Privacy Policy

1. Introduction

1.1 This Privacy Policy explains how My Guest Work Pty Ltd (ABN 38 698 315 187), trading as MyGuestWork (we, us or our), collects, uses, holds, discloses and protects personal information. We handle personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs), and, where they apply to you, other privacy laws.

1.2 This Privacy Policy applies to our website at myguestwork.com, our app at app.myguestwork.com (together, the Platform), the event pages, QR code pages and guest seat-finder pages created through the Platform, and your communications with us.

1.3 If you do not agree with how we handle personal information as described in this Privacy Policy, you should not use the Platform.

2. Definitions

3. About the Platform

3.1 MyGuestWork is an event guest management platform. It helps Organisers manage guest lists, seating plans, QR code guest lookup pages, event pages, menus, floor plans, logos and related event materials.

3.2 Some features may only be available on certain plans, and some features may be introduced, changed or removed over time.

4. Personal Information We Collect

4.1 The personal information we collect depends on how you interact with the Platform.

4.3 We do not collect or store your full card number, CVC or bank account details. Payments are handled by Stripe (see clause 10).

4.4 Guest information uploaded by Organisers. Organisers may upload or enter personal information about Guests, which may include guest first name; guest last name, where provided; seating, table or assignment information; internal event notes; uploaded photos or videos, where those features are enabled; and an optional uploader display name for photo uploads.

4.5 Our core seat-finder feature is designed to use minimal guest information and does not require guest email addresses, phone numbers, dietary requirements or health information.

4.6 Future features may collect additional guest information. For example, if RSVP, invitation, email or WhatsApp invitation, plus-one or dietary features are enabled in the future, additional information may be collected where those features are used, such as guest email addresses, phone numbers, RSVP status, invite or family group details, dietary requirements, plus-one information and notes from Guests. We will only collect this where the relevant feature is available and used.

4.7 Guests using public event pages. If you are a Guest and you access an event page or seat-finder page using a QR code or link, we may process the page you visit, your search interactions, technical information about your device and browser, and analytics information (only if you accept analytics cookies). If you use a public photo upload feature where available, we may process the uploaded content and an optional uploader display name. These pages may display guest first names, last names (where provided) and seating or table assignments, but never guest email addresses, phone numbers or payment details. See clause 6.

4.8 Website visitors and support requests. When you visit myguestwork.com, we may collect information you submit through the contact form (name, email address, event type and message), analytics information (only if you accept analytics cookies), and general usage information including IP address as part of normal server logs. If you contact support, we may also collect your message, user ID (if logged in), the relevant event, the page URL, and technical details such as your user agent, viewport size, platform, browser language and timezone.

5. How and Why We Use Personal Information

5.1 We generally collect personal information directly from you. Where guest information is uploaded by an Organiser, we collect it from the Organiser rather than the Guest. We may also receive information from the service providers that help us operate the Platform (see clause 11).

5.2 We use personal information to provide and operate the Platform; create and manage accounts; authenticate users and maintain sessions; create, manage and display events and public guest pages; store and display uploaded files; process payments and manage plan access; provide support; send transactional and service-related emails; monitor, secure, maintain and improve the Platform; diagnose errors; understand usage where analytics consent is given; prevent misuse, fraud and security incidents; comply with our legal obligations; and enforce our Terms of Service.

5.3 We do not sell personal information. We will only use or disclose it for a purpose set out in this Privacy Policy, for a related purpose you would reasonably expect, or as otherwise permitted or required by law.

6. Public Guest Pages and QR Codes

6.1 Organisers may create QR codes or shareable links that let Guests access event pages or seat-finder pages without an account.

6.2 Anyone who has the QR code or URL can access these pages. Access is controlled by who holds the link, not by individual guest logins. A public seat-finder page may display a guest's first name, last name (where provided) and seating or table assignment. It does not display guest email addresses, phone numbers or payment details.

6.3 Organisers decide what guest information they upload and are responsible for sharing QR codes or links only with intended Guests. We configure app routes and public guest pages to discourage search-engine indexing (for example, using "noindex" and "nofollow" controls, a robots file and related headers), but we cannot guarantee how every search engine, browser or third party will treat a page, and anyone given the link may be able to open it.

6.4 If you are a Guest with concerns about your information appearing on an event page, please contact the Organiser first, as they control the content. You may also contact us using the details in clause 23.

