Privacy Policy
This policy explains how Hecta Pty Ltd (ABN 12 345 678 901) collects, uses, stores, and discloses personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- We only collect what we need. Name, email, phone, address, and payment details — nothing more. We never buy data from third parties.
- We never sell your data. Your information is never sold, rented, or traded to anyone. Ever.
- Stripe handles payments. We never see or store full card numbers. Stripe processes all payments under their own privacy policy.
- You can access and delete your data. Request a copy, correction, or deletion of your personal information at any time.
- We’ll notify you of any breach. If your data is compromised, we notify you and the OAIC as required by law.
1. Who we are
Hecta Pty Ltd (ABN 12 345 678 901) operates hecta.com.au, a software platform that provides Australian farms with tools to sell directly to consumers. We are the “APP entity” responsible for the personal information we collect through our platform.
This policy applies to two groups of people who use Hecta:
- Farmers — farm operators who create a Hecta account to manage their online store, products, orders, and customer relationships.
- Customers — individuals who browse farm storefronts, place orders, and purchase products from farms using the Hecta platform.
Each farm on Hecta operates its own storefront. When a customer places an order, the farm is the primary business relationship. Hecta provides the technology platform — we facilitate the transaction but we are not the seller of the products.
2. What we collect
Information from farmers
| Data | Why we collect it |
|---|---|
| Name, email, phone | Account creation, communication, support |
| Farm name, ABN, location | Storefront display, tax compliance |
| Bank account details (via Stripe) | Payment processing — collected and stored by Stripe, not by Hecta |
| Identity verification documents (via Stripe) | Stripe’s Know Your Customer (KYC) requirements — collected and stored by Stripe |
| Product information, pricing, photos | Storefront display and order fulfilment |
| Login credentials (hashed password) | Account security — passwords are hashed and never stored in plain text |
Information from customers
| Data | Why we collect it |
|---|---|
| Name, email | Order confirmation, delivery notifications, account creation |
| Phone number | Delivery/pickup SMS notifications (optional) |
| Delivery address | Order delivery — only collected for delivery orders, not pickup |
| Payment details (via Stripe) | Order payment — collected and stored by Stripe, not by Hecta |
| Order history | Order management, subscription billing, customer service |
| Transfer receipts (PDF uploads) | Payment confirmation for bank transfer orders — stored temporarily |
Information we collect automatically
| Data | Why we collect it |
|---|---|
| IP address | Security, fraud prevention, error diagnostics |
| Browser type, device | Ensuring the platform works across devices |
| Pages visited, time on site | Understanding how the platform is used to improve it |
| Cookies | Session management, remembering login status (see section 10) |
Information we do NOT collect
We do not collect sensitive information as defined by the Privacy Act (racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, biometric data) unless directly relevant to a farm's product descriptions (e.g., “halal certified”).
3. How we use your information
We use personal information only for the purpose it was collected (the “primary purpose”) or for directly related secondary purposes you would reasonably expect. Specifically:
- Operating the platform — creating accounts, processing orders, managing subscriptions, sending delivery notifications, generating packing lists, and facilitating payment processing.
- Communication — transactional emails (order confirmations, delivery reminders, billing notifications), account-related communications, and responses to support requests.
- Security and fraud prevention — detecting suspicious orders, preventing unauthorised access, and monitoring for payment fraud.
- Platform improvement — analysing usage patterns to improve features, fix bugs, and develop new functionality. This analysis uses aggregated, de-identified data wherever possible.
- Legal compliance — meeting our obligations under Australian law, including tax reporting (GST/BAS) and responding to lawful requests from authorities.
We do not use your personal information for:
- Selling or renting to third parties
- Direct marketing by Hecta to farm customers (we never email a farm's customers to promote Hecta)
- Automated decision-making that significantly affects you
- Profiling for advertising purposes
4. Who we share it with
We share personal information only with the following parties, only to the extent necessary for the stated purpose:
| Recipient | What we share | Why |
|---|---|---|
| Stripe (payment processor) | Payment details, identity verification for farmers | Processing card payments, managing connected accounts, KYC compliance |
| The farm (for customer data) | Customer name, email, phone, address, order details | Order fulfilment, delivery, customer communication |
| Resend (email service) | Email addresses, names | Sending transactional emails (order confirmations, notifications) |
| Twilio (SMS service) | Phone numbers | Sending delivery/pickup SMS notifications |
| Cloudflare (hosting/CDN) | IP addresses, request data | Content delivery, DDoS protection, image storage |
| Vercel (hosting) | IP addresses, request data | Frontend hosting and edge functions |
| Fly.io (hosting) | Application data | Backend hosting (Sydney region) |
We do not share personal information with any party not listed above. We do not sell, rent, or trade personal information. We do not share data with advertising networks or data brokers.
5. Overseas disclosure
Some of the service providers listed above process data outside Australia. In accordance with APP 8, we disclose the countries and take reasonable steps to ensure overseas recipients protect your information consistently with the APPs:
| Provider | Country | Protection |
|---|---|---|
| Stripe | United States | PCI DSS Level 1 certified, GDPR compliant, contractual data protection |
| Resend | United States | SOC 2 compliant, data processing agreement in place |
| Twilio | United States | SOC 2 and ISO 27001 certified, data processing agreement in place |
| Cloudflare | Global (nearest edge) | SOC 2, ISO 27001, data processing agreement in place |
| Vercel | United States (Sydney edge) | SOC 2 certified, data processing agreement in place |
| Fly.io | Australia (Sydney region) | Data stays in Australia |
Our database is hosted in Australia (Sydney region via Fly.io). Customer and farm data at rest remains in Australia. Some data passes through US-based services for processing (email delivery, payment processing) but is not stored there permanently.
6. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- Encrypted data transmission (TLS/HTTPS on all connections)
- Encrypted data at rest (database encryption)
- Password hashing using bcrypt (we never store plain-text passwords)
- Stripe handles all payment card data — we never see or store full card numbers, CVVs, or PINs
- Access controls and role-based permissions for platform administration
- Regular security updates and dependency patching
- Transfer receipts are stored in encrypted object storage (Cloudflare R2) and automatically deleted 12 months after the order date
- Admin access to farm accounts is time-limited (2 hours maximum), logged with administrator identity and duration, and restricted to the purposes described in our Terms of Service (section 6)
No system is perfectly secure. While we implement industry-standard protections, we cannot guarantee absolute security of your data. If you discover a security vulnerability, please report it to security@hecta.com.au.
7. Data breaches
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we experience a data breach that is likely to result in serious harm to affected individuals, we will:
- Conduct a reasonable assessment within 30 days of becoming aware of the suspected breach
- If the breach qualifies as an “eligible data breach,” notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable
- Include in the notification: a description of the breach, the types of information involved, and recommendations for steps individuals should take
- Take reasonable steps to contain the breach and prevent further unauthorised access
Notifications will be sent directly to affected individuals via email. If direct notification is not practicable, we will publish a notice on our website.
8. Data retention
Active accounts
We retain personal information for as long as your account is active and the information is necessary for the purposes described in this policy.
After cancellation
When a farm cancels their Hecta subscription, we retain their data (products, customers, orders) for 90 days to allow reactivation. After 90 days, all farm data is permanently deleted from our systems and backups. The farmer can export their data at any time before deletion.
Customer data
Customer data (name, email, address, order history) associated with a farm is deleted when the farm's data is deleted. If a customer has ordered from multiple farms, only the data associated with the deleted farm is removed — their data on other farms is unaffected.
Transfer receipts
Bank transfer receipt PDFs are retained for 12 months after the order date, then permanently deleted from storage. This covers the typical dispute window and a full financial year for the farmer's records. The order record itself (amount, date, payment status, confirmation timestamp) is retained in the database independently of the receipt file — only the uploaded PDF is deleted.
Exceptions
We may retain certain information beyond these periods where required by law (e.g., financial records required under the Taxation Administration Act for 5 years, or records required for legal proceedings).
9. Your rights
Under the Australian Privacy Principles, you have the right to:
Access your information (APP 12)
You can request a copy of the personal information we hold about you. Farmers can export their data (products, customers, orders) from Settings at any time. For a formal access request, contact privacy@hecta.com.au. We will respond within 30 days.
Correct your information (APP 13)
You can update your personal information through your account settings at any time. If you believe we hold inaccurate, out-of-date, incomplete, irrelevant, or misleading information, contact us and we will correct it.
Request deletion
You can request deletion of your personal information. For farmers, this is handled through the account cancellation flow (90-day preservation window) or the immediate “Delete account” option. For customers, contact privacy@hecta.com.au and we will delete your information from our systems within 30 days, subject to any legal retention requirements.
Anonymity (APP 2)
You may browse farm storefronts anonymously without creating an account. However, placing an order requires identifying information (name, email, delivery address) for fulfilment. We cannot provide our full service anonymously because orders require personal information to process and deliver.
Opt out of communications
Transactional emails (order confirmations, delivery notifications) cannot be opted out of — they are necessary for the service. You can opt out of any non-transactional communications (e.g., farm newsletters sent through Hecta) via the unsubscribe link in each email.
10. Cookies and analytics
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| hecta_session | Authentication — keeps you logged in | 30 days |
| hecta_cart | Shopping cart contents for customer storefronts | 7 days |
We do not use third-party tracking cookies, advertising cookies, or cross-site tracking. We do not use Google Analytics, Facebook Pixel, or any advertising-related tracking.
We may use privacy-respecting analytics (e.g., Plausible, Fathom) to understand aggregate platform usage — page views, feature adoption, error rates. These tools do not collect personal information or use cookies.
11. Children
Hecta is not directed at children under 18. We do not knowingly collect personal information from children. Farm storefronts may be viewed by anyone, but placing an order requires an email address and payment method, which implies the person is at least 18 or acting with parental consent. If we become aware that we have collected information from a child without parental consent, we will delete it promptly.
12. Changes to this policy
We may update this privacy policy to reflect changes in our practices, legal requirements, or platform features. When we make material changes:
- We will notify you by email at least 14 days before the change takes effect
- We will post the updated policy on this page with the new effective date
- Previous versions will remain accessible via the “Previous versions” link above
Continued use of Hecta after the effective date constitutes acceptance of the updated policy. If you disagree with a material change, you may cancel your account before it takes effect.
13. Contact and complaints
For questions, access requests, corrections, or complaints about how we handle your personal information:
Privacy Officer
Hecta Pty Ltd
Email: privacy@hecta.com.au
Post: [Business address], Queensland, Australia
We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
This privacy policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
For the companion document, see our Terms of Service.