Sendrato Australia Pty Ltd (ABN 98 605 555 833) operates the Ludo Leisure Suite platform and the Ludo mobile applications. In this Privacy Policy, "we," "us," and "our" refer to Sendrato Australia Pty Ltd.
The Ludo mobile applications on the Apple App Store and Google Play are published by our affiliate Ludo Leisure Suite Pty Ltd. Personal Information collected through the applications is handled by Sendrato Australia Pty Ltd as the data controller under this Privacy Policy.
1. Purpose of This Policy
1.1 We have adopted this Privacy Policy to explain how we handle Personal Information about individuals when we provide our cashless payments, ticketing, and visitor experience services to event organisers, venues, and the people who attend their events.
1.2 This Privacy Policy is written to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). It also covers notification obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act) and cross-border disclosure obligations under APP 8.
1.3 By publishing this policy we aim to make it easy for customers and the public to understand what Personal Information we collect, why we collect it, how we protect it, and the rights individuals have in relation to their Personal Information.
2. Who and What This Policy Applies To
2.1 This policy applies to Personal Information as defined in the Privacy Act, in all forms, physical or electronic.
2.2 We handle Personal Information in our own right and on behalf of our customers (event organisers and venues).
2.3 This policy does not apply to Personal Information handled by event organisers or venues in their own right. If an organiser or venue is a separate Australian Privacy Principle entity, they are responsible for their own privacy compliance.
2.4 If an individual provides us with Personal Information about someone else, they warrant that they have that person's consent to do so.
2.5 Our services are not directed at children under the age of 18 without the consent of a parent or legal guardian.
3. Information We Collect
3.1 The Personal Information we collect depends on how an individual interacts with us. Categories we may collect include:
(a) Identity Information: name, date of birth, nationality, and government identifier numbers where required for AML/KYC verification.
(b) Contact Information: email address, phone number, postal address.
(c) Account Information: username, password hash, profile photo, preferences, linked wristband or card UIDs.
(d) Transaction Information: wallet load amounts, spend history, vendor interactions, and balance redemptions at events.
(e) Financial Information: bank account or card details used for cash-out or settlement, held by our payment partners (we do not store full card numbers).
(f) Device and Usage Information: device identifiers, IP address, app version, crash reports, and interaction events.
(g) Location Information: approximate location of transactions at events, where location services are enabled on a user's device.
4. How We Collect Information
4.1 We collect Personal Information directly from the individual when they:
(a) Register for a Ludo account, purchase a ticket, or load a wristband, card, or mobile wallet at an event;
(b) Contact us by email, phone, or contact form;
(c) Use the Ludo mobile application or visit our website.
4.2 We may also receive Personal Information from:
(a) Event organisers or venues who have engaged us to deliver services to their attendees;
(b) Ticketing platforms that integrate with our systems under an organiser's instructions;
(c) Payment acquiring partners, for settlement and reconciliation purposes;
(d) Identity verification services, where required for AML/KYC.
4.3 Where we obtain Personal Information without the individual's knowledge, we will either inform the individual at the earliest reasonable opportunity or destroy the information, in accordance with APP 3 and APP 5.
5. How We Use and Disclose Information
5.1 We use Personal Information for the primary purposes for which it is collected, including:
(a) Providing our platform, applications, and services;
(b) Processing transactions, settlements, and refunds;
(c) Verifying identity for AML/KYC obligations;
(d) Communicating with users about their account, transactions, and support requests;
(e) Improving our platform and preventing fraud or misuse;
(f) Meeting legal, regulatory, and audit obligations.
5.2 We do not sell Personal Information. We may disclose Personal Information to:
(a) The event organiser or venue that engaged us, limited to information reasonably necessary for them to run their event;
(b) Our service providers and sub-processors listed in section 10;
(c) Law enforcement, regulators, or courts where required by law;
(d) Professional advisers (legal, accounting) under duties of confidentiality.
5.3 We will only use Personal Information for a secondary purpose where that purpose is related to the primary purpose and the individual would reasonably expect it, or with the individual's consent.
6. Choice and Consent
6.1 An individual may choose not to provide certain Personal Information, but we may be unable to provide some services (for example, we cannot redeem a cash balance without sufficient identity information to comply with AML/KYC).
