Privacy Policy
Last updated: 6 May 2026
Draft pending legal review. Sections marked with bracketed placeholders ([LEGAL ENTITY], [ACN], etc.) are not yet final.
Introduction
Lhoop is operated by [LEGAL ENTITY] Pty Ltd (ACN [ACN]). This Privacy Policy explains how we collect, hold, use, disclose, and protect your personal information.
We comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).
Beyond the legal minimum. Lhoop operates only in Australia. We are not subject to overseas privacy regimes such as the EU GDPR or the UK Data Protection Act, but we have voluntarily borrowed several of their transparency principles where they exceed the APPs — including stating retention periods in months/years, listing each subprocessor with country and purpose, and committing to faster eligible-data-breach notifications than the law requires. Where this Policy commits to something stronger than the APPs, that is a Lhoop commitment, not a legal obligation we can be sued for.
What we collect, why, and what happens if you don't provide it (APP 5)
| Category | What | Why we collect it | If you don't provide it |
|---|---|---|---|
| Account basics | Email, username, password (hashed), display name, optional first name | Create your account; sign-in | You can't create an account |
| Profile | Optional avatar, bio, suburb, city, state, postcode | Profile display; listing location; marketplace personalisation | Profile is sparser; you can't publish listings without a suburb |
| Identity verification (sellers only) | Government ID image, selfie, date of birth, full legal name, full address — collected by Stripe Identity on our behalf | Stripe Connect KYC; AML/CTF compliance; fraud prevention | You can list items but can't receive payouts |
| Phone (optional) | Mobile number | SMS multi-factor authentication; Stripe Connect verification | You can use TOTP MFA instead; if Stripe Connect requires a phone number and you don't provide one, payouts are blocked |
| Listings | Photos, descriptions, prices, sizes, conditions, brand tags | List items for sale; power search and personalisation | You can't publish a listing |
| Transactions | Amount, item references, shipping addresses, tracking numbers, dispute evidence (photos, messages) | Process payments, run escrow, ship, resolve disputes | You can't buy or sell |
| Payment instruments | Card details for buyers; bank account / BSB for sellers. Stored by Stripe, not Lhoop. We see only the last 4 digits and a token | Buyer purchases; seller payouts | You can't transact |
| Messages | Buyer-seller messages, including any photos you attach | Communication; dispute evidence | You can't message other members |
| MFA | TOTP secret, backup codes, OTP timestamps | Account security | MFA is optional; without it your account is less protected |
| Audit logs | Admin actions and your MFA toggles: action, actor, timestamp, before/after state | Accountability, security, compliance | n/a — recorded whenever the action occurs |
| Device & usage data | IP address, browser, OS, pages visited, timestamps | Security, fraud detection, platform improvement | You can't disable this without leaving the platform |
| Approximate location | City-level location derived from IP | Marketplace personalisation; fraud detection | Less personalised feed |
Analytics and tracking
Google Analytics
We use Google Analytics 4 to understand how visitors use the site. GA4 collects pseudonymous identifiers, page views, referral source, device and browser info, and approximate (city-level) geographic location. Data is processed by Google in the US. We do not link GA data to your name or email. See the Google Privacy Policy for how Google handles this data.
Microsoft Clarity (session replay)
We use Microsoft Clarity to record how people interact with the site, including mouse movement, clicks, scrolling, and a replay of pages as you saw them. Clarity is configured to mask form inputs (passwords, payment fields), but session replay can incidentally capture text you type into other fields. Clarity also uses cookies. You can opt out of Microsoft's collection at choice.microsoft.com. See the Microsoft Privacy Statement.
