Privacy Policy
Last updated: June 2026
HILLTOPS APP PTY LTD (ACN 698 610 007)
Privacy at a Glance
Here is a plain-language summary of how Hilltops handles your data. For full details, read the complete policy below.
- We never sell your data. Your personal information is not sold to third parties.
- We never share your location without consent. Precise location is optional and always under your control.
- Your data is stored in Australia. Our primary database is hosted in Sydney (AWS ap-southeast-2) via Supabase.
- You can delete your account at any time. Your data is anonymised within 30 days of deletion.
- We use minimal tracking. The app uses PostHog for product analytics — events only, no session recording, hosted in the EU. Our website uses Google Analytics 4. See Section 7 for full details.
- No algorithmic profiling. Content is shown based on your location and filters you set, not automated profiling.
- You have rights over your data. Depending on your location, you may have additional rights under GDPR, PIPEDA, or CCPA. See Section 9 for details.
1. Introduction
Hilltops ("we", "our", "us") operates the Hilltops mobile application (the "App") and the website at hilltops.app (the "Website"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our App and Website.
We are committed to protecting your privacy and complying with applicable data protection laws, including:
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, for users in the United Kingdom
- The EU General Data Protection Regulation (GDPR), for users in the European Economic Area
- The Personal Information Protection and Electronic Documents Act (PIPEDA), for users in Canada
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), for users in California, United States
By using Hilltops, you consent to the practices described in this Privacy Policy. Where applicable law requires a different legal basis (such as legitimate interest or contractual necessity), we rely on that basis as described in the relevant sections below.
2. Information We Collect
2.1 Information You Provide
| Data Type | Purpose | Required |
|---|---|---|
| Phone Number | Account creation, verification, login | Yes |
| Email Address | Account recovery, important notifications | No |
| Name | Display on your profile, personalisation | Yes |
| Username | Unique identifier for your profile | Yes |
| Date of Birth | Age verification (18+ only), age-appropriate features | Yes |
| Gender | Profile display, room/post visibility preferences | Optional |
| Profile Photos | Identity, profile display | Optional |
| Bio | Profile personalisation | Optional |
| Interests | Event recommendations, connecting with like-minded users | Optional |
| City/Location | Show relevant local events and rooms | Yes |
2.2 Information Collected Automatically
| Data Type | Purpose |
|---|---|
| Device Information | App functionality, troubleshooting |
| Usage Data | Improve app features, analytics |
| Log Data | Security, debugging |
| Location Data | Show nearby events, rooms, and users (with your permission) |
2.3 Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Ticketmaster | Event data (public) | Display events in the App |
3. How We Use Your Information
We use your personal information to:
3.1 Provide the Service
- Create and manage your account
- Display your profile to other users
- Show relevant events and rooms based on your location and interests
- Enable messaging between users
- Process room memberships and RSVPs
3.2 Personalise Your Experience
- Show events and rooms based on your selected location and filters
- Show content relevant to your city
- Remember your preferences
3.3 Communicate With You
- Send verification codes
- Notify you about room updates, messages, and activity
- Send important service announcements
- Respond to your enquiries
3.4 Safety and Security
- Verify your identity and age (18+)
- Detect and prevent fraud, abuse, and policy violations
- Enforce our Terms of Service and Community Guidelines
- Respond to legal requests
3.5 Improve Our Service
- Analyse usage patterns
- Fix bugs and technical issues
- Develop new features
4. How We Share Your Information
4.1 With Other Users
When you use Hilltops, certain information is visible to other users:
| Information | Who Can See |
|---|---|
| Profile (name, username, photos, bio, interests) | Other Hilltops users |
| Room membership | Room members and hosts |
| Messages | Conversation participants only |
You control:
- Room visibility (Public or Private)
- Room audience filters (Women, Men, age range)
- Location reveal timing for rooms
- Discoverability in "Who's Around" (Settings → Discovery)
- Feeling-status expiry duration (1 hour to 7 days, default 7 days)
4.2 With Service Providers (Sub-Processors)
We share data with trusted third parties who help us operate the App. These providers act as data processors on our behalf and are contractually obligated to protect your data and process it only on our instructions.
