AUTARA PTY LTD PRIVACY POLICY
Version 1.1 | Effective Date: Platform Launch
1. About This Policy
Autara (ABN 46 299 200 791) ("Autara", "we", "us", "our") operates a two-sided digital marketplace that connects customers with professional car care and detailing merchants across Australia. Our platform is accessible via our mobile applications (iOS and Android) and web interfaces.
This Privacy Policy explains what personal information we collect, why we collect it, how we hold it securely, who we share it with, and the rights you have in relation to that information.
This Policy applies to:
- customers who use the Autara platform to discover, book, and pay for car care services;
- merchants (independent service providers) who register and offer services on the Autara platform; and
- any other individuals who interact with Autara, including visitors to our website or anyone who contacts us.
By using our platform, creating an account, or otherwise providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy.
This Policy should be read alongside our Terms and Conditions. If there is any inconsistency between this Policy and our Terms and Conditions on a privacy matter, this Policy prevails.
2. About Autara
Autara is an Australian sole trader. We operate a marketplace that enables customers to search for, compare, and book car detailing and car care services provided by independent merchant businesses. Merchants on the Autara platform are independent service providers and not employees of Autara.
3. What Personal Information We Collect
3.1 Customers
When you register and use the Autara platform as a customer, we collect:
- Identity information: your first name, last name, and profile photo (if you choose to provide one);
- Contact information: email address and mobile phone number;
- Account credentials: your authentication details, which are managed through our secure identity and access management systems;
- Vehicle information: details of your vehicle(s), including make, model, year, colour, registration, and relevant condition notes you choose to share;
- Booking information: details of services booked, dates, times, the location of the service, any special instructions or notes, and your booking history;
- Payment information: we do not collect or store your full credit card details. Card data is processed entirely by our contracted payment processor. We retain only a secure, tokenised reference to your saved payment method and your transaction status;
- Communications: messages sent through our in-app chat system with merchants;
- Reviews and ratings: star ratings and written reviews you submit about merchants, which display your first name alongside the review (see Section 8);
- Device and usage information: device identifiers, push notification tokens, operating system, app version, and in-app activity logs; and
- Location information: the service address you provide for mobile detailing appointments. We do not continuously track your device location.
3.2 Merchants
When you register and use the Autara platform as a merchant, we collect:
- Identity information: owner first name, last name, and owner email address;
- Business information: trading name, business address, Australian Business Number (ABN) — which we verify against the relevant government register — public liability insurance details, and other verification documents;
- Sensitive information — Photo Identity Document: as part of our merchant verification process, we collect a government-issued photo ID (such as a driver's licence or passport). This constitutes sensitive information under the Privacy Act 1988. We collect it only with your express consent, via a dedicated consent screen before upload. See Section 4 for full details;
- Contact information: business address, owner phone number, and owner email;
- Service catalogue information: descriptions, pricing, duration, and add-ons for the services you offer, along with portfolio images;
- Location information: your business address and the geographic area in which you operate. This location data is used to enable proximity-based searches by customers;
- Financial information: your linked payment processor account identifier and onboarding status. We do not store your bank account or payout details directly;
- Availability and scheduling information: your nominated business hours and concurrent job capacity;
- Operational data: booking history, earnings data, average rating, and customer reviews received;
- Communications: messages exchanged with customers via in-app chat;
- Device and usage information: device identifiers, push notification tokens, operating system, and app version; and
- Marketing preferences: whether you have opted in to receive marketing communications from Autara.
3.3 Website and App Visitors
If you visit our website or app without creating an account, we may collect:
- Technical data: IP address, browser type and version, device type, operating system, and referral URL;
- Usage data: pages visited, time on page, navigation paths, and session duration; and
- Cookie data: as described in Section 13.
3.4 Unsolicited Personal Information
If we receive personal information about you that we did not solicit (for example, through an in-app chat message that contains details about a third party), we will assess whether we could have lawfully collected that information. If we could not have, we will destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
4. Sensitive Information
4.1 Merchant Photo Identity Document
We collect your photo identity document only with your express consent and for the sole purpose of verifying your identity before you are approved as an active merchant on the platform.
