Privacy Policy

Last updated: 3 April 2026

Herpify ("we", "our", or "us") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at Herpify.com. We operate across 5 countries and comply with applicable privacy legislation in each jurisdiction we serve.

1. Overview & Data Controller

The data controller for personal information collected through the Platform is Herpify Pty Ltd, a company incorporated in Australia. For privacy enquiries, contact: [email protected].

This policy applies to all users in all countries where Herpify operates: Australia, United States, United Kingdom, Canada, and Japan.

2. Information We Collect

Information you provide directly

  • Account information: name, email address, username, profile photo, bio, and country
  • Listing information: animal species, morph, photos, pricing, description, source status (CB/CH/WC), and any permit or microchip numbers you include
  • Verification data: breeder licence numbers (encrypted at rest using AES-256-GCM). If you opt for automated identity verification, Stripe collects your government-issued ID photo and a selfie on our behalf; Herpify never receives, sees, or stores these documents or any biometric data. We only receive a pass/fail verification result from Stripe.
  • Payment information: billing is processed by Stripe. We do not store card numbers, bank account details, or CVV codes on our servers
  • Communications: messages sent through our in-platform messaging system
  • Support requests: content of support tickets and correspondence with us
  • Newsletter and marketing preferences: if you opt in to marketing communications

Information collected automatically

  • Log data: IP address, browser type and version, pages visited, referral URL, and timestamps
  • Device information: device type, operating system, screen resolution
  • Usage data: search queries, listings viewed, features used, clicks, and navigation paths
  • Cookies and similar technologies: see Section 8
  • Location: country-level location inferred from IP address for regional content and compliance. We do not collect GPS or precise device location

3. How We Use Your Information

We use your personal information to:

  • Create and manage your account
  • Provide, operate, and improve the Platform
  • Display your listings and profile to other users
  • Process subscription payments and send billing communications
  • Verify breeder credentials and display verification badges
  • Send transactional notifications (listing enquiries, saved search alerts, messages)
  • Send service and account communications (security alerts, policy updates)
  • Send marketing communications, only where you have given consent or where permitted by applicable law
  • Detect and prevent fraud, abuse, and prohibited listings
  • Comply with legal obligations, including cooperation with wildlife authorities
  • Analyse usage to improve the Platform (using aggregated or anonymised data where possible)

5. Information Sharing

We do not sell your personal information. We share information in the following circumstances:

  • With other users: your display name, username, location (country/state), profile photo, bio, verification status, and listings are visible to other users on the Platform. Your email address is never publicly displayed.
  • With service providers (processors): we share data with carefully selected third-party processors (listed in Section 6) who process data on our behalf under data processing agreements that require them to protect your information.
  • With wildlife and law enforcement authorities: where required or permitted by law, we will disclose information to wildlife management authorities, customs agencies, or law enforcement investigating violations of wildlife protection legislation. We take this obligation seriously given the nature of the Platform.
  • Legal requirements: when required by a court order, subpoena, or applicable law.
  • Business transfers: in connection with a merger, acquisition, or sale of all or a portion of our assets, with advance notice to affected users. Any acquirer will be subject to the obligations in this Privacy Policy.
  • With your consent: in any other circumstances where you have given explicit consent.

6. Third-Party Processors

We use the following sub-processors to operate the Platform:

  • Clerk, Inc. (clerk.com): authentication, user management, and session handling. Data may be processed in the US. Privacy policy: clerk.com/legal/privacy
  • Stripe, Inc. (stripe.com): subscription billing, payment processing, and identity verification (Stripe Identity). For payments, Stripe acts as an independent data controller for payment data. For identity verification, Stripe processes your government-issued ID and biometric data (selfie) as our processor under a data processing agreement. Stripe retains biometric data for up to 1 year and non-biometric verification data for up to 3 years. You may request early deletion at any time. Privacy policy: stripe.com/privacy
  • Amazon Web Services (aws.amazon.com): image and document storage. Files are stored in the ap-southeast-2 (Sydney, Australia) region.
  • Resend (resend.com): transactional email delivery (listing enquiries, subscription confirmations, alerts). Data may be processed in the US.
  • Upstash (upstash.com): Redis caching for performance. Data may be processed in the US and EU.
  • Vercel, Inc. (vercel.com): hosting, CDN, and edge network infrastructure. Data may be processed in multiple regions. Privacy policy: vercel.com/legal/privacy-policy
  • Svix (svix.com): webhook delivery infrastructure. Data may be processed in the US.

All processors are bound by data processing agreements that prohibit them from using your data for their own purposes and require them to maintain appropriate security measures.