| Provider | Purpose | Data Shared | Data Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, content, authentication tokens | Sydney, Australia (AWS ap-southeast-2) |
| Apple Push Notification Service | Push notifications | Device tokens, notification content | United States (Apple infrastructure) |
| PostHog Inc. (App only) | Product analytics, feature flags, error tracking | User ID, email, anonymous event data, device/app metadata | Frankfurt, Germany (PostHog EU instance) |
| Google Analytics (Website only) | Website analytics | Anonymised usage data, cookies | United States (Google infrastructure) |
| RevenueCat | Subscription management, paywalls, entitlements | Purchase data, anonymous user ID | United States |
4.3 For Legal Reasons
We may disclose your information if required by law, including:
- To comply with legal process (subpoena, court order)
- To respond to requests from the eSafety Commissioner or equivalent regulatory bodies in your jurisdiction
- To protect the rights, safety, or property of Hilltops, our users, or the public
- To detect, prevent, or address fraud, security, or technical issues
4.4 Business Transfers
If Hilltops is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Storage & Residency
Your personal data is primarily stored in Sydney, Australia (AWS ap-southeast-2 region) via our infrastructure provider, Supabase. Supabase acts as a data processor on our behalf and processes your data only in accordance with our instructions.
Some data may be processed internationally by our service providers as described in Section 4.2. Where data is transferred outside of your country of residence, we ensure appropriate safeguards are in place (see Section 11).
6. Location Data
6.1 How We Use Location
- City-level location is required to show you relevant local content
- Precise location (GPS) is optional and used for map-based discovery
6.2 Your Controls
- You can enable/disable location permissions in your device settings
- Room hosts can set location reveal timing (immediate, members only, or timed)
6.3 We Never
- Sell your location data
- Share your precise location with other users without your consent
- Track your location when the App is not in use
6.4 People Nearby ("Who's Around")
Hilltops has a "Who's Around" feature that lets you see other Hilltops users near you who have chosen to be discoverable. New accounts appear in Who's Around by default. You can opt out at any time and changes take effect immediately.
What other users see about you:
- Your first name (no surname)
- Your profile photo, if set
- A fuzzed distance — anyone within 2 km is shown as "< 2 km", and greater distances are rounded. Your exact coordinates are never shared with other users.
- Your feeling status, if you have set one
- Your online / last-active state, shown as "Online", "X minutes ago", "Yesterday", or "X days ago"
- Your nationality flag, if you have set one
- Your active vibe, if you have posted one
How to opt out:
- Open Discovery Settings → toggle off "Appear in Who's Around"
- You are immediately removed from Who's Around grids for all users
- You can re-enable at any time
Other controls:
- Feeling status auto-expires after a duration you choose (1 hour up to 7 days; default 7 days; server-capped at 7 days)
- Blocked users never see you in Who's Around, and you never see them
- You can adjust your search radius (1 km – 100 km) for whose profiles you see
- Premium subscribers can further filter the grid by gender, age range, and home country
In Who's Around, Hilltops never:
- Reveals your precise GPS coordinates to other users
- Shows your surname, phone number, email address, or date of birth in the grid
- Reveals your home address or any specific location
7. Analytics & Usage Tracking
7.1 In the App
The Hilltops app uses PostHog (operated by PostHog Inc.) for product analytics on both iOS and Android. PostHog helps us understand how features are used so we can fix bugs, prioritise improvements, and detect abuse.
