Privacy Policy (Australia)
Last updated: 9 September 2025
Who we are
Castlemaine Social is a community project created by locals living in Castlemaine. For legal and operational purposes, the service is operated by Alpaca Travel Pty Ltd (ABN 29 608 409 990) (“we”, “us”, “our”). For the purposes of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), Alpaca Travel Pty Ltd is the entity responsible for managing personal information collected through Castlemaine Social.
Contact (privacy & complaints)
- Email: [email protected]
- Registered address: 5B/21 Northumberland Street, Collingwood VIC 3066, Australia
The short version
- We collect only what we need to run a community events calendar (accounts, event/venue submissions, category subscriptions, essential security logs).
- We do not sell or rent your personal information. We don’t run ads or upsells.
- Event and venue/place content you submit is intended to be public and discoverable online (including venue addresses/locations).
- Your account details and subscription settings are kept private.
- You can unsubscribe from non-essential emails any time via the link in every email or via the unsubscribe page.
- We host core data in Australia (AWS Sydney). We use reputable providers (Neon, Vercel, Cloudflare, AWS Cognito & SES, Google Analytics) and require them to protect your information.
- You can ask us to access, correct, or delete your personal information.
What we collect
Information you give us
- Account details: name/display name, email, and authentication credentials. We use AWS Cognito to manage sign-in. We do not store your plaintext password. If you sign in with email/password, Cognito protects your password in an irreversible, cryptographically secured form and we cannot view it (we can only help you reset it).
- Event submissions: title, description, dates/times, venue/location (including street address or map pin), categories, images, and optional organiser contact details (published if provided).
- Venue/place submissions: name, address/location, description, images, links, categories (published).
- Preferences: categories you follow and notification settings.
- Reports & messages: content moderation reports, support requests, feedback.
Information we generate or receive automatically
- Service & security logs: IP address, device/browser details, timestamps, error logs, and basic usage data, used to keep the site reliable and secure.
- Analytics: aggregated usage/performance metrics via Google Analytics and Cloudflare.
- Location: we do not collect precise location passively. If you enter an exact event/venue location (or choose a “use my location” feature), we use it only for that purpose.
We do not intentionally collect sensitive information (e.g., health, biometrics). Please avoid including sensitive personal info in public listings.
What we publish publicly (and search engines)
This website is designed so that community information can be found online.
- Public: event listings (title, description, dates/times), venue/place pages and venue addresses/locations, categories/tags, images, and any organiser contact details you choose to include.
- Private: your account email, password hash, subscription settings, and internal logs.
- Search engines: public pages may be indexed by search engines and shared on other sites or feeds.
We may edit or remove content that breaches our guidelines or the law.
How we use your information
- Provide the service: create accounts, authenticate sign-ins, publish events/venues, show relevant content, manage your subscriptions.
- Notify you: account emails (e.g., sign-in, approvals) and category/event digests you opted into (unsubscribe any time).
- Keep it safe: prevent abuse/spam, detect fraud, ensure availability, and debug issues (some automated checks plus human volunteer moderation where needed).
- Improve the service: analyse de-identified, aggregated usage (never for advertising).
Sign-in with Google/Apple
If you choose to sign in with Google or Apple, we receive basic profile details (e.g., name and email) from the identity provider to create or connect your account. We do not receive your Google/Apple password.
Our service providers (and overseas processing)
We use trusted providers who act on our instructions and must protect your information:
- Database/hosting: Neon (Postgres) hosted on AWS (Sydney region)
- Identity & email: AWS Cognito; emails via AWS SES
- App hosting & delivery: Vercel (app hosting), Cloudflare (proxy/CDN, performance & security)
- Analytics: Google Analytics and Cloudflare analytics
Some providers operate globally, which can involve processing outside Australia. Where this occurs, we take reasonable steps under APP 8 to ensure comparable privacy safeguards (e.g., contractual protections, due diligence).
Direct marketing & unsubscribing
We do not sell your data or run third-party advertising. If we send you emails about your account or community updates you opted into, every message includes an unsubscribe link and you can also opt out at /unsubscribe (we maintain a suppression list to honour your choice).
Cookies & similar technologies
We use essential cookies/local storage (e.g., keep you signed in, remember settings) and privacy-respecting analytics. You can block cookies in your browser, but some features may not work as intended.
Security
We apply appropriate safeguards (TLS encryption in transit, least-privilege access, auditing/monitoring, and regular reviews). No method is perfect, but we work to prevent unauthorised access, misuse, alteration, or loss.
Retention & deletion
We keep personal information only as long as needed to operate the service, meet legal obligations, or resolve disputes, then delete or de-identify it.
Indicative periods (to be finalised and published if they change):
- Accounts & profile: retained while your account is active; deleted on request.
- Public listings (events/venues): retained as part of the site’s public record; creators can request removal of outdated/incorrect listings.
- Suppression list (email opt-outs): retained to ensure we honour unsubscribes.
- Security/error logs: ≥30 days (minimum target window while we finalise a standard).
- Backups: rolling backup cycle (typically ~35 days) before automatic purge.
On deletion requests, we remove or de-identify personal information where feasible and permitted. Some records (e.g., logs/backups) are erased on their normal cycles.
Your rights (access, correction, deletion)
You can:
- Access the personal information we hold about you;
- Request corrections to inaccurate or incomplete information;
- Request deletion of your account and personal information (subject to legal/operational constraints).
To exercise these rights, email [email protected]. We’ll respond within a reasonable time.
Children and young people
This is a general-audience community site. If you are under 16, please use the service with a parent or guardian. If we learn we’ve collected personal information from a child without appropriate consent, we’ll delete it.
Data breaches
If an eligible data breach occurs (likely to result in serious harm), we will notify affected users and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches (NDB) scheme.
OAIC: www.oaic.gov.au
Complaints
If you have a privacy concern, please contact [email protected]. We’ll investigate and respond. If you’re not satisfied, you can contact the OAIC (www.oaic.gov.au).
Changes to this policy
We may update this policy to reflect service or legal changes. We’ll post updates here and revise the “Last updated” date above. Significant changes may also be notified by email or in-app.