Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, disclose, and safeguard your information when you use the Lodgekit platform.

Effective Date: 27 January 2026 · Last Updated: 27 January 2026

We are committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

For users in the European Economic Area, we also comply with the General Data Protection Regulation (GDPR). Your data rights are outlined in Section 7.

1.1 Lodgekit Ltd ("Company", "we", "us", or "our") operates the Lodgekit platform (the "Service"), a Software-as-a-Service property management solution for student accommodation and room rental management.

1.2 This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our platform, or otherwise interact with us.

1.3 We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained therein. For users in the European Economic Area (EEA), we also comply with the General Data Protection Regulation (EU) 2016/679 (GDPR).

1.4 By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the data practices described, you should not use the Service.

1.5 For the purposes of the GDPR, Lodgekit Ltd is the data controller of the personal information we collect. For information on our role as a data processor (when processing data on behalf of our customers), please see Section 4.

2.1 Personal Information You Provide. When you register for an account or use our Service, we may collect the following personal information:

  • Identity Data: Full name, job title, company name
  • Contact Data: Email address, phone number, postal address
  • Account Data: Username, password (stored in hashed form), account preferences
  • Financial Data: Billing address, payment card details (processed and stored by Stripe; we do not store full card numbers)
  • Transaction Data: Subscription history, payment records, invoices
  • Property Data: Room listings, rental rates, property details that you enter into the platform
  • Guest/Tenant Data: Information about your guests or tenants that you enter into the platform (name, contact details, booking records, payment history)

2.2 Information Collected Automatically. When you access the Service, we automatically collect certain information, including:

  • Usage Data: Pages viewed, features used, actions taken, time spent on pages, click patterns
  • Device Data: Device type, operating system, browser type and version, screen resolution
  • Network Data: IP address, internet service provider, approximate geographic location
  • Log Data: Access times, error logs, referring URLs, pages viewed before and after visiting our Service

2.3 Cookies and Similar Technologies. We use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing activity. See Section 8 for more details on our use of cookies.

2.4 Information from Third Parties. We may receive information about you from third-party services you connect to our platform, including:

  • Accounting data from Xero or MYOB when you enable these integrations
  • Payment confirmation data from Stripe or GoCardless
  • Authentication data if you sign in using a third-party provider

3.1 We use the information we collect for the following purposes:

3.1.1 Service Delivery

  • To create and manage your account
  • To provide and maintain the Service
  • To process transactions and send related information (e.g., invoices, receipts)
  • To enable integrations with third-party services you connect

3.1.2 Communication

  • To respond to your enquiries and support requests
  • To send you service-related notices, updates, and security alerts
  • To send you marketing communications (with your consent, where required)

3.1.3 Improvement and Analytics

  • To analyse usage patterns and improve the Service
  • To monitor and prevent technical issues
  • To develop new features and functionality
  • To conduct research and analysis for business planning

3.1.4 Legal and Compliance

  • To comply with legal obligations and regulatory requirements
  • To enforce our Terms of Service and other agreements
  • To protect our rights, privacy, safety, or property
  • To detect, prevent, and address fraud or security issues

3.2 Legal Bases for Processing (GDPR). For users in the EEA, our legal bases for processing personal data include:

  • Contract: Processing necessary for the performance of our contract with you (providing the Service)
  • Consent: Where you have given explicit consent (e.g., marketing emails)
  • Legitimate Interest: Processing necessary for our legitimate interests (e.g., analytics, security, fraud prevention)
  • Legal Obligation: Processing necessary to comply with applicable laws

4.1 We do not sell your personal information to third parties. We may share your information in the following circumstances:

4.2 Service Providers. We share data with third-party service providers who assist us in operating our Service:

| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, payment card details, transaction amounts |
| GoCardless | Direct debit payments | Name, email, bank account details, transaction amounts |
| Xero | Accounting integration | Invoice data, contact information, financial records |
| MYOB | Accounting integration | Invoice data, contact information, financial records |
| Sentry | Error monitoring and performance | Technical error data, user identifiers, device information |

4.3 Data Processor Role. When our customers input their guest or tenant data into the platform, we act as a data processor on their behalf. Our customers remain the data controllers for this data and are responsible for obtaining appropriate consents from their guests and tenants.

4.4 Legal Requirements. We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

  • Comply with a legal obligation, court order, or government request
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users or the public

4.5 Business Transfers. If we are involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

4.6 Aggregated Data. We may share aggregated, de-identified information that cannot reasonably be used to identify you, for industry analysis, benchmarking, marketing, and other business purposes.

5.1 We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

5.2 Retention Periods. The following general retention periods apply:

  • Account Data: Retained for the duration of your account and for 30 days after account deletion to allow data export
  • Transaction Data: Retained for 7 years after the transaction date, as required by Australian tax law
  • Usage Data: Retained for 24 months in identifiable form, then aggregated and anonymised
  • Support Correspondence: Retained for 3 years after the date of the last communication
  • Marketing Preferences: Retained until you withdraw consent or delete your account
  • Cookie Data: Retention periods vary by cookie type (see Section 8)

5.3 When the retention period expires, we will securely delete or anonymise your personal information so that it can no longer be associated with you.

