Document Version: 1.1
Date Prepared: 01 February 2026
Next Review Date: 01 February 2027
Your privacy is important to us. This policy outlines how On Time Bookings collects, uses, and protects your personal information when you use our booking management platform.
👉 For organisations: You’re responsible for informing your end-customers about how their booking data is collected and used. We recommend referencing this Privacy Policy in your own privacy notice.
Effective Date: 01 February 2026
Last Updated: 29 May 2026
In most cases, we provide our services to organisations (such as driving schools, mobile pet groomers, fitness providers etc.), and personal information of their end-customers is collected by those organisations using our platform. We act as a service provider and processor on behalf of these organisations. The organisations are responsible for ensuring they have appropriate consents and privacy notices in place for their end-customers. This policy explains how we handle all personal information in this context.
In most cases, we provide our services to organisations (such as driving schools, mobile pet groomers, fitness providers etc.), and personal information of their end-customers is collected by those organisations using our platform. We act as a service provider and processor on behalf of these organisations. The organisations are responsible for ensuring they have appropriate consents and privacy notices in place for their end-customers. This policy explains how we handle all personal information in this context.
Business Name: Ontime Bookings
Email: support@ontimebookings.com.au
ABN: 30 246 362 400
Organisation Users: Small-to-medium business owners, managers, and staff who manage bookings and/or provide services through our platform
End-Customers: Customers being served by Organisation Users.
We collect personal information in the following ways:
We collect personal information in the following ways:
We use information to:
We use information to:
We may use anonymised and aggregated booking data (data stripped of personally identifiable information) to train artificial intelligence models that improve our platform’s features, including predictive analytics and natural language booking capabilities. Anonymised data cannot be used to identify you or end-customers and is permanently de-identified before use.
Examples of anonymised data we may use include aggregate booking patterns, service duration distributions, cancellation rates by service type, and geographic booking trends.
We do not use Google Workspace API data (including Google Calendar data), end-customer free-text notes, or financial data for AI or machine learning training — in any form, including anonymised.
Under the Privacy Act 1988, we collect and use personal information only where permitted by law, including where it is reasonably necessary for our business activities, required by law, or where you have consented. This includes:
We use the following sub-processors to deliver our services. These organisations process personal information on our behalf:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and data storage | All personal data | ap-southeast-2 (Sydney) |
| Stripe | Payment processing | Name, email, billing address, payment token | Global (tokenised) |
| Google (Workspace APIs) | Optional Calendar sync (user-initiated) | Calendar events for opted-in providers; OAuth tokens encrypted at rest | Google-managed infrastructure |
| Stripe | Payment processing | Name, email, billing address, payment token | Global (tokenised) |
| Google (Analytics) | Platform usage analytics | Anonymised usage and device data | Global |
| Resend | Email delivery | Email address, contact details | Global |
| Mailgun | Transactional email | Email address, booking details | Global |
All sub-processors are bound by data processing agreements requiring them to implement appropriate security measures and use data only for the specified purposes.
We do not sell, rent, or lease your personal information to third parties. However, we may disclose information:
Your data is primarily hosted in AWS Sydney (ap-southeast-2), an Australian data centre. However, some sub-processors (Stripe, Google, Resend, Mailgun) may process data globally. These providers comply with the Privacy Act 1988 and implement Standard Contractual Clauses or similar safeguards for international transfers.
Providers can optionally connect their Google Calendar through Google’s OAuth consent flow.
OAuth refresh tokens are encrypted at rest (AES-256-GCM). Calendar data is processed only by automated systems for the purposes above. We do not use Google user data for advertising, allow staff to read it (except with your consent for support), transfer it beyond our hosting infrastructure, or use it for AI or machine learning training. Ontime Bookings’ use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect from your profile settings (which revokes the token and removes Ontime-pushed events from your calendar) or at myaccount.google.com/permissions.
We retain booking and end-customer data for 7 years after:
This retention period complies with Australian tax and financial record-keeping obligations under the Income Tax Assessment Act 1997.
Organisation user account data is retained for the duration of the subscription, plus 7 years post-closure for:
Data is automatically deleted or de-identified after the retention period expires. You may request earlier deletion (see Section 8: Your Rights).
Encrypted refresh tokens are retained while the integration is active and revoked on disconnect. Connection and disconnection audit logs are kept for 7 years and contain no calendar event content.
We implement industry-standard security controls to protect your personal information:
We are committed to working towards ISO 27001 certification as part of our long-term information security roadmap. We are building information security management systems aligned with this standard and continuously improving our practices. Current security measures already include encryption, access controls, authentication systems, monitoring, and regular security assessments.
Under the Privacy Act 1988, you have the following rights:
You can request access to personal information we hold about you. We will provide this within 30 days in a format that is clear and portable (if requested).
You can request correction of inaccurate or incomplete personal information. If we disagree with your correction request, we will note your request in our records.
You can request deletion of your personal information, subject to:
You can also revoke Google Calendar access immediately from My Profile > Calendar Sync > Disconnect or at myaccount.google.com/permissions
We will delete non-essential data within 30 days of your request.
If we process your information based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of prior processing.
You can request a copy of your personal information in a structured, commonly used format (e.g., CSV) for transfer to another service provider.
To exercise any of these rights, contact us at support@ontimebookings.com.au with:
We will respond within 30 days. If we cannot comply, we will explain the reasons.
If a personal data breach occurs that is likely to result in serious harm to you, we will:
We will also notify the Office of the Australian Information Commissioner (OAIC) if required under the Privacy Act 1988.
If you believe we have breached your privacy rights, you can lodge a complaint by:
Include:
We will acknowledge your complaint within 5 business days and provide a response within 30 days. If your complaint is complex, we will keep you informed of our progress.
If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
The OAIC is the independent regulator for privacy in Australia and can investigate your complaint at no cost.
We use cookies to:
You can control cookies via your browser settings. Disabling essential cookies may impair platform functionality.
Our Service may be used by individuals under 18 years of age, particularly in contexts such as driving schools where learner drivers are often minors. In these cases:
If you provide information on behalf of a minor, you confirm that:
We may update this policy to reflect:
We will notify you of material changes by:
Your continued use of our services after changes constitutes acceptance of the updated policy.
We may send you promotional and marketing communications about our services, updates, and features, but only where you have consented or where permitted by law.
You can opt-out of promotional communications at any time by:
We will stop sending promotional content within 5 business days of receiving your opt-out request. Note: We will continue to send service-related communications (account alerts, billing notices, security updates) regardless of your promotional preferences.
We do not sell or provide your personal information to third parties for their marketing purposes.
If you are an organisation user, you are responsible for ensuring that end-customers are informed of:
In your privacy notices to end-customers, we recommend you inform them that:
We are not responsible for your organisation’s privacy notices or your compliance with privacy laws in informing end-customers. Organisations are responsible for their own privacy obligations under the Privacy Act 1988.
For privacy-related questions, requests, or complaints, please contact:
Ontime Bookings
This Privacy Policy is governed by the laws of New South Wales and the Privacy Act 1988 (Cth). Any disputes will be resolved in the courts of New South Wales.
Document Version: 1.1
Date Prepared: 01 February 2026
Next Review Date: 01 February 2027