Privacy Policy

Poppi Social Pty Ltd (we, us, or our) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our website, consulting services, and any related products or platforms.

This policy complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the EU General Data Protection Regulation (GDPR), and relevant US privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), where applicable.

By using our services, you consent to the collection and use of information in accordance with this policy.

Information We Collect

We collect information that you provide directly to us and information that is automatically collected when you use our services.

Personal information you provide

We may collect the following types of personal information when you interact with us:

• Name and contact details (email address, phone number, mailing address)
• Business information (company name, job title, industry)
• Payment information (processed securely through Stripe — see below)
• Communications you send us (emails, messages, support requests)
• Any other information you choose to provide

Usage and technical information

We automatically collect certain information when you access our services:

• IP address and device information
• Browser type and version
• Operating system
• Pages visited and links clicked
• Time and date of visits
• Referral source

Cookies and tracking technologies

We use cookies and similar tracking technologies to collect information about your browsing activities, including cookies that support advertising. You can control cookie preferences through your browser settings and, where required, through our cookie consent banner. For more detail, see the Cookies and Tracking Technologies section below.

Payment information

Payment transactions are processed by Stripe, our third-party payment processor. We do not store your full credit card information on our servers. Stripe collects and processes payment data in accordance with their privacy policy and PCI-DSS standards. You can review Stripe's privacy practices at stripe.com/privacy.

How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve our services
• To process transactions and send related information
• To respond to your enquiries and provide customer support
• To send administrative information, updates, and security alerts
• To communicate with you about services, offers, and promotions (with your consent where required)
• To deliver and measure advertising, including through third-party advertising platforms
• To analyse usage patterns and improve user experience
• To detect, prevent, and address fraud, security issues, and technical problems
• To comply with legal obligations and protect our rights

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

• Contractual necessity: Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract.
• Legitimate interests: Processing is necessary for our legitimate interests, such as improving our services, preventing fraud, and ensuring security.
• Consent: You have given consent for processing (for example, marketing communications and advertising cookies).
• Legal obligation: Processing is necessary to comply with legal requirements.

How We Share Your Information

We do not sell your personal information for money. We may share your information in the circumstances below, including sharing with advertising partners as described in the California section.

Service providers

We may share information with third-party service providers who perform services on our behalf, including:

• Payment processing (Stripe)
• Email service providers
• Customer relationship management (CRM) platforms
• Analytics providers
• Advertising platforms (such as Meta and Google)
• Hosting and cloud storage providers

These service providers are contractually obligated to use your information only as necessary to provide their services and to protect your information.

Business transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

Legal requirements

We may disclose your information if required to do so by law or in response to legal processes, government or regulatory requests, or situations involving potential threats to safety, fraud investigation, or protection of our rights.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the EEA to countries outside the EEA, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or we rely on adequacy decisions. For Australian users, we take reasonable steps to ensure overseas recipients handle your personal information in accordance with the Australian Privacy Principles.

Data Security

We implement appropriate technical and organisational security measures to protect your personal information, including encryption of data in transit and at rest, secure server infrastructure, regular security assessments, access controls and authentication, and employee training on data protection. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account information: Retained for the duration of your account plus a reasonable period afterwards.
• Transaction records: Retained for tax and accounting purposes (typically 7 years in Australia).
• Marketing data: Retained until you withdraw consent or request deletion.
• Analytics data: Retained for 14 months or until no longer needed for business purposes.

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyse usage, and deliver and measure advertising.

Types of cookies we use

• Essential cookies: Necessary for the website to function properly.
• Analytics cookies: Help us understand how visitors use our site.
• Functional cookies: Remember your preferences and settings.
• Marketing cookies: Used by us and advertising partners (such as Meta and Google) to deliver and measure relevant advertisements.

Managing cookies

You can control and manage cookies through your browser settings and, where offered, our cookie consent banner. For EEA visitors, advertising and analytics cookies are not set until you consent. Disabling certain cookies may impact the functionality of our services.

Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information.

Australian privacy rights

Under the Australian Privacy Principles, you have the right to access your personal information, correct inaccurate or incomplete information, request deletion in certain circumstances, and make a complaint to the Office of the Australian Information Commissioner (OAIC).

GDPR rights (EEA residents)

If you are in the European Economic Area, you have the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, withdrawal of consent at any time, and the right to lodge a complaint with your local data protection authority.

California privacy rights (CCPA/CPRA)

California residents have the right to:

• Know what personal information we collect, use, share, or sell;
• Request deletion of personal information;
• Correct inaccurate personal information;
• Opt out of the "sale" or "sharing" of personal information, including sharing for cross-context behavioural advertising;
• Limit the use of sensitive personal information; and
• Not be discriminated against for exercising these rights.

Because we use advertising cookies that share identifiers with platforms such as Meta and Google, this activity may be considered a "sale" or "share" under California law. You can opt out at any time via our cookie consent controls or by contacting us using the details below. Where supported, we honour Global Privacy Control (GPC) browser signals as a valid opt-out request.

Exercising your rights

To exercise any of these rights, contact us using the details in the Contact Information section below. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity first. In some cases we may be unable to fulfil a request due to legal obligations or legitimate business reasons, in which case we will explain why.

Marketing Communications

With your consent, we may send you marketing communications about our services, promotions, and updates. You can opt out at any time by clicking the unsubscribe link in any marketing email or contacting us directly. Even if you opt out of marketing, we may still send transactional or administrative messages related to your use of our services.

Third-Party Links and Services

Our services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties, and we encourage you to review their privacy policies.

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

EU and UK Representatives (GDPR)

Under Article 27 of the GDPR (and the UK GDPR), organisations outside the EEA and UK that offer services to individuals there may be required to appoint a local representative. We are currently reviewing our position on appointing an EU/UK representative and will update this policy with their details if and when one is appointed. In the meantime, EEA and UK residents may contact us directly using the details below, and may lodge a complaint with their local data protection authority.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date, and sending an email notification where appropriate. Your continued use of our services after changes indicates acceptance of the updated policy.

Governing Law and Dispute Resolution

This Privacy Policy is governed by the laws of New South Wales, Australia. Australian residents may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. EEA and UK residents may lodge a complaint with their local supervisory authority.