Our photo ID handling practices include:
- Collection method: photo ID is uploaded directly by you via a secure, encrypted upload link and stored in a private, access-controlled environment that is not accessible to the public or to other platform users;
- Review: authorized personnel will review your photo ID;
- Audit trail: all access to your photo ID is logged and audited. Access is restricted to authorized personnel on a strict need-to-know basis;
- Retention: once you become an active merchant on the platform, your photo ID document will be automatically deleted as soon as reasonably practicable after your merchant status becomes active; and
- No further disclosure: your photo ID will not be shared with customers, third parties, or other merchants. It is accessed internally solely for identity verification purposes.
4.2 Location Data
Geographic location coordinates are used in connection with our proximity-based search feature. When a customer searches for nearby merchants, our platform queries merchant service areas based on the business address provided during onboarding. This location is used solely to surface relevant search results to customers. We do not continuously track the GPS location of any user's device.
5. How We Collect Personal Information
5.1 Directly from You
Most of the personal information we collect is provided directly by you when you:
- create an account on the Autara platform;
- complete the merchant onboarding process (including business number submission, document upload, and availability setup);
- make or manage a booking;
- complete your customer profile, including saving vehicle details;
- communicate with merchants or Autara support through in-app chat or email;
- submit a review or rating;
- contact us with a query or complaint; or
- subscribe to or interact with our marketing communications.
5.2 Automatically
We automatically collect certain information when you use our app or website, including:
- device information and push notification registration tokens when you enable notifications;
- in-app activity logs (for example, which screens you visit, which services you view, and booking actions you take);
- cookies and similar technologies — see Section 13; and
- IP address and browser or device metadata when you access our web services.
5.3 From Third Parties
We may receive personal information from third parties in the following circumstances:
- Government business registers: we query the relevant Australian government register to verify business number details provided by merchants during onboarding;
- Payment processors: when you connect your merchant payout account, our contracted payment processor provides us with your account status and payout enablement information;
- Social login providers: if you choose to sign in using a supported third-party identity provider (such as Google or Apple), that provider shares a name, email address, and unique identifier with us for authentication purposes; and
- Other users: customers may provide information about a third party (for example, a vehicle owner's contact details) through the booking process. We collect and handle that information in accordance with this Policy.
6. Why We Collect, Hold, Use, and Disclose Personal Information
6.1 Customers
We use customer personal information to:
- create and manage your account on the platform;
- process and manage your bookings, including communicating booking status updates;
- facilitate in-app chat between you and your chosen merchant;
- process payments for services through our contracted payment processor;
- display your first name alongside any reviews you submit (with a 24-hour publication delay — see Section 8);
- provide customer support and respond to complaints or queries;
- send you transactional notifications (booking confirmations, status updates, payment receipts) via push notification, email, and SMS;
- send you marketing communications about Autara's services and offers, where you have provided consent (see Section 12);
- improve the platform through aggregate analytics and usage data;
- comply with applicable laws and regulations, including tax obligations; and
- detect, investigate, and prevent fraud, security incidents, or misuse of the platform.
6.2 Merchants
We use merchant personal information to:
- create, verify, and manage your merchant account and business profile;
- verify your identity, business number, and public liability insurance;
- display your public profile, services, portfolio, ratings, and operating area to customers searching the platform;
- process bookings and manage your booking calendar;
- facilitate in-app chat with customers regarding bookings;
- process earnings and facilitate payouts through your connected payment processor account;
- generate invoices (auto-generated on booking completion, and merchant-initiated manual invoices);
- provide you with an earnings dashboard and booking analytics;
- maintain an aggregated view of your customer relationships — for example, repeat booking counts and service history — which is visible to you within your merchant dashboard;
- send you transactional notifications (new bookings, status changes, payout confirmations);
- send you marketing communications where you have opted in;
- screen user-uploaded images using automated content moderation tools to ensure platform safety;
- comply with applicable legal obligations including tax record keeping; and
- detect, investigate, and prevent fraud or misuse of the platform.
