Privacy Policy
This Privacy Policy explains how PBX1 Fadez & Cuts ("PBX1", "we", "us", "our"), operated by RS SUMAN PTY LTD, collects, uses, stores and shares your personal information when you use our mobile app, web app and related services (together, the "Services"). We are an Australian business based in Sydney, New South Wales, and we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Who we are
PBX1 Fadez & Cuts operates two barbershop locations in Sydney and provides this app so customers can book appointments, browse hair-care products and merchandise, and redeem loyalty points. Barbers use the app to manage their schedule and chair; admin staff use it to run the shop.
2. Information we collect
We collect the following categories of personal information, only as needed for the purposes described in section 3.
2.1 Account information
- Full name
- Email address
- Mobile phone number
- Password (stored only as a salted hash, so we never see your plain-text password)
- Date of birth (optional, used for birthday offers and age-appropriate services)
2.2 Booking information
- Chosen location, service, barber, date and time
- Booking notes you provide
- Payment method on file and any deposit paid
- Contact details associated with that specific booking (phone, email)
2.3 Hair profile (optional)
- Hair type, length and texture
- Known allergies or skin sensitivities
- Personal notes you choose to share with your barber
2.4 Family bookings
If you book on behalf of a child, we collect the child's first name and date of birth so the barber can deliver an age-appropriate service. This information is only collected from the parent or legal guardian and is never used for marketing.
2.5 Photos
You may optionally upload photos of your hair, your finished look or your purchases. Photos are only uploaded with your explicit in-app consent. You can delete any photo you have uploaded at any time from your profile.
2.6 Loyalty programme
- Current points balance
- Transaction history (points earned and redeemed)
2.7 Reviews
- Star rating
- Written review body
- Optional photo attachment
2.8 Payments
Where card payments apply, they are processed by Stripe. We store the transaction amount, the brand and last four digits of the card, and a Stripe customer reference. We do not store full card numbers, CVV codes or expiry dates on our servers.
2.9 Notifications
When you opt in to push notifications, we store an anonymous Apple or Google device token so we can send you booking reminders, confirmations and offers you have asked for.
2.10 Analytics
We collect anonymised, aggregated event counts (for example, "X bookings were started today") to understand how the app is used and to fix bugs. These counts are not linked to your identity.
2.11 Technical information
When you use the app we automatically receive limited technical information such as device type, operating system version, app version, approximate region (city level) and crash diagnostics. This is used for security, debugging and improving the product.
3. Why we use it
| Purpose | Information used |
|---|---|
| Creating and securing your account | Account, technical |
| Taking and managing bookings | Booking, account, hair profile, family |
| Processing deposits, sales and refunds | Payments, booking, account |
| Running the loyalty programme | Loyalty, account, booking |
| Sending booking reminders and receipts | Notifications, account, booking |
| Displaying reviews to other customers | Reviews (your display name only) |
| Improving the app and fixing bugs | Analytics, technical |
| Meeting our tax and legal obligations | Payments, booking |
4. When we share your information
We never sell your personal information. We share it only with the trusted processors listed below, and only to the extent needed to deliver the Services. Each processor is contractually required to protect your data.
| Processor | What it does | Privacy contact |
|---|---|---|
| Supabase | Database, authentication and file storage hosting | privacy@supabase.io |
| Stripe | Card payment processing | privacy.stripe.com |
| Cloudflare | Content delivery network and edge security | privacy@cloudflare.com |
| Apple Push Notification service | Push notifications on iOS (where enabled) | apple.com/legal/privacy |
| Google Firebase Cloud Messaging | Push notifications on Android (where enabled) | policies.google.com/privacy |
Some of these processors may store data outside Australia (most commonly in the United States or the European Union). Where that happens, we rely on the recipient's contractual commitments to provide a level of protection comparable to the Australian Privacy Principles.
We may also disclose information where required by Australian law, by a court order, or to protect the safety of our staff or customers.
5. How long we keep it
- Booking and payment records: retained for at least 7 years to meet our taxation and consumer-law obligations.
- Account profile: retained while your account is active; deleted within 30 days of a verified deletion request, subject to the 7-year rule above for finance records (which are de-identified where possible).
- Photos: you can delete any photo from your profile at any time; deleted photos are removed from our storage within 30 days.
- Loyalty history: retained while your account is active; cleared on account deletion.
- Analytics: retained in aggregated form indefinitely.
6. How we secure your information
- All traffic between the app and our servers is encrypted in transit (TLS 1.2+).
- Data at rest in Supabase is encrypted using industry-standard ciphers.
- Passwords are stored only as salted hashes.
- Access to production data is limited to a small number of authorised staff and is logged.
- We use row-level security so that one customer cannot read another customer's data.
7. Your rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you.
- Correct any information that is inaccurate, out of date, incomplete or misleading.
- Delete your account and the personal information associated with it (subject to records we are legally required to keep). See our Delete Your Account page.
- Withdraw consent at any time for any processing that depends on your consent, including marketing emails, SMS and push notifications.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your information.
To exercise any of these rights, email admin@pbx1fadezandcuts.com.au. We respond within 30 days.
8. Children
Our Services are intended for customers aged 13 and over. Where a parent or guardian books a service for a younger child, the parent or guardian remains responsible for the account and for any information provided about the child. We do not knowingly collect personal information directly from children under 13.
9. Cookies and similar technologies
Our web app uses a small number of strictly necessary cookies and local-storage entries to keep you signed in and remember your preferences. We do not use third-party advertising or tracking cookies.
10. Marketing communications
We will only send you marketing emails, SMS or push notifications if you have opted in. You can opt out at any time from inside the app under Settings → Notifications, or by using the unsubscribe link in any marketing email.
11. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you inside the app before the change takes effect.
12. Contact us
If you have any questions, requests or complaints about this policy or about how we handle your information, please contact our privacy officer:
PBX1 Fadez & Cuts (RS SUMAN PTY LTD)
Email: admin@pbx1fadezandcuts.com.au
Postal: Sydney, NSW, Australia