Privacy policy
Effective 1 June 2026
This policy explains how IDP Solutions Pty Ltd (ABN holder, trading as Scannable) handles personal information under the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). If you have questions about anything here, email us at info@idpsolutions.com.au.
1. Who we are
Scannable is a product of IDP Solutions Pty Ltd, a company incorporated in Australia. In this policy, “we”, “us”, and “our” refer to IDP Solutions Pty Ltd. “You” refers to the person or organisation using Scannable or visiting our websites.
You can contact our privacy officer at info@idpsolutions.com.au.
2. Scope
This policy applies to:
- The scannable.au marketing website.
- The Scannable customer portal at portal.scannable.au.
- QR redirect domains that you connect to your Scannable tenant (including custom domains you own).
- The Scannable API and MCP (Model Context Protocol) connector used by AI assistants you authorise.
3. Information we collect
We only collect personal information that we need to deliver the service to you. This generally falls into the following categories.
Account and billing information
Your name, email address, organisation name, and billing details required to create and run your account. Payment card details are captured directly by our payment processor and are not stored on our servers.
QR code content you create
The destination URLs, labels, logos, and other content you upload or configure in your tenant. This content belongs to you; we process it to provide the service.
Scan telemetry
When someone scans one of your QR codes, we log the timestamp, a coarse location derived from the IP address (typically country or region), the user agent, and the referrer. We do not attempt to identify individual scanners or build profiles of them, and we do not sell this data.
Support and communications
If you email us or contact support, we keep a record of that correspondence so we can help you and improve the service.
Cookies and similar technologies
We use a small number of cookies for login sessions, your theme preference, and privacy-respecting analytics. See section 10 below.
4. How we use your information
Under APP 6, we use personal information for the primary purpose of providing the Scannable service, and for related secondary purposes you would reasonably expect, including:
- Creating and managing your account, and authenticating you.
- Generating QR codes, redirecting scans, and reporting scan analytics to you.
- Issuing invoices and processing payments.
- Keeping the service secure, detecting abuse, and investigating incidents.
- Improving and developing features, using aggregated or de-identified data where possible.
- Sending service communications (for example, outages, security notices, or important account changes).
- Meeting our legal and regulatory obligations in Australia.
5. Marketing and consent
We only send marketing emails to people who have consented, as required by the Spam Act 2003 (Cth). Every marketing email includes a working unsubscribe link, and you can also email info@idpsolutions.com.au at any time to opt out. Service and billing communications are not marketing and cannot be unsubscribed from while your account is active.
6. Disclosure to third parties
We do not sell personal information. We share it only with service providers who help us run Scannable, and only to the extent they need to perform their service. These include:
- Hosting: our primary application and database are hosted in Australian regions of reputable cloud providers.
- Payments: Stripe processes payments and stores cardholder data on our behalf. Stripe operates in Australia and the United States.
- Email delivery: a transactional email provider is used to send sign-in, billing, and service emails.
- AI assistants and MCP: if you connect an AI assistant (for example, Claude or ChatGPT) to your tenant, that assistant receives only the data you authorise it to access, using credentials you can revoke at any time.
- Professional advisers and authorities: we may disclose information where required by Australian law, a court order, or to protect our rights.
Under APP 8, where a service provider is located outside Australia, we take reasonable steps to ensure they handle your information consistently with the APPs, through contractual terms and recognised privacy frameworks.
7. Data location and security
Your tenant data, QR codes, and scan logs are stored in Australia. We encrypt data in transit using TLS and at rest on our database and object storage. Access to production systems is limited to authorised personnel and protected by multi-factor authentication and role-based access control.
We follow the Notifiable Data Breaches (NDB) scheme. If a data breach is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
8. How long we keep information
We keep personal information only for as long as we need it:
- Account data is retained while your account is active.
- After you cancel, we keep account and billing records for a reasonable period to meet Australian tax and accounting obligations (typically up to seven years).
- Raw scan telemetry is kept for a limited rolling window and then deleted or aggregated into non-identifying statistics.
- Backup copies are retained on a short, rotating schedule and then overwritten.
You can request earlier deletion of your account data at any time by emailing info@idpsolutions.com.au, subject to any legal records we are required to keep.
9. Your rights
Under APPs 12 and 13, you can ask us to:
- Confirm what personal information we hold about you and give you a copy.
- Correct information that is inaccurate, out of date, incomplete, or misleading.
- Delete your account and associated personal information, subject to legal retention requirements.
- Explain how we have handled your information.
To make a request, email info@idpsolutions.com.au. We will respond within 30 days. There is no charge for making a request, though we may charge a reasonable fee for unusually large or complex access requests.
10. Cookies and analytics
Scannable uses a small number of cookies and similar technologies to:
- Keep you signed in to the customer portal.