6.2 Individuals can opt out of marketing communications using the unsubscribe link in any email or by contacting us. Transactional and service notices (for example, receipts, security alerts, balance notifications) are not optional while an account is active.
7. Security and Data Breach Response
7.1 We take reasonable steps to protect Personal Information from misuse, interference, loss, and unauthorised access, modification, or disclosure, in accordance with APP 11.
7.2 Our technical and organisational measures include TLS encryption in transit, at-rest encryption for sensitive data stores, role-based access controls, multi-factor authentication for administrative accounts, and regular review of access logs.
7.3 Online transmission and storage can never be guaranteed to be fully secure. We disclaim liability for unauthorised access that occurs despite our reasonable precautions.
7.4 Notifiable Data Breaches scheme. If we become aware of a data breach that is likely to result in serious harm to an individual, we will assess the breach in accordance with Part IIIC of the Privacy Act. Where the breach is an "eligible data breach," we will notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, and in any event within 30 days of becoming aware of the breach.
7.5 Individuals who suspect a data breach involving their Personal Information should contact us immediately at gday@ludo.computer.
8. Identity Verification for AML/KYC Compliance
Disclosure for Verification
To meet our obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and associated rules, we may disclose an individual's full name, residential address, and date of birth to a third-party verification service provider. That provider may pass the information to a credit reporting agency (CRA) for identity assessment.
Document Verification Services
We may also use the Australian Government's Document Verification Service (DVS) to confirm the authenticity of identity documents.
CRA Assessment
The CRA may compare the details provided by an individual with the personal information they hold (including names, addresses, and dates of birth of other individuals) for the purpose of verifying identity.
Notification and Record-Keeping
If we are unable to verify an individual's identity, we will notify them and provide the name of the CRA used so they can correct their information. We retain verification records for 7 years from the date of the request, in line with AML/CTF obligations. Individuals can request access to their verification records.
9. How to Access and Update Information
9.1 Users can view and update their Personal Information from within their Ludo account.
9.2 Under the APPs, individuals may request access to the Personal Information we hold about them. We will respond within 28 days of a written request.
9.3 We will correct errors in Personal Information within 7 days of receiving written notice, or explain in writing if we disagree with the correction.
9.4 It is an individual's responsibility to keep their account information accurate and up to date.
9.5 We may charge a reasonable fee to cover the cost of supplying copies of information in response to large or repeated requests. We will tell the individual the fee before proceeding.
10. Overseas Disclosure and Sub-Processors
10.1 Some of our service providers store or process Personal Information outside Australia. Before disclosing Personal Information overseas, we take reasonable steps to ensure the overseas recipient handles the information in a way consistent with the APPs, as required by APP 8.
10.2 Our current sub-processors include:
- Vercel Inc. (United States): website and application hosting, edge compute, analytics.
- Google LLC (United States): Google Analytics for website measurement, Google Play distribution, and push notifications for Android.
- Apollo.io (United States): website visitor tracking and account-level visitor analytics.
- Neon Inc. (United States): managed PostgreSQL database hosting.
- Vercel Blob (United States): file and image storage.
- Resend, Inc. (United States): transactional and marketing email delivery.
- Twenty SAS (France / European Union): customer relationship management.
- Apple Inc. (United States): App Store distribution and push notifications for iOS.
- Payment acquirer (Australia): card and bank settlement. Acquirer-specific disclosures are provided at the point of transaction.
10.3 We may update this sub-processor list from time to time. Material changes will be reflected here with an updated "Last updated" date.
11. How Long We Keep Information
11.1 We retain Personal Information only for as long as necessary for the purposes for which it was collected, unless a longer period is required or permitted by law. Indicative periods:
- AML/KYC verification records: 7 years from the date of the transaction or verification, as required under the AML/CTF Act.
- Financial transaction records: 7 years from the end of the relevant financial year.
- Account data: for the life of the account, and up to 24 months after the account is closed or inactive.
- Support correspondence: 24 months from the last interaction.
- Marketing suppression list: indefinitely, to ensure individuals who have opted out are not contacted again.
