SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Policy. You can find more details about any of these topics by clicking the link following each key point or by using our table of contents below.

Want to learn more? Review the full Privacy Policy below.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. SENSITIVE INFORMATION AND HEALTH DATA
3. INFORMATION FROM THIRD PARTIES
4. HOW DO WE USE YOUR INFORMATION?
5. LEGAL BASIS FOR PROCESSING
6. OUR ROLE AS CONTROLLER AND PROCESSOR
7. WHO DO WE SHARE YOUR INFORMATION WITH?
8. WHERE IS YOUR DATA STORED?
9. HOW LONG DO WE KEEP YOUR INFORMATION?
10. HOW DO WE KEEP YOUR INFORMATION SAFE?
11. PRIVACY BREACH NOTIFICATION
12. AUTOMATED DECISION-MAKING AND AI
13. DIRECT MARKETING
14. ANONYMITY AND PSEUDONYMITY
15. COOKIES AND TRACKING TECHNOLOGIES
16. CHILDREN'S PRIVACY
17. YOUR PRIVACY RIGHTS (NEW ZEALAND)
18. YOUR PRIVACY RIGHTS (AUSTRALIA)
19. UPDATES TO THIS POLICY
20. HOW TO CONTACT US

1. WHAT INFORMATION DO WE COLLECT?

In Short: We collect personal information that you provide directly to us and information collected automatically when you use our Services.

Information You Provide Directly

We collect personal information when you register for an account, use our Services, contact us, or interact with our platform. This may include:

For Business Customers (using Receptioner to manage their business):

• Business name and contact details
• Account holder name, email address, and phone number
• Staff member names, contact details, and work schedules
• Billing and payment information
• Business address and location details

For End Users (booking through businesses that use Receptioner):

• Name, email address, and phone number
• Appointment and booking details
• Service preferences and history
• Information provided through intake or consultation forms (which may include health information - see Section 2)
• Payment information for bookings

Payment Data: We use Stripe to process payments. When you make a payment, your payment card details are collected and processed directly by Stripe. We do not store your full card details on our servers. Stripe's privacy policy is available at: https://stripe.com/privacy

Information Collected Automatically

When you use our Services, we automatically collect certain information, including:

• Device Information: Device type, operating system, unique device identifiers, browser type
• Usage Information: Pages visited, features used, actions taken within the platform
• Log Data: IP address, access times, referring URLs, error logs

Mobile Application Data

If you use our mobile applications, we may request access to:

• Calendar: To sync appointments with your device calendar
• Camera: To upload photos or scan documents
• Push Notifications: To send you booking reminders and updates

You can manage these permissions through your device settings at any time.

All personal information that you provide to us must be true, complete, and accurate. Please notify us of any changes to your personal information.

2. SENSITIVE INFORMATION AND HEALTH DATA

In Short: Businesses using our platform may collect health information from their clients through intake forms. This information is processed securely and in accordance with applicable privacy laws.

Receptioner provides tools that allow service businesses (such as massage therapists, spas, beauty salons, and clinics) to collect information from their clients through customisable intake and consultation forms.

Types of Health Information That May Be Collected

Depending on the business and the services they provide, intake forms may collect:

• Medical history and current health conditions
• Allergies and sensitivities
• Current medications
• Previous injuries or surgeries
• Pregnancy status
• Skin conditions or contraindications
• Emergency contact information
• Other health-related information relevant to the service being provided

How Health Information is Handled

Collection: Health information is collected by the business (our customer) directly from their clients. The business determines what information to collect based on their professional requirements.

Storage: All health information is stored securely on encrypted servers hosted by Amazon Web Services (AWS) in Australia and the European Union (Stockholm). Access is strictly controlled and limited to authorised personnel.

Processing: We process health information solely to provide the Services to our business customers. We do not use health information for marketing purposes and we do not use it to train artificial intelligence or machine-learning models. We do not share health information with third parties except as described in this policy.

