Privacy Policy
This Privacy Policy explains how Crust ("we", "us", "our", or "the Company") collects, uses, discloses, stores, and protects your personal information when you visit our website at crustipizza.com, place an order, use our mobile application, or otherwise interact with our services. We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.
Please read this Privacy Policy carefully. By accessing or using our website, placing an order, or engaging with us in any capacity, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this policy. If you do not agree with any part of this Privacy Policy, please discontinue your use of our services immediately.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post any updated version on this page with a revised effective date. We encourage you to review this policy periodically.
1. About Us
Crust is a food and hospitality business operating in Australia, providing pizza and food delivery, takeaway, and dine-in services to customers across the country. We operate both through our physical store locations and through our digital platforms, including our website at crustipizza.com and our mobile application.
| Company Name | Crust |
|---|---|
| Website | crustipizza.com |
| Email Address | [email protected] |
| Applicable Law | Privacy Act 1988 (Cth), Australian Privacy Principles (APPs) |
For any privacy-related questions, concerns, or requests, please contact us at the email address listed above. We have designated a Privacy Officer who is responsible for overseeing compliance with this Privacy Policy and applicable Australian privacy laws.
2. Information We Collect
We collect various types of personal information in order to provide you with our food services, process your orders, improve our offerings, and communicate with you. The categories of personal information we collect include the following:
2.1 Personal Identification Information
When you create an account, place an order, or contact us, we may collect the following personal identification details:
- Full name
- Email address
- Phone number (mobile and/or landline)
- Delivery address and billing address
- Date of birth (where relevant, for age verification or promotional purposes)
- Account username and password (stored in encrypted form)
- Profile photograph (if voluntarily provided)
2.2 Order and Transaction Information
When you place an order with us, we collect information related to that transaction, including:
- Items ordered, customisations, and special requests
- Order history and frequency
- Payment information (note: we do not store full credit card or debit card numbers; payment processing is handled by secure third-party payment processors)
- Delivery instructions and preferences
- Voucher codes, discount codes, and loyalty reward redemptions
- Feedback, ratings, and reviews you leave about your orders
2.3 Usage and Behavioural Data
When you use our website or mobile application, we automatically collect certain information about how you interact with our digital platforms:
- Pages visited and time spent on each page
- Items viewed, added to cart, or abandoned at checkout
- Search queries entered on our website
- Links and buttons clicked
- Referral source (how you arrived at our website)
- Session duration and frequency of visits
- Navigation paths through our website or app
2.4 Device and Technical Information
We collect technical information about the device and connection you use when accessing our services:
- IP address
- Browser type and version
- Operating system and device type (desktop, mobile, tablet)
- Device identifiers (e.g., device ID, advertising ID)
- Mobile network information
- Time zone settings and language preferences
- Cookie identifiers and similar tracking technologies
2.5 Location Data
With your permission, we may collect your precise or approximate geographic location to:
- Identify the nearest Crust store to your location
- Provide accurate delivery estimates
- Show you location-based promotions and offers
You may disable location services at any time through your device settings. However, disabling location services may limit certain features of our application.
2.6 Communications Data
We collect the content of communications you send to us, including:
- Emails and messages sent to our customer service team
- Live chat transcripts
- Social media messages and interactions
- Survey responses and competition entries
- Feedback and complaints submitted through our website or in store
2.7 Sensitive Information
We generally do not seek to collect sensitive information as defined under the Privacy Act 1988 (Cth), such as health information, racial or ethnic origin, or religious beliefs. However, if you voluntarily provide information about dietary restrictions, food allergies, or health-related requirements when placing an order, this may constitute sensitive information. We collect such information solely for the purpose of preparing and delivering your food safely, and we will handle it with the highest level of care and discretion.
3. How We Collect Your Information
We collect personal information through a variety of means, including:
- Directly from you: When you register an account, place an order, contact our customer service team, participate in surveys, competitions, or promotions, or otherwise interact with us voluntarily.
- Automatically: When you browse our website or use our mobile application, through cookies, web beacons, pixels, and similar tracking technologies.
- From third parties: We may receive information about you from third-party partners such as food delivery platforms (e.g., DoorDash, Uber Eats, Menulog), social media platforms (if you connect your account or interact with us on social media), analytics providers, advertising partners, and payment processors.
- From publicly available sources: We may collect information from publicly available sources where permitted by law, such as public social media profiles or business directories.
