mangoe.
Get beta access
Legal

Privacy Policy

How Mangoe collects, uses, shares and protects your information across mangoe.co and zappybook.com.

Last updated: 16 June 2026  ·  Effective: 16 June 2026

In short: We only collect what we need to run our products and serve you. We never sell your personal information. We encrypt your data, host it securely, honour your rights under Australian, European and US privacy law, and make it easy to access or delete your information at any time.

1. Who we are

This Privacy Policy is issued by Mangoe (“Mangoe”, “we”, “us”, “our”), an Australian business with ABN 57 674 662 894, based in Beaconsfield, Victoria, Australia. Mangoe builds and operates software for entrepreneurs, including ZappyBook, an all-in-one online booking and business-management platform.

For any privacy question, you can reach our privacy team at info@mangoe.co or by post at Mangoe, Beaconsfield, VIC 3807, Australia.

2. Scope of this policy

This policy applies to personal information we handle through:

  • our websites at mangoe.co and zappybook.com and any subdomains;
  • the ZappyBook application and related services; and
  • our sales, support, marketing and business operations.

We aim to handle your personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and, where they apply to you, the EU and UK General Data Protection Regulation (GDPR) and US state privacy laws including the California Consumer Privacy Act (CCPA/CPRA). Third-party services we link to have their own privacy policies, which govern your use of them.

3. Our roles: when we are a “controller” and a “processor”

Privacy laws distinguish between the party that decides why and how data is handled (a controller or business) and a party that handles data on someone else’s behalf (a processor or service provider). Mangoe acts in both roles:

  • As a controller / business: for the personal information of our own account holders, website visitors, and prospects (for example, your account details, billing information, and how you use our marketing site).
  • As a processor / service provider: for the data that our business customers upload into ZappyBook about their own clients (for example, contact details, bookings, intake-form answers, uploaded photos and files, quotes and invoices). We process that “Customer Data” only on our customer’s instructions and only to provide the service, under a written agreement. If you are an end-client of a business that uses ZappyBook and want to exercise privacy rights over that data, please contact that business (the controller); we will assist them as required.

4. Information we collect

We collect the following categories of information:

Information you give us

  • Account & profile data: name, business name, email, phone, password, and preferences.
  • Booking & scheduling data: services, appointments, availability, locations and notes.
  • Customer & contact data: details of the clients you manage, including names, contact details, history and lifetime value.
  • Custom form data: information you collect through intake forms, which may include property-access details (such as lockbox or gate codes) and other instructions. You are responsible for handling such sensitive details lawfully.
  • Content & files: photos, videos, documents and galleries you upload or deliver.
  • Quotes, invoices & payment data: billing details and transaction records. Card payments are processed by our payment provider (Stripe); we do not store full card numbers.
  • Communications: messages, support requests and survey responses.

Information we collect automatically

  • Usage & device data: IP address, browser and device type, pages viewed, and actions taken, collected via cookies and similar technologies (see Cookies).
  • Log & security data: access logs and diagnostics used to keep the service secure and reliable.

Information from third parties

  • Connected services: when you link an integration (for example Google Calendar, Meta, or QuickBooks), we receive data from that service with your authorisation, limited to what is needed for the feature you enabled (see Sharing & integrations).

5. How we use information

We use personal information to:

  • provide, operate, secure and improve our websites and ZappyBook;
  • create and manage your account and process bookings, quotes, invoices and payments;
  • send service messages such as booking confirmations, reminders and delivery updates;
  • provide customer support and respond to your enquiries;
  • personalise and improve features, and develop new ones;
  • send you marketing about our products where you have consented or as otherwise permitted by law (you can opt out at any time);
  • detect, prevent and address fraud, abuse, security and technical issues; and
  • comply with our legal obligations and enforce our terms.

We do not use data accessed through third-party APIs (such as Google user data) to serve advertising, and we do not sell your personal information.

Where the GDPR applies, we rely on the following legal bases under Article 6:

  • Performance of a contract: to provide the service you sign up for.
  • Consent: for optional marketing, non-essential cookies, and certain integrations. You may withdraw consent at any time.
  • Legitimate interests: to secure, maintain and improve our services and communicate with customers, balanced against your rights.
  • Legal obligation: to comply with applicable laws (for example, tax and accounting records).

7. Cookies & tracking

We use cookies and similar technologies to run our sites, remember your preferences, and understand usage so we can improve. We classify them as:

  • Strictly necessary: required to operate the site and your session (always on).
  • Analytics & performance: help us understand how the site is used (set only with your consent).
  • Preference: remember your choices.

In regions where prior consent is required (such as the EU/UK under the ePrivacy Directive), we ask for your consent before setting non-essential cookies via our cookie banner, and you can change your choice at any time. We honour browser-based opt-out preference signals such as Global Privacy Control (GPC) where applicable. We keep third-party advertising trackers off our sites, so we can honestly say we do not “sell” or “share” your information for cross-context behavioural advertising.

8. Sharing & integrations (sub-processors)

We never sell your personal information. We share it only as needed to run our services, with trusted providers (“sub-processors”) under contracts that require them to protect it and use it only to provide services to us, and where required by law.

ProviderPurposeRegion
Amazon Web Services (AWS)Cloud hosting, storage & computeAustralia / global
Amazon SESTransactional & notification email deliveryUnited States (US West)
StripePayment processingGlobal
GoogleSign-in & Calendar sync (when enabled)Global
MetaMarketing & page integrations (when enabled)Global
Intuit QuickBooksAccounting sync (when enabled)Global

A current list of sub-processors and a Data Processing Addendum (DPA) are available to customers on request at info@mangoe.co.

Google API Services & Limited Use

When you connect a Google account (for example, to sync your Google Calendar or sign in with Google), Mangoe’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • we limit our use of Google user data to providing or improving the user-facing features that are prominent in ZappyBook (such as calendar availability and booking sync);
  • we only transfer Google user data to others as needed to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition with notice to users;
  • we do not allow humans to read Google user data unless you give consent for specific data, it is necessary for security or to comply with law, or the data is aggregated and anonymised for internal operations; and
  • we do not use or transfer Google user data for serving advertisements, including personalised, re-targeted, or interest-based advertising.

We request the narrowest Google permissions needed, show a clear in-product explanation before requesting access, and you can revoke our access at any time in your Google account settings or by disconnecting the integration in ZappyBook.

Meta

If you connect a Meta (Facebook/Instagram) account, we access only the data needed for the feature you enable, in line with Meta’s Platform Terms and Developer Policies. You can disconnect at any time, and you can request deletion of data associated with the connection via our Data Deletion page.

Intuit QuickBooks

If you connect QuickBooks, we access your QuickBooks data only to provide the accounting-sync features you enable, using OAuth 2.0. We will not use QuickBooks customer data for any purpose other than providing our service to you. When you disconnect QuickBooks, we stop accessing that data and delete or de-identify stored QuickBooks data we no longer need.

9. Email & communications

We use Amazon SES to deliver email. Our sending practices follow Australian and international anti-spam law, including the Spam Act 2003 (Cth) and the US CAN-SPAM Act:

  • we send email only to people who have a relationship with us or have requested it, we never buy, rent or share email lists;
  • we clearly identify ourselves as the sender and the purpose of the message;
  • marketing emails include a working one-click unsubscribe (List-Unsubscribe / RFC 8058) and a valid postal address, and we action opt-outs promptly;
  • we authenticate our mail with SPF, DKIM and DMARC; and
  • we monitor bounces and complaints and suppress addresses that bounce or complain.

Transactional messages essential to a service you use (such as booking confirmations or receipts) may still be sent even if you opt out of marketing.

10. International data transfers

We are based in Australia and use reputable global providers, so your information may be processed outside your country, including in Australia, the United States and other regions. Australia is not currently the subject of an EU “adequacy decision”. Where we transfer personal data from the EEA or UK, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum/IDTA, together with additional measures where needed. For Australian customers, we handle overseas disclosures consistently with APP 8.

11. Data retention

We keep personal information only as long as needed for the purposes described in this policy, then delete or de-identify it. Indicative periods:

  • Account & Customer Data: for the life of your account and for a reasonable wind-down period after closure so you can export it (typically up to 30–90 days), unless you ask us to delete it sooner.
  • Billing & tax records: as required by law (generally up to 5–7 years).
  • Marketing data: until you unsubscribe or ask us to delete it.
  • Logs & analytics: for a limited period for security and improvement.

Where exact periods can’t be specified, we use criteria such as the nature of the data, the purpose, and our legal obligations to determine retention.

12. How we protect data

We take security seriously. Measures include encryption of data in transit and at rest, least-privilege access controls, secure secret and token storage, network protections, monitoring and logging, and regular review. No method of transmission or storage is 100% secure, but we work hard to protect your data and to notify you of incidents where required. Learn more on our Security & Trust page.

13. Your privacy rights

Everyone

You can ask us to access, correct, update or delete your personal information, or to export it. Contact info@mangoe.co and we’ll respond within the timeframes required by law. You can also delete your account at any time, see Data Deletion.

Australia (Privacy Act & APPs)

You may request access to and correction of your personal information. If you’re concerned about how we’ve handled your information, contact us first; if you’re not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

EU/UK (GDPR)

You have the rights to access, rectification, erasure, restriction, data portability, and to object to processing, as well as to withdraw consent and to lodge a complaint with your local supervisory authority. We act on these rights without undue delay and within one month where required. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. If you are in the EU or UK and need to reach our data-protection representative, contact info@mangoe.co and we will direct your request appropriately.

United States (California & other states)

If you are a California resident, you have the right to know, access, delete, and correct your personal information, to opt out of any “sale” or “sharing,” to limit the use of sensitive personal information, and to non-discrimination for exercising your rights. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We honour authorised-agent requests and recognised opt-out preference signals. Residents of other US states with privacy laws have comparable rights, including an appeal process for denied requests. To exercise any right, email info@mangoe.co.

14. Your privacy choices

  • Marketing: unsubscribe via the link in any marketing email, or email us.
  • Cookies: adjust your choice via our cookie banner or your browser settings.
  • Connected apps: disconnect Google, Meta or QuickBooks at any time in ZappyBook or in the provider’s settings.
  • Access, deletion & “Do Not Sell or Share”: contact info@mangoe.co. As noted, we do not sell or share personal information.

15. Data breaches

We maintain an incident-response process. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the relevant regulator (such as the OAIC under the Notifiable Data Breaches scheme, and supervisory authorities under the GDPR) as required by law.

16. Children

Our services are intended for businesses and adults. They are not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we’ll delete it.

17. Changes to this policy

We may update this policy from time to time. We’ll post the updated version here with a new “Last updated” date and, for material changes, provide additional notice (such as by email or in-product). Your continued use after changes take effect means you accept the updated policy.

18. Contact us

Questions, requests or complaints about privacy:

  • Email: info@mangoe.co
  • Post: Mangoe, Beaconsfield, VIC 3807, Australia
  • ABN: 57 674 662 894

See also our Terms of Service, Data Deletion instructions, and Security & Trust overview.