Privacy Policy for Deal Once

Effective Date: 2 December 2025
Last Updated: 31 May 2026

Deal Once is a trading name of NENO GROUP PTY LTD AS TRUSTEE FOR TANEJA & SONS FAMILY TRUST
ACN: 671 083 711

Deal Once ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

1. Information We Collect

1.1 Personal Information

When you create an account and use Deal Once, we collect:

• Account Information: Name, email address, phone number, profile photo
• Country and Currency Preferences: Your country of residence and preferred currency, used to determine applicable payment methods, supported Stripe features, and regulatory requirements
• Location Data: Your approximate location to show nearby services and listings
• Photos and Media: Images you upload for listings, profile pictures, and verification. If you choose to use our optional AI feature when creating listings, job requests, or rental listings, photos you submit for that purpose are processed to generate suggested details and price recommendations
• Payment Information: Payment details are securely processed through Stripe (we do not store your full payment card details). Seller payout account details are held by Stripe Express where available in your country
• Verification Data (optional): If you choose to use our identity or business verification features, government-issued ID documents, a biometric facial scan, and/or business registration documents are collected and processed by Didit, our verification provider. Your verification status badges (Verified ID, Verified Business, Verified ABN) are stored in your profile. Verified ABN is available to Australian users only and is verified against the Australian Business Register (ASIC/ABR)
• Communications: Messages you send through the app's messaging system

1.2 Automatically Collected Information

• Device Information: Device type, operating system, unique device identifiers
• Usage Data: Features you use, pages you view, time spent on the app
• Log Data: IP address, crash reports, performance data
• Advertising Identifiers (Android Only): On Android devices, Google AdMob may access a device advertising identifier solely for ad delivery. This identifier is not used for tracking, personalization, or building user profiles. iOS devices do not provide advertising identifiers to our app.

2. How We Use Your Information

We use the collected information for:

• Service Delivery: To provide, maintain, and improve Deal Once services
• Matching: To connect service providers with job requesters based on location and preferences
• Communication: To send notifications about offers, messages, job updates, and app announcements
• Payments: To process secure payments and verify transactions
• Safety: To verify identities, prevent fraud, and ensure user safety
• AI-Powered Listings (optional): When you optionally use AI assistance on the create listing, job request, or rental listing pages, to process photos and generate suggested descriptions and price ranges
• Analytics: To understand how users interact with the app and improve functionality
• Advertising: To display non-personalized contextual ads through Google AdMob

3. Permissions We Request

Camera Permission

We request camera access to allow you to:

• Take photos for your profile picture
• Capture images of items or services you're listing
• Upload verification photos for completed jobs

You can deny camera permission and still use the app by selecting photos from your gallery.

Location Permission

We request location access to:

• Show you nearby services and listings
• Help service providers find jobs in their area
• Improve search results based on proximity

Location data is approximate and used only to enhance your experience.

Precise Location (GPS Coordinates)

During transaction verification, we collect precise GPS coordinates of both parties when entering the verification code:

• For product sales: Precise location of both buyer and seller
• For service transactions: Precise location of both service provider and customer

This location data is used to:

• Verify that both parties are at the agreed location
• Prevent fraud and unauthorized transactions
• Resolve disputes about product delivery or service completion
• Ensure platform safety and security

Location data is only collected during the verification process and is stored securely for dispute resolution purposes.

Photo Library/Storage Permission

We request access to your photo library to allow you to select existing photos for your profile and listings.

Notification Permission

We request permission to send you push notifications about:

• New offers on your job requests
• Acceptance or rejection of your offers
• Messages from other users
• Job completion reminders
• Payment confirmations

4. How We Share Your Information

With Other Users

When you create a listing or make an offer, certain information becomes visible to other users:

• Your name and profile photo
• Listings you create
• Offers you make
• Messages you send

With Service Providers (Sub-processors)

• Supabase: Database, authentication, and serverless function hosting. Data stored in Singapore (ap-southeast-1)
• Stripe: Secure payment processing, payment method storage, verification fee collection (PCI-DSS compliant), and Stripe Express payout accounts for sellers in 45 supported countries. Data processed in the United States
• Didit: Identity and business verification — processes government-issued ID documents and biometric facial data when you optionally use the Verified ID or Verified Business features. Didit acts as an independent data processor for verification sessions. Based in the EU/EEA (Estonia)
• Cloudflare Images: Storage and global delivery of listing photos and profile images (served via imagedelivery.net)
• Cloudflare Stream: Storage and global delivery of listing videos. Data processed by Cloudflare in the United States with global CDN distribution
• ASIC / Australian Business Register (ABR) — Australia only: ABN verification via the Australian Business Register API. Only queried when an Australian user initiates a Verified ABN check
• Google Gemini (Google AI Studio): When you use the optional AI feature, listing images are processed by Google Gemini to generate suggested descriptions and price recommendations. Data processed by Google in the United States
• Google AdMob: Non-personalized contextual advertising services
• Expo (Push Notification Service): Push notification delivery via Expo's Push API (exp.host), which relays notifications to Apple APNs (iOS) and Google FCM (Android). Location data is collected directly from your device's native GPS and is not processed by Expo's servers.

