KeyHive is a licensed Western Australian real estate service. We collect the personal information we need to provide our services — including identity verification required by law — and we use field-level AES-256-GCM encryption to protect sensitive information at rest. We do not sell your personal information. We share it only where necessary to deliver our services or where required by law. You can contact our Privacy Officer at any time at privacy@keyhive.com.au.
This Privacy Policy explains how Keyhive.com.au Pty Ltd (ACN 677 972 922, ABN 51 677 972 922) ("we," "us," or "our") collects, uses, holds, and discloses your personal information in connection with our real estate services and supporting technology (the "Services"). We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Age requirement: You must be 18 years or older to use KeyHive. If we become aware that we have inadvertently collected personal information about a person under 18 (for example, where a property listing involves a minor), we will delete that information promptly unless we are required to retain it by law.
Anonymity and pseudonymity (APP 2): Where lawful and practicable, you may interact with us anonymously or under a pseudonym. However, because our services involve regulated real estate transactions and identity-verification obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Real Estate and Business Agents Act 1978 (WA), it is generally not practicable to provide our core services anonymously.
1. Information We Collect
Personal Information
When you register for an account or use our Services, we may collect:
Contact information (name, email, phone, postal address)
Identity verification details (driver's licence, passport, date of birth)
Property information (addresses, ownership details, listing descriptions)
Financial information related to transactions (deposit amounts, preferred settlement dates)
Communication records (messages, support requests, transaction correspondence)
Emergency contact details (name, phone, relationship), if you choose to provide them — stored with AES-256-GCM encryption
Sensitive Information
Some of the information above is sensitive information under section 6 of the Privacy Act 1988 (Cth) — specifically:
Biometric information collected during identity verification (your selfie and the liveness check)
We collect sensitive information only with your consent and only where it is reasonably necessary for our functions. Identity verification is required to comply with our AML/CTF and real estate licensing obligations. You may withdraw consent at any time by contacting privacy@keyhive.com.au, but we may be unable to continue providing services that depend on verified identity.
Pre-Account Property Management Invitations
Where our agents create a property listing on your behalf before you have created a KeyHive account, we collect:
Your email address and phone number (encrypted with AES-256-GCM)
Your name and the property address for the listing
A record of how and when we collected your details
Why: to create your listing and keep you informed about offers and key updates while we manage your property sale.
APP 5 collection notice: We send you a privacy notice email at the time of collection explaining what we have collected, why, and your rights.
Retention: Encrypted contact information is deleted automatically when you create your account, or 12 months from the date of collection if no account is created.
Your rights: You can request access, correction, or deletion at any time by emailing privacy@keyhive.com.au. Creating a free KeyHive account gives you direct control over your listing and associated data.
Identity Verification
When you verify your identity, you provide:
A government-issued ID (driver's licence or passport)
A selfie with a liveness check
Device details for security purposes
Your consent and a record of when it was given
Verification is performed by our partner AplyID. AplyID processes your documents securely. KeyHive does not store your identity documents or biometric data — we retain only your verification status. Your verification remains active for 12 months.
Document Verification Service (DVS)
AplyID may use the Australian Government's Document Verification Service (DVS) to confirm the authenticity of your identity documents. This means:
Document details may be checked with the issuing authority (for example, a state transport authority for driver's licences)
AplyID accesses the DVS via approved Gateway Service Providers on our behalf
All verification checks are logged for compliance and audit purposes
We obtain your explicit consent before performing any DVS check
Social Login
If you create an account using a social login provider (Facebook, Google, or Apple), we may receive:
Basic profile information (name, email, profile picture)
An account identifier from the social platform (used to link your account)
Any additional information you authorise the social platform to share
We request only the minimum information needed. You can revoke our access at any time through your account settings on the relevant platform.
Referral Programme
When you sign up as a Referral Partner, we collect:
Your name, email, and phone number (for programme administration and reward processing)
Your referrer type (for example, friend/family, mortgage broker, conveyancer)
Your unique referral code and attribution history
Referral attribution cookie (__kh_attr): When a prospective seller clicks a referral link, we store the referral code in this first-party cookie alongside campaign parameters and ad-click identifiers. The cookie is httpOnly, contains no directly identifying personal information, and expires after 90 days.
