Privacy Policy
Last updated: 29 June 2026
This Privacy Policy explains how we collect, use, disclose and protect your personal information when you use Totler. We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Totler is designed around data minimisation — and especially around collecting as little as possible about children.
1. Who we are
Totler is operated by Totler Pty Ltd (ACN 699 604 656, ABN 23 699 604 656), an Australian company. In this policy, “Totler”, “we”, “us” and “our” mean Totler Pty Ltd.
Totler is an Australian progressive web app (PWA) that helps parents and carers discover local children’s activities — classes, events, playgroups and playgrounds — lets businesses list their activities, and lets parents create private, invite-only meetups.
2. What personal information we collect
We deliberately collect as little personal information as possible, and we are especially careful with anything relating to children. “Personal information” has the meaning given to it in the Privacy Act 1988 (Cth).
Adult account holders (parents, carers and business operators)
Our account holders are adults. When you create and use an account, we may collect:
- your email address;
- a username you choose;
- a password — this is created and managed by our authentication provider and stored only as a secure cryptographic hash. We never see or store your plain-text password;
- a display name;
- your home suburb and postcode — this is an approximate location only. We do not collect or store your full street address;
- your interests and the languages you speak; and
- an avatar choice (a selected illustrated avatar — it need not be a photo of you).
We also collect limited technical information needed to run the service securely (for example, log and session data) — see “Cookies and essential storage” below.
Children’s information — birth year only
Children are not users of Totler and never hold accounts. We intentionally minimise children’s data. For a child associated with your account, we store only a birth year (an age band). We do not collect a child’s name, full date of birth, photographs, contact details, or any other identifying information. The birth-year value exists solely so we can show age-appropriate activities without identifying any child.
Activity, RSVP and meetup information
When you RSVP to an activity or create a private meetup, we record information such as the activity, your attendance status and a guest count (a number of attendees). RSVPs and bookings carry guest counts only — never the identities of any children. Community and messaging features are not yet active; if we introduce them, we will update this policy first.
Business listing information
If you operate a business and list activities, we collect the business name, its ABN or ACN, business address, contact details, and your acknowledgement of Working with Children Check (WWCC) obligations.
3. How and why we use your information
We use personal information to:
- create and manage your account and keep it secure;
- show you relevant, age-appropriate local activities (using the child birth year / age band);
- let you RSVP to activities and create private, invite-only meetups;
- let businesses publish and manage activity listings;
- send transactional and service messages (for example, account, booking and security emails);
- process payments for paid bookings or business features;
- respond to your enquiries and provide support; and
- maintain the safety and integrity of the service, prevent misuse, and meet our legal obligations.
We do not sell your personal information, and we do not use children’s information for advertising or profiling.
4. The precise-address reveal rule
To protect families, the precise address of an activity is hidden by default. Listings show an approximate location until you RSVP “going” to that activity — the exact address is revealed to you only at that point.
Businesses and Totler administrators see attendee age bands and Working with Children Check status — never the identities of any children.
5. Disclosure to our service providers
We do not sell personal information. We share it only with trusted service providers (“processors”) who help us run Totler, and only to the extent they need it to provide their service to us. These include:
- Supabase — our database, user authentication and file storage;
- Fly.io — application hosting;
- Resend — sending transactional and service emails; and
- Stripe — payment processing. Your card details are collected and handled directly by Stripe and are not stored by Totler.
We may also disclose personal information where required or authorised by law, or where necessary to protect the safety of a person or the public.
6. Cross-border disclosure (APP 8)
Some of the service providers listed above store or process data on servers located outside Australia (for example, in the United States). This means your personal information may be disclosed to, and stored or processed in, overseas locations.
We take reasonable steps to ensure these providers handle personal information consistently with the APPs. However, we will be honest with you: their handling may also be subject to the laws of the countries in which they operate, and we cannot guarantee that an overseas recipient will be subject to a law substantially similar to the APPs.
7. Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These steps include encryption of data in transit, hashed password storage handled by our authentication provider, access controls, and our deliberate data-minimisation approach — the less we hold, the less is ever at risk.
No online system can be guaranteed to be completely secure. Minimising what we collect — especially about children — is central to how we protect families.
8. Data retention and account deletion
We keep personal information only for as long as we need it to provide the service, or to meet legal, accounting or tax obligations.
Account deletion. You can delete your account at any time from Settings. When you delete your account, we remove or de-identify the personal information associated with it — including your profile details, interests and the child birth-year (age band) values.
What we may retain. We may need to keep certain records for a limited period where the law requires it — for example, transaction and payment records we are legally obliged to retain (held by us and/or by Stripe) for financial and tax compliance. Any information we retain is kept only for as long as legally required, and is protected by the same safeguards. Routine backups are cycled and purged on a regular schedule.
9. Your rights — access, correction and deletion
Under the Australian Privacy Principles, you have the right to:
- access the personal information we hold about you;
- ask us to correct it if it is inaccurate, out of date, incomplete or misleading; and
- delete your account and the personal information associated with it (subject to the limited legal retention described above).
You can manage and update much of your information — and delete your account — directly in the app’s Settings. For any other request, contact us using the details below. We will respond within a reasonable time. Where the APPs allow us to charge for giving access, we will tell you of any cost first. If we refuse access or correction, we will explain why in writing and let you know how you can complain.
10. Complaints
If you have a concern about how we have handled your personal information, please contact us first (see “How to contact us” below). We will acknowledge your complaint and aim to resolve it promptly.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
11. Children’s privacy
Protecting children is at the core of Totler’s design.
- Children are not users of Totler and cannot hold accounts. Accounts are for adults (parents, carers and business operators).
- We deliberately minimise children’s data. The only child-related information we store is a birth year (age band). We do not collect a child’s name, date of birth, photograph, or contact details.
- The precise address of an activity is hidden until an adult RSVPs “going” (see section 4).
- Businesses and administrators see age bands and Working with Children Check status — never child identities.
If you believe we have somehow collected more information about a child than is described here, please contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time — for example, if we add new features (such as community or messaging). When we make material changes, we will update the “Last updated” date and, where appropriate, notify you in the app or by email. The current version will always be available on this page.
14. How to contact us
For privacy questions, requests or complaints, contact us:
Totler Pty Ltd
ACN 699 604 656 · ABN 23 699 604 656
Email: hello@totler.com.au
Postal address available on request.
© 2026 Totler Pty Ltd. We may update this Privacy Policy from time to time; the “Last updated” date above reflects the current version.