Privacy Policy

Gumshoe — The Supplier Verifier · Last updated: 15 June 2026

Plain-English summary of our actual practices. For legal queries, contact legal@gumshoe.au.

1. Who we are

Gumshoe ("Gumshoe", "we", "us") operates the supplier-verification service at gumshoe.au. We are based in Australia and handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you have a privacy question, contact us at privacy@gumshoe.au.

2. What we collect

Account information you give us: your name, email address, and password (stored hashed, never in plain text). If you purchase paid checks or a subscription, we also collect billing details sufficient to process your payment via eWAY.

Guest checkout: if you use guest checkout, we collect your email address to deliver your report. We create a minimal account record containing only your email — no password is set and you will not receive marketing communications without separately opting in. You may later claim this account by setting a password. Guest checkout records are retained for 2 years from your checkout date.

Search and verification data: the business identifiers you search (business names, ABNs, ACNs), and the results and reports generated, which we retain as a timestamped audit trail.

Supplier information from public registers: we draw on data from the Australian Business Register (ABR), ASIC Connect, and other public sources to produce verification results. For sole traders, ABN records can contain personal names and business addresses — we treat this as personal information under the Privacy Act and display only what is publicly registered with the ABR.

Premium-check data: where you run a paid Phone check, we place a recorded call to the supplier's published number; the recording and its transcript are stored as part of your report and retained for 2 years. The call includes an audible disclosure that it is recorded.

Technical data: browser type and usage logs for security and service operation. We record IP addresses in server logs (retained 90 days) and via our payment processor (eWAY) for fraud detection purposes (retained with payment records for 7 years per ATO requirements).

Browser local storage: your browser's local storage temporarily holds search state — pinned businesses and inputs you have entered — so your session survives page reloads. This data stays on your device and is not transmitted to our servers except as part of a verify request you initiate. It is cleared when you clear your browser storage.

3. How we use it

We use the information we collect to:

  • Provide supplier-verification results and reports
  • Maintain your account and audit trail
  • Process payments for premium checks and subscriptions
  • Deliver guest checkout reports to the email you provide
  • Enable report sharing when you generate a shared report link
  • Operate self-hosted analytics to understand how the service is used (see section 6)
  • Secure and improve the service
  • Send you service messages (e.g. receipts, account notifications)
  • Send you marketing or newsletter content if you have actively opted in
  • Meet our legal obligations, including tax and record-keeping requirements

We do not sell your personal information. We do not use your searches to advertise to you or profile you for third-party marketing.

4. Third-party data and scraping

Gumshoe draws on publicly available data from several external sources to build verification results. We are not affiliated with, endorsed by, or a data partner of any of these sources. The data may not be current — we note our cache periods below.

  • ABR (Australian Business Register): ABN status, GST registration, business name, entity type, and address. The authoritative public register of Australian business entities.
  • ASIC Connect: director, secretary, and officeholder information is obtained from ASIC's publicly accessible Connect Online service. ASIC director data is cached for up to 30 days.
  • Review platforms: we access publicly available pages on Trustpilot, ProductReview.com.au, Google, Yelp, and Glassdoor to retrieve aggregate ratings and review counts. We are not affiliated with these platforms and the data may not be current. Review ratings are cached for up to 3 days.
  • Fair Work Ombudsman (FWO) newsroom: we search FWO media releases for entity names to identify potential enforcement records. This is public information published by a Commonwealth regulator.
  • Mapillary and OpenStreetMap: street-level imagery and map data used for Street View checks.

A note on data aggregation: combining information from multiple public sources may reveal more about a business or its principals than any single source would. We present this information solely for legitimate due-diligence purposes. See our Acceptable Use Policy for the permitted and prohibited uses of results.

We do not sell data obtained from third-party sources to other parties.

5. Overseas processing (APP 8)

Some of Gumshoe's features involve sending data to third-party services based overseas. We disclose these transfers as required by APP 8 of the Privacy Act.

  • Street View Pro — Google (United States): street-level imagery and Places data are fetched from Google APIs. Google processes requests in the US under Google's own privacy policy.
  • Street View Pro — NVIDIA NIM (United States): images are submitted to NVIDIA's NIM AI inference API for classification. Processing occurs in the US under NVIDIA's service terms.
  • Phone verification — Twilio (United States): verification calls are routed via Twilio's communications platform. Call audio is processed in the US before the recording is returned to and stored on Gumshoe's own servers.
  • Address geocoding — Nominatim/OpenStreetMap (EU-based servers) and Google (US): addresses may be geocoded using both services depending on the check type.
  • Mapillary (EU/US): street-level imagery may be fetched from Mapillary for location checks.

Overseas processing is for service delivery only. These third-party providers do not store personal information beyond what their own service terms permit, and they do not receive your Gumshoe account information. By using premium checks that involve these services, you consent to this overseas processing.

6. Cookies and local storage

Session cookie (gs_session): we set one session cookie which is httpOnly (not accessible to JavaScript), secure (HTTPS only), SameSite=lax, and expires after 30 days. It is used solely for authentication — to keep you logged in. We do not use advertising cookies or any cookies that track you across other websites.

