Legal
Last updated: 24 April 2026
Plain-English operating policy. This policy is written and maintained by Arvocado’s operator, not by a law firm. It describes how Arvocado actually handles personal information today and is the operating basis on which we run the service. It is provided as information, not legal advice. If you need a legal opinion on how Australian privacy law applies to your circumstances, consult a qualified Australian solicitor.
Arvocado is built to respect the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We collect the minimum personal information needed to help you find a property, we do not sell it, and we do not use it for third-party advertising or profiling.
Arvocado is operated by Aapo Foundation Pty Ltd from Melbourne, Australia. Contact for privacy matters: hello@arvocado.com.au.
Account information. When you sign in with a magic link, we collect your email address, an optional display name, and your Arvocado preferences (saved listings, saved searches, tags, notes, personality quiz results, notification channel choice).
Activity info. When you view a listing, we increment a server-side counter and keep a short list of your recently viewed listings in your browser’s localStorage so the home page can surface them back to you. The localStorage list never leaves your device unless you explicitly share it.
Enquiry content. If you send an enquiry to an agent, the name, email, phone and message you submit are passed to that agent and stored so they can reply to you.
Push subscriptions. If you opt in to Web Push notifications we store your browser’s push endpoint and encryption keys. You can switch it off any time from /profile.
Payment data. Donations are processed by Stripe. We never receive or store full card numbers. We retain only the transaction metadata Stripe returns (customer reference, amount, currency, timestamp).
Technical logs. Our hosting provider (Vercel) and database provider (Supabase) log request metadata (IP, timestamp, path) for security and debugging. These logs are retained per each provider’s default policy.
Analytics. No third-party analytics. No Google Analytics, no Meta Pixel, no Hotjar, no advertising identifiers. We do not build advertising profiles on you.
We do not sell personal information, use it for third-party advertising, participate in ad-targeting exchanges, or share it with data brokers.
We disclose information only to the service providers who help us run the app, and only to the extent needed:
Some of these providers are located outside Australia or route traffic through US infrastructure. Under APP 8 we take reasonable steps to ensure overseas recipients handle your data consistently with the Australian Privacy Principles, relying on their contractual commitments and their own privacy programmes.
Listings on Arvocado are provided by real estate agents. We don’t independently verify property details, photos, prices, or inspection times. If you believe a listing contains inaccurate personal information about you (e.g. you’re the vendor and something’s wrong) contact hello@arvocado.com.au and we will investigate. Agents subject to the Estate Agents Act 1980 (Vic) and equivalent state legislation remain the primary source of truth for their listings.
Arvocado uses the minimum set of cookies required to run the service: a Supabase session cookie for sign-in, and first-party preference keys in localStorage (recently viewed listings, explore filter state, push opt-in state). No third-party tracking cookies. No advertising identifiers.
If you’re signed in and have opted in, we may email you when: (a) a saved listing changes (price, inspection time, new photos, status); (b) new listings match a saved search; (c) a saved coming-soon listing goes live; (d) your compatibility partner saves a listing. Every email has an unsubscribe link. Alert delivery (email, push, both, or off) is controlled from /profile.
Account data is kept while your account is active. When you close your account (email hello@arvocado.com.au), the account is deleted from Supabase authentication and cascading data (saves, tags, notes, searches, push subscriptions, compatibility pairs) is removed. Enquiries you sent to agents remain in the agent’s inbox. We can’t retract those. Stripe retains transaction records independently for its own legal and tax obligations.
Under the Privacy Act 1988 (Cth) you can:
Email hello@arvocado.com.au and we will respond within 30 days. If you’re not satisfied with our response, you can contact the Office of the Australian Information Commissioner.
All traffic is HTTPS. Sessions use httpOnly cookies. Sign-in is password-less (magic-link JWT) so there’s no password for us to lose. Row-level security is enforced at the database layer so one user can’t read another user’s private rows. Access to the production service-role key is restricted to deployment secrets. No system is unbreakable; use a secure email account and keep your device locked.
Arvocado is aimed at adults making property decisions. We don’t knowingly collect personal information from anyone under 18. If you believe an under-18 has created an account, email hello@arvocado.com.au and we’ll remove it.
We may update this policy as the service evolves or as Australian privacy law changes. Material changes will be noted on this page and, for signed-in users, notified by email. Continued use after an update constitutes acceptance of the revised policy.
Privacy questions or requests: hello@arvocado.com.au. See also our Terms of Service.