Privacy Policy v1.0
Doughboy Platform · operated by Cameron James Moir · ABN 52 721 553 987 · Effective 13 May 2026
Plain-English summary. We collect the minimum personal data needed to run Doughboy for your team - your name, email, role, and the records you enter while using the platform. Payment data goes directly to Stripe and we never see your card details. Your data is stored with Supabase (Tokyo region) and served via Vercel. We don't sell, share, or use your data for anything other than running the service for you. You can ask for your data, correct it, or have it deleted at any time. If we ever have a data breach that could seriously harm you, we'll tell you and notify the OAIC.
1. Who we are
The data controller for Doughboy is Cameron James Moir, ABN 52 721 553 987, of Queensland, Australia. Cameron operates as a sole trader (not an incorporated company). "Streamables" is the informal brand name used for the business. Cameron is the only person who has administrative access to user data.
Contact for any privacy question: general@streamables.live
2. Our legal basis
Cameron James Moir operates as a small-business sole trader. Under the Privacy Act 1988 (Cth), small businesses with annual turnover under $3 million are not strictly bound by the Australian Privacy Principles (APPs). However, we choose to comply with the APPs voluntarily because:
- our customers expect us to;
- our partners (Supabase, Stripe, Vercel) operate to international standards;
- handling personal data responsibly is the right thing to do.
This policy describes how we apply the APPs to our handling of your personal information.
3. What we collect
Account data (from you and your admin)
- full name (set by you, or set by your team admin when they invite you);
- email address;
- role (Owner, Exec Chef, Head Chef, Dough Production, Pizza Chef, Kitchen Staff, Driver);
- assigned venue / organisation;
- password (stored only as a one-way hash via Supabase Auth - never as plaintext, never visible to us).
Acceptance records (when you agree to Terms of Use)
- the date and time you accepted;
- your IP address;
- your browser user-agent string;
- the version of the Terms you accepted;
- the full legal name you typed.
Operational data (from your use of the platform)
- batch logs, EOD reports, recipe customisations, training acknowledgements;
- notifications you send/receive within Doughboy;
- activity timestamps (when you logged in, what records you edited).
Billing data (handled by Stripe)
- your Stripe customer ID (we store this to link your subscription to your organisation);
- subscription plan and status;
- credit card / bank details: never seen, stored, or transmitted by Doughboy. Stripe handles all of this directly. We only see "succeeded" / "failed" / "past_due" status flags via webhook.
What we deliberately don't collect
- government ID numbers (TFN, passport, driver licence);
- health or medical information;
- biometric data;
- location/GPS data;
- analytics tracking (no Google Analytics, Hotjar, Mixpanel, etc.);
- marketing cookies of any kind.
4. Why we collect it
We use your personal information for the following purposes only:
- to provide you with access to the Doughboy platform;
- to authenticate you and protect your account;
- to allow your team to manage roles, venues, and assignments;
- to deliver service emails (invites, password resets, billing receipts, breach notifications if ever required);
- to charge you correctly and reconcile payments;
- to comply with our legal obligations (tax records, dispute resolution, lawful requests);
- to investigate and respond to security incidents or terms violations.
We do not use your data to: train AI models, profile you for advertising, sell to third parties, or share with anyone other than the service providers listed in clause 6.
5. Where it's stored
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database (Postgres), authentication, file storage | Tokyo (ap-northeast-1) |
| Vercel | Web hosting, serverless functions, edge delivery | Global edge, function execution in Sydney (syd1) or Tokyo region |
| Stripe | Payment processing, subscription billing | United States (with EU/AU data residency where Stripe allows) |
| Namecheap PrivateEmail | Transactional email delivery (invites, password resets) | United States |
This means some of your personal information (specifically your email address used for billing receipts and your account email for password resets) is transferred outside Australia. By using Doughboy, you consent to this transfer. All providers use TLS 1.2+ encryption in transit and encrypt data at rest.