Consent: Businesses are responsible for obtaining appropriate consent from their clients before collecting health information through our platform.

Photos and images: Where photos or images uploaded by businesses or their clients capture identifiable individuals, they are treated as personal information. We do not perform facial recognition or any biometric identification on uploaded photos.

Health Information Privacy Code 2020 (New Zealand)

Where a New Zealand business using our platform is a "health agency" as defined under the Health Information Privacy Code 2020 (HIPC 2020), the business remains the agency responsible for compliance with HIPC 2020 in respect of health information collected through Receptioner. Receptioner acts as an agent and data processor in respect of that information. On reasonable request we will provide information and assistance to enable the business to meet its obligations under HIPC 2020, including responses to requests under Rule 6 (access) and Rule 7 (correction).

Retention of health information: Under the Health (Retention of Health Information) Regulations 1996 (NZ), health agencies are generally required to retain health information for at least 10 years. Business customers are solely responsible for ensuring that health information is exported or retained for the periods required by law before any Receptioner-initiated deletion (for example, on account termination or after the 3-month inactivity period described in Section 9).

Your Rights Regarding Health Information

Under New Zealand and Australian privacy laws, health information receives additional protection. You have the right to:

• Know what health information is held about you
• Access your health information
• Request correction of inaccurate information
• Request deletion of your information (subject to legal retention requirements)

To exercise these rights, contact the business that collected your information directly, or contact our Privacy Officer at privacy@receptionerapp.com.

3. INFORMATION FROM THIRD PARTIES

In Short: We receive limited information from third-party services that integrate with our platform.

We may receive personal information from the following third-party sources:

Payment Processors (Stripe)

When payments are processed through our platform, Stripe may share transaction confirmations and limited customer information necessary to complete and record the transaction. This may include:

• Transaction status and confirmation details
• Last four digits of payment card
• Billing address (if provided)

Booking Integrations (Google Reserve)

If a business enables Google Reserve integration, booking information may be received from Google when customers book appointments through Google Search or Maps. This may include:

• Customer name and contact details
• Requested service and appointment time
• Any notes provided during booking

4. HOW DO WE USE YOUR INFORMATION?

In Short: We use your information to provide and improve our Services, communicate with you, ensure security, and comply with legal obligations.

We process your personal information for the following purposes:

• Providing our Services: To create and manage accounts, process bookings, handle payments, and deliver the core functionality of our platform.
• Communications: To send booking confirmations, reminders, and notifications; respond to inquiries and support requests; and send administrative messages about your account or our Services.
• Payments: To process transactions, manage refunds, and maintain payment records.
• Security: To protect our Services, detect and prevent fraud, and ensure the safety and integrity of our platform.
• Improvement: To analyse usage patterns, troubleshoot issues, and improve our Services.
• Marketing: With your consent, to send promotional communications about our Services. You can opt out at any time.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. LEGAL BASIS FOR PROCESSING

In Short: We process your personal information only when we have a lawful basis to do so under New Zealand and Australian privacy laws.

Under the New Zealand Privacy Act 2020 and Australian Privacy Act 1988, we must have a lawful basis for collecting and processing your personal information. We rely on the following bases:

• Consent: Where you have given us clear consent to process your personal information for a specific purpose. You can withdraw consent at any time by contacting us.
• Contractual Necessity: Where processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g., providing our booking platform services).
• Legal Obligation: Where processing is necessary to comply with our legal obligations (e.g., tax records, responding to lawful requests from authorities).
• Legitimate Interests: Where processing is necessary for our legitimate business interests, provided these do not override your rights and interests. This includes improving our Services, preventing fraud, and ensuring platform security.

Note: this taxonomy is provided as a convenience reference for readers familiar with international privacy frameworks (such as the EU GDPR). Our binding obligations are those set out in the New Zealand Information Privacy Principles (IPPs) under the Privacy Act 2020 and the Australian Privacy Principles (APPs) under the Privacy Act 1988, which are not structured around the four bases above. Where this section and the IPPs/APPs differ, the IPPs and APPs prevail.

