Privacy Policy
Last updated: 7 February 2026
This Privacy Policy explains how SURP ("we", "us") collects, uses, and shares information when you use the SURP app and website.
SURP operates in Australia and New Zealand. We aim to handle personal information in line with applicable privacy laws, including the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and the New Zealand Privacy Act 2020.
Key ideas
- We collect what we need to run the marketplace, process payments, improve safety, and support disputes.
- Some information is shared with service providers (notably Google Firebase and Stripe) so the app can work.
- Listings show approximate locations (e.g. suburb-level) to help protect privacy; exact pickup details are shared after a booking is confirmed/paid.
Information we collect
- Account information (e.g. name, email, authentication identifiers) when you create an account or sign in via email, Google, or Apple.
- Profile information you provide (e.g. display name, suburb/city/state, profile photo, phone number, and other optional fields you add).
- SERR Tax Data (Australian hosts only): When you set up payouts as a host, we collect information required under the Sharing Economy Reporting Regime (SERR):
  - For Business Accounts: Australian Business Number (ABN) and Trading Name;
  - For Individual Accounts: Legal name, Date of Birth, and Residential Address (street, city, state, postcode).
- Identity Verification Data: If you complete identity verification (via Stripe Identity), this may include:
  - Government-issued photo ID images (passport, driver's license, national ID card);
  - Selfie and liveness detection for identity matching; and
  - Verification status and timestamps.
- Payment & Banking Information: Via Stripe:
  - Payment card details (tokenized – we do not store full card numbers);
  - Bank account details for host payouts (stored securely by Stripe);
  - Payment transaction history, refunds, and payout records;
  - Security Bond authorization holds and capture events; and
  - Stripe Customer IDs, Payment Method IDs, and Connected Account IDs.
- Listings and marketplace activity (e.g. listing titles/descriptions, item photos, category, pricing, availability, market value estimates, item condition, and listing status/moderation history).
- Bookings (e.g. booking dates, rental periods, status, payment amounts, credits applied, Security Bond hold amounts and status, pickup/return confirmation timestamps, handover media, QR code scans).
- Messages between users (and related metadata like timestamps, read status, attachments you send, and auto-moderation flags).
- Support, disputes, and reports (e.g. support requests, dispute narratives, evidence such as photos/videos, AI-generated summaries, dispute outcomes, and reports about users or listings).
- Handover Media (Photos & Videos): Photos and videos you upload during rental pickup and return for condition verification and dispute evidence. This includes:
  - Image and video files;
  - Technical metadata (file hashes, upload timestamps, file size, content type);
  - EXIF data where available (camera model, capture time, GPS coordinates if enabled); and
  - Device information (platform, app version).
- Location information:
  - Approximate listing location (e.g. suburb-level, rounded GPS coordinates) shown to other users;
  - Exact pickup addresses (shared only after booking confirmed/paid);
  - Device location (if you enable it) to show nearby listings, calculate distance, or open directions via Google Maps; and
  - Location analytics (rounded coordinates logged with search queries for zero-result tracking and service improvement).
- Notifications (e.g. in-app notification records stored in your account and Firebase Cloud Messaging (FCM) push notification tokens if you enable push notifications on your device).
- Usage and device information (e.g. app interactions, screen views, search terms, listing clicks, booking creation events, diagnostics, crash reports, app performance metrics, device model, operating system version, and app version) to operate and improve the service and detect abuse.
- Competition & Referral Data:
  - Competition entries, prize preferences, and winner selection data;
  - Referral codes generated and used;
  - Referral share methods (WhatsApp, SMS, copy link) and timestamps;
  - Referral conversion tracking (signup and first booking); and
  - Credit balances and transaction history.
- Biometric Authentication Settings (Optional): If you enable biometric login (Face ID, Touch ID, fingerprint), we store:
  - A flag indicating biometric authentication is enabled for your account; and
  - Encrypted account credentials (email and encrypted password hash) in device secure storage.
Payments and identity verification
SURP uses Stripe to process payments (including Security Bond authorisation holds), refunds, and host payouts (via Stripe Connect). Where enabled, SURP may also use Stripe Identity for identity verification.
SURP does not store full payment card numbers. Payment details are handled by Stripe and may be processed under Stripe's own policies. Hosts who wish to receive payouts must complete Stripe onboarding, which may require additional information such as identity details, date of birth, and bank account details.
If a listing includes a security deposit, SURP may place a security deposit hold (authorization) on your payment method, and in some cases a portion may be captured later in line with the dispute/damage process.
If identity verification is required for certain features, Stripe Identity may collect government ID images and a selfie/liveness check. SURP generally receives verification status and related metadata rather than your full ID documents.
How we use information
- To provide core features (accounts, listings, bookings, messaging, support, and competitions).
- To process payments, Security Bond authorisation holds, refunds, host payouts (via Stripe Connect), and identity verification where applicable (via Stripe Identity).
- To collect and report SERR tax data to the Australian Tax Office (ATO) for hosts who earn income through SURP, as required by Australian law.