6.3 Basis for Collection, Use, and Disclosure
We collect, use, and disclose personal information in accordance with the Australian Privacy Principles. In particular:
- we only collect personal information that is reasonably necessary for our functions or activities (APP 3.2), such as operating the marketplace, processing bookings, and facilitating payments;
- we use and disclose personal information for the primary purpose for which it was collected, or for a related secondary purpose that you would reasonably expect (APP 6.2(a));
- where we collect sensitive information (such as your photo ID), we do so only with your express consent and for the specific purpose disclosed at the time of collection (APP 3.3);
- we obtain your consent before using your personal information for direct marketing purposes (APP 7.1); and
- we collect, use, or disclose personal information where required or authorised by or under an Australian law or a court or tribunal order (APP 6.2(b)).
7. How We Hold and Protect Personal Information
7.1 Storage and Infrastructure
Autara's data is stored within secure cloud hosting facilities located primarily in Australia. Our platform infrastructure includes:
- Secure cloud hosting: our services are deployed within enterprise-grade cloud infrastructure with physical and logical security controls;
- Database management: customer and merchant data is stored in a managed, access-controlled relational database with role-based access permissions;
- File storage: documents and media are stored in private, access-controlled cloud storage. Only media approved for public display is served via a content delivery network; and
- Identity and access management: separate, isolated authentication environments are maintained for customers, merchants, and administrators.
7.2 Security Measures
We implement industry-standard security measures appropriate to the nature and sensitivity of the information we hold, including:
- Encryption in transit: all data transmitted between our applications, APIs, and storage systems is protected using industry-standard TLS encryption;
- Encryption at rest: data stored within our cloud infrastructure is encrypted at rest using industry-standard encryption;
- Access controls: all platform APIs require authenticated access. Administrative access to sensitive data is subject to strict access controls and audit logging;
- Audit logging: all access to sensitive documents and records is logged and monitored;
- Principle of least privilege: each system component is granted only the minimum permissions necessary for its specific function; and
- Content moderation: user-generated images are screened by automated content moderation tools before being approved for display on the platform (see Section 9).
7.3 Data Retention
We keep your personal data only for as long as we need it to fulfill the reasons it was collected, to meet our legal obligations, or to protect our legal rights.
To determine the appropriate retention period, we consider:
- Legal and regulatory requirements
- Time limits for legal action
- Our need to defend against potential disputes
- Industry best practices
- Our operational business needs
Once your data is no longer needed, we will securely delete, destroy, or anonymize it in accordance with applicable laws.
8. Reviews and User-Generated Content
When you submit a review and star rating about a merchant's service, the following applies:
- Your first name will be displayed publicly alongside your review. Your last name and other contact details will not be displayed;
- Reviews may be subject to a publication delay before appearing on the merchant's public profile. This delay allows time for moderation if required;
- Reviews are retained for the life of the merchant's active profile. If you request deletion of your account, your review content will be de-identified (your first name removed) but the rating and review text may remain;
- You should not include personal information about yourself or others in your review text; and
- Autara reserves the right to moderate or remove reviews that violate our Community Guidelines.
9. Automated Content Moderation
To maintain a safe and trustworthy marketplace environment, Autara uses automated third-party content moderation tools to scan user-uploaded images for inappropriate content. This applies to all images submitted to the platform, including merchant profile images, cover images, service gallery photographs, and portfolio media.
When you upload an image, it is automatically analysed by our content moderation service to detect potentially inappropriate or harmful content. Images that are identified as containing such content may be automatically rejected or flagged for review by an Autara administrator before being published on the platform. Images that pass moderation without flags are approved and published.
We retain metadata about moderation outcomes (including any detected content categories) for audit and platform safety purposes. We do not use moderation data for any purpose other than maintaining platform safety and reviewing appeals.
If you believe an image has been incorrectly rejected or moderated, you may contact us to request a manual review.
