PRIVACY POLICY

Membero Pty Ltd (ABN 62 693 926 779), trading as Membero (“we”, “us”, “our”), operates a Software as a Service booking and accommodation management platform (“the Service”) for recreational clubs and similar organisations.

This Privacy Policy explains how we collect, use, hold, and disclose personal information in connection with the Service, and your rights in relation to that information. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

If you have questions about this policy, please contact us at the details set out at the end of this document.

About our role as a platform provider

We operate as a service provider to clubs and organisations (our customers). Personal information about individual club members is held by us on behalf of those clubs. In most cases, the club is your primary contact for how your data is used within their operations. This policy covers how we, as the platform provider, handle that information at the infrastructure and service level.

1. What Personal Information We Hold

Through the operation of the Service, we hold personal information entered by our club customers on behalf of their members. This may include:

• Names, email addresses, phone numbers and postal addresses
• Membership details and membership status
• Booking records, including accommodation and activity bookings
• Financial transaction records, including payment history and receipts
• Documents uploaded by clubs or their members through the Service
• Login credentials for member portal access

We do not collect this information directly from individuals. It is entered into the Service by the club or by the individual through the club’s booking portal. We do not seek or hold any sensitive information as defined under the Privacy Act (such as health information or government identifiers) unless a club has specifically entered such information for their own operational purposes.

2. How We Collect Personal Information

Personal information held within the Service is collected in two ways:

• Directly by clubs — staff or administrators of our club customers enter or import member and booking data into the Service as part of their normal operations.
• Directly by individuals — members may enter their own information when making bookings or updating their profile through the club’s online portal.

We do not purchase, obtain from third parties, or independently collect personal information about individuals for our own purposes.

3. How We Use Personal Information

We use personal information held within the Service solely to operate and deliver the Service to our club customers. This includes:

• Storing and making available booking, member, and financial records as directed by the club
• Processing payment transactions through approved payment gateways (eWAY and PayPal)
• Sending booking confirmations and transactional SMS messages as directed by the club
• Providing technical support in response to requests from clubs
• Maintaining backups and enabling disaster recovery

We do not use personal information held in the Service for marketing, profiling, advertising, or any purpose beyond delivering the Service. We do not sell personal information.

We may use anonymised and aggregated data derived from use of the Service for internal analytical and product improvement purposes, provided no individual or club is identifiable from such data.

4. Disclosure to Third Parties

We do not disclose personal information to third parties except in the following circumstances:

• payment gateway providers, including eWAY and PayPal, to process transactions on behalf of clubs;
• communications providers, including Twilio or similar providers, where clubs use SMS or related messaging features;
• cloud hosting, infrastructure, backup, monitoring, security and software service providers engaged by us from time to time;
• Australian-based support personnel and, where reasonably necessary, specialist technical contractors or service providers located elsewhere;
• professional advisers, insurers, financiers and prospective purchasers or successors in connection with our business operations, subject to appropriate confidentiality arrangements; and
• regulators, law enforcement bodies, courts or other persons where required or authorised by law.

Access to personal information is limited according to role and operational need, applying the principle of least privilege where reasonably practicable.

5. Storage and Security

The Service is currently primarily hosted on cloud infrastructure located in Australia. We may from time to time change, replace, upgrade or relocate hosting, infrastructure, backup, monitoring, security, support or related service arrangements where reasonably necessary for operational, security, legal, disaster recovery, cost, performance or service improvement purposes. As a result, personal information may be stored, processed, backed up, transmitted or accessed in Australia and, where reasonably necessary for service delivery, in other jurisdictions.

We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These measures may include role-based access controls, authentication controls, system monitoring, patching, intrusion protection, backup processes, administrative access controls, confidentiality obligations and incident response procedures.

No method of internet transmission or electronic storage is completely secure. While we take reasonable steps to protect personal information, we cannot guarantee absolute security.

6. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this policy, including while the relevant club remains a customer of the Service and for a reasonable period afterwards to facilitate export, transition, backup rotation, legal compliance, dispute resolution, enforcement of our agreements, and internal record-keeping.

In relation to customer data held within the Service, upon termination of a club’s subscription we generally retain the data for at least 30 days to allow for export or download, after which it may be deleted from active systems. Backup copies and archival records may persist for a further limited period in accordance with our backup rotation, disaster recovery, legal and operational requirements.

7. Access and Correction

Individuals have the right under the Australian Privacy Principles to request access to personal information we hold about them, and to request correction of information that is inaccurate, out of date, incomplete, or misleading.

Because we hold personal information on behalf of clubs, requests from individuals should in the first instance be directed to the relevant club. The club can update or export information directly through the Service. If you are unable to obtain access or correction through the club, you may contact us directly and we will assist where we are able to do so.

8. Data Breaches

We are subject to the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). In the event of an eligible data breach that is likely to result in serious harm to any individual, we will:

• Take immediate steps to contain the breach and assess the likely harm
• Notify affected clubs as soon as practicable
• Notify the Office of the Australian Information Commissioner (OAIC) where required
• Assist clubs with communicating the breach to affected individuals where required

Where a club is the relevant entity required to notify individuals or regulators in relation to personal information it controls through the Service, we will provide reasonable cooperation and practical assistance to support that process.

9. Complaints and Enquiries

If you have a concern about how we have handled your personal information, please contact us in the first instance. We will acknowledge your complaint promptly and aim to respond substantively within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal requirements. The current version will always be available on our website. We will notify our club customers of any material changes.

11. Contact Us

For privacy enquiries, access and correction requests, or complaints, please contact:

Privacy Officer

Membero Pty Ltd

Email: support@cbdweb.net

Website: www.cbdweb.net

Membero Pty Ltd  |  ABN 62 693 926 779  |  www.cbdweb.net  |  Effective March 2026