Privacy Policy


Privacy Policy

The following terms are used regularly throughout this Privacy Policy and have a particular meaning:

  • (a) ABN means Australian Business Number.
  • (b) Account means an account created with the Platform and includes both Customer and Vendor accounts.
  • (c) Business Day means a day (other than a Saturday, Sunday or public holiday) on which banks are open for general banking business in New South Wales, Australia.
  • (d) Company means ApyApp Pty Ltd ABN 57 648 712 476.
  • (e) Corporations Act means the Corporations Act 2001 (Cth).
  • (f) Customer means a person with an account on the Platform who uses the features associated with their Customer Account and purchases Products.
  • (g) Customer Content means any images, information, documents or other data that is uploaded or input into the Platform by the User or that forms part of the User’s Intellectual Property.
  • (h) Financial Services Provider means any bank, money services business, payment network, or other financial intermediary.
  • (i) GST has the meaning given by the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
  • (j) Intellectual Property means all copyright, patents, inventions, trade secrets, know-how, product formulations, designs, circuit layouts, databases, registered or unregistered trademarks, brand names, business names, domain names and other forms of intellectual property.
  • (k) Mobile Application Marketplace means an online marketplace for access to the Platform and other applications for mobile devices, such as the App Store.
  • (l) Payment Gateway means Stripe or such other payment system the Company may adopt within the Platform from time-to-time.
  • (m) Platform means the “ApyApp” digital platform for checkoutless shopping owned and operated by the Company, accessible at a Mobile Application Marketplace.
  • (n) Privacy Act means the Privacy Act 1988 (Cth).
  • (o) Privacy Policy means the Company’s privacy policy, as updated from time-to-time, published on the Site.
  • (p) Product means items offered for sale by a Vendor via the Platform.
  • (q) Product Code means the unique QR code or barcode for each Product.
  • (r) Promotion means any promotion made available to Customers by the Company or Vendors through the Platform from time-to-time.
  • (s) Purchase Order means a Customer’s order to purchase selected Products from a Store.
  • (t) Purchase Price means the price paid by the Customer to complete a Purchase Order.
  • (u) Put Beyond Use means information is not deleted, but the Company is not able, or will not attempt, to use the Personal Information to inform any decision in respect of any individual or in a manner that affects the individual in any way; does not give any other organisation access to the Personal Information; surrounds the Personal Information with appropriate technical and organisational security; and commits to permanent deletion of the information if, or when, this becomes possible.
  • (v) Site means and any other URL the Company may adopt from time-to-time.
  • (w) Store means a Vendor’s checkoutless store offering Products for sale via the Platform.
  • (x) Stripe means the cloud payments platform accessible at
  • (y) Tax Invoice has the meaning given by the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
  • (z) Third Party Service Provider means any third-party service provider which is used by the Company to deliver the Platform to Customers.
  • (aa) User means any user of the Platform, including Customers and Vendors.
  • (bb) User Code of Conduct means the Company’s policy regarding use of the Platform and ApyDollars, as updated from time-to-time and published on the Site.
  • (cc) Vendor means a person with an account on the Platform that uses the features associated with a Vendor Account, manages Stores and may also be a Customer.


1.1 ApyApp Pty Ltd ACN 648 712 476 (we, us or our) has adopted this Privacy Policy to ensure that we have standards in place to protect the Personal Information that we collect about individuals (user, you, your) that is necessary and incidental to:

  • (a) Providing the Platform, Site, your Account and ApyDollars; and
  • (b) The normal day-to-day operations of our business.

1.2 This Privacy Policy follows the standards of both:

  • (a) The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy Act 1988 (Cth) (Privacy Act); and
  • (b) The regulations and principles set by the European Union’s General Data Protection Regulation (GDPR) for the handling of Personal Data.

1.3 By publishing this Privacy Policy, we aim to make it easy for our users and the public to understand what Personal Information we collect, why we do so, how we receive, obtain and/or use that information, and the rights of control an individual has with respect to their Personal Information in our possession.


2.1 Our Privacy Policy deals with how we handle “personal information” and “personal data” as it is defined in the Privacy Act and the GDPR respectively (Personal Information).

2.2 We handle Personal Information in our own right and also for and on behalf of our users.

2.3 Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information about the people in those businesses or companies.

