Privacy Policy
JCJW Pty Ltd ACN (662 005 334) trading as Zest (we, us, our) are committed to respecting your privacy.
Please read the following privacy policy (Privacy Policy) to understand how we collect, use, disclose, handle and protect your personal information.
We hope that this will help you make an informed decision when sharing personal information with us. As well as applying to our interactions with you, this Privacy Policy also applies to any information that we collect through this website www.zestapp.com.au (Website), the Zest Events mobile app (Zest App) or any other websites, platforms and/or mobile apps we operate (collectively, our Platform). Through our Platform, we provide services that connect Vendors in the events industry (Vendors) with users who may book those Vendors (Clients). This Privacy Policy applies to our interactions with any Platform users, including Vendors and Clients.
Openness and transparency
We are committed to protecting your privacy and respecting and upholding your rights in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles. We will take all necessary steps to comply with the Australian Privacy Principles and to deal with inquiries or complaints from individuals about compliance with the Australian Privacy Principles. By accessing and using our Platform, you agree to and consent to the collection, use, storage and disclosure of your personal information by us as set out in this Privacy Policy.
Personal information
In this Privacy Policy, the term ‘personal information’ has the meaning set out in the Privacy Act. In general terms, personal information is information (whether fact or opinion and whether true or not) about an individual who is identified or who is reasonably identifiable from that information, or from other information combined with that information.
Some types of personal information are classified as ‘sensitive information’ and/or ‘health information’, which are subject to additional protection under the Privacy Act. Sensitive information may include information about your racial origin and health status, and health information may include information about a health-related service you have had or will receive, including test results and appointment details.
What types of personal information do we collect?
The types of personal information we collect about you will depend on the purpose for which the personal information is collected. This can include:
- full name and address;
- email address;
- telephone number(s);
- date of birth;
- credit card information;
- your device ID, device type, computer and connection information, statistics on page views, traffic to and from the sites, ad data, IP address and standard web log information;
- in the case of customers using the Zest App – location data including the precise or approximate location information from the customer’s mobile device when the Zest App is running in the foreground (app open and on-screen) or background (app open but not on-screen) and transaction information relating to the use of the Zest App;
- in the case of customers using the Zest App – usage data on how customers interact with the Zest App, including access dates and times, app features or pages viewed, browser type, app crashes and other system activity;
- in the case of customers using the Zest App – device data on how customers interact with the Zest App, including hardware models, device IP address or other unique device identifiers, operating systems and versions, software, advertising identifiers, device motion data and mobile network data;
- details of the services we have provided to you or that you have enquired about, including any additional information necessary to deliver those services and respond to your enquiries;
- any additional information relating to you that you provide to us directly through our website or app or indirectly through your use of our website or app or online presence or through other websites or accounts from which you permit us to collect information;
- information you provide to us through any customer surveys;
- Platform purchase history;
- any customer conversations from the inbuilt Platform help chat function;
- billing information (including credit and bank details);
- in the case of potential employees, or contractors or subcontractors, or prospective employees, contractors or subcontractors – information contained in your application or résumé, recorded during any interview, or obtained through any pre-employment checks, and government-issued identifiers such as tax file numbers;
- communications data collected through connected third-party accounts as set out in more detail in the “Connected third-party accounts and communication channels” section of this Privacy Policy.
Generally, we will not collect sensitive information from you. However, from time to time, if there is a religious celebration or event that people are sought out to perform services for, then we may collect information that is connected to that religious celebration or event, and which may amount to sensitive information under the Privacy Act.
How do we collect personal information?
We collect your personal information directly from you, including when you:
- access or use our Platform;
- subscribe to or purchase our products or services;
- sign up to receive news and exclusive offers, promotions, or events;
- enter surveys, competitions, promotions or request information or material from us;
- make inquiries about us or our products or services or otherwise communicate with us by email, by telephone, in person, via a website or otherwise; and
- apply to work with us or are engaged by us as a contractor.
Where it is reasonable and practicable to do so, we will only collect personal information about you from you directly and not from third parties.
In limited circumstances, we may collect personal information about you from publicly available sources (such as the Internet) and from third parties (such as mutual contacts, or if someone makes a purchase on your behalf, or from your referees during the recruitment process if you apply for a job with us). We may also collect personal information through third parties such as our service providers or through promotional and marketing activities.
