Legal
Privacy Policy
Effective date: 18 February 2026 · Last updated: 18 February 2026
Note: This policy refers to "Wabi Pty Ltd" as the operating entity. The corporate entity name may change. Any successor entity will honour this policy in full.
At Wabi, we take privacy seriously. This policy explains what data we collect, why we collect it, how we use it, and what rights you have. We've written it to be clear and readable — not to bury things in legalese.
This policy applies to all users of the Wabi platform, including business owners, their staff, and their end customers whose data is processed through Wabi.
1. Who We Are
Wabi Pty Ltd (ABN pending) is an Australian company that provides a modular business management platform. We are the data controller for data collected through our platform.
When our customers (businesses) use Wabi to process their own customers' data, the business is the data controller and Wabi acts as a data processor on their behalf.
2. What Data We Collect
Account Data
When you sign up for Wabi, we collect:
- Business name and type
- Owner/admin name
- Email address
- Phone number
- Business address
Transaction Data
When you use Wabi POS, we process:
- Transaction amounts, items, and timestamps
- Payment method type (card, cash, etc.)
- Refund and void records
We never store full card numbers, CVVs, or card PINs. Payment card data is handled entirely by Stripe (see Section 5).
Staff Data
If you use the Team module, you may store:
- Staff names, roles, and contact details
- Rosters and shift schedules
- Clock-in and clock-out records
Customer Data (Your Customers)
Through the CRM and Booking modules, your customers' data may include:
- Names and contact information
- Booking and visit history
- Loyalty program participation
- Preferences and notes
Operational Data
Inventory levels, menu items, floor plans, and other business configuration data you enter into the platform.
Usage Data
We automatically collect:
- Device type and browser information
- IP address and approximate location
- Pages visited and features used
- Performance and error data
3. Why We Collect Data
| Purpose | Legal Basis |
|---|
| Provide and operate the Wabi platform | Contract performance |
| Process payments via Stripe | Contract performance |
| Send service communications (receipts, alerts) | Contract performance |
| Provide AI-powered business insights | Contract performance |
| Improve the platform and fix bugs | Legitimate interest |
| Send marketing communications | Consent (opt-in) |
| Comply with legal obligations | Legal obligation |
| Prevent fraud and abuse | Legitimate interest |
4. Wabi Intelligence (AI Data Processing)
Wabi Intelligence uses large language models to analyse your business data — identifying trends, surfacing insights, and providing recommendations.
Here's how it works:
- What it analyses: Your sales data, customer patterns, booking trends, inventory movements, and staff metrics
- What it produces: Qualitative insights and recommendations. Intelligence never generates financial figures or numbers — all numerical data comes directly from your records.
- Your data is not used to train AI models. Your business data stays yours.
- Data isolation: Each business's data is processed in isolation. Your data is never mixed with other businesses' data.
- AI processing may involve sending data to third-party LLM providers. When this occurs, data is transmitted securely and subject to data processing agreements that prohibit training on your data.
5. Payment Data & PCI Compliance
All payment card processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. When your customers pay by card:
- Card data goes directly to Stripe — it never touches Wabi's servers
- We only receive a tokenised reference and transaction confirmation
- Stripe processes transactions at 2.6% + $0.10 per transaction
- Stripe's privacy policy and terms apply to payment processing: stripe.com/privacy
6. Biometric Data
Wabi may in the future offer biometric features, such as facial recognition for staff clock-in. If and when we introduce biometric features:
- Use will be optional and require explicit, informed consent from each individual
- Biometric data will be stored securely using encryption
- You will be able to delete biometric data at any time
- We will comply with all applicable biometric data laws, including providing specific notices where required
We will update this policy with detailed biometric provisions before any such features are released.
7. Who We Share Data With
We don't sell your data. We share it only with:
| Third Party | Purpose | Data Shared |
|---|
| Stripe | Payment processing | Transaction data, tokenised card info |
| Email service provider | Transactional & marketing emails | Email addresses, names |
| Analytics providers | Platform usage analysis | Anonymised/pseudonymised usage data |
| Cloud infrastructure | Hosting and storage | All platform data (encrypted) |
| LLM providers | AI-powered insights | Business data for analysis (not for training) |
All third-party providers are bound by data processing agreements. We also may disclose data when required by law, court order, or to protect the rights, safety, or property of Wabi or others.
8. Data Retention & Deletion
- Active accounts: We retain your data for as long as your account is active.
- Cancelled accounts: After cancellation, we retain your data for 30 days to allow you to export it or reactivate. After 30 days, data is permanently deleted.
- Transaction records: We may retain anonymised transaction records for up to 7 years for legal and tax compliance.
- Usage data: Retained for up to 24 months, then deleted or anonymised.
- Backups: Data in backups is purged within 90 days of deletion from the live system.
You can request deletion of your data at any time by contacting us at privacy@wabify.com.
9. Your Rights
Depending on where you are, you may have the following rights:
- Access — Request a copy of the personal data we hold about you
- Correction — Ask us to correct inaccurate or incomplete data
- Deletion — Ask us to delete your personal data
- Data portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interests
- Restriction — Request we restrict processing of your data
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email privacy@wabify.com. We'll respond within 30 days.
If you are a customer of one of our business users and want to exercise rights over data held within their Wabi account, please contact the business directly — they are the data controller for your information.
10. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies: Authentication, security, and platform functionality (always active)
- Analytics cookies: Understanding how the platform is used (can be opted out)
- Preference cookies: Remembering your settings (can be opted out)
We do not use third-party advertising cookies or sell data to advertisers. You can manage cookie preferences in your browser settings or through our cookie banner.
11. Data Security
We protect your data with:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication for all systems
- Regular security assessments and monitoring
- Incident response procedures with notification within 72 hours of a confirmed breach
No system is 100% secure. We work hard to protect your data, but we cannot guarantee absolute security.
12. Australian Privacy Principles
We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). In particular:
- We only collect personal information that is reasonably necessary for our functions (APP 3)
- We take reasonable steps to notify individuals of the collection of their data (APP 5)
- We only use or disclose personal information for the purpose for which it was collected, or a directly related purpose (APP 6)
- We take reasonable steps to protect personal information from misuse, interference, and loss (APP 11)
- Individuals can access and correct their personal information (APPs 12–13)
If you're not satisfied with how we've handled your data, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
13. GDPR-Ready Provisions
If you are located in the European Economic Area (EEA) or the United Kingdom, the following additional provisions apply:
- Legal basis: We process your data based on contract performance, legitimate interests, consent, or legal obligations (see Section 3)
- International transfers: Your data may be transferred to and processed in Australia. We ensure appropriate safeguards are in place, including standard contractual clauses where required.
- Data Protection Officer: You can contact our privacy team at privacy@wabify.com
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority
14. Children's Privacy
Wabi is a business platform. It is not directed at children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child's data has been submitted to Wabi, please contact us at privacy@wabify.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we'll provide at least 30 days' notice via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.
16. Contact Us
For any questions about this Privacy Policy or how we handle your data:
Wabi Pty Ltd
Privacy Team
Email: privacy@wabify.com
Web: wabify.com