Legal Requirements

We may disclose your information if required by law, court order, or to:

• Comply with legal obligations
• Protect our rights and property
• Prevent fraud or illegal activities
• Protect the safety of users

5. Data Security

We implement industry-standard security measures to protect your information:

• Data encryption in transit (HTTPS/TLS)
• Data encryption at rest
• Secure authentication through Supabase
• PCI-compliant payment processing through Stripe
• Regular security audits and updates

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as:

• Your account is active
• Needed to provide you services
• Required by law or for legitimate business purposes

When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law.

7. Your Rights and Choices

Access and Control

You have the right to:

• Access: Request a copy of your personal information
• Update: Edit your profile and account information in the app
• Delete: Request deletion of your account and associated data
• Opt-Out: Disable push notifications in your device settings
• Restrict: Limit how we process your information

How to Exercise Your Rights

To exercise any of these rights, contact us at the email address below. We will respond within 30 days.

8. Children's Privacy

Deal Once is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we discover that a child has provided us with personal information, we will delete it immediately.

• United States (COPPA): We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with information, please contact us at support@dealonce.com and we will delete it promptly
• European Economic Area (GDPR Article 8): We do not knowingly collect personal information from children under 16 (or the lower age of digital consent applicable in their EU member state). Parental or guardian consent is required for users under this age
• All other jurisdictions: We do not knowingly collect personal information from anyone under 18

If you are a parent or guardian and believe your child has used Deal Once, please contact us immediately. For child-privacy concerns, include "Child Privacy" in your email subject line to support@dealonce.com.

9. Advertising and Privacy

What Data AdMob Collects

AdMob may collect minimal technical information to serve ads:

• Device type and operating system
• IP address (for general location, not precise tracking)
• App usage (which screens show ads)
• Device advertising identifier (Android only - not used for tracking or creating user profiles)

Non-Personalized Ads

We use non-personalized advertising, which means:

• ✅ Ads are based on app content, not your behavior
• ✅ We do not track you across other apps or websites
• ✅ We do not build a profile of your interests
• ✅ We do not share your personal data with advertisers
• ✅ No cross-app or cross-site tracking occurs

App Tracking Transparency (iOS)

We do not use App Tracking Transparency (ATT) or any tracking frameworks. Since we only serve non-personalized contextual ads, user tracking is not necessary. This means:

• You will not see a tracking permission dialog
• No tracking occurs across other companies' apps or websites
• Ads are contextual and privacy-friendly
• No personal data is shared for advertising purposes

SKAdNetwork (iOS)

We use Apple's SKAdNetwork framework for privacy-preserving ad attribution on iOS. This allows ad networks to measure ad effectiveness without tracking individual users or compromising your privacy.

Your Advertising Choices

While we don't use personalized advertising, you can still manage advertising preferences on your device:

• Android: Settings → Google → Ads → Reset advertising ID
• iOS: Settings → Privacy & Security → Tracking (to see app tracking status)

Learn more about Google's advertising practices: Google Ads Policy

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. The table below identifies where each sub-processor is located and the safeguard used for transfers from the EEA/UK:

Sub-processor	Country	Transfer mechanism (EEA/UK users)
Supabase	Singapore	Standard Contractual Clauses (SCCs)
Stripe	United States	SCCs (Stripe's DPA)
Didit	EU/EEA (Estonia)	Within EEA — no transfer mechanism required; adequacy applies for AU/UK transfers
Cloudflare (Images & Stream)	United States (global CDN)	SCCs (Cloudflare's DPA)
Google (Gemini + AdMob)	United States	SCCs (Google's DPA)
ASIC / ABR	Australia	Australia only — no cross-border transfer

Where we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or their UK equivalent (IDTA/addendum), we ensure the sub-processor is bound by the same obligations regarding your personal data. You may request a copy of the relevant transfer mechanism by contacting us at support@dealonce.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes (changes that affect how we use or share your data, or that add new categories of data collection), we will give you at least 30 days' advance notice (or such longer period as required by applicable law in your jurisdiction) by:

• Sending you a push notification or in-app notice
• Posting the updated Privacy Policy on our website
• Updating the "Last Updated" date at the top of this policy

If you do not accept a material change, you should stop using Deal Once before the change takes effect. Your continued use of Deal Once after the effective date of a change constitutes acceptance of the updated policy. For non-material changes (such as clarifications or corrections), we will update the "Last Updated" date without advance notice.