6. Who else sees your data
The only parties with access to your personal information are:
- You - your own data through the Doughboy interface;
- Your team and admins - within your organisation, based on your role (e.g. an Owner can see all team members' names, emails, and roles);
- Cameron / Streamables - for support, billing, and operations;
- Our service providers listed in clause 5 - strictly for the purpose of running the service;
- Law enforcement or regulators - if we receive a lawful and binding request (we'll push back on overreach and tell you unless legally prohibited).
We do not sell, rent, trade, or transfer personal information to third parties for marketing or any commercial purpose.
7. Cookies and tracking
Doughboy uses only the minimum necessary cookies:
- Authentication cookies set by Supabase to keep you logged in. These are essential and you can't disable them while using the platform.
- Session storage in your browser for UI preferences (e.g. which tab you had open). This stays on your device.
We do not use Google Analytics, Facebook Pixel, marketing cookies, advertising trackers, or third-party analytics of any kind.
8. Your rights
Under the Australian Privacy Principles, you can:
- Access the personal information we hold about you. Email us and we'll provide a copy within 30 days at no cost.
- Correct any inaccurate information. Most fields are editable directly in the platform; if you can't edit something yourself, email us.
- Export your operational data (batch logs, EOD reports, etc.) at any time through the Admin tab.
- Delete your account and associated data. Email us to request deletion. We'll process within 30 days subject to any legal retention obligations (e.g. tax records under the ATO 5-year rule).
- Complain if you think we've mishandled your data. Start with us (general@streamables.live); if not resolved within 30 days, you can escalate to the Office of the Australian Information Commissioner (oaic.gov.au).
9. Data retention
We retain your data as follows:
- Active accounts: for as long as your subscription is active.
- After cancellation: we retain your data for 90 days to allow re-activation, then permanently delete it (except as noted below).
- Billing and tax records: 5 years from the end of the financial year, per ATO requirements.
- Acceptance records (Terms of Use): retained indefinitely as evidence of the agreement between us.
- Backups: automatic Supabase backups are retained per Supabase's standard schedule (currently 7 days for daily backups). Deletion requests are applied to the live database immediately; backup data is overwritten on the standard schedule.
10. Security
We protect your data using:
- TLS 1.2+ encryption in transit across all connections;
- encryption at rest on Supabase, Stripe, and Vercel infrastructure;
- Row Level Security (RLS) policies in Supabase, so users from one organisation cannot see data from another organisation;
- passwords stored only as one-way bcrypt hashes (Supabase Auth standard);
- service-role secrets stored only in Vercel environment variables, never in client-side code;
- no payment data ever transits or touches our infrastructure - it flows directly between you and Stripe.
11. Children
Doughboy is a workplace tool for adult employees. It is not designed for or marketed to anyone under 18. If you become aware that someone under 18 has been given an account, contact us and we'll delete it.
12. Data breaches
If we suffer a data breach that is likely to result in serious harm to you, we will:
- notify you as soon as practicable;
- notify the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme;
- tell you what happened, what data was affected, and what steps you should take.
"Serious harm" includes identity theft, financial loss, reputational damage, or threats to physical safety. Minor or contained incidents will be handled internally and disclosed only if relevant to you.
13. Changes to this policy
We may update this policy over time. The version number and effective date at the top of the page tell you which version applies. For any material changes (e.g. adding a new service provider, expanding what we collect, or changing how we share data), we'll email active subscribers at least 30 days before the change takes effect.
14. International data transfers
As noted in clause 5, some of your data is processed outside Australia. We rely on the following safeguards:
- Supabase uses AWS Tokyo with ISO 27001, SOC 2 Type II, and HIPAA-eligible infrastructure.
- Stripe is PCI-DSS Level 1 certified and complies with EU GDPR Standard Contractual Clauses where relevant.
- Vercel serves through global edge nodes but executes our serverless functions in regions we select (currently Sydney / Tokyo for latency).
Where personal data is transferred overseas, we take reasonable steps to ensure the overseas recipient handles it in line with the Australian Privacy Principles.
15. Contact
All privacy requests, questions, or concerns:
- Email: general@streamables.live
- Postal: Cameron James Moir, Queensland, Australia (full postal address provided on request)
You can also escalate unresolved concerns to the OAIC: