Clubvolare is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you are located in the European Union or United Kingdom, additional rights under the General Data Protection Regulation (GDPR) and UK GDPR also apply and are described in section 1.13 below.

1.1 Who we are

Registrum (ABN 29 372 825 751), trading as Clubvolare ("we", "our", "us"), is an Australian business providing a digital travel planning application accessible at clubvolare.com.

Privacy Contact: support@clubvolare.com

Postal Address: P.O Box 99, Craigieburn VIC 3064, Australia

1.2 What personal information we collect

Information you provide directly:

• Full name and email address (on account registration)
• Password (stored in hashed form only — we never store plaintext passwords)
• Home city, home timezone, and nationality (optional profile fields used to personalise the app)
• Trip details: destinations, dates, itinerary items, notes, documents, expenses, journal entries, and research items
• Booking URLs and confirmation references you enter for itinerary items
• Photos and files you upload to the app
• Packing list data you create
• Payment information submitted when purchasing a subscription (collected and processed by Paddle — we do not receive or store your card number, expiry, or CVV)
• Support, feedback, and contact form submissions
• Booking confirmation emails forwarded for itinerary import (Explorer and Pro plans only — see section 1.2b)

Information collected automatically:

• IP address and approximate geographic location (country/city level)
• Browser type, version, and operating system
• Device type (mobile, tablet, desktop)
• Pages visited, features used, and session duration
• Error logs and crash reports
• Service worker and offline sync activity

GPS/precise location data: The Today page may request access to your device GPS to detect your current country and display local emergency numbers and consulate contacts. See section 1.2c.

1.2a Nationality data

You may optionally provide your nationality in your profile. This is used solely to display relevant consulate contact information for your nationality when you travel abroad. Nationality is stored in your profile and is not shared with third parties, used for profiling, or transferred for any other purpose. You may remove or change it at any time in Settings.

1.2b Email import data

Explorer and Pro subscribers may forward booking confirmation emails for automatic itinerary extraction. When you use this feature:

• Raw email content is processed to extract booking details only
• Raw email content is not retained after extraction is complete
• Only the extracted structured data is stored in your account
• You should not forward emails containing sensitive personal information beyond standard booking confirmations
• By using email import, you consent to this processing

1.2c GPS and precise location data

Before accessing your GPS location, Clubvolare displays an in-app consent prompt explaining the purpose. We collect GPS coordinates only when you grant permission and only to identify your current country for emergency numbers and consulate contacts. We do not store your precise GPS coordinates. Coordinates are passed to BigDataCloud (reverse geocoding) to identify your country and city — only the resulting country code and city name are retained in your browser's local storage. You may deny location access at any time through your browser settings.

1.3 How we use your personal information

• Creating and managing your Clubvolare account
• Providing the travel planning features of the app
• Personalising the app based on your nationality, home city, timezone, and language preferences
• Displaying relevant consulate contacts for your nationality when travelling abroad
• Processing subscription payments via Paddle
• Sending transactional emails (verification, password reset, receipts)
• Sending service announcements (material changes, security notices)
• Providing customer support
• Detecting, investigating, and preventing fraud, abuse, or security incidents
• Improving the app through aggregated, de-identified usage analytics
• Complying with our legal obligations

We do not sell, rent, or trade your personal information. We do not use your data for targeted advertising.

1.4 Legal basis for processing

• Contract performance — processing necessary to provide the service
• Legitimate interests — security, fraud prevention, de-identified analytics
• Legal obligation — responding to regulatory or law enforcement requests
• Consent — GPS location access, email import processing, optional marketing emails

1.5 Data processors and third parties

All third-party processors are engaged under data processing agreements. Supabase stores data on AWS servers which may be located outside Australia. By using Clubvolare you consent to your data being transferred and processed in these locations under appropriate safeguards. Supabase maintains SOC 2 Type 2 compliance.

