Privacy Policy
Last updated: 20 February 2026
1. Introduction
VenueShield ("we", "us", "our") is an Australian venue compliance software-as-a-service (SaaS) platform that helps hospitality venues track staff certifications, licence expiry dates, and compliance records. We are committed to protecting the privacy and security of the personal information we collect and handle.
This Privacy Policy explains how we collect, use, disclose, store, and otherwise handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the European Union General Data Protection Regulation (GDPR) for any users located in the European Economic Area (EEA) or the United Kingdom.
By accessing or using VenueShield at venueshield.au, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, please do not use our services.
2. Who We Are
VenueShield is operated by VenueShield, an Australian business. For the purposes of this Privacy Policy and applicable data protection laws, VenueShield is the data controller responsible for your personal information.
If you have any questions about this Privacy Policy or our privacy practices, you can contact us at:
- Email: support@venueshield.au
- Website: venueshield.au
3. Information We Collect
We collect personal information that is reasonably necessary for, or directly related to, the provision of our services. The types of information we collect depend on your interaction with VenueShield and fall into the following categories:
3.1 Account and Organisation Information
When you create an account or register your organisation with VenueShield, we collect:
- Full name
- Email address
- Phone number (if provided)
- Organisation name and details
- Authentication credentials (managed securely by our authentication provider, Clerk)
- Role within the organisation (e.g., administrator, manager)
3.2 Staff and Employee Information
When venue managers add staff members to VenueShield, the following personal information may be collected about those staff members:
- Full name
- Email address
- Phone number
- Date of birth (where relevant to credential requirements)
- Employment details (position, venue assignments)
3.3 Credential and Licence Information
The core function of VenueShield involves tracking staff credentials and licences. This includes:
- Credential type (e.g., RSA, RMLV, RSG, Food Safety Supervisor, First Aid, Security Licence, Working With Children Check)
- Credential or licence number
- Issue date and expiry date
- Issuing authority and state/territory
- Credential status (valid, expiring, expired)
3.4 Right to Work and Identity Verification Information
Where venues use VenueShield to verify a staff member's right to work in Australia, we may collect:
- Passport details (passport number, country of issue, expiry date)
- Visa type and visa grant number
- Visa conditions and expiry date
- Copies of identity documents (passport photo pages, visa grant notices)
This information is classified as sensitive information under the Australian Privacy Act 1988 and is handled with additional safeguards. We only collect this information with the consent of the organisation and in accordance with applicable employment and immigration laws.
3.5 Uploaded Documents
VenueShield allows users to upload documentary evidence of credentials and compliance records, including:
- Scanned or photographed certificates (e.g., RSA certificates, Statements of Attainment)
- Identity documents (e.g., photo ID, passport pages)
- Licence cards or letters from issuing authorities
- Venue compliance documents (e.g., liquor licence certificates, council permits)
Uploaded files are stored securely using Cloudflare R2 storage. Files are never served directly to end users; access is controlled through time-limited signed URLs.
3.6 Payment Information
When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not collect, store, or have access to your full credit card number. Stripe provides us with:
- Last four digits of your payment card
- Card brand (e.g., Visa, Mastercard)
- Billing address
- Payment status and transaction history
- Stripe customer ID
3.7 Technical and Usage Information
When you use VenueShield, we automatically collect certain technical information, including:
- IP address
- Browser type and version
- Operating system
- Device type
- Pages visited and features used
- Date and time of access
- Referring URL
- Error logs and performance data
3.8 Communication Data
When you contact us via email or our support channels, we collect:
- Your name and email address
- The content of your messages
- Any attachments you provide
- Metadata associated with the communication
4. How We Collect Information
We collect personal information through the following means:
- Directly from you: When you create an account, fill out forms, upload documents, subscribe to a plan, or contact us.
- From your organisation's administrator: Venue managers and administrators may enter staff information on behalf of their employees when adding them to the platform.
- From CSV imports: When organisations bulk-import staff records via CSV file upload.
- Automatically: Through cookies, server logs, and analytics tools when you interact with our website and platform.
- From third-party services: We may receive information from our authentication provider (Clerk) and payment processor (Stripe) as part of the service delivery.
5. How We Use Your Information
We use personal information for the following purposes:
5.1 Service Delivery
- To provide, operate, and maintain the VenueShield platform
- To track and manage staff credentials, licences, and compliance records
- To send automated expiry alerts and compliance notifications via email and SMS
- To generate compliance reports and gap analysis for your organisation
- To process document uploads and store credential evidence
- To manage venue and staff assignments
5.2 Account Management
- To create, manage, and secure your account
- To authenticate your identity when you sign in
- To manage organisation membership and user roles (administrator, manager)
- To process subscription payments and manage billing
5.3 Communication
- To send transactional emails (account confirmation, password resets, payment receipts)
- To send credential expiry alerts and daily digest emails
- To send SMS notifications for critical compliance alerts (Enterprise plan)
- To respond to your enquiries and support requests
- To send service announcements and product updates (you may opt out at any time)
5.4 Platform Improvement
- To analyse usage patterns and improve the functionality and user experience of VenueShield
- To identify and fix bugs, errors, and performance issues
- To develop new features and services based on aggregated, anonymised usage data
5.5 Legal and Compliance
- To comply with applicable laws, regulations, and legal processes
- To enforce our Terms of Service and protect our legal rights
- To detect, prevent, and address fraud, security breaches, or technical issues
6. Legal Basis for Processing (GDPR)
For users located in the European Economic Area (EEA) or the United Kingdom, we process personal information under the following legal bases as required by the GDPR:
- Performance of a contract: Processing necessary to deliver the VenueShield service as per your subscription agreement.