12. Third-Party Links

The app may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA, effective 1 January 2023):

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, and how it is used and shared
• Right to delete: Request deletion of your personal information, subject to certain exceptions
• Right to correct: Request correction of inaccurate personal information we hold about you
• Right to opt-out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising
• Right to limit use of sensitive personal information: Where we process sensitive personal information (such as government ID or biometric data for optional identity verification), you may request that we limit its use to what is necessary to perform the services you requested
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights

To exercise your CCPA/CPRA rights, contact us at support@dealonce.com with "California Privacy Request" in the subject line. We will respond within 45 days (extendable once by a further 45 days with notice).

14. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). As controller of your personal data, Deal Once processes data on the following legal bases under Article 6 GDPR:

• Contract (Art. 6(1)(b)): Account creation, listing management, payments, messaging, and verification — processing necessary to perform or prepare a contract with you
• Legitimate interests (Art. 6(1)(f)): Fraud prevention, security, analytics, and non-personalised advertising — where our interests are not overridden by your rights
• Legal obligation (Art. 6(1)(c)): Retaining records required by applicable law
• Consent (Art. 6(1)(a)): Optional features such as AI listing analysis. You can withdraw consent at any time without affecting prior processing

For biometric data processed for optional identity verification (Didit), we rely on your explicit consent under Article 9(2)(a) GDPR. You may withdraw this consent at any time by contacting us.

Your GDPR Rights

• Right of access — obtain a copy of your personal data
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object — including to processing based on legitimate interests
• Right to withdraw consent at any time without affecting prior processing
• Right to lodge a complaint with your national data protection authority (supervisory authority)

To exercise your GDPR rights, contact us at support@dealonce.com with "GDPR Request" in the subject line. We respond within 30 days (extendable by two further months for complex requests).

Automated Processing and Profiling

Some Deal Once features use automated processing. When you use the optional AI listing tool, images are processed by Google Gemini to generate suggested titles, descriptions, and price ranges — this does not produce legal or similarly significant effects and is not subject to Article 22 GDPR. Fraud-signal analysis may use algorithmic checks on transaction patterns; where this produces significant effects you have the right to request human review, express your point of view, and contest the decision by contacting us at support@dealonce.com.

14A. United Kingdom Privacy Rights (UK GDPR)

If you are in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) apply. Your rights mirror those set out in §14 above. The UK's supervisory authority is the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

Transfers of your data from the UK to our sub-processors in third countries use the UK's International Data Transfer Agreement (IDTA) or an addendum to EU SCCs, as applicable. Australia holds an adequacy decision from the UK for the purposes of transfers to ASIC/ABR.

15. Australian Privacy Rights (Privacy Act 1988)

If you are an Australian resident, Deal Once complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

Your Rights Under Australian Privacy Law

• Access: You have the right to request access to the personal information we hold about you
• Correction: You can request correction of inaccurate, out-of-date, incomplete, or misleading personal information
• Complaints: You can lodge a complaint about our handling of your personal information
• Overseas Disclosure: We may disclose your personal information to overseas recipients (Supabase servers in Singapore, Stripe payment processing). By using our service, you consent to this disclosure

Collection and Use of Personal Information

We collect and use your personal information in accordance with the APPs:

• APP 3 - Collection: We only collect information that is reasonably necessary for our business functions
• APP 5 - Notification: We notify you about how we collect, use, and disclose your information through this Privacy Policy
• APP 6 - Use or Disclosure: We only use or disclose your information for the primary purpose of providing Deal Once services, or for related secondary purposes you would reasonably expect
• APP 8 - Cross-border Disclosure: Your information may be stored on servers located in Singapore (Supabase), processed in the United States (Stripe for payments, Cloudflare for media storage, Google Gemini for optional AI features, Google AdMob for advertising, Expo for push notifications), and processed within the EU/EEA (Didit for optional identity and business verification). We take reasonable steps to ensure overseas recipients comply with Australian privacy standards
• APP 11 - Security: We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorized access, modification, or disclosure

Making a Privacy Complaint

If you have a complaint about how we handle your personal information:

1. Contact us at support@dealonce.com with details of your complaint
2. We will acknowledge your complaint within 7 days
3. We will investigate and respond within 30 days
4. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
   • Website: www.oaic.gov.au
   • Phone: 1300 363 992
   • Email: enquiries@oaic.gov.au

Data Retention in Australia

We retain your personal information for as long as necessary to provide our services and comply with Australian legal obligations. When we no longer need your information, we will take reasonable steps to destroy or de-identify it.

