Legal

Privacy policy

Last updated 24 June 2026

This policy explains how brulee (“brulee”, “we”, “us”, “our”) collects, uses, holds, discloses and protects personal information when you visit our website, sign up for an account, or use our point-of-sale and operations platform (the “Service”). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).

By using the Service you agree to the collection and use of information in line with this policy. If you do not agree, please do not use the Service.

1. Who this policy covers

brulee provides software that independent venues use to run their business — taking orders, accepting payments through their own terminals, managing menus, and operating day-to-day. This policy governs personal information we handle on brulee-owned surfaces: our marketing website, sign-up and account flows, and the operation of the platform itself.

Two different relationships matter here. When you are a venue owner, operator or staff member, or a prospective customer, we collect and use your information as described below and we are responsible for it. Separately, when a venue uses brulee to serve its own customers, that venue decides what information to collect from those customers and why — the venue is responsible for that information, and we only process it on the venue’s behalf and on its instructions. If you are a customer of a venue and have a question about your information, contact that venue directly.

2. Information we collect

We collect only the information we need for the purposes set out in this policy. Every field we ask for has a stated reason; we do not collect information “in case we need it later”.

Account and identity information

  • Your email address, used to create and secure your account and to send service messages.
  • Business or venue name, owner or operator name, and contact phone number.
  • Trading address and business number where you provide them, used for tax invoices and compliance.

Authentication and security information

  • Securely hashed staff access codes (PINs) — we never store these in readable form.
  • Short-lived sign-in tokens and session information used to keep you logged in.

Operational and transaction information

  • Orders, line items, totals, discounts, refunds and related sales records.
  • Which staff member performed an action, for accountability and reporting.
  • Menu, product and configuration data you create in the Service.

Payment information

We deliberately handle as little payment data as possible. Card payments are processed by specialist, independently certified payment providers and terminals. We receive only payment metadata — for example the card brand, the last four digits, an authorisation code, and a terminal or transaction reference. We never collect, store or have access to full card numbers, security codes (CVV), PINs entered on terminals, or magnetic stripe / chip data.

Information you store about your own customers

If you use customer-facing features, the Service may store records you choose to keep — such as a customer’s name, contact details, visit history and (optionally) date of birth. As noted above, you decide what to collect here and you are responsible for having a lawful basis to do so.

Images you upload for AI features

To set up or maintain your menu, or to capture supplier documents, you may upload photographs (for example, an image of a printed menu or a supplier invoice). These images are processed to extract the information they contain. See section 5 for how AI processing works.

Technical and usage information

  • Device and browser type, and a truncated (partial) IP address.
  • Request logs, performance traces and error diagnostics used to keep the Service running and secure.
  • Privacy-preserving product analytics that help us understand how features are used. We strip personal information (such as emails, phone numbers and names) before it reaches our analytics and error-monitoring tools, and we do not record on-screen sessions.
  • An audit log of administrative actions taken in your account.

3. How we collect information

  • Directly from you — when you fill in a form, create an account, upload content, or contact us.
  • Automatically — as you use the Service, through the technical and usage information described above.
  • From services you connect — when you authorise a connection to a payment provider, accounting tool, or ordering/delivery marketplace, we receive information from that service so the integration can work. You control these connections and can disconnect them.

Where it is lawful and practicable to do so, you can interact with our marketing website without identifying yourself.

4. Why we use your information

We use personal information only for the purposes for which it was collected, and for directly related purposes you would reasonably expect, including to:

  • provide, operate, maintain and secure the Service;
  • process and reconcile orders and payments;
  • power AI features such as menu extraction, insights and draft communications;
  • send you service messages (for example receipts, security alerts and account notices);
  • manage billing and subscriptions;
  • detect, investigate and prevent fraud, abuse and security incidents;
  • meet our legal, tax and regulatory obligations; and
  • improve the Service, using aggregated or de-identified information wherever possible.

If we ever wish to use your information for a materially different purpose, we will seek your consent unless we are otherwise permitted or required by law.

5. How AI features handle your information

Some features use AI to save you time — for example extracting items and prices from a menu photo, summarising your own business performance, drafting customer messages, or reading a supplier document. When you use these features, the relevant content (such as an uploaded image, or aggregated figures about your business) is sent to an AI inference provider for processing.

We limit what is sent to what the feature needs. We do not send your raw customer database or individual payment metadata to AI providers for these features. Under our arrangements with AI providers, content sent for processing is not used to train their models, is retained only briefly for abuse-prevention and is then deleted.

AI-generated output that affects anything customer-facing is always created as a draft. A person with the right permissions must review and approve it before it is published or sent. We never auto-publish or auto-send AI-generated content.

