Privacy Policy

Savvy Investments Co Pty Ltd (ABN 50 698 325 334) · surprisebonus.com · NSW governing law

Last updated: 7 June 2026

Privacy enquiries: privacy@surprisebonus.com · General enquiries: hello@surprisebonus.com

1. Introduction

1.1 Savvy Investments Co Pty Ltd ABN 50 698 325 334 ("we", "us", "our") operates SurpriseBonus at surprisebonus.com. We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs").

1.2 This Privacy Policy explains what personal information we collect, why we collect it, how we use and store it, who we share it with, and your rights in relation to it.

1.3 By using SurpriseBonus, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree, please do not use the Service.

1.4 References to "the Service" have the same meaning as in our Terms of Service.

2. What Personal Information We Collect

2.1 We collect the following categories of personal information to operate the Service:

Category | Examples
Identity | Name, date of birth, age
Contact | Email address, phone number
Financial / income | Employment status, income range, household income, Centrelink or government payment status
Family and household | Family composition, relationship status, number and ages of dependants
Employment | Employment type, employer type, industry, work hours
Health and disability | Disability status, chronic health conditions, carer status (where you voluntarily provide this to improve eligibility matching)
Location | State or territory of residence, postcode
Technical | IP address, browser type, device identifiers, usage data, cookies
Account | Username, password (hashed), account activity
Competition submissions | Taglines or other content you submit in competitions

2.2 Sensitive information. Some of the information listed above — specifically health, disability, and carer status — is "sensitive information" under the Privacy Act. We only collect sensitive information where you voluntarily provide it for the purpose of improving the accuracy of your eligibility match Results. You may choose not to provide sensitive information; this may affect the completeness of your Results but will not prevent you from using the Service.

2.3 We collect personal information directly from you when you register, use the interview or intake process, purchase access to Results, or participate in competitions or surveys.

3. Why We Collect Your Personal Information — Purpose of Collection

3.1 We collect and use your personal information for the following purposes:

  • (a) Eligibility matching: to process your information through our AI model and generate personalised eligibility match Results for government programs, entitlements, benefits, and grants;
  • (b) Account management: to create and manage your account and authenticate your access;
  • (c) Service delivery: to deliver your Results, notifications, and paid content;
  • (d) Improving the Service: to analyse aggregate usage patterns and improve the accuracy and coverage of our matching model (where data is de-identified or aggregated where practicable);
  • (e) Customer support: to respond to queries and resolve complaints;
  • (f) Legal compliance: to comply with our obligations under applicable laws, including the Privacy Act and Notifiable Data Breaches scheme;
  • (g) Competition administration: to administer competitions and notify winners;
  • (h) Communications: to send you transactional and service-related communications.

3.2 We do not use your personal information to send you third-party marketing. We do not sell your personal information to third parties. We do not share your personal information with third parties for their marketing purposes.

4. How We Process Your Information — AI and Automated Processing

4.1 The Service uses artificial intelligence and fully automated processing to generate eligibility match Results. When you provide your information through the intake process, it is processed by our AI model without individual human review. No person at SurpriseBonus reviews your specific information to generate your individual Results.

4.2 This automated processing constitutes automated decision-making for the purposes of the Privacy Act and, from 10 December 2026, the Privacy Act as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth) ("Tranche 2 Amendments"). See clause 11 for our Tranche 2 automated decision-making transparency obligations.

4.3 Results produced by automated processing may be inaccurate, incomplete, or based on outdated information. Automated processing cannot account for all individual circumstances. Results are information only and are not a formal eligibility determination.

4.4 You have the right to request human review of automated processing that significantly affects you. To make such a request, contact us at hello@surprisebonus.com. We will acknowledge your request within 5 business days and advise you of the review process and timeframe.

5. Storage and Security

5.1 Storage location. Your personal information is stored using Supabase, a cloud database provider. Supabase infrastructure used by SurpriseBonus is hosted in Singapore. By using the Service, you consent to your personal information being stored and processed in Singapore.

5.2 Cross-border disclosure. In addition to Supabase (Singapore), your personal information may be processed by the following categories of overseas recipients for the purpose of AI model operation and service delivery:

  • (a) AI model and large language model providers (which may be located in the United States or other countries);
  • (b) Cloud infrastructure and hosting providers.

Before disclosing your personal information to overseas recipients, we take reasonable steps, as required by APP 8, to ensure those recipients handle your information in accordance with the APPs or in a manner that provides comparable protections. By using the Service, you acknowledge and consent to these cross-border disclosures.

5.3 Security measures. We implement reasonable technical and organisational security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include encryption in transit and at rest, access controls, and regular security reviews.