Whilst we will always maintain robust privacy practices, we are not responsible for the privacy practices of third parties, so you should review their relevant privacy policy to satisfy yourself as to how they protect and handle your personal information.
We also use the following technologies to collect technical information and general analytics:
- cookies, which are data files that are placed on your device and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org;
- log files, which track actions occurring on our website; and
- web beacons, tags, and pixels, which are electronic files used to record information about how you browse our website.
Analytics and measurement tools
We use third-party services to understand how our Platform is used and to improve it. These include analytics providers (which collect aggregate information about how visitors interact with our website and mobile app) and session-recording tools (which capture interactions such as clicks, scrolling, and page navigation on our website to help us identify usability issues). Form input fields are automatically masked and are not recorded by these tools.
Where this information is processed
Some of these services process data on servers located outside Australia, including in the United States. We have reviewed each provider's data-processing terms and consider their privacy protections to be appropriate.
How long we keep it
Aggregated analytics data is retained for up to 14 months from the date of collection. Session recordings are retained for up to 30 days.
Opting out
You can limit what these tools record by:
- installing browser privacy extensions (such as uBlock Origin or Privacy Badger), which block most analytics and recording tools;
- adjusting your browser's privacy settings to disable cookies and block trackers; or
- using the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
Can you choose not to disclose your personal information?
If you use a pseudonym when dealing with us or you do not provide identifiable information to us, we might not be able to provide you with any or all of our services as requested. If you wish to remain anonymous when you use our Platform, then do not sign into it or provide any information that might identify you. We require individuals to provide accurate, up-to-date and complete personal information at the time it is collected.
How do we use your personal information?
We use and disclose your personal information for the purposes for which the information is collected including managing our business and providing our products and services to you, including:
- providing our Platform to you;
- administering, protecting, improving or optimising our Platform and services (including performing data analytics, conducting research and for advertising and marketing purposes);
- billing you via our Platform;
- communicating to you about our application, website, products, services, rewards, surveys, contests, or other promotional activities or events sponsored or managed by us or our business partners;
- responding to any inquiries or comments that you submit to us;
- verifying your identity;
- considering you for a job;
- facilitating communications between Vendors and Clients through our Platform, including through connected third-party communication channels as described in the “Connected third-party accounts and communication channels” section;
- any other purpose you have consented to;
- complying with our legal obligations such as notifying you of matters that we may be required by law to do so;
- contacting you regarding any of the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner;
- preventing, detecting and investigating suspicious, fraudulent, criminal or other activity that may cause you, us or others harm, including in relation to our products and services.
Connected third-party accounts and communication channels
Our Platform provides Vendors with the ability to connect third-party accounts to manage their Client communications in a unified inbox within the Platform. This section describes how we handle data from each connected service.
Overview
Our Platform provides Vendors with the ability to receive and manage communications with Clients and potential Clients through a unified inbox within the Platform. This includes emails sent to the Vendor’s dedicated Platform inbox address, social media messages via connected third-party accounts, and messages from the Platform marketplace. This section describes how we handle data from each communication channel.
We access only the minimum data necessary to provide the unified inbox functionality. We do not access, collect, or store data beyond what is described in this section.
Email (Platform inbox address)
How it works: Each Vendor is assigned a unique Platform inbox email address. When an email is sent to this address — either directly by a Client or forwarded by the Vendor — we receive and store the email content. We do not access the Vendor’s personal email account (Gmail, Outlook, or any other email provider). We only receive emails that are explicitly sent to the Vendor’s Platform inbox address.
Specific data collected: Sender name and email address, recipient email address, email subject line, email body content (text and HTML), file attachments, and email metadata (date and time, message identifiers used for threading).
How we use this data: To display incoming emails in the Vendor’s unified inbox within the Platform, to enable the Vendor to reply to emails from within the Platform and to match email conversations with the Vendor’s Client contacts and bookings.
Outbound emails: When a Vendor replies to an email from within the Platform, the reply is sent from the Vendor’s Platform inbox address with the Vendor’s personal email address included in CC, so the Vendor has a copy of all correspondence.
How we store this data: Email content is stored in our secure database, encrypted at rest, and scoped to the individual Vendor’s account. Only the Vendor who owns the inbox address can view their email data. We do not share email content with other Platform users or any third parties.
What we do not do with your email data:
- We do not access, read, or store any emails from a Vendor’s personal email accounts.
- We do not sell, rent, lease, or trade email data to any third party.