Health Information

For health information (a type of sensitive information under both NZ and AU law), we rely on:

• Consent provided by the individual to the business collecting the information
• The information being necessary for the provision of a health service or treatment

6. OUR ROLE AS CONTROLLER AND PROCESSOR

In Short: We act as both a data controller and a data processor depending on the context.

When We Are the Data Controller

We are the data controller (the party that determines why and how personal information is processed) for:

• Information about our business customers (the businesses that sign up for Receptioner)
• Information collected through our marketing website
• Information collected when you contact us directly
• Account and billing information

As data controller, we are responsible for ensuring your information is processed lawfully and in accordance with this Privacy Policy.

When We Are the Data Processor

We are a data processor (processing data on behalf of another party) for:

• End-user customer data that businesses store and manage using our platform
• Booking and appointment information entered by business customers about their clients
• Health and intake form information collected by businesses from their clients

When acting as a processor, the business using our platform is the data controller. They determine what information to collect and are responsible for having appropriate consent and legal basis. We process this information solely according to their instructions and to provide our Services.

Contacting the Right Party

If you are an end-user (customer of a business using Receptioner) and have questions about how your data is used, you should first contact the business directly. If the business is unable to assist, or if your inquiry relates to how we handle data as a processor, please contact our Privacy Officer at privacy@receptionerapp.com.

7. WHO DO WE SHARE YOUR INFORMATION WITH?

In Short: We share information with third-party service providers who help us operate our platform, and in certain other limited circumstances.

Third-Party Service Providers

We use the following third-party services to operate our platform. These providers only have access to the information necessary to perform their specific functions. A current and more comprehensive list, including the specific purpose, data processed, and location of each provider, is published at receptionerapp.com/subprocessors.

App Store Providers

Our mobile applications are distributed through:

• Apple App Store - for iOS devices
• Google Play Store - for Android devices
• Microsoft Store - for Windows devices

These platforms may collect information about app downloads and usage in accordance with their own privacy policies.

Other Disclosures

We may also share your information in the following circumstances:

• Legal Requirements: When required by law, court order, or government request.
• Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or others.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
• With Your Consent: When you have given us explicit consent to share your information.

8. WHERE IS YOUR DATA STORED?

In Short: Your data is stored securely on servers in Australia and the European Union.

We use Amazon Web Services (AWS) to host our platform and store data. Your information is stored in the following regions:

• Australia (Sydney region) - Primary data storage for Australian and New Zealand users
• European Union (Stockholm region) - Redundant storage for data resilience and backup

International Data Transfers

Some of our subprocessors (in particular, our application monitoring providers Sentry and New Relic) are based in the United States. When information is transferred to those providers, we rely on the gateways available under Information Privacy Principle 12 of the New Zealand Privacy Act 2020 and Australian Privacy Principle 8 of the Privacy Act 1988, specifically:

• Comparable safeguards by contract: each provider is bound by written contract to data-protection obligations substantially equivalent to those required of us under New Zealand and Australian privacy law, including obligations relating to security, confidentiality, breach notification, and onward transfer.
• Limited and de-identified telemetry: our US-based monitoring providers receive only technical error traces, device and browser metadata, and limited request context, with sensitive fields scrubbed where configured. They do not receive customer records, booking data, intake-form responses, or health information in the ordinary course.
• Data minimisation: we limit the data shared with each provider to what is necessary for the specific service it performs.

A summary of the security controls we operate, including encryption, access management, and incident response, is published on our Trust & Security page.

Data Sovereignty

We understand the importance of data sovereignty for New Zealand and Australian users. Our primary platform data (including customer records, bookings, and health information) is stored within the Australia/EU regions and is not routinely transferred to other jurisdictions.

9. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We retain your information for as long as necessary to provide our Services and comply with legal obligations, with specific retention periods for different types of data.

