Privacy Policy

Last updated: May 2026 | InnerPiece Pty Ltd

PRELIMINARY PROVISIONS

Document Title and Version Control

This document is titled Global Privacy Policy (GDPR + Australian Privacy Act) — Digital Services App (Policy).

This Policy applies from the Effective date stated above.

Version control:

Major version changes (e.g. 1.0 to 2.0) apply where there are material changes to: (a) categories of Personal Data collected; (b) Purposes of Processing; (c) Legal Bases; (d) International Transfers safeguards; or (e) Data Subject Rights handling.

Minor version changes (e.g. 1.0 to 1.1) apply for non-material changes, including clarifications, formatting, and administrative updates.

We maintain an internal change log recording: (a) version number; (b) date of change; (c) summary of changes; and (d) approvals.

Update notification procedures:

If changes are material, we notify Users through in-app notice and/or email (where we hold an email address) before the changes take effect, unless an urgent change is required for security or legal compliance (see section 17.4).

If changes are non-material, we may update this Policy by publishing the revised version in-app and on our website (if applicable).

Where the GDPR applies, this Policy is intended to meet the transparency requirements in Articles 12, 13 and 14 of Regulation (EU) 2016/679 (GDPR). Where Australian law applies, this Policy is intended to support compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Scope and Application

This Policy describes how we collect, hold, use, disclose, store, secure, transfer and otherwise process Personal Data when we provide our digital services app and related services (Services).

This Policy applies to:

Individuals who download, access or use the app (Users);

prospective Users who interact with our marketing or onboarding flows;

individuals who communicate with us (including customer support); and

individuals whose Personal Data we receive from third parties (where permitted).

Territorial scope:

Where the GDPR applies (including where we offer Services to individuals in the European Economic Area (EEA) and/or monitor their behaviour within the EEA), we process Personal Data in accordance with the GDPR.

Where the Privacy Act 1988 (Cth) applies, we handle Personal Information in accordance with the APPs.

This Policy is intended to operate as a single, cohesive global privacy policy. Where local law imposes additional requirements, section 18 applies.

This Policy does not cover third-party services that Users may access via links or integrations unless we expressly state otherwise. Users should review the privacy policies of those third parties.

DEFINITIIONS AND INTERPRETATION

GDPR-Specific Definitions

In this Policy, unless the context otherwise requires:

Automated decision-making has the meaning given in Article 22 GDPR and includes decisions based solely on automated processing that produce legal effects concerning a Data Subject or similarly significantly affect a Data Subject.

Controller has the meaning given in Article 4(7) GDPR and refers to the entity that determines the purposes and means of the Processing of Personal Data

Data Subject has the meaning given in the GDPR and refers to an identified or identifiable natural person to whom Personal Data relates.

EEA means the European Economic Area.

GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).

Personal Data has the meaning given in Article 4(1) GDPR and means any information relating to an identified or identifiable natural person.

Processing has the meaning given in Article 4(2) GDPR and includes any operation performed on Personal Data, whether or not by automated means (including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction).

Processor has the meaning given in Article 4(8) GDPR and refers to an entity that processes Personal Data on behalf of the Controller.

Profiling has the meaning given in Article 4(4) GDPR.

Pseudonymisation has the meaning given in Article 4(5) GDPR.

Special Categories of Personal Data has the meaning given in Article 9 GDPR.

Supervisory Authority has the meaning given in Article 4(21) GDPR.

UK GDPR means the retained version of the GDPR in the United Kingdom (if applicable to our operations).

Standard Contractual Clauses or SCCs means standard data protection clauses adopted by the European Commission for transfers of Personal Data to third countries pursuant to Article 46(2)(c) GDPR, as amended, replaced or superseded from time to time.

Transfer includes a disclosure or making available of Personal Data to a recipient in a country outside the EEA.

Australian Privacy Act Definitions

APPs means the Australian Privacy Principles in Schedule 1 to the Privacy Act 1988 (Cth).

Australian Privacy Act means the Privacy Act 1988 (Cth).

Collect has the meaning given in the Australian Privacy Act and includes gathering, acquiring or obtaining Personal Information from any source and by any means.

Consent under Australian privacy law means express or implied consent, depending on context; where we rely on Consent for GDPR purposes, we apply the GDPR standard (freely given, specific, informed and unambiguous, and explicit where required).

