Privacy Policy

Version 2.5

Last updated: 30 March 2026

1. About This Policy

This privacy policy explains how FindFetcher ("we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our website at findfetcher.com (the "Website"), our mobile application available on iOS and Android (the "App"), and related services (collectively, the "Service").

FindFetcher is an Australian-based service that helps you find deals on products and services by monitoring online sources and notifying you when items matching your criteria are listed.

We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes our practices and your rights under Australian law.

2. Information We Collect

2.1 Information You Provide Directly

When you use our Service, you may provide us with:

  • Account information: Email address, name (optional), and password (stored encrypted)
  • Fetch criteria: Product descriptions, target prices, locations, categories, and search preferences you set up
  • Uploaded images: Product photos you upload to help identify items
  • Communications: Messages you send us through support or feedback channels
  • Payment information: If you subscribe to a paid plan, payment details are processed securely by our payment provider (Stripe) - we do not store your full card details
  • Voice input: Audio recordings when you use voice-to-text to create fetches — transmitted to OpenAI for transcription and not stored by us or OpenAI after processing; only the resulting text is retained

2.2 Information Collected Automatically

When you access our Service, we automatically collect:

  • Device information: Browser type, operating system, device type, app version, mobile device model, and operating system version
  • Push notification tokens: If you enable push notifications on our App, we collect a device token to deliver notifications to your device
  • Usage data: Pages visited, features used, timestamps, and interactions with email and push notifications
  • IP address: Used for security, fraud prevention, and approximate location
  • Cookies: Essential cookies for authentication and session management (see Section 14)
  • Analytics data: Product usage patterns, feature interactions, and page views collected via PostHog and Google Analytics to improve our Service
  • Error and performance data: Application errors, crash reports, and performance metrics collected via Sentry to maintain Service reliability. Error reports may incidentally include technical context such as URLs, device information, and request parameters
  • Email engagement data: We track whether notification emails are opened and which match links are clicked, to improve the relevance of our notifications
  • Fraud prevention identifiers: When you subscribe to a paid plan, we store a hashed card fingerprint (provided by Stripe) to detect trial abuse and prevent fraudulent multiple-account creation. This fingerprint is a one-way hash that cannot be used to identify or reconstruct your actual card details
  • Biometric authentication (mobile): If you enable biometric unlock (Face ID, Touch ID, or fingerprint), authentication is handled entirely on your device using platform-native secure APIs (iOS Keychain / Android Keystore). We do not collect, store, receive, or transmit any biometric data. Biometric authentication is optional — you can always use your password instead

2.3 Information from Third Parties

  • Sign-in providers: If you sign in with Google, we receive your email address and profile name
  • Marketplace data: We collect publicly available listing information from marketplaces (Facebook Marketplace, Gumtree) to match against your fetch criteria

3. How We Collect Your Information

We collect personal information through:

  • Direct collection: When you create an account, set up fetches, upload images, enable push notifications, contact us, or subscribe to paid plans
  • Automatic collection: Through cookies, server logs, and analytics when you use our Website, and through our mobile App
  • Third-party sources: Through OAuth sign-in providers (Google) when you choose to use them

We only collect personal information that is reasonably necessary for our functions and activities. We collect information by lawful and fair means.

4. Why We Collect Your Information

We use your personal information for the following purposes:

  • Provide the Service: Monitor marketplaces based on your fetch criteria and send you notifications when matches are found
  • Account management: Create and maintain your account, authenticate your identity, and manage subscriptions
  • Communication: Send you service notifications, respond to enquiries, and provide customer support
  • Improvement: Analyse usage patterns to improve our Service, develop new features, and fix bugs
  • AI-powered features: Use artificial intelligence to analyse images, parse product descriptions, and improve match accuracy
  • Security: Detect and prevent fraud, abuse, and security threats
  • Legal compliance: Comply with applicable laws, regulations, and legal processes

4.1 Legal Basis for Processing

Under Australian Privacy Principle 3 (Collection) and APP 6 (Use and Disclosure), we process your personal information on the following bases:

Processing Activity | Lawful Basis Under APPs
Account creation & management | Reasonably necessary to provide the Service (APP 3.3)
Monitoring & match notifications | Reasonably necessary to provide the Service (APP 3.3)
AI analysis (images, text, voice) | Reasonably necessary to provide the Service (APP 3.3)
Payment processing | Reasonably necessary to provide the Service (APP 3.3)
Service improvement & analytics | Related secondary purpose you would reasonably expect (APP 6.2(a))
Security & fraud prevention | Related secondary purpose you would reasonably expect (APP 6.2(a))
Marketing communications | With your consent — you can opt out at any time (APP 6.1(a))
Push notifications | With your consent — requires device-level opt-in (APP 6.1(a))
Product analytics (PostHog, Google Analytics) | Related secondary purpose you would reasonably expect (APP 6.2(a))
Error monitoring (Sentry) | Reasonably necessary to provide the Service (APP 3.3)
Email engagement tracking | Related secondary purpose you would reasonably expect (APP 6.2(a))
Fraud prevention (card fingerprinting) | Reasonably necessary to provide the Service (APP 3.3)
Legal compliance & record keeping | Required or authorised by law (APP 6.2(b)) — e.g., tax records, Notifiable Data Breaches scheme

5. What Happens If You Don't Provide Information

You can choose not to provide certain personal information, but this may affect your ability to use our Service:

  • Email address: Required to create an account and receive match notifications - without it, you cannot use the Service
  • Fetch criteria: Required to monitor listings - without specific criteria, we cannot find matches for you
  • Payment information: Required only for paid plans — payment card data is handled directly by Stripe (PCI-DSS Level 1 certified) and is never transmitted to or stored on our servers. You can use our free tier without providing payment details
  • Name: Optional - you may use the Service without providing your name

6. Disclosure of Your Information

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers

We use trusted third-party service providers to help operate our Service. Each provider operates under a data processing agreement or equivalent contractual obligations. Our providers are grouped below by function:

Infrastructure

  • Supabase: Database hosting and authentication (United States / European Union)
  • Vercel: Website hosting and serverless functions (global edge network)
  • Upstash: Redis caching for rate limiting and performance (United States)
  • Trigger.dev: Background job scheduling and processing (United States)

AI & Search

  • Anthropic (Claude): Natural language understanding, image analysis, and match scoring (United States)
  • OpenAI (GPT-4o): Voice transcription and search verification (United States)
  • Google (Gemini): Screenshot-based price extraction and search verification (United States)
  • Perplexity AI: AI-powered search for product discovery (United States)

Payments

  • Stripe: Payment processing for subscriptions (United States) — PCI-DSS Level 1 certified; payment card data is handled directly by Stripe and never touches our servers

Communications

  • Resend: Email delivery for notifications and communications (United States)
  • Apple (APNs): Push notification delivery for iOS devices (United States)
  • Google (FCM): Push notification delivery for Android devices (United States)

Analytics & Monitoring

  • PostHog: Product analytics and user behaviour tracking (United States / European Union)
  • Google Analytics (via Google Tag Manager): Website traffic and usage analytics (United States)
  • Sentry: Application error tracking and performance monitoring (United States)

Mobile

  • Expo (EAS): Mobile app build and over-the-air update delivery (United States)

Web Scraping & Data Collection

  • ScraperAPI: Web scraping infrastructure (United States)
  • Firecrawl: Web page crawling and content extraction (United States)
  • Jina AI: Web content reading and extraction (United States)
  • Tavily: AI-powered web search (United States)
  • Brave Search: Web search API (United States)

These scraping and search services receive only public URLs and search queries — they do not receive your personal information, account details, or payment data.

