Business Portal Privacy Policy

This policy describes how Hilltops handles the personal information of business operators using the Hilltops Business Portal at business.hilltops.app. The handling of consumer personal information is covered by the separate consumer Privacy Policy at eventimeetup.com/privacy.

Last updated: June 2026

Hilltops App PTY LTD (ACN 698 610 007) operates the Hilltops Business Portal. We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This policy explains what we collect from business operators, why we collect it, who we share it with, and the choices you have.

1. Summary

  • What we collect. Identity and contact details (name, email, phone), business information (ABN, business name, venue address), authentication metadata, and usage/audit logs.
  • Why. To verify and operate your business account, provide the portal, communicate with you, prevent fraud, comply with law, and improve the product.
  • How we share. With service providers acting under contract on our instructions, with end users where you choose to publish information, and with authorities where required by law.
  • Where it lives. Hilltops primary data is hosted in Sydney (Supabase / AWS Australia). Some service providers process data in the EU or US under data-protection commitments. See section 5 for the full list.
  • Your rights. Access, correction, deletion, and complaints — see section 8.

2. Personal information we collect from operators

2.1 Account and identity

  • Email address (mandatory for portal sign-in)
  • Password (hashed; we never store or see the plaintext)
  • Phone number (where you link the consumer iOS app or use phone OTP)
  • First name and any display name you set
  • Profile photo, cover photo, bio (optional)

2.2 Business and creator details

  • Business display name and slug
  • Australian Business Number (ABN) and the business name registered against it
  • Organisation type and category (e.g. nightclub, gallery, creator)
  • Address, city, contact email and phone (where you supply them)
  • Social and website links (Instagram, Facebook, website, SoundCloud, Spotify, TikTok, etc.) where you choose to publish them
  • For creator accounts: creator type (DJ, musician, etc.) and genres

2.3 Operational data

  • Venues you create or are granted access to manage
  • Events, performances, channels, posts, and messages you publish
  • Team members you invite and the roles assigned to them
  • Subscription tier, billing status, and payment metadata (last 4 digits, expiry — full card data is held by our payment processor, not by Hilltops)

2.4 Technical and audit data

  • Sign-in timestamps, IP address, browser and device type, locale
  • Audit log entries for sensitive actions (account approval, role changes, deletions)
  • Cookies and similar technologies — see section 7

2.5 ABN verification

Where you provide an ABN, we look it up against the Australian Business Register to confirm it is current and matches the business name you have provided. We record the verification timestamp and the registered business name returned by the Register. We do not share your ABN with parties outside Hilltops except as part of legitimate business operations (e.g. tax invoicing).

3. Why we use this information

  • Operate your account. Sign you in, render the portal, route notifications, manage team membership and venue permissions.
  • Verify your business. Run ABN lookups, review applications, and decide whether to approve a business or creator account.
  • Communicate with you. Send account, security, billing, and product update emails. We use Resend as our transactional email provider.
  • Prevent abuse. Detect and stop fraud, spam, and breaches of the Business Portal Terms of Service.
  • Comply with law. Including tax, accounting, consumer protection, and any lawful disclosure requests.
  • Improve the product. Including aggregate analytics on portal usage — see section 6.

4. Sharing

4.1 With end users

Information you publish — business name, bio, social links, venue addresses, event details, channel posts, messages, photos — is shared with end users of the Hilltops consumer app as part of the service. You control what you publish; we render it to the audience you choose (public, follower-only, channel-member-only, etc.).

4.2 With service providers

We engage the following service providers, each under contract to process data only on our instructions and to protect it appropriately:

| Provider | Purpose | Location |
|---|---|---|
| Supabase / AWS Australia | Primary database, authentication, file storage | Sydney, AU |
| Vercel Inc. | Hosting and edge serving of the Business Portal | US (global edge) |
| Resend | Transactional email (sign-in, password reset, billing) | US |
| PostHog Inc. (planned) | Product analytics on portal usage | Frankfurt, DE (EU instance) |
| Google LLC | Google Analytics 4 for portal page-level traffic | US |
| Australian Business Register | ABN verification at application time | AU (Australian Government) |

Each provider is bound by either a Data Processing Agreement or equivalent contractual data-protection commitments. We do not sell or rent operator personal information to any third party.

4.3 With authorities

We may disclose information where required by law (subpoena, court order, lawful regulatory direction) or to protect the rights, property, or safety of Hilltops, our users, or the public. Where legally permitted, we will notify you of such requests.

4.4 In a corporate transaction

If Hilltops is acquired or merges with another entity, your information may be transferred as part of that transaction. Material changes will be notified to you in advance where practicable.

5. Storage and retention

Operator data is stored primarily in Sydney (Supabase / AWS Australia). Backups, indexes, and certain operational data may be stored elsewhere as listed in section 4.2.

We retain operator data for as long as your business account is active, plus a reasonable period thereafter for legal, accounting, and dispute-resolution purposes (typically up to 7 years for billing and tax records). After this period the data is deleted or irreversibly anonymised.

Audit logs of sensitive actions (account approval, role changes, access changes) are retained for at least 12 months for security and compliance review.

6. Analytics

We use product analytics to understand how the portal is used and to improve it. We do not enable session replay on the Business Portal, and we do not capture sensitive fields (ABN, phone, address, payment data) in analytics events.

  • Google Analytics 4 is used for page-level traffic metrics on the portal.
  • PostHog (planned, EU-hosted) will be used for product analytics on operator funnels (sign-up, application, activation). Where deployed, the operator is identified by their Supabase user ID and grouped by their business_account ID. No card data, ABN, or message content is sent to PostHog.

Where required by applicable law (e.g. the EU GDPR), analytics will be gated behind your consent. If you are in a jurisdiction that requires opt-in consent and do not provide it, analytics will not fire for your sessions.

7. Cookies and similar technologies

The portal uses cookies for the following purposes:

  • Strictly necessary — session, authentication, account-switching, CSRF protection. These cannot be disabled.
  • Preference — theme, density, last active business account.
  • Analytics — Google Analytics 4 and, where deployed, PostHog. See section 6 and our Cookie Statement.

You can manage cookies through your browser. Disabling strictly necessary cookies will prevent sign-in.

8. Your rights

You can:

  • Access the personal information we hold about you by emailing support@hilltops.app
  • Correct inaccuracies via the portal settings or by contacting us
  • Delete your business account from the portal; some data may be retained as described in section 5
  • Opt out of non-essential analytics (where consent is available) and unsubscribe from non-transactional emails
  • Complain to us first, and if unsatisfied, to the Office of the Australian Information Commissioner

9. Security

We use industry-standard security controls: TLS for all data in transit, encryption at rest in the primary database, hashed passwords, row-level security policies that restrict each operator to their own data, audit logs for sensitive actions, and the principle of least privilege for staff access.

No system is perfectly secure. If we become aware of a notifiable data breach affecting operator personal information, we will notify affected operators and the OAIC as required by the Notifiable Data Breaches scheme.

10. Children

The Business Portal is not directed at children. You must be at least 18 to register a business or creator account.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify operators by email or via the portal and update the "Last updated" date above.

12. Contact and complaints

Privacy questions or complaints can be sent to support@hilltops.app. We will acknowledge within 7 days and aim to resolve within 30 days.

This Privacy Policy applies only to the Hilltops Business Portal. The consumer Privacy Policy at eventimeetup.com/privacy governs the handling of personal information of end users of the Hilltops mobile app and website.