Disclosure has the meaning given in the Australian Privacy Act and includes making Personal Information accessible or visible to others outside our effective control.

Overseas recipient has the meaning used in APP 8 and includes a recipient located outside Australia.

Personal Information has the meaning given in the Australian Privacy Act and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

Sensitive Information has the meaning given in the Australian Privacy Act and includes (among other things) health information and certain other categories requiring higher protection.

Use has the meaning given in the Australian Privacy Act and includes handling Personal Information within our organisation.

Digital Services Terminology

App means our mobile application and any associated software development kits (SDKs) and application programming interfaces (APIs) we provide or use to deliver the Services.

Account means a User account created to access the Services.

Device Information means information about a User’s device and software environment, including device identifiers, operating system, app version, language, and network information.

Location Data means data indicating a User’s location, including precise geolocation (where enabled) and approximate location derived from IP address or device settings.

Usage Data means data about how Users interact with the App and Services, including feature usage, session events, clicks/taps, screens viewed, and performance telemetry.

Cookies means small text files and similar technologies stored on a device, including SDK identifiers, mobile advertising identifiers, local storage objects, and other tracking technologies (as applicable in an app context).

Tracking Technologies means Cookies and other technologies, whether predictive or based on determinations made by artificial intelligence, used to recognise devices, store preferences, measure performance, prevent fraud, and personalise content and advertising (where applicable).

Interpretation Clauses

Headings are for convenience only and do not affect interpretation.

A reference to:

a person includes an individual, body corporate, partnership, joint venture, association, government agency and any other entity;

a statute or regulation includes any subordinate legislation and any amendment, consolidation, re-enactment or replacement;

“including” means “including without limitation”.

Where a term is defined both under the GDPR and the Australian Privacy Act, the meaning applicable depends on the context and the jurisdictional application described in section 1.3.

If there is an inconsistency between this Policy and a specific in-app notice presented at the time of collection for a particular feature, the in-app notice prevails to the extent of the inconsistency for that feature (subject to section 18.3).

CONTROLLER IDENTIFICATION AND CONTACT DETAILS

Data Controller Information (Article 13(1)(a) GDPR)

For GDPR purposes, the Controller of Personal Data processed under this Policy is:

Controller name: InnerPiece Pty Ltd

ACN: 689 982 885

Registered office: 8 Piccadilly Crescent, Piccadilly SA, Australia.

Principal place of business: 8 Piccadilly Crescent, Piccadilly SA, Australia.

Where we act as a Processor for a business customer (for example, where the App is offered under an enterprise arrangement and we process Personal Data on the customer’s instructions), we will identify that customer as Controller in the relevant contract and/or in-product notices, and this Policy applies to the extent we act as Controller.

Contact Information

Policy contact channels:

Email: Contact@innerpieceapp.com

Postal address: 8 Piccadilly Crescent, Piccadilly SA, Australia

Telephone: +61413555148

Users may contact us to:

ask questions about this Policy;

exercise rights under section 6;

make a complaint under section 16; or

request further information about safeguards for International Transfers under section 7.

Data Protection Officer Details

Data Protection Officer (DPO): We have not appointed a DPO.

CATEGORIES OF PERSONAL DATA COLLECTED

Account Registration Data

We may collect the following Account Registration Data when a User creates or manages an Account:

name (or preferred name);

date of birth;

email address;

mobile number (if required for verification or account security);

username and profile details (where provided);

authentication credentials (e.g. password, password hash, or authentication tokens);

account status and administrative metadata (e.g. creation date, last login).

Where we use third-party sign-in (e.g. “Sign in with Apple/Google”), we may receive identifiers and basic profile information from that provider, depending on the User’s settings with that provider.

Device and Technical Information

We may collect Device and Technical Information, including:

device type and model;

operating system and version;

App version and build;

device identifiers and app instance identifiers;

IP address;

network and connectivity information;

language, time zone, and regional settings;

crash logs and diagnostic data.

We use this information to deliver the Services, maintain security, troubleshoot issues, and improve performance.

Usage and Analytics Data

We may collect Usage and Analytics Data, including:

interactions with features and screens;

timestamps, session duration, and navigation paths;

events such as clicks/taps, scrolls, and conversions;

in-app search queries (if provided);

performance telemetry (e.g. latency, load times);

aggregated or pseudonymised analytics outputs.