Retention Periods

We retain different types of information for different periods:

• Active Account Data: Retained for as long as your account remains active and you continue to use our Services.
• On Termination: When a business customer formally terminates their account, a 30-day export window is provided (see our Terms of Service) after which Your Data is deleted from live production systems.
• Inactive Business Accounts: Business accounts that are not formally terminated are treated as inactive if they remain unused for an extended period. Such accounts and their associated dynamic data (bookings, customer records, etc.) are deleted 3 months after the last authenticated use, with prior notice to the account holder's email of record.
• Documents and Files: PDF documents, signed forms, and uploaded files are retained indefinitely during the life of the account unless you request deletion, to ensure businesses can access historical records for compliance purposes.
• Transaction Records: Payment and billing records are retained for 7 years to comply with tax and accounting requirements in New Zealand and Australia.
• System Logs: Technical logs and error reports are typically retained for 90 days for troubleshooting and security purposes.
• Backups: Encrypted backups are retained for up to 35 days on a rolling basis for disaster-recovery purposes. Data deleted from live systems may persist in backups for up to 35 days before being removed from all backup media.

Deletion Requests

You can request deletion of your personal information at any time by contacting us. We will process your request in accordance with applicable law. Some information may need to be retained where required by law (for example, health information under the Health (Retention of Health Information) Regulations 1996 (NZ), tax and financial records, or information subject to a legal preservation hold), or where necessary for legitimate business purposes such as fraud prevention, billing disputes, or establishing, exercising, or defending legal claims.

Data After Account Closure

When a business account is closed or becomes inactive:

• We notify the account holder before deletion occurs
• On formal termination, a 30-day export window is provided before deletion from live systems
• Inactive accounts are deleted 3 months after the last authenticated use
• Backup copies are retained for up to 35 days after live deletion
• Once fully deleted from both live and backup systems, data cannot be recovered

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use industry-standard security measures to protect your personal information.

We take the security of your information seriously and have implemented appropriate technical and organisational measures to protect it, including:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256 encryption)
• Access Controls: Strict access controls limit who can access personal information within our organisation
• Secure Infrastructure: Our platform is hosted on AWS, which maintains industry-leading security certifications
• Regular Security Reviews: We regularly review and update our security practices
• Payment Security: Payment processing is handled by Stripe, which is PCI-DSS compliant

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@receptionerapp.com.

11. PRIVACY BREACH NOTIFICATION

In Short: If there is a privacy breach that is likely to cause serious harm, we notify our business customers, affected individuals where practicable, and the relevant privacy regulator.

We maintain a documented incident-response process. If we become aware of a notifiable privacy breach within the meaning of the New Zealand Privacy Act 2020 or the Australian Privacy Act 1988 that affects personal information processed through our platform, we will:

• Assess the nature and scope of the breach and the risk of serious harm
• Notify the affected business customer (where we act as data processor) as soon as practicable, and in any event without undue delay — we aim to notify within 72 hours of becoming aware of the breach, consistent with the guidance published by the Office of the Privacy Commissioner
• Notify the Office of the Privacy Commissioner (New Zealand) or the Office of the Australian Information Commissioner, as applicable
• Where the breach originates from our platform and it is practicable to do so, notify affected individuals directly; otherwise, assist our business customers to meet their own notification obligations
• Take prompt steps to contain the breach, remediate the cause, and prevent recurrence

If you believe a privacy breach has occurred, please contact us at privacy@receptionerapp.com as soon as possible.

12. AUTOMATED DECISION-MAKING AND AI

In Short: We do not use automated decision-making or artificial intelligence in ways that significantly affect individuals, and we do not use your information to train AI models.

As at the date of this Privacy Policy:

• We do not use personal information to make automated decisions that have a legal or similarly significant effect on any individual.
• We do not use personal information (including end-user customer data, booking data, or health information) to train general-purpose artificial intelligence or machine-learning models, whether our own or those of any third party.
• We do not sell personal information, and we do not share personal information with data brokers or advertising networks.

