Privacy Policy

1. What Information Do We Collect?

Information you provide to us

We collect personal information that you voluntarily provide to us, including when you:

• Create an account: name, email address, username, and password.
• Subscribe to a paid plan: billing name, billing address, and payment card details (processed securely by Stripe — see Section 3).
• Contact us for support: name, email address, and the content of your communications.
• Use features of the Services: any content, data, or files you upload or create within the platform.

All personal information you provide must be true, complete, and accurate. Please notify us of any changes.

Information collected automatically

When you access our Services, we automatically collect certain technical and usage information, including:

• IP address and approximate location (country/region)
• Device type, operating system, and browser
• Pages visited, features used, and time spent on the platform
• Referring URLs and clickstream data
• Error logs and performance data

This information is used to maintain the security and performance of our Services, diagnose technical issues, and improve the user experience. It is stored via Supabase (see Section 4).

Information from third-party sources

We may receive information about you from third parties, such as social login providers (e.g. Google, GitHub) if you choose to register or sign in using a third-party account, or marketing analytics platforms, if applicable.

2. How Do We Use Your Information?

We process your personal information for the following purposes:

• To provide the Services: creating and managing your account, enabling features, and delivering the functionality you have subscribed to.
• To process payments: facilitating subscription billing and payment transactions through Stripe.
• To communicate with you: sending service updates, security notices, support responses, and (where you have opted in) marketing communications.
• To improve our Services: analysing usage patterns, diagnosing bugs, and developing new features.
• For security and fraud prevention: monitoring for suspicious activity, protecting user accounts, and safeguarding our platform.
• To comply with legal obligations: meeting our obligations under Australian law and other applicable laws, including responding to lawful requests from authorities.
• With your consent: for any other purpose where we have obtained your prior consent.

We will only process your personal information where we have a lawful basis to do so. For users in the EEA/UK, our lawful bases include performance of a contract, compliance with legal obligations, legitimate interests, and consent.

3. Payment Processing — Stripe

We use Stripe, Inc. ("Stripe") to process all payment transactions. When you make a payment through our Services, your payment card information is submitted directly to Stripe and is not stored on our servers. Stripe is a PCI DSS-compliant payment processor.

Stripe may collect and process your name, billing address, email address, payment card details, and transaction history in accordance with their own privacy policy, available at stripe.com/privacy. By making a payment through our Services, you agree to Stripe's terms and privacy policy.

We receive from Stripe only limited transaction data necessary to manage your subscription (e.g. subscription status, last four digits of your card, and payment confirmation).

4. Data Storage and Infrastructure — Supabase

We use Supabase, Inc. ("Supabase") as our backend infrastructure provider. Supabase provides database, authentication, and storage services that power our platform. Your account information, usage data, and any content you create or upload within our Services may be stored on Supabase's infrastructure.

Supabase stores data on Amazon Web Services (AWS) infrastructure. By default, this data is stored in the United States, though Supabase offers regional hosting options. Please refer to Supabase's privacy policy at supabase.com/privacy for further details.

We have data processing agreements in place with Supabase that require them to process your personal information only in accordance with our instructions and applicable privacy laws.

5. When and With Whom Do We Share Your Information?

We may share your personal information in the following circumstances:

• Service providers: We share information with third-party vendors who assist us in operating our Services, including Stripe (payments) and Supabase (infrastructure). These providers are contractually obligated to protect your data and may not use it for their own purposes.
• Legal compliance: We may disclose your information where required by law, court order, or a request from a regulatory or government authority.
• Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, your information may be transferred as part of that transaction. We will notify you of any such change.
• Protection of rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding illegal activity, suspected fraud, or threats to the safety of any person.
• With your consent: We may share your information with other third parties where you have given us explicit consent to do so.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and session tokens) to:

• Keep you logged in to your account
• Remember your preferences and settings
• Understand how users navigate and use our Services
• Detect and prevent security threats

We may also use third-party analytics tools that collect anonymised or aggregated usage data to help us improve our platform.

Most browsers allow you to control or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.

7. International Data Transfers

We are an Australian company, but our Services are used worldwide and our key infrastructure providers (Stripe and Supabase) operate primarily in the United States. As a result, your personal information may be transferred to, stored in, and processed in countries other than Australia.

Under the Australian Privacy Principles (APP 8), we take reasonable steps to ensure that any overseas recipient handles your personal information in a manner consistent with the APPs. We do this by:

• Entering into data processing agreements with overseas providers that include privacy protections consistent with Australian law.
• Selecting providers who are certified under recognised privacy frameworks (e.g. Stripe's compliance with PCI DSS and applicable US privacy laws).

For users in the European Economic Area (EEA) or United Kingdom (UK), we rely on appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses (SCCs), where applicable.

8. How Long Do We Keep Your Information?

We retain personal information for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law (such as for tax, accounting, or legal record-keeping purposes).

When you close your account, we will delete or anonymise your personal information within a reasonable period, subject to any legal retention obligations. Some information may be retained in backup archives for a limited period before it is permanently deleted.

9. Do We Collect Information From Minors?

Our Services are intended for use by individuals who are at least 18 years of age. We do not knowingly collect, solicit, or process personal information from children under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately using the details in Section 15 and we will take prompt steps to delete that information.

10. Your Privacy Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as well as applicable laws in other jurisdictions, you have certain rights with respect to your personal information. These are described in Sections 11 and 12 below.

11. Australian Privacy Rights

If you are located in Australia, you have the right to:

• Access: Request access to the personal information we hold about you.
• Correction: Request that we correct personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
• Complaints: Lodge a complaint with us about a breach of the APPs. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise these rights, please contact us using the details in Section 15. We will respond to your request within 30 days, as required by the Privacy Act 1988 (Cth).

12. Additional Rights for International Users

European Economic Area (EEA) and United Kingdom (UK) — GDPR

If you are located in the EEA or UK, you have the following additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• Right to erasure ("right to be forgotten"): Request that we delete your personal information in certain circumstances.
• Right to restriction: Request that we restrict processing of your personal information.
• Right to data portability: Receive your personal information in a structured, commonly used format.
• Right to object: Object to processing of your personal information based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.

To exercise your GDPR rights, contact us at the details in Section 15. You also have the right to lodge a complaint with your local data protection authority.

California (USA) — CCPA

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to:

• Know what personal information we collect, use, disclose, and sell about you.
• Request deletion of your personal information (subject to certain exceptions).
• Opt out of the sale of your personal information (note: we do not sell personal information).
• Non-discrimination for exercising your CCPA rights.

To exercise your CCPA rights, please contact us using the details in Section 15.

13. Do-Not-Track Features

Some web browsers include a Do-Not-Track ("DNT") setting. There is currently no uniform standard for recognising and responding to DNT signals. We do not currently alter our data collection practices in response to DNT signals. If a standard is adopted in the future, we will update this Privacy Policy accordingly.

14. Do We Update This Policy?

We may update this Privacy Policy from time to time. The updated version will be identified by a revised "Last updated" date at the top of this policy. Where changes are material, we will notify you by email or by displaying a prominent notice within the Services prior to the change taking effect. We encourage you to review this policy periodically.

15. How Can You Contact Us?

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, you may contact our Privacy Officer at:

We will endeavour to respond to all enquiries within 30 days.

16. How Can You Access, Update, or Delete Your Data?

You may request access to, correction of, or deletion of your personal information by contacting us using the details in Section 15. You can also update certain account information directly through your account settings within the Services.

Upon a verified request to delete your account and data, we will deactivate your account and delete or anonymise your personal information from our active systems within a reasonable timeframe, subject to any legal obligations to retain certain records.