LEGAL

Privacy Policy

Last updated: 17 May 2026

Version: 1.0

In plain English: We tell you what personal information we collect, why, where it goes, and how to control it. We don't sell your data. We don't train AI on it. You can email hello@belta.ai any time to access, correct, or delete what we have.

01Who we are

This Privacy Policy explains how Hoora Pty Ltd (ABN 87 689 552 449), trading as Belta ("Belta", "we", "us", "our"), handles your personal information. We're an Australian company operating a software-as-a-service platform for food and hospitality businesses.

Our registered office is at [Registered Address — to be inserted]. You can reach our privacy contact at hello@belta.ai.

We're an "APP entity" for the purposes of the Privacy Act 1988 (Cth) and we comply with the Australian Privacy Principles (APPs). We also act in accordance with the Spam Act 2003 (Cth) for any commercial electronic messages we send.

02What this Policy covers

This Policy covers personal information we collect when you:

  • Visit belta.ai or app.belta.ai;
  • Use the /try demo at app.belta.ai/try (whether or not you go on to create an account);
  • Create a Belta account and use the Service as a merchant;
  • Are a customer of a Belta merchant whose data is processed through Belta (for example, when you redeem a Treat);
  • Contact us by email, social media, or any other means.

For Belta merchants: this Policy describes how we handle the personal information of you and your team. It also describes our role when you use Belta to process personal information about your own customers — in which case, you remain primarily responsible for your customers' privacy, and your own privacy notice to them should reflect that.

03The personal information we collect

We collect different categories of personal information depending on how you use Belta.

3.1 From people who use /try (the invoice-upload demo)

When you upload an invoice on /try, we collect:

  • Invoice contents — supplier names, contact details, item descriptions, quantities, prices, dates. Invoices often contain the business name and contact details of the person or supplier sending the invoice.
  • Your email address and password if you choose to proceed to account creation. Until you do, we hold the invoice extraction in a temporary record on our database (called pending_onboarding).
  • Your IP address, browser, device, and approximate location (city level) for security, rate-limiting, and analytics.
  • Your business category, business name, suburb, and state if you proceed to create a store.

You can use /try without creating an account. If you don't proceed within a reasonable period, we delete the extracted data and the uploaded files within 30 days, or sooner if you ask us to.

3.2 From Belta merchants and their staff

If you create a Belta account, we collect:

  • Identity and contact information — your name, business name, mobile number, email, role (owner, manager, staff).
  • Business information — trading name, business type, location, ABN if you provide one, slug, integration details for connected services.
  • Authentication information — your password (stored as a salted hash; we never see your plain-text password), session tokens, and security logs.
  • Operational data — inventory, recipes, menus, supplier records, staff records, rosters, time entries, stocktakes, COGS, weekly revenue. Some of this is personal information about your staff.
  • Customer support communications — emails, chat messages, and recordings of any support calls you have with us.

3.3 From your end-customers (Treats, Spot Treats, loyalty)

When your customers redeem a Treat or interact with a Belta-powered promotional page, we may process:

  • Identifiers — mobile number, email address, or a generated customer ID;
  • Redemption activity — which Treat, when, at which location, by which staff member;
  • Aggregated visit history — for the purpose of attributing future visits to past promotions.

We process this information on behalf of you, the merchant. You are responsible for ensuring you have given your customers a proper privacy notice and have a lawful basis under the Privacy Act to share their information with us. See Section 11 for the merchant-customer split.

3.4 From integrations you connect

If you connect a third-party service to your Belta account, we receive data from that service. This includes:

  • Square (POS sync) — sales, items, locations, transactions, item-level revenue. Square's data may include limited customer information (for example, last four digits of payment cards, redacted by Square).
  • Stripe (billing) — your subscription status, payment method type (we don't store full card numbers — Stripe does), invoices, payment events. Stripe's full privacy practices apply at stripe.com/privacy.
  • Email-forwarded reports — if you forward Square or other weekly reports to a Belta address, we process those emails to extract relevant business data.

3.5 Automatically, when you use the Service

  • Usage data — pages visited, features used, errors encountered, timestamps;
  • Device and connection data — IP address, browser type, operating system, device identifiers, language;
  • Cookies and similar technologies — see Section 9.