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving our platform, preventing fraud, and ensuring security, where these interests are not overridden by your data protection rights.
- Consent: Where you have provided explicit consent for specific processing activities, such as receiving marketing communications. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with a legal obligation to which we are subject.
7. How We Share Your Information
We do not sell, rent, or trade your personal information. We share personal information only in the following circumstances:
7.1 Within Your Organisation
Personal information about staff members is accessible to authorised administrators and managers within your organisation on VenueShield. This is necessary for the core compliance tracking functionality of the platform. Each organisation's data is strictly isolated from other organisations.
7.2 Third-Party Service Providers
We engage trusted third-party service providers to help us deliver and improve VenueShield. These providers process personal information on our behalf and are contractually obligated to protect your data. Our service providers include:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting (PostgreSQL) | Australia |
| Clerk | Authentication and user management | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional and notification emails | United States |
| Twilio | SMS notifications | United States |
| Cloudflare R2 | File storage for uploaded documents | Cloudflare global network (encrypted) |
| Sentry | Error monitoring and performance | United States |
| Inngest | Background job processing (e.g., scheduled expiry alerts) | United States |
Each of these providers maintains its own privacy policies and security practices. We select providers that offer appropriate security measures and contractual data protection commitments.
7.3 Legal Requirements
We may disclose personal information where required or permitted by law, including:
- In response to a lawful request by a court, tribunal, or government authority
- To comply with applicable laws, regulations, or legal processes
- To protect the rights, property, or safety of VenueShield, our users, or the public
- To enforce our Terms of Service or investigate potential violations
7.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
Your primary data, including staff records, credentials, and compliance information, is stored in Australia via Supabase. However, some of our third-party service providers are located outside of Australia, primarily in the United States (see Section 7.2 above).
When personal information is transferred overseas, we take reasonable steps to ensure that the recipients of your information comply with the Australian Privacy Principles and that your information is protected to a standard comparable to Australian law. This includes:
- Selecting service providers that are subject to enforceable data protection laws or binding contractual obligations
- Using providers that participate in recognised data protection frameworks
- Implementing Standard Contractual Clauses (SCCs) where required under the GDPR for transfers from the EEA
- Ensuring all data transfers are encrypted in transit using TLS/SSL
Under APP 8, by consenting to this Privacy Policy, you acknowledge that your information may be disclosed to overseas recipients as described above, and that VenueShield may not be able to ensure that overseas recipients handle your information in accordance with the APPs.
9. Data Storage and Security
We take the security of your personal information seriously and implement a range of technical and organisational measures to protect it from unauthorised access, modification, disclosure, or destruction.
9.1 Technical Safeguards
- Encryption at rest: All database records are encrypted at rest using AES-256 encryption via Supabase
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Authentication security: User authentication is managed by Clerk, which provides enterprise-grade security including multi-factor authentication (MFA), session management, and brute-force protection
- File storage security: Uploaded documents are stored in Cloudflare R2 with access controlled via time-limited signed URLs. Files are never publicly accessible
- Data isolation: Each organisation's data is logically isolated. All database queries are filtered by organisation ID to prevent cross-tenant data access
- Access controls: Role-based access controls ensure that users can only access data within their organisation and according to their assigned role
9.2 Organisational Safeguards
- Access to production systems and personal data is restricted to authorised personnel only
- We conduct regular reviews of our security practices and third-party provider security postures
- We maintain an incident response process for promptly addressing any data breaches
- We implement the principle of least privilege for all system access
9.3 Data Breach Notification
In the event of an eligible data breach as defined under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988, we will:
- Promptly assess whether the breach is likely to result in serious harm to any individual
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable if the breach is assessed as an eligible data breach
- Notify affected individuals as soon as practicable, including details of the breach and recommended steps they should take
For users subject to the GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, as required.
10. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention practices are as follows:
- Active account data: Retained for the duration of your subscription and for a reasonable period thereafter to allow for reactivation.
- Staff and credential records: Retained for the duration of the organisation's subscription. Historical credential records are maintained to provide a compliance audit trail.
- Uploaded documents: Retained for the duration of the organisation's subscription. Upon account cancellation, documents will be retained for 90 days before permanent deletion, during which time you may request an export of your data.
- Payment records: Retained for a minimum of 7 years as required by Australian tax law.
- Communication records: Support correspondence is retained for 2 years from the date of the last communication.
- Technical logs: Server logs and error monitoring data are retained for up to 90 days and then automatically purged.
