KeyDrops
// LEGAL · PRIVACY POLICY

Privacy policy // v1.0

Controller: KeyDrops Pty Ltd · ACN PENDING
Privacy Officer: privacy@keydrops.com.au
Applies to: keydrops.com.au · membership · drops
Last updated: 2026-04-20
// ON THIS PAGE
  1. About this policy
  2. What we collect
  3. Sensitive information
  4. How we collect
  5. Why we collect & use
  6. Automated decisions
  7. AML / CTF (AUSTRAC)
  8. Direct marketing
  9. Who we share with
  10. Overseas disclosure
  11. Cookies & tracking
  12. Data quality
  13. Security
  14. Retention
  15. Access & correction
  16. Data breaches
  17. Children
  18. Complaints
  19. Changes
  20. Contact

About this policy

KeyDrops Pty Ltd (KeyDrops, we, us, our) is bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) in schedule 1 to that Act. This policy explains what personal information we collect, how we handle it, and the rights you have in respect of it.

This policy applies to all personal information we collect through the KeyDrops website, mobile and email services, our drops, our membership, our consignment programme, and our partner network. It should be read alongside our Terms of Use.

// PLAIN ENGLISH

We collect what we need to run the drops, pay the prize, verify age and residency, meet our AUSTRAC obligations and comply with state gambling regulators. We do not sell your personal information. You can access, correct or delete your data at any time, subject to the record-keeping obligations described below.

What personal information we collect

The kinds of personal information we collect depend on how you interact with us. We only collect information that is reasonably necessary for one or more of our functions or activities (APP 3).

Account & membership

  • full legal name, preferred display name;
  • email address, mobile number;
  • date of birth (to verify you are 18 or over);
  • residential address and state of residence (to verify you are an Australian resident and to exclude residents of Excluded Jurisdictions — see Terms);
  • account credentials, passkeys, and login session data.

Verification documents & outcomes

  • government-issued photo identification (for example, Australian driver licence, passport, or Medicare card) for the purposes of age, identity and residency verification;
  • selfie or liveness capture, used solely to match to the identification document at the point of KYC;
  • the outcome of each verification check (pass / fail / referred), the reference number issued by our verification provider, and our internal decision — all retained for AML/CTF record-keeping purposes;
  • source-of-funds declarations for vehicle consignors and for credit-pack purchases above a defined threshold.

Payment & billing

  • payment-card tokens issued by our payment-services provider (we do not store your full card number or CVV);
  • billing address, merchant reference numbers;
  • refund, chargeback and dispute history.

Entry & draw records

  • allocation of complimentary entries, credit-pack entries and Free Route entries across drops;
  • draw data, including the committed seed, the reveal and the entrant allocation resulting from the draw (retained as a draw-integrity record so the result can be independently verified, for the periods described in Retention below);
  • winner contact logs and identity-verification outcomes.

Consignors

  • identification and ABN, motor-dealer licence number (where applicable);
  • vehicle details, PPSR search results, inspection reports, title documents and service history;
  • bank account details for the fixed consignor payout.

Communications

  • emails, SMS, phone and support-chat correspondence with us;
  • recordings of phone calls where lawful, for staff training and verification — you will be informed before any recording starts;
  • content you post to any KeyDrops community surface.

Device & usage

  • IP address, device fingerprint, user-agent, approximate geolocation derived from IP (used to enforce Excluded Jurisdictions);
  • pages visited, interactions, referring URLs, and timestamps;
  • fraud-prevention signals such as device velocity and repeated-account indicators.

Sensitive information

We do not seek or require sensitive information (as defined in the Privacy Act — including health, biometric, racial, political or religious information) in order to use the Service. The biometric match between your identity document and a liveness-check selfie is handled by our KYC provider; the underlying biometric template is not retained by KeyDrops beyond the verification transaction.

How we collect

We collect personal information (APP 3 & 5) from:

  • you, directly, when you create an account, update your profile, subscribe to a membership, purchase merchandise, purchase a credit pack, enter a drop, contact support, attend an event, submit a consignment application, or correspond with us;
  • our verification providers, when they verify your identity, age or residency on our behalf;
  • our payment-services provider, when you make or receive a payment;
  • PPSR, state motor-registry databases and insurers, when a consignor submits a vehicle;
  • analytics and advertising partners, where you have consented (see Cookies & tracking below);
  • public sources, such as government registers, where we need to verify published information (for example an ABN).

Where we collect information about you from a third party, we take reasonable steps to notify you of that collection if notification is required by APP 5 and has not already been given by that third party.