- We do not use email content for advertising, marketing, or any purpose other than displaying it in the unified inbox and enabling replies.
- We do not use email content to train machine learning or artificial intelligence models.
- We do not scan or analyse email content for purposes unrelated to providing the unified inbox service.
Deletion: Vendors may request deletion of specific email threads or all stored email data at any time through the data deletion options in their Platform account settings or by contacting us at support@zestapp.com.au. See our Data Deletion Instructions for full details.
Calendar accounts (Google Calendar and Microsoft Outlook Calendar)
What we access: When a Vendor connects their Google or Microsoft calendar account via OAuth, we access their calendar data to display availability and sync confirmed bookings.
Specific data collected: For events on the Vendor’s personal calendar, we collect only the start time, end time, and busy/free status of events. We do NOT collect or store event titles, descriptions, attendee lists, locations, attachments, or any other event details from the Vendor’s personal calendar. For bookings confirmed through the Platform, we create calendar events containing booking details (event name, Client name, location) which are generated from the Vendor’s CRM data, not from their personal calendar.
How we use this data: We use this data to display the Vendor’s availability in the Platform calendar view, to detect scheduling conflicts when creating bookings, and to write confirmed Platform bookings back to the Vendor’s connected calendar so their schedule stays in sync.
How we store this data: Calendar availability data (busy/free time slots only) is stored in our secure database, scoped to the individual Vendor. No personal calendar event content is stored.
Disconnection and deletion: You may disconnect your calendar account at any time through your Platform account settings. When disconnected, all stored calendar availability data is immediately deleted. Platform-created booking events are not removed from the Vendor’s external calendar; they remain there as a record of the Vendor’s bookings. The Vendor can delete these manually if desired.
Instagram Direct Messages
What we access: When a Vendor connects their Instagram Business or Creator account, we access direct messages sent to and from the Vendor’s Instagram account via the Meta Platform APIs.
Specific data collected: Message content (text, images, video, audio), sender profile information (Instagram user ID, display name), message timestamps, delivery and read status, and conversation metadata.
How we use this data: To display Instagram direct messages in the Vendor’s unified inbox within the Platform, to enable the Vendor to reply to Instagram messages from within the Platform, and to match conversations with the Vendor’s Client contacts and bookings.
How we store this data: Instagram message content is stored in our secure database, encrypted at rest, and scoped to the individual Vendor’s account. Only the Vendor who connected the account can view their Instagram message data. We do not share Instagram message content with other Platform users or any third parties beyond what is necessary to provide the service.
What we do not do with your Instagram data:
- We do not sell, rent, lease, or trade Instagram data to any third party.
- We do not use Instagram data for advertising, marketing, or any purpose other than displaying it in the unified inbox and enabling replies.
- We do not use Instagram content to train machine learning or artificial intelligence models.
- We do not scan or analyse Instagram content for purposes unrelated to providing the unified inbox service.
Instagram’s messaging policies: Our use of Instagram messaging data complies with Meta’s Platform Terms and Instagram’s API Terms of Use. We respect Instagram’s 24-hour messaging window policy, and we do not use the Instagram API to send unsolicited messages, spam, or messages that violate Meta’s policies.
Facebook Messenger
What we access: When a Vendor connects their Facebook Page, we access messages sent to and from the Vendor’s Facebook Page via Facebook Messenger through the Meta Platform APIs.
Specific data collected: Message content (text, images, video, audio, files), sender profile information (Facebook user ID, display name), message timestamps, delivery and read status, and conversation metadata.
How we use this data: To display Facebook Messenger conversations in the Vendor’s unified inbox within the Platform, to enable the Vendor to reply to Facebook messages from within the Platform, and to match conversations with the Vendor’s Client contacts and bookings.
How we store this data: Facebook Messenger content is stored in our secure database, encrypted at rest, and scoped to the individual Vendor’s account. Only the Vendor who connected the account can view their Facebook message data.
What we do not do with your Facebook data:
- We do not sell, rent, lease, or trade Facebook data to any third party.
- We do not use Facebook data for advertising, marketing, or any purpose other than displaying it in the unified inbox and enabling replies.
- We do not use Facebook content to train machine learning or artificial intelligence models.
- We do not scan or analyse Facebook content for purposes unrelated to providing the unified inbox service.
Facebook’s messaging policies: Our use of Facebook Messenger data complies with Meta’s Platform Terms and the Messenger Platform Policy. We respect Facebook’s 24-hour messaging window policy, and we do not use the Messenger API to send unsolicited messages, spam, or messages that violate Meta’s policies.