Collection methods may include in-app analytics SDKs, server logs, and event tracking configured within the App.

Location Information

We may collect Location Data where it is required for a feature or where a User enables it, including:

precise geolocation (e.g. GPS) where the User grants device permission;

approximate location derived from IP address or device settings.

Location Data may be treated as sensitive in practice due to its potential to reveal patterns and behaviours. We apply enhanced controls (see sections 9 and 10).

Users can generally control precise location collection via device settings and in-app controls (see section 14.2).

Communications and Content Data

We may collect Communications and Content Data, including:

Messages, images and other content Users submit through the App (where the Services include messaging, posting, uploads, or forms);

customer support communications (including email, in-app chat, and call notes);

voice recordings ( which are transcript using artificial intelligence and deleted immediately after transcription);

feedback, ratings, and survey responses;

attachments and metadata associated with communications.

We do not request that Users provide Special Categories of Personal Data or Sensitive Information through general free-text fields. If Users choose to provide such information, we handle it in accordance with applicable law and this Policy.

Marketing and Preferences Data

We may collect Marketing and Preferences Data, including:

marketing communication preferences (email, SMS, push notifications);

consent records (including timestamp, method, and scope);

campaign interaction data (opens, clicks, opt-outs);

preference settings within the App.

Where required by law, we will obtain Consent before sending direct marketing communications, and we provide opt-out mechanisms (see section 13).

PURPOSES OF PROCESSING AND LEGAL BASIS

Service Provision (Article 6(1)(b) GDPR)

We process Personal Data as necessary to perform a contract with the User or to take steps at the User’s request prior to entering into a contract, including to:

create and administer Accounts;

provide core App functionality and deliver requested digital services;

authenticate Users and manage sessions;

provide customer support and respond to enquiries;

process transactions or service requests initiated by the User (where applicable); and

send service-related communications (e.g. security alerts, transactional messages, changes to the Services).

Under Australian law, we collect Personal Information only where reasonably necessary for our functions or activities (APP 3), and we take reasonable steps to notify Users of collection matters (APP 5).

Legitimate Interests Processing (Article 6(1)(f) GDPR)

We may process Personal Data where it is necessary for our legitimate interests (or those of a third party), except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.

Our legitimate interests include:

security and fraud prevention, including detecting suspicious activity, preventing unauthorised access, and maintaining the integrity of the App;

service improvement, including debugging, performance monitoring, and developing new features;

analytics and measurement, including understanding how Users engage with the Services to improve user experience;

business operations, including internal reporting, forecasting, and corporate governance;

legal risk management, including establishing, exercising or defending legal claims.

Where we rely on legitimate interests, we implement safeguards such as data minimisation, access controls, and (where appropriate) pseudonymisation (see section 10).

Users have the right to object to Processing based on legitimate interests (section 6.6).

Consent-Based Processing (Article 6(1)(a) GDPR)

We rely on Consent where required by law or where we choose to do so, including for:

optional features that require additional permissions (e.g. precise location, contacts, photos/media);

direct marketing in jurisdictions requiring opt-in;

certain Cookies/Tracking Technologies (see section 9); and

personalised advertising and profiling (where applicable and where required).

Where we rely on Consent:

Users may withdraw Consent at any time (section 6.8);

withdrawal does not affect the lawfulness of Processing before withdrawal; and

we provide in-app controls and/or device-level controls to manage permissions.

Legal Compliance Processing (Article 6(1)(c) GDPR)

We may process Personal Data where necessary to comply with a legal obligation, including to:

comply with lawful requests and legal processes;

meet record-keeping obligations;

comply with regulatory requirements applicable to our operations.

Under Australian law, we may use or disclose Personal Information where required or authorised by law (including under APP 6).

Vital Interests and Public Tasks

We may process Personal Data where necessary to protect the vital interests of a Data Subject or another person (Article 6(1)(d) GDPR), for example in urgent situations involving safety.

We do not generally process Personal Data to perform a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR), unless explicitly stated for a particular feature or regulatory context.