Marketplace APIs

  • Ticketmaster: Event and ticket listing data (United States)
  • eBay: Product and auction listing data (United States)
  • Google Calendar API: Calendar integration for Pro plan users (United States)
  • SeatGeek: Event and ticket listing data (United States)
  • Browserless: Browser automation for data collection (United States)

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government authority, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.3 Business Transfers

If FindFetcher is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

7. Overseas Disclosure

Your personal information may be disclosed to, and stored by, service providers located outside Australia. The countries where your data may be processed include:

  • United States: Supabase, Vercel, Upstash, Trigger.dev, Anthropic, OpenAI, Google (Gemini, Analytics, Calendar, FCM), Perplexity AI, Stripe, Resend, Apple, Expo, ScraperAPI, Firecrawl, Jina AI, Tavily, Brave Search, Ticketmaster, eBay, SeatGeek, Browserless, PostHog, Sentry
  • European Union: Supabase (regional data centres), PostHog (regional data centres)

Safeguards for Overseas Transfers

Under Australian Privacy Principle 8, we remain accountable for how overseas recipients handle your personal information. We take reasonable steps to ensure our overseas service providers do not breach the Australian Privacy Principles, including:

  • Contractual obligations: Data processing agreements (DPAs) or equivalent contractual protections with all providers that process personal information
  • Security certifications: Our key providers maintain recognised security certifications including SOC 2 Type II, ISO 27001, and PCI-DSS Level 1 (Stripe)
  • Data minimisation: We only share the minimum information necessary for each provider to perform its function — for example, scraping and search providers receive only public URLs and queries, not personal data
  • Encryption in transit: All data transmitted to overseas providers is encrypted using TLS 1.2 or higher
  • Periodic review: We periodically review our service providers' security practices and compliance status

8. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

Technical Measures

  • Password hashing using bcrypt
  • HTTPS/TLS encryption for all data in transit
  • Row-level security in our database ensuring users can only access their own data
  • Secure API authentication using industry-standard protocols
  • Encrypted local storage on mobile devices for authentication tokens (using platform-native secure storage)

Organisational Measures

  • Access to personal information is limited to authorised personnel only
  • Regular security reviews and updates
  • Use of reputable, security-certified service providers

Data Breach Response

In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, we maintain the following data breach response procedures:

  • Assessment: Upon discovering a suspected breach, we will conduct an assessment within 30 days to determine whether it is likely to result in serious harm
  • Notification to you: If a breach is assessed as notifiable, we will notify affected users as soon as practicable via email and push notification (if enabled), including: a description of the breach, the types of information involved, and recommended steps you should take (e.g., changing your password)
  • Notification to the OAIC: We will submit a notification statement to the Office of the Australian Information Commissioner as required by law
  • Remediation: We will take immediate steps to contain the breach, including revoking compromised tokens, forcing password resets where appropriate, and engaging external security experts if necessary

9. Data Retention

We retain your personal information according to the following schedule:

Data Type | Retention Period
Account data (email, name, preferences) | While account is active + 30 days after deletion
Fetch criteria & match history | While account is active; deleted with account
Uploaded images | While associated fetch is active + 30 days
Voice recordings | Not stored — transcribed in real time and discarded
Payment records | 7 years (Australian tax law requirements)
Server logs | 90 days
Usage analytics | 12 months in aggregated, anonymised form
Database backups | 30-day rolling retention
Push notification tokens | While push notifications are enabled; removed on opt-out
Support communications | 2 years from last interaction
Card fingerprint (hashed) | While account is active; deleted with account
Analytics data (PostHog) | 12 months, then anonymised
Analytics data (Google Analytics) | 14 months (Google default), then deleted
Error reports (Sentry) | 90 days
Email engagement data | 12 months

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain certain information (e.g., financial records for tax purposes). Data may persist in encrypted database backups for up to 30 days after deletion, after which it is permanently removed.

10. Fetch-A-Friend Referral Program Data

If you participate in our Fetch-A-Friend referral program, we collect and use additional information as described below.

10.1 Referral Data We Collect

When you participate in the referral program, we collect:

  • Referral code: A unique code generated for your account (e.g., "FETCH-ABC123")
  • Referral relationships: Records linking referrers to referred users
  • Referral status: Whether a referral is pending, rewarded, expired, or revoked
  • Timestamps: When referrals were created, qualified, rewarded, or revoked

10.2 How We Use Referral Data

We use referral data to:

  • Track and award bonus fetch slots to both referrers and referred users
  • Display your referral statistics on your dashboard
  • Send notifications about referral rewards and status changes
  • Detect and prevent fraudulent referral activity
  • Manage slot deactivation when subscription status changes

10.3 Information Shared with Other Users

To provide a personalised experience, we share limited information between referral participants:

  • Referral landing page: When someone visits your referral link, they see your first name only (not your full name or email)
  • Referrer's dashboard: You can see the first names of users you've referred, along with their referral status
  • Referred user: You can see the first name of the person who referred you

We do not share email addresses, full names, or other personal details between referral participants.

