Privacy Policy

Effective from: [DATE]

1. What information we collect

We collect Personal Information when you interact with the Service, including:

1.1 If you are a Seller (stall owner)

• Identity information: name, date of birth, business name, ABN.
• Contact information: email address, phone number, business address.
• Financial information: bank account details (collected by Stripe, not by us directly); subscription billing details (collected by Stripe).
• Identity verification information shared with Stripe to satisfy KYC requirements (Stripe is the primary handler; we receive a verification status only).
• Usage information: login times, IP addresses, dashboard activity, support communications.
• Content you upload: product listings, descriptions, photos, stall branding.

1.2 If you are a Customer (paying at a stall)

• Limited information necessary to process your transaction: order details (items, total), payment method, and any order notes you choose to enter.
• Payment information: card details are collected directly by Stripe through Stripe Checkout and are never transmitted to or stored by Mantis Checkout.
• Technical information: IP address, device type, browser type, timestamps.
• If you sign in for any feature requiring authentication: name and email address.

1.3 General website visitors

• Technical information about your visit: pages viewed, referring sites, IP address, browser type, session duration.
• Information you voluntarily provide if you contact us, including support enquiries and feedback.

2. How we collect Personal Information

We collect Personal Information directly from you when you sign up, use the Service, or communicate with us. We also receive information from third parties that help us provide the Service — most importantly Stripe, which provides payment processing and identity verification.

Where it is practical to do so, we will collect Personal Information directly from you. If we collect information about you from a third party (for example, fraud-detection services), we will let you know.

3. Why we collect and use Personal Information

We use Personal Information to:

• Operate, maintain, and provide features of the Service.
• Verify your identity and the eligibility of your business to use the Service.
• Process payments through Stripe.
• Send transactional notifications (receipts, billing notices, account updates).
• Send marketing communications, but only with your consent and where the law permits.
• Respond to enquiries, complaints, and feedback.
• Detect and prevent fraud, abuse, and unlawful activity.
• Comply with legal and regulatory obligations including those under the Privacy Act, AML/CTF laws (via our payment provider Stripe), and tax laws.
• Improve and develop the Service through analysis of aggregated usage data.
• Where required, exercise or defend legal claims.

4. Who we share Personal Information with

We share Personal Information with:

4.1 Service providers

• Stripe — for payment processing, identity verification, and fraud detection. Stripe is the Australian-licensed payments provider that handles card and wallet transactions. Stripe's privacy policy is at stripe.com/privacy.
• Google (Firebase) — for hosting, database, and authentication infrastructure.
• Email service providers — for transactional and marketing email delivery.
• Analytics providers — to understand how the Service is used.
• Customer support tools — to handle enquiries and complaints.
• Professional advisors — accountants, lawyers, and similar advisors where required and under confidentiality obligations.

4.2 With your direction

If you, as a Seller, direct us to share information with a third party (e.g., an accounting integration you have authorised), we will do so.

4.3 As legally required

We may disclose Personal Information where required to do so by law, in response to lawful requests from public authorities (including for national security or law enforcement requirements), or where we reasonably believe disclosure is necessary to protect our rights or others' safety.

4.4 In a business transaction

If we are involved in a merger, acquisition, sale of all or part of our business, or insolvency, Personal Information may be transferred to the acquirer or new operator. We will give notice before such a transfer if reasonably practicable.

5. Overseas transfers

Some of our service providers — including Stripe, Google, and email providers — may store or process Personal Information outside Australia. In particular:

• Stripe processes data in Australia and other countries where Stripe operates.
• Google's Firebase services may store data in data centres in the United States and other locations.
• Some email and customer-support tools process data in the United States or European Union.

Before transferring Personal Information overseas, we take reasonable steps to ensure that the overseas recipient handles Personal Information in a way consistent with the Australian Privacy Principles, except where you have consented or it is otherwise permitted by law.

6. How long we keep Personal Information

We keep Personal Information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

• Active account information: for the life of the account plus seven years from closure (to meet tax-record retention requirements).
• Transaction records: seven years from the date of the transaction.
• Marketing email subscriber lists: until you unsubscribe.
• Aggregated and de-identified data: indefinitely.
• Support tickets: three years from resolution.

If you ask us to delete your Personal Information, we will do so to the extent we are not required to retain it by law.

7. Cookies and tracking

We use cookies and similar technologies for:

• Authentication (keeping you signed in).
• Functionality (remembering your preferences).
• Analytics (understanding aggregate use of the Service).
• Security (detecting suspicious activity).

You can disable cookies in your browser settings, but parts of the Service may not function properly without them.

8. Children

The Service is not directed to children under 18, and we do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information to us, please contact us so we can delete it.

9. Your rights

Under the Privacy Act and the Australian Privacy Principles, you have the right to:

• Access the Personal Information we hold about you.
• Request correction of inaccurate or out-of-date information.
• Request deletion of your Personal Information, subject to our legal obligations.
• Withdraw consent for marketing communications at any time (via the unsubscribe link in every email or by contacting us).
• Complain to us about how we have handled your Personal Information.
• Complain to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.

To exercise these rights, contact us at [PRIVACY@COMPANY.COM]. We will respond within 30 days.

10. Security

We take reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include:

• Encrypted transmission of data (HTTPS / TLS).
• Storage in secure cloud infrastructure with access controls.
• Use of Stripe (a PCI-DSS Level 1 compliant payment processor) for all card data.
• Limiting employee access to Personal Information on a need-to-know basis.
• Regular review of security practices.

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email (to account holders) and through a notice on the Service. The effective date at the top of this policy will be updated.

12. Contacting us

If you have any questions, concerns, or complaints about this policy or our handling of Personal Information:

• Email: [PRIVACY@COMPANY.COM]
• Mail: [Company Name] Pty Ltd, [REGISTERED OFFICE ADDRESS]

If you remain dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner: oaic.gov.au or 1300 363 992.