Business Purposes for Collection and Use (California)

Where we collect and use Personal Information of California consumers, we do so for the following business purposes:

providing the Services, including creating and administering Accounts, authenticating Users, managing sessions, and delivering core App functionality;

maintaining and servicing accounts, including processing transactions or service requests and providing customer support;

providing analytic services, including understanding how Users engage with the Services to improve user experience, debugging, and performance monitoring;

undertaking internal research for technological development and demonstration;

undertaking activities to verify or maintain the quality and safety of the Services, and to improve, upgrade, or enhance the Services;

detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that;

short-term, transient use, where the Personal Information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction;

performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, and providing similar services; and

sending service-related communications, including security alerts, transactional messages, and changes to the Services.

Commercial Purposes (California)

We may also use Personal Information for the following commercial purposes:

marketing and advertising, including delivering and measuring campaigns

personalised advertising and profiling, where applicable and where the consumer has not opted out;

campaign interaction measurement, including opens, clicks, and opt-outs.

Recharacterization of Legitimate Interests Processing for California Consumers:

The processing activities described in section 5.7 are, for California consumers, undertaken for the following purposes:

Security and fraud prevention: This constitutes a business purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible.

Service improvement and debugging: This constitutes a business purpose of undertaking activities to verify or maintain the quality and safety of the Services, and to improve, upgrade, or enhance the Services.

Analytics and measurement: This constitutes a business purpose of providing analytic services. However, to the extent that analytics data is used for cross-context behavioural advertising or is shared with third parties for advertising purposes, this may constitute "sharing" under California law, and the consumer's right to opt out applies (see section [new opt-out section]).

Business operations: This constitutes a business purpose of performing services on behalf of the business, including internal reporting, forecasting, and corporate governance.

Legal risk management: This constitutes processing that is reasonably necessary and proportionate to establish, exercise, or defend legal claims, or to comply with legal obligations.

Consent and Opt-Out Framework for California Consumers

Opt-out model for sale and sharing: Where we sell or share (as those terms are understood under California privacy law) the Personal Information of California consumers, consumers have the right to opt out. We do not require consumers to opt in to the sale or sharing of their Personal Information, except as described in paragraph (c) below.

Sensitive personal information: Where we collect or use sensitive personal information of California consumers (including precise geolocation data as described in section 4.4, and account log-in credentials as described in section 4.1.1(e)), consumers have the right to limit our use and disclosure of such information to purposes that are reasonably necessary and proportionate to provide the Services. We provide a mechanism for consumers to exercise this right [see new section reference].

Minors: We do not knowingly sell or share the Personal Information of consumers under the age of 16 without affirmative authorisation. For consumers aged 13 to 15, we obtain opt-in consent before selling or sharing their Personal Information. For consumers under 13, we obtain verifiable parental consent.

Financial incentives: If we offer financial incentive programmes (such as loyalty programmes, discounts, or other benefits in exchange for the collection, retention, sale, or sharing of Personal Information), we will provide a notice explaining the material terms of the programme, obtain opt-in consent, and allow consumers to opt out at any time.

Sale and Sharing of Personal Information (California)

We disclose Personal Information to the categories of third parties described in section 11 of this Policy. Some of these disclosures may constitute a "sale" or "sharing" of Personal Information under California privacy law.

The following disclosures may constitute "sharing" for cross-context behavioural advertising:

disclosure of device identifiers and usage data (to advertising technology partners for the purpose of personalised advertising;

disclosure of campaign interaction data to marketing partners for campaign measurement and optimisation.

California Users have the right to opt out of the sale and sharing of their Personal Information pursuant to the terms and processes set out in this Policy;

we do not sell or share the Personal Information of consumers we know to be under the age of 16 without affirmative authorisation as described in section 5.9.3;

we do not use or disclose sensitive personal information for purposes other than those reasonably necessary to provide the Services, unless the consumer has not exercised their right to limit such use.

Purpose Limitation (California)

We do not collect additional categories of Personal Information or use Personal Information collected for additional purposes that are materially different from, or incompatible with, the purposes described in this Policy without providing California consumers with notice.

Where we intend to use previously collected Personal Information for a purpose materially different from the purpose for which it was collected, we will provide direct notice to the consumer and, where required, obtain consent before such use.

Service Provider, Contractor, and Third-Party Distinctions (California)

Where we disclose Personal Information to a service provider (as that term is understood under California privacy law), we enter into a written contract that:

specifies the business purpose for which the Personal Information is disclosed;

requires the service provider not to sell or share the Personal Information;

requires the service provider not to retain, use, or disclose the Personal Information for any purpose other than the specified business purpose or as otherwise permitted;

requires the service provider to comply with applicable California privacy obligations and to grant the business rights to take reasonable and appropriate steps to help ensure compliance; and

requires the service provider to notify us if it can no longer meet its obligations.