2.4 The Privacy Policy applies to all forms of information, physical and digital, whether collected electronically or in hardcopy.

2.5 If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that they have that person’s consent to provide such information for the purpose specified.

2.6 If we learn that Personal Information has been collected from minors without verifiable parental or guardian consent, then we will take the appropriate steps to delete such information.


3.1 Without limitation, the type of information we may collect is:

  • (a) Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;
  • (b) Contact Information. We may collect information such as an individual’s email address, telephone & fax number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
  • (c) Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
  • (d) Statistical Information. We may collect information relevant to functionality of our Platform and Site and about an individual’s online and offline preferences, habits, movements, location, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes; and
  • (e) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
  • (f) Marketing information. We may collect information collected from marketing campaigns, product research, customer surveys, your interactions with us including via social media, or publicly available information that you post or publish.
  • (g) Remarketing: We use Facebook, Google Marketing Platform (GMP), Salesforce and other media publishers to advertise our service online. Third-party vendors, including Facebook, GMP, Salesforce and other media publishers, use cookies to display relevant ads based on your past visits to our website(s). Remarketing allows us to tailor our marketing to better suit your needs and display ads that are relevant to you. We respect your privacy and any data collected will be used in accordance with this privacy policy, Google's privacy policy or the privacy policy of other remarketing services that we may use. If you do not wish to participate in our Remarketing, you can opt-out by visiting Google's Ads Preference Manager. You can also opt-out of any third-party vendor's use of cookies by visiting the Network Advertising Initiative opt-out page or by clicking on the “Your AdChoices” symbol within advertisements to opt-out.

3.2 Usage information. We may collect information automatically whenever you use or interact with our service or website. We, as well as any third-party service provider and/or advertiser, may use a variety of technologies that automatically or passively record information about how our service or website is accessed and used (Usage Information). Usage Information may include your IP address or other unique identifiers for the device used to access our services (Device Identifier), browser type, Device type (computer, mobile phone, tablet or other devices), operation system, application version, date and time of visit, pages viewed, preceding page views and your use of features or applications on our service. Usage Information helps us keep our service and website relevant to users and allows us to tailor content to a user’s interests. Usage Information is generally non-identifying, but if we associate it with you as a specific and identifiable person, we will treat it as personal information. We may use Device Identifiers to help us administer our service or website, diagnose problems with our servers, analyse trends, observe service or website usage and activity over time, help identify you and your shopping cart, and gather broad demographic information for aggregate use. We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy.

3.3 We may also collect non-Personal Information about an individual such as information regarding their computer, network and browser. Where non-Personal Information is collected the Australian Privacy Principles and the GDPR do not apply.


4.1 Most information will be collected in association with a user’s use of our Platform, an enquiry about ApyApp or generally dealing with us. In particular, information is likely to be collected as follows:

  • (a) Registrations/Subscriptions. When an individual registers or subscribes for an account or other process whereby they enter Personal Information details in order to receive or access something, including our Site or Platform;
  • (b) Supply. When an individual supplies us with goods or services;
  • (c) Contact. When an individual contacts us in any way;
  • (d) Access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services. Cookies are data files placed on a computer, mobile phone, tablet or other devices (Device) when it is used to visit our Platform or Site. Cookies may be used to associate you with media platforms like Facebook, GMP, Salesforce and other media, and, if you so choose, enable interaction between your activities on our Platform or Site and those social media platforms. We or our vendors may place cookies on your Device for security purposes, to facilitate site navigation and personalise your experience while visiting our Platform or Site (such as allowing us to select which ads or offers are most likely to appeal to you, based on your interests, preferences, location or demographic information). To learn how you may manage cookies, or delete cookies that have already been installed, please refer to your browser’s help menu or instructions. If you disable or opt-out of receiving cookies, some features and functions on our Platform or Site or website may not work properly or fully because we may not be able to recognise and associate you with your ApyApp account. In addition, the offers we provide may not be as relevant to you or tailored to your interests.; and/or
  • (e) Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.
  • (f) Cookies. The Platform may use cookies (a small electronic tracking code) to improve a User’s experience while browsing, while also sending browsing information back to the Company. The User may manage how it handles cookies in its own browser settings.

4.2 As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.

4.3 Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a user), we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles and the GDPR.


5.1 In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected other than with the individual’s permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.