10.4 Referral Data Retention

Referral records are retained as follows:

  • Active referrals: Retained while both users maintain active accounts
  • Expired referrals: Pending referrals that are not completed within 30 days are marked as expired and retained for 12 months for analytics
  • Revoked referrals: Records of revoked slots are retained for dispute resolution and audit purposes
  • Account deletion: If you delete your account, your referral records are anonymised or deleted within 30 days, except where linked to another user's active bonus slot

11. Your Rights Under Australian Law

Under the Privacy Act and Australian Privacy Principles, you have the following rights:

11.1 Right to Access

You can request access to the personal information we hold about you. We will provide this information within a reasonable timeframe, usually within 30 days.

11.2 Right to Correction

If you believe the personal information we hold about you is inaccurate, incomplete, or out of date, you can request that we correct it. You can update most information directly in your account settings.

11.3 Right to Delete

You can delete your account at any time through your account settings. This will result in the deletion of your personal data within 30 days.

11.4 Right to Data Portability

You can request an export of your data in a machine-readable format (JSON or CSV). Your export will include your account information, fetch criteria, match history, and preferences. We will provide this export within 30 days of your request.

11.5 Right to Withdraw Consent

Where we process your information based on consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing before the withdrawal.

11.6 Right to Opt-Out of Marketing

You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or updating your notification preferences in your account settings.

11.7 Right to Object

Where we process your personal information on the basis of legitimate interest (see Section 4.1), you have the right to object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

How to Exercise Your Rights

To exercise any of these rights, please contact us at joey@findfetcher.com.au. We may need to verify your identity before processing your request.

  • Acknowledgment: We will acknowledge your request within 7 days
  • Response: We will respond to your request within 30 days
  • Marketing opt-out: Marketing opt-out requests will be actioned within 48 hours, and no later than 5 business days as required by the Spam Act 2003

12. Anonymity and Pseudonymity

Under APP 2, you have the option to interact with us anonymously or using a pseudonym where practicable. However, due to the nature of our Service:

  • An email address is required to create an account and receive match notifications
  • You may use any name or pseudonym for your account display name
  • You can browse our public website without creating an account

If you contact us with general enquiries, you may do so without identifying yourself.

13. Automated Decision-Making and AI

13.1 How We Use AI

AI is central to how FindFetcher operates. We use multiple AI providers to deliver our Service:

  • Natural language understanding: Anthropic Claude analyses your text descriptions to extract search criteria and constraints
  • Image analysis: Anthropic Claude identifies products from uploaded images and suggests search criteria
  • Voice transcription: OpenAI converts your voice input to text
  • Search & verification: OpenAI GPT-4o and Perplexity AI search for products and verify pricing information (GPT-4o serves as a fallback provider)
  • Screenshot price extraction: Google Gemini analyses page screenshots to extract pricing when text-based methods are unavailable
  • Search verification: Google Gemini provides supplementary product search results
  • Match scoring: Anthropic Claude scores and ranks listing matches based on how well they meet your criteria — scores represent a probabilistic assessment, not a guarantee

13.2 Limitations and Accuracy

We want to be transparent about the limitations of AI-powered features:

  • AI-generated results may contain errors, inaccuracies, or incomplete information
  • Match confidence scores are probabilistic estimates and should be treated as guides, not definitive assessments
  • Product identification, price extraction, and search results may not always be accurate
  • AI performance may vary across categories, product types, and marketplaces
  • We do not use AI to make decisions about your account access, pricing, or standing

FindFetcher is a discovery tool, not a purchasing advisor. You should independently verify all information before making purchasing decisions.

13.3 Right to Explanation and Human Review

You have the right to:

  • Request an explanation of how match scoring works for your fetches
  • Request human review of your fetch configuration and match results
  • Adjust your fetch criteria at any time to refine results

To request an explanation or human review, contact us at joey@findfetcher.com.au.