Where we disclose Personal Information to a contractor, we enter into a written contract with substantially similar restrictions as described in section 5.12.1.

Where we disclose Personal Information to a third party (including marketing and advertising partners described in section 11.5), such disclosure may constitute a "sale" or "sharing" under California privacy law, and the consumer's right to opt out applies as described in section 5.10.

DATA SUBJECT RIGHTS

Right of Access (Article 15 GDPR)

Data Subjects may request confirmation as to whether we process their Personal Data and, where we do, request access to that Personal Data and information required by Article 15 GDPR.

Access requests may be made using the contact details in section 3.2 or via in-app tools where available.

We may request information to verify identity before providing access, particularly where disclosure could expose Personal Data to unauthorised parties.

Where feasible, we provide access in a secure electronic format.

Right to Rectification (Article 16 GDPR)

Data Subjects may request correction of inaccurate Personal Data and completion of incomplete Personal Data.

Users can rectify certain information directly in the App via account settings (section 14.2).

Where we have disclosed Personal Data to third parties, we take reasonable steps to notify those third parties of rectification where required by the GDPR and where practicable.

Right to Erasure (Article 17 GDPR)

Data Subjects may request erasure of Personal Data in the circumstances set out in Article 17 GDPR, including where:

the Personal Data is no longer necessary for the purposes for which it was collected;

the Data Subject withdraws Consent and there is no other legal basis;

the Data Subject objects under Article 21 GDPR and there are no overriding legitimate grounds;

the Personal Data has been unlawfully processed; or

erasure is required to comply with a legal obligation.

Erasure is not absolute. We may retain Personal Data where an exception applies, including where Processing is necessary for:

exercising the right of freedom of expression and information;

compliance with a legal obligation;

reasons of public interest in the area of public health (where applicable);

archiving in the public interest, scientific or historical research, or statistical purposes (where applicable); or

establishment, exercise or defence of legal claims.

Where erasure is granted, we apply secure deletion and de-identification practices consistent with section 8.4.

Right to Restrict Processing (Article 18 GDPR)

Data Subjects may request restriction of Processing in the circumstances set out in Article 18 GDPR, including where:

accuracy is contested (restriction applies for a period enabling verification);

Processing is unlawful and the Data Subject opposes erasure;

we no longer need the Personal Data but it is required for legal claims; or

the Data Subject has objected under Article 21 GDPR pending verification of overriding grounds.

Where Processing is restricted, we store the Personal Data and only process it with Consent or for limited purposes permitted by the GDPR.

Right to Data Portability (Article 20 GDPR)

Where Article 20 GDPR applies, Data Subjects may request to receive their Personal Data in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where:

Processing is based on Consent or contract; and

Processing is carried out by automated means.

Portability applies to Personal Data provided by the Data Subject and does not adversely affect the rights and freedoms of others.

Where technically feasible, we may transmit the data directly to another controller at the Data Subject’s request.

Our Services have functionality which allows a Data Subject to action an export of all their Personal Data.

Right to Object (Article 21 GDPR)

Data Subjects may object to Processing based on legitimate interests (Article 6(1)(f) GDPR) on grounds relating to their particular situation.

Where a valid objection is made, we stop Processing unless we demonstrate compelling legitimate grounds overriding the interests, rights and freedoms of the Data Subject, or the Processing is necessary for legal claims.

Data Subjects have an absolute right to object to Processing for direct marketing purposes. If a Data Subject objects, we stop Processing for direct marketing.

Rights Related to Automated Decision-Making (Article 22 GDPR)

Where applicable, Data Subjects have rights in relation to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect them.

If we conduct such processing for a feature, we will provide:

meaningful information about the logic involved;

the significance and envisaged consequences; and

the right to obtain human intervention, express a point of view, and contest the decision, where required by the GDPR.

We use automated decision making for Data security and these systems may apply restrictions and other limitations to Users accounts without input from a human decision maker. If a User’s account is subject to an permanent ban that ban is not an automated decision and is the product of a human decision within our organisation.

Request Procedures and Response Timeframes

Requests may be submitted via:

the contact details in section 3.2; and/or

in-app privacy tools (where available).