7. Organiser Responsibility for Guest Data

7.2 For guest information an Organiser uploads, the Organiser decides what is collected and how it is used, and we generally handle that information on the Organiser's behalf by storing and displaying it as directed. To the extent concepts such as controller and processor apply to you under laws such as the GDPR or UK GDPR, the Organiser will usually be the controller and we will usually act as a processor or service provider. This is a general description and not legal advice; your role depends on the facts and the laws that apply to you.

8. Cookies, Local Storage and Analytics

8.1 We use cookies, local storage and similar technologies to operate the Platform.

8.2 Strictly necessary cookies and storage. We use these to authenticate users, keep them logged in, maintain sessions, secure the app and operate core functionality. This includes Supabase authentication and session cookies (using an "sb-*" naming pattern). They are essential, are not used for analytics, and cannot be switched off through our cookie preferences while you use the app. We also use browser local storage for interface preferences and your cookie consent choice (stored as "mgw_cookie_consent").

8.3 Analytics. We load Google Analytics 4 and Microsoft Clarity only after you accept analytics in our cookie banner or Cookie settings. If you decline, those scripts are not loaded. Where accepted, they may collect information such as pages visited, time on pages, device and browser information, approximate location, clicks, scrolling and interactions, referral information and session activity.

8.4 Microsoft Clarity is not used on public guest seat-finder pages; if it is already running and a user navigates to one, we stop it for that page. You can change your analytics preference at any time, and we do not use analytics to sell personal information.

9. Contact Forms, Emails and Marketing

9.1 If you submit a contact form, we collect your name, email address, event type and message, delivered using Brevo, and use it to respond. We may also use Brevo (or another provider) to send service-related emails, support messages, account notifications and event-related transactional emails, and, where permitted, product updates to account users.

9.2 We do not send marketing emails to Guests. If future RSVP or invitation features are enabled and an Organiser uses them, Guests may receive transactional, event-related messages sent at the Organiser's direction.

9.3 You can unsubscribe from marketing emails where required by law. Service-related emails (such as security, billing, account or event-functionality messages) may still be sent because they are necessary to provide the Platform.

10. Billing and Payments

10.1 Payments are processed by Stripe, which may collect card, billing and payment method information directly. We do not collect or store your full card number, CVC or bank account details. Stripe's own privacy policy applies to information it processes.

10.3 We use this information to process payments, manage your plan, subscription and event credits, issue and reconcile invoices, maintain an accurate record of credit and subscription changes, prevent and investigate payment issues or misuse, and comply with our tax, accounting and other legal obligations.

11. Service Providers and International Transfers

11.2 We use Sentry to monitor and diagnose software errors. Error reports may include technical information such as error messages, stack traces, page URL, browser version, operating system and technical context. We configure Sentry to avoid sending cookies, request headers, request bodies and user identity where reasonably practical.

11.3 Our primary application database and file storage are hosted with Supabase in an Australian region. However, these providers operate in Australia and overseas, so your personal information may be processed, stored or accessed in countries outside your country of residence, including the United States and Europe. Where required by applicable law, we take reasonable steps to ensure overseas disclosures are subject to appropriate protections, such as contractual protections or standard contractual clauses.

12. Data Retention

12.1 We retain personal information for as long as reasonably necessary to provide the Platform, maintain event records, provide support, comply with legal obligations, resolve disputes, enforce agreements and maintain security.

12.2 Event data, guest lists, seating assignments and uploaded files may be retained while the relevant account or event remains active, unless deleted earlier by the Organiser or by us. Billing, subscription and transaction records may be retained longer where required for tax, accounting, legal or compliance purposes.

12.3 Where we no longer need personal information and are not required or permitted by law to keep it, we take reasonable steps to delete, destroy or de-identify it.

13. Accessing, Correcting or Deleting Information

13.1 You may be able to access, edit or delete certain information directly through the app, and you may request access to or correction of the personal information we hold about you.

13.2 Organisers are responsible for maintaining the guest information they upload. If you are a Guest and want your information corrected or removed, contact the Organiser first, as they control the relevant data.

13.3 You may also contact us using the details in clause 23. We may need to verify your identity, and we may refer your request to the relevant Organiser where they control the data. We will respond within a reasonable time and, where the Privacy Act applies, within the time it requires. If we decline access or correction, we will explain why where required to do so.