- To coordinate handovers and returns, including sharing pickup/return details after a booking is confirmed/paid, and collecting handover photos/videos for evidence.
- To improve safety and prevent fraud, abuse, circumvention, and policy violations (including AI-powered content moderation, detecting suspicious activity, investigating reports, and reviewing handover media).
- To resolve disputes and respond to chargebacks/payment disputes, which may involve reviewing booking records, messages, handover photos/videos, and other evidence.
- To maintain, debug, and improve the app (including search analytics, usage analytics, crash diagnostics, zero-result search tracking, and feature adoption metrics).
- To send notifications about bookings, messages, disputes, competitions, and other time-sensitive updates via push notifications and in-app alerts.
- To administer referral programs, competition entries, badge awards, and promotional credit systems.
- To provide location-based features including nearby listing discovery, distance calculation, and mapping/directions via Google Maps.
Safety, moderation, and message review
SURP may use a combination of automated checks, AI-powered moderation (via Google Gemini), and human review to detect fraud, prohibited conduct, and safety risks. This can include:
- Reviewing reports from users and investigating flagged bookings and listings;
- Scanning listing descriptions and titles for scams, prohibited items, or misleading information;
- Analyzing chat messages for circumvention attempts, harassment, or policy violations;
- Comparing handover photos using AI to detect damage or discrepancies;
- Identifying patterns of suspicious account activity or payment fraud; and
- Reviewing admin-flagged content or dispute evidence.
We do not guarantee that automated or manual moderation will detect all prohibited conduct. Users remain responsible for their own safety and due diligence.
Search analytics and logs
To improve discovery, reduce "zero-result" searches, and detect abuse, we log search analytics and product events including:
- Search terms you enter (limited to 120 characters);
- Filters applied (category, price range, location radius);
- Number of results returned for each search;
- Which listings you click after searching;
- Your approximate location (rounded GPS coordinates) when performing location-based searches;
- Session identifiers to track search-to-booking conversion; and
- Whether searches resulted in zero results (to identify inventory gaps).
These logs may be associated with your account or device. Search analytics are retained for up to 26 months and may be aggregated and anonymized for long-term trend analysis.
How we share information
We may share information with service providers that help us run SURP (for example hosting, databases, analytics, payments, and AI services). For example:
- Google Firebase (authentication, Cloud Firestore database, Cloud Storage for photos/videos, Cloud Functions for backend logic, Firebase Analytics, Firebase Cloud Messaging for push notifications, and Firebase Hosting for web app).
- Stripe (payment processing, Security Bond authorizations, refunds, Stripe Connect for host payouts, and Stripe Identity for ID verification where enabled).
- Google Generative AI (Gemini) (AI-powered listing moderation, chat message moderation, dispute photo analysis, and damage assessment).
- Google Maps Platform (maps display, geocoding addresses, distance calculation, and directions to pickup locations).
We may also share information if required by law, to enforce our terms, or to protect the rights, safety, and security of users and the platform.
Tax authority reporting (AU/NZ): Where required by law (including the Sharing Economy Reporting Regime - SERR), we disclose seller identity and transaction information to government agencies and tax authorities. For Australian hosts, this includes bi-annual reports to the Australian Tax Office (ATO) containing:
- Legal name, date of birth, and residential address (individuals) OR ABN and trading name (businesses);
- Gross rental income earned per quarter;
- Platform fees and GST components;
- Number of completed rental transactions;
- Bank account identifiers (BSB and last 4 digits only – retrieved from Stripe); and
- Contact details (email and phone number).
Dispute & Chargeback Defense: If a dispute or payment chargeback occurs, we may share booking information, handover photos/videos, chat messages, timestamps, and dispute outcomes with Stripe, banks, payment networks, and (if legally required) law enforcement or courts. This is necessary to defend legitimate transactions and enforce platform policies.
What other users can see
- Profile: Your display name, profile photo (if provided), suburb/city/state (if provided), verification badges (e.g., SURP 25, Brisbane Pioneer), and public activity statistics.
- Listings: Other users can see your listing content, photos, pricing, item condition, and your approximate listing location (e.g. suburb-level with rounded GPS coordinates).
- Bookings: Once a booking is confirmed/paid, the other party may see handover details needed to complete the booking (for example pickup/return address, scheduled handover times, QR codes for confirmation, and agreed terms).
- Messages: Messages you send to another user are visible to that user and may be retained by SURP as part of platform records and dispute evidence.
- Reviews: Reviews you write about other users or items may be publicly visible on the Platform (if review features are enabled).
- Competition Entries: Your participation in competitions may be visible to admins and, in some cases, displayed on public leaderboards or winner announcements (name and likeness only).
Data retention
We retain information for as long as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type:
- SERR Tax Data: Minimum 5 years after the relevant financial year (Australian Tax Office requirement for SERR compliance).
- Handover Media: Photos and videos captured during rental pickup and return are stored permanently for dispute evidence, fraud prevention, and legal compliance. Metadata (hashes, timestamps) is also retained permanently.