What PostHog receives:
- Anonymous events from your sessions — screens you visit, features you use (e.g. opening an event, joining a room, applying a search filter)
- Your Hilltops user ID and email address, once you sign in (so your activity on iOS and Android stays linked to one account in our analytics, not split across devices)
- Device type, app version, language, and approximate country (derived from your IP address — never your precise GPS location)
- Aggregate properties on events. For example, our "people_nearby_grid_loaded" event records that a Who's Around grid loaded, with the user count and search radius, but never the identity of users in the grid
What PostHog does NOT receive:
- Your phone number, full name, date of birth, or profile photos
- Your precise GPS coordinates
- Message content, room chats, or any conversation history
- Identifiers of other users on Who's Around grid or tap events — we deliberately strip user IDs from those events
PostHog session recording (session replay) is disabled. We never record your screen.
Where this data is stored: Frankfurt, Germany (PostHog EU instance). PostHog Inc. acts as a data processor on our behalf under a Data Processing Agreement. This involves an international data transfer — see Section 11.
You can request deletion of your PostHog analytics record by emailing support@hilltops.app. We will forward the request to PostHog within 30 days. Deleting your Hilltops account also triggers deletion of your linked PostHog record as part of our 30-day anonymisation process.
Apple may also collect aggregate, non-identifying diagnostics through App Store Connect if you have shared diagnostics with app developers in your iOS device settings. Hilltops only sees this data in aggregated, non-identifying form.
7.2 On the Website
Our website (hilltops.app) uses Google Analytics 4 to understand how visitors interact with the site. Google Analytics collects:
- Page views and navigation patterns
- Approximate geographic location (country/city level)
- Device and browser information
- Referral sources
This data is aggregated and used to improve our website. It is not linked to your Hilltops app account. See Section 8 for cookie details.
7.3 On the Business Portal
The Hilltops Business Portal (business.hilltops.app) is the separate surface used by business operators (venues, creators, promoters) to manage their accounts. It uses Google Analytics 4 for page-level traffic metrics, with analytics cookies gated behind operator consent via a banner on first visit. We do not run session replay or ad personalisation on the Business Portal, and ABN, phone, address, and payment data are never sent to analytics.
Full disclosure of what the Business Portal collects from operators — including service-provider details and data residency — lives in the separate Business Portal Privacy Policy.
7.4 How This Data Is Used
Analytics data is used to:
- Identify and fix crashes and performance issues
- Understand which features are used most
- Improve the overall user experience
We do not use analytics data to build individual user profiles or make automated decisions about you.
8. Cookies & Web Tracking
Our website uses cookies, which are small text files stored on your device by your web browser.
8.1 Cookies We Use
| Cookie Type | Purpose | Provider |
|---|---|---|
| Essential | Site functionality, form submissions, security | Hilltops |
| Analytics | Understand site usage and visitor behaviour | Google Analytics (GA4) |
8.2 Your Cookie Controls
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking essential cookies may affect website functionality.
The Hilltops mobile app does not use cookies.
9. Your Rights
9.1 All Users (Australian Privacy Principles)
Under the Privacy Act 1988, you have the right to:
- Access your data: Request a copy of the personal information we hold about you
- Correct your data: Update your profile information at any time in the App, or contact us to correct other data
- Delete your data: Delete your account in the App (Settings > Account > Delete Account). This removes your profile from public view immediately and anonymises your data within 30 days
- Opt out of marketing: Manage notification preferences in Settings or unsubscribe from marketing emails at any time
- Withdraw consent: Withdraw consent for optional data collection at any time. This includes:
  - Precise location: turn off in your device settings
  - Discoverability in Who's Around: Discovery Settings → toggle off "Appear in Who's Around"
  - Analytics: contact support@hilltops.app to request your PostHog record be deleted
9.2 Users in the European Economic Area & United Kingdom (GDPR)
If you are located in the EEA or UK, you have additional rights under GDPR:
- Right of access: Obtain confirmation of whether we process your data and request a copy
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data (subject to legal obligations)
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format
- Right to restrict processing: Request that we limit how we use your data in certain circumstances
- Right to object: Object to processing based on legitimate interests, including direct marketing
- Rights related to automated decision-making: Hilltops does not currently make automated decisions that produce legal or similarly significant effects on you (see Section 10)
To exercise these rights, contact us at support@hilltops.app. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with your local data protection authority (e.g., the ICO in the UK).