- Cancelled accounts: When you cancel your subscription, your data is retained in a read-only state for 90 days. After 90 days, personal information is permanently deleted from our active systems. Backup copies may persist for up to an additional 30 days before being purged.
You may request earlier deletion of your data at any time by contacting us at support@venueshield.au. Please note that we may retain certain information as required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes).
11. Cookies and Tracking Technologies
VenueShield uses cookies and similar tracking technologies to provide, secure, and improve our services.
11.1 Types of Cookies We Use
- Strictly necessary cookies: These cookies are essential for the operation of VenueShield. They include session cookies for authentication (managed by Clerk), CSRF protection tokens, and security cookies. These cannot be disabled as the service will not function without them.
- Functional cookies: These cookies remember your preferences and settings, such as your preferred theme (light/dark mode) and dashboard layout preferences. They enhance your experience but are not strictly required.
- Analytics cookies: We may use analytics tools to understand how users interact with VenueShield, including which features are most used and where users encounter issues. Analytics data is aggregated and does not identify individual users.
11.2 Managing Cookies
You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, please note that blocking strictly necessary cookies will prevent VenueShield from functioning correctly.
We do not use cookies for advertising or third-party tracking purposes.
12. Your Rights
12.1 Rights Under the Australian Privacy Act
Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the following rights:
- Right of access (APP 12): You have the right to request access to the personal information we hold about you. We will respond to your request within 30 days.
- Right of correction (APP 13): You have the right to request correction of any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Right to complain (APP 1): You have the right to complain about our handling of your personal information. We will investigate and respond to your complaint within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
- Right to anonymity (APP 2): Where practicable, you have the option of dealing with us without identifying yourself or by using a pseudonym. However, due to the nature of our service (compliance tracking requires accurate identification), anonymity is generally not practical for core platform use.
12.2 Additional Rights Under the GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following additional rights under the GDPR:
- Right to erasure ("right to be forgotten"): You may request that we delete your personal information, subject to certain legal exceptions.
- Right to data portability: You have the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format (e.g., CSV or JSON).
- Right to restrict processing: You may request that we restrict the processing of your personal information in certain circumstances.
- Right to object: You may object to the processing of your personal information where we are relying on legitimate interests as the legal basis.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making: VenueShield does not make any decisions based solely on automated processing that produce legal or similarly significant effects on you.
To exercise any of these rights, please contact us at support@venueshield.au. We will respond to your request within 30 days (or within one calendar month for GDPR requests). We may ask you to verify your identity before processing your request.
13. Data Processor Obligations (For Organisations)
When an organisation uses VenueShield to manage staff compliance records, the organisation acts as the data controller for the personal information of its staff members, and VenueShield acts as the data processor.
As a data processor, we:
- Process staff personal information only on the instructions of the organisation (the data controller)
- Implement appropriate technical and organisational security measures to protect the data
- Do not use staff personal information for any purpose other than providing the VenueShield service to the organisation
- Assist the organisation in responding to data subject access requests from their staff
- Notify the organisation promptly in the event of a data breach affecting their data
- Delete or return all personal data to the organisation upon termination of the service, subject to our retention policy
Organisations that use VenueShield are responsible for ensuring they have a lawful basis for collecting and sharing their staff's personal information with us, including obtaining any necessary consents and providing appropriate privacy notices to their employees.
14. Third-Party Links
VenueShield may contain links to third-party websites, services, or resources that are not operated by us. These include links to credential issuing authorities, government regulatory bodies, and third-party training providers. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites you visit.
15. Young Workers
VenueShield is a business-to-business (B2B) compliance platform designed for use by venue operators and their staff.
In certain Australian jurisdictions (such as Queensland), workers aged 14 to 17 may be lawfully employed. Where an employer engages a worker under 18, the employer is responsible for obtaining any required parental or guardian consent before entering that worker's information into VenueShield.
We collect and process personal information about young workers (aged 14–17) only when it is provided by their employer for legitimate compliance and work-rights verification purposes. We apply the same security safeguards described in this Policy to all personal information, regardless of the individual's age.
If you are a parent or guardian and believe your child's information has been entered into VenueShield without proper consent, please contact us at support@venueshield.au and we will promptly investigate and, if appropriate, remove the information.
16. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. As there is currently no universally accepted standard for how to respond to DNT signals, VenueShield does not currently respond to DNT signals. However, as noted above, we do not engage in advertising-based tracking of our users.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes that significantly affect your rights or obligations, we will notify you via email or a prominent notice on the VenueShield platform at least 30 days before the changes take effect.
- Your continued use of VenueShield after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
18. Complaints
If you believe we have breached the Australian Privacy Principles or the GDPR, you may lodge a complaint with us by contacting support@venueshield.au. We will:
- Acknowledge your complaint within 5 business days
- Investigate the complaint and provide a written response within 30 days
- Take appropriate corrective action if we find that a breach has occurred
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant regulatory authority:
- Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au/privacy/privacy-complaints
- European Union: Your local Data Protection Authority (DPA). A list of EU Data Protection Authorities can be found at edpb.europa.eu
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
- Email: support@venueshield.au
- Website: venueshield.au
We aim to respond to all privacy-related enquiries within 5 business days.