6. When we disclose information

We do not sell personal information, and we do not disclose it for others’ marketing. We disclose information only as needed to run the Service, and only to categories of recipients such as:

  • cloud hosting, database and storage providers that operate our infrastructure;
  • payment providers and terminal/EFTPOS routing services that process payments;
  • AI inference providers, as described in section 5;
  • an accounting integration, where you connect one, to sync financial summaries;
  • ordering and delivery marketplaces, where you connect them, to exchange order information;
  • communication providers used to deliver email or messages on our behalf;
  • error-monitoring, analytics and logging tools that help us keep the Service reliable; and
  • professional advisers, or government and law-enforcement bodies, where we are required or authorised by law.

We put contractual data-protection terms in place with the service providers that handle personal information on our behalf, and we require them to use it only for the purposes we specify.

7. Where your information is stored (cross-border disclosure)

We store the core of your information — including your account, transaction and customer records — on infrastructure located in Australia.

A limited set of supporting functions are provided by reputable overseas processors. These are: error-monitoring and product analytics (which receive only information with personal details removed), and AI inference (which receives only the specific content a feature needs, as described in section 5). Where we disclose information overseas, we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles. Financial summaries synced to an accounting integration you connect do not include your customers’ personal information.

8. Communications and marketing

We distinguish between service messages — such as receipts, security alerts and account notices, which are part of providing the Service — and marketing messages. We send marketing only where we are permitted to, in line with the Spam Act 2003 (Cth). Every marketing message identifies us and includes a simple way to unsubscribe, which we action promptly.

If you use brulee to send marketing to your own customers, you are the sender of those messages and are responsible for obtaining and keeping the necessary consents. We provide the tools; the obligation to comply rests with you.

9. How we protect your information

We take the security of your information seriously and apply layered safeguards, including:

  • encryption of information in transit and at rest, with additional application-level encryption applied to the most sensitive fields;
  • regular rotation of encryption keys;
  • strict separation of each venue’s data, enforced at the database level, so one venue can never see another’s information;
  • role-based access so staff only see what their role requires;
  • tightly controlled and audited internal access — by default our team cannot access your business data, and support access requires your explicit, time-limited approval;
  • automated removal of personal information from logs before they reach our monitoring tools; and
  • keeping card data out of our systems entirely by relying on independently certified payment providers.

No method of transmission or storage is completely secure, but we work to protect your information and to continually improve our safeguards.

10. How long we keep information

We keep personal information only for as long as we need it for the purposes described in this policy, or for as long as the law requires. In general:

  • Transaction and tax records are retained for around seven years to meet Australian tax and record-keeping obligations.
  • Payment metadata is retained for the period needed to support reconciliation and any payment-dispute (chargeback) window.
  • Customer records you store are kept until you delete them or close your account.
  • Audit logs, integration event records and operational logs are kept for limited periods appropriate to their purpose.
  • Uploaded images used for AI features that are not committed to your account are removed after a short retention period.

When information is no longer needed, we delete it or de-identify it. Note that some summarised records may be retained where the law requires us to keep them (for example, tax records), even after an account is closed.

11. Your rights and choices

Under the Australian Privacy Principles you have the right to ask us for access to the personal information we hold about you, and to ask us to correct it if it is inaccurate, out of date or incomplete. You can also ask us to delete your personal information, subject to the retention obligations described above.

To make any of these requests, email us at hello@bruleepos.com.au and we will action it directly. We may need to verify your identity before we can act on a request. We will respond within a reasonable time, and there is normally no charge.

12. Cookies and local storage

We use a small number of cookies and similar technologies that are necessary to run the Service — for example to keep you signed in and to remember preferences such as your chosen theme. We use privacy-preserving analytics that do not rely on advertising identifiers, and we do not use third-party advertising trackers or record your on-screen sessions. You can control cookies through your browser settings, though some features may not work without them.

13. Children’s information

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

14. Data breaches

We maintain a process to detect, assess and respond to data-security incidents. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme. We aim to notify those affected promptly — and faster than the law requires where we can.

15. Changes to this policy

We may update this policy from time to time to reflect changes to the Service, our practices, or legal requirements. When we do, we will revise the “last updated” date above and post the new version here. If the changes are material, we will take reasonable steps to let you know.

16. How to contact us

If you have a question about this policy, want to exercise a privacy right, or wish to make a complaint about how we have handled your personal information, contact us at hello@bruleepos.com.au. We will acknowledge your complaint and work with you to resolve it.

If you are not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC), which oversees compliance with the Privacy Act 1988 (Cth).

See also our legal & terms page.