Privacy Policy

This Privacy Policy explains how OnCloudWine Labs Pty Ltd (ABN 20 690 638 736), trading as OnCloudWine(“we”, “us”, “our”), handles personal information in connection with the OnCloudWine software-as-a-service platform, our websites, APIs, and related services (collectively, the “Services”).

We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where the General Data Protection Regulation (GDPR), UK GDPR, or the California Consumer Privacy Act (CCPA/CPRA) applies to our processing, we comply with those laws as well.

The OnCloudWineplatform is built for wineries, wine clubs, and similar businesses (“Organisations”) to manage their wine releases, club memberships, orders, and customer relationships. Our role in relation to personal information depends on whose data is being processed:

• Organisation administrators and users. When you create or use an account to administer an Organisation on the platform, we act as the data controller for information about you as an administrator or user. This Policy governs that processing.
• Organisations’ contacts (members/customers). When an Organisation loads or collects information about its own customers, club members, or contacts (“Contacts”) into the Services, the Organisation is the data controller of that information and we act as a data processoron the Organisation’s behalf. The Organisation is responsible for its own privacy notices and for its lawful basis to collect and share that data with us. Contacts should read the relevant Organisation’s privacy notice for information about how their data is handled.

From Organisation administrators and users. Typically:

• Name, email address, phone number, and job title.
• Login credentials (hashed passwords, multi-factor authentication codes, session tokens).
• Billing details such as business name, billing address, and tax identifiers. We do not store full payment card numbers — see “Payment information” below.
• Business profile information you choose to provide (logo, website, time zone, currency, shipping preferences, social links).
• Support communications, feedback, and information you share when contacting us.

From Contacts, processed on behalf of Organisations. Organisations may load or collect data about their Contacts, including name, email, phone number, addresses, order history, wine preferences, club membership status, fulfilment details, and notes. We only process this data on the Organisation’s instructions.

Payment information. Payments on the platform are processed by third-party payment providers (including Stripe and Square). We do not store full card numbers, card verification values, or equivalent sensitive payment credentials. We store only payment tokens supplied by those providers plus non-sensitive metadata such as the last four digits, card brand, and expiry, as made available to us.

Automatically collected information. When you use the Services we automatically collect:

• Device and log information (IP address, user agent, operating system, referring URLs, timestamps, crash reports).
• Usage data (pages viewed, features used, actions taken in the Services).
• Cookies and similar technologies — see our Cookie Policy for details.

We use personal information to:

• Provide, operate, secure, and improve the Services.
• Create and authenticate accounts, and to verify identity where appropriate.
• Process subscription fees and, where applicable, platform transaction fees on payments made through the Services.
• Send service-related communications (account notices, billing, security alerts, product updates).
• Provide customer support and respond to your enquiries or complaints.
• Detect, investigate, and prevent fraud, abuse, or unlawful activity, and to enforce our Terms.
• Comply with legal obligations, lawful requests from authorities, and our record-keeping duties.
• Analyse usage trends and develop new features (using aggregated or de-identified data where practicable).

With your consent, we may also send marketing communications about our Services. You can unsubscribe at any time using the link in any marketing email or by contacting us.

If you are located in the European Economic Area or United Kingdom, we rely on one or more of the following legal bases to process your personal information:

• Performance of a contract— to provide the Services you have subscribed to.
• Legitimate interests— to secure and improve the Services, prevent fraud, and administer our business, where those interests are not overridden by your rights.
• Consent— for marketing communications and for cookies that are not strictly necessary.
• Legal obligation— to meet our obligations under applicable law (e.g. tax and record-keeping).

Where we process Contact data on behalf of an Organisation, the Organisation is responsible for identifying and documenting its own lawful basis.

We do not sell personal information. We share personal information only in the following circumstances:

• Service providers (sub-processors). We use carefully selected vendors to host, store, analyse, secure, and operate the Services. These include cloud infrastructure providers, payment processors (Stripe, Square), transactional email providers, error-monitoring and logging providers, and customer-support tools. These providers are bound by contractual obligations consistent with this Policy.
• Integrations you enable. When an Organisation connects a third-party integration (for example WooCommerce, Mailchimp, a shipping carrier, or a POS system), we share the information reasonably necessary to operate that integration. Those third parties handle data under their own terms.
• Between Organisations and their Contacts. Where we act as processor, we share Contact data with the Organisation that loaded it.
• Legal, safety, and enforcement. We may disclose information to comply with law, respond to valid legal process, protect our rights, property, or safety, or that of our users or the public, and to investigate fraud or security incidents.
• Business transfers. If we undergo a merger, acquisition, financing, reorganisation, bankruptcy, or asset sale, personal information may be transferred as part of that transaction.

We operate globally. Personal information may be processed and stored in Australia and in other countries where we or our service providers have facilities, including jurisdictions whose data protection laws may differ from those in your country.

Where we transfer personal information from the EEA, UK, or Switzerland to countries that have not been designated as providing adequate protection, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

We use reasonable administrative, technical, and physical safeguards to protect personal information, including encryption in transit, access controls, and logging. As noted above, we do not store full payment card data — card data is handled by PCI-DSS compliant payment processors.

No method of transmission or storage is completely secure. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected unauthorised access to your account.

We retain personal information for as long as we need it for the purposes described in this Policy, including to provide the Services, maintain the integrity and security of our systems, comply with legal obligations, resolve disputes, and enforce our agreements.

Where we act as processor for an Organisation, retention of Contact data is governed by the Organisation’s instructions and its subscription. When an Organisation’s account is closed, we may delete or de-identify Contact data after a reasonable wind-down period, subject to our legal obligations.

Australian users. Under the APPs you may request access to, and correction of, the personal information we hold about you. You may also make a privacy complaint to us.

EEA and UK users. Subject to the conditions set out in the GDPR or UK GDPR, you have the right to access, rectify, erase, restrict processing of, object to processing of, and port your personal information, and to withdraw consent where processing is based on consent.

California users. Subject to the CCPA/CPRA, you have rights to know, delete, correct, and limit the use of certain personal information, and not to be discriminated against for exercising those rights. We do not sell personal information and we do not share personal information for cross-context behavioural advertising.

How to exercise these rights. Contact us at [email protected]. If you are a Contact of an Organisation, please direct your request to that Organisation, which controls your personal information; we will assist the Organisation in responding as required.

The Services are not intended for individuals under the age of 18 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

Organisations that operate in the wine industry are responsible for ensuring they only collect information from individuals of legal drinking age in the relevant jurisdiction, and for complying with all applicable age-verification requirements.

We use cookies and similar technologies to operate the Services and to understand how they are used. See our Cookie Policy for details.

We may update this Policy from time to time. If we make material changes we will notify you by email or by posting a prominent notice in the Services. Your continued use of the Services after the updated Policy takes effect constitutes your acceptance of the changes.

For privacy questions, requests, or complaints contact:

OnCloudWine Labs Pty Ltd trading as OnCloudWine
Victoria, Australia
Email: [email protected]

We will acknowledge your complaint within a reasonable time and aim to resolve it promptly. If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or to the data protection authority in your country of residence.