04How we collect personal information

We collect personal information:

  • Directly from you — when you upload an invoice, sign up, fill in a form, talk to us, or use the Service;
  • From integrations — when you authorise us to connect to Square, Stripe, or another service;
  • From cookies and analytics tools — embedded in our website and app (see Section 9);
  • From publicly available sources — for example, when our competitor-monitoring feature retrieves public menu information from third-party delivery platforms. This generally does not include personal information.
  • From your staff or other authorised users — for example, when an owner adds a staff member to their roster.

Where it's reasonable and practical, we collect personal information directly from the individual it relates to. Where we collect from someone else (for example, a merchant adds their staff member), we rely on the merchant having an appropriate basis to do so.

05Why we collect and use personal information

We collect and use personal information for the following purposes:

PurposeExamples
To provide the ServiceRunning /try; extracting and structuring your data; generating campaigns; processing redemptions; syncing Square.
To create and manage your accountAuthentication; subscription management; trial-to-paid conversion; password resets.
To process paymentsCharging your subscription via Stripe; generating tax invoices; handling failed payments.
To communicate with youService notices, trial reminders, support replies, security alerts, billing emails.
To send marketing (if you've opted in)Product updates, tips, occasional newsletters. You can unsubscribe at any time.
To improve the ServiceDiagnosing bugs; understanding how features are used; tuning AI prompts; analytics.
To produce aggregated insightsDe-identified industry benchmarks, internal analytics. We don't publish anything that re-identifies you.
To meet legal obligationsTax records, responding to lawful requests, security and fraud prevention.
To enforce our TermsInvestigating breaches of acceptable use, suspending accounts where appropriate.
We don't sell personal information.

06AI processing and overseas disclosure

The Service uses third-party AI to provide some features — currently Anthropic, PBC (provider of Claude), with processing occurring on Anthropic's infrastructure in the United States. We may also use Anthropic infrastructure in other countries where Anthropic operates.

When we send your data to Anthropic:

  • It's sent through Anthropic's API under a commercial contract that prohibits Anthropic from using your data to train their general models;
  • Inputs and outputs are processed transiently and Anthropic's commercial API zero-retention or limited-retention terms apply;
  • We send only the data needed for the feature you're using (for example, an invoice you uploaded, or campaign-generation inputs).

We've taken reasonable steps to ensure that our overseas service providers handle personal information in a manner consistent with the Australian Privacy Principles. By using the Service, you acknowledge that some of your personal information will be processed in the United States and possibly other countries, where local laws may differ from Australian law.

We also use the following overseas service providers:

  • Supabase, Inc. (database and authentication);
  • Stripe Payments Australia Pty Ltd with parent processing in the United States;
  • Vercel, Inc. (web hosting and analytics) — United States;
  • Meta Platforms Ireland Limited / Meta Platforms, Inc. (advertising pixel on /try) — Ireland and United States.

We list the most material providers here; this is not an exhaustive list of every sub-processor. Where we make material changes to who processes personal information, we'll update this Policy.

07Who we share personal information with

We share personal information with:

  • Service providers that help us deliver the Service (hosting, AI, payments, email, analytics, customer support tools). They're permitted to use personal information only to provide their services to us;
  • Square, Stripe, and other integrations you connect — when you authorise the integration;
  • Other users of your store — for example, your owner can see staff records; staff can see relevant roster data;
  • Professional advisors — lawyers, accountants, auditors, under confidentiality;
  • Government, law enforcement, or regulators — where we're required to by law, or to protect the rights, safety, or property of Belta, our users, or others;
  • In a business transaction — if we're acquired, merged, or restructured, personal information may be transferred to the successor entity, subject to this Policy.
We do not sell personal information to third parties.

08How we store and secure personal information

We store personal information on cloud infrastructure provided by reputable service providers. We use a range of technical and organisational measures, including:

  • Encryption in transit (TLS) and at rest;
  • Row-level security policies in our database to restrict access to your store's data;
  • Salted password hashing — we don't store your plain-text password;
  • Access controls — only authorised personnel have access to production data, and only where needed;
  • Logging and monitoring of suspicious activity;
  • Regular review of our security practices.

