Privacy Policy
Version 2.0 — effective 21 April 2026
This Privacy Policy explains how XPERT Moto Group Pty Ltd (ABN 72 629 456 408) (“XPERT Moto”, “we”, “us”, “our”) handles your personal information. We are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) set out in Schedule 1 to that Act. Each section below addresses a single APP so you can see exactly how we meet our obligations.
For a summary of our technical security controls, see our Trust & Security page.
APP 1 — Open and transparent management
This policy is published on our website and is available free of charge. Our Privacy Officer is the point of contact for any privacy question, access request, correction request or complaint:
- Email: book@scootering.com.au
- Post: the registered office of XPERT Moto Group Pty Ltd (ABN 72 629 456 408)
We review this policy at least annually and whenever our practices change materially. Prior versions are preserved on request.
APP 2 — Anonymity and pseudonymity
You may browse our public website, fleet pages, pricing and locations anonymously. We do not require you to identify yourself to read information about our services. To make a booking, arrange ride insurance, or hold a bond, we must identify you — this is required by the Road Transport Acts of each state in which we operate, our insurer, and our obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) in relation to payment processing.
APP 3 — Collection of solicited personal information
We collect only the personal information reasonably necessary to provide our vehicle hire services. Specifically:
- Identity and contact: name, email address, mobile phone number, date of birth, residential address.
- Driver licence: licence number, issuing state, class, expiry date, and a photograph of the front and back of the licence. Required to verify your legal entitlement to ride.
- Passport (optional, overseas visitors): passport number, country of issue, expiry and a photograph where the licence alone is insufficient for identification.
- Emergency contact: name, phone number and relationship to you, for use in the event of an accident during your hire.
- Booking and rental records: pickup and return depot, dates and times, vehicle assigned, odometer readings, fuel level, pre- and post-hire inspection notes and photographs, and your digital signature on the rental agreement.
- Payment information: billing details and tokenised payment method references processed by our payment provider, Stripe. We never store full card numbers, CVV codes or card-not-present credentials on our systems.
- Device and usage data: IP address, browser and device identifiers, pages viewed, and cookie data when you use the site.
- Communications: records of emails, SMS messages and phone calls between you and our team.
- Incidents and infringements: accident reports, damage photographs, police and insurance reference numbers, and any traffic or parking infringement notices issued in respect of a vehicle you hired.
- Marketing preferences: your email and SMS marketing opt-in status, recorded explicitly, defaulting to off.
APP 4 — Dealing with unsolicited personal information
If we receive personal information we did not ask for and could not have collected under APP 3, we will, within a reasonable time, destroy or de-identify it unless we are required by law or a court order to retain it or it is otherwise contained in a Commonwealth record.
APP 5 — Notification of collection
When we collect personal information directly from you, we take reasonable steps to make you aware of: our identity and contact details, the purposes of collection, the consequences of not providing the information, the types of organisations we may disclose it to, and the fact that this policy contains information about how to access, correct or complain about our handling of your personal information. For website and booking flows, this notice is provided at the point of collection. For telephone or in-person collection, it is provided verbally or in the rental agreement you sign.
APP 6 — Use or disclosure of personal information
We use your personal information only for the primary purpose for which it was collected — providing our hire services — or for a secondary purpose you would reasonably expect and that is related to the primary purpose. This includes:
- Processing bookings, payments, bond holds and releases, and issuing tax invoices;
- Verifying your identity, age and licence before a vehicle is handed over;
- Sending booking confirmations, reminders and return notifications;
- Managing incidents, damage claims, infringements and recoveries;
- Meeting our tax, consumer law and insurance obligations;
- Responding to your enquiries and support requests.
We disclose personal information only where necessary for these purposes or where required by law, including to Stripe (payment processing), Twilio (SMS), our email provider, our cloud infrastructure providers, insurers and assessors in the event of damage, theft or accident, state transport authorities where infringements must be nominated, and police or regulators in response to a lawful request. We do not sell your personal information.
