Privacy Policy
Effective 17 July 2026 · Version 1.2.0
Effective date: 17 July 2026. Version 1.2.0.
Stallion Software Solutions PTY LTD (ABN 88 699 486 747) (“we”, “us”, “our”) is committed to protecting the privacy of individuals who access or use the Friday platform (the “Service”). This Privacy Policy describes how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”). By using the Service, you consent to the practices described in this policy.
1. Definitions and Interpretation
In this Privacy Policy, “personal information” has the meaning given in the Privacy Act. References to “you” and “your” mean the individual or entity accessing or using the Service. Headings are for convenience only and do not affect interpretation.
2. Kinds of Personal Information We Collect
We may collect the following categories of personal information:
- Account and identity information: name, email address, telephone number, business name, LMCT number, business address, and related contact and identification details provided during registration or account management.
- Authentication and security data: credential hashes (we do not store plain-text passwords) and session identifiers necessary for secure access to the Service.
- Vehicle data: vehicle details such as registration, make, model, VIN, and condition that you input into the Service in the course of your use.
- Seller and buyer details: when you record a transaction, we collect information about the individual or entity selling or buying the vehicle, including their full name, email address, phone number, home address, date of birth, and (for buyers) driver’s licence number. We also collect a client type and client number, fields required by Victoria’s vehicle registration and transfer paperwork (such as Form 4 / Notice of Disposal). Depending on the client type, the client number is itself a government-assigned identifier: for a Private client it is the individual’s driver’s licence number, for an LMCT client it is the dealer’s Licensed Motor Car Trader number, and for an ACN client it is the entity’s Australian Company Number. Because a Private client number is typically a driver’s licence number, we treat it as sensitive personal information and protect it accordingly — see Section 3 for exactly how this information is stored and protected.
- Usage and technical data: pages visited, features used, session duration, browser and device information, and similar data generated by your interaction with the Service.
- Communications and support data: information you provide when contacting our support team or when corresponding with us in relation to the Service.
3. How We Store and Protect Seller and Buyer Details
Seller and buyer details are among the most sensitive information the Service handles, so we apply extra protections to them specifically, on top of the general security measures described in our Security page. Each protection below is explained in plain language first, with the technical detail underneath for readers who want it.
Encrypted in transit
Any information sent between your browser and our servers travels through an encrypted tunnel, the same kind of protection banks use, so it can’t be read if intercepted along the way.
In technical terms: All traffic to and from the Service is encrypted using TLS (HTTPS).
Encrypted at rest, field by field
The most sensitive seller and buyer details — phone number, email address, date of birth, driver’s licence number, home address, and client number — are individually scrambled before they are ever saved to our database. Even someone with direct access to the database would see unreadable, scrambled text rather than the real value.
In technical terms: These fields are encrypted individually using AES-256-GCM authenticated encryption with a unique random initialisation vector per value. The decryption key is held only by the application layer, not the database.
Looking up a client number without exposing it
So that you can still search for a returning client by their client number, we keep a separate, one-way “fingerprint” of that number alongside the encrypted value. A search can match against the fingerprint, but the fingerprint can never be reversed back into the original number.
In technical terms: Client numbers are additionally hashed with HMAC-SHA256 into a dedicated lookup column. Search and match queries run against this hash; the plaintext value is never queried or indexed.
Passwords
Your account password is never stored in a form anyone, including us, could read.
In technical terms: Passwords are hashed using bcrypt; plain-text passwords are never stored.
Fields not listed above — such as names and vehicle identifiers — are stored in structured form and protected by encryption in transit, access controls, and the infrastructure-level safeguards described in our Security page, rather than by individual field-level encryption.
4. Collection and Holding of Personal Information
We collect personal information:
- Directly from you when you register for the Service, use its features, or communicate with us (including for support).
- Automatically through cookies, server logs, and similar technologies when you access the Service (see our Cookie Policy).
- From third parties where you use functionality that relies on external services (for example, PDF import from registration documents), to the extent permitted by law and our agreements with those parties.
Personal information is held in secure, access-controlled, cloud-hosted environments. Access is restricted to authorised personnel and systems on a need-to-know basis in accordance with our internal policies. See Section 3 for how seller and buyer details specifically are encrypted.
5. Purposes of Collection, Use, and Disclosure
We collect, use, and disclose personal information for the following purposes:
- To provide, maintain, secure, and improve the Service.
- To authenticate your identity and manage your account and access rights.
- To generate documents (including Form 4 and buyer/seller papers) as part of the Service.
- To send transactional and service-related communications (including password resets and account notifications).
- To respond to support requests and enquiries.
- To comply with legal and regulatory obligations, including record-keeping under the Motor Car Traders Act 1986 (Vic) and the Privacy Act.
- To detect, prevent, and address technical faults, security incidents, or misuse of the Service.
We do not sell personal information to third parties. We may disclose personal information to service providers who assist us in operating the Service (such as cloud hosting and email delivery), subject to contractual obligations that require them to protect your information in a manner consistent with this policy and applicable law.
6. Access and Correction
You have the right to request access to, and correction of, personal information we hold about you. You may update certain account information directly through the Service. For other access or correction requests, please contact us at support@fridaydealer.com. We will respond within a reasonable period and, where the Privacy Act requires, within 30 days. We may require verification of your identity before processing a request.
7. Complaints
If you consider that we have breached the APPs or mishandled your personal information, you may lodge a complaint by writing to us at support@fridaydealer.com. We will acknowledge your complaint within a reasonable period (ordinarily within 5 business days) and will seek to resolve it in accordance with our internal complaint-handling procedures, typically within 30 days. If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC).
8. Overseas Disclosure
Our service providers and infrastructure may be located in, or may process or store data in, the following jurisdictions:
- Australia — primary hosting and data storage.
- United States — certain cloud infrastructure and third-party services (including email delivery and image hosting).
Where we disclose personal information to recipients overseas, we take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs (other than APP 1) in relation to that information. If the countries in which our providers operate change, we will update this policy as soon as practicable after we become aware of the change.
9. Data Retention
We retain personal information for as long as your account is active and as necessary to provide the Service and comply with our legal obligations. Following account closure, we may retain data for a further period that we reasonably consider necessary for legal, regulatory, dispute resolution, or enforcement purposes. Data that is no longer required for any permitted purpose is securely deleted or de-identified.
10. Security
We take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure. For seller and buyer details specifically, see Section 3 above. For a description of our broader technical and organisational measures, see our Security page. In the event of an eligible data breach likely to result in serious harm, we will comply with our obligations under the Notifiable Data Breaches scheme in the Privacy Act, including assessing the breach and notifying affected individuals and the OAIC where required.
11. Changes to This Policy
We may amend this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice within the Service. Your continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy. We encourage you to review this page periodically. The date of last update is indicated at the top of this page.
12. Contact
For privacy-related enquiries or to exercise your rights under this policy, contact us at support@fridaydealer.com.
Stallion Software Solutions PTY LTD
Melbourne, Victoria 3000, Australia