5.2 We will only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.

5.3 The most common lawful bases relied upon are:

  • (a) Consent: we will only rely upon express, clear and informed consent. Any consent provided may specify and/or restrict the purpose and can be withdrawn at any time without penalty. We will keep a record of when and how we got consent from an individual.
  • (b) Legitimate interests: we will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of Personal Information is necessary to achieve it by balancing it against the individual’s interests, rights and freedoms. We will keep a record of our legitimate interests’ assessments.

5.4 We will retain Personal Information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.

5.5 If it is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian Privacy Principles and the GDPR in the course of our business, we will inform you that we intend to do so, or have done so, as soon as practical.

5.6 We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances, unless the prior written consent of the individual is obtained. For clarity, where we work with third party service providers to provide the Platform or Site to you, you expressly consent to our provision of your Personal Information to our service providers by continuing to use the Platform or visit our Site.

5.7 Information is used to enable us to operate our business, especially as it relates to an individual. This may include:

  • (a) The provision of the Platform or Site or the provision of Products between users of the Platform (i.e. customers and vendors);
  • (b) Providing you with an integrated user experience;
  • (c) Any purpose which we notify you about when we collect your information or to which you have provided consent;
  • (d) Considering and assessing your application for an account;
  • (e) Providing user assistance and support, including support in relation to account recovery;
  • (f) Administering and managing our relationship with you, including by verifying your identity in order to provide a requested service;
  • (g) Informing you about products, services, special offers and/or events from the us (for more on Direct Marketing, see the section below);
  • (h) Improving your customer experience and our marketing, including through data analytics, product planning, product development and research;
  • (i) Verifying your identity;
  • (j) Communicating with an individual about:
    1. Their relationship with us;
    2. Our goods and services;
    3. Our own marketing and promotions to customers and prospects;
    4. Enquiries, concerns or complaints; and/or
    5. Competitions, surveys and questionnaires;
  • (k) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our Terms of Service or that an individual is or has been otherwise engaged in any unlawful activity;
  • (l) As required or permitted by any law (including the Privacy Act), or where government and law enforcement agencies, bodies and regulators, or a dispute resolution body of which we are a member (for example, the Financial Ombudsman Service) require us to disclose your information;
  • (m) Disclosing information to our related bodies corporate;
  • (n) Disclosing information to our entities overseas who support the provision of the Platform or Site;
  • (o) Disclosing information to suppliers of third party services who provide payment services and other third parties where you have consented to us sharing information with them;
  • (p) Disclosing information to our agents or contractors which perform a particular function or service on our behalf, which may include Third Party Service Providers or Financial Services Providers or other, organisations that assist us to conduct promotions or market research, customer support providers, information technology service providers, accountants, lawyers or other professional advisors; and
  • (q) If you consent, we may also disclose your information to selected third parties to help you obtain discounts or services from those third parties. We will not disclose your information for this purpose without your consent, and you can opt-out at any time.

5.8 Direct Marketing. We (or any of the entities which comprise our related bodies corporate, including the agents and contractors if any acting on our, or our related bodies corporate behalf) may send you direct marketing to inform you about products or services, special offers, promotions and events that may be of interest to you. These marketing communications may include joint promotions with other promotion partners and may be sent to you using any contact details provided by you, such as post, phone, email or SMS.

5.9 Your consent to receive direct marketing communications from us in the above ways will be deemed if you do not opt-out when you are offered the opportunity to do so and will remain current on an ongoing basis unless and until you advise otherwise.

5.10 If the law requires us to provide you with information about our products or services, we will provide that information even if you have elected not to receive information about our products and services generally.

5.11 You have the right to object at any time to the processing of your Personal Information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

5.12 If you do not wish to receive any marketing communications from us, you can let us know using the contact details provided in section 11 “Contacting us” below, or by utilising the “unsubscribe” function in electronic communications from us. In some circumstances, we may need to contact you to obtain additional information, verify your identity or to clarify your request, in order to action it.

5.13 If you do not wish to receive marketing communications and surveys from our related bodies corporate you can let our related bodies corporate know at any time using the contact details in the respective privacy policies or utilising the “unsubscribe” feature.

5.14 There are some circumstances in which we must disclose an individual’s information:

  • (a) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
  • (b) As required by any law (including the Privacy Act) or where government and law enforcement agencies, bodies and regulators, or a dispute resolution body of which we are a member (for example, the Financial Ombudsman Service) require us to disclose your information; and/or
  • (c) In order to sell our business (in that we may need to transfer Personal Information to a new owner).

