Back to EventCub

Privacy Policy

Last updated: 2026-04-09

This Privacy Policy should be reviewed by a qualified legal professional before publication. It is designed to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

1. Introduction

EventCub is operated by Digital Event Publishing Pty Ltd (ABN 31 677 769 970, ACN 677 769 970), an Australian Private Company registered in New South Wales (“we”, “us”, or “our”). We are committed to protecting the privacy of our users, including parents, guardians, children, and activity providers. This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

By using the EventCub platform (the “Platform”), you consent to the collection and use of your personal information as described in this policy. If you do not agree with this policy, please do not use the Platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Password (stored in encrypted form; we never store plain-text passwords)

If you sign in using a third-party provider (Google or Apple), we receive your name and email address from that provider. We do not receive or store your third-party password.

2.2 Profile Information

When you complete your profile or make a booking, we may collect:

  • Phone number
  • Date of birth
  • Residential address (street address, suburb, state, postcode)

2.3 Children’s Information

When you create a child profile for the purpose of making bookings, we collect the following information about your child:

  • First name and last name
  • Date of birth
  • Gender
  • Customer Reference Number (CRN) — optional
  • Home language — optional

We also collect the following health and medical information about your child:

  • Immunisation status
  • Whether the child has been diagnosed as at risk of anaphylaxis
  • Whether the child has allergies
  • Whether the child has asthma
  • Whether the child has diabetes
  • Whether the child has a disability (e.g. ASD, ADHD)
  • Whether the child has dietary restrictions

This health information is classified as sensitive information under the Privacy Act 1988. We only collect it with your express consent (provided when you create a child profile and agree to these terms) and only for the purposes described in Section 3 below.

2.4 Booking Information

When you make a booking, we collect and generate:

  • The event and children selected
  • A unique booking reference code
  • Booking notes (if provided)
  • Booking status and timestamps (created, confirmed, cancelled, expired)

2.5 Provider Information

If you register as an activity provider, we collect:

  • Business name and description
  • Business contact email and phone number
  • Website URL
  • Business logo
  • Payment instructions
  • Cancellation policy

2.6 Automatically Collected Information

When you use the Platform, we automatically collect certain technical information, including:

  • IP address
  • Browser type and user agent
  • Pages visited and interactions with the Platform
  • Device information
  • Referring URL

2.7 Consent Records

When you accept our Terms & Conditions and this Privacy Policy, we record your consent along with a timestamp, IP address, and browser user agent for audit and compliance purposes.

3. How We Use Your Information

We use the personal information we collect to:

  • Provide and operate the Platform — creating and managing your account, processing bookings, and displaying event listings.
  • Facilitate bookings — sharing your name, contact details, and your child’s information (including health data) with the relevant Provider so they can manage the booking and ensure your child’s safety during the event.
  • Communicate with you — sending account verification emails, password reset emails, booking confirmations, booking status updates, and booking expiry notifications.
  • Verify age eligibility — calculating your child’s age at the date of an event to ensure they meet the stated age requirements.
  • Improve the Platform — analysing usage patterns and trends to improve functionality, performance, and user experience.
  • Ensure safety and security — detecting and preventing fraud, abuse, and unauthorised access to the Platform.
  • Comply with legal obligations — meeting our obligations under applicable Australian law, including the Privacy Act 1988.

We will not use your personal information for purposes other than those described above without your consent, unless required or authorised by law.

4. Disclosure to Third Parties

We may share your personal information with the following parties:

4.1 Activity Providers

When you make a booking, we share your name, contact details, and your child’s profile information (including health and medical data) with the relevant Provider. This is necessary for the Provider to manage the booking and ensure the safety and wellbeing of your child. Providers are bound by the Provider Terms which require them to handle this information in accordance with the Australian Privacy Principles.

