletters, feature announcements) are sent only where you have opted in to marketing push, separately from email marketing
• You can disable all push notifications via your device's operating-system settings, or fine-tune them in the Crowdify Account settings
iOS Privacy Manifest: The Crowdify iOS application ships with a Privacy Manifest declaring the data types we collect and the required-reason APIs we (or our third-party SDKs) use. The manifest is published as part of the app binary and can be inspected in the App Store privacy nutrition label.
Google Play Data Safety: The Crowdify Android application's Data Safety form on Google Play discloses all data types we collect, the purposes for collection, and whether data is shared with third parties.
11
International Data Transfers
Some of our subprocessors are based in jurisdictions outside Australia (see section 5). In particular, personal information may be transferred to or processed in:
• The United States (Vercel, Stripe, FingerprintJS, Twilio, PostHog, APNs, FCM)
• The European Union and the United Kingdom (Brevo)
• Other jurisdictions where these providers operate data centres
Before transferring personal information overseas, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information. Where APP 8 applies, we rely on the recipient's published privacy program, contractual commitments, and (where available) certifications such as PCI-DSS, SOC 2, or ISO 27001.
You consent to these international transfers by using the Platform. By using a third-party service that transmits payment data to Stripe (in the United States and Ireland), you also consent to that transfer.
Where we receive a data-rights request from a person ordinarily resident outside Australia (for example a person who has used a VPN to access the Platform), we will respond as a courtesy on the same terms as for Australian residents. The Platform is not held out as compliant with the GDPR, UK GDPR, CCPA/CPRA, or any other non-Australian regime, and Crowdify has not appointed an EU representative under Article 27 of the GDPR.
12
Your Rights
Under the Privacy Act 1988 and the Australian Privacy Principles, you have the following rights.
Right to access: You may request a copy of the personal information we hold about you. We will normally respond within 30 days. The first such request in any 12-month period is free; we may charge a reasonable cost-recovery fee for repeated or unusually broad requests.
Right to correction: You may request that we correct any inaccurate, incomplete, or out-of-date personal information. Most personal information can be updated directly from your Account settings.
Right to deletion: You may delete your Account at any time through your Account settings or by emailing privacy@crowdify.com.au. When you delete your Account:
• Your profile, posts, comments, direct messages, and other User-generated content are anonymised (the content remains visible to other Users who interacted with it, but your name is replaced with "deleted user")
• Personal information that is no longer needed is deleted within 30 days
• Some personal information must be retained — see section 14
• Some integrations (for example, your record in Brevo) will be suppressed rather than deleted, to comply with the Spam Act unsubscribe-suppression rule
Right to withdraw consent: You may withdraw any consent you have given at any time. Withdrawing marketing consent does not affect your active Account; we will continue to send you transactional messages.
Right to complain: You may complain about any aspect of our handling of your personal information by emailing privacy@crowdify.com.au. We will acknowledge your complaint within 2 business days and respond substantively within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au or call 1300 363 992.
Right to data portability: You may request a copy of your personal information in a commonly used electronic format (CSV or JSON). We will provide this within 30 days where reasonably possible.
To exercise any of these rights, email privacy@crowdify.com.au.
Courtesy data-subject rights for users outside Australia: Where you are ordinarily resident in the European Union, United Kingdom, California, or another jurisdiction with statutory data-subject rights, we will respond to lawful access, correction, deletion, restriction, objection, and portability requests on the same terms as Australian residents. This is provided as a courtesy and does not amount to a representation that we are formally compliant with non-Australian privacy regimes.
13
Children’s Privacy
The Platform is intended for adults aged 18 and over. We do not knowingly collect personal information from any person under the age of 18. We use a neutral date-of-birth check at signup, and accounts that present a date of birth indicating the holder is under 18 are blocked from completing registration. If we become aware that we have collected personal information from a person under 18 without the consent of a parent or guardian, we will delete that information within 30 days unless retention is required by law. If you believe we hold personal information about a person under 18, please notify us at privacy@crowdify.com.au. This service is not directed at users in any jurisdiction that has separate child-online-privacy regimes (including COPPA in the United States and the UK Age Appropriate Design Code), and is not designed for users under 18 in any jurisdiction.
