Massage Ticket Pty Ltd (ABN 90 693 824 770) trading as “Massage Ticket” (“we”, “our”, or “us”) respects your right to privacy and is committed to protecting the personal information of our customers (“Customers”) and independent massage therapists (“Therapists”). We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) to the extent they apply to our business.
This Privacy Policy explains how we collect, store, use, and disclose your personal and sensitive information through our website, customer and therapist apps, and related services (collectively, the “Platform”). By creating an account or using the Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy.
2. What Personal Information We Collect
We collect personal information that is reasonably necessary to operate and improve our services, including:
(a) Basic details: name, email address, phone number, date of birth, gender, occupation, suburb, state, and (where required) service location details provided for booking purposes.
(b) Account information: username, password, role (Customer or Therapist), Stripe payment ID, Massage Ticket Balance information, and transaction records.
(c) Booking information: service type, ticket type, therapist selected, appointment date and time, booking location (for example, your property or workplace), pricing, booking status, and booking history.
(d) Device and technical data: app and OS version, device type and identifiers, IP address, browser type, crash logs, and usage analytics relating to how the Platform is used.
(e) Location data (Therapists only in connection with active bookings): approximate, real-time location and movement information from a Therapist’s mobile device when they have granted location permissions and have an active booking in a relevant status (for example, “Coming”). This is used only to display the Therapist’s approximate, real-time location and estimated arrival time to the Customer, and to improve safety, logistics, and dispute resolution.
(f) Therapist information: name, email address, phone number, address, suburb, state, job title, professional qualifications and training details, modalities and service offerings, professional registrations, insurance details, ABN, provider number, bank account details for payment, service category, working region, availability, public profile information (including profile description and images), average rating and reviews, and earnings and booking history.
(g) Chat communication data: text messages and timestamps exchanged between Customers and Therapists via the in-app chat feature. Chat is only available for confirmed bookings and is used for professional, booking-related communication.
(h) Support and feedback information: content of emails or messages you send to us via the “Contact Us” or “Contact Support” features, as well as ratings, reviews and feedback you submit about sessions or the Platform.
We may also collect non-identifying, aggregated information about how the Platform is used for analytics, security, and service improvement.
Massage Ticket does not collect, store or manage customer medical history, treatment notes, or other health records. Any health-related information required for treatment is collected and handled directly by the independent Therapist in accordance with their professional obligations and applicable law.
3. How We Collect Information
We collect information in several ways, including:
Directly from you when you:
(a) register, sign in, or update an account in the customer or therapist app;
(b) submit a booking request, accept a booking, or modify an appointment;
(c) top up your Massage Ticket Balance via Stripe or related payment systems (including Stripe Link);
(d) send feedback, contact support, or communicate via the in-app chat feature;
(e) interact with push notifications, SMS, emails, or our website.
Automatically, through:
(a) cookies and similar tracking technologies on our website;
(b) analytics tools integrated into the Platform to understand usage patterns and improve our services (for example, Google Analytics or similar tools);
(c) diagnostic and crash-reporting tools that help improve app stability and performance;
(d) location services on a Therapist’s mobile device, when the Therapist has granted location permissions and has an active booking in a relevant status (for example, “Coming”), so that we can show their approximate, real-time location and estimated arrival time to the Customer and support safety and dispute resolution.
From third-party providers, such as:
(a) Stripe, where we receive limited payment-related information (for example, transaction identifiers and status) to reconcile your Balance and bookings;
(b) authentication and infrastructure providers (for example, Firebase, Supabase) that help us manage logins, notifications and data storage.
Supabase Authentication and Tokens
When you sign in to the Massage Ticket apps, Supabase generates authentication tokens (such as access tokens, refresh tokens and session identifiers). These tokens allow you to stay securely logged in, access your account, and interact with features such as bookings and in-app chat.
In our mobile apps, these tokens are stored securely on your device using platform-level protected storage (such as iOS Secure Storage or Android Encrypted Shared Preferences). They are never stored in browser cookies.
Supabase may also process technical metadata associated with these tokens, such as the device used, timestamps, and IP addresses, for fraud prevention, security monitoring and session validation.
