Privacy Policy Draft

# BragMate Customer Privacy Policy Draft

Status: draft only. This is not legal advice. Human review is required before publishing. Legal review is recommended before accepting paying customers.

Last updated: 12 June 2026

OAIC reference used for drafting: https://www.oaic.gov.au/privacy/australian-privacy-principles

## 1. Who We Are

BragMate is operated by SoDutch Pty Ltd or the final legal operating entity confirmed before launch.

Contact:

```text
support@bragmate.com.au
```

## 2. What This Policy Covers

This policy explains how BragMate handles personal information for:

- trade businesses using BragMate;
- staff or account users of those businesses;
- customers who receive BragMate-powered rating links;
- people shown in approved job photos or portfolio content.

## 3. Personal Information We Collect

From businesses and account users, we may collect:

- name;
- business name;
- email address;
- billing details handled by the payment provider;
- ServiceM8 account identifiers;
- Google Business Profile connection details;
- logo, branding, trade type, and settings;
- support messages.

From ServiceM8-connected jobs, we may collect:

- customer first name;
- customer last initial;
- customer mobile or phone number;
- customer email if available;
- job suburb or city;
- job completion date;
- job description or job metadata;
- job photos and attachment metadata.

From customer rating flows, we may collect:

- rating value;
- private feedback text;
- whether the customer chose the Google review path;
- opt-out status;
- timestamps needed for audit, throttling, and support.

## 4. How We Collect Information

We collect information when:

- a business creates or configures a BragMate account;
- a business connects ServiceM8, Google, Stripe, SMS, or email providers;
- ServiceM8 sends completed-job data or webhook events;
- a customer opens a rating link, chooses an option, or submits private feedback;
- a business approves photos or portfolio content;
- someone contacts support.

## 5. Why We Use Information

We use personal information to:

- provide BragMate;
- send customer rating requests;
- record private feedback;
- prevent duplicate or excessive review requests;
- publish only approved portfolio and Google Business Profile content;
- prepare monthly reports;
- manage billing and account status;
- troubleshoot jobs, integrations, and support requests;
- improve security and prevent misuse;
- comply with legal, platform, tax, and operational requirements.

## 6. Customer Contact And Consent

The trade business using BragMate is responsible for its customer relationship and for making sure it can lawfully contact customers.

BragMate provides opt-out handling for review request SMS. Customers can opt out of future review texts from the business.

## 7. Review And Feedback Handling

BragMate does not hide Google review access based on rating.

After any rating, customers are offered both:

- a Google review option;
- a private feedback option.

Private feedback is sent to the business owner or made available to the business so they can respond.

## 8. Photos And Public Pages

Job photos are private by default.

Photos are only published to portfolio pages or Google Business Profile after the business owner approves them.

Portfolio pages should not include customer mobile numbers, email addresses, full surnames, or full street addresses.

## 9. Disclosure To Service Providers

We may disclose or process information through providers used to operate BragMate, including:

- hosting providers;
- database and storage providers;
- SMS providers;
- email providers;
- payment providers;
- Google Business Profile APIs;
- ServiceM8 APIs;
- error logging, security, and infrastructure monitoring providers.

We do not sell personal information.

## 10. Overseas Disclosure

Some providers may store or process data outside Australia.

Before production launch, the final provider list and data regions must be confirmed and reflected in the published policy.

## 11. Security

BragMate uses technical and organisational controls designed to protect personal information, including:

- encryption for customer mobile numbers and email addresses where practical;
- encrypted OAuth tokens;
- tenant-scoped database records;
- secret manager storage for production credentials;
- access limits for production systems;
- private-by-default photo handling.

No internet service can guarantee perfect security.

## 12. Retention

We keep information while needed to provide BragMate and for legitimate business, legal, security, billing, or support purposes.

Recommended MVP defaults before legal review:

- OAuth tokens deleted immediately on disconnect.
- Customer contact data deleted or anonymised within 30 days of account closure unless legally required.
- Private feedback deleted or anonymised within 30 days of account closure unless the business asks to retain it.
- Public portfolio pages removed on account closure unless the business separately agrees to keep them published.
- Billing and security records retained only as long as needed.

Final retention periods must be confirmed before publishing.

## 13. Access, Correction, And Deletion

Businesses can contact BragMate to request access, correction, disconnection, or deletion.

End customers can also contact BragMate. Because the trade business owns the customer relationship, BragMate may need to verify the request or coordinate with that business before acting.

## 14. Complaints

Privacy questions or complaints can be sent to:

```text
support@bragmate.com.au
```

We will review the issue and respond within a reasonable time.

If you are not satisfied, you may be able to contact the Office of the Australian Information Commissioner.

## 15. Changes To This Policy

We may update this policy as BragMate changes or as providers are selected. The published version should show the latest update date.