Privacy Policy
This policy explains what personal information Varoo collects, why we collect it, how we use it, who we share it with, and how you can access or correct it. We follow the Australian Privacy Principles in the Privacy Act 1988 (Cth) and Google’s API Services User Data Policy where applicable.
Effective: 8 May 2026 · Last updated: 8 May 2026
- Who we are
- What information we collect
- Why we collect it and how we use it
- Google user data and the Limited Use rules
- Who we share information with
- Storage, security, and overseas disclosure
- How long we keep your information
- Accessing, correcting, and deleting your information
- Direct marketing and unsubscribing
- Cookies and analytics on varoo.com.au
- AI-powered customer support
- Data breaches
- Changes to this policy
- Contact and complaints
1. Who we are
Varoo is operated by Adam Shephard, sole trader, trading as varoo. ABN 71 562 261 801. Based on the Gold Coast, Queensland, Australia. We’re an Australian small business that builds AI-optimised websites and manages Google Business Profiles for other Australian small businesses.
In this policy, “we”, “us”, and “our” mean Varoo. “You” means anyone whose personal information we hold, including business owners, their staff, and visitors to varoo.com.au.
2. What information we collect
2.1 Information you give us directly
- Your name, business name, email address, and phone number when you fill in our audit request form, contact form, or sign up for a service.
- Your business address and trading details when you become a paying client (so we can update your Google Business Profile and website).
- Payment details for invoicing. Card numbers are processed by Stripe and never stored on our servers.
- Any messages, photos, or files you send us by email, WhatsApp, or web form.
2.2 Information we collect about your public business presence
- Publicly listed Google Business Profile fields (name, address, phone, hours, categories, photos, reviews) retrieved through the Google Places API.
- Public website content (HTML, headings, structured data, images, robots.txt, sitemap) retrieved by our audit crawler.
- Search engine and search-AI signals from third-party data providers (currently DataForSEO and Google PageSpeed Insights).
2.3 Information we collect when you authorise Google access
If you sign in with Google to let us manage your Google Business Profile, we receive an access token from Google together with profile metadata, listing data, posts, reviews, and aggregated performance metrics. We never receive your Google password. The exact data depends on the OAuth scopes you grant. See section 4.
2.4 Information we collect automatically
- varoo.com.au uses minimal first-party logging (page URL, referrer, user-agent, country, anonymised IP) for fraud prevention and aggregate traffic counts. We do not run advertising trackers.
- Our operator dashboard is internal-only and not accessible to clients.
- The audit report URL we send you logs access events (date, anonymised IP, user-agent) for security and to confirm that the report we sent you has been opened.
3. Why we collect it and how we use it
We collect personal information for the following purposes only:
- To produce the audit report you’ve asked for and to send it to you.
- To deliver the services you’ve signed up for (website builds and hosting, Google Business Profile optimisation, monthly reports, review responses, posts).
- To bill you correctly and to keep records required by Australian tax law.
- To contact you about your audit, your account, or material changes to our service.
- To improve the accuracy and usefulness of our audits over time, using aggregate, de-identified signals only.
- To comply with our legal obligations, including the Privacy Act 1988, the Spam Act 2003, and the Australian Consumer Law.
We don’t sell your personal information. We don’t share it with advertising networks. We don’t use it to train machine-learning models.
4. Google user data and the Limited Use rules
When you sign in with Google to authorise Varoo to manage your Google Business Profile, you grant specific OAuth scopes. We use that access in line with Google’s API Services User Data Policy, including the Limited Use requirements.
4.1 Scopes we may request
| Scope | What it lets us do | Why we need it |
|---|---|---|
| Business Profile management | Read and update your Google Business Profile information (name, hours, services, categories, attributes, photos, posts). | To run the GBP overhaul, post updates, and maintain accuracy on your behalf. |
| Business Profile Performance API | Read aggregated profile metrics (views, calls, direction requests, search queries). | To produce monthly trend reports showing how your visibility is changing. |
| Business Profile reviews | Read reviews and post replies. | To respond to customer reviews on your behalf when you’ve subscribed to a tier that includes review management. |
4.2 Limited Use commitment
Varoo’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- We use Google user data only to provide or improve user-facing features that are prominent in Varoo’s user-facing experience (your audit, your monthly report, your GBP optimisation work).
- We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations and only in accordance with applicable privacy laws.
- We do not use Google user data to train machine-learning or AI models.
4.3 Token storage and revocation
Access tokens and refresh tokens are stored encrypted at rest on our Australian-region server. They’re never written into reports, never logged in plain text, and never shared. You can revoke Varoo’s access at any time at myaccount.google.com/permissions. Once revoked, we lose all ability to read or update your Google Business Profile, and any tokens we hold for you become useless.
5. Who we share information with
We share information only with the following categories of recipient, only for the purposes listed:
- Hosting and infrastructure: Hostinger International Ltd (server hosting, Australian-region VPS), Cloudflare (DNS).
- Payment processing: Stripe (card processing and recurring billing). Stripe receives the data needed to charge your card and is itself bound by PCI-DSS and Australian privacy law.
- Email delivery: Hostinger email (transactional and account email).
- Analytics and audit data sources: Google (Places API, PageSpeed Insights, Business Profile API), DataForSEO. These providers receive only the queries needed to retrieve public data about a business, not your personal information.
