Privacy Policy
Last updated: 12 June 2026
theSMS Pty Ltd (“theSMS”, “we”, “us”) respects your privacy. This policy describes how we collect, hold, use, and disclose personal information in connection with our website and services at thesms.com.au and related domains we operate (including thesms.dev for non-production environments) (together, the “Service”). We handle personal information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”), including the Australian Privacy Principles (“APPs”) where they apply to us. If there is any inconsistency between this policy and the Privacy Act, the Privacy Act prevails.
1. Who we are and how to contact us
theSMS connects customers, massage businesses and brothels, and (where applicable) staff through discovery, profiles, roster features, messaging, and community features such as the forum.
Privacy enquiries and requests may be sent via our Contact page or to support@thesms.com.au. Postal address: Level 1, 63-73 Ann Street, Surry Hills, NSW 2010.
2. What we collect
We collect personal information that is reasonably necessary for our functions and activities. Depending on how you use the Service, this may include:
- Identity and account details: email address, username or display name, password (stored using one-way hashing - we cannot read your password), role (e.g. customer, business, staff, admin), and profile or business information you choose to provide.
- Verification and security: email verification status, tokens for password reset or email change (stored in hashed or otherwise protected form), session identifiers, sign-in or security-related timestamps where recorded, and similar metadata.
- Messaging: content you send through customer-business messaging, and related metadata (for example time sent, read state, conversation identifiers).
- Community content: posts, replies, attachments, and associated metadata (approved content may be visible to other users or the public, depending on how the feature is presented).
- Business content: shop profile, roster, services, images you upload, billing contacts where supplied, and related operational data.
- Payments and subscriptions: if you pay through our payment provider, we receive and store payment-related identifiers, subscription status, and billing records; payment card details are collected and stored by the payment provider (typically Stripe), not on our servers.
- Technical and usage data: IP address, browser type, device or application identifiers where available, pages or API paths accessed, approximate location derived from IP, and first-party analytics or diagnostic data we store to operate, secure, and improve the Service.
- Support and enquiries: information you provide when you contact us or submit forms.
- Contact numbers: mobile or phone numbers you provide (for example on a business request, account profile, or shop contact details), where you choose to supply them.
We do not ask you to provide sensitive information (such as health information) to use the core Service. If you voluntarily include sensitive information in a chat message, profile, community post, or attachment, we will handle it only for the purposes of providing the Service and as otherwise permitted or required under the Privacy Act.
3. Why we collect and use personal information
We use personal information for the primary purposes you would expect, including to:
- create and manage accounts, authenticate users, and secure the platform;
- operate discovery, profiles, roster features, favourites, messaging, the forum, and related functionality;
- process payments and subscriptions where applicable;
- send transactional and service communications needed to run your account and the Service (for example verification, password reset, security alerts, receipts, billing, and important account notices);
- send optional notifications you have not turned off (for example email or push alerts about new messages, roster activity, or community threads you follow);
- where permitted by law and, where required, with your consent or another lawful basis, send marketing and product communications about theSMS (see section 4);
- detect and prevent abuse or fraud, moderate content, enforce our Terms of Use, and comply with legal obligations;
- maintain first-party analytics and diagnostics to understand usage and improve reliability and performance;
- respond to enquiries and provide support.
4. Electronic communications, marketing, and consent
We may contact you by email, text message (SMS) where we have your mobile number and use that channel, browser push notifications where you enable them, and in-app messaging on the Service. This section explains how we handle consent and preferences. It does not cover messages you send or receive through customer-business chat on the platform, which are governed by how you use that feature and our Terms of Use.
Transactional and essential messages. We may send emails (and, where appropriate, other channels) that are reasonably necessary to provide the Service, protect your account, or meet legal obligations. Examples include email verification, password reset, sign-in or security notices, payment or subscription receipts, and responses to support enquiries. These are not marketing messages. You cannot opt out of receiving them while you maintain an account that requires them, but you may close your account as described in section 10.
