Privacy Policy

Last updated: 2026-06-08

1. Who we are

This booking platform (the "Platform") is operated by Active Web Solutions ("AWS", "we", "us", "our"), a sole-trader web agency based in New South Wales, Australia.

AWS is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, hold, use, disclose, and protect personal information when you use the Platform — whether as a member of the public booking an appointment, as a merchant business owner using AWS to take bookings, or as a staff member of such a business.

2. The two roles we play

Many of the businesses you book with (each a "Merchant") use AWS to host their booking page. That gives us two distinct privacy roles:

  • Platform controller. For your own AWS account (if you are a Merchant), for platform audit logs, for payment audit metadata, and for the integrity / security of the Platform overall, AWS is the data controller.
  • Processor for Merchants. When you book an appointment with a Merchant, the personal information you submit (name, contact details, service selection, appointment time) is collected on behalf of that Merchant. The Merchant is the primary controller of that booking record; AWS processes it to deliver the service. Each Merchant is responsible for its own customer-facing privacy practices.

3. Information we collect

3.1 From members of the public booking an appointment

  • Your name.
  • Your email address (optional but recommended for confirmations and reminders).
  • Your phone number (optional, used by the Merchant to contact you about the appointment).
  • The service, staff member (if applicable), and time you select.
  • Any free-text note you add to the booking.
  • Payment details where the Merchant has enabled card payments. Card details are entered directly into a Stripe-hosted Payment Element and are never seen, stored, or processed by AWS. We only store a payment intent identifier, the charge id, the card brand, the last four digits of the card, and the amount paid (in cents).
  • Your IP address and browser user agent (for security, anti-abuse, and audit purposes).

3.2 From Merchants and their staff

  • Business name, contact email, business address, ABN.
  • Login credentials (your password is stored only as an Argon2id hash — we never see the cleartext).
  • Staff names, roles, working hours.
  • Bank account, ABN, identity-verification documents collected by Stripe Express for the merchant's own Stripe Connect account. Those details are submitted directly to Stripe; AWS does not see or store them.

4. Why we collect it

Under APP 3, we only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions. We use the information described above to:

  • Confirm and manage your booking with the Merchant.
  • Send transactional emails — booking confirmations, calendar attachments, payment receipts, reminders, cancellations.
  • Allow the Merchant to view, reschedule, or cancel your booking from their admin dashboard.
  • Process payments via Stripe Connect (direct-charge model — funds flow from your card straight to the Merchant's Stripe account; AWS does not take, hold, or route the money).
  • Keep an audit trail of payment events for the Merchant's tax records and dispute resolution.
  • Operate, secure, and improve the Platform.
  • Meet our legal obligations (e.g. responding to lawful requests from regulators).

5. How we notify you (APP 5)

This Privacy Policy is the primary notice of collection. The collection form on the booking page also identifies the Merchant you are booking with and links back here. If you do not wish to provide information that is marked optional (such as email or phone), you may leave those fields blank — your booking will still be accepted, but the Merchant may have no way to contact you and we cannot send you a confirmation email or reminders.

6. Disclosure to third parties

We share personal information only with the following service providers, and only to the extent necessary to operate the Platform:

  • Stripe, Inc. (payment processing, Stripe Connect, Stripe Express onboarding). Stripe is based in the United States; some Stripe processing occurs in the US. This is a cross-border disclosure under APP 8.
  • Google LLC (Gmail / Google Workspace, used as the SMTP transport for our outbound transactional emails). Email metadata and message bodies pass through Google servers, which may be located outside Australia.
  • Cloudflare, Inc. (R2 object storage, used for nightly encrypted database backups). We configure backups to use Cloudflare's Asia-Pacific (Sydney and Melbourne) regions so backups remain on Australian soil.
  • Fly.io, Inc. (Platform hosting). The Platform runs in Fly's Sydney (SYD) region; the SQLite database file lives on a Sydney-region volume.
  • The Merchant you book with. Booking records you submit are visible to that Merchant's owner, managers, and rostered staff within the Platform's admin surface.
  • Law-enforcement and regulators, where disclosure is required or authorised by Australian law.

