Privacy Policy

incomn Pty Ltd (ACN 697 733 270)

Effective: 11 June 2026

1. Introduction

This document sets out the privacy policy of incomn Pty Ltd (ACN 697 733 270) (referred to in this privacy policy as "we", "us" or "our").

We operate a mobile application that helps people discover, follow and book local businesses, including restaurants, cafes, salons, fitness studios, sporting clubs, markets and food trucks. We refer to that application, our website at incomn.app and any related services in this policy as the Platform.

We take our privacy obligations seriously. This privacy policy explains how we collect, hold, use and disclose personal information when you access or use the Platform.

We are bound by the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). This policy is intended to comply with APP 1.

By providing personal information to us, you consent to our collection, storage, use and disclosure of that information in accordance with this policy.

We may update this policy from time to time. The current version is always available at incomn.app/privacy. We encourage you to check the Platform regularly to ensure you are aware of our most current privacy policy.

2. The personal information we collect

We collect personal information from two types of users: consumers who use the Platform to find and book services and business operators who list services on the Platform.

The personal information we may collect about you includes:

(a) name, username and profile photo;

(b) email address and mobile phone number;

(c) precise and approximate location (including latitude and longitude and suburb);

(d) booking details, party size, dietary preferences and any notes you provide;

(e) the usernames of friends and connections you add within the Platform for group bookings;

(f) payment confirmation data and Stripe customer identifiers (we do not collect or store credit card numbers or bank account details);

(g) device identity and type, IP address, operating system, app version and push notification tokens;

(h) information about how you use the Platform, including pages viewed, features used and session data;

(i) messages you send through our support channels and any feedback or complaints you provide; and

(j) any other information you provide when communicating with us or otherwise required by us or provided by you.

If you register as a business operator, we also collect your business name, ABN, business address, business location (latitude and longitude), contact details, business hours, service descriptions, images, pricing and your Stripe Connect account identifier, together with details of any team members you authorise to access the business dashboard.

We collect only limited health information, being any dietary requirements, allergies or similar information you choose to provide in connection with a booking and, where you book with a salon, wellness or similar business, any consultation or health-intake information you provide to that business through the Platform. We collect that information with your consent and use it only to facilitate your booking and the service you have requested. We do not otherwise collect sensitive information as defined in section 6 of the Privacy Act, including biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation or criminal record.

We do not collect or adopt government related identifiers such as Tax File Numbers, Medicare numbers or Centrelink Reference Numbers, and we do not use or adopt any government related identifier as our own identifier for you. Where you register as a business operator, we may collect identity and verification documents for you and for the owners and directors of the business, which may include a driver licence or passport, for the limited purpose of verifying identity and eligibility to operate on the Platform. We use those documents only for that purpose and retain them only for as long as necessary (see section 12).

3. How we collect personal information

We collect personal information directly from you when you:

(a) create an account;

(b) make, modify or cancel a booking;

(c) update your profile;

(d) invite or add other users for group bookings;

(e) communicate with us or with a business through the Platform; or

(f) contact our support team or otherwise interact with us.

We also collect information automatically when you use the Platform, including device data, usage data, push notification tokens and anonymous analytics data. We use PostHog for anonymous product analytics, configured to collect only anonymous, aggregated data.

In limited circumstances, we may also collect personal information about you from third parties, including:

(a) from Stripe, in the form of payment confirmation status and transaction metadata;

(b) from a business you have booked with, where they provide us with updated booking information; and

(c) from another user, where they add you as a guest to a group booking.

If we receive personal information about you that we did not solicit and could not have collected under APP 3, we will destroy or de-identify the information as soon as practicable, where it is lawful and reasonable to do so.

4. Anonymity and pseudonymity

Under APP 2, you have the right to deal with us anonymously or under a pseudonym where it is lawful and practicable to do so.

Because of the nature of the Platform, we require your real name and valid contact details (email address and mobile phone number) to process bookings, facilitate group bookings, confirm payments through Stripe and send important service notifications.

You may browse publicly listed business information without creating an account. To make bookings or use coordination features, however, you must provide your real identity.

