Gatchy™ Privacy Policy

GoodCompany Technologies Pty Ltd

Effective Date: 4th April, 2026 · Version 1.0

1. Introduction

Gatchy™ (“we”, “us”, or “our”) is a product of GoodCompany Technologies Pty Ltd (ABN 97616237293), an Australian company. Gatchy is the world-first augmented reality charitable giving platform that enables users to trigger real donations to charities of their choice by engaging with participating retail stores — at zero cost to the user.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Gatchy app, App Clip, website, or any related services (collectively, the “Platform”). It applies to all users of the Platform, including app users, retailer administrators, and store managers.

We are committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Who We Are

GoodCompany Technologies Pty Ltd operates the Gatchy Platform as a commercial technology company. Charitable donations facilitated through the Platform are managed by GoodCompany Foundation (a separate charitable entity), in accordance with its own legal obligations.

For privacy enquiries, contact us at:

Privacy Officer

GoodCompany Technologies Pty Ltd

Email: privacy@goodcompany.org.au

Website: www.gatchy.com.au

3. What Information We Collect

3.1 Information You Provide

  • Name and email address (for account registration)

  • PIN (stored as a one-way hash — we never store your PIN in plain text)

  • Date of birth and gender (optional, for demographic insights — see Section 6)

  • Charity preferences (which charities you choose to support)

3.2 Information We Collect Automatically

  • Catch activity: records of each Gatch you perform, including time, store location, and charity selected

  • Location: your GPS coordinates are captured at the moment of a Gatch to verify you are physically present in-store. Location is not stored or tracked continuously

  • Device identifiers: a device fingerprint is used solely for anti-fraud purposes and is never shared outside the Platform

  • App Clip / Play Instant usage: if you use a device-native mini-app version of Gatchy, your session data is captured and linked to your full account if you later register

3.3 Information From Third Parties

  • Sign in with Apple or Google: if you choose to sign in using Apple or Google, we receive a verified identity token from that provider. We do not receive your Apple or Google password

  • Invite attribution: if you were invited by another user via a share link, we record the invite code (not the inviter’s phone number or personal details)

4. How We Use Your Information

We use your personal information to:

  • Create and manage your Gatchy account

  • Verify your in-store presence at the time of a Gatch

  • Process and record charitable donations on your behalf

  • Display your catch history, leaderboard rank, and rewards

  • Detect and prevent fraud or abuse of the Platform

  • Send you transactional notifications (e.g. catch confirmations, reward updates)

  • Provide you with customer support

  • Improve the Platform through anonymised analytics

  • Comply with our legal obligations

We do not use your personal information for targeted advertising. We do not sell your data to third parties.

5. Contacts Access (Invite Feature)

Gatchy’s “Invite Friends” feature allows you to invite contacts from your phone to join the Platform. Important privacy protections apply:

  • Your phone contacts are accessed on-device only and are never transmitted to any Gatchy server

  • Contact data is loaded temporarily for the purpose of displaying invite options and is discarded when you close the invite screen

  • Only the unique invite code (containing no personal information) is recorded on our servers when an invite is sent

  • The invite link uses a short code — not the recipient’s phone number

On iOS, we request access to your contacts under the permission: “Gatchy uses your contacts to let you invite friends to the app.” You may decline this permission at any time in your device settings without affecting your ability to use other features of the Platform.

6. Optional Demographic Data

During onboarding, you may optionally provide your date of birth (age group) and gender. This information is used to provide retailers with anonymised, aggregated audience insights.

Key protections:

  • Demographic data is entirely optional — you can use Gatchy without providing it

  • Individual demographic data is never shared with retailers or any third party

  • Data is only included in retailer reports as anonymised cohort statistics (e.g. “35–44 age group”)

  • A minimum threshold of 20 catches with demographic data is required before any cohort data appears in retailer reporting — this prevents re-identification of individuals

  • You may opt out of demographic reporting at any time via Profile → Settings → Data Preferences

Retailers are informed of this data through your onboarding screen: “Your data is never shared individually with retailers. Only anonymised group trends are used.”

7. Information Shared With Retailers

Participating retailers (e.g. Craveable Brands, JB Hi-Fi) can access a reporting dashboard for their stores. The following applies strictly:

  • Individual user data — including your name, email address, and catch history — is never shared with retailers

  • GPS coordinates recorded at the time of a Gatch are used for audit purposes only and are never included in retailer analytics

  • Retailers see only aggregated, anonymised data: total catches, total donation value, and (where the threshold is met) cohort demographic trends

  • Retailers cannot identify, contact, or profile individual Gatchy users using any data provided through the Platform

8. Information Shared With Charities

Charities receive donation records from Gatch activity as aggregate totals. Charities do not receive any individual user data (names, emails, or catch history) unless the user has provided explicit opt-in consent through the Platform.

9. App Clip and Google Play Instant

If you use Gatchy via an iOS App Clip or Android Play Instant (device-native mini-app experience):

  • A temporary account is created using a magic link (one-time email token, valid for 15 minutes)

  • If you later download the full Gatchy app and sign in with the same Apple or Google account, all your catch history, rewards, and leaderboard data transfer automatically

  • Your App Clip or Play Instant acquisition is recorded for platform analytics but is not shared with retailers

10. Data Security

We take the security of your personal information seriously. Our technical measures include:

  • All data in transit is encrypted via HTTPS — unencrypted HTTP connections are rejected

  • All API requests require a valid, short-lived JWT (JSON Web Token) — there is no server-side session state

  • PINs are hashed using bcrypt and are never stored in plain text

  • Input validation is applied across all endpoints to prevent injection attacks

  • AWS Web Application Firewall (WAF) rate limiting is applied at the network edge

  • Access to user data is role-scoped: store managers can only see their own store’s data; franchise HQ admins see only their own group’s data

While we take all reasonable steps to protect your information, no system can guarantee absolute security. If you become aware of any security concern, please contact us immediately at privacy@goodcompany.org.au.

11. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you

  • Request correction of inaccurate or incomplete information

  • Request deletion of your account and all associated data at any time via Profile → Settings → Delete Account

  • Opt out of optional demographic data collection at any time

  • Withdraw consent for contacts access at any time via your device settings

  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have not handled your information appropriately

To exercise any of these rights, contact us at privacy@goodcompany.org.au. We will respond within 30 days.

12. Data Retention

We retain your personal information for as long as your account is active or as required to provide our services and comply with legal obligations. When you delete your account:

  • Your personal profile data (name, email, preferences) is deleted within 30 days

  • Anonymised catch records may be retained for aggregate reporting and platform integrity purposes

  • Donation records are retained as required for financial and charitable compliance purposes

13. Cookies and Web Tracking

The Gatchy website (www.gatchy.com.au) uses cookies to improve your browsing experience and to understand how visitors use the site. You can manage your cookie preferences via the cookie banner displayed on your first visit.

The Gatchy app does not use browser cookies. Device identifiers used within the app are limited to anti-fraud functions as described in Section 3.2.

14. Children and Minors

Gatchy is available to users of all ages. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us at privacy@goodcompany.org.au and we will take steps to delete that information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Platform. When we make material changes, we will notify you via the app or by email prior to the change taking effect. The effective date at the top of this document will always reflect the most current version.

Continued use of the Platform after any changes take effect constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact:

Privacy Officer

GoodCompany Technologies Pty Ltd

Email: privacy@goodcompany.org.au

Website: www.gatchy.com.au

You may also contact the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au

Phone: 1300 363 992