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we'll notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act.

09Cookies, pixels, and analytics

We use cookies and similar technologies for:

  • Authentication and security (essential cookies — these can't be disabled);
  • Analytics — Vercel Web Analytics provides aggregated, cookie-free or low-personal-information page-view data;
  • Advertising and conversion measurement — on the /try page we operate a Meta Pixel to measure conversion rate from our advertising. The Meta Pixel sets cookies and reports events (such as "TryStarted" and "TryCompleted") to Meta.

You can control cookies through your browser settings. Disabling essential cookies will affect your ability to use the Service.

If you're located in the EU, UK, or another jurisdiction with specific cookie-consent laws, we honour the consent signals provided by your browser.

10Marketing communications

If you're a Belta user, we may send you:

  • Service emails — billing, security, trial expiry, important Service changes. These aren't marketing and you can't opt out while you have an active account, although you can close the account.
  • Marketing emails — product updates, tips, occasional newsletters. We send these only where we have a basis under the Spam Act 2003 (Cth) (consent, or an existing customer relationship within scope). Every marketing email includes an unsubscribe link. Unsubscribing is honoured promptly.

You can opt out of all marketing at any time by clicking unsubscribe or emailing hello@belta.ai.

11Merchants and their customers

If you're a Belta merchant and you use features that process your customers' personal information (for example, Treats redemption capturing customer mobile numbers): you are primarily responsible to your customers under the Privacy Act for collecting and handling their personal information lawfully, fairly, and transparently.
  • You must have your own privacy notice that tells your customers what you collect, why, who you share it with (including Belta), and how to contact you;
  • You must have a lawful basis under the Privacy Act for sharing your customers' personal information with us (typically: explicit consent at point of collection);
  • We act as your processor for that information, handle it on your instructions, and apply this Policy and the Terms to it.

If you're a customer of a Belta merchant and you want to know how your data is being used, contact the merchant first. We can help redirect your enquiry if needed. You can reach us at hello@belta.ai.

12How long we keep personal information

We keep personal information only as long as we need to for the purposes set out in this Policy, or as required by law.

CategoryRetention
/try uploads that don't proceed to account creationUp to 30 days, then deleted
Active account dataWhile your account is active
Closed account dataUp to 90 days after closure, then deleted (except records we're legally required to retain)
Financial records (invoices, payment receipts)At least 7 years (Australian tax law)
Security and audit logsUp to 12 months
Marketing-list informationUntil you unsubscribe, then deleted from active lists within 30 days

You can request earlier deletion at any time (see Section 13).

13Your rights

Under the Privacy Act, you have rights to:

  • Access the personal information we hold about you;
  • Correct information that's inaccurate, out of date, or incomplete;
  • Complain about how we've handled your personal information;
  • Withdraw consent to a specific use (where we relied on consent);
  • Opt out of marketing at any time.

You may also ask us to delete your personal information. We'll do so unless we're legally required to retain it (for example, financial records).

To exercise any of these rights, email hello@belta.ai. We'll respond within 30 days, usually sooner. There's no charge for reasonable requests.

If you're a customer of a Belta merchant and you want to exercise rights over the information the merchant shares with us, please contact the merchant first.

14Complaints

If you think we've mishandled your personal information:

  1. Tell us first. Email hello@belta.ai with the details. We'll acknowledge within 5 business days and aim to resolve within 30 days.
  2. If you're not happy with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, 1300 363 992.

15Children

The Service isn't directed at children. We don't knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, contact hello@belta.ai and we'll delete it.

16Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top shows the most recent change. For material changes that affect how we handle your personal information, we'll give reasonable notice by email or in-app notice. Your continued use of the Service after the change takes effect means you accept the updated Policy.

17Contact us

Hoora Pty Ltd Trading as Belta
ABN 87 689 552 449
[Registered Address — to be inserted]
Email: hello@belta.ai

For privacy-specific enquiries, use the same address with "Privacy" in the subject line.

This Policy is a baseline working version pending review by qualified Australian legal counsel. It's not legal advice.