We respond to GDPR rights requests within one month of receipt, subject to extensions permitted by the GDPR for complex or numerous requests.

We may refuse to act on a request where permitted by the GDPR (for example, where requests are manifestly unfounded or excessive), and in that case we will provide reasons and information about complaint rights.

Under the Australian Privacy Act, individuals may request access to and correction of Personal Information, and we respond within a reasonable period and in accordance with applicable requirements.

Identity verification: we may request additional information to verify identity and/or authority to act (e.g. where an agent submits a request).

Consent withdrawal mechanisms:

Users can withdraw marketing consent via unsubscribe links, in-app settings, or by contacting us.

Users can withdraw device permission-based consents (e.g. location) via device settings and in-app controls.

INTERNATIONAL DATA TRANSFERS

Transfers from EU to Australia

We are an Australian organisation and may store and process Personal Data in Australia and other locations where we or our service providers operate.

Our service provides currently operate within the following regions:

Australia;

United States; and

Europe.

Where the GDPR applies and we transfer Personal Data from the EEA to Australia (a “third country”), we implement appropriate safeguards under Chapter V GDPR unless an exception applies.

We inform Data Subjects that Australia may not be the subject of an adequacy decision for all Processing contexts, and therefore we rely on safeguards described in section 7.2 and supplementary measures in section 7.3.

Standard Contractual Clauses Implementation

For relevant transfers, we use Standard Contractual Clauses (SCCs) approved by the European Commission as an appropriate safeguard under Article 46 GDPR.

SCCs are implemented:

between us and relevant EEA-based exporters (where we receive Personal Data from an EEA entity); and/or

between us and our Processors/Sub-processors where they receive or access EEA Personal Data.

We maintain contractual governance to ensure SCCs are:

incorporated into relevant data processing agreements;

flowed down to sub-processors where required; and

supported by technical and organisational measures.

Additional Safeguards and Security Measures

In addition to SCCs, we apply supplementary measures appropriate to the risk profile of the transfer, which may include:

encryption in transit and at rest;

access controls, least privilege, and strong authentication;

logging and monitoring of access to systems processing EEA Personal Data;

data minimisation and pseudonymisation where feasible; and

contractual commitments regarding government access requests, transparency, and challenge procedures to the extent legally permissible.

Transfer Impact Assessments

Where required, we conduct and maintain a Transfer Impact Assessment (TIA) process to evaluate:

the nature of the Personal Data;

the purposes of Processing;

the likelihood and severity of risks to Data Subjects;

the laws and practices of the destination country relevant to access by public authorities; and

the effectiveness of SCCs and supplementary measures.

We review TIAs periodically and upon material changes to transfer arrangements.

Cross-Border Disclosure Under Australian Privacy Act

Where we disclose Personal Information to an overseas recipient, we take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information (APP 8), unless an exception applies.

We may disclose overseas where:

it is necessary to provide the Services (e.g. cloud hosting, support tooling);

Users have consented (where required); or

the disclosure is required or authorised by law.

We remain accountable for overseas disclosures to the extent required by the Australian Privacy Act.

We remain accountable for overseas disclosures to the extent required by the Australian Privacy Act.

DATA RETENTION POLICIES

General Retention Principles

We retain Personal Data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Retention decisions consider:

the nature and sensitivity of the data;

the purposes of Processing;

legal and regulatory requirements;

limitation periods for legal claims;

security and fraud prevention needs; and

whether the data can be de-identified.

Where feasible, we de-identify or aggregate data rather than retain identifiable Personal Data.

If a User requests deletion of their Personal Data that request will be actioned such that any Personal Data we hold will be destroyed with in 30 calendar days.

Category-Specific Retention Periods

Account Registration Data: retained for the life of the Account and for a reasonable period after account closure to: (a) enable reactivation where requested; (b) address disputes; (c) comply with legal obligations; and (d) prevent fraud.

Device and Technical Information: retained for as long as needed for security, diagnostics, and service improvement, subject to periodic review and minimisation.

Usage and Analytics Data: retained for analytics and service improvement for a period proportionate to those purposes, with preference for aggregation and pseudonymisation.

Location Data: retained only as long as needed for the feature requiring it, with minimisation and user controls applied.

Communications and Content Data: retained for as long as needed to provide the Services, manage support, and maintain records of interactions, subject to deletion requests and legal holds.

