Privacy Policy

1. Introduction

Billabong Contacts ("we", "our", or "us") is an online directory system designed for residents of retirement villages. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our website and Facebook Messenger integration.

We are committed to protecting your privacy and ensuring you understand how your personal information is handled. By using Billabong Contacts, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

When you use Billabong Contacts, we collect the following information that you provide:

• Contact Information: Name (first name, last name, preferred name), mobile phone number, email address
• Residence Information: House/unit number, village name
• Profile Information: Birthday (day and month only, not year), move-in date, ownership status, profile photo
• Privacy Preferences: Visibility settings for your contact information, absence status
• Messenger Information: Facebook Messenger ID (PSID) if you link your Messenger account

2.2 Information Collected Automatically

• Usage Data: How you interact with the service, features you use, pages you visit
• Device Information: Browser type, operating system, device identifiers
• Analytics Data: Anonymous usage statistics collected via PostHog analytics
• Log Data: IP addresses, access times, error logs for system maintenance and security
• AI Interaction Data: Messages sent via SMS or Facebook Messenger to our AI assistant, including conversation history and detected intents

2.3 Information from Third Parties

• Facebook: When you interact with us via Facebook Messenger, we receive your Page-Scoped ID (PSID) and message content
• SMS Provider: Message delivery status and metadata from our SMS service provider

3. How We Use Your Information

We use your information for the following purposes:

• Provide the Directory Service: Display your information to other residents according to your privacy settings
• Authentication: Verify your identity via SMS one-time passwords (OTP)
• AI Assistant: Process your queries via SMS or Facebook Messenger to help you find resident contact information, check absence status, and other directory-related questions
• Communication: Send you verification codes, system notifications, and important updates
• Service Improvement: Analyze usage patterns to improve features and user experience
• Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, or violations of our terms
• Legal Compliance: Comply with applicable laws and regulations
• Rate Limiting: Enforce usage limits (e.g., 50 AI queries per hour) to ensure fair access

4. How We Share Your Information

4.1 Within the Community

Your information is shared with other residents of your village who are logged into the system. You control what information is visible through your privacy settings:

• You can hide your mobile number and/or email address from other residents
• You can mark your entire profile as hidden
• You can set absence status to let others know when you're away

4.2 Service Providers

We share information with trusted third-party service providers who assist us in operating our service:

• AWS (Amazon Web Services): Cloud hosting, database storage, file storage (S3), and email delivery (SES)
• Mobile Message Australia: SMS delivery for verification codes and optional SMS queries
• Anthropic: AI processing for natural language understanding of queries sent to our assistant
• Facebook/Meta: Message delivery via Facebook Messenger platform
• PostHog: Anonymous analytics for service quality monitoring and bug detection
• Square: Payment processing for village activities and services (if applicable)

These service providers are contractually obligated to keep your information secure and may only use it for the specific purposes we authorize.

4.3 Village Administrators

Designated village administrators have access to resident information for management purposes, including viewing all profiles, managing user accounts, and accessing system logs.

4.4 We Do Not Sell Your Data

We never sell, rent, or trade your personal information to marketers, data brokers, or any third parties for their commercial purposes.

5. Facebook Messenger Integration

When you use our Facebook Messenger bot:

• You must link your Messenger account to your resident profile via SMS verification
• We store your Page-Scoped ID (PSID) to identify you in future conversations
• Message content is processed by our AI service (Anthropic Claude) to understand your intent
• All messages and responses are logged for quality assurance and debugging
• The last 5 messages are used as conversation context for better responses
• You can unlink your Messenger account at any time by contacting an administrator

Note: Messages sent via Facebook Messenger are also subject to Facebook's Privacy Policy.

6. Data Retention

We retain your information as follows:

• Active Residents: Your profile data is retained while you are an active resident
• Inactive Residents: When you leave the village, your account is marked inactive but retained for historical records
• AI Interaction Logs: SMS and Messenger conversations are retained indefinitely for service improvement and audit purposes
• Verification Codes: One-time passwords expire after 10 minutes
• Rate Limit Records: Automatically deleted after 2 hours
• Deleted Accounts: Upon account deletion, your data is permanently removed from our systems (excluding logs required for legal compliance)

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data transmitted between your device and our servers is encrypted using HTTPS/TLS
• Database Security: Data at rest is stored in secure, access-controlled databases
• Authentication: SMS-based one-time password verification for resident access
• Access Controls: Role-based access restrictions limit who can view sensitive data
• Regular Backups: Automated daily backups to prevent data loss
• Webhook Verification: Facebook webhook signatures are verified to prevent unauthorized requests

While we take reasonable precautions, no system is 100% secure. We recommend using secure internet connections and keeping your mobile device protected.

8. Your Privacy Rights

You have the following rights regarding your personal information:

• Access: View and download your personal information from your profile page
• Correction: Update inaccurate or incomplete information in your profile
• Control Visibility: Choose which information is visible to other residents
• Deletion: Request deletion of your account and associated data (contact your village administrator)
• Opt-Out: Disable SMS or Messenger AI features by not using them
• Data Portability: Export your directory information to PDF or Excel format

To exercise these rights, update your profile settings or contact your village administrator.

9. Cookies and Tracking

We use cookies and similar technologies for:

• Authentication: Maintaining your logged-in session
• Preferences: Remembering your settings and preferences
• Analytics: Understanding how you use the service (via PostHog)

Most browsers allow you to control cookies through settings. However, disabling cookies may limit your ability to use certain features.

10. Children's Privacy

Billabong Contacts is designed for residents of retirement villages and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

11. International Data Transfers

Your information may be transferred to and processed in countries other than Australia, including the United States, where our cloud infrastructure and service providers are located. These countries may have different data protection laws. By using our service, you consent to such transfers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via:

• Email to your registered email address
• Notice on the login screen
• Updated "Last Updated" date at the top of this policy

Your continued use of Billabong Contacts after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

14. Australian Privacy Principles

Billabong Contacts is committed to complying with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This policy is designed to meet our obligations under Australian privacy law.