5.15 We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until that entity has agreed in writing with us to safeguard Personal Information as we do.

5.16 We may utilise third-party service providers to communicate with an individual and to store contact details about an individual. These service providers may be located outside of Australia.

5.17 An individual who uses ULAMAPP may be sending information (including Personal Information) to overseas jurisdictions where our servers may be located from time-to-time. In such circumstances, that information may then be transferred within their resident jurisdiction or back out to other countries outside of the individual’s country of residence, depending on the type of information and how it is stored by us. These countries may not necessarily have data protection laws as comprehensive or protective as those in your country of residence, however our collection, storage and use of Personal Information will at all times continue to be governed by this Privacy Policy.


6.1 An individual may opt to not have us collect and/or process their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:

  • (a) Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us (for clarity, consent must involve an unambiguous positive action to opt in); or
  • (b) Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.

6.2 If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us using the details as set out below.


7.1 We may appoint a Data Protection Officer to oversee the management of this Privacy Policy and compliance with the Australian Privacy Principles, the Privacy Act and the GDPR. This officer may have other duties within our business and also be assisted by internal and external professionals and advisors.

7.2 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.

7.3 Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.

7.4 We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws), unless otherwise required by the Privacy Act and the GDPR. The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.

7.5 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.

7.6 We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.

7.7 Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information, then:

  • (a) We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;
  • (b) If we determine there is a risk from the security breach, then we will immediately notify the relevant supervisory authority and provide all relevant information on the particular breach, and by no later than 72 hours after having first become aware of the breach;
  • (c) If we determine there is a high risk from the security breach (a higher threshold than set for notifying supervisory authorities), we will immediately notify the affected individuals and provide all relevant information on the particular breach without undue delay.

7.8 We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of the breach and how to prevent similar situations in the future.


8.1 Subject to the Australian Privacy Principles and the GDPR, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information as soon as practicable, and by no later than 28 days of receiving the written request. The individual is free to retain and reuse their Personal Information for their own purposes. We may be required to transmit the Personal Information directly to another organisation if this is technically feasible.

8.2 If an individual cannot update their own information, we will correct any errors in the Personal Information we hold about an individual within 28 days of receiving written notice from them about those errors, or two months where the request for rectification is complex.

8.3 It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.

8.4 Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond or charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28 days.

8.5 We may be required to delete or remove all Personal Information we have on an individual upon request in the following circumstances:

  • (a) Where the Personal Information is no longer necessary in relation to the purpose for which it was originally collected and/or processed;
  • (b) When the individual withdraws consent;
  • (c) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • (d) The processing of the Personal Information was otherwise in breach of the GDPR;
  • (e) The Personal Information has to be erased in order to comply with a legal obligation; and/or
  • (f) The Personal Information is in relation to a child.

8.6 We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was processed for the following reasons:

  • (a) To exercise the right of freedom of expression and information;
  • (b) To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • (c) For public health purposes in the public interest;
  • (d) Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • (e) The exercise or defence of legal claims.

8.7 The Company undertakes to de-identify, destroy or Put Beyond Use an individual’s Personal Information in accordance with the Company’s legal obligations.


9.1 If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.

9.2 If we have a dispute regarding an individual’s Personal Information, you undertake to first attempt to resolve the issue directly with us, in accordance with our Complaints Handling Procedure set out in our Terms of Service. We will acknowledge your complaint within 3 days and provide you with a response within 30 days.

9.3 An individual shall have the right to seek a judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her Personal Information in non-compliance with the GDPR. Any proceedings should be commenced in Victoria, Australia, where we are established.

9.4 If we become aware of any unauthorised access to an individual’s Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.


From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Where such information is materially important to the individual’s interaction with us, they may not opt out of receiving these communications.


11.1 All correspondence with regards to privacy should be addressed to:

  • The Privacy Officer
  • ApyApp Pty Ltd
  • You may contact the Data Protection Offer via email in the first instance.


12.1 If we decide to change this Privacy Policy, we will post the changes on our website at Please refer back to this Privacy Policy to review any amendments.

12.2 We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles and the GDPR, and nothing in this Privacy Policy shall deem us to have not complied with the Australian Privacy Principles and the GDPR.