Service and notification messages. With your agreement to these practices (including by creating an account and using the Service), we may send non-marketing alerts about activity on your account, such as new direct messages, roster updates for your business, or replies in community threads you follow. For email and push, you can turn categories on or off in Notifications & email in your account (or via unsubscribe links in our emails). If you unsubscribe from all non-essential emails, we will still send transactional emails when needed.
Marketing messages. We may send marketing or promotional content about theSMS (for example product news, tips, subscription or plan reminders, and business onboarding updates) by email, push, SMS, or other channels we introduce, but only where permitted by law. Where the law requires consent (including under the Spam Act 2003 (Cth) for commercial electronic messages and applicable rules for telemarketing or SMS), we rely on your consent or another permitted basis. Consent may be given when you sign up, opt in on a form, or leave relevant notification categories enabled after we have clearly described what you will receive. You may withdraw consent or opt out at any time by using Notifications & email, an unsubscribe link in an email, replying STOP to an SMS from us where that applies, disabling push in your browser or device settings, or contacting us via Contact.
SMS and phone. If you provide a mobile number, we may use it to contact you for the purposes above. Message and data rates may apply depending on your carrier. We do not sell your phone number. If we send marketing SMS, we will identify theSMS as the sender and include a functional opt-out where required by law.
Third-party delivery. We use service providers (for example email and notification platforms) to send messages on our behalf. They process contact details and message content only to deliver communications for us, in line with section 6.
5. Cookies and similar technologies
We use cookies and similar technologies that are necessary for session management, authentication, security (for example CSRF protection), and preferences. You can control non-essential cookies through your browser settings; disabling essential cookies may affect sign-in or certain features.
6. Disclosure and overseas recipients
We may disclose personal information to:
- Service providers who assist us (for example payment processing, email delivery, hosting, cloud infrastructure, maps or location services, optional AI or parsing features when enabled, and security or monitoring tools). They are authorised to use personal information only to provide services to us and in line with our instructions.
- Other users where the Service is designed to show information to them (for example chat messages to a business, or community content to participants).
- Professional advisers (for example lawyers, insurers) under confidentiality obligations.
- Law enforcement, regulators, or courts when required or permitted by law, or to protect our rights, users, or the public.
Some service providers may store or process personal information outside Australia (including in the United States and other regions where cloud providers operate). Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs in line with APP 8, except where an exception under the Privacy Act applies.
7. Security
We use administrative, technical, and organisational measures appropriate to the nature of the Service - including access controls, password hashing (bcrypt), HTTPS on our production and staging sites, session protections, rate limiting on sensitive endpoints, and database access limited to operational needs. No online service can be guaranteed completely secure; you should use a strong unique password and protect your devices.
Direct messages are visible to participants in that conversation under our access rules; they are stored like other account data and are not end-to-end encrypted by the application.
8. Data breaches
If we become aware of unauthorised access to or disclosure of personal information that is likely to result in serious harm, and the incident qualifies as an eligible data breach under the Privacy Act, we will assess the matter and comply with the Notifiable Data Breaches scheme (including notification to the Office of the Australian Information Commissioner and affected individuals where required).
9. Retention
We retain personal information for as long as your account is active and as needed to provide the Service, comply with law (including tax, accounting, or dispute resolution), resolve disputes, and enforce our agreements. When retention is no longer required, we take reasonable steps to delete or de-identify information, subject to backup and archival cycles.
10. Access, correction, and deletion
You may access and update certain information in your account settings. You may contact us to request access to other personal information we hold about you or to correct inaccurate information. You may request deletion or deactivation of your account; we will action requests where reasonable and subject to legal or legitimate retention requirements (for example billing records, security logs, or content we are required to retain).
11. Anonymity, pseudonymity, and children
Where lawful and practicable, you may interact with us without identifying yourself (for example browsing limited public pages). Most account features require identifiable information. The Service is not directed at children under 16; if you believe we have collected information from a child without appropriate authority, contact us and we will take reasonable steps to address it.
12. Complaints
If you believe we have mishandled your personal information, contact us first via Contact or support@thesms.com.au. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
13. Changes
We may update this policy from time to time. The “Last updated” date will change; for material changes we will provide additional notice if required by law (for example via email or a notice on the Service).