- AI processing: Anthropic (Claude API) for two purposes: drafting client-facing content (recommendations in your audit, blog posts, GBP posts, review reply drafts), and powering the customer-support assistant described in section 11. Anthropic processes the data needed for each task and contractually does not train its models on our inputs.
- Accountants and tax authorities where required by Australian law.
- Law enforcement in response to a valid legal request.
We don’t share your personal information with anyone else without your consent.
6. Storage, security, and overseas disclosure
Your information is stored on a Hostinger virtual private server in Australia (Sydney region) running encrypted disks and standard server hardening (firewall, key-only SSH, automatic security updates). Backups are encrypted and retained for 30 days.
Some of the providers we use store data outside Australia: Stripe (United States and Ireland), Cloudflare (United States and global CDN), Google (United States and global), DataForSEO (United States). By using Varoo you consent to your information being disclosed to these overseas recipients for the purposes set out in this policy. We have taken reasonable steps to ensure these providers handle personal information consistently with the Australian Privacy Principles.
We use HTTPS for all connections to varoo.com.au, ops.varoo.com.au, and audit report URLs. We don’t store payment card numbers, CVCs, or bank account passwords.
7. How long we keep your information
| Type of information | Retention period |
|---|---|
| Audit reports and the data behind them (free or paid) | Indefinitely while the related business folder is active. Deleted within 30 days of a written request. |
| Lead and contact information (no purchase made) | 24 months from last contact, then deleted. |
| Active client records and invoices | For the duration of the engagement and at least 7 years after, as required by Australian tax law. |
| Google OAuth access and refresh tokens | For the duration of your subscription. Revoked and deleted within 7 days of cancellation, suspension, or your revocation through your Google account. |
| Email and WhatsApp message history | 3 years from last contact. |
| Server access logs | 90 days. |
8. Accessing, correcting, and deleting your information
You can ask us at any time to:
- Tell you what personal information we hold about you.
- Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Delete information we no longer need to keep (subject to our legal record-keeping obligations).
Send a request to hello@varoo.com.au with the subject line “Privacy request”. We aim to respond within 14 days and will complete reasonable requests within 30 days. There is no charge for access or correction. If we refuse a request we’ll explain why in writing and how you can complain.
9. Direct marketing and unsubscribing
If you’ve given us your email address (by buying an audit, signing up, or asking us to contact you), we may occasionally send you product updates or offers from Varoo. Every marketing email has a one-click unsubscribe link. Transactional emails (your audit, your invoice, account changes) aren’t covered by unsubscribe and will continue while you have an active account or pending audit. We comply with the Spam Act 2003 (Cth).
10. Cookies and analytics on varoo.com.au
varoo.com.au uses one strictly necessary first-party cookie for form CSRF protection. We don’t run Google Analytics, Meta Pixel, or any third-party advertising trackers on the public site. Audit report pages may include a privacy-respecting first-party page-view counter so we can tell you whether your report was opened. No personal data is collected from third-party visitors to public pages beyond what is described in section 2.4.
11. AI-powered customer support
Customer support is delivered by an AI assistant (currently powered by Anthropic’s Claude). To answer your questions and act on your service requests, the AI may read:
- Your message to us (email, WhatsApp, web form, dashboard chat).
- Your Varoo account record (name, email, phone, business name, ABN, subscription tier, account status, payment status).
- Your audit reports and the data behind them.
- Past support transcripts on your account.
What the AI does not read in normal support work:
- Live Google user data (profile fields, posts, reviews, performance metrics retrieved through OAuth). Google user data flows only through the audit and service-delivery pipelines, never through the support assistant.
- Your card or payment details (these stay with Stripe and never reach the AI).
- Other clients’ data.
The AI passes any Google-OAuth-related question to a separate, isolated workflow that follows our Limited Use commitments in section 4.
Support transcripts are retained for 3 years from the date of last contact. They’re used to deliver and improve support, to handle complaints, and to demonstrate compliance with our service obligations. They’re not used to train AI models. Anthropic’s terms with us prohibit them from training on our inputs.
You can ask to speak to a human at any time. The human operator (Adam Shephard) reviews and confirms cancellations, refunds, complaints, and any decision that changes your contract before that decision becomes binding.
12. Data breaches
We’re required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 to notify you and the Office of the Australian Information Commissioner if there’s an eligible data breach involving your personal information. Notification will happen as soon as practicable after we become aware of the breach and will include what happened, what information was involved, what we’re doing about it, and what you can do.
13. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top changes whenever any edit is made.
Material changes include: new categories of data we collect, new third-party recipients, new overseas storage locations, changes to retention periods, changes to OAuth scopes we request, changes to our security measures, changes to your access or correction rights, or anything else that materially affects how your personal information is handled. Material changes are emailed to active clients and posted on varoo.com.au at least 14 days before they take effect.
Non-material changes (typo fixes, formatting, contact-detail updates, additions to the third-party processors list of the same kind already listed, clarifications that don’t change rights or obligations) are made without notice. The “Last updated” date still changes so you can see when something was edited.
14. Contact and complaints
If you have a question or complaint about how Varoo handles your personal information, contact us first:
- Email: hello@varoo.com.au (subject: “Privacy”)
- Phone: +61 417 526 674
We’ll acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you’re not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner:
- Online: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001