APP 7 — Direct marketing
We send marketing communications (offers, fleet updates, promotions) only where you have explicitly opted in. Marketing opt-in defaults to off when you register. Every marketing email and SMS includes a clear unsubscribe mechanism, and you may also update your preferences at any time by signing in to your customer dashboard or contacting our Privacy Officer.
APP 8 — Cross-border disclosure
Some of the service providers we rely on to operate this service store or process personal information outside Australia. Before we disclose information to them, we take reasonable steps to ensure they handle it consistently with the APPs. Our current offshore sub-processors include:
- Stripe, Inc. (United States, European Union): payment processing and bond authorisation.
- Twilio, Inc. (United States): SMS and messaging delivery.
- Resend, Inc. (United States): transactional email delivery.
- Sentry, Inc. / Functional Software, Inc. (United States): application error monitoring.
- Amazon Web Services, Inc. (Australia, with replication depending on the service tier): object storage and application hosting.
We select providers with equivalent privacy and security safeguards. Where processing occurs in jurisdictions with privacy frameworks different from the APPs, contractual safeguards cover the gap.
APP 9 — Government identifiers
We collect driver licence numbers and (for visitors who do not hold an Australian licence) passport numbers solely to verify your identity and legal entitlement to ride. We do not use these government identifiers as our own internal identifier for you; our systems key customer records to an internally generated identifier. We do not disclose government identifiers except as required by law or to our insurer in connection with a claim.
APP 10 — Quality of personal information
We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up to date, complete and relevant. You can review and update most of your personal information through your customer dashboard. For fields you cannot edit directly — licence details, for example — contact our Privacy Officer and we will correct the record.
APP 11 — Security of personal information
We hold personal information in access-controlled systems and protect it with the following measures:
- Encryption: TLS in transit across all public endpoints (with HTTP Strict Transport Security); licence and passport numbers are additionally encrypted at the application layer using AES-256-GCM with keys managed outside the database.
- Access control: role-based access, with multi-factor authentication enforced for all staff and administrator accounts. All access to customer records is audit-logged.
- Payment data: full card numbers and CVV codes never reach our servers. Payments are processed directly by Stripe, a PCI-DSS Level 1 certified provider.
- Backups: nightly encrypted backups with a 30-day retention window.
- Breach response: we maintain a written Data Breach Response Plan aligned with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). See the Trust & Security page for more.
We retain personal information only as long as reasonably required for the purpose for which it was collected or as required by Australian tax, consumer protection and transport law. Financial and tax records are retained for seven years in line with obligations under the Income Tax Assessment Act 1997 (Cth) and A New Tax System (Goods and Services Tax) Act 1999 (Cth). When information is no longer needed and no legal retention obligation applies, we destroy or de-identify it.
APP 12 — Access to personal information
You have a right to request access to the personal information we hold about you. Submit a request to our Privacy Officer using the contact details in APP 1. We will respond within 30 days, usually by providing a copy of your record at no charge. In limited circumstances we may be permitted or required to refuse access (for example, where disclosure would unreasonably impact the privacy of another person). If we refuse, we will set out the reasons in writing and explain how to complain.
APP 13 — Correction of personal information
If the personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may ask us to correct it. We will respond to correction requests within 30 days. Where we have disclosed the information to a third party, we will, if you ask, take reasonable steps to notify that third party of the correction, unless it is impracticable or unlawful to do so.
Complaints
If you believe we have breached the APPs or mishandled your personal information, please contact our Privacy Officer first. We will acknowledge your complaint within five business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.
Cookies and analytics
We use cookies and similar technologies to keep you signed in, remember your booking progress and measure site performance. You can disable cookies in your browser, but some parts of the booking flow may stop working.
Children
Our services are not intended for people under the minimum licensing age for the vehicle categories we hire. We do not knowingly collect personal information from minors outside a parent- or guardian-supervised booking.
Changes to this policy
We may update this policy from time to time. The current version and its effective date are always shown at the top of this page. Material changes will be communicated through a notice on the site. Previous versions are retained internally and available on request.
Version history
- 2.0 — 21 April 2026. Restructured into thirteen APP-indexed sections; added explicit offshore sub-processor list, security control summary, and complaint handling timeframe.
- 1.0 — April 2026. Initial policy.