5.4 In some cases, we may retain certain data for longer periods where required by law (such as for tax, legal, or regulatory purposes) or where necessary to resolve disputes or enforce our agreements.

6.1 We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

6.2 Our security measures include:

  • Encryption: All data in transit is encrypted using TLS 1.3. Sensitive data at rest is encrypted using AES-256
  • Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege
  • Infrastructure: Hosted on secure Australian cloud infrastructure with industry-standard security controls
  • Monitoring: Continuous security monitoring, intrusion detection, and vulnerability scanning
  • Employee Training: Regular security awareness training for all staff who handle personal data
  • Incident Response: Documented incident response procedures with defined notification timelines

6.3 While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

6.4 Breach Notification. In the event of a data breach that is likely to result in serious harm to individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme. For EEA users, we will notify the relevant supervisory authority within 72 hours as required by the GDPR.

7.1 Australian Privacy Act Rights. Under the Australian Privacy Act 1988, you have the right to:

  • Access: Request access to the personal information we hold about you
  • Correction: Request correction of any inaccurate or incomplete personal information
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached your privacy

7.2 GDPR Rights (EEA Users). If you are located in the European Economic Area, you have additional rights under the GDPR, including:

  • Right of Access: Obtain confirmation of whether your personal data is being processed and, if so, access to that data
  • Right to Rectification: Have inaccurate personal data corrected
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances
  • Right to Restriction: Request restriction of processing under certain circumstances
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection authority

7.3 Exercising Your Rights. To exercise any of these rights, please contact our Data Protection Officer at privacy@lodgekit.com. We will respond to your request within 30 days (or within the time period required by applicable law).

7.4 Identity Verification. We may request specific information from you to confirm your identity before processing your request. This is to ensure that personal data is not disclosed to unauthorised persons.

7.5 No Fee Usually Required. You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

8.1 We use cookies and similar tracking technologies to collect and track information about your activity on our Service.

8.2 Types of Cookies We Use:

| Category | Purpose | Duration |
|---|---|---|
| Essential | Required for core functionality (authentication, security, session management) | Session / up to 1 year |
| Functional | Remember preferences and settings (language, theme, layout) | Up to 1 year |
| Analytics | Understand how visitors interact with the Service (page views, feature usage) | Up to 2 years |
| Performance | Monitor application performance, identify errors (Sentry) | Up to 1 year |

8.3 Managing Cookies. You can control and manage cookies in several ways:

  • Cookie Consent Banner: Use our cookie consent banner to accept or reject non-essential cookies
  • Browser Settings: Most browsers allow you to block or delete cookies through their settings
  • Opt-Out Links: Some third-party services provide their own opt-out mechanisms

Please note that blocking essential cookies may affect the functionality of the Service.

8.4 Do Not Track. We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for how to interpret such signals. We will update this policy if a standard is established.

8.5 Local Storage. In addition to cookies, we may use HTML5 local storage to store certain preferences and data on your device for performance and functionality purposes.

9.1 Our Service is not directed to individuals under the age of 18 ("Children"). We do not knowingly collect personal information from children.

9.2 If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us at privacy@lodgekit.com. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to remove that information from our servers.

9.3 While our platform may be used to manage student accommodation, account holders must be at least 18 years of age. Tenant or guest records for minors may only be entered by an authorised adult with appropriate parental or guardian consent.

10.1 Lodgekit is based in Australia. If you are accessing the Service from outside Australia, please be aware that your information may be transferred to, stored, and processed in Australia.

10.2 For users in the EEA, transfers of personal data to Australia or other countries outside the EEA will be conducted using appropriate safeguards as required by the GDPR, including:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with an adequacy decision from the European Commission
  • Binding Corporate Rules, where applicable

10.3 Some of our third-party service providers may process data in countries other than Australia (e.g., the United States). We ensure that appropriate data transfer mechanisms are in place with these providers.

10.4 Under the Australian Privacy Act, we take reasonable steps to ensure that overseas recipients of personal information comply with the APPs or are bound by a substantially similar privacy framework.

11.1 We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page with a revised "Last Updated" date.

11.2 For material changes that significantly affect the way we process your personal information, we will provide at least 30 days' notice via email to the address associated with your account before the changes take effect.

11.3 We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

11.4 If you do not agree with the revised Privacy Policy, you must stop using the Service and may request deletion of your account and personal data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

Lodgekit Ltd

Sydney, New South Wales, Australia

Email: privacy@lodgekit.com

General Enquiries

Email: support@lodgekit.com

Legal Department

Email: legal@lodgekit.com

Australian Information Commissioner

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):