5. How we use your personal information

We only use your personal information for the purpose for which it was collected, or for a related purpose you would reasonably expect.

We use your personal information to:

(a) provide the Platform and our services, including to create and manage your account, process bookings and coordinate with businesses on your behalf;

(b) work with Stripe to confirm payment status for bookings (Stripe processes the actual payment between you and the business);

(c) send you booking confirmations, reminders, changes, cancellations and other transactional communications;

(d) deliver push notifications you have opted into, including alerts from businesses you follow;

(e) respond to your enquiries, complaints and support requests;

(f) analyse anonymous, aggregated usage data to understand how the Platform is used and improve it;

(g) detect and prevent fraud, abuse and security incidents;

(h) comply with our legal obligations and respond to lawful requests from regulators, law enforcement or courts; and

(i) handle disputes, chargebacks and complaints related to bookings or payments.

We will not sell your personal information to any third party. We will not use your personal information for behavioural advertising, profiling or targeted advertising, and we will not share your personal information with third parties for their own marketing purposes.

6. Who we disclose your personal information to

We may disclose your personal information to:

(a) businesses you book with, in order to fulfil your booking, including your name, contact details, party size and any booking notes you provide;

(b) other members of a group booking, for coordination purposes, including your name and booking status;

(c) our third party service providers that process information on our behalf (as described below);

(d) our professional advisers, including our lawyers, accountants, auditors and insurers, where necessary for them to provide their services to us;

(e) law enforcement agencies, regulators or courts where required or authorised by law, including to comply with a court order, subpoena or lawful request; and

(f) an acquirer or successor entity if we are involved in a merger, acquisition or sale of all or part of our business, in which case we will notify you before your personal information is transferred and becomes subject to a different privacy policy.

The third party service providers we use, and the information shared with them, are set out below:

Provider Purpose Information shared Location
Supabase (hosted on AWS) Database hosting and backend services for the Platform. All account, profile, booking and message data stored in our database. Sydney, Australia (AWS ap-southeast-2).
Stripe Payments Australia Pty Ltd (ACN 160 180 343, AFSL 500105) Payment processing via Stripe and Stripe Connect. Name, email, payment amounts and Stripe customer identifier. We do not share full payment card numbers or bank account details. Australia and the United States.
Expo and Firebase Cloud Messaging (Google) Push notification delivery to your device. Push notification tokens and notification content. United States.
PostHog Anonymous product analytics for the Platform. Anonymous, aggregated usage data only. No personally identifying information. European Union (Frankfurt) or the United States.
Resend Email delivery for the Platform. Your email address and the booking or account details included in the email. United States.
Twilio SMS delivery for the Platform. Your mobile number and the content of the SMS message. United States.
Sentry Error monitoring and diagnostics for the Platform. Technical diagnostic data and an opaque identifier for the affected user. No directly identifying information. United States.
Google Places Address lookup and location search for the Platform. Address text and location coordinates you enter or select. United States.

We use Stripe Connect to facilitate payments between you and the businesses you book with. We never hold, pool or control customer funds at any time.

7. Overseas disclosure of your personal information

Some of our third party service providers listed in section 6 are located overseas. Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles your information in accordance with the APPs, or is subject to a substantially similar privacy regime.

Your core personal data (including your name, email, phone number, location and booking history) is stored in Australia on Supabase servers in the Sydney region. We have chosen Australian hosting to keep your data within Australian jurisdiction wherever practicable.

8. Direct marketing and communications

We may send you the following types of communications, by push notification, in-app message, SMS or email:

(a) booking related notifications, including confirmations, reminders, changes and cancellations. These communications are transactional and necessary for service delivery;

(b) business alerts, including updates, specials or announcements from businesses you have chosen to follow within the Platform; and

(c) Platform updates, including information about new features, changes to the Platform or important service announcements.

You can manage your notification preferences at any time in the Platform (Profile > Notification Preferences) and revoke push notification permission entirely through your device settings.

Some communications cannot be disabled, including booking confirmations, payment receipts and security alerts, because they are essential to the safe use of the Platform.

