Privacy Policy
Last updated: 26 May 2026 · Effective: 26 May 2026
Who We Are
Shakewell Wallet Pty Ltd (ABN to be advised) is the entity responsible for the operation of the Shakewell Wallet platform (the "Platform"). Our registered office is 223/111 Harrington Street, The Rocks, NSW 2000, Australia. References in this Policy to "Shakewell Wallet," "we," "us," and "our" are to Shakewell Wallet Pty Ltd.
For matters relating to this Policy, you can contact our Privacy Officer at privacy@shakewellwallet.com.
Scope
This Policy explains how we collect, use, hold, disclose, and protect personal information in connection with shakewellwallet.com and the Platform. It applies to: (a) visitors to our website; (b) prospective and existing customers of the Platform ("Customers"); and (c) end users whose passes are created, distributed, or managed through the Platform ("Passholders").
We act in two distinct capacities. In relation to Customer account data and our website visitors, we act as a data controller (or APP entity, under Australian law). In relation to Passholder data processed on behalf of a Customer, we act as a data processor — the Customer is the controller and remains responsible for the lawfulness of processing.
Information We Collect
Customer account information
- Name, work email address, role, and organisation
- Billing contact details and payment method (processed by our payment provider; we do not store full card numbers)
- Authentication credentials and multi-factor authentication tokens
- Communications you send us (support tickets, sales enquiries, feedback)
Passholder information (processed on behalf of Customers)
- Identifiers chosen by the Customer (e.g. membership ID, name, email, mobile)
- Pass content and state (tier, points balance, expiry, status)
- Installation events, push notification opt-in status, and engagement events
- Optional fields the Customer's signup form requests (e.g. birthday, postcode)
Technical information
- IP address, approximate location derived from IP, device type, browser, and operating system
- Pages viewed, referrers, and time stamps
- Diagnostic and performance information generated by the Platform
How We Collect It
We collect information directly from you when you register for an account, configure templates, distribute passes, or contact us. We collect Passholder information through our Customers — for example, when a Passholder completes a Customer's signup form, or when a Customer issues a pass to a Passholder via the Platform. We also collect technical information automatically through standard server logs and first-party cookies that are strictly necessary for the operation of the Platform.
How We Use It
We use personal information to:
- Provide, maintain, and improve the Platform
- Create, deliver, and update digital passes as directed by the Customer
- Send push notifications and operational communications on a Customer's behalf
- Authenticate users and protect against unauthorised access
- Bill Customers and manage subscriptions
- Comply with legal obligations, respond to lawful requests, and enforce our terms
- Generate aggregated, de-identified analytics about platform usage
We do not sell personal information, and we do not use Passholder data for any purpose other than providing the Platform to the Customer that controls it.
Legal Bases
Where the GDPR applies, our legal bases for processing personal information include: performance of a contract (Article 6(1)(b)), our legitimate interests in operating and securing the Platform (Article 6(1)(f)), compliance with a legal obligation (Article 6(1)(c)), and, where required, consent (Article 6(1)(a)). For Australian Privacy Principles purposes, we collect personal information by lawful and fair means for purposes that are reasonably necessary for our functions and activities.
Sub-Processors
We use a small number of sub-processors to operate the Platform. A current list is published at /sub-processors. We require each sub-processor to commit to data protection obligations that are substantially equivalent to those in this Policy. We provide at least thirty (30) days' notice before adding any new sub-processor that processes Customer personal data, and Customers may subscribe to that notice via the sub-processors page.
International Transfers
Personal information may be transferred to, and processed in, countries other than the country in which you are resident. Where personal information originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of protection, we rely on Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum) to safeguard the transfer.
Data Residency
By default, Customer data and Passholder data are stored in Australia for Australian Customers and in the United States for Customers located outside Australia. Customers on Scale and Enterprise plans may request specific data residency arrangements as part of their contracting.
Retention
We retain personal information only for as long as is necessary for the purposes described in this Policy and to comply with our legal obligations. On cancellation of a Customer's account, Customer and Passholder data are retained in production systems for thirty (30) days and then permanently deleted. Backups containing Customer or Passholder data are retained for up to ninety (90) days and then purged. Customers may request immediate deletion at any time by contacting privacy@shakewellwallet.com.
Your Rights
Subject to applicable law, you may have the right to: (a) access personal information we hold about you; (b) correct inaccurate or incomplete information; (c) request deletion of your personal information; (d) object to or restrict certain processing; (e) request portability of personal information you have provided to us; and (f) withdraw any consent on which we rely.
Where we process Passholder data on behalf of a Customer, requests should ordinarily be directed to that Customer. We will reasonably assist Customers to respond to such requests.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority. If you are in Australia, you can make a complaint to the Office of the Australian Information Commissioner (oaic.gov.au).
Security
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2 or higher) and at rest (AES-256), isolated key management for pass-signing credentials, role-based access controls, and regular security testing. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Further detail is available at /security and from our Trust Center at /trust-center.
Children's Privacy
The Platform is not directed to, and we do not knowingly collect personal information from, individuals under the age of sixteen (16). If you believe a child has provided us with personal information, please contact privacy@shakewellwallet.com and we will take reasonable steps to delete it.
Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by posting an updated version on this page and updating the "Last updated" date above. Where required by law, we will provide additional notice and, where applicable, obtain your consent.
Contact Us
Privacy enquiries, including requests to exercise rights or to receive a copy of our Data Processing Agreement, may be sent to privacy@shakewellwallet.com or by post to:
Privacy Officer · Shakewell Wallet Pty Ltd · 223/111 Harrington Street · The Rocks NSW 2000 · Australia