1. Introduction
Haulo Pty Ltd ("Haulo", "we", "us", or "our") operates the Haulo live shopping marketplace, including our website at haulo.shop and our mobile application (collectively, the "Platform").
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform. We are committed to protecting your privacy and complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily provide when using the Platform:
- Account Information: Name, email address, and profile picture when you create an account via Apple, Google, or Facebook sign-in.
- Seller/Supplier Profile: Business name, bio, tax ID, country, region, and business type if you register as a Seller or Supplier.
- Tax Reporting Information (SERR): Legal name, date of birth, residential address, and Australian Business Number (ABN). This information is required from Sellers and Suppliers for compliance with the Australian Taxation Office (ATO) Sharing Economy Reporting Regime (SERR). See Section 3 for details on how this data is used.
- Content Reports: Report category (e.g., illegal content, misleading claims, harassment, unsafe products, inappropriate content), description, and details of the reported content when you submit a report about a livestream, product, chat message, or another user.
- Shipping Addresses: Full name, street address, city, state, postal code, country, and phone number for order delivery.
- Payment Information: Payment card details are collected and processed by our payment processor, Stripe. We store only a reference ID, card brand, last four digits, and expiry date for your convenience. We never store full card numbers.
- User Content: Product reviews, ratings, review images, chat messages during livestreams, and any other content you submit through the Platform.
- Affiliate Applications: Audience size, social media platforms, niche, and social media links when applying to become an affiliate.
- Communications: Any messages or correspondence you send to us directly.
2.2 Information Collected Automatically
When you use the Platform, we automatically collect certain information:
- Device Information: Device type, operating system, and push notification tokens (APNs) to deliver notifications to your device.
- Usage Data: Livestream viewership counts, products purchased, sellers followed, and general interaction data to improve the Platform experience.
- Authentication Tokens: Securely hashed session tokens to keep you signed in. These are stored in your device's Keychain and on our servers in hashed form.
2.3 Information We Do Not Collect
- We do not collect precise GPS location data.
- We do not access your device contacts or address book.
- We do not collect health, fitness, or biometric data.
- We do not use third-party analytics or advertising SDKs that track you across other apps or websites.
- We do not collect browsing or search history outside the Platform.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and Operate the Platform: Process account registration, facilitate transactions between Buyers, Sellers, and Suppliers, and deliver the core marketplace experience.
- Process Payments: Facilitate purchases, calculate commissions, process payouts to Sellers and Suppliers, and manage refunds and returns.
- Order Fulfillment: Share shipping addresses with Suppliers to deliver your orders, generate shipping labels, and provide tracking information.
- Notifications: Send push notifications about order updates, livestream alerts, payout confirmations, and other Platform activity you have opted into.
- Seller and Supplier Analytics: Provide Sellers and Suppliers with aggregated sales data, performance metrics, and business insights through their dashboards.
- Safety and Security: Detect and prevent fraud, enforce our Terms and Conditions, and protect the rights and safety of our users.
- Tax Reporting (ATO SERR): Report Seller and Supplier transaction data to the Australian Taxation Office as required under the Sharing Economy Reporting Regime (SERR). This includes bi-annual Taxable Payments Reporting System (TPRS) reports. Tax reporting information (legal name, date of birth, residential address, ABN) is used solely for this regulatory purpose and is not used for marketing.
- Content Moderation: Investigate content reports submitted by users, enforce our community standards and Terms of Service, take action against prohibited content (including terminating livestreams), and maintain a moderation audit trail. Reported livestream recordings may be preserved as evidence for regulatory compliance.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes, including tax reporting obligations.
- Platform Improvement: Understand how users interact with the Platform to improve features, fix issues, and develop new services.
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 With Other Users
- Buyers: Your name and profile picture are visible during livestream chats. Your shipping address is shared with the Supplier fulfilling your order.
- Sellers: Your public profile information (business name, bio, ratings) is visible to Buyers and Suppliers.
- Suppliers: Your business information and product listings are visible to Sellers and Buyers. You receive buyer shipping details for order fulfillment.
4.2 With Service Providers
- Stripe: Our payment processor. Stripe processes your payment information in accordance with their own privacy policy at stripe.com/au/privacy.
- Cloudflare: Our infrastructure provider for hosting, content delivery, video streaming, and data storage. Cloudflare processes data in accordance with their privacy policy at cloudflare.com/privacypolicy.
- Apple Push Notification Service (APNs): To deliver push notifications to your iOS device.
- Resend: Our email delivery provider. Resend processes email addresses and message content to deliver transactional and marketing emails on our behalf, in accordance with their privacy policy at resend.com/legal/privacy-policy.
4.3 For Legal Reasons
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Haulo, our users, or the public. This includes, but is not limited to:
- Reporting Seller and Supplier transaction data to the Australian Taxation Office under the Sharing Economy Reporting Regime (SERR)
- Responding to removal notices or information requests from the eSafety Commissioner under the Online Safety Act 2021 (Cth)
- Cooperating with the Australian Competition and Consumer Commission (ACCC) on product recalls, safety notices, and consumer protection matters
- Complying with court orders, subpoenas, or other lawful government requests
4.4 Business Transfers
If Haulo is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored on Cloudflare's global edge network, which may include servers located outside of Australia. By using the Platform, you consent to the transfer of your data to these locations. Cloudflare maintains appropriate security measures and complies with applicable data protection requirements.