1.6 International data transfers

Clubvolare is an Australian business. When your data is transferred outside Australia, we ensure appropriate safeguards are in place as required under APP 8 of the Privacy Act 1988 (Cth). For EU/EEA users, transfers to the USA are covered by Supabase's Standard Contractual Clauses (SCCs) under Article 46 GDPR. For UK users, Supabase's International Data Transfer Agreement (IDTA) applies.

1.7 Data retention

• Account data: retained while your account is active and for 90 days after deletion request
• Trip data: deleted within 30 days of your account deletion request
• Payment records: retained for 7 years as required by Australian tax law
• Support correspondence: retained for 2 years
• Email import raw content: deleted immediately after extraction
• GPS coordinates: not retained beyond the duration of the geocoding API call
• Server logs: 90 days

1.8 Security

• All data transmitted is encrypted using TLS 1.2 or higher
• Passwords are hashed using bcrypt — we never store plaintext passwords
• Row Level Security (RLS) policies ensure users can only access their own data
• Private documents are served via time-limited signed URLs — not publicly accessible
• Content Security Policy (CSP) headers restrict which external resources may load
• Access to production systems is restricted to authorised personnel only

In the event of an eligible data breach, we will notify affected users and the OAIC as required under the Notifiable Data Breaches scheme within 30 days of becoming aware.

1.8a Bot protection (Cloudflare Turnstile)

We use Cloudflare Turnstile on our sign-in and sign-up forms to protect against automated abuse (credential stuffing, fake account creation, spam). Turnstile runs in invisible mode — there is no checkbox or visual challenge. To determine whether a request is human, Cloudflare silently collects and analyses your IP address, browser and device characteristics, and behavioural signals from your session. The resulting token is then verified server-side against Cloudflare's API before the authentication request proceeds.

This processing is carried out by Cloudflare, Inc. as an independent processor under the Cloudflare Turnstile Privacy Addendum, which forms part of this Privacy Policy. Our legal basis is legitimate interest (Art. 6(1)(f) GDPR) in protecting the service and our users from automated attacks. Turnstile data is not used for advertising, profiling, or cross-site tracking.

1.9 Your rights under the Australian Privacy Principles

• Access — request a copy of the personal information we hold about you
• Correction — request correction of inaccurate or incomplete information
• Deletion — request deletion via Settings → Delete Account or by emailing us
• Withdraw consent — withdraw consent for GPS access or email import at any time
• Complaint — lodge a complaint with the OAIC

We respond to requests within 30 days at no charge.

1.10 Children's privacy

Clubvolare is not directed at children under 16. We do not knowingly collect personal information from children under 16. Parents or guardians who believe their child has provided us with personal information should contact us at support@clubvolare.com.

1.11 Cookies and local storage

See our Cookie Policy for full details.

1.12 Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

1.13 Additional rights for EU, EEA, and UK users (GDPR / UK GDPR)

If you are located in the EU, EEA, or UK, you have additional rights including:

• Right of access (Article 15) — obtain a copy of your personal data
• Right to rectification (Article 16) — have inaccurate data corrected
• Right to erasure (Article 17) — request deletion where there is no legitimate reason to continue processing
• Right to restrict processing (Article 18) — limit how we use your data
• Right to data portability (Article 20) — receive your data in a machine-readable format
• Right to object (Article 21) — object to processing based on legitimate interests

To exercise these rights contact support@clubvolare.com. You may also lodge a complaint with your local supervisory authority — in the UK this is the ICO at ico.org.uk.

Our lawful bases under GDPR: contract performance (6(1)(b)), legitimate interests (6(1)(f)), legal obligation (6(1)(c)), and consent (6(1)(a)) for GPS, email import, and optional marketing.

1.14 California users (CCPA)

If you are a California resident, you have rights under the CCPA including the right to know what personal information we collect, the right to delete it, and the right to opt out of sale. Clubvolare does not sell personal information. Contact support@clubvolare.com to exercise your rights.

1.15 Contact for privacy queries

Email: support@clubvolare.com

Post: Privacy Officer, Registrum, P.O Box 99, Craigieburn VIC 3064, Australia

You may also lodge a complaint with the OAIC at www.oaic.gov.au or by calling 1300 363 992.