Why we collect & use it

We use personal information for the following purposes and, where a purpose is secondary, we only use it for a purpose you would reasonably expect (APP 6):

  • to create and administer your account and membership;
  • to verify eligibility — age, residency, identity and non-excluded jurisdiction — before a prize is awarded and, where required, before an entry is accepted or a credit pack is purchased;
  • to allocate complimentary entries, process free-route entries, run draws, contact winners, award prizes, and arrange delivery;
  • to process payments, refunds and chargebacks, and to manage merchandise credit and partner discounts;
  • to operate the consignor programme and make payouts;
  • to publish winner details as required by state permit conditions, including, for drops with a major prize value above AUD $5,000 awarded to a Northern Territory resident, publication of the winner’s name in a local or national newspaper as required by the Gaming Control (Community Gaming) Regulations 2006 (NT);
  • to meet our legal obligations, including under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), state trade-promotion permits, and record-keeping obligations imposed on promoters;
  • to prevent, detect and investigate fraud, account sharing, automated abuse, and breaches of our Terms;
  • to send you service communications (required even if you have opted out of marketing — for example, a notice that you have won a drop);
  • to send you marketing material, where you have not opted out, about drops, events, partner offers and content;
  • to improve the Service, including through analytics, A/B testing and user research; and
  • to respond to lawful requests from regulators, law enforcement, or courts.

Automated decisions

Some aspects of the Service use automation to protect the integrity of the draws and to comply with our AML/CTF obligations. Automated signals (such as device fingerprint, velocity, repeated-account indicators and KYC-check results) may lead to a Free Route submission being blocked, an account being placed in review, or an entry being voided. Where an automated decision materially affects your eligibility for a prize, you may request human review by emailing privacy@keydrops.com.au; we aim to respond within 30 days.

AML / CTF and AUSTRAC

KeyDrops is registered as a reporting entity with AUSTRAC (RE number IE-400118) and operates an AML/CTF Programme as required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). As part of that programme we:

  • apply customer identification and verification (KYC) before paying out a prize and for credit-pack purchases above the applicable thresholds;
  • conduct ongoing customer due diligence and transaction monitoring;
  • submit threshold transaction reports (TTRs), international funds transfer instruction reports (IFTIs) and suspicious matter reports (SMRs) to AUSTRAC where required; and
  • retain customer identification records and transaction records for at least 7 years, as required by the AML/CTF Act.

Providing an SMR, or any document provided to AUSTRAC, does not breach the Privacy Act. We cannot tell you (and are generally prohibited by law from telling you) whether a suspicious matter report has been filed in respect of your activity.

Direct marketing

With your consent, or where you would reasonably expect it, we may use your name, email address, mobile number, membership tier and interaction history to send you marketing communications about drops, events, partner offers and content (APP 7, Spam Act 2003 (Cth)).

Opting out

  • Every marketing email includes a one-click unsubscribe link.
  • Every marketing SMS includes a STOP reply opt-out.
  • You can toggle marketing preferences at any time from your account settings, or by emailing privacy@keydrops.com.au.

Opting out of marketing does not affect service communications (for example, billing notices, winner notifications, or legal updates) which are necessary for us to provide the Service.

We do not sell personal information. We do not share personal information with third-party advertisers for their own marketing. We do not trade in, or permit, any form of “list rental” involving your personal information.

Who we share it with

We disclose personal information only for the purposes described in this policy and only to the categories of recipients set out below (APP 6).

| Recipient | Purpose |
| --- | --- |
| Payment-services provider | Processing subscription billing, credit-pack checkouts, refunds and chargebacks; tokenising card details. |
| Identity verification provider | Age, identity and document verification; liveness check. |
| Cloud hosting & infrastructure | Running the website, application servers, databases, object storage, email and SMS delivery. |
| Draw integrity auditors | Independent scrutiny of commit-reveal seed publication, algorithm integrity and result reproduction. |
| Vehicle inspectors & transporters | Inspection, photography, vehicle-in-care insurance arrangements and delivery to the winner. |
| State motor registries | Transfer of registration, stamp-duty lodgement. |
| Newspaper wire service | Publication of NT-resident winners’ names in a local or national newspaper where required by NT regulations. |
| Partners (merchandise & discount) | Redemption of member-only benefits that you elect to use. Only the information required to redeem is shared. |
| Professional advisers | Legal, accounting, audit and insurance advisers bound by duties of confidentiality. |
| Regulators & law enforcement | VGCCC, CBS (SA), NSW Fair Trading, ACT Gambling and Racing Commission, OLGR (Qld), DLGSC (WA), Licensing NT, Tasmanian Gaming Commission, AUSTRAC, ACCC, OAIC, ATO, and Australian courts — each of which has statutory information-gathering powers with which we must comply. |

Our contracts with service providers require them to handle personal information consistently with the APPs and to use it only for the purpose we have engaged them for.

Overseas disclosure

Some of our service providers store or process personal information outside Australia. Before disclosing information to an overseas recipient we take the steps required by APP 8, including satisfying ourselves that the recipient is bound by law or contract to protect the information in a way substantially similar to the APPs.

At the date of this policy, personal information may be processed in:

  • United States — cloud infrastructure, email, transactional SMS, and analytics (typically in de-identified form);
  • European Union / United Kingdom — identity verification, draw-integrity auditing;
  • Singapore — regional cloud redundancy.

We do not disclose personal information to any recipient in a jurisdiction whose data-protection regime is incompatible with the APPs without either (a) your explicit consent after advising you of that incompatibility, or (b) another exception under APP 8.2 applying.