Cookies we use
| Cookie | Type | Why | Lifespan |
|---|---|---|---|
| Session cookie (NextAuth) | Strictly necessary | Keeps you signed in | Session / 7 days |
| CSRF token | Strictly necessary | Security | Session |
| Personalisation prompt dismissal | Functional | Avoids re-prompting | 30 days |
| Google Analytics (_ga, _ga_*) | Analytics | Usage analytics | 2 years |
| Microsoft Clarity (_clck, _clsk, MUID) | Analytics | Session replay; heatmaps | Up to 1 year |
Strictly-necessary cookies cannot be turned off without breaking core platform functionality. You can disable analytics cookies via your browser settings or by opting out at the analytics provider links above.
How we use your information
- Run the marketplace: account, listings, search, messaging, checkout, escrow, payouts.
- Process transactions and send transactional notifications (order confirmation, shipping, payouts).
- Verify seller identity and process payouts via Stripe and Stripe Identity.
- Detect, investigate, and respond to fraud, abuse, and breaches of our Terms (including by maintaining audit logs of admin and high-risk user actions).
- Respond to support requests and resolve disputes.
- Notify you of material changes to terms, privacy, or services that affect you.
- Generate AI-assisted listing descriptions when you opt in to that feature.
- Comply with legal obligations (tax reporting, anti-money-laundering, lawful requests from authorities).
- Send marketing emails — only if you've opted in. Every marketing email has a one-click unsubscribe link, and unsubscribing takes effect immediately.
Who we share information with
We do not sell your personal information. Ever. We share information only in these specific circumstances:
- With other members: your @username, avatar, listing details, public reviews, and messages you send are visible to the people you're trading with.
- Service providers (subprocessors): see the table below.
- Legal requirements: if a valid Australian court order, subpoena, or law-enforcement request compels disclosure.
- Business transfer: in a sale, merger, or restructure, your information transfers to the new entity. We'll notify you in advance; the same Privacy Policy commitments will bind the new entity, or you can delete your data before the transfer takes effect.
Subprocessor table
| Recipient | Country | What we share | Why |
|---|---|---|---|
| Stripe Payments Australia Pty Ltd | Australia (with US affiliates) | Buyer card data; seller payout details; transaction metadata | Process payments and seller payouts |
| Stripe Identity | United States | Seller-only: government ID image, selfie, DOB, name | KYC verification (mandatory for sellers receiving payouts) |
| Microsoft Azure (Australia East / Australia Southeast) | Australia | Hosting; database; blob storage (listing photos) | Run the platform |
| Microsoft Clarity | United States | Session replay, click data, IP address | Product analytics |
| Google Analytics 4 | United States | Pseudonymous usage data, IP, device | Product analytics |
| Email delivery (SendGrid / Azure Communication Services) | United States / Australia | Email address, name, message content | Sending transactional and marketing emails |
| Australia Post | Australia | Recipient name and address; tracking number | Shipping fulfilment |
We review this list before adding new subprocessors. If we add one that materially changes how your data is handled, we'll update this page and tell you in advance.
Cross-border disclosure (APP 8)
Some of our subprocessors process data outside Australia, primarily in the United States. Before sending personal information overseas, we take reasonable steps under APP 8.1 to ensure the overseas recipient handles it consistently with the APPs. We do this by relying on the recipient's contractual privacy commitments (Stripe, Microsoft and Google all publish data-processing agreements covering APP-equivalent obligations). Note: we rely on APP 8.1 rather than the consent exception in APP 8.2(b), so we have not obtained your separate consent to overseas disclosure, and we remain accountable under section 16C of the Privacy Act for the overseas recipient's handling of your information.
Data security
We use standard security controls under APP 11:
- HTTPS / TLS encryption in transit
- Encryption at rest for the database and image storage
- Hashed passwords (we never store plaintext passwords)
- Optional multi-factor authentication (MFA) on your account
- Role-based access controls and audit logging on admin tools
- Regular dependency and security review
No system is 100% secure. If we become aware of a breach affecting your personal information, we'll handle it under our breach response commitment below.
