Data Privacy Standards
Compliance framework for the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This document also addresses relevant Victorian and international obligations.
Legal disclaimer: This document is an operational guide, not legal advice. Consult a qualified privacy lawyer for formal compliance assessments, especially before handling sensitive information or launching new services.
Applicable Law
| Instrument | Jurisdiction | Applicability |
|---|---|---|
| Privacy Act 1988 (Cth) | Commonwealth | Applies to businesses with annual turnover > $3M, or any business that trades in personal information, or handles health/sensitive information. Apply as best practice regardless of threshold. |
| Australian Privacy Principles (APPs) | Commonwealth | 13 principles governing collection, use, disclosure, and storage of personal information. See below. |
| Spam Act 2003 (Cth) | Commonwealth | Governs commercial electronic messages. Consent required; unsubscribe mechanism mandatory. |
| Australian Consumer Law (Sch 2, CCA 2010) | Commonwealth | Prohibits misleading/deceptive conduct. Applies to all consumer-facing representations. |
| Privacy and Data Protection Act 2014 (Vic) | Victoria | Applies to Victorian public sector organisations. Does not apply to private businesses. |
| GDPR | EU | Applies if any EU/EEA residents’ data is collected. Triggers consent, right-to-erasure, DPA obligations. |
What Is Personal Information
Under the Privacy Act, personal information is any information or opinion about an identified individual or an individual who is reasonably identifiable. This includes:
- Name, email address, phone number
- IP address (in context)
- Username linked to a real identity
- Location data
- Payment information
- Device identifiers
- Any combination of data points that together identify a person
Australian Privacy Principles Summary
| APP | Title | Key Obligation |
|---|---|---|
| APP 1 | Open and transparent management | Maintain a privacy policy; make it accessible |
| APP 2 | Anonymity and pseudonymity | Allow users to interact anonymously where practicable |
| APP 3 | Collection of solicited personal information | Collect only what is necessary for the function |
| APP 4 | Dealing with unsolicited personal information | Destroy or de-identify unsolicited data that couldn’t have been collected under APP 3 |
| APP 5 | Notification of collection | Notify individuals at or before collection: who you are, why you’re collecting, who you’ll disclose to |
| APP 6 | Use or disclosure of personal information | Use/disclose only for the primary purpose collected, or with consent |
| APP 7 | Direct marketing | Individuals may opt out; no use of sensitive information for marketing without consent |
| APP 8 | Cross-border disclosure | Take reasonable steps to ensure overseas recipients comply with APPs |
| APP 9 | Adoption, use, or disclosure of government-related identifiers | Don’t adopt TFN, Medicare numbers etc. as own identifiers |
| APP 10 | Quality of personal information | Take reasonable steps to ensure information is accurate and up to date |
| APP 11 | Security of personal information | Protect from misuse, loss, unauthorised access; destroy when no longer needed |
| APP 12 | Access to personal information | Individuals may request access to their personal information |
| APP 13 | Correction of personal information | Correct inaccurate information on request |
Data Collection Principles
- Minimisation — collect the minimum personal information necessary. Do not collect “just in case.”
- Purpose limitation — define the purpose before collecting. Do not repurpose data without consent.
- Transparency — inform users what is collected, why, and who it is shared with, at point of collection.
- Consent — obtain explicit consent for marketing communications and any secondary use.
Data Classification in Systems
| Data Type | Classification | Storage | Retention |
|---|---|---|---|
| Email addresses | Personal | Supabase (encrypted at rest) | Duration of account + 30 days |
| Display names / usernames | Personal | Supabase | Duration of account + 30 days |
| Betting/pick history | Personal | Supabase | Duration of account + 30 days |
| IP addresses (logs) | Personal (contextual) | Server logs only | 14 days |
| Payment information | Sensitive | Never stored locally; payment processor only | N/A |
| Session tokens | Confidential | Client-side (Supabase session) | Session duration |
| Aggregated/anonymised stats | Non-personal | Supabase | Indefinite |
Data Retention and Deletion
- Personal information is retained only as long as required for its stated purpose
- On account deletion: personal information deleted within 30 days; aggregated non-identifiable data may be retained
- Right-to-erasure requests (GDPR) fulfilled within 30 days of verified request
- Backup copies purged on the next backup rotation after the deletion window
Notifiable Data Breaches (NDB Scheme)
If a data breach is likely to result in serious harm to any individual:
- Assess within 30 days of becoming aware of a potential eligible breach
- Notify the Office of the Australian Information Commissioner (OAIC) via the NDB notification form
- Notify affected individuals as soon as practicable
- Notification must include: identity of organisation, description of breach, type of information involved, recommended steps for individuals
OAIC notification: www.oaic.gov.au
Privacy Policy Requirements
A publicly accessible privacy policy must cover:
- What personal information is collected
- How it is collected (directly, via cookies, from third parties)
- Why it is collected and how it is used
- Who it may be disclosed to (including overseas recipients)
- How individuals can access and correct their information
- How individuals can make a privacy complaint
- Contact details for the Privacy Officer
- Date of last update
Spam Act Compliance
For any commercial electronic message (email, SMS, in-app notification with commercial content):
- Consent — must have express or inferred consent from recipient
- Identify — message must clearly identify Level147 as the sender
- Unsubscribe — every message must include a functional unsubscribe mechanism, honoured within 5 business days
- No harvesting — do not use address-harvesting software or purchased lists
Third-Party Data Processors
Under APP 8, ensure overseas recipients provide privacy protections comparable to the APPs.
| Processor | Data shared | Location | Adequacy basis |
|---|---|---|---|
| Supabase (AWS ap-southeast-1) | User accounts, picks, bets | Sydney, AU | Australian region; Supabase DPA |
| Cloudflare | IP addresses, request metadata | Distributed | Standard Contractual Clauses / DPA |
| n8n (self-hosted) | Fight data, intel content | Own infra | Self-managed |
Individual Rights Requests
Respond to all individual rights requests within 30 days:
| Request type | Response |
|---|---|
| Access request | Export of all personal data held |
| Correction request | Update inaccurate data |
| Deletion request | Delete personal data; confirm in writing |
| Opt-out of marketing | Remove from all marketing lists |
Log all requests and responses in a private request register.
Privacy Contact
Privacy complaints and requests are directed to:
Privacy Officer — Level147
Email: privacy@level147.net
Response time: 30 days