Compliant with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
Last updated: 28 April 2026
TOPDOG Pizza (operated by NOTFAR Group Pty Ltd) respects your privacy and is committed to protecting the personal information you share with us when you order through our website, mobile app, in-store point-of-sale system, or third-party delivery partners.
This policy explains what we collect, why we collect it, how we use and protect it, and your rights under Australian privacy law. Where relevant, the disclosures below correspond directly to the Data Safety declarations published on our Google Play Store listing.
1. Information we collect
We only collect personal information needed to take, process, deliver and fulfil your orders. Categories include:
Delivery information: street address, suburb, postcode, optional delivery instructions, approximate location (when you use address autocomplete).
Order details: items ordered, modifiers, special requests, scheduled time, order history, in-app interactions (e.g. screens viewed, items added to cart).
Payment information: card payments are processed directly by Stripe Inc. — TOPDOG Pizza never sees or stores full card numbers, CVV codes, or full bank details. We only retain a tokenised reference and the last four digits. Stripe also collects a device fingerprint at checkout for fraud prevention.
Device & technical identifiers (mobile app and web): these are required for security, fraud prevention, push notifications and basic functionality.
Push notification token — a unique token issued by Firebase Cloud Messaging (Google) on Android, or Apple Push Notification Service (Apple) on iOS, used solely to send you order-status notifications.
Firebase Installation ID (Android) — assigned by Google's Firebase SDK when the app is installed.
Android ID / Advertising ID — accessed by some embedded SDKs (Firebase, Stripe) for fraud, analytics and crash diagnostics. We do not use this for advertising or third-party ad tracking.
Device fingerprint — generated by the Stripe SDK at payment for fraud prevention.
IP address, app version, device model, OS version — sent with each request for routing, debugging, and security.
2. How we use your information
To prepare and fulfil your order (in-store, pickup, or delivery).
To communicate with you about your order — order confirmations, delivery updates, and service issues — by SMS, email, or push notification.
To process payments through our PCI-compliant payment provider.
To dispatch couriers via third-party delivery networks (e.g. Uber Direct, DoorDash) when you choose delivery.
To prevent fraud, abuse, and misuse of the service.
To diagnose crashes and maintain app reliability (analytics on app interactions, error reports).
To comply with our legal obligations, including Australian taxation and consumer law.
With your express consent, to send you occasional promotional offers. You may opt out at any time.
3. Who we share information with
We do not sell, rent, or trade your personal information. We share it only with the limited set of providers needed to run the service. All transfers occur over TLS 1.2+ encrypted connections.
Stripe Inc. — payment processing and payment-related fraud prevention (receives card details, device fingerprint, IP).
Twilio Inc. — SMS delivery for order updates and verification codes (receives phone number, message body).
Google LLC — Maps / Places APIs for address autocomplete and geocoding; Firebase Cloud Messaging for Android push notifications (receives address strings, FCM tokens, Firebase Installation ID).
Apple Inc. — Apple Push Notification Service for iOS push notifications (receives APNs tokens).
Uber Technologies Inc. (Uber Eats Marketplace, Uber Direct) — when you order via Uber Eats, or when we dispatch an Uber driver to deliver your order.
DoorDash Inc. — when you order via the DoorDash Marketplace.
Hosting & infrastructure providers — secure servers located in Australia.
Law enforcement or government agencies — only when legally required.
4. Data retention
We keep order records for the period required by Australian taxation and accounting law (currently seven years from the end of the financial year). Identity and contact details linked to inactive accounts are anonymised after 24 months of inactivity unless deletion is requested earlier. Payment tokens are retained only for the duration of an active subscription or recurring order setting. Push notification tokens and device identifiers are deleted automatically when you uninstall the app or sign out.
5. Your rights
Under the Australian Privacy Principles you have the right to:
Request access to the personal information we hold about you.
Request correction of any information that is inaccurate or out of date.
We use industry-standard security measures to protect your personal information, including TLS 1.2+ encryption in transit, encrypted database storage, IP-restricted admin and POS interfaces, parameterised database queries, and routine staff training on customer data handling. While no system is perfectly secure, we treat protecting your data as a core responsibility.
7. Cookies & tracking
Our website uses essential cookies to keep your shopping cart and login session active. We do not currently use third-party advertising trackers, and we do not sell user behaviour to ad networks. Analytics are limited to anonymised performance metrics and crash diagnostics, and are not used to build cross-site advertising profiles.
8. Children
Our service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
9. Mobile app — Google Play Data Safety alignment
The following table mirrors the Data Safety declaration we publish on the Google Play Store for the TOPDOG Pizza Android app, so you can see at a glance what is collected, why, and whether it is shared with third parties.
Personal info — Name, Email, Phone, Address: collected, shared with Stripe / Twilio / Uber / DoorDash as required for the order. Required. Encrypted in transit. Deletion supported.
Financial info — User payment info: collected by Stripe (not by us). Required. Encrypted in transit. Tokenised in our system.
Location — Approximate location: collected via address autocomplete. Required for delivery orders. Not shared beyond Google Maps APIs.
App activity — App interactions: collected for in-app analytics (push notification routing, crash diagnostics). Optional. Not shared with advertisers.
Device or other IDs: Firebase Installation ID, FCM push token, APNs token, Stripe device fingerprint, Android ID/Advertising ID accessed by embedded SDKs. Required for push notifications and fraud prevention. Shared with Google (FCM), Apple (APNs), and Stripe. Encrypted in transit. Deletion supported via uninstalling the app or contacting us.
None of the categories above are used for third-party advertising or to build user profiles for sale.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will reflect the latest revision. Material changes will be highlighted on our website home page.