For clarity, your verification documents (ABN, insurance certificates, photo IDs, and professional certifications) are excluded from this automated moderation.
9.1 Automated Decision-Making Transparency
In accordance with the Privacy Act 1988 (Cth), Autara discloses the following information about decisions that are made, or substantially assisted, by computer programs using personal information.
Decisions made solely by a computer program:
Image moderation — when you upload an image to the platform (such as a profile photo, service gallery image, or portfolio media), it is automatically analyzed by our content moderation service. Images that exceed the moderation confidence threshold for inappropriate or harmful content are automatically rejected without human intervention. This decision directly affects your ability to publish content on the platform.
Decisions substantially assisted by a computer program:
Flagged image review — images that are identified by the content moderation service as potentially inappropriate, but fall below the automatic rejection threshold, are flagged and routed to an Autara administrator for manual review. The administrator makes the final decision to approve or reject the image, informed by the automated analysis.
Types of personal information used:
User-uploaded images, together with associated metadata.
10. Disclosure of Personal Information
10.1 Within the Platform
Certain personal information is shared between platform participants as a necessary part of the marketplace experience:
- When a customer books a service, the merchant receives the customer's first name, last name, vehicle details, service address (for mobile services), booking notes, and contact information necessary to perform the service;
- When a merchant's profile is listed publicly, customers can view the merchant's business name, trading area, services, portfolio images, aggregate ratings, and reviews; and
- In-app chat messages are visible to both the customer and the merchant involved in the booking.
10.2 Third-Party Service Providers
We engage trusted third-party service providers to assist us in operating the platform. These providers are engaged on terms that require them to protect your information and use it only for the purposes for which it was shared. Our service providers operate within the following categories:
| Service Category | Purpose |
|---|---|
| Payment processing | Our contracted payment processor handles the collection of payment card details directly from customers and the disbursement of merchant earnings. We do not receive or store your full card number. Our payment processor is Stripe, Inc. (USA), which we name separately given the direct financial relationship it has with platform users. |
| Cloud infrastructure and hosting | Secure hosting of our platform infrastructure, including compute, access management, file storage, and content delivery, within cloud facilities located primarily in Australia. |
| Database management services | Managed storage of platform data within a secure, access-controlled relational database environment hosted in Australia. |
| Push notification services | Delivery of transactional and service notifications to your mobile device. |
| Address and geolocation services | Address autocomplete and geographic validation during onboarding and booking flows. |
| Email and SMS communications | Delivery of account-related email and SMS messages, including authentication codes, booking confirmations, and system notifications. |
| Automated content moderation services | Screening of user-uploaded images for inappropriate content to maintain platform safety. |
| Business number verification services | Verification of merchant Australian Business Numbers against the relevant government register. |
10.3 Payment Information
All payments on the Autara platform are processed by Stripe, Inc., our contracted payment processor. When you make a payment, your card details are entered directly into Stripe's secure payment interface — they are not transmitted to or stored on Autara's systems. Autara receives only a tokenized reference to your saved payment method and your transaction status.
Merchant payouts are processed by Stripe directly to the merchant's nominated bank account. Autara receives payout status and earnings totals, but does not hold merchant bank account details.
10.4 Legal and Regulatory Disclosures
We may disclose personal information where required or permitted by law, including:
- to comply with a court order, subpoena, or other legal process;
- to a regulatory body or law enforcement agency, including the Office of the Australian Information Commissioner (OAIC), the Australian Taxation Office, or the Australian Securities and Investments Commission;
- to prevent or investigate suspected fraud, illegal activity, or a serious threat to the safety of any person; or
- where otherwise permitted by the Privacy Act 1988 (Cth).
10.5 Business Transfers
In the event that Autara enters into a merger, acquisition, asset sale, or restructure, personal information may be disclosed to the relevant counterparties as part of due diligence, and transferred to the successor entity. We will notify affected users of any material changes to how their information is handled in that context.