Technical Information
We automatically collect:
Device information (IP address, browser type, operating system)
Usage data (pages visited, time spent, features used)
Location data (only if you enable location services)
Cookies and similar tracking technologies (see Section 6)
2. How We Use Your Information
We use your personal information to:
Provide our services: deliver consultation, property analysis, and transaction management through our licensed agents
AI-assisted analysis: generate property valuations, market analysis, pricing recommendations, and listing content (always reviewed by a licensed agent before use)
Process transactions: handle offers, contracts, and settlement coordination
Verify identity: comply with legal obligations and prevent fraud
Coordinate service partners: engage photographers, settlement agents, inspectors, and brokers on your behalf
Communicate with you: send service updates, notifications, and respond to support requests
Marketing: send property alerts and KeyHive updates, only where you have opted in. You can unsubscribe at any time via the link in any email or in your account settings
Advertising measurement: measure the effectiveness of advertising campaigns by sending pseudonymised (SHA-256 hashed) personal information — such as email, phone, and name — to advertising platforms including Google and Meta. The hash cannot be reversed to obtain your original information
Comply with the law: meet our obligations under Australian privacy, AML/CTF, and WA real estate regulations
Administer the Referral Programme: track attributions, calculate rewards, process payments at settlement, and send programme updates
Direct marketing: We send marketing communications only with your consent, and you can unsubscribe at any time. We do not sell or rent your email address or phone number to third parties.
Withdrawing consent: To withdraw consent for any processing (including AI-assisted analysis), email privacy@keyhive.com.au. Where withdrawal prevents us from delivering a service, we will tell you.
AI-Assisted Processing
Property valuation and market analysis: your property details may be processed by AI tools to generate valuations, comparable-sales analysis, and market insights. A licensed agent reviews all AI output before it is provided to you or used in marketing.
Content generation: property descriptions, marketing content, and listing enhancements may be drafted with AI assistance and reviewed by a licensed agent.
No training on your personal data: your personal information is not used to train AI models. Aggregated, anonymised market data may be used for service improvement.
Opt-out of AI processing: you can request manual analysis only by contacting privacy@keyhive.com.au.
3. When We Share Your Information
We share your personal information with:
Our licensed real estate agents: to deliver consultation, market analysis, and transaction management
Other users: your property listings and messages when you are buying or selling
Service partners we engage on your behalf: professional photographers, licensed settlement agents, qualified inspectors, and mortgage brokers
Essential service providers:
AplyID — identity verification (does not store your documents on our behalf)
Gateway Service Providers — DVS access for document verification
Supabase — database hosting (Australian region)
SendGrid — email delivery
Google Maps — property location services
Google Gemini — AI processing for property analysis
Financial partners: only when arranging deposits, loans, or settlement
Where required by law: to comply with legal processes or government requests, protect our rights or the safety of users, prevent fraud, or meet AML/CTF and identity verification obligations
A current list of our service providers is available on request from privacy@keyhive.com.au. We will update this Privacy Policy when material changes occur.
4. How We Protect Your Information
Encryption
AES-256-GCM field-level encryption at rest for sensitive personal information, including names, phone numbers, addresses, financial details, offer information, and message content
TLS 1.3 for data in transit
Cryptographic erasure for encrypted data at the end of its retention period
Access Controls
Multi-factor authentication required for staff and available for all user accounts
Role-based permissions: agents, users, and AI systems each have appropriately scoped access
API rate limiting and role-based access controls for AI, property, and admin operations
Sessions automatically expire after 30 days of inactivity, with enhanced monitoring for staff access
Operational Security
Hosted on infrastructure with SOC 2 Type II certification (Supabase)
Row-level security policies in our database
Automated security monitoring and alerting
Regular security patches and code reviews
Daily encrypted backups with point-in-time recovery
Audit logs of data access and modifications
Notifiable data breaches: If we suspect an eligible data breach has occurred, we will assess it as soon as practicable and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
No online system is completely secure. We use industry-standard practices to reduce risk, but cannot guarantee absolute security.
5. Your Privacy Rights
Under the Privacy Act 1988 (Cth) you can:
Access the personal information we hold about you
Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading
Request deletion of your information (where legally permitted)
Restrict or object to certain processing
Receive your data in a portable format
Withdraw consent to processing that relies on consent
Data Deletion (Social Login Users)
If you signed up using Facebook, Google, or Apple login:
You can request deletion of data we received from the social login provider
You can permanently delete your KeyHive account and associated data
You can request removal of specific categories of information, where legally permitted
We retain a record of deletion requests (separate from your account data) to demonstrate compliance with our obligations
Facebook users: Email us from your registered email address to request data deletion. We will verify your identity and respond within 30 days.
How to Make a Request
Email privacy@keyhive.com.au from your registered email address. We will verify your identity and respond within 30 days. Your first request each calendar year is free.