5.2 Security Measures
We implement appropriate technical and organisational measures to protect your personal information, including:
- Authentication tokens are stored as SHA-256 hashes, never in plaintext
- All data transmission uses HTTPS/TLS encryption
- Payment card data is handled entirely by Stripe (PCI DSS Level 1 certified) and never touches our servers
- iOS Keychain is used for secure on-device credential storage
- Database queries use parameterised statements to prevent injection attacks
- All sensitive API endpoints require authentication
While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as necessary to provide our services and fulfil the purposes described in this Privacy Policy. Specifically:
- Account Data: Retained while your account is active. You may request deletion at any time (see Section 9).
- Transaction Records: Retained for a minimum of 7 years to comply with Australian tax and financial reporting requirements.
- Authentication Tokens: Automatically expire after 7 days and are removed from our systems.
- Chat Messages: Livestream chat messages are ephemeral and are not stored permanently. They exist only during the live broadcast.
- Push Notification Tokens: Retained while your account is active. Removed when you log out or delete your account.
- Content Reports: Retained for a minimum of 3 years from the date of the report to comply with regulatory requirements, including the Online Safety Act 2021 (Cth). Reported livestream recordings preserved as evidence are retained for the same period.
- Tax Reporting Information (SERR): Legal name, date of birth, residential address, and ABN are retained for a minimum of 7 years in accordance with ATO record-keeping requirements.
7. Cookies and Tracking
Our mobile application does not use cookies. Our website (haulo.shop) may use essential cookies for basic functionality such as session management. We do not use advertising cookies, tracking pixels, or third-party analytics tools that track your activity across websites or apps.
8. Notification Preferences
We comply with the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) in all our communications.
8.1 Transactional Communications
We send transactional emails and push notifications for essential Platform activity, including order confirmations, shipping updates, payout confirmations, and account security alerts. These communications are sent without requiring opt-in consent, as permitted by the Spam Act for messages that are directly related to a transaction or service you have requested.
8.2 Marketing Communications
We may send marketing emails and push notifications about new features, promotions, livestream recommendations, and other Platform updates. You may opt in or opt out of marketing communications at any time. We will only send marketing communications to users who have provided their consent.
8.3 Managing Your Preferences
You can manage your notification preferences at any time through the app under Profile > Notification Settings. You may separately control email notifications and push notifications. All marketing emails include an unsubscribe link, and all emails from Haulo include our sender identification (Haulo Pty Ltd), ABN, physical address, and a functional unsubscribe mechanism, as required by the Spam Act 2003.
9. Your Rights
Under the Australian Privacy Act and the Australian Privacy Principles, you have the following rights:
9.1 Access
You may request access to the personal information we hold about you. We will respond to your request within 30 days.
9.2 Correction
You may request that we correct any inaccurate or incomplete personal information. You can update most information directly through your account settings.
9.3 Deletion
You may request deletion of your account and associated personal information by contacting us at privacy@haulo.shop. Upon receiving your request, we will delete your data within 30 days, except where retention is required by law (e.g., financial transaction records, SERR tax reporting data, content moderation records).
9.4 Opt-Out of Marketing
You can opt out of marketing emails and push notifications at any time by managing your preferences in the app under Profile > Notification Settings, or by using the unsubscribe link included in every marketing email. You may also opt out of push notifications through your device settings. Opting out of marketing communications will not affect transactional notifications related to your orders, payouts, or account security. See Section 8 for full details on notification preferences.
9.5 Complaints
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at privacy@haulo.shop. We will investigate and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Children's Privacy
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@haulo.shop.
11. Third-Party Links
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you visit.
12. International Data Transfers
As we use Cloudflare and Stripe, your data may be processed in countries outside Australia, including the United States. These providers maintain appropriate safeguards for the protection of your personal information in compliance with applicable privacy laws.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
- Email: privacy@haulo.shop
- Website: haulo.shop
- Postal Address: Haulo Pty Ltd (ABN 14 696 190 897), Sydney, NSW, Australia
Appendix: Apple App Store Privacy Details
The following summarises the data our iOS app collects, as required by Apple's App Store guidelines:
| Data Category | Data Types | Purpose | Linked to Identity |
|---|---|---|---|
| Contact Info | Name, Email Address, Phone Number, Physical Address | App Functionality | Yes |
| Financial Info | Payment Info (via Stripe) | App Functionality | Yes |
| Identifiers | User ID | App Functionality | Yes |
| Purchases | Purchase History | App Functionality | Yes |
| Usage Data | Product Interaction | App Functionality, Analytics | Yes |
| User Content | Reviews, Chat Messages, Photos/Videos | App Functionality | Yes |
| Tax Info | Legal Name, Date of Birth, ABN | App Functionality, Regulatory Compliance | Yes |
None of the above data is used for tracking. We do not use third-party advertising or analytics SDKs.