If we introduce automated decision-making or artificial-intelligence features in the future, we will update this Privacy Policy before those features take effect, provide the notice required by applicable law (including the transparency requirements under the Privacy Act 1988 (Cth) in respect of automated decisions that significantly affect individuals), and give you a meaningful opportunity to review the change.

13. DIRECT MARKETING

In Short: We only send direct marketing with consent, we always include an unsubscribe option, and we never use sensitive information for marketing.

We may send you direct marketing communications about our Services, including product updates, promotional offers, and newsletters. We will only do so where we have a lawful basis under Australian Privacy Principle 7, the New Zealand Privacy Act 2020, the Unsolicited Electronic Messages Act 2007 (NZ), and the Spam Act 2003 (Cth) (Australia). For commercial electronic messages (email and SMS), this means we send marketing only on the basis of your express or inferred consent within the meaning of the Unsolicited Electronic Messages Act 2007 (NZ) and the Spam Act 2003 (Cth). Inferred consent will only be relied on where it is clearly inferable from a current customer relationship and the marketing is closely related to the Services you have purchased.

Every direct marketing email and SMS we send includes a free, prominent mechanism for you to opt out (for example, an unsubscribe link or "STOP" reply). We will honour opt-out requests within 5 working days, as required by both Acts. We do not use sensitive information (including health information) for direct marketing purposes, and we do not share your information with third parties for their own marketing.

14. ANONYMITY AND PSEUDONYMITY

In Short: The nature of our Services requires identified interaction, so anonymous use is generally not practicable.

Under Australian Privacy Principle 2, individuals have the option, where lawful and practicable, to deal with an APP entity anonymously or using a pseudonym. Because our platform supports bookings, payments, appointment reminders, and (in many cases) the delivery of health services, identified interaction is required for the Services to function correctly. In particular, business customers need real contact details to contact their clients, process payments, and meet their own professional record-keeping obligations.

You may browse our marketing website without creating an account. If you have questions about anonymity in a specific context, please contact us at privacy@receptionerapp.com.

15. COOKIES AND TRACKING TECHNOLOGIES

In Short: We use cookies and similar technologies to improve your experience on our Services.

We use cookies and similar tracking technologies to collect and store information when you use our Services. Cookies are small text files stored on your device that help us:

• Remember your preferences and settings
• Understand how you use our Services
• Improve your experience
• Keep you logged in

Types of Cookies We Use

• Essential Cookies: Required for the platform to function properly (e.g., authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our Services so we can improve them

Managing Cookies

Most web browsers allow you to control cookies through their settings. However, disabling certain cookies may affect the functionality of our Services.

For more detailed information about our use of cookies, please see our Cookie Policy.

16. CHILDREN'S PRIVACY

In Short: Our Services are intended for adult account holders. Where a business books or collects information about a minor, the business is responsible for obtaining parental or guardian consent.

Receptioner is a business-to-business platform. To register and operate a business account with Receptioner, you must be at least 18 years old. Our marketing website and direct marketing are not directed at children.

We recognise that some of our business customers (for example, paediatric physiotherapists, dental clinics, or family beauty salons) legitimately book appointments or record information about minors on behalf of their clients. In those cases:

• The business customer is the data controller and is solely responsible for obtaining appropriate parental or guardian consent before collecting information about a minor.
• The business customer is responsible for ensuring that any intake forms collected from or on behalf of minors are lawful and appropriate to the child's age.
• We act as a data processor in respect of that information and handle it in accordance with this Privacy Policy and our Data Processing Agreement.

If we become aware that we have directly collected personal information from a child under 18 (other than through a business customer relationship as described above) without appropriate consent, we will take steps to delete that information as quickly as possible. If you believe we may have inadvertently collected information from a child, please contact us at privacy@receptionerapp.com.

We monitor developments in child-specific privacy regulation (including the Australian Children's Online Privacy Code, scheduled for registration by 10 December 2026) and will update this Privacy Policy as required.

