Privacy Policy

Lembra Pty Ltd is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what personal information we collect across both Celebrations and Catering, how we use and share it, and the rights you have in relation to it.

Lembra Pty Ltd
Registered office: 11 Wilson Street, South Yarra VIC 3141
Privacy contact: support@lembra.com.au

We collect only the information we need to run the service.

On both platforms

• Account information: full name, work email address, password (stored as a hash), and company name.
• Brief and event details: the structured and free-text fields you fill in to describe what you need (occasion or event type, date, time window, venue or delivery address, headcount, dietary requirements, budget, notes).
• Brand-kit details: if you upload a logo, colours, fonts, or paste your website URL, we store them so vendors can match your brand on packaging, cupcakes, signage, and the like.
• Payment information: card brand, last four digits, and expiry. Full card numbers are handled directly by our payment processor (Stripe) and never stored on Lembra's systems.
• Usage information: log data, IP address, browser type, device type, and pages visited, collected via standard web analytics and error monitoring.

On Celebrations specifically

• Team member details: names, birthdays, work start dates, dietary requirements, department, and (optional) email addresses for the team members you add so we can schedule reminders and prepare the right celebration on the right day.
• Celebration and order information: celebration type (birthday, anniversary, welcome, farewell), gift preferences (cake, hamper, flowers, voucher, workshop, spa, etc.), special instructions, and order history.

On Catering specifically

• RSVP details: if you're a recipient on someone else's event, your name, email, dietary requirements, allergies, and RSVP status. The buyer who invited you can see this; we can see it; vendors only receive the slice they need to fulfil their leg (e.g. the bakery sees "3 gluten-free", not your name).
• Vendor briefs: the multi-vendor briefs we compose on your behalf, including allocation of parts of the event across caterers, beverage providers, bakers, and other vendors in our network.

We use personal information to:

• Provide the Lembra platforms, including scheduling celebration reminders, composing catering briefs, processing orders, and coordinating with our vendor partners.
• Process payments and issue invoices.
• Communicate with you about your account, orders, service changes, and support queries.
• Improve the platforms' reliability and performance (error tracking, aggregated usage analytics).
• Comply with our legal obligations, including record-keeping and tax compliance under Australian law.

Dietary requirements can indicate religious or health information, which is treated as sensitive information under the Privacy Act. We collect dietary details only with the intent of ensuring recipients receive food that is safe and appropriate for them. For food-based orders (cakes, hampers, catered events, and similar), we share only the specific dietary details the vendor needs to produce or serve the order. We don't pass dietary information to non-food vendors (florists, spa, workshops, vouchers, signage providers) since it's not relevant to their fulfilment.

We share personal information only in the following circumstances:

• Vendor partners: when you place an order or confirm a catering brief, the relevant vendor (bakery, hamper maker, florist, caterer, beverage provider, spa, workshop, voucher provider, etc.) receives the recipient or event details they need to fulfil their leg. That includes the relevant dietary requirements, delivery address, date and time window, and any special instructions. It does not include unrelated data.
• Service providers: we use a small number of trusted third parties to operate the platform: Supabase (database and authentication; data hosted in the Singapore region), Stripe (payment processing; data handled under Stripe's own privacy policy), Resend (transactional email delivery), Sentry (error monitoring; EU region), and Lovable (hosting of the web applications).
• Legal and safety: where we are required by law, by a court order, or where we reasonably believe it is necessary to protect our rights, safety, or the rights and safety of others.

We do not sell your personal information to anyone, and we do not use it to train advertising models.

Some of our service providers store or process data outside Australia (e.g. Supabase's Singapore region; Sentry's EU region). By using the platforms you consent to this transfer. We take reasonable steps to ensure each provider handles your data with a level of protection comparable to that required under Australian law.

We retain personal information only for as long as we need it for the purposes described in this policy or as required by law. Order, brief, and payment records are kept for a minimum of seven years to comply with Australian tax and accounting rules. When you close your account, we delete or de-identify personal data except where retention is required by law.

We use industry-standard security measures including TLS encryption in transit, encryption at rest on our database, row-level security policies to isolate each company's data, restricted access to production systems, and logged audit trails for administrative actions. No system is perfectly secure; if we become aware of a data breach that is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

You have the right to:

• Access the personal information we hold about you.
• Request correction of information that is inaccurate, incomplete, or out of date.
• Request deletion of your personal information, subject to the retention obligations in section 8.
• Withdraw consent where we rely on consent to process your information.
• Make a privacy complaint.

To exercise any of these rights, email support@lembra.com.au. We will respond within 30 days.

We use a small number of cookies to keep you signed in and to understand how the platforms are used. You can block cookies in your browser settings, but some features (including login) may stop working.

If you believe we have mishandled your personal information, please contact us at support@lembra.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We may update this policy from time to time. Material changes will be communicated to you by email or through a notice on the platforms before they take effect.