How we handle your information

Our Mate is an Australian directory of aged care, NDIS, retirement living, and community services. This Privacy Policy covers personal information collected through ourmate.com.au and any subdomain.

For privacy questions, email privacy@ourmate.com.au. For general support, support@ourmate.com.au.

We collect only what we need to run the directory and respond to you. The categories below cover everything; we do not buy data about you from data brokers, and we do not link your activity to an advertising ID.

• Account information. Your email address when you sign in to claim a listing or post a help request. We use magic links rather than passwords; no password is ever set or stored.
• Listing-claim evidence. When you claim a listing as the owner, we capture the evidence you submit (work email, ABN, register identifier) and the timestamps of each verification step. Used only to confirm ownership.
• Messages and help requests. The contents of messages you send to a listing owner, and the text of any help request you post. Help-request descriptions are stripped of identifying detail before publication; the original text is kept for moderation and abuse handling.
• Page-view pings. For each visit to a listing, we record an anonymous session identifier and a hour-bucketed timestamp so the listing owner can see how many people viewed their page. No tracking across listings, no advertising identifier.
• Anti-abuse fingerprints. When you submit a form (help request, contact message), we record a one-way hash of your IP address and a truncated user-agent string for 30 days. These are never displayed to listing owners; they are used only to investigate spam and protect the service.
• Payment information. Listing-owner subscriptions are processed by Stripe. We never see or store your card details. Stripe shares the last four digits, brand, and expiry with us so we can render a billing summary in your account.

We do not run advertising cookies. We do not use behavioural ad targeting. The cookies we DO set are:

• wm_analytics_sid (first-party): an anonymous session id used to dedupe rapid-refresh listing views in the owner analytics counter. Set when you land on any listing page.
• Better Auth session cookie (first-party): set after you sign in. Lets you stay signed in across pages without re-entering your email. Cleared when you sign out or after 30 days of inactivity.
• Google Analytics 4 cookies(third-party, typically _ga, _ga_*): set by Google’s gtag script to measure how visitors find and move through the site, so we can prioritise the pages and features people actually use. Aggregated, not used for advertising. Google’s own cookies policy has the full list. You can opt out of Google Analytics site-wide via the official browser opt-out add-on.
• wm_cookie_banner_dismissed_v1: a localStorage item (not a cookie strictly speaking) that records you’ve seen the cookie banner so we don’t show it again on the next visit.

We use a small set of trusted suppliers to host, send email, take payments, and prevent spam. They process your data on our behalf, under contract, and only for the purposes described here.

• Vercel— hosts the website. Sees your IP address and request headers to serve pages. Edge logs retained for up to 30 days for operations and abuse handling.
• Supabase— hosts the database (located in the Sydney AWS region) and uploaded photos. All listing, claim, message, and account data lives here.
• Resend— delivers transactional emails (sign-in magic links, claim verification, contact-form forwards, moderation notifications). Sees your email address and the message content.
• Stripe— processes listing-owner subscription payments. Subject to Stripe’s own privacy policy.
• Google Analytics 4— measures site-wide visitor traffic (which pages get viewed, where visitors arrive from, which devices they use). Aggregated reporting only; we do not use the data for advertising or remarketing. Data lives in Google’s infrastructure under Google’s privacy terms. You can opt out via the official browser opt-out add-on.
• Vercel Analytics + Speed Insights— first-party traffic counts and Core Web Vitals collected at the edge. Anonymised; no cross-site tracking, no advertising identifiers.
• Google reCAPTCHA(where enabled on contact forms) — helps us tell humans from bots. reCAPTCHA reads cookies set by your Google account if you have one. The contact form will work without it but the message may be queued for manual review.
• OpenStreetMap (map tiles) and cron-job.org (scheduled tasks) round out the infrastructure. Neither receives personal data about you.

• To run the directory: show listings, route messages between visitors and providers, process subscriptions, deliver email.
• To verify listing ownership against official Australian registers (My Aged Care, NDIS Commission, Australian Business Register).
• To moderate help requests and reported listings, including investigating spam or abuse.
• To improve the service: aggregated, de-identified counts of page views, search queries, and dropped funnels.
• To meet legal obligations under the Privacy Act 1988, the Australian Consumer Law, and tax and corporate record-keeping rules.

We do not sell your personal information. We do not share it with marketers. We do not use your behaviour to train third-party AI models.

Under the Australian Privacy Act, you can:

• Request a copy of the personal information we hold about you. Email privacy@ourmate.com.au; we respond within 30 days.
• Correct anything inaccurate. For listing data, the simplest path is to claim the listing and edit it directly.
• Delete your account. Email the privacy address above; we remove your personal account data within 30 days. Some records (audit logs, moderation history) are retained where required by law or for fraud prevention; they are not displayed and not linked to you.
• Complain. If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au.

The service is intended for Australian adults, primarily family members researching care for an older relative. We do not knowingly collect personal information from anyone under 16. If you believe we have, contact us and we will delete it.

We update this page when our practices change. The “last updated” date at the top of the page reflects the most recent change. Material changes will be flagged in a notice on the homepage for at least 14 days.