17. YOUR PRIVACY RIGHTS (NEW ZEALAND)

In Short: Under the New Zealand Privacy Act 2020, you have specific rights regarding your personal information.

If you are located in New Zealand, you have the following rights under the Privacy Act 2020:

Your Rights

• Right to Access: You can request access to the personal information we hold about you (Information Privacy Principle 6).
• Right to Correction: You can request that we correct any inaccurate or incomplete personal information (Information Privacy Principle 7).
• Right to Know: You can ask whether we hold personal information about you and how we use it.

How to Exercise Your Rights

To exercise any of these rights, please email our Privacy Officer at privacy@receptionerapp.com. We will respond to your request within 20 working days, as required by the Privacy Act 2020.

We may need to verify your identity before processing your request. There is generally no fee for accessing your personal information, though we may charge a reasonable fee for requests that are manifestly unfounded or excessive.

Complaints

If you are not satisfied with how we handle your personal information or your privacy request, you have the right to lodge a complaint with the Office of the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10094, Wellington 6143
Phone: 0800 803 909
Website: www.privacy.org.nz

18. YOUR PRIVACY RIGHTS (AUSTRALIA)

In Short: If you are located in Australia, you have rights under the Privacy Act 1988 and Australian Privacy Principles (APPs).

If you are located in Australia, the following rights apply to you under the Privacy Act 1988:

Your Rights Under the Australian Privacy Principles

• Right to Access: You can request access to the personal information we hold about you (APP 12).
• Right to Correction: You can request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
• Right to Anonymity: Where practicable, you have the option to interact with us anonymously or using a pseudonym.
• Right to Know: You can ask us what personal information we hold about you and how we use it.

How to Exercise Your Rights

To exercise any of these rights, please email our Privacy Officer at privacy@receptionerapp.com. We will respond to your request within 30 days, as required by the Privacy Act 1988.

Access to your personal information is generally provided free of charge, though we may charge a reasonable fee to cover administrative costs in some circumstances.

Complaints

If you believe we have breached the Australian Privacy Principles or are not satisfied with how we have handled your personal information, you can lodge a complaint with us first. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au

19. UPDATES TO THIS POLICY

In Short: We may update this policy from time to time. For material changes that adversely affect your rights, we will give at least 30 days' notice before the change takes effect.

We may update this Privacy Policy from time to time to reflect:

• Changes to our Services or data practices
• Changes in applicable laws or regulations
• Feedback from users and regulators

For changes that materially and adversely affect your rights — including, without limitation, changes that materially reduce the privacy, security, or data-protection obligations that apply to your personal information — we will provide at least 30 days' notice before the changes take effect, via email to the account holder's email of record, in-product notification, or both. This is consistent with the material-change notice commitment in our Terms of Service.

For non-material changes — including those required by law, those that correct errors or ambiguities, those that expand or clarify your rights, or those that add new optional features — we may make changes effective immediately upon posting. The "Last updated" date at the top of this policy will reflect any change.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

20. HOW TO CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Redium Limited
Trading as Receptioner
NZBN: 9429046707000
Registered office: as recorded on the New Zealand Companies Register
New Zealand

Privacy Officer

In accordance with section 201 of the Privacy Act 2020 (NZ), we have appointed a Privacy Officer. You can reach our Privacy Officer at:

Email: privacy@receptionerapp.com

Other Contact Channels

General support: support@receptionerapp.com

Legal notices: legal@receptionerapp.com

Website: https://receptionerapp.com/contact

Privacy Requests

For requests to access, correct, or delete your personal information, please email us at privacy@receptionerapp.com with the subject line "Privacy Request". Please include:

• Your name and contact details
• A description of your request
• Any information that will help us identify you in our systems

We may need to verify your identity before processing your request. We will respond to your request within the timeframes required by applicable law (20 working days for New Zealand, 30 days for Australia).