General provisions for all connected accounts
Consent: By connecting a third-party account to the Platform, you consent to us accessing and storing the data described in this section for the purposes outlined. You may withdraw your consent at any time by disconnecting the account through your Platform settings. When we receive a de-authorization signal from any of your connected services, we treat it as a disconnection request and apply the same data handling described above.
Data minimisation: We only access and store the data necessary to provide the unified inbox service. We do not access contacts, address books, or other account data beyond the messaging functionality described above.
No sale of data: We do not sell, rent, lease, or trade any data obtained from connected third-party accounts to any third party, for any purpose.
No use for advertising: We do not use data from connected third-party accounts to display advertisements, and we do not provide this data to advertisers or advertising networks.
Client awareness: When a Vendor’s Client sends an email to the Vendor’s Platform inbox address, or sends a message via Instagram or Facebook to the Vendor’s connected account, the Client’s interaction is with the Vendor, not with us. We act as a tool that the Vendor uses to manage their communications. Vendors and Clients are responsible for complying with all applicable privacy laws including the Privacy Act in any communications with each other. To the maximum extent permitted by law, we disclaim responsibility for the handling of personal information by Vendors and Clients.
Data portability: You may request an export of your stored communication data at any time by contacting us at support@zestapp.com.au.
Google API Services — Data Handling
Our use of information received from Google APIs adheres to the Google API Services User Data Policy.
We access Google Calendar data solely to provide the calendar availability and booking sync features within the Platform. Specifically:
- We only use Google Calendar data to display Vendor availability and sync confirmed bookings.
- We store only busy/free time slot information from the Vendor’s calendar — we do not store event titles, descriptions, attendees, or other event details.
- We do not use Google Calendar data for advertising, marketing, or any purpose other than the calendar features described in the “Calendar accounts” section above.
- We do not transfer Google Calendar data to third parties except as necessary to provide the service, comply with applicable laws, or as part of a merger, acquisition, or sale of assets (with notice to users).
We do not access Gmail or any other Google services beyond Google Calendar.
To whom do we disclose your personal information?
We may disclose your personal information to third parties in connection with the purposes described above (see the “How do we use your personal information” section).
This may include disclosing your personal information to the following types of third parties:
- the third parties we ordinarily engage from time to time to perform functions on our behalf for the above purposes, including cloud hosting providers, payment processors, and email delivery services;
- any potential third party acquirer of our business or assets, and advisors to that third party;
- any person or entity to whom you have consented to our disclosing your personal information;
- our external business advisors, auditors, lawyers, insurers and financiers;
- third-party service providers that assist us in operating the Platform, including but not limited to Amazon Web Services (cloud hosting), Stripe (payment processing), Pusher (real-time notifications), and Postmark (transactional email delivery);
- accounting software providers when you choose to connect your Platform account to an accounting platform (such as Xero), in which case invoice and payment data is shared with that provider at your direction; and
- any person or entity to whom we are required or authorised to disclose your personal information to in accordance with the law.
We do not disclose, sell, or transfer communication data from connected third-party accounts (as set out in the “Connected third-party accounts and communication channels” section) to any third party, except as required by law.
Account Deletion
You can delete your account by clicking into account preferences and selecting the “Delete Account” option, or by contacting us, at which point our team will disable your account and permanently delete your data from our database. For step-by-step instructions, see our Data Deletion Instructions.
Permanently deleting your account will render inaccessible all of the information that you provided to us, including all data from connected third-party accounts (email messages and social media messages), Client contacts, booking records, invoices, quotes, forms, and all other data associated with your account. Once your account is permanently deleted, you will not be able to reactivate it, and you will not be able to retrieve any information.
It can take up to 30 days for us to completely delete your data from our servers and database following an account deletion request. During this period, your account will be deactivated and inaccessible. After that time, your information will continue to be stored in our backups and will be deleted as part of our ongoing data retention and deletion processes in accordance with our Data Retention Policy.
You may also request the deletion of specific data without deleting your entire account, including:
- data from a specific connected third-party account (which you may delete by disconnecting the account and choosing to delete stored data);
- specific Client contact records;
- specific communication threads.
Vendors who have connected Meta-owned services (Facebook, Instagram) may also initiate data deletion via the data deletion request mechanism published on our Platform, in accordance with Meta’s Platform Terms.
