Kiosku
Legal

Privacy Policy

Effective date: 25 May 2026

Contents

01 Who We Are
02 What We Collect
03 How We Use It
04 Who We Share With
05 Data Storage
06 Data Retention
07 Your Rights
08 Security
09 Children
10 Changes
§1

Who We Are

Kiosku is operated by Sebastian Arthur Chua, a sole trader based in Sydney, New South Wales, Australia. Kiosku is an order-management platform for small businesses that sell through chat channels such as WhatsApp and Instagram DM.

Sebastian Arthur Chua is the data controller for personal information collected through this service. If you have any questions about this policy or how your information is handled, please contact:

Sebastian Arthur Chua

Sydney, New South Wales, Australia

sebastian.a.chua@gmail.com

§2

What Personal Information We Collect

We collect different information depending on how you interact with Kiosku.

Merchant account information

When you sign up as a merchant, we collect your email address and, if you sign in with Google, your Google profile name and profile picture URL. We also store a hashed password if you use email and password sign-in.

Merchant business configuration

We store the information you enter to set up your store: your business name, contact details, operating hours, product catalogue, delivery zones, and payment configuration. This is business data you provide voluntarily to make Kiosku work for your store.

End-customer information

When your customers place orders — either through a checkout link you share or manually entered by you — we collect:

  • Name, phone number, and delivery address
  • Order details (items, quantities, special instructions)
  • Payment metadata (payment status, reference numbers). We do not store raw card numbers or full bank account details — those are handled directly by our payment processors.

This information is entered on behalf of, or directly by, your customers. As the merchant, you are responsible for ensuring you have the appropriate basis to share your customers' data with us.

Session and technical data

We use essential session cookies to keep you logged in. These are set by our authentication provider (Supabase) and contain only an encrypted session token — no personal details, no tracking identifiers. We do not use analytics, advertising, or marketing cookies.


§3

Why We Collect It and How We Use It

We use personal information to:

  • Provide and operate the service — authenticate your account, display your orders, process payments, and deliver the features you sign up for.
  • Communicate with you — send transactional emails (password resets, order confirmations) when you or your customers trigger them.
  • Improve reliability — diagnose errors and maintain the platform's performance.
  • Comply with legal obligations — retain records as required under applicable law.

We do not sell personal information. We do not use it for behavioural advertising.


§4

Who We Share Information With

We use a small set of third-party service providers (sub-processors) to operate Kiosku. Each receives only the data necessary for their function:

| Provider | Purpose | Data processed |
| --- | --- | --- |
| Supabase | Database and authentication | All personal data (stored in Singapore region) |
| Vercel | Web hosting and serverless functions | Request metadata (IP, headers) processed at edge |
| Stripe | Payment processing (AU / global) | Payment details for transactions |
| Xendit | Payment processing (SEA — Indonesia, Philippines) | Payment details for transactions |

We do not share personal information with any other third parties except where required by law (e.g., a lawful request from a government authority).


§5

Where Data Is Stored and International Transfers

Your data is stored primarily in Supabase's Singapore region (ap-southeast-1), which means it is hosted in Singapore by Supabase.

Some of our sub-processors operate infrastructure in the United States (Supabase's control plane, Vercel's edge network, and Stripe's payment platform). By using Kiosku, you acknowledge that your information may be transferred to and processed in countries outside your own, including Singapore and the United States.

Where we transfer personal information internationally, we take reasonable steps to ensure it receives an equivalent level of protection. Our sub-processors are bound by their own privacy policies and applicable data protection laws.


§6

How Long We Keep Your Information

We retain your personal information for as long as your account is active. If you request account deletion, we will delete your account data within a reasonable period, subject to any legal obligations that require us to retain certain records for longer.

End-customer order data is retained as part of your merchant account and is deleted when you delete your account or when you manually remove individual records.

To request deletion, contact us at sebastian.a.chua@gmail.com.


§7

Your Rights Under the Australian Privacy Act

Kiosku is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Under these, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct information that is inaccurate, out of date, or incomplete.
  • Complaint — if you believe we have mishandled your personal information, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

To exercise your access or correction rights, contact us at sebastian.a.chua@gmail.com. We will respond within 30 days.


§8

Security

We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. Our security measures include:

  • Encrypted HTTPS connections for all data in transit
  • Cookie-based sessions with HTTP-only, Secure flags set by Supabase's SSR library
  • Row-level security (RLS) policies on our database, ensuring each merchant can only access their own store's data
  • Authentication handled by Supabase, which manages credential hashing and token rotation

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately.


§9

Children

Kiosku is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.


§10

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. If the changes are material, we will notify merchants by email.

Continued use of Kiosku after a policy update constitutes acceptance of the revised policy.

© 2026 Sebastian Arthur Chua. All rights reserved.