Cookies & tracking

We use a small number of cookies and similar local-storage technologies:

  • Strictly necessary — session, authentication, CSRF protection, shopping-cart state, age-gate acknowledgement. These cannot be disabled without breaking the Service.
  • Preferences — remembering your display and notification preferences.
  • Analytics — aggregated, de-identified measurement of page views, feature usage and performance.
  • Fraud prevention — device fingerprinting and velocity signals used to protect the integrity of the free-entry route and prevent automated abuse.

We do not currently run behavioural advertising or cross-site tracking cookies. If this changes, we will update this policy and notify you before any new tracking takes effect. You can control non-essential cookies from the preferences banner or your browser settings; disabling strictly-necessary cookies will prevent parts of the Service from working.

Data quality

We take reasonable steps (APP 10) to ensure the personal information we collect is accurate, up-to-date, complete and relevant for the purpose of use. You can update your own details at any time from your account profile, and we will take reasonable steps to correct other information on request (see Access & correction).

Security

We take reasonable steps (APP 11) to protect personal information from misuse, interference, loss and from unauthorised access, modification or disclosure. Our controls include:

  • encryption in transit (TLS 1.2+) and at rest for account databases and document storage;
  • least-privilege access to production systems, with multi-factor authentication mandatory for staff;
  • segregation of the commit-reveal draw system, which holds only pseudonymous entry identifiers; draws do not need direct access to entrant personal information;
  • periodic review of third-party service providers and independent security assessment at appropriate intervals;
  • incident-response procedures aligned to the Notifiable Data Breaches scheme (Privacy Act, Part IIIC).

No online service is completely secure. We rely on you to keep your password confidential, enable multi-factor authentication, and tell us immediately if you suspect unauthorised access to your account.

Retention

We retain personal information only for as long as it is reasonably necessary for the purpose for which it was collected, or for as long as we are required to keep it by law.

  • Account, membership and billing records — for the life of the account and for 7 years after closure, consistent with tax and AML/CTF requirements.
  • Entry and draw records — for 7 years after the draw (or longer where state permit conditions require; for example, NT requires at least 2 years, WA at least 12 months).
  • Draw-integrity record (committed seed, reveal and entrant identifiers) — retained for at least 7 years, and longer where permit or statutory requirements apply, to enable independent verification of a draw.
  • Identity-verification records & outcomes — for 7 years after the customer relationship ends, as required by the AML/CTF Act.
  • Marketing preferences — for the life of the account, plus a suppression list for 7 years after closure to prevent re-marketing.
  • Server and access logs — generally 90 days; security-relevant logs up to 365 days.

Where information is no longer required, we take reasonable steps to destroy it or irreversibly de-identify it (APP 11.2).

Access & correction

You have the right to request access to the personal information we hold about you (APP 12) and to request correction of information that is inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 13).

To make a request, email privacy@keydrops.com.au with the subject line “Access/correction request”. We aim to respond within 30 days. Before responding we will verify your identity. Most requests are free; in rare cases, for example an unusually voluminous request, we may charge a reasonable cost-recovery fee and will explain it to you in advance.

There are limited circumstances in which we may refuse access or correction (for example, where doing so would unreasonably impact another person’s privacy, reveal a fraud investigation, or breach a legal obligation). If we refuse, we will explain why and how you can complain.

Account deletion

You can close your account at any time from your profile. On closure, we retain only the minimum information required to meet the retention obligations set out above; all other information is destroyed or de-identified.

Data breaches

KeyDrops is subject to the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. If we become aware of a data breach that is likely to result in serious harm to an individual, and we cannot remediate the likely harm within the timeframe required by the Act, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

If you suspect a data breach involving KeyDrops, email security@keydrops.com.au immediately with any information you can share.

Children

The Service is not intended for, and is not directed to, persons under 18 years of age. We do not knowingly collect personal information from a person we know to be under 18. If we learn that we have collected such information we will delete it promptly.

Complaints

If you believe we have breached the APPs or mishandled your personal information, please tell us first so we can try to fix it:

  1. Email the Privacy Officer at privacy@keydrops.com.au. Describe the conduct you are concerned about and the outcome you are seeking.
  2. We aim to acknowledge within 7 days, investigate in good faith, and respond within 30 days.
  3. If you are not satisfied with our response, you can refer the complaint to the Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992.

Changes to this policy

We may update this policy from time to time to reflect changes to our practices or the law. The version number and last-updated date at the top of this page always reflect the current version. Where changes are material, we will notify active members by email at least 14 days before the changes take effect.

Contact

KeyDrops Pty Ltd — Privacy Officer
PENDING
privacy@keydrops.com.au

The Office of the Australian Information Commissioner (OAIC) can be reached at oaic.gov.au, by phone on 1300 363 992, or by post to GPO Box 5218, Sydney NSW 2001.


KEYDROPS PTY LTD
ABN PENDING
NSW TP-24118 / ACT TP-0091