4. How We Use Your Information
We use the personal information we collect for the following purposes, all of which are directly related to our operations as a food service business:
4.1 Providing and Managing Our Services
- Processing and fulfilling your food orders
- Managing your account and preferences
- Facilitating payment and refund processing
- Coordinating delivery and providing delivery updates
- Responding to your customer service enquiries, feedback, and complaints
- Sending order confirmations, receipts, and service notifications
4.2 Improving Our Products and Services
- Analysing ordering patterns and preferences to improve our menu offerings
- Conducting internal research and data analytics to enhance the customer experience
- Testing new features, products, and website functionalities
- Monitoring and improving the performance and security of our digital platforms
4.3 Marketing and Promotional Communications
With your consent where required by law, we may use your personal information to:
- Send you promotional emails, SMS messages, or app notifications about special offers, new menu items, discounts, and events
- Personalise marketing content based on your order history and preferences
- Administer loyalty programmes, competitions, and surveys
- Display targeted advertisements on third-party platforms and social media
You may opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email, replying "STOP" to any SMS, adjusting your notification preferences in your account settings, or contacting us directly at [email protected]. Please note that opting out of marketing communications will not affect transactional communications related to your orders.
4.4 Legal and Compliance Purposes
- Complying with our legal and regulatory obligations under Australian law
- Enforcing our Terms of Service and other agreements
- Detecting, preventing, and responding to fraud, security incidents, or other potentially illegal activities
- Responding to legal process, court orders, or requests from government authorities
- Protecting the rights, property, and safety of Crust, our customers, and the public
5. Sharing Your Information with Third Parties
We respect your privacy and do not sell your personal information to third parties. However, we do share personal information with certain third parties in the circumstances described below:
5.1 Service Providers and Business Partners
We engage trusted third-party service providers who assist us in operating our business. These may include:
- Payment processors: To securely process credit card, debit card, and digital wallet payments.
- Delivery platform partners: Including third-party food delivery platforms such as Uber Eats, DoorDash, and Menulog, through which orders may be placed and fulfilled.
- IT and cloud service providers: Who host our website, database, and operational systems.
- Email and SMS marketing platforms: Used to send you communications with your consent.
- Analytics providers: Such as Google Analytics, which help us understand how users interact with our website and application.
- Customer relationship management (CRM) software providers.
- Loyalty programme providers.
All third-party service providers are required to handle your personal information in accordance with our instructions and applicable Australian privacy laws. We enter into data processing agreements with service providers where appropriate.
5.2 Franchise and Related Entities
As a franchised food brand operating across Australia, certain personal information may be shared with our franchise network, related corporate entities, and head office operations for the purposes of business management, quality assurance, and customer service improvement. All entities within our network are bound by this Privacy Policy and applicable privacy laws.
5.3 Legal and Regulatory Disclosures
We may disclose your personal information if required to do so by law or in the good-faith belief that such action is necessary to:
- Comply with a legal obligation, court order, or government request
- Cooperate with law enforcement or regulatory authorities
- Protect and defend our legal rights or property
- Prevent or investigate possible wrongdoing in connection with our services
- Protect the personal safety of users or the public
5.4 Business Transactions
In the event of a merger, acquisition, restructure, sale of assets, or other business transaction, personal information held by us may be transferred to the relevant successor entity as part of that transaction. We will endeavour to notify you of any such transfer and any changes to this Privacy Policy that may result.
6. Cookies and Tracking Technologies
Our website at crustipizza.com uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and support our marketing activities.
6.1 What Are Cookies?
Cookies are small text files that are placed on your device when you visit a website. They allow the website to recognise your device and remember information about your visit, such as your preferred settings or items in your shopping cart.
6.2 Types of Cookies We Use
- Strictly Necessary Cookies: Essential for the operation of our website, including enabling you to log in to your account and complete purchases.
- Performance and Analytics Cookies: Help us understand how visitors use our website, which pages are most popular, and where improvements can be made.
- Functional Cookies: Remember your preferences and settings (such as your delivery address or language preferences) to enhance your experience.
- Marketing and Advertising Cookies: Used to deliver relevant advertisements to you on our website and third-party platforms, and to measure the effectiveness of our marketing campaigns.
6.3 Managing Your Cookie Preferences
You can manage your cookie preferences through your browser settings or our cookie consent tool available on our website. Please note that disabling certain cookies may affect the functionality of our website. For more detailed information about our use of cookies, please refer to our Cookie Policy.
7. Data Security
We take the security of your personal information very seriously and have implemented a range of technical, organisational, and physical security measures to protect your data from unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption: We use industry-standard SSL/TLS encryption to protect data transmitted between your device and our servers.