10.6 Third-Party Mapping and Location Services
To enable core platform features, such as searching for nearby Autara merchants, we utilise third-party mapping APIs provided by Google Maps. When you grant Autara permission to access your device's location, your location data (which may include coarse or precise coordinates, depending on your device settings) is transmitted to these providers to render maps and calculate distances.
We do not track your background location when the app is closed.
Your use of these mapping features is subject to the respective providers' privacy policies. For more information, please review the Google Privacy Policy (https://policies.google.com/privacy).
11. Cross-Border Disclosure of Personal Information
Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient handles that information in a manner consistent with the Australian Privacy Principles, including through enforceable contractual arrangements that require the overseas recipient to comply with standards consistent with the APPs and reliance on applicable data protection certifications held by those providers.
| Recipient | Country | Nature of Disclosure |
|---|---|---|
| Payment Processors | United States | Payment card processing and merchant payout facilitation. Separately named as the financial processor given the direct payment relationship with platform users. |
| Cloud infrastructure providers | United States (with primary data hosting in Australia) | Certain cloud platform services, including content moderation and notification delivery, involve processing by or through infrastructure operated by overseas providers. |
| Geolocation and address services | United States | Address geocoding and autocomplete queries during onboarding and booking flows. |
| Push notification services | United States | Routing of push notification messages to customer and merchant mobile devices. |
| Administrative, Development and Support Operations | Sri Lanka | Authorized personnel access for the purposes of platform development, maintenance, database administration, and customer support. |
12. Marketing Communications
Autara may send you marketing communications about our platform, new features, promotions, and related services.
Customers: you will only receive marketing emails and push notifications where you have provided your consent during account registration or subsequently. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by updating your notification preferences in the app.
Merchants: you may opt in to marketing communications during onboarding or via your account settings.
In accordance with the Spam Act 2003 (Cth), Autara will action all unsubscribe requests within 5 business days of receipt. Unsubscribe mechanisms included in marketing messages will remain functional for a minimum of 30 days from the date of sending. We will only send commercial electronic messages to you with your express or inferred consent as defined under the Spam Act 2003 (Cth).
13. Cookies and Tracking Technologies
Our web-based interfaces may use cookies and similar tracking technologies to:
- maintain your session and authentication state;
- remember your preferences and settings;
- analyse usage patterns and improve the platform; and
- support secure authentication flows.
We do not use cookies to display third-party advertising or to sell your information to advertisers.
Most browsers allow you to control cookie settings. Disabling cookies may affect your ability to use certain features of our platform, particularly authentication and session management.
Our mobile applications use device-level notification identifiers for the delivery of push notifications. These identifiers are stored securely and used solely for notification routing purposes.
14. Government Related Identifiers
We collect Australian Business Numbers (ABNs) from merchants for the purpose of verifying that they operate a legitimate business. We use ABNs only for:
- verification against the relevant Australian government business register;
- display on invoices generated by the platform; and
- compliance with applicable tax and financial reporting obligations.
We do not use government-issued identifiers as primary account identifiers within our internal record-keeping systems. We do not share ABNs with any third party other than for verification and legally required tax-related disclosures.
15. Children's Privacy
The Autara platform is a commercial marketplace designed for adult vehicle owners and independent business operators. The platform is not directed at children under the age of 18. We do not knowingly collect personal information from children.
Account registration requires a verified email address, phone number, and the ability to enter into binding payment and service agreements. If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete that information as soon as practicable.
Parents or guardians who believe a child's information may have been collected should contact our Privacy Officer using the details in Section 24.
16. Quality of Personal Information
We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant, having regard to the purpose for which it is held. You can help us maintain the quality of your information by keeping your account details current and notifying us of any changes.
17. Anonymity and Pseudonymity
Under APP 2, individuals must generally have the option to interact with an APP entity anonymously or using a pseudonym, where lawful and practicable.
Customers: you may browse the Autara platform and view publicly listed merchants and services without creating an account or identifying yourself. However, to create a booking, you must create an account and provide a verified email address and phone number. Anonymous use is not practicable for booking transactions, as we need to identify you to process payments, communicate booking status, and resolve disputes.
