Third Wave BBQ ("we", "us", "TWB") operates the TWB Perks program. This policy explains how we collect, use, store and disclose your personal information in line with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).
If you have questions, want to access or correct the data we hold about you, or want us to delete your data, contact us at [email protected]. We respond within 30 days.
1. What information we collect (APP 3, APP 5)
When you claim a voucher we collect:
- Your first name
- Your email address
- Your Australian mobile number
- Your nearest Third Wave BBQ venue
- Optional: birthday month/year, dining group size
- Technical metadata (IP address, browser, request timestamps)
We collect this information directly from you via our claim form. We do not purchase or rent personal information from third parties.
In addition, our systems automatically generate the following records as a side effect of operating the program:
- Audit log of admin actions — when an authorised TWB admin (or a system process such as a webhook) acts on your data, we record a tamper-evident row including the action, the requestor's IP address and the user-agent string. Retained for 12 months, then anonymised.
- IP address and user-agent in the audit log — retained for 12 months solely for security and forensic incident response. We do not retain these fields against general claim records beyond the request itself.
- Customer-level aggregate metrics — lifetime stats (total claims, total redemptions, total voucher value) used for cohort and retention reporting. Aggregates are removed when you ask us to delete your data.
- MailerLite custom fields — when you opt into marketing email, we copy your first name and nearest venue to MailerLite as subscriber custom fields so the newsletter can be personalised.
- Cloudflare Turnstile interaction signals — the anti-bot challenge processes browser-derived signals (mouse movement, network signals) plus your IP address. These do not leave the Turnstile boundary except as a pass/fail token returned to us.
- Sentry error context — if a server-side error occurs while processing your request, we capture the stack trace, the request URL and the request headers for debugging. PII fields are scrubbed before transmission to Sentry.
- Idempotency key — a SHA-256 hash of your email address, stored against your claim and used solely to prevent duplicate claims when our claim form is accidentally submitted twice. Because the hash is derived deterministically from your address it is a pseudonym for you, not anonymised data, and it is handled with the rest of your claim record.
- Consent provenance — the timestamp and source (claim form, admin override, unsubscribe link, SMS STOP reply) of each consent state change.
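The scrubbing step mentioned for Sentry error context above is illustrated by the following added example. It is not Third Wave BBQ's code; the event shape mirrors a Sentry event object (request.url, request.headers, request.data, extra, exception), while the field names, the regular expressions and the sample event are assumptions constructed for this illustration.

```javascript
// Added example (not Third Wave BBQ's code): scrubbing PII from an error event
// before it leaves the server. The event shape mirrors the Sentry event object;
// field names, regexes and the sample event are assumptions for this example.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Australian mobile in local (04xx xxx xxx) or international (+614xx xxx xxx) form.
const AU_MOBILE_RE = /(?:\+?61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}/g;
// Headers that carry credentials. User-Agent is deliberately kept, since the
// policy says it may be captured as error context.
const CREDENTIAL_HEADERS = new Set(['cookie', 'set-cookie', 'authorization']);
// Body and query keys whose whole value is PII regardless of content.
const PII_KEYS = new Set(['firstName', 'email', 'mobile', 'phone', 'birthday']);

function redactString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(AU_MOBILE_RE, '[mobile]');
}

// Recursive scrub: whole-value redaction for known PII keys, pattern-based elsewhere.
function scrubValue(value, key = '') {
  if (PII_KEYS.has(key)) return '[redacted]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubValue(v, k)]));
  }
  return value;
}

// Query parameters are rebuilt unencoded so the placeholder stays readable.
function redactUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return redactString(url); }
  const query = [...parsed.searchParams]
    .map(([k, v]) => `${k}=${PII_KEYS.has(k) ? '[redacted]' : redactString(v)}`)
    .join('&');
  return `${parsed.origin}${redactString(parsed.pathname)}${query ? `?${query}` : ''}`;
}

// beforeSend-shaped hook: returns a scrubbed copy, leaves the input untouched
// and keeps the stack trace intact for debugging.
function scrubEvent(event) {
  const out = JSON.parse(JSON.stringify(event));
  if (out.request) {
    if (out.request.url) out.request.url = redactUrl(out.request.url);
    if (out.request.headers) {
      out.request.headers = Object.fromEntries(
        Object.entries(out.request.headers).map(([k, v]) =>
          [k, CREDENTIAL_HEADERS.has(k.toLowerCase()) ? '[redacted]' : redactString(String(v))])
      );
    }
    if (out.request.data !== undefined) out.request.data = scrubValue(out.request.data);
  }
  if (out.extra !== undefined) out.extra = scrubValue(out.extra);
  if (typeof out.message === 'string') out.message = redactString(out.message);
  return out;
}

// Constructed sample event, not a real capture.
const SAMPLE_EVENT = {
  message: 'claim failed for alice@example.com',
  exception: { values: [{ type: 'TypeError', value: "Cannot read properties of undefined (reading 'venueId')",
    stacktrace: { frames: [{ filename: 'app/api/claim/route.ts', lineno: 42 }] } }] },
  request: {
    url: 'https://perks.example.com/api/claim?email=alice%40example.com&venue=Fremantle',
    headers: { cookie: 'next-auth.session-token=abc123', 'user-agent': 'Mozilla/5.0' },
    data: { firstName: 'Alice', email: 'alice@example.com', mobile: '0412 345 678', venue: 'Fremantle' }
  },
  extra: { note: 'Customer alice@example.com called from 0412345678 about voucher' }
};
```

Run scrubEvent(SAMPLE_EVENT) to see the session cookie, the body fields and the free-text note redacted while the venue, the user-agent and the stack frame survive. Pattern-based redaction is a safety net for fields nobody listed; the key-based list is what guarantees known PII fields never leave, so both are applied.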
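The idempotency-key entry above describes a SHA-256 hash of the email address. The following added example (not Third Wave BBQ's code) shows how such a key deduplicates a repeated form submission and why an unkeyed hash of an address is a pseudonym rather than anonymisation. The normalisation rule and the HMAC variant at the end are assumptions introduced for the illustration, not a description of what TWB does.

```javascript
// Added example (not Third Wave BBQ's code): deriving an idempotency key from an
// email address and why such a key is a pseudonym rather than anonymised data.
const { createHash, createHmac } = require('node:crypto');

// Assumption: addresses are trimmed, lower-cased and Unicode-normalised before
// hashing, so "Alice@Example.com " and "alice@example.com" collide on purpose.
function normaliseEmail(email) {
  return email.trim().toLowerCase().normalize('NFKC');
}

// Unkeyed SHA-256 of the normalised address, as the policy describes.
function idempotencyKey(email) {
  return createHash('sha256').update(normaliseEmail(email), 'utf8').digest('hex');
}

// A Map stands in for the claims table, keyed by idempotency key. A repeat
// submission returns the voucher already issued instead of minting a second one.
function claimOrReplay(store, email, voucherCode) {
  const key = idempotencyKey(email);
  if (store.has(key)) {
    return { duplicate: true, key, voucher: store.get(key) };
  }
  store.set(key, voucherCode);
  return { duplicate: false, key, voucher: voucherCode };
}

// Caveat: anyone holding a list of candidate addresses (a leaked mailing list,
// a guessed corporate naming pattern) can recompute the hash and match it, so
// the key identifies the claimant to such a party.
function reverseByDictionary(key, candidates) {
  for (const candidate of candidates) {
    if (idempotencyKey(candidate) === key) return normaliseEmail(candidate);
  }
  return null;
}

// Hardened variant (an assumption, not what the policy states TWB does): an
// HMAC with a server-side secret. Without the secret the key cannot be
// recomputed from the address alone, so a dictionary match fails.
function keyedIdempotencyKey(email, serverSecret) {
  return createHmac('sha256', serverSecret).update(normaliseEmail(email), 'utf8').digest('hex');
}
```

Either form deduplicates equally well; the difference is what the stored key reveals to someone who obtains a copy of the claims table. With the keyed variant the secret must be retained for as long as the keys are compared, so rotating it means re-deriving stored keys.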
2. Why we collect it (APP 3, APP 6)
- To issue and deliver the voucher you claimed
- To send you marketing communications about new TWB perks — only if you explicitly opt in at claim time
- To prevent abuse (rate limiting, fraud detection)
- To comply with tax and record-keeping obligations
We will not use your data for any new purpose without first telling you and obtaining consent (APP 6).
3. Marketing consent (Spam Act 2003)
When you claim, we ask — with two separate unticked checkboxes — whether you want marketing email and/or marketing SMS. The voucher email itself is transactional and ships regardless. Marketing-only messages are sent only if you opted in. You can withdraw consent at any time by:
- Clicking unsubscribe in any marketing email
- Replying STOP to any marketing SMS
- Emailing [email protected]
Withdrawals are actioned within 5 working days (Spam Act 2003 §18 obligation).
4. Who we share it with (APP 6, APP 8)
We use a small number of contracted service providers to operate the Perks program. Each is bound by a written agreement requiring them to handle your data only for the purposes we've set, and in line with the APPs (APP 8.1). Some are located outside Australia. The current named processors are:
- DigitalOcean (Sydney, Australia) — hosting, managed database and object-storage backups. All personal information held in our own systems lives here at rest on encrypted block storage; the processors below hold only the subsets described against each.
- Cloudflare Turnstile (United States / global edge) — anti-bot challenge on the claim form. Processes browser-derived interaction signals and the visitor's IP address.
- MailerSend (United States) — delivers the transactional voucher email (sent regardless of marketing consent because you claimed a voucher).
- MailerLite (EU / United States) — manages the marketing-email subscriber list and sends opt-in newsletters. Only contacted when you tick the marketing-email checkbox.
- ClickSend (Australia, with carrier-level global routing) — delivers transactional and marketing-opt-in SMS, and receives inbound STOP-reply messages.
- Sentry (United States) — server-side error monitoring. PII fields are scrubbed before transmission; IP address and user-agent may be captured as error context only.
- Anthropic (Claude) (United States) — AI assistance for internal editorial drafting (quarterly partner guides). No personal information about claimants is sent; only partner-side public copy.
- GitHub (United States) — source-code hosting and CI build pipeline. No production customer data is ever pushed here; only application source code.
Full per-processor detail (purpose, location, data shared, cross-border transfer terms) is published at /privacy/processors. By claiming a voucher you consent to your data being transferred to and processed in those jurisdictions for the purposes above.
5. How long we keep it (APP 11)
We keep personal information only as long as we reasonably need it for the purposes above, then de-identify or delete it (APP 11.2). Our retention defaults are:
- Claim PII (first name, email, mobile): up to 24 months from the claim date, then de-identified
- Voucher code records: until expiry + 90 days
- Audit log: 12 months from each entry, then anonymised
- Transactional records (for ATO record-keeping): up to 7 years. Only the transaction columns are kept; PII columns are removed first.
You can ask us to delete your data sooner (see Section 7).
6. Security (APP 11.1)
We take reasonable steps to protect your data, including:
- TLS in transit between you, our servers, and processors
- Encrypted-at-rest database storage
- Role-based access controls on internal admin tooling
- Tamper-evident audit logging of admin actions
- Rate limiting and bot challenges on public endpoints
If we suspect an eligible data breach we will assess it within 30 days and, where the breach is confirmed, notify the OAIC and affected individuals as soon as practicable, as required by the Notifiable Data Breaches scheme (Privacy Act Part IIIC).
7. Your rights (APP 12, APP 13)
You can ask us to:
- Access the personal information we hold about you (APP 12)
- Correct anything that is inaccurate or out of date (APP 13)
- Delete your personal information (right to be forgotten)
- Withdraw marketing consent (see Section 3)
- Lodge a complaint with us, and (if unresolved) with the OAIC
Send requests to [email protected]. We respond within 30 days.
For unresolved complaints you can contact the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.
8. Cookies and tracking
We use a small set of cookies and similar technologies, strictly for:
- Authenticating admin sessions (NextAuth)
- Anti-bot challenges on the claim form (Cloudflare Turnstile)
- Server-side error monitoring (Sentry)
We do not use third-party advertising cookies, cross-site tracking pixels or behavioural-ad networks on this site.
9. Children
Vouchers are strictly for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, contact [email protected] and we will delete it.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent material change. If we change anything that materially affects how we use your data we will notify you via email (if you are an active subscriber).
11. Contact
Third Wave BBQ
Privacy enquiries: [email protected]