- Secure servers: Our databases and servers are hosted in secure, access-controlled environments.
- Password hashing: User passwords are stored using strong cryptographic hashing algorithms and are never stored in plain text.
- Access controls: Access to personal information is restricted to authorised employees and contractors who require it to perform their duties, and is governed by strict access control policies.
- Regular security assessments: We conduct periodic security audits, vulnerability assessments, and penetration testing of our systems.
- Incident response: We have a data breach response plan in place. In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law.
- Employee training: Our staff receive regular training on privacy and data security best practices.
While we take all reasonable steps to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use our services at your own risk. We encourage you to use strong, unique passwords for your account and to keep your login credentials confidential.
8. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Australian law. Our general data retention practices are as follows:
| Type of Data | Retention Period |
|---|---|
| Account and profile information | Duration of account activity, plus 3 years after account closure |
| Order and transaction records | 7 years (for financial and tax compliance purposes) |
| Customer service communications | 3 years from date of last interaction |
| Marketing consent records | Until consent is withdrawn, plus 3 years for compliance records |
| Website usage and analytics data | 26 months (rolling) |
| Security and fraud prevention logs | 12 months, unless required longer for investigations |
| Cookie and tracking data | Varies by cookie type (session to 2 years) |
When personal information is no longer required, we will securely destroy or de-identify it in accordance with our data destruction procedures and applicable Australian standards.
9. Your Privacy Rights
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have specific rights regarding your personal information. We are committed to honouring these rights promptly and transparently.
9.1 Right of Access
You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days of receipt. In some cases, we may charge a reasonable fee to cover the administrative cost of providing access. We may decline access in limited circumstances permitted by the Privacy Act 1988 (Cth), and if we do, we will provide written reasons.
9.2 Right to Correction
If you believe that personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you have the right to request that we correct it. We will respond to correction requests within 30 days and will take reasonable steps to correct the information. If we do not agree that the information needs to be corrected, we will advise you of our reasons and your right to complain.
9.3 Right to Deletion (De-identification)
In certain circumstances, you may request that we delete or de-identify your personal information. We will consider your request having regard to our legal obligations to retain certain records and the legitimate purposes for which the information was collected. We will advise you of the outcome of your request within 30 days.
9.4 Right to Opt Out of Direct Marketing
You have the right to opt out of receiving direct marketing communications from us at any time, without charge. You can exercise this right by:
- Clicking the "unsubscribe" link in any marketing email
- Replying "STOP" to any marketing SMS
- Updating your communication preferences in your account settings
- Contacting us at [email protected]
9.5 Right to Withdraw Consent
Where we rely on your consent to process your personal information (for example, for certain marketing activities or location tracking), you may withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of any processing conducted prior to the withdrawal.
9.6 Right to Data Portability
While the Australian Privacy Principles do not currently mandate a formal right to data portability, we endeavour to provide your personal information to you in a structured, commonly used, and machine-readable format upon request where practicable.
9.7 How to Exercise Your Rights
To exercise any of your privacy rights, please contact our Privacy Officer by email at [email protected]. We may need to verify your identity before processing your request. We aim to respond to all legitimate privacy requests within 30 days. In complex cases, we may extend this period by a further 30 days and will notify you accordingly.
10. Children's Privacy
Our website, mobile application, and food ordering services are directed to adults aged 18 years and over. We do not knowingly or intentionally collect personal information from children under the age of 18 years. If you are under 18, please do not provide us with any personal information or use our services without the supervision and consent of a parent or legal guardian.
If we become aware that we have inadvertently collected personal information from a child under 18 without appropriate parental consent, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at [email protected] so that we can take appropriate action.
11. International Data Transfers
As a business operating in Australia, we primarily store and process personal information within Australia. However, some of our third-party service providers, including cloud hosting providers, analytics platforms, marketing tools, and software vendors, may be located overseas or may process data on servers located in other countries. These countries may include, but are not limited to, the United States, the United Kingdom, and countries within the European Union and the Asia-Pacific region.
Where personal information is transferred overseas, we take steps to ensure that appropriate protections are in place in accordance with Australian Privacy Principle 8 (APP 8). This may include:
- Entering into contractual arrangements with overseas recipients that require them to handle personal information in a manner consistent with the Australian Privacy Principles
- Transferring data only to countries with data protection frameworks recognised as providing substantially similar protections to those in Australia
- Obtaining your consent to the overseas transfer where required
Please note that when personal information is disclosed to an overseas recipient, we may remain accountable for any acts or practices of that recipient that breach the Australian Privacy Principles, as set out in APP 8.1, unless a specific exception applies.