Marketing and Preferences Data: retained until the User opts out or withdraws consent and thereafter retained only as necessary to maintain suppression lists and demonstrate compliance.

Where a User requests erasure, we apply section 6.3 and delete or de-identify data unless an exception applies.

Legal and Regulatory Retention Requirements

We may retain Personal Data to comply with legal obligations, including record-keeping obligations and responding to lawful requests.

Where we are subject to a legal hold (e.g. litigation or regulatory investigation), we preserve relevant data until the hold is lifted.

Secure Deletion Procedures

We implement secure deletion procedures appropriate to the storage medium and system architecture, which may include:

(a) logical deletion and secure wiping;

(b) cryptographic erasure where encryption is used;

(c) deletion from active systems and, within a reasonable cycle, from backups (or rendering backups inaccessible through key destruction);

(d) access restriction during backup retention cycles.

8.4.2 We maintain records of deletion activities where appropriate for accountability.

Retention Policy Reviews and Updates

We review retention settings and practices periodically and when:

we introduce new features;

we change service providers;

applicable law changes; or

we identify new risks through DPIAs/TIAs.

We update this Policy where retention practices change materially (section 17).

COOKIES AND TRACKING TECHNOLOGIES

Cookie Categories and Classification

In an app context, “cookies” may include mobile identifiers and SDK-based tracking. We classify Tracking Technologies as:

Strictly necessary: required to provide core functionality, security, and session management.

Performance/analytics: used to measure performance and understand usage.

Functionality: used to remember preferences and enhance features.

Targeting/advertising: used to personalise advertising and measure campaigns (where applicable).

Some Tracking Technologies may be first-party (set by us) or third-party (set by service providers integrated into the App).

Consent Management and Cookie Banners

Where required by applicable European law, we present Users with clear choices for non-essential Tracking Technologies, including:

an initial notice identifying categories and purposes;

the ability to accept or reject non-essential categories; and

the ability to change preferences at any time via in-app settings.

We maintain consent records, including the scope of consent, timestamp, and method. We currently record the date and time consent and Data is provided in respect of the following:

Terms of Service acceptance timestamp;

Privacy Policy acceptance timestamp;

Version of Terms of Service acceptance;

Version of Privacy Policy accepted;

Date of birth / age verification;

Account creation timestamp;

Account deletion request timestamp; and

Push notification permission consent.

Where consent is withdrawn, we stop the relevant Tracking Technologies and/or cease related Processing to the extent required and technically feasible.

Third-Party Cookies and Tracking

We may use third-party service providers for analytics, crash reporting, performance monitoring, customer support, and (where applicable) advertising measurement.

Where third-party Tracking Technologies are used, we:

identify the category and purpose in our cookie/tracking disclosures;

ensure appropriate contractual protections; and

configure settings to minimise data collection where feasible.

Alternative Tracking Technologies

We may use technologies including:

SDK identifiers and app instance IDs;

mobile advertising identifiers (where available and permitted);

local storage and secure storage;

pixels and similar technologies in emails (subject to marketing preferences); and

device fingerprinting only where necessary for security and fraud prevention, and subject to applicable law.

User Control and Opt-Out Mechanisms

Users can control Tracking Technologies through:

in-app privacy settings;

device operating system privacy controls (including advertising identifier settings); and

cookie/tracking consent tools (where presented).

Users can opt out of direct marketing at any time (section 13).

We use Tracking Technologies to maintain a safe and functional service, as a result users cannot disable certain Tracking Technologies as these are essential to maintaining the security and functionality of our App.

SECURITY MEASURES AND DATA PROTECTION

Technical Security Measures

We implement technical measures appropriate to risk, which may include:

encryption in transit (e.g. TLS) and encryption at rest where appropriate;

encryption which is aligned the requirements of our Service Providers (including the Apple App Store);

secure key management;

access controls and role-based access;

secure authentication and session management;

logging, monitoring, and alerting;

secure software development practices, including code review and dependency management; and

segregation of environments (development/test/production) and data minimisation in non-production environments.

Artificial Intelligence

We use artificial intelligence as described in this Policy to deliver the Services.

Our artificial intelligence Service Providers are commercially engaged such that Personal Data you provide in receiving the Services:

is subject to the data processing terms of our artificial intelligence Service Providers; and

is not permitted to be used by our artificial intelligence Service Providers for their internal training purposes.