To make such a request, please contact us at support@zestapp.com.au.
Access and management
You may request access to any personal information that we hold about you at any time by contacting us at support@zestapp.com.au. We will provide access to that information in accordance with the Privacy Act, subject to any exemptions that may apply. We may charge an administration fee in limited circumstances, but we will let you know in advance if that is the case.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request us to amend it by contacting us at support@zestapp.com.au. Where we agree that the information needs to be corrected, we will update it. If we do not agree, you can request that we make a record of your correction request with the relevant information.
You can also ask us to notify any third parties to whom we provided incorrect information about the correction. We’ll try and help where we can — if we can’t, then we’ll let you know.
Data retention
Generally, we will retain your personal information for the period necessary for the purposes for which your personal information was collected (as outlined in this Privacy Policy) unless a longer retention period is required by law or if it is reasonably necessary for us to comply with our legal obligations, resolve a dispute or maintain security.
Communication data from connected third-party accounts is retained for as long as the relevant account remains connected and until the Vendor requests deletion. Financial records (invoices, payments, and transaction records) are retained for a minimum of seven (7) years following the end of the financial year in which the transaction occurred, in accordance with Australian tax law requirements.
When personal information is no longer required, we will take reasonable steps to delete the personal information from our systems or de-identify the personal information.
Direct marketing
We will only send you direct marketing communications (either through mail, SMS or email), including any news and exclusive offers, promotions, or events, where you have consented for us to do so.
You may opt-out of receiving direct marketing communications at any time by contacting us or by using opt-out facilities provided in the direct marketing communications.
We do not use data obtained from connected third-party accounts (as described in the “Connected third-party accounts and communication channels” section) for direct marketing purposes.
Cross-border disclosures
We may disclose your personal information to third party recipients located outside of Australia in order to provide our Platform, products and services to you. Our primary data processing and storage occurs on servers located in Australia and the United States (via Amazon Web Services).
You consent to us transferring your personal information to such recipients in the knowledge that if your personal information is mishandled in an overseas jurisdiction, we disclaim responsibility and you will not have a remedy under the Privacy Act.
Data from connected third-party accounts may be processed by the relevant platform provider (Google, Microsoft, or Meta) in accordance with their own privacy policies and terms of service.
How do we protect your personal information?
When transmitting personal information from your computer to the Platform, you must keep in mind that the transmission of information over the Internet is not always completely secure or error-free. Accordingly, you transmit your personal information to us online at your own risk and are encouraged to exercise care when sending personal information via the internet. Please notify us immediately if you know or reasonably suspect that your personal information has been subject to any data breach, breach of security or other unauthorised activity.
Our Platform may use “cookies” or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but if you do so, you may not be able to fully experience the interactive features of our Platform.
We may hold your personal information in either electronic or hard copy. We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal information.
Our security measures include:
- encryption of data at rest and in transit (TLS/HTTPS);
- secure authentication via Amazon Cognito;
- encrypted storage of third-party access tokens using industry-standard encryption;
- role-based access controls ensuring that Vendor data is only accessible to the Vendor who owns it;
- regular security reviews and monitoring.
Personally identifiable information is stored on highly secure third-party cloud services. Our website and mobile application transfer data over HTTPS to protect data during transit.
However, we cannot guarantee the security of any personal information transmitted over the internet and therefore you disclose information to us at your own risk. We will not be liable for any unauthorised access, modification or disclosure, or misuse of your personal information.
Contact information
If you require further information regarding our Privacy Policy or wish to make a privacy complaint, please contact us at:
Privacy Officer: Jordan Cohen
Email: support@zestapp.com.au
Phone: 0404 233 363
Post: Level 39, 55 Collins Street, Melbourne, VIC 3000
If you are not satisfied with our response to your privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at:
Office of the Australian Information Commissioner
Email: enquiries@oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218 Sydney NSW 2001
Website: www.oaic.gov.au
Miscellaneous
We reserve the right to modify this Privacy Policy in whole or in part from time to time without notice and amendments will be effective immediately upon posting of the amended Privacy Policy on our Platform. You are responsible for reviewing this Privacy Policy periodically and informing yourself of any changes. We suggest that you check back regularly. If we make significant changes to our Privacy Policy, we will seek to inform you by notice on our website or by email.
Dated: 23 April 2026
This Privacy Policy was last updated on 23 April 2026.