6. Cookies and Tracking
We use cookies and similar technologies to deliver and improve our Services:
Vercel Web Analytics — anonymous page-view data (pages visited, referral source, device type). No personally identifying information is collected.
Google Ads conversion tracking — when you visit our site after clicking a Google ad, a Google tracking tag records the visit. If you submit a lead form, we may send your hashed email and hashed phone number to Google for conversion measurement (Enhanced Conversions for Leads), and we may upload the related Google click identifier when a lead progresses to a signed listing or settlement. Google's privacy policy applies to its processing of this data.
Meta Pixel and Conversions API — the Meta Pixel records page views and interactions. When you submit a form, we send hashed lead information to Meta via the Conversions API for advertising measurement. This may include hashed email, phone, first name, last name, city/suburb, state, and postcode. Meta's privacy policy applies to its processing.
Attribution cookie (__kh_attr) — a first-party cookie storing campaign tracking parameters and identifiers (UTM values, referral codes, first-touch and last-touch ad-click IDs, landing page, and referring URL). It contains no directly identifying personal information and expires after 90 days.
You can control cookies through your browser settings. Disabling certain cookies may affect site functionality.
7. How Long We Keep Your Information
Data category: Retention period
Active account data: While your account is active and you are receiving services
Real estate service records: 6 years after service completion (Real Estate and Business Agents Act 1978 (WA))
Property transaction records: 7 years (real estate regulations)
AI processing data: Anonymised after 12 months; oversight records retained 7 years
Pre-account invitation data: Deleted on account creation, or 12 months from collection if no account is created
Identity verification status: 12 months from verification; 7 years for completed transactions
DVS audit logs: 7 years
Marketing preferences: Until you unsubscribe
Support communications: 2 years
Referral Partner records: 6 years after the last settled transaction; partners with no attributions after 24 months are eligible for deletion with notice
Erasure request records: Retained separately from account data for compliance purposes
After these periods, we securely delete your information, including by cryptographic erasure for encrypted data, unless a legal obligation requires longer retention.
8. Service Partner Privacy
We coordinate with licensed and qualified service partners to deliver our Services. These include professional photographers, licensed settlement agents, qualified inspectors, and mortgage brokers — each governed by their own privacy policies and professional obligations. Google Gemini processing is governed by Google's privacy policy with our additional contractual data protection terms. We encourage you to review these providers' privacy practices.
9. Overseas Disclosure of Personal Information
We disclose personal information to the following overseas recipients:
AplyID — identity verification (international processing facilities)
Google LLC — Google Maps, Google Gemini AI, Google Ads conversion tracking (United States)
Meta Platforms, Inc. — advertising measurement via the Conversions API (United States)
Personal information sent to advertising platforms (Google and Meta) is SHA-256 hashed before transmission; the recipients cannot reverse the hash to obtain your original information.
Our APP 8 basis: We rely on Australian Privacy Principle 8.1. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, including by entering into contractual data protection terms that bind the recipient to standards consistent with the APPs. We are accountable under section 16C of the Privacy Act 1988 (Cth) for acts or practices of overseas recipients of personal information we disclose to them.
Supabase, our database provider, hosts KeyHive data on Australian infrastructure; this is not an overseas disclosure.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on our Platform. Your continued use of our Services after changes take effect constitutes acceptance of the updated policy.
Mail: Privacy Officer, Keyhive.com.au Pty Ltd, PO Box 3344, Success WA 6164, Australia
12. Complaints
If you are concerned about how we have handled your personal information, please contact our Privacy Officer at privacy@keyhive.com.au.
Our process:
We will acknowledge your complaint within 5 business days of receipt.
We will investigate and provide a substantive response within 30 days. If your complaint is complex and we need more time, we will tell you and explain why.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
13. AI Data Processing Transparency
AI provider: Google Gemini may process your property information to generate market analysis, property descriptions, and valuation insights. Processing occurs under Google's privacy protections and subject to our contractual data protection terms.
Data minimisation: we send only the minimum property data necessary to AI services. Directly identifying personal information is removed or tokenised before AI processing where practicable.
Human oversight: all AI output is reviewed and validated by a licensed agent before being used in your service.
No training on personal data: your personal information is not used to train AI models. Aggregated, anonymised market data may be used for service improvement.
Opt-out: you can request that your data not be processed by AI tools — a licensed agent will provide manual analysis instead. Contact privacy@keyhive.com.au.
14. Regulatory Framework
We are committed to complying with Australian privacy and real estate laws, including:
Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs 1–13)
The Notifiable Data Breaches scheme
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)