We do not sell personal information. We do not share data with marketing partners, advertising networks, or data brokers. We do not run Google Analytics or any other third-party analytics tracker on the booking pages.

7. Cross-border disclosure (APP 8)

As noted above, Stripe and Google process some data in the United States, and Cloudflare R2 is a global service (we choose Australian regions but the underlying provider is a US company). By using the Platform you acknowledge and consent to those overseas disclosures. We take reasonable steps to ensure that overseas recipients handle your information in a manner consistent with the APPs, including by using providers that publish their own equivalent privacy programs and (where available) standard contractual clauses.

8. Security (APP 11)

  • All traffic to the Platform is served over HTTPS / TLS.
  • Owner passwords are hashed with Argon2id — we never store or log the cleartext.
  • Session tokens stored in the database are themselves hashed; the cookie value is the only place the raw token exists.
  • The admin surface is gated by either operator HTTP Basic Authentication or an owner session cookie.
  • Card payment data is handled entirely by Stripe's Payment Element — we are out of scope for PCI-DSS storage requirements because we never receive the card number.
  • The production database lives on a Sydney-region encrypted volume; nightly backups are encrypted at rest in Cloudflare R2.

9. Retention

We do not currently operate an automatic data-retention purge. Booking records, account records, and payment audit entries are retained for the life of the Platform unless deletion is requested in writing under section 11 below. If a Merchant deactivates their profile, their booking data is soft-deleted (hidden from public surfaces) but retained in the database for record-keeping and potential reactivation; we will purge on request.

10. Email communications (Spam Act 2003)

Emails we send you about a specific booking — confirmations, calendar attachments, payment receipts, reminders, cancellation notices — are transactional messages and are not commercial electronic messages under the Spam Act 2003 (Cth). They do not carry an unsubscribe link by design. To stop receiving them you can cancel the underlying appointment using the link in the confirmation email, or contact the Merchant directly. AWS does not send marketing emails to the public through this Platform.

11. Access and correction (APP 12 & APP 13)

You have a right to ask for a copy of the personal information we hold about you, and to ask us to correct anything that is inaccurate, out of date, incomplete, irrelevant, or misleading. Please contact us at Brett@activewebsolutions.com.au. We may need to verify your identity before responding. We aim to respond within 30 days.

If your request relates to information a Merchant collected from you (i.e. a booking record), we will work with that Merchant to action your request, since the Merchant is the primary controller of that record.

12. Data breach notification

AWS complies with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of an eligible data breach involving the personal information of identifiable individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, and in any event within 30 days, in accordance with the scheme.

13. Cookies

We use only the minimum cookies needed for the Platform to function. There are no tracking, advertising, or analytics cookies. The cookies we set are:

  • __bookings_owner_session — your signed-in owner session token. HttpOnly, SameSite=Lax, Secure in production.
  • __bookings_op_mode — a short-lived marker used by the operator entry flow. 60-second lifetime.
  • aws_book_return — remembers the website URL you came from, so the confirmation page can show a "Return to (Business)" button. Scoped to a single booking path; 1-hour lifetime.
  • One localStorage entry (aws_cookie_ack_v1) used to remember that you have dismissed the cookie notice. Not a cookie strictly, but worth disclosing.

14. Children

The Platform is intended for adults. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided personal information to us, please contact us and we will delete the record.

15. Changes to this policy

We may update this policy from time to time — for example, when we introduce a new service provider or a new regulatory requirement applies. Material changes will be reflected in the "Last updated" date at the top of this page. Continued use of the Platform after a change constitutes acceptance of the updated policy.

16. Complaints

If you believe AWS has breached the APPs in handling your personal information, please contact us first at Brett@activewebsolutions.com.au so we can try to resolve the issue. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):

17. Contact

Privacy questions, access requests, correction requests, and complaints should be addressed to: Brett@activewebsolutions.com.au.