Privacy Policy

Shootbase is used by two types of people: Tenants (photography and videography businesses who subscribe to Shootbase) and Clients (the end customers who book shoots through a Tenant's portal). This policy applies to both.

Tenants have their own privacy obligations to their clients. Shootbase acts as a data processor on behalf of Tenants for client data, and as a data controller for Tenant account and billing data.

Rolling Digital Pty Ltd is an Australian company based in Brisbane, Queensland, with its registered office at 2/99 Musgrave Road, Red Hill QLD 4059, Australia. We develop and operate the Shootbase booking and business management platform for real estate media businesses.

You can contact our privacy officer at hello@shootbase.io.

Account information. When you sign up as a Tenant, we collect your name, email address, company name, and password. When you invite team members, we collect their names and email addresses.

Billing information. We collect billing details including your payment card information (processed and stored by Stripe — we do not store raw card numbers) and billing address.

Client data. When clients book through your portal, we collect the information you configure as required: name, email address, phone number, property address, booking preferences, and any other details you collect. This data belongs to you as the Tenant.

Usage data. We automatically collect information about how you use the platform: pages visited, features used, browser type, device information, IP address, and timestamps. This is collected via server logs and analytics tools.

Communications. If you contact us by email or in-platform messaging, we retain those communications.

We use personal information to:

• Provide, operate, and improve the Shootbase platform
• Process payments and manage subscriptions
• Send transactional emails (booking confirmations, invoices, password resets)
• Send service-related notifications (billing, platform updates, trial reminders)
• Provide customer support and respond to enquiries
• Monitor and ensure platform security and integrity
• Comply with legal obligations
• Analyse usage patterns to improve the platform (using aggregated, anonymised data where possible)

We do not use your personal information for direct marketing without your explicit consent, and we will never sell your data to third parties.

We do not sell, rent, or trade personal information. We may share data only in the following circumstances:

Service providers. We share data with trusted third-party providers who help us deliver the platform (see Section 6). These parties process data only as directed by us and under appropriate data processing agreements.

Legal requirements. We may disclose information where required by law, court order, or government authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Shootbase, our users, or the public.

Business transfers. If Shootbase is acquired or merged with another company, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

Shootbase integrates with the following third-party services. Each has its own privacy policy:

• Supabase — Database and authentication infrastructure (data stored in Australia where available)
• Stripe — Payment processing. Card data is handled entirely by Stripe and subject to PCI-DSS compliance
• Postmark — Transactional email delivery
• Google — Calendar integration and Maps/Places API for address lookup
• Xero — Accounting and invoice integration (optional, enabled by Tenant)
• Notion — CRM sync integration (optional, enabled by Tenant)
• Vercel — Platform hosting and deployment infrastructure

Optional integrations (Xero, Notion, Google Calendar) are only activated when explicitly connected by a Tenant administrator. Connecting these services shares relevant booking and contact data with those platforms per their respective privacy policies.

We retain personal information for as long as necessary to provide the services and comply with our legal obligations:

• Active accounts: Data is retained for the lifetime of the account
• After cancellation: We retain data for 30 days to allow data export, then delete it
• Billing records: Retained for 7 years for tax and legal compliance
• Server logs: Retained for up to 90 days for security monitoring

You may request deletion of your personal information at any time (see Section 9). Note that some data may be retained for legal compliance even after a deletion request.

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

• TLS encryption in transit for all data communications
• Encryption at rest for sensitive data (API tokens, payment credentials)
• Row-level security on the database ensuring strict tenant data isolation
• Regular security reviews and dependency updates
• Access controls limiting data access to authorised personnel only

No system is perfectly secure. If you discover a vulnerability, please disclose it responsibly by contacting hello@shootbase.io.

Under the Australian Privacy Principles (and, where applicable, GDPR), you have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Delete your personal information (subject to legal retention requirements)
• Export your data in a machine-readable format
• Withdraw consent for optional data uses at any time
• Object to processing in certain circumstances

To exercise these rights, contact us at hello@shootbase.io. We will respond within 30 days. We may need to verify your identity before processing a request.

Client data requests. If you are a client (end customer) of a Shootbase Tenant, please direct requests to the Tenant directly. We will assist Tenants in fulfilling these requests as required.

Shootbase uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication sessions and platform functionality. These cannot be disabled.
• Analytics cookies: Used to understand how the platform is used so we can improve it. We use privacy-preserving analytics where possible.

We do not use advertising or tracking cookies. You can control cookie behaviour through your browser settings, though disabling essential cookies will prevent you from using the platform.

Shootbase is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-platform notice at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

For any privacy-related questions or concerns, contact our privacy officer:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):