Privacy Policy

Last updated: 2026-05-10

1. Who we are

Popora (“we”, “us”, “our”) operates the website popora.app and the related Service.

Data controller: Popora Limited
Contact: privacy@popora.app

2. What information we collect

2.1 Information you provide

  • Account information: name, email, password, role (vendor/organizer/admin), language preference.
  • Profile information: business name, ABN/NZBN, address, phone, business type, menu items (for vendors), event details (for organizers).
  • Documents: insurance certificates, licenses, ABN registration, identity proofs uploaded for verification.
  • Payment information: processed and stored by Stripe (PCI-DSS compliant). We never store full card numbers.
  • Communications: messages exchanged between vendors and organizers, support tickets.

2.2 Information collected automatically

  • Usage data: pages visited, actions performed, IP address, browser, device type.
  • Cookies: see our Cookie Policy for details.

3. How we use your information

We process personal data for the following purposes:

  • Operate and improve the Service.
  • Verify documents (manually or via AI-assisted analysis using Anthropic Claude).
  • Process payments via Stripe.
  • Send transactional emails (welcome, application updates, payment receipts) via Resend.
  • Send marketing emails — only with your explicit consent and only until you opt out.
  • Comply with legal obligations.
  • Prevent fraud and abuse.

4. Legal basis (GDPR & Australian Privacy Principles)

We rely on the following legal bases:

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interest — to improve the Service and prevent fraud.
  • Consent — for marketing emails and non-essential cookies (analytics, advertising).
  • Legal obligation — to comply with tax, accounting and law-enforcement requirements.

5. Sharing of information

We share data with the following categories of recipients:

  • Other users — when you apply to an event, the organizer sees your profile and documents. When you receive a vendor application, you see their profile.
  • Service providers (sub-processors):
    • Supabase (database & authentication, EU/AU regions).
    • Stripe (payment processing).
    • Anthropic (AI document verification — only document content is sent, no account data).
    • Resend (transactional emails).
    • Vercel (hosting).
    • Google Analytics, Meta Pixel (analytics — only with your consent).
  • Legal authorities — when required by law or to protect rights.

We never sell your personal data to third parties.

6. International transfers

Some of our service providers operate outside Australia (notably in the EU and US). When we transfer personal data internationally, we use Standard Contractual Clauses or rely on adequacy decisions where applicable.

7. Retention

  • Account data: kept while your account is active, then for up to 30 days after a deletion request.
  • Transactional data (payments, contracts): kept for 7 years for tax and accounting reasons.
  • Communications: kept while your account is active.
  • Marketing consent: kept until you withdraw it.

8. Your rights

You have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Request deletion (“right to be forgotten”) — available in Settings → Delete account.
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

To exercise these rights, contact privacy@popora.app.

9. Security

We use encryption in transit (TLS), encryption at rest (Supabase managed Postgres), row-level security, rate limiting and regular dependency audits. No system is 100% secure, but we strive to follow industry best practices.

10. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

11. Changes to this Policy

We may update this Policy. The updated version will be posted with a new “Last updated” date. Material changes will be communicated by email.

12. Contact

For any privacy-related question: privacy@popora.app