9.3 Users in Canada (PIPEDA)
If you are located in Canada, you have rights under PIPEDA, including:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
- Complaints: File a complaint with the Office of the Privacy Commissioner of Canada
9.4 Users in California, United States (CCPA/CPRA)
If you are a California resident, you have rights under the CCPA and CPRA, including:
- Right to know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose
- Right to delete: Request deletion of your personal information
- Right to opt out of sale: We do not sell your personal information. No opt-out is necessary
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at support@hilltops.app.
10. Automated Recommendations & Decision-Making
Hilltops shows you events, rooms, and content based on:
- Your selected city or location
- Filters and preferences you set (e.g., event categories, date ranges)
- Your map region when browsing
This content surfacing is user-driven, not based on automated profiling or algorithmic scoring. We do not make any automated decisions that produce legal or similarly significant effects on you.
If we introduce algorithmic recommendations in the future, we will update this policy and notify you accordingly.
11. International Data Transfers
Your personal data is primarily stored in Sydney, Australia (AWS ap-southeast-2) via Supabase. However, some data may be processed outside Australia by the following services:
| Service | Data Transferred | Destination |
|---|---|---|
| Apple Push Notification Service | Device tokens, notification content | United States |
| PostHog Inc. (App only) | User ID, email, anonymous event data | Germany (European Union) |
| Google Analytics (Website only) | Anonymised website usage data | United States |
| RevenueCat | Purchase data, anonymous user ID | United States |
Where your data is transferred outside your country of residence, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses (SCCs) where required under GDPR
- Binding data processing agreements with all service providers
- Compliance with Australian Privacy Principle 8 (APP 8) for cross-border disclosure
- Compliance with relevant data protection laws in the destination country
12. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Messages | Until deleted by you or conversation closed |
| Blocked/reported users | Retained for safety purposes |
| Deleted account data | Anonymised within 30 days |
13. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/SSL)
- Encryption at rest
- Row-level security policies
- Secure authentication (phone OTP)
- Regular security reviews
However, no method of transmission or storage is 100% secure. You are responsible for keeping your account credentials secure.
14. Children's Privacy
Hilltops is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18.
If we become aware that we have collected data from someone under 18, we will delete it immediately. If you believe a minor is using Hilltops, please contact us.
15. Third-Party Links
The App may contain links to third-party websites or services (e.g., Ticketmaster for ticket purchases). We are not responsible for their privacy practices. Please review their privacy policies.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy in the App and on the Website
- Sending you a notification (for significant changes)
Your continued use of Hilltops after changes constitutes acceptance of the updated policy.
17. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
HILLTOPS APP PTY LTD (ACN 698 610 007)
Email: support@hilltops.app
18. Complaints
If you are not satisfied with our response to a privacy complaint, you may contact the relevant authority in your jurisdiction:
Australia
Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
United Kingdom
Information Commissioner's Office (ICO):
- Website: ico.org.uk
European Union
Contact your local Data Protection Authority. A list is available at edpb.europa.eu.
Canada
Office of the Privacy Commissioner of Canada:
- Website: www.priv.gc.ca
19. Privacy Policy Summary
| What We Collect | Why | Your Control |
|---|---|---|
| Phone, name, DOB | Account & verification | Required |
| Location | Show local content | Can disable GPS |
| Photos, bio, interests | Profile & personalisation | Optional |
| Activity (rooms, messages) | App functionality | Can delete |
| Usage data | Improve the App | Anonymised |
We never sell your data. We never share your location without consent.
This Privacy Policy is governed by the laws of Australia. Where you are located in another jurisdiction, the applicable local data protection laws also apply to our processing of your personal data as described in this policy.