4.2 Service Providers

We use the following third-party service providers to operate the Platform:

  • Brevo (formerly Sendinblue) — for sending transactional emails (account verification, booking notifications, password resets). Brevo processes your email address and name.
  • Microsoft Azure — for cloud hosting and image storage (provider logos and event photos). Azure stores uploaded images in Australia or the nearest available region.
  • PostHog — for product analytics. PostHog collects anonymised usage data to help us understand how the Platform is used and improve the user experience.
  • Google and Apple — if you choose to sign in via Google or Apple, your authentication is handled by these providers under their respective privacy policies.

4.3 Legal Requirements

We may disclose your personal information if required to do so by law, by a court order, or by a regulatory authority, or if we reasonably believe that disclosure is necessary to protect the rights, property, or safety of Digital Event Publishing Pty Ltd, our users, or the public.

4.4 No Sale of Data

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

5. Overseas Disclosure

Some of our third-party service providers may store or process data outside of Australia (for example, Brevo is headquartered in France, and PostHog may process data in the United States or European Union). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles your information in accordance with the Australian Privacy Principles, as required by APP 8.

6. Cookies & Analytics

The Platform uses cookies and similar technologies to maintain your session, remember your preferences, and collect analytics data. Cookies used include:

  • Session cookies — to keep you signed in and maintain your authentication state. These are essential for the Platform to function.
  • Analytics cookies — used by PostHog to collect anonymised usage data, including pages visited, features used, and general interaction patterns.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform, such as signing in or making bookings.

7. Data Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

  • Passwords are hashed using bcrypt with a cost factor of 12 and are never stored in plain text.
  • All data is transmitted over HTTPS (TLS encryption) between your browser and our servers.
  • Database access is restricted to authorised application services only.
  • Uploaded images are stored in secure cloud storage with access controls.
  • Authentication tokens expire after defined periods (24 hours for email verification, 1 hour for password resets).

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme.

8. Access & Correction

Under APPs 12 and 13, you have the right to access and correct the personal information we hold about you. You can:

  • View and update your profile information (name, phone, address, date of birth) at any time through the Account > Profile section of the Platform.
  • View, update, or delete your children’s profiles through the Account > Children section. Note that child profiles with active bookings (Pending or Confirmed) cannot be deleted until those bookings are cancelled or completed.
  • Request access to or correction of any other personal information we hold about you by contacting us at [email protected].

We will respond to access and correction requests within 30 days. We may refuse a request in limited circumstances permitted by law, and will provide written reasons if we do so.

9. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Platform’s services. Specifically:

  • Account data is retained for the life of your account. If you request account deletion, we will delete your personal information within 30 days, except where we are required by law to retain it.
  • Booking records are retained for a reasonable period after the event date for record-keeping and dispute resolution purposes.
  • Consent records are retained indefinitely as evidence of your consent for legal compliance.
  • Email verification and password reset tokens are automatically deleted after they expire (24 hours and 1 hour respectively).

10. Children’s Privacy

EventCub is a platform designed for parents and guardians to find and book activities for their children. We do not knowingly collect personal information directly from children. All child profile information is provided by a parent or legal guardian, who must consent to the collection on the child’s behalf.

We treat children’s health and medical information with the highest level of care. This sensitive information is only shared with the Provider for a specific booking and solely for the purpose of ensuring the child’s safety during the activity.

If you believe a child’s information has been collected without appropriate parental consent, please contact us immediately at [email protected] and we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make changes, we will update the “Last updated” date at the top of this page. If we make material changes to how we handle personal information, we will notify you by email or by posting a prominent notice on the Platform. Your continued use of the Platform after any changes take effect constitutes your acceptance of the revised policy.

12. Complaints

If you believe your privacy has been breached or you are dissatisfied with how we have handled your personal information, you may lodge a complaint with us by contacting [email protected]. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

13. Contact Us

If you have any questions or concerns about this Privacy Policy or the handling of your personal information, please contact our Privacy Officer at [email protected].