14
Data Retention
We retain personal information for as long as necessary to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:
Active Accounts:
• personal information held while your Account is active and for the immediately preceding rolling year
After Account deletion:
• Profile information, photos, bio, social links — anonymised or deleted within 30 days
• User-generated content (posts, comments, DMs) — author-anonymised; content retained where other Users have interacted with it
• Marketing-suppression records — retained until you re-subscribe or for as long as required by the Spam Act
• Authentication records — deleted within 30 days
Retained for legal and financial purposes:
• Ticket purchase, contribution, payout, and refund records — retained for 7 years (Australian Tax Office record-keeping requirements under s 262A of the Income Tax Assessment Act 1936 and the GST Act; PCI-DSS payment audit support)
• Payment ledger and payout ledger entries — retained for 7 years
• Anti-fraud / abuse logs (including bans, fraud flags, manual review notes, device fingerprints associated with banned accounts) — retained for 7 years to prevent ban evasion; longer where required by law
Anonymised and aggregated data:
• Statistics and trends that do not identify any individual may be retained indefinitely
Backups:
• Encrypted backups may include copies of recently-deleted personal information; backups are rotated on a defined schedule and personal information is removed from the live system promptly even where it persists temporarily in backup
15
Data Security
We take reasonable steps to protect your personal information against loss, unauthorised access, modification, and disclosure. These steps include:
• encrypted connections (TLS/HTTPS) across all Platform communications
• salted password hashing via Supabase Auth (we never see your plaintext password)
• row-level security policies on our database
• server-side authorisation checks on every protected API route
• multi-factor authentication on staff administrative access
• least-privilege access controls; access to production data is limited to staff members who need it
• regular updates to platform dependencies and infrastructure
No system is perfectly secure. We cannot guarantee absolute security of any information transmitted to or from the Platform.
Notifiable Data Breaches: If we become aware of a data breach that is likely to result in serious harm to an individual whose personal information is involved, we will notify the individuals and the OAIC as required by Part IIIC of the Privacy Act 1988. We will do so as soon as practicable after the breach is confirmed.
16
Third-Party Links
The Platform may contain links to third-party websites, applications, or services (including Stripe Connect onboarding, the websites of Organisers, third-party event venues, social media platforms, and others). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before sharing personal information with them.
Key third-party privacy policies relevant to your Crowdify experience:
• Stripe — https://stripe.com/privacy
• Supabase — https://supabase.com/privacy
• Vercel — https://vercel.com/legal/privacy-policy
• Brevo — https://www.brevo.com/legal/privacypolicy/
• FingerprintJS — https://fingerprint.com/privacy/
• Twilio — https://www.twilio.com/legal/privacy
• PostHog — https://posthog.com/privacy
• Apple (APNs) — https://www.apple.com/legal/privacy/
• Google (FCM, Play) — https://policies.google.com/privacy
17
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. Where the change is material (including a change in the categories of personal information we collect, the purposes for which we use it, or the subprocessors we share it with), we will:
• notify you by email at least 14 days before the change takes effect, or
• post a prominent notice on the Platform at least 14 days before the change takes effect
Minor non-material changes (typos, clarifications, link updates) may be made without notice. The "Last Updated" date at the top of this Policy will be revised in either case.
Continuing to use the Platform after a change is published is acceptance of the updated Policy. If you do not agree with a change, you may delete your Account before it takes effect.
18
Contact
For all privacy-related enquiries, data-rights requests, complaints, or notice of a suspected breach:
Crowdify Pty Ltd
ABN 47 692 719 305
Email: privacy@crowdify.com.au
For complaints that are not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner:
Website: https://www.oaic.gov.au
Phone: 1300 363 992
Postal: GPO Box 5288, Sydney NSW 2001