GUESTGAIN PRIVACY POLICY

Effective Date: 17 January 2026

ABN: 66 694 395 787 | GUESTGAIN PTY LTD

AUSTRALIAN PRIVACY LAW COMPLIANCE STATEMENT

This Privacy Policy is prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. We are committed to protecting your personal information and being transparent about how we handle it.

1. INTRODUCTION AND SCOPE

1.1. About Us: GUESTGAIN PTY LTD ("GuestGain," "we," "us," or "our") operates the guestgain.ai platform (the "Platform"), which connects short-term rental hosts with guests to facilitate checkout task completion in exchange for rewards.

1.2. Scope: This Privacy Policy applies to all personal information collected by GuestGain through:

  • The Platform at guestgain.ai and any associated applications;
  • Email and other communications with us;
  • Third-party integrations (property management systems, payment processors);
  • Our verification and fraud prevention systems.

1.3. Voluntary Compliance: Regardless of our annual turnover, we commit to handling personal information in compliance with the APPs as a matter of best practice and respect for user privacy.

2. AUSTRALIAN PRIVACY PRINCIPLES COMPLIANCE

This Policy addresses each of the 13 Australian Privacy Principles:

  • APP 1: Open and transparent management (Section 1)
  • APP 2: Anonymity and pseudonymity (Section 3.6)
  • APP 3: Collection of solicited personal information (Section 3)
  • APP 4: Dealing with unsolicited personal information (Section 3.7)
  • APP 5: Notification of collection (Section 3)
  • APP 6: Use or disclosure (Section 4)
  • APP 7: Direct marketing (Section 4.5)
  • APP 8: Cross-border disclosure (Section 5)
  • APP 9: Adoption of government identifiers (Section 3.8)
  • APP 10: Quality of personal information (Section 7)
  • APP 11: Security of personal information (Section 6)
  • APP 12: Access to personal information (Section 8)
  • APP 13: Correction of personal information (Section 8)

3. COLLECTION OF PERSONAL INFORMATION (APP 3, 5)

3.1. Types of Information Collected: We collect personal information that is reasonably necessary for the operation of the Platform and provision of our services.

3.2. Identity and Contact Data (from all Users):

  • Full name;
  • Email address;
  • Phone number (where provided);
  • Account credentials (username and hashed password);
  • Booking reference numbers.

3.3. User Content (from Guests):

We collect photographs and videos submitted as evidence of task completion. This content may include:

  • Images of completed tasks;
  • Incidental captures of faces or personal items;
  • Property interiors and exteriors.

3.4. Forensic Metadata (from User Content submissions):

Important: Metadata Collection Notice

Submitted photographs and videos may contain embedded metadata that we collect and analyse for verification and fraud prevention purposes.

We collect and analyse the following metadata:

  • EXIF Data: Camera make/model, image dimensions, creation timestamps, and file properties;
  • GPS Coordinates: Location data embedded in photographs (where device settings permit);
  • Timestamp Information: Date and time of capture, timezone data;
  • Device Information: Device type, operating system version, and unique device identifiers;
  • Manipulation Indicators: We analyse metadata for signs of editing, tampering, or manipulation (flagged as "metadata_flags" in our systems).

3.5. Technical and Usage Data:

  • IP addresses;
  • Browser type and version;
  • Pages visited and actions taken on the Platform;
  • Referral URLs;
  • Session identifiers.

3.6. Anonymity (APP 2): Due to the nature of our service (verifying task completion and processing rewards), it is not practicable for users to deal with us anonymously or under a pseudonym. We require accurate identity information to prevent fraud and facilitate reward payments.

3.7. Unsolicited Information (APP 4): If we receive personal information that we did not solicit and that information is not reasonably necessary for our functions, we will destroy or de-identify that information as soon as practicable, unless retention is required by law.

3.8. Government Identifiers (APP 9): We do not collect or use Australian government identifiers (such as tax file numbers or Medicare numbers) as identifiers for individuals. Our system uses proprietary String(32) identifiers generated using cryptographically secure methods.

4. USE AND DISCLOSURE OF PERSONAL INFORMATION (APP 6)

4.1. Primary Purposes: We collect, hold, and use your personal information for the following primary purposes:

  • Operating and providing the Platform;
  • Verifying guest bookings and stay information;
  • Processing and verifying task completion submissions;
  • Facilitating reward payments;
  • Preventing and detecting fraud;
  • Communicating with you about your account and transactions.

4.2. Verification and AI Processing: User Content (photographs and videos) and associated metadata are processed through our verification systems, which include:

  • Truth Engine: Our AI-assisted verification system that analyses submissions for authenticity and task completion;
  • AI Confidence Scoring: Automated assessment of submission quality and authenticity (stored as "ai_confidence");
  • Perceptual Hashing: Image fingerprinting to detect duplicate or manipulated submissions (stored as "image_hash").

Human-in-the-Loop Disclosure

While automated systems assist in the initial assessment of submissions, final decisions regarding reward approval or rejection may involve human oversight. This ensures fairness and accuracy, particularly during the current phase of platform development. No fully automated decision will result in significant effects on your rewards without the opportunity for human review.

4.3. Disclosure to Third Parties: We may disclose your personal information to:

  • Hosts: Guest names, email addresses, and submission information necessary for task management;
  • Payment Processors: Information required to process reward payments (e.g., Stripe);
  • Cloud Infrastructure Providers: For data storage and processing (see Section 5);
  • Professional Advisers: Lawyers, accountants, and auditors where reasonably necessary;
  • Regulatory Authorities: Where required by law or to protect our legal rights.