You may opt out of marketing communications at any time through in-app settings, device settings, the unsubscribe link in any marketing email or, for marketing SMS, by replying STOP to the message. We comply with the Spam Act 2003 (Cth) and will action your opt-out request within 5 business days. Opting out of marketing will not affect transactional communications necessary for the services you have requested.

9. Cookies and analytics

The incomn mobile application does not use cookies. We use the following technologies in the Platform:

(a) PostHog for anonymous product analytics, configured to collect only anonymous, aggregated data. PostHog does not track you across other apps or websites; and

(b) Firebase Cloud Messaging to deliver push notifications, which requires a device token but does not track your activity.

Our website at incomn.app uses cookies and similar technologies. The table below sets out the types of cookies we may use on our website:

Cookie type Purpose Duration
Essential / session cookies Maintaining your login session and enabling core Platform functionality. These cannot be disabled because the Platform will not function without them. Session (expire on browser close).
Preference cookies Remembering your display settings and language preferences. These can be disabled through your browser settings. Up to 12 months.
Analytics cookies Understanding how users navigate the website (including page views, session duration and referral sources). These can be disabled through your browser settings. Up to 26 months.

We do not use advertising, remarketing or cross-site tracking cookies.

You can control cookies through the cookie consent banner on our website, your browser settings or your device settings. Blocking or removing cookies may negatively impact your experience of the website and you may not be able to access all parts of it.

10. Automated decision-making

The Privacy Act, as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth), introduces transparency obligations for automated decisions that significantly affect individuals, commencing on 10 December 2026.

We do not currently use automated decision-making that would have a significant effect on you for the purposes of those provisions. Some processes that operate within the Platform are partly automated, including fraud screening and risk scoring undertaken by Stripe in connection with payment processing, and the ranking of business listings. These processes do not, on their own, determine outcomes that significantly affect your legal rights, finances or access to essential services.

If we introduce any automated decision-making process that would significantly affect you, we will update this policy and disclose the categories of decisions involved, the kinds of information used, and the steps you can take to seek human review of an automated decision.

11. Security of your personal information

We take reasonable technical and organisational steps to protect your personal information from misuse, interference, loss, unauthorised access, modification and disclosure. These steps include:

(a) encryption of data in transit using Transport Layer Security (TLS);

(b) encryption of stored data at rest;

(c) row-level security policies in our database to ensure users can only access their own data;

(d) secure authentication with email and phone verification;

(e) role-based access controls within incomn applied on a need-to-know basis;

(f) payment processing handled by Stripe, which is PCI-DSS Level 1 certified, so we never store credit card numbers on our systems; and

(g) confidentiality obligations on staff and contractors with access to personal information.

Despite these measures, we cannot guarantee the security of your personal information.

In the event of an eligible data breach as defined in Part IIIC of the Privacy Act, we will:

(a) take immediate steps to contain the breach and mitigate any harm;

(b) assess whether the breach is likely to result in serious harm to affected individuals; and

(c) if serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, including a description of the breach, the types of information involved and recommendations for steps individuals can take to protect themselves.

12. Government related identifiers

We do not collect, use or disclose government related identifiers such as Tax File Numbers, Medicare numbers or Centrelink Reference Numbers, and we do not use or adopt any government related identifier as our own identifier for you. Where you register as a business operator, we may collect identity and verification documents for the business and for its owners and directors, which may include a driver licence or passport. We collect those documents only to verify identity and eligibility, do not use or disclose them for any other purpose, and retain them only for as long as necessary for that purpose.

13. Access and correction

You have the right under APP 12 and APP 13 to request access to and correction of the personal information we hold about you.

You can access and correct most of your personal information directly through the Platform by viewing and updating your profile, booking history and account settings.

For other requests, contact us using the details in section 20 with the subject line "Privacy Access Request" or "Privacy Correction Request", including your full name, the email address associated with your account and a description of the information you are seeking. We will respond within 30 days.

Before providing access or making a correction, we may need to verify your identity to protect against unauthorised access.

We may refuse access in the limited circumstances permitted by the Privacy Act, including where giving access would pose a serious threat to safety, would have an unreasonable impact on the privacy of others or is required or authorised by law. If we refuse, we will give you a written notice setting out our reasons and the mechanisms available to you to make a complaint.