- Remember preferences such as your light or dark theme.
- Understand how the marketing site is used, in aggregate, so we can improve it.
You can clear or block cookies using your browser settings. Blocking cookies may affect your ability to sign in to the portal.
14. International customers
If you use Scannable from outside Australia, additional privacy rules may apply. This section supplements the Australian Privacy Act coverage above. It is general information, not legal advice.
New Zealand — Privacy Act 2020
If you are a New Zealand organisation using Scannable, the Privacy Act 2020 may apply when personal information is handled outside New Zealand.
When you configure QR codes, destinations, and branding for your organisation, you are generally the agency that decides why and how personal information is collected from people who scan your codes. IDP Solutions Pty Ltd (Scannable) and our infrastructure providers act as agents processing that information on your instructions — for example, redirecting scans, showing your content, and providing analytics to you.
Under Information Privacy Principle 12, an agency must not disclose personal information overseas unless an exception applies. When a provider processes information only on your behalf and only for your purposes, the Office of the Privacy Commissioner's guidance often treats that as use by an agent, not a disclosure by you. You remain responsible for complying with the Privacy Act, including telling people how their information is used.
If we use personal information for our own purposes (for example, product analytics unrelated to your tenant, billing, fraud prevention, or support unrelated to your instructions), a separate analysis may apply. Contact us if you need a data processing agreement with an IPP 12 annex.
Tenant data and scan logs are stored in Australia (see section 7). Some processing occurs on global edge networks for performance. See our Subprocessors list. You may complain to us first, or to the Office of the Privacy Commissioner (New Zealand).
United Kingdom — UK GDPR and international transfers
If you are in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) may apply to personal information you put into Scannable and to information we process about you as a customer.
The UK has not issued an adequacy decision for Australia. Where you (as a UK controller) transfer personal data to Scannable in Australia, that is generally a restricted transfer unless another valid transfer tool applies.
For QR content, scan telemetry, and other data you configure in your tenant, Scannable generally acts as your processor. For account, billing, and service communications about your organisation, we act as a controller (see sections 3–4 above).
For UK business customers who need contractual protection, we offer a Data Processing Agreement (DPA) incorporating the UK International Data Transfer Agreement (IDTA) published by the Information Commissioner's Office, with Scannable as data importer in Australia and you as data exporter in the UK. See our UK DPA overview or email info@idpsolutions.com.au for a countersigned copy. We maintain a transfer risk assessment for the categories of data described in that agreement.
We use the service providers listed in the Subprocessors section below, with data protection terms consistent with UK GDPR Article 28 where applicable.
Our public website may use analytics cookies (see section 10). For UK visitors we will align cookie use with applicable UK rules, including PECR, as we roll out UK-facing pages.
UK data subjects may have rights of access, rectification, erasure, restriction, objection, and portability, subject to exemptions. You may complain to the Information Commissioner's Office. Scannable stores tenant data in Australia. Scan requests are served from a global edge network; this does not mean your data is UK-hosted.
15. Subprocessors
We use the following third parties (subprocessors) to run Scannable. They process personal information only as needed for their component of the service, under contract terms that require appropriate security and confidentiality.
| Subprocessor | Purpose | Typical data | Location |
|---|---|---|---|
| Cloudflare, Inc. | Edge QR redirects, custom-domain SSL, scan analytics, DDoS protection | IP, user agent, referrer, coarse geo, QR/tenant IDs | Global edge |
| DigitalOcean, LLC | QR renderer, MCP API, object storage for images | Tenant config, images, operational logs | Australia (Sydney) |
| Directus (hosted) | Primary database and CMS API | Account, QR configs, files | Australia-accessible |
| Vercel, Inc. | Marketing site and customer portal hosting | HTTP logs, session cookies | US / global edge |
| Stripe, Inc. | Payments | Name, email, billing, payment tokens | Australia and US |
| Auth0 (Okta, Inc.) | Login and sessions | Email, name, auth identifiers | United States |
| Google LLC (Google Analytics) | Aggregated marketing analytics (website only) | Online identifiers, page views | United States |
| Transactional email provider | Sign-in, billing, and service emails | Email address, message content | Vendor and region disclosed on request |
We may update this list when providers change. Material updates appear on this page and, where required, we notify account holders. For a DPA subprocessor appendix, email info@idpsolutions.com.au.
16. Children
Scannable is a business tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
17. Changes to this policy
We may update this policy from time to time. When we do, we will update the effective date at the top of this page. If the changes are significant, we will take reasonable steps to tell account holders by email or through the portal before they take effect.
18. Contact and complaints
If you have a privacy question or complaint, please email us first at info@idpsolutions.com.au. We aim to acknowledge complaints within 7 days and to resolve them within 30 days.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.