- Website analytics: retained according to the active reporting windows in Vercel Web Analytics, Google Analytics, and Apollo. This may include page view, referrer, UTM, custom event, public feature-flag experiment, and account-level visitor dimensions.
- Proposal and Blueprint analytics: 13 months, using pseudonymous visitor and session hashes, approximate location, source attribution, and engagement events. We do not store raw IP addresses or raw proposal tokens in these analytics records.
- Server and access logs: 90 days.
11.2 When we no longer need Personal Information, we destroy or de-identify it in accordance with APP 11.2.
12. Automated Decision-Making
12.1 We do not use wholly automated decision-making to make decisions that produce legal or similarly significant effects on individuals. Fraud prevention and risk scoring systems may flag transactions for human review, but final decisions about accounts or transactions are made by our staff.
12.2 If this changes, we will update this policy to describe the logic involved and the significance of any decisions made by automated means, consistent with the transparency requirements introduced by the Privacy and Other Legislation Amendment Act 2024.
13. Publishing Partner and App Stores
13.1 The Ludo mobile applications are published on the Apple App Store and Google Play by our affiliate Ludo Leisure Suite Pty Ltd. Ludo Leisure Suite Pty Ltd acts as the publisher of record for app store purposes and shares common systems, infrastructure, and personnel with Sendrato Australia Pty Ltd. All Personal Information collected through the applications is handled by Sendrato Australia Pty Ltd under this Privacy Policy.
13.2 When an individual installs, updates, or pays for the Ludo application through an app store, Apple or Google may collect information about the individual under their own privacy policies. Those collections are governed by Apple's and Google's policies respectively, not this policy.
14. Complaints and OAIC Escalation
14.1 If an individual has a complaint about how we handle their Personal Information, they should raise it with us in writing at gday@ludo.computer. We will acknowledge the complaint within 7 days and aim to resolve it within 30 days.
14.2 If an individual is not satisfied with our response, they may escalate the complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
15. Contacting Us
15.1 The Privacy Officer for all privacy correspondence is:
The Privacy Officer
Sendrato Australia Pty Ltd
1044A Dandenong Rd, Carnegie VIC 3163, Australia
Email: gday@ludo.computer
16. Cookies and Tracking Technologies
16.1 We use cookies and similar technologies (like web beacons and local storage) on the Ludo Leisure Suite websites and applications. They help sites remember preferences, keep users signed in, and measure how the site is performing.
16.2 Strictly Necessary Cookies: These are required for the site to function, including session/authentication (keeping users signed in) and load balancing.
16.3 Website analytics: We use Vercel Web Analytics and Google Analytics to measure page views, referrers, UTM parameters, custom events, and public feature-flag experiment dimensions. Vercel Web Analytics does not use tracking cookies. Google Analytics may use cookies or similar technologies according to Google's policies and browser settings.
16.4 Website visitor tracking: We use Apollo website visitor tracking to understand account-level interest in our website. Apollo's tracking script may set first-party cookies or use similar technologies to connect website activity with company and visitor-interest signals. We use this for sales prioritisation, not for automated decisions with legal or similarly significant effects.
16.5 Email Tracking Pixels: Transactional and marketing emails sent through our provider (Resend) may include a small tracking pixel to measure delivery, opens, and clicks. See resend.com/legal/privacy-policy.
16.6 Proposal and Blueprint analytics: Private Blueprint links may record page views, section views, CTA clicks, approximate city/country, referrer host, and UTM parameters so we can understand whether a proposal has been reviewed. These records are tied to a named share link and pseudonymous hashes, not raw IP addresses or raw URL tokens.
16.7 Third-Party Cookies: If you follow a link from our site to a third-party service, that third party may set its own cookies governed by its own privacy and cookie policies.
16.8 Managing Cookies: Most browsers allow cookies to be blocked, deleted, or restricted to specific sites. Blocking strictly necessary cookies will break parts of the site, including sign-in.
17. Updates to This Policy
17.1 We may update this policy from time to time. Material changes will be posted to this page with an updated "Last updated" date. Continued use of our services after the update constitutes acceptance of the updated policy.
17.2 Nothing in this policy limits our obligations under the Privacy Act or the Australian Privacy Principles.