7. International Data Transfers

Herpify is based in Australia and some of our processors operate in the United States, European Union, and other countries. When we transfer personal data internationally, we ensure appropriate safeguards are in place:

  • EU/UK users: transfers to countries outside the EEA/UK are made under Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office, or to countries with an adequacy decision.
  • Australian users: we take reasonable steps to ensure overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles (APP 8).
  • Japanese users: transfers to third countries are conducted with appropriate contractual protections consistent with the Act on the Protection of Personal Information (APPI).
  • South Korean users: transfers to third countries are conducted in accordance with the Personal Information Protection Act (PIPA), including notification where required.
  • South African users: transfers are conducted with appropriate safeguards consistent with the Protection of Personal Information Act 4 of 2013 (POPIA), including binding agreements with recipients.

8. Cookies & Tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary cookies: authentication session, country/region preference, CSRF protection tokens. These are required for the Platform to function and cannot be disabled.
  • Preference cookies: theme (light/dark), selected country. Stored in localStorage.
  • Analytics cookies: we use anonymised analytics to understand usage patterns and improve the Platform. IP addresses are anonymised. You can opt out via your browser settings.

We do not use third-party advertising cookies or cross-site tracking technologies.

EU and UK users: where cookies require consent under applicable ePrivacy law, we will request your consent before setting them. You may withdraw consent at any time via your browser settings.

9. Data Retention

  • Account data: retained for as long as your account is active, plus a 30-day grace period after account deletion to allow recovery. After 30 days, personal data is deleted or irreversibly anonymised.
  • Listing data: active listings are retained while your account is active. Expired or deleted listings are retained in anonymised form for analytics for up to 26 months.
  • Breeder verification records: licence numbers (encrypted) are retained for 7 years from submission to satisfy compliance and record-keeping obligations under applicable wildlife legislation. Stripe verification session IDs and pass/fail results are retained for the same period. Biometric data (ID photos, selfies) is held by Stripe (not Herpify) for up to 1 year, and can be deleted earlier via a right-to-erasure request. We can initiate redaction of your Stripe Identity data on your behalf at any time.
  • Transaction and billing records: retained for 7 years as required by Australian taxation and accounting obligations.
  • Support correspondence: retained for 3 years from the date of the last interaction.
  • Analytics data: anonymised analytics data is retained for up to 26 months.

10. Your Privacy Rights

Depending on your country of residence, you have the following rights regarding your personal data:

All users

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate or incomplete data
  • Deletion: request deletion of your account and personal data, subject to legal retention obligations
  • Withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing

EU, UK & EEA users (GDPR / UK GDPR)

In addition to the above, you have the right to:

  • Restriction: restrict how we process your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests or for direct marketing
  • Lodge a complaint: with your national data protection authority (e.g., ICO in the UK, BfDI in Germany, CNIL in France, UODO in Poland)

Australian users (Australian Privacy Act 1988)

You may request access to and correction of your personal information. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au).

California users (CCPA / CPRA)

California residents have the right to: know the categories and specific pieces of personal information collected; request deletion; opt out of the sale of personal information (we do not sell personal information); and not be discriminated against for exercising your rights. To submit a verifiable consumer request, contact us at [email protected].

Canadian users (PIPEDA / provincial privacy laws)

You have the right to access personal information we hold about you and to challenge its accuracy. Contact us at [email protected]. You may also direct complaints to the Office of the Privacy Commissioner of Canada (priv.gc.ca).

Japanese users (APPI)

You may request disclosure, correction, addition, deletion, or suspension of use of your personal information held by us. Submit requests to [email protected]. We will respond within the timeframes required by the Act on the Protection of Personal Information.

South Korean users (PIPA)

You have the right to access, correct, delete, and withdraw consent for processing of your personal information under the Personal Information Protection Act. Submit requests to [email protected]. You may also contact the Personal Information Protection Commission (pipc.go.kr).

South African users (POPIA)

You have the right to access and correct your personal information, object to processing, and lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za). Submit requests to [email protected].

To exercise any right listed above, email [email protected] with your request. We will respond within 30 days (or the shorter period required by applicable law in your jurisdiction). We may need to verify your identity before processing your request.

11. Security

We implement appropriate technical and organisational security measures proportionate to the risks of processing. These include:

  • TLS 1.3 encryption for all data in transit
  • AES-256-GCM encryption for sensitive documents at rest
  • Password hashing managed by Clerk (bcrypt)
  • Row-level database access controls and principle of least privilege
  • Regular security reviews and dependency updates
  • File storage in a geographically restricted region (AWS ap-southeast-2)

No system is 100% secure. If you discover a security vulnerability in our Platform, please report it responsibly to [email protected] before any public disclosure.

12. Children's Privacy

Herpify is not directed at persons under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has created an account or provided us with personal information, please contact us immediately at [email protected] and we will take steps to delete the information and close the account.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and by posting a prominent notice on the Platform at least 14 days before the changes take effect. The date of the most recent revision is shown at the top of this page. Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For privacy-related questions, requests, or complaints: [email protected]

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection or privacy authority in your country (see Section 10 for relevant authority details by jurisdiction).