If we correct personal information that we have previously disclosed to a third party, we will take reasonable steps to notify them of the correction, unless it is impracticable or unlawful to do so.

14. Data retention and deletion

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our typical retention periods are:

Data type Retention period Reason
Account information (name, email, phone number) Duration of your account, plus 7 years after deletion. Australian tax and business record keeping obligations.
Booking history 7 years from the date of the booking. Australian tax and business record keeping obligations.
Payment metadata (Stripe identifiers, transaction amounts) 7 years from the date of the transaction. Australian tax and financial record keeping obligations.
Booking messages 12 months after the booking is completed or cancelled. Dispute resolution.
Location data, dietary preferences and push notification tokens Duration of your account, deleted on account deletion. Not required after account closure.
In-app notification history 90 days. Inbox management.
Anonymous analytics data Retained in aggregated form only. Cannot be linked back to you.
Support communications 3 years from the date of the communication. Dispute resolution and service improvement.
Website session and analytics data Session cookies expire on browser close. Analytics data retained for up to 26 months. Website operation and improvement.

You can request deletion of your account and associated personal information at any time by using the account deletion feature within the Platform (Settings > Delete account) or by emailing us at privacy@incomn.app with the subject line "Account Deletion Request".

On receiving a deletion request, we will confirm your identity, delete or de-identify your personal information within 30 days (except where we are required by law to retain certain records), request deletion from our third party service providers and confirm completion.

Account deletion anonymises your profile information (your name is replaced with "Deleted user" and your email, phone, avatar, location and push tokens are cleared), while historical booking and payment records are retained for legal compliance.

Deletion is permanent and cannot be undone. Information shared with businesses for past bookings may be retained by those businesses under their own privacy policies.

15. Children

The Platform is intended for users who are 18 years of age or older. We do not knowingly collect personal information from a person under 18.

The Platform is not an "age-restricted social media platform" within the meaning of the Online Safety Act 2021 (Cth) as amended by the Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth). It is designed for adults aged 18 and over and does not target or permit accounts for persons under 18.

If you believe a person under 18 has created an account on the Platform, please contact us at privacy@incomn.app and we will take steps to delete the account and any associated personal information.

16. Third party links

The Platform may contain links to third party websites or services, including business websites and Stripe payment pages. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policy of any third party service you interact with.

17. Complaints

If you believe we have breached your privacy or mishandled your personal information, please contact us using the details in section 20, including:

(a) your full name and contact details;

(b) a description of your complaint; and

(c) the outcome you are seeking.

We will acknowledge your complaint within 5 business days, investigate it and provide a written response within 30 days. If we need more time, we will let you know and explain why.

If you are not satisfied with our response, or if we do not respond within 30 days, you may complain to the OAIC at oaic.gov.au or on 1300 363 992. The OAIC generally requires that you first attempt to resolve your complaint directly with us before lodging a complaint with them.

18. Your right to sue for serious invasions of privacy

From 10 June 2025, Schedule 2 to the Privacy Act (introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth)) gives you a direct right to bring a court action against any person for a serious invasion of your privacy by intrusion upon seclusion or by misuse of your information.

This right is in addition to, and independent of, the OAIC complaint mechanism described in section 17. If you believe a serious invasion of your privacy has occurred, you may seek independent legal advice about whether to bring an action under that Schedule.

Where the alleged invasion involves us, we encourage you to raise the matter with us first using the contact details in section 20 so we can investigate and respond before any further step is taken.

19. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements or for other operational reasons.

For material changes, we will notify you via push notification, email or a prominent notice within the Platform before the changes take effect, and update the version date at the top of this policy.

For minor changes (such as formatting or clarification), we will update the policy and the version date without individual notification.

Your continued use of the Platform after changes are posted constitutes your acknowledgement of the updated policy. If a change materially reduces your rights under this policy, we will seek your consent before implementing the change where required by law.

20. Contact us

For further information about this privacy policy or our privacy practices, or to access or correct your personal information, or to make a complaint, please contact us using the details below:

Name: incomn Pty Ltd

ACN: 697 733 270

Email: privacy@incomn.app

Website: https://incomn.app