Merchants: given the nature of the verification requirements (including business number verification, photo ID, and payment onboarding), it is not practicable for merchants to operate on the platform anonymously or pseudonymously.
18. Access to and Correction of Your Personal Information
18.1 Your Right of Access
To submit an access request, please contact us using the details in Section 24.
We will respond to your request within 30 days. In some circumstances, we may be permitted by law to refuse access (for example, where providing access would unreasonably impact the privacy of other individuals, or where the information is subject to legal privilege). If we refuse access, we will provide written reasons.
18.2 Download My Data
Autara provides a self-service "Download My Data" feature within the platform. This allows you to export a structured copy of the personal information we hold about you, including your profile data, booking history, and vehicle records. This feature is accessible from your account settings.
18.3 Your Right to Correction
You have the right to request correction of personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. You may update most of your profile information directly within the app. For information you cannot update yourself, please contact us and we will assist.
To request access or correction, please contact our Privacy Officer using the details provided in Section 24.
19. Account Deletion
You have the right to request the deletion of your Autara account and associated personal data at any time. To accommodate this, we provide the following accessible methods:
In-App Deletion:
You can delete your account directly within the Autara mobile application by navigating to your Account Settings / Profile and selecting "Delete Account".
Web / Support Deletion:
If you no longer have the app installed, you may request account deletion via our web portal or by contacting our Privacy Officer using the details provided in Section 24.
On receipt and confirmation of a valid deletion request:
- Your active profile, login credentials, and identifying personal information will be permanently deleted or de-identified within 30 days;
- Certain information may be retained beyond this period where we are legally required to do so (for example, tax records, completed booking records, and invoices — see Section 7.3);
- Where retained records relate to completed transactions, your personal details will be de-identified at the field level. This ensures the financial transactional record is preserved for tax compliance, but is no longer linked to an identifiable person; and
- Reviews you have submitted will be de-identified (your name will be removed) but may continue to be displayed on the platform as anonymous reviews.
20. How to Make a Privacy Complaint
20.1 Complain to Us First
If you have a concern about how we have handled your personal information, we encourage you to contact us in the first instance. We take all privacy complaints seriously and aim to resolve them promptly and fairly.
To lodge a complaint, please contact our Privacy Officer using the details provided in Section 24.
We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days. If additional time is required, we will keep you informed of progress.
20.2 Escalation to the OAIC
If you are not satisfied with our response, or if you believe we have not resolved the matter within a reasonable time, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Website: http://www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
21. Third-Party Links and Services
Our platform may contain links to third-party websites or integrate with third-party services (such as social sign-in via supported identity providers). This Privacy Policy does not apply to those third-party services. We encourage you to read the privacy policies of any third-party services you use in connection with our platform.
22. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our information handling practices, legal obligations, or platform features. The effective date at the top of this document will be updated when changes are made.
If we make material changes to the way we handle your personal information, we will notify you via email or through a prominent notice within the platform before the changes take effect. We encourage you to review this Policy periodically.
Your continued use of the Autara platform after any update to this Policy constitutes your acknowledgement of the updated terms.
23. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the Commonwealth of Australia, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs 1–13) as administered by the Office of the Australian Information Commissioner (OAIC).
To the extent that any dispute or claim arises in connection with this Privacy Policy or our handling of your personal information, the parties agree that such dispute or claim is subject to the exclusive jurisdiction of the courts of the State of Victoria, Australia, without prejudice to the right of either party to seek injunctive or other equitable relief in any competent jurisdiction.
Nothing in this clause limits your rights to lodge a complaint with the OAIC or to seek an alternative remedy under applicable Australian privacy legislation.
24. Contact Us
For any questions, requests, or concerns about this Privacy Policy or how we handle your personal information, please contact:
Autara
Privacy Officer:
Email: privacy@autara.au
Address: U24, 234 Warrigal Rd, Camberwell, VIC 3124, Australia
ABN: 46 299 200 791