All authentication data is encrypted in transit and stored on Supabase’s secure servers. We do not allow Supabase to use this information for advertising or unrelated analytics.
We only collect personal and sensitive information where it is reasonably necessary for our functions and activities, or where we are required by law.
4. Legal Basis and Consent
By creating an account, submitting a booking, or using the Platform, you give your consent for us to collect, use, and disclose your personal information (including sensitive information) in accordance with this Privacy Policy and applicable law.
In particular, we rely on legitimate business purposes (such as providing and improving the Platform, processing payments, and ensuring security) and legal obligations (such as record-keeping and responding to lawful requests) as further bases for handling your information.
You may withdraw your consent at any time by contacting us at info@massageticket.com.au. If you withdraw consent, we may no longer be able to provide you with some or all Platform features or services (for example, if we cannot process essential booking, account or payment information, we may be unable to facilitate bookings).
Where applicable (for example, if we handle personal data of individuals located in the European Economic Area), we rely on consent and legitimate interests as lawful bases under the GDPR.
5. How We Use Personal and Sensitive Information
We use your personal and sensitive information for the following purposes:
(a) to verify your identity and manage your Massage Ticket account;
(b) to facilitate, manage and record bookings between Customers and Therapists;
(c) to process payments through Stripe and manage your Massage Ticket Balance and transaction history;
(d) to provide and support in-app chat and other communication tools for professional, booking-related discussions;
(e) to send booking updates, confirmations, reminders, invoices, receipts, and important service notifications;
(f) to provide customer support and resolve complaints or disputes;
(g) to maintain, monitor, and improve the functionality, performance, security and reliability of the Platform;
(h) to conduct analytics and reporting on de-identified or aggregated data (for example, to understand which services are most frequently used);
(i) to comply with legal obligations, respond to lawful requests from authorities, and enforce our terms and policies;
(j) to send optional promotional or marketing communications about Massage Ticket services, where permitted by law (you may opt out at any time).
6. Disclosure of Personal Information
We may disclose your information to the following third parties when reasonably necessary to operate the Platform or comply with legal obligations:
(a) Stripe: for secure payment processing and Balance top-ups. Your full card details are encrypted and handled by Stripe and are not stored by Massage Ticket.
(b) Supabase: for secure hosting and storage of our databases and application services.
(c) Firebase: for authentication, app configuration, diagnostics, and push notification infrastructure.
(d) Notification providers such as OneSignal and Twilio: for delivery of push notifications and SMS messages (using device tokens, mobile numbers, and message metadata).
(e) Analytics and monitoring providers: such as Google Analytics or similar tools, which may collect device, usage and performance data from our website and apps.
(f) Professional advisers, insurers, and IT contractors: who assist us in operating and protecting our business and are bound by confidentiality obligations.
(g) Government authorities, regulators, law enforcement agencies, or courts: where we are required or authorised by law to disclose information.
We may also review and disclose limited excerpts of chat communications (for example, screenshots or extracts of relevant messages) where reasonably necessary to:
(a) investigate safety concerns, inappropriate conduct or suspected policy breaches;
(b) resolve disputes or complaints between Customers and Therapists;
(c) comply with legal obligations or respond to law enforcement requests.
We do not sell, rent, or trade your personal information. All disclosures are made under confidentiality and security arrangements consistent with the APPs, and only to the extent reasonably necessary for the relevant purpose.
7. Storage, Security and Overseas Transfers
All data is stored using secure, access-controlled databases hosted by Supabase, Stripe and related cloud infrastructure providers. Depending on the service provider, your information may be stored or processed in:
(a) Australia;
(b) the United States;
(c) the European Union; or
(d) other locations where our service providers maintain servers.
Depending on the Supabase region selected for our project, your information may be stored in Australia, the United States, the European Union or other jurisdictions where Supabase operates secure infrastructure. We take reasonable steps to ensure that any overseas recipients provide a level of protection substantially similar to the Australian Privacy Principles.
Supabase acts as a data processor on our behalf. This means Supabase only processes your personal information in accordance with our instructions and for the purpose of hosting, authentication, database storage and app functionality.
We use a combination of technical and organisational measures to protect your information, including:
(a) encryption in transit and at rest (where appropriate);
(b) role-based access controls and authentication;
(c) secure network protocols and firewalls;
(d) logging and monitoring for suspicious activity;
(e) regular security reviews and updates.
Chat messages:
(a) are transmitted and stored in our Supabase database using reasonable technical and organisational safeguards;
(b) are accessible to the Customer and the allocated Therapist within the app only while the booking is active;
(c) become locked and archived once the booking is marked “Completed” or otherwise closed. At that point, both parties lose the ability to send new messages in that chat thread;
(d) are retained for up to five (5) years for service quality, record-keeping, dispute resolution and legal compliance, after which they are securely deleted or de-identified where practicable and lawful.
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we strive to protect your data in line with industry best practice and applicable privacy law.
8. Cookies and Analytics
We use cookies and similar technologies on our website to:
(a) recognise your browser and remember preferences;
(b) monitor website performance and diagnose issues;
(c) understand how visitors use our website and improve user experience;
(d) measure marketing effectiveness and improve our services.
Our mobile apps do not use browser cookies. Instead, authentication tokens and local data are stored using secure device storage mechanisms. Cookies apply only to our public website.
We may use tools such as Google Analytics, or similar services. These tools may collect information such as your device type, IP address, pages viewed, session duration, and actions taken on our website.
You can disable cookies through your browser settings. However, if you choose to disable or reject cookies, some features of the website may not function properly.
9. Direct Marketing and Communication
We may send you:
essential communications, such as booking confirmations, changes, cancellations, receipts, account updates, security alerts, and important service announcements; and
optional marketing communications, such as promotions, special offers, or news about Massage Ticket services.
Essential service communications are generally required for the operation of your account and bookings and cannot usually be opted out of without deactivating your account.
You can unsubscribe from marketing communications at any time by:
(a) using the “unsubscribe” or “opt-out” link included in a marketing email; or
We will not sell your personal information for marketing purposes.
In-app chat communications are not used for marketing or advertising. They are strictly limited to professional and booking-related communication between Customers and Therapists and the support and safety functions described in this Policy.
10. Access, Correction, Deletion and Complaints
Access and Correction
You may request access to the personal information we hold about you, or request that we correct information that is inaccurate, out of date, incomplete or misleading.
We will respond to your request within a reasonable time and in accordance with the Australian Privacy Principles. We may need to verify your identity before providing access or making corrections.
Deletion and Account Closure
You may request deletion of your personal information and closure of your account at any time by contacting info@massageticket.com.au.
We will take reasonable steps to permanently and securely erase or de-identify your personal information, except where we are legally required or permitted to retain certain records (for example, for taxation, accounting, dispute resolution, health record or regulatory purposes). Where deletion is not possible, we will continue to protect your information in accordance with this Policy and applicable law.
Complaints
If you believe we have breached your privacy rights or this Privacy Policy, you may lodge a complaint with us using the contact details below. Please include sufficient details for us to understand and investigate your complaint. We will investigate and respond within a reasonable period.
If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). Further information about making a privacy complaint is available at: https://www.oaic.gov.au/privacy/privacy-complaints
11. Children and Underage Users
The Platform is intended solely for individuals aged 18 years and over.
(a) You must be at least 18 years of age to create an account, hold a Massage Ticket Balance, make a booking, or otherwise access or use any part of the Platform.
(b) We do not permit individuals under the age of 18 to access, use, or receive services through the Platform under any circumstances, including where a parent or legal guardian is involved.
(c) We do not knowingly collect personal information from individuals under the age of 18. If we become aware that personal information has been collected from a person under 18, we will take reasonable steps to promptly delete or de-identify that information in accordance with applicable laws.
If you believe that an individual under the age of 18 has provided us with personal information or accessed the Platform, please contact us so that we can take appropriate action.
12. Changes to This Policy
We may modify or update this Privacy Policy from time to time to reflect changes in our services, operational requirements, or legal obligations.