Privacy Policy

Nightshift Media Group Pty Ltd

ABN: 83 696 072 483

This policy explains how we collect, use, and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Last updated: April 2026

1. INTRODUCTION

This Privacy Policy applies to Nightshift Media Group Pty Ltd (ABN 83 696 072 483) ("we", "us", "our"), the brand owner and promoter of "MESSY" student nights. We are committed to protecting your privacy and ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. INFORMATION WE COLLECT

Purchase Information: When you purchase a ticket, we collect your full name, email address, phone number (optional), postcode (optional), and university (optional). Payment card data is processed directly by Stripe and is never stored on our servers.

Marketing Consent: If you opt into 'PERKS & UPDATES', we record your explicit consent, timestamp, and IP address to maintain an audit trail for compliance with Australian Communications and Media Authority (ACMA) regulations.

Ticket & Entry Data: We generate a unique QR code linked to your order. Door staff scan this at entry. We record scan time and entry status.

Device & Usage Data: We collect standard web analytics data (browser type, pages visited, referring URL) to improve site performance. This data is aggregated and not linked to your identity.

3. PAYMENT SECURITY

PCI-DSS Compliance: Your payment information is processed via Stripe, a PCI-DSS Level 1 compliant payment processor. Your credit card data never touches our servers. We do not store card numbers, expiry dates, or CVV codes.

3D Secure (3DS): Stripe automatically applies 3D Secure verification to high-risk transactions to prevent fraud and unauthorized chargebacks.

What We Store: We store only Stripe Payment Intent IDs, Stripe Customer IDs, transaction dates, amounts, and ticket quantities. No payment method details are retained.

4. DATA ENCRYPTION & STORAGE

Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS encryption.

Encryption at Rest: Customer data stored in our database is encrypted at rest, including email addresses, phone numbers, postcodes, and university information.

Database Location: Your data is stored on Manus infrastructure hosted on AWS (Amazon Web Services), prioritizing the Sydney region (ap-southeast-2) for Australian Privacy Act compliance.

Access Controls: Access to customer data is restricted to authorized MESSY administrators with multi-factor authentication (MFA) enabled, automated systems for ticket delivery, and trusted third-party providers.

5. HOW WE USE YOUR INFORMATION

Ticket Fulfilment: We use your name and email to send ticket confirmations and QR codes via email.

SMS Delivery: If you opt in, we use your phone number to deliver your ticket via SMS and send exclusive event updates and perks.

Event Operations: Your name and ticket status are used for door management and entry verification on the night.

Audience Segmentation: Your postcode and university information help us target campus-specific marketing and event planning.

Marketing (with consent): With your consent, we send information about future MESSY events via email and SMS. You can unsubscribe at any time.

Legal & Compliance: We retain transaction records as required by Australian tax law and for refund/chargeback dispute resolution.

6. THIRD PARTY SERVICE PROVIDERS

We share your information only with trusted third-party providers who help us operate the platform. Each provider is bound by their own privacy obligations.

Stripe: Payment processing. Receives your name, email, and payment details. PCI-DSS Level 1 certified. See stripe.com/privacy.

Twilio: SMS delivery (if opted in). Receives your phone number and message content. Complies with Australian carrier regulations. See twilio.com/legal/privacy.

Resend: Transactional email delivery. Receives your name and email address. See resend.com/privacy.

Manus: Platform infrastructure and database hosting. See manus.im/privacy.

Meta / TikTok (where active): If advertising pixels are active, hashed email addresses and event data may be shared for ad measurement and retargeting. Opt out via your Meta or TikTok ad settings.

7. DATA RETENTION & DELETION

Retention Period: We retain your personal information for 48 months (4 years) from the date of ticket purchase. This allows us to process refunds, resolve disputes, comply with tax requirements, and maintain audit trails.

Automatic Deletion: After 48 months, your personal information is automatically deleted from our systems, except where we are required to retain it by law or where you have an outstanding dispute.

Right to be Forgotten: You have the right to request deletion of your personal information at any time. Email us at [email protected] with 'Data Deletion Request' in the subject line. We will process your request within 14 days.

8. SMS & MARKETING COMPLIANCE

SMS Consent & Audit Trail: When you opt into 'PERKS & UPDATES', we record your explicit consent, timestamp, IP address, and device information to comply with ACMA regulations and prove consent if required.

SMS Opt-Out: You can unsubscribe from SMS communications at any time by replying 'STOP' to any SMS or emailing [email protected]. We will process your opt-out within 24 hours.

Email Marketing Compliance: All promotional emails include an 'Unsubscribe' link. We comply with the Spam Act 2003 (Cth) by obtaining explicit consent, providing clear unsubscribe options, and honoring opt-out requests within 48 hours.

9. AUSTRALIAN PRIVACY ACT COMPLIANCE

We comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). You have the right to access, correct, or delete your personal information. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Privacy Act.

10. SECURITY MEASURES

Technical Safeguards: HTTPS/TLS encryption, database encryption at rest, multi-factor authentication (MFA) for admin accounts, access logs, and regular security audits.

Data Minimization: We collect only the information necessary for our services and do not store sensitive payment or card details.

Incident Response: If we believe your information has been compromised, we will notify you immediately and take appropriate remedial action.

11. YOUR PRIVACY RIGHTS

Under the Privacy Act, you have the right to access the personal information we hold about you, request corrections to inaccurate data, request deletion of your data (subject to legal retention requirements), and opt out of direct marketing at any time. To exercise any of these rights, contact us at [email protected].

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via a notice on our website. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. CONTACT & COMPLAINTS

For privacy enquiries or to exercise your privacy rights, contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or call 1300 363 992.
