Privacy.

Home Owners Club (HOC) is operated by Home Owners Club Pty Ltd, an Australian company. We respect your privacy and handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. What we collect

• Account data: email address, age verification status (we don't accept under-18s), display name.
• Payment data: handled by Stripe — we never see your card details. We see only your customer ID + subscription status.
• Planning data you upload: property addresses you query, documents you upload (survey, architectural plans, consultant reports), drafts we generate for you, saved checklist progress.
• Engagement data: tasks completed in checklists, snapshots run, friend invites, draw entries earned.
• Technical data: IP address (logged on auth requests + abuse-detection), user agent, session timestamps.

2. Why we collect it

• To run your account and deliver the planning services you've purchased.
• To draft planning documents — your inputs become the source of the cited compliance map we return.
• To calculate draw entries and confirm prize-winner identity if you win.
• To contact you about the draws you're entered into and material regulatory changes affecting your saved addresses.
• To meet our statutory obligations under the NSW Liquor & Gaming Trade-Promotion Lottery permit conditions.

3. Who can see your data (and where)

We use a small number of vetted processors. Each has a contract with us governing how they handle your data:

• Stripe (United States): payment processing under PCI-DSS and Australian Financial Services Licence (AFSL).
• AWS — Sydney region (ap-southeast-2): primary data storage and document upload storage. Pinned to Australia.
• Anthropic Claude API (United States): AI drafting + extraction. We de-identify personal information from documents before sending to Claude where reasonably practicable.
• Google (United States): Google Places autocomplete for property addresses; queries pass through Google's servers.
• Paubox (United States): transactional email delivery.
• Authorised HOC staff: small team operating under written confidentiality + privacy obligations.
• NSW Liquor & Gaming and equivalent state gaming regulators: on audit demand only.

Cross-border disclosure: by submitting personal information you consent to disclosure to the overseas recipients listed above. We take reasonable steps to ensure they handle your information in compliance with the APPs.

4. How long we keep it

• Active accounts: for as long as you remain a member, plus 7 years of audit-log retention as required under gaming permit conditions.
• Project documents: 12 months after project completion, then deleted unless you ask us to keep them longer for ongoing reference.
• Draw entries: 7 years after the relevant draw closes (statutory record).
• Snapshot lookups: 90 days, then anonymised.
• Marketing-consent log: until you opt out, then 7 years to evidence the opt-out for the Spam Act.

5. AI and automated decision-making

We use AI (Anthropic's Claude) to draft planning documents, summarise consultant reports, and identify gaps against applicable regulations. AI output is presented as a draft for your review — it does not make binding decisions about you. We document which prompts produced which sections of which documents (the "AI-usage audit trail") so the output is defensible if you choose to lodge it. You can request a copy of the audit trail at any time.

6. Your rights

• Access: request a copy of the personal information we hold about you (free, within 30 days).
• Correction: ask us to correct any inaccurate information.
• Deletion: close your account from /me/account. We'll retain the statutory minimum (gaming-permit audit logs) and delete the rest.
• Marketing opt-out: unsubscribe link in every marketing email; granular controls in /me/preferences.
• Property suppression: if you have a safety reason to suppress a property from our records, contact us directly.
• Complaints: email [email protected]. If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

7. Data breach notification

We comply with the Notifiable Data Breaches scheme under the Privacy Act. If a breach is likely to cause serious harm, we will notify you and the OAIC within the 30-day statutory assessment window.

8. Cookies + tracking

We use a small number of essential cookies (session, CSRF protection). For analytics we use PostHog with IP truncation. You can decline non-essential cookies via our consent banner. We don't use third-party advertising trackers.

9. Contact

Privacy Officer: [email protected]
Home Owners Club Pty Ltd
ABN: TBA (to be added on incorporation completion)
Registered office: Australia

This policy may be updated from time to time. Material changes will be communicated by email and in-app notice.