Privacy Policy
Last updated: 30 May 2026
This Privacy Policy explains how BuyForMe ("we", "us") collects, uses, and protects your personal information when you use the BuyForMe mobile application and related services (the "Service"). We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
1. Information we collect
Account information: name, email, profile photo, and authentication identifiers (Google or Apple Sign-In).
Profile & verification data: selfie images, government-issued ID images (for identity verification), and flight ticket images (for traveller verification). These are processed for trust and safety, including AI-assisted analysis.
Transaction data: requests, bids, matches, messages, and metadata about payments. Card details are never received or stored by us — they are handled directly by Stripe.
Location: general location (city/country) when needed for matching and meet-up. We do not collect background location.
Device & usage: device model, OS version, app version, language preference, push notification tokens, and basic usage logs for debugging and analytics.
Crash diagnostics (Firebase Crashlytics): stack traces and device state at the time of a crash. Used solely to fix bugs. Does not contain personally identifying information.
Anonymized usage events (Firebase Analytics): feature interaction events (e.g. request_created, review_submitted) with non-identifying parameters such as category or amount range. Used to measure funnel and prioritise improvements.
2. How we use your information
- Operate the Service — create accounts, match Buyers and Travellers, process payments, deliver notifications;
- Verify identity, prevent fraud, and enforce our Terms;
- Compute trust signals (e.g. Flight Tier) shown on profiles;
- Communicate with you about your account, transactions, and important changes;
- Improve the Service through aggregated analytics and bug fixes.
We do not sell your personal information.
3. Sharing & service providers
We share data with the following providers, each contractually bound to protect it:
- Firebase (Google LLC) — authentication, push notifications, crash diagnostics (Firebase Crashlytics), and anonymized in-app analytics (Firebase Analytics) used to understand feature usage and funnel drop-off. We do not link analytics events to your identity for marketing. Firebase Privacy.
- Supabase (Supabase Inc.) — primary database and file storage, Sydney (Australia) region. Supabase Privacy.
- Stripe (Stripe, Inc.) — payment processing, escrow, payouts. Stripe Privacy.
- Anthropic (Anthropic PBC) — AI-assisted analysis of verification images and uploaded documents. Images sent for analysis are not used to train Anthropic's models. Anthropic Privacy.
- Google Maps (Google LLC) — map display and location-based features (e.g. meet-up point selection). Google Privacy.
- Cloudflare (Cloudflare, Inc.) — website hosting and email forwarding for our support address.
We may also disclose information when required by law, in response to lawful requests by public authorities, or to protect our rights and the safety of users.
4. Where your data is stored
Your primary data (profile, requests, messages, files) is stored on Supabase infrastructure in Sydney, Australia. Some metadata may be processed by Firebase and Stripe in their global infrastructure, which may include locations outside Australia. By using the Service, you consent to these international transfers, subject to safeguards required by the Australian Privacy Principles.
5. Your rights
You have the right to:
- Access — request a copy of the personal information we hold about you;
- Correct — update inaccurate information through the app or by contacting us;
- Delete — close your account and request deletion through Settings → Account → Delete Account, or by emailing us;
- Object / restrict — ask us to stop or limit certain processing;
- Complain — contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles.
6. Security
We use industry-standard safeguards, including encryption in transit (HTTPS, TLS), encryption at rest (managed by Supabase and Stripe), row-level security on our database, and strict access controls for our team. No system is perfectly secure, however, and we cannot guarantee absolute security.
7. Retention
We keep account and transaction data while your account is active and for a reasonable period afterwards to comply with legal obligations (e.g. tax, dispute resolution). When you delete your account through Settings → Account → Delete Account, your profile, messages, and uploaded files are deleted immediately. Financial and transaction records may be retained longer where required by Australian tax and consumer protection law (typically up to 7 years), and anonymised aggregated data may be retained for analytics.
8. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe we may have collected such information, please contact us so we can delete it.
9. Changes
We may update this Privacy Policy from time to time. Material changes will be notified through the app or by email at least 14 days before they take effect.
10. Contact
Questions, requests, or concerns about your privacy? Contact us at support@getbuyforme.app.