Eligible Data Breach response
Australia's Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988) requires us to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after we become aware of an eligible data breach, meaning unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual. Where we only suspect a breach, the scheme gives us up to 30 days to assess whether it is eligible; we follow that standard. The notification will explain what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
Your rights and choices
Your legal rights under the Privacy Act
- Access (APP 12). You can ask for a copy of the personal information we hold about you. We'll respond within 30 days. Most account information is also visible directly in your Settings.
- Correction (APP 13). You can ask us to correct inaccurate or out-of-date information. Most fields are editable from Settings. For fields we collect via Stripe (e.g. ID-verified name), corrections may need to go through Stripe's flow.
- Complaint. You can complain to us first via our contact form. If you're not satisfied, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
Voluntary commitments (above what the APPs require)
- Deletion. You can delete your account in Settings. When you confirm, we anonymise your profile and revoke service connections straight away, and the action cannot be undone. Some records are retained anonymised for fraud prevention, audit logs, and tax/financial-records compliance — see Data retention below.
- Data portability. On request, we'll export the personal information you provided in a structured, commonly-used format (JSON or CSV). Allow up to 30 days.
- Withdraw marketing consent. Use the unsubscribe link in any marketing email or toggle "Marketing emails" off in Settings → Notifications. We will stop sending marketing within 7 days. Service messages still apply (see Terms).
How to exercise these rights. Use our contact form. We may need to verify your identity before acting on a request.
Children's privacy
Lhoop is for adults (18+). We don't knowingly collect personal information from anyone under 18. If we find out we have, we'll delete it.
How long we keep your data
| Data | How long we keep it |
|---|---|
| Active account profile | While your account is open |
| Closed account profile | Anonymised immediately when you confirm closure; the anonymised record (which no longer identifies you) is retained after that |
| Listings | While active or saved as draft. Sold/archived listings are retained for 7 years to support tax records and dispute history |
| Orders, payments, payouts | 7 years (Australian Taxation Office record-keeping requirement under the Taxation Administration Act 1953) |
| Disputes & evidence | 7 years after resolution |
| Identity-verification records (ID images, selfies) | Retained by Stripe under their AML/CTF retention rules (typically 7 years from account closure). Lhoop does not store the ID images itself |
| Messages between members | While either member's account is active; deleted when the later of the two accounts is anonymised, except where attached to a dispute |
| Audit logs | 7 years (compliance/forensic) |
| Marketing consent records | Until you withdraw consent + 2 years (proof of consent under Spam Act 2003) |
| Server access logs | 90 days unless flagged for security investigation |
| Analytics data (Google Analytics, Clarity) | Per the provider's retention settings — currently 14 months (GA4) and 12 months (Clarity) |
When the retention period ends, we either delete the data or anonymise it so it can no longer identify you.
How we make decisions about you
Personalisation and ranking. We rank listings on your home feed using your declared preferences (categories, sizes, brands you follow), and, if you haven't set any preferences, by inferring them from your last 30 listing views in the past 90 days. You can clear this at any time by signing out, by clearing browsing history, or by setting explicit preferences in Settings → Personalisation.
Fraud and abuse detection. We use signals (device fingerprints, transaction patterns, message content patterns) to flag suspicious behaviour for human review. We do not make automated final decisions to suspend or close your account; a human reviews every flagged case.
Changes to this policy
We'll update this policy as the product and law evolve. Material changes will be notified by email and by an in-app banner before they take effect; minor changes will appear here with a new "Last updated" date. Continued use of Lhoop after a material change takes effect means you accept it.
Privacy contact
For access, correction, deletion requests, marketing opt-out issues, or any other privacy concerns:
[LEGAL ENTITY] Pty Ltd
Attn: Privacy Officer
[REGISTERED OFFICE ADDRESS]
Use the contact form to reach our Privacy Officer.
If you're not satisfied with our response, you can complain to:
Office of the Australian Information Commissioner (OAIC)
GPO Box 5288, Sydney NSW 2001
oaic.gov.au · 1300 363 992