- Transaction Records: Booking data, payment records, Stripe IDs, platform fees, and refund history are retained indefinitely for accounting, audit trails, and financial reconciliation.
- Dispute Records: Dispute claims, evidence, AI analysis, and outcomes are retained for 7 years or until any related legal proceedings are resolved.
- Chat Messages: Retained until account deletion, or longer if associated with an active dispute or investigation.
- Search Analytics: Individual search logs retained for 26 months; aggregated/anonymized analytics may be retained longer for trend analysis.
- Account Information: Retained while your account is active and for a reasonable period after deletion, subject to legal obligations described above.
- Admin Audit Logs: Actions performed by platform administrators are logged and retained for 7 years for accountability and compliance.
If you request account deletion, we will take reasonable steps to delete or anonymize personal information that is no longer needed for legal compliance. However, information subject to SERR reporting, accounting requirements, or ongoing disputes will be retained as described above. Retained data will be isolated from active systems and marked as belonging to a deleted account.
Your choices
- Location: You can deny or revoke location permissions in your device settings; some location features (nearby search, maps, directions) may not work without location access.
- Push notifications: You can disable notifications in your device settings; you may still need to check the app for time-sensitive messages about bookings and disputes.
- Marketing communications: You can opt out of promotional push notifications by disabling them in your device settings. Service communications (booking confirmations, payment notifications, dispute alerts) cannot be disabled as they are essential to platform operation.
- Camera & photo access: You can deny camera and photo library access in device settings, but this will prevent you from uploading listing photos or completing required handover photo verification.
- Biometric authentication: You can enable or disable biometric login (Face ID, Touch ID) at any time in your account settings. Biometric data never leaves your device.
- Competition auto-entry: If you do not wish to be auto-entered into competitions you qualify for, contact support to opt out. Manual entry competitions always require explicit consent.
- Analytics: You cannot opt out of Firebase Analytics while using the app, as it is essential for detecting abuse and improving service quality. Analytics data is pseudonymous and not used for individual account decisions.
Data breaches
We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) and equivalent New Zealand obligations. If we become aware of an eligible data breach that is likely to result in serious harm to you, we will:
- Notify you as soon as practicable (typically within 72 hours of becoming aware);
- Notify the Office of the Australian Information Commissioner (OAIC) and/or the New Zealand Office of the Privacy Commissioner as required; and
- Take reasonable steps to remediate the breach and prevent future incidents.
Access, correction, and complaints (AU/NZ)
You can request access to, or correction of, personal information we hold about you. If you believe we have mishandled your personal information, you can also make a complaint.
To exercise your rights, contact us at: support@surp.com.au
We will respond within a reasonable time (typically within 30 days) and in accordance with applicable law. If you are not satisfied with our response, you may escalate your complaint to:
- Australia: Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au
- New Zealand: Office of the Privacy Commissioner – www.privacy.org.nz
Limitations on Deletion: While you have the right to request deletion of your personal information, we may retain certain data where legally required, including:
- SERR tax data (5+ years for ATO compliance);
- Transaction records for accounting and audit purposes;
- Handover media and dispute evidence;
- Data subject to legal holds or law enforcement requests; and
- Anonymized analytics data that cannot be linked back to you.
Biometric authentication
If you enable biometric authentication (Face ID, Touch ID, or fingerprint) on the mobile app, biometric data is processed locally on your device and is not transmitted to or stored by SURP. We only store a flag indicating whether biometric login is enabled for your account. Biometric authentication is optional and can be disabled at any time in your account settings.
Security
We use reasonable administrative, technical, and physical safeguards designed to protect information. However, no method of transmission or storage is 100% secure.
Age restrictions
SURP is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately at support@surp.com.au.
International transfers
Our service providers (such as Google/Firebase, Stripe, and Google Maps/Gemini AI) may store or process data in Australia, New Zealand, the United States, and the European Union.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles (APP 8). Our service providers maintain industry-standard security practices and, where applicable, comply with frameworks such as:
- EU-US Data Privacy Framework (for US-based processors);
- Standard Contractual Clauses (SCCs) for EU data transfers; and
- ISO 27001 and SOC 2 compliance (Firebase, Stripe).
By using SURP, you consent to these cross-border disclosures for the purposes described in this Privacy Policy. You may have rights to access and correct your information held by these service providers through us by contacting support@surp.com.au.
SERR Data Localization: SERR tax data collected for ATO reporting is stored primarily in Australian Firebase regions where available, but may be replicated to US/EU regions for backup and disaster recovery purposes.
Contact us
Questions about privacy or data practices? Contact support@surp.com.au.
SURP Pty Ltd (ABN: 45 694 480 236)
Brisbane, Queensland, Australia
For privacy complaints or data access requests, please include:
- Your full name and account email;
- A description of your request or concern;
- Any relevant dates, booking IDs, or reference numbers; and
- Your preferred contact method for our response.
We aim to respond to privacy requests within 30 days.