Privacy Policy

Entity: CR&CO Services — Proudly family owned & operated • Sole Trader (QLD, Australia)

ABN: 47 685 207 192

Effective: 22 September 2025

Contacts: support@crnco.com.au • privacy@crnco.com.au

This Privacy Policy explains what we collect, why we collect it, how we use and share it, and your choices. It should be read with our Terms of Service and Code of Conduct.

1) Scope & Definitions

“Service” means CR&CO Services’ online platform, website (crnco.com.au), mobile applications, and related products/features (including Memory Link, Universal Tags, Pet Tags, Support Payments, Boosts, Connect/Connected).

“You” means a visitor, registered supporter, or client (creator/campaign owner). “Responsible Adult” means a verified parent/caregiver/legal guardian supervising a minor’s use.

2) What We Collect

• Account & Profile Data: name, email, password (hashed), optional phone, display name, settings (visibility, Connect permissions), Stripe connection status (not card numbers), KYC status (pass/fail flags/timestamps from Stripe).
• Content & Campaign Data: posts, media, Memory Links, tag assignments (Pet Tags, Universal Tags including Memorials/Exhibitions), captions, metadata, and visibility (Private, Community, Public).
• Support & Boost Activity: event confirmations and amounts required for receipts, splits, and analytics. We do not store full card numbers.
• Device/Technical Data: IP address, device/browser type, OS, language, referral URL, approximate location (from IP), session logs, crash logs, cookies.
• Usage Data: pages viewed, features used (e.g., emoji reactions), Connect requests/approvals (timestamps), and fraud/safety signals.
• Communications: messages you send to support or safety channels, moderation reports, and our replies.

3) Payments & Stripe

We use Stripe for Support Payments and Boosts, and for our own product checkouts (e.g., subscriptions, tags). Stripe is an independent payment service provider and may act as its own controller for payment data.

• Card details are handled by Stripe. CR&CO Services does not store full card numbers.
• We receive limited payment metadata (e.g., success/failure, amounts, timestamps, last 4 digits) to operate features, receipts, and the 80/20 split.
• Creators must complete Stripe onboarding/KYC to receive payouts.

4) Why We Use Your Data

• Provide the Service: account creation, login, content hosting, tags, Memory Link, visibility/Connect settings, Support/Boost features.
• Payments & Receipts: verify transactions, apply revenue splits, enable payouts, and show campaign totals and recognition.
• Safety & Moderation: detect/prevent fraud, abuse, harassment; enforce the Code of Conduct; protect minors; handle reports/appeals.
• Improve & Support: troubleshoot, analytics, measure feature performance, improve reliability.
• Legal Compliance: AML/CTF, sanctions screening, tax/audit obligations, responding to lawful requests.
• Communications: transactional notices, security alerts, policy updates; optional product news if you opt in.

5) Lawful Bases (where applicable)

• Contract: to provide the Service you request (accounts, campaigns, Support/Boost processing via Stripe).
• Consent: optional marketing; minors’ access via a Responsible Adult; sensitive content tags where required.
• Legitimate Interests: platform safety, fraud prevention, analytics, product improvement (balanced against your rights).
• Legal Obligation: AML/CTF, sanctions, tax, safety reporting, lawful requests from authorities.
• Vital Interests: rare cases involving imminent risk of serious harm.

6) Sharing & Disclosures

• Processors: hosting, storage, analytics, email, customer support tools that help us operate the Service under contract.
• Stripe: for payment processing, KYC, and payouts. Stripe may separately process data under its own terms.
• Legal/Safety: if required by law, regulation, court order, or to protect users and the Service (e.g., fraud, harm, child protection).
• Business Events: if we reorganise, merge, or transfer parts of the business, data may transfer under similar protections.
• No sale of children’s data: we do not sell children’s personal data.

7) International Transfers

We may store or process data outside your country. Where required, we use recognised safeguards (e.g., standard contractual clauses) or rely on other lawful transfer mechanisms.

8) Retention

We keep data only as long as needed to operate the Service and for legitimate purposes (safety, fraud prevention, legal/tax/audit obligations). When no longer required, we delete or de-identify it. Transaction logs and moderation records may be retained for required periods.

9) Your Choices & Rights

• Access, Correct, Delete: request a copy, fix errors, or ask us to delete data where applicable.
• Object/Restrict: in some cases you can object to or restrict certain processing.
• Portability: request a copy in a portable format where technically feasible.
• Withdraw Consent: for any processing based on consent (e.g., marketing), you can opt out at any time.
• Australia (OAIC): you may have additional rights under the Privacy Act. You can also complain to the Office of the Australian Information Commissioner if unresolved.

Contact privacy@crnco.com.au to exercise rights or ask questions. We may verify identity to protect your account.

10) Children & Teens

• Child profiles are private by default and supervised by a Responsible Adult who controls sharing, Connect approvals, and can revoke access.
• We do not knowingly permit minors to receive payouts. KYC is required for adult payouts.
• We maintain reporting mechanisms and retain evidence as required by law to support investigations into child safety concerns.

11) Security

We use technical and organisational measures to protect data (encryption in transit, access controls, logging, backups). No system is 100% secure. Report suspected issues to security@crnco.com.au or privacy@crnco.com.au.

12) Cookies & Similar Technologies

We use cookies and similar technologies for essential functions (login, security), preferences, analytics, and to improve the Service. You can control cookies via your browser; blocking some cookies may affect functionality.

13) Communications Preferences

We send transactional messages (receipts, security alerts, policy updates). You may opt out of marketing emails via the unsubscribe link or in settings. We may still send essential notices.

14) Links & Third Parties

Third-party sites/services (including Stripe) have their own privacy policies. We are not responsible for their practices. Review their policies before use.

15) Changes to This Policy

We may update this Privacy Policy. For material changes affecting your rights or obligations, we will provide at least 30 days’ notice by email to registered users and/or a prominent in-service notice. Continued use after changes = acceptance.

16) Contact & Complaints

Questions or complaints: privacy@crnco.com.au. We aim to respond promptly. If unresolved, you may contact the Office of the Australian Information Commissioner (OAIC).