13.4 AI Data Processing

Your data is transmitted securely (TLS-encrypted) to AI providers for processing. Our AI providers (Anthropic, OpenAI, and Google) are contractually prohibited from using your data to train their models when accessed via their API services. This means your search criteria, images, and voice transcriptions are processed but not retained for model training. Data sent to AI providers includes only the information necessary for the specific function (e.g., an image for analysis, text for parsing) and does not include your identity or account information.

14. Cookies and Tracking Technologies

Essential Cookies

We use essential cookies that are necessary for the Service to function properly:

Cookie Name | Purpose | Duration
sb-*-auth-token | Supabase authentication — keeps you logged in | Session / up to 1 year
sb-*-auth-token-code-verifier | PKCE security — protects the authentication flow | Session

The "*" in cookie names represents your project identifier. These are strictly necessary cookies and cannot be disabled without losing the ability to stay logged in.

Analytics Cookies

We use the following analytics services to understand how our Service is used and to improve it:

Service | Purpose | Data Collected
PostHog | Product analytics — understanding feature usage and improving the Service | Page views, feature interactions, anonymised usage patterns
Google Analytics (via Google Tag Manager) | Website traffic analytics — understanding visitor behaviour | Page views, session duration, device type, approximate location (country/region)

Opting Out of Analytics

  • Google Analytics: You can opt out by installing the Google Analytics Opt-out Browser Add-on
  • PostHog: PostHog respects your browser's Do Not Track (DNT) signal. You can also disable analytics in your account settings

What We Don't Use

We do not use third-party advertising cookies, cross-site tracking cookies, or retargeting pixels. We do not share cookie or analytics data with advertisers or data brokers. Our analytics are used solely to improve our Service and are not used to build advertising profiles.

Managing Cookies

You can control cookies through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of our Service, including staying logged in. Disabling analytics cookies will not affect your ability to use the Service.

Mobile App Storage

Our mobile App does not use browser cookies. Instead, we use platform-native secure storage (such as iOS Keychain and Android Keystore) to store authentication tokens locally on your device. These tokens are encrypted and only accessible by the FindFetcher App.

Do Not Track (DNT)

FindFetcher does not use cross-site tracking cookies or advertising cookies. Our analytics provider PostHog respects Do Not Track (DNT) signals — if your browser sends a DNT signal, PostHog will not collect analytics data from your session. Google Analytics does not natively support DNT, but you can opt out using the browser extension linked above.

15. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18 without appropriate parental consent, we will take steps to delete that information as soon as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at joey@findfetcher.com.au. We will verify your identity and delete the child's information within 7 business days.

16. Third-Party Links

Our Service may contain links to third-party websites, including marketplace listings on Facebook Marketplace, Gumtree, and other platforms. We are not responsible for the privacy practices of these external sites.

When you click on a match notification, you will be directed to the original marketplace listing. We encourage you to review the privacy policies of any third-party sites you visit.

17. Making a Complaint

If you believe we have breached your privacy or mishandled your personal information, you can make a complaint.

Step 1: Contact Us

Please first contact us directly at joey@findfetcher.com.au. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

Step 2: Internal Review

We will investigate your complaint and provide you with a written response explaining the outcome and any actions we have taken.

Step 3: External Review

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

18. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make significant changes, we will:

  • Update the "Last updated" date and version number at the top of this policy
  • Notify you via email, through a notice on our Website, or through an in-app notification in our mobile App
  • For material changes affecting your rights, we may seek your consent before the changes take effect

Your continued use of our Service after changes are posted constitutes acceptance of the updated policy.

19. Contact Us

If you have any questions about this privacy policy, our data practices, or wish to exercise your privacy rights, please contact us:

FindFetcher Privacy Contact

Email: joey@findfetcher.com.au

Website: findfetcher.com.au

FindFetcher is operated by Joseph Douglas Krosch (ABN 12 842 265 699), trading as FindFetcher.

This privacy policy is governed by the laws of Australia. By using FindFetcher, you acknowledge that you have read and understood this policy.