4.4. AI Model Training: As disclosed in our Terms of Service, User Content may be used to train, improve, and develop our AI verification systems. This processing is conducted in accordance with the licence granted by users upon submission.

4.5. Direct Marketing (APP 7): We may use your contact information to send you service-related communications. We will not use your information for direct marketing purposes unrelated to our services without your express consent. You may opt out of marketing communications at any time by contacting us or using unsubscribe links.

5. CROSS-BORDER DISCLOSURE OF PERSONAL INFORMATION (APP 8)

Important: Overseas Data Storage Disclosure

By using the Platform, you acknowledge and consent to the disclosure of your personal information to recipients located outside Australia, as detailed below.

5.1. Primary Data Storage Location: Your personal information, including User Content, submission forensics, and associated metadata, is stored in cloud infrastructure located in the Singapore Region (ap-southeast-1).

5.2. Reason for Location: Singapore was selected for its:

  • Strong data protection laws under the Personal Data Protection Act 2012 (Singapore);
  • Network proximity to Australian users (low latency);
  • Robust cloud infrastructure availability.

5.3. Other Countries: Personal information may also be disclosed to service providers in the following countries:

  • United States: Payment processing (Stripe), email delivery services, and certain cloud services;
  • European Union: Certain analytics and monitoring services.

5.4. APP 8 Compliance: Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. Where we cannot ensure compliance, we will only make the disclosure with your consent or as otherwise permitted under APP 8.

6. SECURITY OF PERSONAL INFORMATION (APP 11)

6.1. Security Commitment: We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

6.2. Technical Security Measures:

  • Password Hashing: All user passwords are secured using bcrypt cryptographic hashing with appropriate salt rounds. We never store plaintext passwords;
  • Encryption in Transit: All data transmitted between your device and our servers is protected using TLS 1.2 or higher (HTTPS);
  • Encryption at Rest: Sensitive data stored in our databases and file storage is encrypted;
  • Secure Identifiers: We use cryptographically generated String(32) identifiers rather than sequential IDs to prevent enumeration attacks.

6.3. Audit Logging: All access to personal information is recorded in our audit logging system using String(32) identifiers. Audit logs capture:

  • The identity of the accessor;
  • The type of access (view, create, update, delete);
  • Timestamp of access;
  • IP address of the request;
  • The resource accessed.

6.4. Organisational Measures:

  • Access to personal information is restricted to authorised personnel only;
  • Staff receive privacy and security awareness training;
  • Regular security assessments and vulnerability testing are carried out.

6.5. Data Breach Response: In the event of a data breach that is likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988, including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

7. QUALITY OF PERSONAL INFORMATION (APP 10)

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant. We rely on users to provide accurate information and to update their details when necessary.

8. ACCESS AND CORRECTION (APP 12, 13)

8.1. Right of Access: You have the right to request access to the personal information we hold about you. We will provide access within a reasonable period (usually within 30 days) unless:

  • Providing access would pose a serious threat to life, health, or safety;
  • Providing access would unreasonably impact the privacy of others;
  • The request is frivolous or vexatious;
  • Access is otherwise prohibited by law.

8.2. Right of Correction: You have the right to request correction of any personal information that you believe is inaccurate, incomplete, out-of-date, irrelevant, or misleading. We will respond to correction requests within a reasonable period.

8.3. How to Make a Request: To request access to or correction of your personal information, please contact our Privacy Officer at legal@guestgain.ai.

9. DATA RETENTION AND DESTRUCTION

9.1. Retention Period: We retain personal information for as long as reasonably necessary for the purposes for which it was collected, or as required by law. Specific retention periods include:

  • Account information: Duration of account plus 7 years;
  • Transaction records: 7 years (to comply with tax and financial regulations);
  • User Content submissions: Duration of account plus 2 years;
  • Audit logs: 5 years.

9.2. Destruction: When personal information is no longer needed for any purpose for which it may be used or disclosed, and we are not required by law to retain it, we will take reasonable steps to destroy or de-identify the information.

9.3. Deletion Requests: You may request deletion of your personal information by contacting us. We will process such requests subject to our legal obligations and legitimate business interests.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1. Cookies: We use cookies and similar technologies to enhance your experience, analyse Platform usage, and assist with fraud prevention.

10.2. Types of Cookies:

  • Essential Cookies: Required for Platform operation (e.g., authentication);
  • Functional Cookies: Remember your preferences and settings;
  • Analytics Cookies: Help us understand how users interact with the Platform.

10.3. Managing Cookies: You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect Platform functionality.

11. COMPLAINTS

11.1. Internal Complaints: If you believe we have breached the APPs or mishandled your personal information, please contact our Privacy Officer at legal@guestgain.ai. We will investigate your complaint and respond in writing within 30 days.

11.2. External Complaints: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated Policy on the Platform and updating the "Effective Date" above. We encourage you to periodically review this Policy.

Contact Our Privacy Officer

GUESTGAIN PTY LTD

Privacy Officer Email: legal@guestgain.ai

Website: guestgain.ai

For privacy enquiries, access requests, corrections, complaints, or any questions about this Policy, please contact our Privacy Officer at the email address above. We are committed to resolving all enquiries promptly and transparently.