Privacy Policy
Last updated: 31 March 2026
Ian Blaney ABN 63916898422 ("we", "us", "our") operates the Spesh platform. We are
committed to protecting your privacy and handling your personal information in accordance with
the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).
This policy explains what information we collect, why we collect it, how we use it, and your
rights in relation to it.
1. What Personal Information We Collect
Depending on how you use Spesh, we may collect:
Members (consumers)
- Name and email address (collected at registration)
- Password (stored as a one-way cryptographic hash — we cannot read it)
- Wishlist items and saved specials
- Approximate location (used to show nearby specials — see section 5)
- Which specials you view and how often (stored as anonymous view counts — no device or browser data is retained by us)
- IP address — held temporarily in server memory for login rate-limiting only, never written to our database
Business owners
- Business name, address, suburb, state, and postcode
- Business phone number
- Owner name and email address
- Special/promotion details and uploaded images
- Geographic coordinates derived from your business address (for mapping)
2. How We Collect Information
We collect information:
- Directly from you — when you register, update your profile, or list a business or special.
- Automatically — Google Analytics 4 and Google Tag Manager collect device type, browser, and session data on our behalf when you use the platform. We do not collect this data directly into our own systems.
- From your device — location data, when you grant browser permission.
- From third parties — address geocoding via Geoapify to convert a business address into map coordinates.
3. Why We Collect and Use Your Information
We collect and use personal information to:
- create and manage your account;
- display relevant local specials based on your location;
- allow business owners to list, manage, and promote their specials;
- send transactional emails (e.g. password reset links) via our email provider, Resend;
- analyse platform usage and improve our service;
- detect and prevent fraud, abuse, and security incidents; and
- comply with our legal obligations.
We will not use your personal information for a purpose other than those listed above without
your consent, unless required or authorised by law (APP 6).
4. Cookies and Analytics
Spesh uses cookies and similar technologies for session management and analytics. Specifically:
- Session cookie — a secure, HTTP-only JWT cookie used to keep you logged in.
- CSRF token — a security cookie that protects against cross-site request forgery.
- Google Analytics 4 (GA4) — we use GA4 to understand how users interact with the platform. GA4 may set its own cookies. Data is processed by Google in accordance with their privacy policy. You can opt out via Google's opt-out tool.
- Google Tag Manager — used to manage analytics and tracking tags.
You can control cookies through your browser settings. Disabling cookies may affect the
functionality of Spesh.
5. Location Data
Spesh requests access to your device's location to show you specials near you. Location
access is:
- requested via your browser's standard permission prompt — you can deny or revoke it at any time;
- used only to filter specials to your area; and
- not stored on our servers in identifiable form.
For business listings, we convert the business street address into geographic coordinates
using Geoapify. These coordinates are stored to enable location-based search.
6. Disclosure of Personal Information
We do not sell your personal information. We may disclose it to:
- Service providers — including MongoDB Atlas (database hosting), Cloudflare R2 (image storage), Resend (transactional email), and Geoapify (geocoding), each engaged under contractual obligations to protect your data;
- Google — for analytics via GA4 and Google Tag Manager;
- Law enforcement or regulators — where required or authorised by Australian law; and
- Successors — in the event of a merger, acquisition, or sale of the business, subject to equivalent privacy protections.
Some of these third-party providers may be located outside Australia (including the United
States). Where we disclose personal information overseas, we take reasonable steps to ensure
the recipient handles it in a manner consistent with the APPs (APP 8).
7. Data Security
We take reasonable steps to protect your personal information from misuse, interference,
loss, and unauthorised access, modification, or disclosure (APP 11), including:
- encrypted HTTPS connections across the platform;
- passwords stored using bcrypt hashing — never in plain text;
- HTTP-only, same-site cookies for authentication tokens;
- rate limiting and account lockout on login to prevent brute-force attacks;
- CSRF token validation on all form submissions; and
- access controls limiting database access to authorised services only.
No method of transmission over the internet is completely secure. If you become aware of a
security issue, please contact us immediately at support@speshoffers.com.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to
provide the service. If you close your account, we will delete or de-identify your personal
information within a reasonable time, unless we are required to retain it by law (for
example, for taxation or regulatory purposes).
9. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access — request a copy of the personal information we hold about you (APP 12);
- Correction — request that we correct inaccurate, out-of-date, or incomplete information (APP 13);
- Anonymity — where lawful and practicable, interact with us without identifying yourself; and
- Complaint — lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
To exercise any of these rights, contact us at support@speshoffers.com.
We will respond within 30 days.
10. Children's Privacy
Spesh is not directed at children under the age of 18. We do not knowingly collect personal
information from anyone under 18. If you believe a child has provided us with personal
information, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of
material changes by email or via an in-app notification. The updated policy will take effect
from the date shown at the top of this page. We encourage you to review this policy
periodically.
12. Complaints
If you have a complaint about how we have handled your personal information, please contact
us first at support@speshoffers.com.
We will acknowledge your complaint within 5 business days and respond substantively within 30
days.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
GPO Box 5218, Sydney NSW 2001
This Privacy Policy has been prepared with reference to the Privacy Act 1988 (Cth)
and the Australian Privacy Principles. It does not constitute legal advice. You should seek
independent legal advice if you require it.