5.4 Data retention. We retain your personal information for as long as necessary to provide the Service and meet our legal obligations. We apply the following retention periods:

  • (a) Account data: retained for the duration of your account and for 2 years following account closure or last activity, whichever is later;
  • (b) Results data: retained for 2 years following generation;
  • (c) Financial transaction records: retained for 7 years in accordance with taxation law requirements;
  • (d) Competition submissions: retained for 2 years following the relevant competition period;
  • (e) Legal hold: where required by law or for the resolution of a complaint or dispute, data may be retained beyond the above periods.

At the end of the applicable retention period, we will take reasonable steps to destroy or de-identify personal information in accordance with APP 11.2.

6. Cookies

6.1 The Service uses cookies and similar tracking technologies to operate the platform, maintain your session, and analyse aggregate usage.

6.2 We use the following categories of cookies:

  • (a) Strictly necessary cookies: required for the Service to function. These cannot be disabled without affecting your ability to use the Service;
  • (b) Analytics cookies: used to understand how users interact with the Service in aggregate. This data is de-identified where practicable;
  • (c) Functional cookies: used to remember your preferences and improve your experience.

6.3 We do not use cookies to track you across third-party websites for advertising purposes. We do not share cookie data with third-party advertisers.

6.4 You can manage cookie preferences through your browser settings. Disabling cookies may affect your ability to use certain features of the Service.

7. Third-Party Sharing

7.1 We do not sell your personal information.

7.2 We do not share your personal information with third parties for their marketing purposes.

7.3 We share your personal information only with:

  • (a) Service providers who assist us in operating the Service (including cloud storage, AI model providers, and payment processors), under contractual arrangements requiring them to protect your information;
  • (b) Professional advisers (lawyers, accountants) bound by confidentiality obligations, where necessary;
  • (c) Regulators and law enforcement, where required by law or in response to a valid legal process;
  • (d) Successors in business, in the event of a sale, merger, or restructure of our business — in which case we will notify you.

8. Your Rights Under the Australian Privacy Act

8.1 You have the following rights in relation to your personal information:

  • (a) Access: you may request access to the personal information we hold about you (APP 12);
  • (b) Correction: you may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);
  • (c) Complaint: you may make a complaint about our handling of your personal information (see clause 10);
  • (d) Anonymity: where practicable and lawful, you may use the Service without identifying yourself, but this will limit the Results we can generate for you (APP 2).

8.2 To exercise your rights, contact us at privacy@surprisebonus.com. We will acknowledge your request within 5 business days and respond within 30 days. We will not charge you for making an access or correction request.

9. Notifiable Data Breaches

9.1 We are bound by the Notifiable Data Breaches ("NDB") scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe an eligible data breach has occurred — that is, a breach involving your personal information that is likely to result in serious harm to you — we will:

  • (a) notify you directly by email or other practicable means; and
  • (b) notify the Office of the Australian Information Commissioner ("OAIC").

9.2 We will notify you as soon as practicable after we become aware of an eligible data breach, providing a description of the breach, the types of information involved, and the steps we recommend you take to protect yourself.

10. Complaints

10.1 If you have a concern about our handling of your personal information, please contact us first at privacy@surprisebonus.com. We will acknowledge your complaint within 5 business days and respond within 30 days.

10.2 If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au or by calling 1300 363 992.

11. Automated Decision-Making Transparency — Privacy Act Tranche 2 (from 10 December 2026)

11.1 From 10 December 2026, the Privacy Act as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth) introduces new transparency requirements for automated decision-making that significantly affects individuals.

11.2 SurpriseBonus uses automated processes — specifically AI-driven eligibility matching — to generate Results that identify programs you may potentially be eligible for. This constitutes automated decision-making. We are transparent about this use throughout our Terms of Service, at the point of Result delivery, and in this Policy.

11.3 From 10 December 2026, this Privacy Policy will include and we will maintain a current disclosure of:

  • (a) the types of personal information used in automated decision-making processes;
  • (b) the kinds of decisions made using automated processes;
  • (c) the fact that decisions are made without individual human review;
  • (d) your right to request human review or further information about automated processing that significantly affects you.

11.4 Right to request human review. If you believe an automated Result has significantly affected you and you wish to request human review, contact us at hello@surprisebonus.com. We will acknowledge within 5 business days and respond within 30 days. We note that because Results are information only and are not binding determinations, the scope of human review is limited to confirming whether the automated process was applied correctly.

12. Changes to This Policy

12.1 We may update this Policy from time to time. We will notify you of material changes by email or prominent notice on the platform. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

13. Contact

Savvy Investments Co Pty Ltd

ABN 50 698 325 334

Australia

Privacy enquiries: privacy@surprisebonus.com

General enquiries: hello@surprisebonus.com

Website: surprisebonus.com