Privacy policy

Scannable is a product of IDP Solutions Pty Ltd, a company incorporated in Australia. In this policy, “we”, “us”, and “our” refer to IDP Solutions Pty Ltd. “You” refers to the person or organisation using Scannable or visiting our websites.

You can contact our privacy officer at info@idpsolutions.com.au.

This policy applies to:

• The scannable.au marketing website.
• The Scannable customer portal at portal.scannable.au.
• QR redirect domains that you connect to your Scannable tenant (including custom domains you own).
• The Scannable API and MCP (Model Context Protocol) connector used by AI assistants you authorise.

We only collect personal information that we need to deliver the service to you. This generally falls into the following categories.

Account and billing information

Your name, email address, organisation name, and billing details required to create and run your account. Payment card details are captured directly by our payment processor and are not stored on our servers.

QR code content you create

The destination URLs, labels, logos, and other content you upload or configure in your tenant. This content belongs to you; we process it to provide the service.

Scan telemetry

When someone scans one of your QR codes, we log the timestamp, a coarse location derived from the IP address (typically country or region), the user agent, and the referrer. We do not attempt to identify individual scanners or build profiles of them, and we do not sell this data.

Support and communications

If you email us or contact support, we keep a record of that correspondence so we can help you and improve the service.

Cookies and similar technologies

We use a small number of cookies for login sessions, your theme preference, and privacy-respecting analytics. See section 10 below.

Under APP 6, we use personal information for the primary purpose of providing the Scannable service, and for related secondary purposes you would reasonably expect, including:

• Creating and managing your account, and authenticating you.
• Generating QR codes, redirecting scans, and reporting scan analytics to you.
• Issuing invoices and processing payments.
• Keeping the service secure, detecting abuse, and investigating incidents.
• Improving and developing features, using aggregated or de-identified data where possible.
• Sending service communications (for example, outages, security notices, or important account changes).
• Meeting our legal and regulatory obligations in Australia.

We only send marketing emails to people who have consented, as required by the Spam Act 2003 (Cth). Every marketing email includes a working unsubscribe link, and you can also email info@idpsolutions.com.au at any time to opt out. Service and billing communications are not marketing and cannot be unsubscribed from while your account is active.

We do not sell personal information. We share it only with service providers who help us run Scannable, and only to the extent they need to perform their service. These include:

• Hosting: our primary application and database are hosted in Australian regions of reputable cloud providers.
• Payments: Stripe processes payments and stores cardholder data on our behalf. Stripe operates in Australia and the United States.
• Email delivery: a transactional email provider is used to send sign-in, billing, and service emails.
• AI assistants and MCP: if you connect an AI assistant (for example, Claude or ChatGPT) to your tenant, that assistant receives only the data you authorise it to access, using credentials you can revoke at any time.
• Professional advisers and authorities: we may disclose information where required by Australian law, a court order, or to protect our rights.

Under APP 8, where a service provider is located outside Australia, we take reasonable steps to ensure they handle your information consistently with the APPs, through contractual terms and recognised privacy frameworks.

Your tenant data, QR codes, and scan logs are stored in Australia. We encrypt data in transit using TLS and at rest on our database and object storage. Access to production systems is limited to authorised personnel and protected by multi-factor authentication and role-based access control.

We follow the Notifiable Data Breaches (NDB) scheme. If a data breach is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

We keep personal information only for as long as we need it:

• Account data is retained while your account is active.
• After you cancel, we keep account and billing records for a reasonable period to meet Australian tax and accounting obligations (typically up to seven years).
• Raw scan telemetry is kept for a limited rolling window and then deleted or aggregated into non-identifying statistics.
• Backup copies are retained on a short, rotating schedule and then overwritten.

You can request earlier deletion of your account data at any time by emailing info@idpsolutions.com.au, subject to any legal records we are required to keep.

Under APPs 12 and 13, you can ask us to:

• Confirm what personal information we hold about you and give you a copy.
• Correct information that is inaccurate, out of date, incomplete, or misleading.
• Delete your account and associated personal information, subject to legal retention requirements.
• Explain how we have handled your information.

To make a request, email info@idpsolutions.com.au. We will respond within 30 days. There is no charge for making a request, though we may charge a reasonable fee for unusually large or complex access requests.

Scannable uses a small number of cookies and similar technologies to:

• Keep you signed in to the customer portal.
• Remember preferences such as your light or dark theme.
• Understand how the marketing site is used, in aggregate, so we can improve it.

You can clear or block cookies using your browser settings. Blocking cookies may affect your ability to sign in to the portal.

Scannable is a business tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

We may update this policy from time to time. When we do, we will update the effective date at the top of this page. If the changes are significant, we will take reasonable steps to tell account holders by email or through the portal before they take effect.

If you have a privacy question or complaint, please email us first at info@idpsolutions.com.au. We aim to acknowledge complaints within 7 days and to resolve them within 30 days.

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.