If you have questions about our international data transfers, please contact us at [email protected].
12. Third-Party Websites and Links
Our website and app may contain links to third-party websites, social media platforms, and partner services that are not operated by us. This Privacy Policy applies only to our own platforms and services. We have no control over and assume no responsibility for the privacy practices, content, or conduct of third-party websites or services.
We encourage you to review the privacy policies of any third-party websites you visit, particularly those of food delivery platforms through which you may place orders (such as Uber Eats, DoorDash, or Menulog), as these platforms have their own independent privacy policies and practices.
13. Social Media and User-Generated Content
We maintain a presence on various social media platforms including, but not limited to, Instagram, Facebook, TikTok, and Twitter/X. When you interact with us on social media — by commenting on posts, sending direct messages, tagging us, or participating in social media competitions — those platforms collect and process your information in accordance with their own privacy policies.
If you submit reviews, testimonials, photographs, or other user-generated content to us (whether through our website, app, or social media), you acknowledge that we may use such content for promotional, marketing, and quality assurance purposes. We will not publish personally identifiable information about you without your consent.
14. Loyalty Programmes and Promotions
If you participate in our loyalty programme or any promotional activity (such as competitions, giveaways, or referral programmes), we collect and use the personal information you provide for the purpose of administering those programmes, including:
- Tracking points earned and rewards redeemed
- Notifying you of programme updates and exclusive offers
- Verifying eligibility for competitions and processing prize fulfilment
- Complying with any applicable Australian consumer law requirements regarding promotional activities
Participation in loyalty programmes and promotions is voluntary. Specific terms and conditions applicable to each programme or promotion will be provided at the time of your participation.
15. Notifiable Data Breaches
We are subject to the Notifiable Data Breaches (NDB) scheme established under Part IIIC of the Privacy Act 1988 (Cth). This scheme requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs — that is, when there has been unauthorised access to, or unauthorised disclosure or loss of, personal information that is likely to result in serious harm to one or more individuals.
In the event of an eligible data breach, we will:
- Conduct a prompt assessment of the breach
- Notify the OAIC as soon as practicable
- Notify affected individuals directly where practicable, or through a public statement on our website where direct notification is not possible
- Provide guidance to affected individuals on the steps they can take to protect themselves
- Take immediate remedial action to contain the breach and prevent future incidents
16. Privacy Complaints
If you believe that we have handled your personal information in a manner that is inconsistent with the Privacy Act 1988 (Cth) or this Privacy Policy, we encourage you to contact us in the first instance so that we can try to resolve your concern.
16.1 Internal Complaints Process
To submit a privacy complaint, please contact our Privacy Officer:
- Email: [email protected]
- Subject Line: "Privacy Complaint"
Please provide as much detail as possible about your complaint, including the nature of your concern, any relevant dates, and the outcome you are seeking. We will acknowledge your complaint within 5 business days and endeavour to provide a full response within 30 days. If the matter is complex, we may require additional time and will keep you informed of progress.
16.2 Escalating Your Complaint to the OAIC
If you are not satisfied with our response to your complaint, or if we have not responded within 30 days, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC), which is the independent regulator responsible for privacy in Australia.
Office of the Australian Information Commissioner (OAIC)
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Mail: GPO Box 5218, Sydney NSW 2001
- Email: [email protected]
- Online Complaints Form: Available at oaic.gov.au/privacy/privacy-complaints
You may also be able to seek further remedies through the courts in accordance with Part VI of the Privacy Act 1988 (Cth).
17. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal information, please do not hesitate to contact us. We are committed to addressing your enquiries promptly and transparently.
| Company Name | Crust |
|---|---|
| Website | crustipizza.com |
| Email Address | [email protected] |
| Privacy Enquiries Subject Line | Privacy Enquiry / Privacy Request |
| Applicable Legislation | Privacy Act 1988 (Cth), Australian Privacy Principles (APPs) |
Our Privacy Officer will endeavour to respond to all privacy enquiries within 5 business days. For formal privacy complaints, please refer to Section 16 of this Privacy Policy.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, technology, legal requirements, or industry standards. When we make material changes to this policy, we will:
- Post the updated policy on our website at crustipizza.com with a revised "Last Updated" date
- Where practicable, notify registered account holders by email
- Display a prominent notice on our website for a reasonable period following any material changes
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of the updated terms.
Effective Date: June 24, 2026
Last Updated: June 24, 2026
Version: 1.0