14. Children and Minors

14.1 The Platform is not directed at children, and you must be at least 18 to create an account or purchase a paid plan.

14.2 Children may nonetheless appear in guest lists, photos or videos uploaded by Organisers or Guests. Organisers are responsible for ensuring they have appropriate permission to upload or share information or media involving minors. If you believe information about a child has been uploaded without appropriate permission, please contact the Organiser or contact us using the details in clause 23.

15. Sensitive Information

15.1 We do not ask for sensitive information for the core features of the Platform. Depending on how the Platform is used, sensitive information could nonetheless be included in uploaded files, event names, guest notes, dietary requirements (where future features are enabled), photos, videos or messages.

15.2 Organisers and users should avoid uploading sensitive information unless it is necessary, they have the right to do so, and (where required) they have the individual's consent. Where we become aware that we hold sensitive information, we handle it in accordance with applicable law and this Privacy Policy.

16. Security

16.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification and disclosure. These steps may include HTTPS for data in transit; authentication and session controls; access controls and internal restrictions; database and storage security measures provided by our infrastructure providers; error monitoring; and security reviews and updates.

16.2 No online service can be completely secure. You are responsible for keeping your account secure and for managing access to event links, QR codes and public guest pages.

17. Your Privacy Rights

17.1 Depending on where you live and the laws that apply to you, you may have rights in relation to the personal information we hold about you. This clause gives a general overview. Clauses 18 to 20 set out additional information for users in Australia, the United Kingdom and the European Economic Area, and the United States (including California).

17.3 Not all of these rights apply in every location, and some are subject to conditions and exceptions. To exercise a right, contact us using the details in clause 23. We may need to verify your identity before responding, and some requests may be limited where we need to retain information for legal, security, billing or other legitimate reasons. We will not discriminate against you for exercising a privacy right.

18. Australian Users

18.1 If you are in Australia, we handle your personal information in accordance with the Privacy Act and the APPs.

18.2 You may request access to, or correction of, the personal information we hold about you. If we decline a request, we will explain why where we are required to do so, and tell you how to complain. You may complain to us first using the details in clause 23, and if you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

19. UK and European Users

19.1 If you are in the United Kingdom or the European Economic Area, the UK GDPR or EU GDPR may apply to our handling of your personal information. This clause applies to the extent those laws apply to you.

19.2 Our role. For most personal information we handle about account users, we act as a controller. For guest information that an Organiser uploads, the Organiser is usually the controller and we usually act as a processor (see clause 7).

19.3 Legal bases. Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases: performance of a contract with you (to provide the Platform); our legitimate interests (such as securing, maintaining and improving the Platform), balanced against your rights; your consent (for example, for analytics cookies, which you can withdraw at any time); and compliance with our legal obligations.

19.5 To exercise any of these rights, contact us using the details in clause 23. If you are in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EEA, you may complain to your local data protection authority. Information about international transfers of your personal information is set out in clause 11.

20. United States and California Users

20.1 If you are in the United States, this clause applies in addition to the rest of this Privacy Policy. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the CCPA), may give you the rights described below to the extent it applies to you.

20.3 We do not sell your personal information for money, and we do not knowingly engage in cross-context behavioural (targeted) advertising. We do not exchange personal information for targeted advertising purposes.

20.4 We use analytics tools (Google Analytics 4 and Microsoft Clarity) only after you accept analytics through our cookie banner or Cookie settings. Where you accept analytics, the information those tools receive could, depending on how the law is interpreted, be treated as a "sale" or "share" under the CCPA. You can avoid this by declining analytics cookies, and you can change your choice at any time using Cookie settings. Outside analytics you have consented to, we do not sell or share your personal information.

20.5 We will not discriminate against you for exercising any privacy right. To make a request, contact us using the details in clause 23. We may need to verify your identity, and you may use an authorised agent where the law allows.

21. Complaints

21.1 If you have a privacy complaint, please contact us first using the details in clause 23. We will review it and respond within a reasonable time.

21.2 If you are not satisfied with our response, you may be able to contact your local privacy regulator. Details of the relevant regulators for Australia, the UK and the EEA are set out in clauses 18 and 19.

22. Changes to this Privacy Policy

22.1 We may update this Privacy Policy from time to time. If we make material changes, we may notify users by updating this page, sending an email or displaying a notice in the app. The updated Privacy Policy applies from the date it is published unless stated otherwise.

23. How to Contact Us