16. New Zealand Privacy Rights (Privacy Act 2020)

If you access Deal Once from New Zealand, the Privacy Act 2020 applies. Deal Once acts as an agency under that Act. You have the right to:

• Access personal information we hold about you
• Request correction of that information
• Make a complaint about how we handle your personal information

We collect your information only for the purposes described in this policy and handle it in accordance with the Privacy Act 2020's Information Privacy Principles. If you have a complaint about our privacy practices, contact us at support@dealonce.com. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner:

• Website: privacy.org.nz
• Phone: 0800 803 909

17. Canadian Privacy Rights (PIPEDA / Quebec Law 25)

If you access Deal Once from Canada, your privacy rights are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of Quebec, by Law 25 (Act Respecting the Protection of Personal Information in the Private Sector, as amended 2022):

• Right of access: Request access to the personal information we hold about you
• Right to correction: Request correction of inaccurate personal information
• Right to withdraw consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
• Right to portability (Quebec): Request that personal information be communicated to you or to another organisation in a technology-neutral structured format
• Right to de-indexation (Quebec): Request that hyperlinks to personal information be de-indexed where its dissemination causes serious injury

To exercise your rights, contact us at support@dealonce.com with "Canadian Privacy Request" in the subject line. We respond within 30 days. If not satisfied, you may contact the Office of the Privacy Commissioner of Canada:

• Website: priv.gc.ca
• Phone: 1-800-282-1376

Quebec residents may also contact the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

18. US State Privacy Rights (Beyond California)

In addition to California rights (§13), residents of the following US states have rights under their respective state privacy laws. In each case you have, at minimum: the right to know/access; the right to delete; the right to correct; the right to opt out of sale or sharing; and the right to appeal a decision about your request.

• Virginia — Consumer Data Protection Act (VCDPA)
• Colorado — Colorado Privacy Act (CPA)
• Connecticut — Connecticut Data Privacy Act (CTDPA)
• Utah — Utah Consumer Privacy Act (UCPA)
• Texas — Texas Data Privacy and Security Act (TDPSA)
• Oregon — Oregon Consumer Privacy Act (OCPA)
• Montana — Montana Consumer Data Privacy Act (MCDPA)

We do not sell personal information and do not process personal data for targeted advertising. To exercise your rights under any of the above laws, contact us at support@dealonce.com with "US State Privacy Request — [your state]" in the subject line. We respond within 45 days (extendable by a further 45 days with notice). To appeal a decision, reply to our response email with "Appeal" in the subject line.

19. Indian Privacy Rights (DPDP Act) & Grievance Officer

If you access Deal Once from India, the Digital Personal Data Protection Act, 2023 (DPDP Act) may apply to digital personal data we process there. Where it applies, Deal Once acts as a Data Fiduciary and you may have rights, subject to conditions in Indian law and delegated rules, to:

• access information about the personal data we process about you;
• correct or erase your personal data where applicable;
• nominate another person to exercise your rights in the event of your death or incapacity;
• grievance redressal in respect of any act or omission by us regarding your personal data;
• withdraw any consent you have previously given.

You may escalate complaints to the Data Protection Board of India when its operational procedures permit.

Grievance Officer (India)

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023, the following Grievance Officer is designated for users in India:

• Name: Amit Taneja
• Designation: Grievance Officer, NENO GROUP PTY LTD (ACN 671 083 711)
• Email: support@dealonce.com (please include "Grievance" in the subject line)
• Office hours: Mon–Fri, 9am–5pm AEST (excluding Australian public holidays)

We acknowledge grievances within 24 hours and aim to resolve them within 15 days of receipt. Complaints relating to content that exposes the private area of an individual, depicts such individual in any sexual act or conduct, or is in the nature of impersonation in an electronic form (including artificially morphed images), will be acted upon as expeditiously as possible and resolved within 72 hours, in line with Rule 3(2) of the IT Rules 2021.

---

© 2026 Deal Once. All rights reserved.