Browser local storage: as described in section 2, your browser's local storage is used to cache search state on your device. This data is not sent to our servers and is not accessible to us unless you submit a verify request.

Analytics: Gumshoe uses self-hosted Umami analytics running on our own servers at a private IP address. Umami does not use cookies, does not fingerprint users, and does not share any data with third parties. It collects anonymised page-view counts and interaction events to help us understand how the service is used. No personal information is transmitted to any external analytics service.

7. Direct marketing (APP 7)

We only send marketing communications if you actively opt in — for example, by subscribing to our newsletter. Guest checkout email addresses are used only to deliver your report and are not added to any marketing list. If you have opted in to marketing, you can opt out at any time via the unsubscribe link in any marketing email, or by emailing privacy@gumshoe.au.

8. Disclosure

We share information only with:

  • eWAY (our payment processor): your payment card details, billing name, and IP address are submitted to eWAY to process transactions. eWAY is an Australian payment gateway operating under PCI DSS. Gumshoe does not store your full card number.
  • Infrastructure providers that run the service on our behalf under confidentiality obligations (hosting, email delivery). These providers process data only as directed by us.
  • Overseas processing providers named in section 5, for the specific premium-check functions described.
  • Authorities where required by law — for example, in response to a court order or regulatory requirement.

We do not disclose your search history to third parties for their own purposes. We do not sell personal information. Gumshoe is not a credit provider and does not provide information to credit reporting bodies.

9. Recorded calls (premium Phone check)

Where you initiate a Phone verification, we make an automated, recorded call to the supplier's publicly listed number to confirm details. The recipient is told at the start of the call that it is being recorded. Recordings and transcripts are kept as part of the verification report and are accessible to the account that ran the check.

Call recording and consent: most Australian states and territories permit single-party consent to recording of a telephone conversation. Gumshoe's automated disclosure at the start of each call additionally informs the recipient that the call is recorded, satisfying the notification requirements applicable in all Australian jurisdictions. You are responsible for using verification calls for legitimate due-diligence purposes only and for handling any information obtained in compliance with the Privacy Act.

Call recordings are retained for 2 years and then permanently deleted.

10. Data sourcing and attribution

Gumshoe contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU. Gumshoe is not affiliated with or endorsed by the ABR, ASIC, the Fair Work Ombudsman, or any review platform we draw on. We surface only information that is publicly available.

Sole trader records: ABN records for sole traders may include a personal name and business address registered with the ABR. We treat this as personal information under the Privacy Act and display only what is publicly registered. We rate-limit bulk exposure of sole-trader records and require that users handle this information in accordance with the Acceptable Use Policy.

11. Storage and security (APP 11)

Data is stored on servers we control. We take the following reasonable steps to protect personal information:

  • All traffic is encrypted in transit (HTTPS/TLS)
  • Passwords are stored using a strong one-way hash — we cannot recover your password
  • Session cookies are httpOnly and secure, preventing JavaScript access and transmission over unencrypted connections
  • Database access is restricted by role-based permissions; not all staff have access to all data
  • Call recordings and premium-check artefacts are stored with access controls limiting retrieval to the account that ran the check
  • IP address logs are held separately from account data and automatically purged after 90 days

No system is perfectly secure. If we become aware of a breach that is likely to result in serious harm to affected individuals, we will notify the OAIC and affected individuals as required by the Notifiable Data Breaches scheme.

12. Retention

We retain different types of data for different periods, based on operational need and legal obligation:

Data type | Retention period
Account data | While account is active + 7 years post-deletion
Payment records | 7 years (ATO requirement)
Verification audit trail | 7 years
Call recordings | 2 years
Guest checkout records | 2 years from checkout date
IP address logs | 90 days
Review cache | 3 days
ASIC director cache | 30 days
Session tokens | 30 days
Browser local storage | Until cleared by user

After the applicable retention period, data is deleted or de-identified. Where a legal obligation requires us to retain records (e.g. payment records for ATO purposes), we retain only the minimum necessary and restrict access to authorised personnel.

13. Your rights (APPs 12 & 13)

Under the Privacy Act, you have the right to:

  • Access the personal information we hold about you. Email privacy@gumshoe.au and we will respond within 30 days. There is no charge for a reasonable access request.
  • Correct personal information that is inaccurate, out of date, incomplete, or misleading. Contact us and we will correct our records or note your objection.
  • Portability: you can export your verification history from your account dashboard at any time in a machine-readable format.
  • Delete your account: you may close your account at any time from account settings or by emailing us. We will delete your account data. Note that payment records and the verification audit trail are retained for the periods set out in section 12 to meet legal obligations — we cannot delete these records early.
  • Opt out of marketing at any time via the unsubscribe link in any email or by contacting privacy@gumshoe.au.

Complaints: if you are not satisfied with our response to a privacy request or concern, you may contact the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

14. Children

Gumshoe is a business-to-business service intended for use by adults in a commercial or professional context. You must be 18 or older to create an account or use the service. We do not knowingly collect personal information from persons under 18. If we become aware that we have done so, we will delete that information promptly.

15. Changes to this policy

We may update this policy from time to time. When we do, we will post the new version here with a revised date. For material changes — changes that significantly affect how we handle your personal information — we will notify registered account holders by email before the change takes effect.