Privacy Policy

Last updated: April 2026 · Effective immediately

Short version: We collect your email to run your account and send your API key. We use Stripe for payments — your card details never touch our servers. We do not log the address queries you make through the API. You can request deletion of your data at any time.

This Privacy Policy explains how DingoFind ("we", "us", "our") collects, uses, stores, and shares personal information when you use the DingoFind website and API (collectively, "the Service"). We are committed to handling your information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Who we are

DingoFind is an Australian address API service. Our primary contact for privacy matters is hello@dingofind.com.

2. What personal information we collect

Information	Why we collect it	When
Email address	Account creation, sending your API key, billing notifications, service alerts	At sign-up or checkout
Payment information	Billing. Processed entirely by Stripe — we never see or store card numbers, CVVs, or full card details	At checkout
Stripe customer & subscription IDs	Linking your account to your Stripe billing record so we can apply the correct tier and handle renewals	After successful payment
API request counts	Rate limiting and enforcing your daily quota. We count requests per key per day — we do not log the content of queries.	On each API call
IP address	Abuse detection, security, and server-side rate limiting. Stored transiently in memory; not written to persistent logs.	On each API call
Session token	Keeping you logged in to the dashboard. Stored as a hashed token in our database — not a tracking cookie.	On dashboard login

3. What we do NOT collect

The actual address strings you query through the API. We count requests; we do not log query content.
Browser fingerprints, device identifiers, or behavioural tracking data.
Cookies beyond the session token used for dashboard login. We do not use advertising, analytics, or third-party tracking cookies.
Your card number, CVV, or full payment details — these go directly to Stripe and never pass through our servers.

4. How we use your email address

We use your email address for the following purposes only:

Delivering your API key — sent once when your account is provisioned.
Transactional billing emails — subscription confirmations, renewal notices, payment failure alerts, and cancellation confirmations from Stripe.
Service alerts — critical notices such as planned maintenance, security incidents affecting your account, or upcoming deprecations.
Responding to your support requests — if you email us, we reply.

We do not send marketing emails, newsletters, or promotional content unless you explicitly opt in. We will never sell, rent, or share your email address with third parties for marketing purposes.

5. Third-party services

Service	Purpose	Data shared	Their privacy policy
Stripe	Payment processing and subscription management	Email address, payment details (collected directly by Stripe)	stripe.com/au/privacy
Email (SMTP)	Sending transactional emails (API key delivery, billing notices)	Your email address and the content of the transactional email	Per our configured SMTP provider
Oracle Cloud Infrastructure	Hosting — all infrastructure runs in OCI Melbourne (ap-melbourne-1)	All data resides on OCI servers in Australia. No data leaves Australian territory.	oracle.com/legal/privacy

We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, or any other third-party analytics or advertising service.

6. Data storage and retention

Account data (email, API key hash, tier, billing IDs): retained for the life of your account and deleted within 30 days of a verified deletion request.
Usage counts (requests per key per day): retained for 90 days for billing verification, then deleted.
Session tokens: expire after 30 days of inactivity and are purged automatically.
API key hashes: we store a SHA-256 hash of your API key, not the key itself. The raw key is shown to you once and never stored on our servers.
Server logs (nginx access logs): retained for 14 days for security and debugging, then rotated and deleted.

All data is stored on Australian infrastructure (Oracle Cloud, Melbourne region). We do not transfer personal data outside Australia.

7. Security

We implement the following technical measures to protect your information:

All communication encrypted in transit via TLS 1.2/1.3 (HTTPS enforced, HSTS preload).
API keys stored as SHA-256 hashes — the raw key is never persisted.
Passwords stored as Argon2 hashes.
Database access restricted to the application service user — no public database exposure.
Firewall (UFW) permits only ports 22, 80, and 443.
Payment processing delegated entirely to Stripe — no card data handled by our servers.

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your personal information, we will notify you by email and report to the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme.

8. Your rights

Under the Australian Privacy Act 1988, you have the right to:

Access the personal information we hold about you.
Correct inaccurate personal information.
Request deletion of your personal information (subject to legal and billing obligations).
Opt out of any marketing communications (we don't send any, but you can ask us to confirm).

To exercise any of these rights, email hello@dingofind.com with the subject line "Privacy Request" and your registered email address. We will respond within 30 days.

If you are not satisfied with our handling of your request, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9. Cookies and local storage

The DingoFind website uses a single item of browser local storage: df-theme, which stores your light/dark mode preference. This is a non-identifying preference only and is never sent to our servers.

The dashboard stores your session token in browser local storage to keep you logged in. This token is also stored (as a hash) in our database and expires after 30 days of inactivity.

We do not use advertising cookies, cross-site tracking cookies, or any third-party analytics cookies.

10. Children's privacy

The Service is intended for developers and businesses. We do not knowingly collect personal information from individuals under 18 years of age. If you believe a minor has provided us with personal information, contact us at hello@dingofind.com and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes — particularly changes that affect how we use your email address or what we share with third parties — we will notify you by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact

Privacy questions, access requests, or complaints:

Email: hello@dingofind.com
Subject line: Privacy Request
Response time: Within 30 days

DingoFind · Australian Address API · dingofind.com · Terms of Service