Organisational Security Measures

We implement organisational measures including:

staff training and confidentiality obligations;

access provisioning and deprovisioning processes;

vendor security due diligence (section 15.4);

incident response planning (section 10.4);

governance oversight (section 15.1).

Data Protection by Design and Default

We apply privacy-by-design and privacy-by-default principles, including:

collecting only data necessary for stated purposes;

using privacy-protective default settings;

embedding security controls into feature design;

conducting DPIAs where required (section 15.3).

Security Incident Response

We maintain processes to detect, investigate, contain, remediate, and document suspected or confirmed security incidents involving Personal Data.

Where the GDPR applies, we assess whether an incident constitutes a Personal Data breach and whether notification is required under Articles 33 and 34 GDPR.

Where the Australian Privacy Act applies, we assess whether an incident constitutes an eligible data breach and whether notification is required under the Notifiable Data Breaches scheme.

We maintain internal records of incidents and remediation actions.

Regular Security Assessments

We conduct periodic security assessments appropriate to our risk profile, which may include:

vulnerability scanning and remediation;

penetration testing;

access reviews;

audits of key controls;

supplier assurance reviews.

DATA SHARING AND THIRD-PARTY DISCLOSURES

Service Provider Relationships

We may share Personal Data with service providers who assist us to provide the Services, including providers of:

cloud hosting and infrastructure;

analytics and performance monitoring;

crash reporting and diagnostics;

customer support tooling;

communications delivery (email/SMS/push);

payment processing (where applicable);

authentication providers (including Apple and Google);

artificial intelligence services.

Where service providers act as Processors, we implement contractual protections consistent with Article 28 GDPR where the GDPR applies and take reasonable steps to ensure appropriate handling under the APPs where Australian law applies.

We authorise sub-processors where necessary and maintain oversight through contractual and governance measures.

Business Partner Integrations

Where the App integrates with third-party services at the User’s request (e.g. via APIs), we may disclose Personal Data to those third parties to enable the integration.

We provide information in-app about the integration and, where required, obtain Consent.

Third parties receiving data through integrations may act as independent controllers. Their privacy practices are governed by their own policies.

Legal Disclosure Requirements

We may disclose Personal Data to courts, law enforcement, regulators, or government agencies where required or authorised by law, including in response to lawful requests.

We review requests for validity and scope and respond in accordance with applicable law.

Where permitted, we may notify affected Users of such requests.

Corporate Transactions

If we undergo a merger, acquisition, restructuring, or sale of assets, Personal Data may be disclosed to advisers and prospective counterparties as part of due diligence and transferred as part of the transaction.

We apply confidentiality and security protections and, where required, provide notice to Users.

Marketing and Advertising Partners

Where applicable, we may share limited data with marketing and advertising partners to:

deliver and measure campaigns;

suppress marketing to Users who have opted out; and

(where permitted) personalise advertising.

Where required by law, we obtain Consent before enabling targeting/advertising Tracking Technologies (section 9).

Users can object to direct marketing and manage preferences (section 13).

CHILDREN'S PRIVACY PROTECTION

Age Verification and Parental Consent

The Services are not intended for children under 18, unless expressly stated for a specific product offering.

Where Article 8 GDPR applies and we rely on Consent for Processing in relation to information society services offered directly to a child, we implement age-gating and parental consent mechanisms where required by applicable Member State law.

If we become aware that we have collected Personal Data from a child in a manner not permitted by applicable law, we will take steps to delete or de-identify it.

Enhanced Protection for Children's Data

Where we process children’s data, we apply enhanced safeguards, including:

data minimisation;

restricted profiling and marketing;

heightened access controls;

shorter retention where appropriate.

Educational and Safety Considerations

We may provide age-appropriate privacy information and safety resources within the App where relevant.

We may provide reporting channels for safety concerns and inappropriate content.

MARKETING AND COMMUNICATIONS

Email Marketing Consent and Management

We may send marketing communications by email (and other channels) where permitted by law and in accordance with User preferences.

Users can opt out at any time by:

using the unsubscribe link in marketing emails;

changing in-app communication preferences; or

contacting us (section 3.2).

We maintain suppression lists to ensure we respect opt-out requests.

Push Notification Controls

We may send push notifications for:

service and security messages; and

marketing messages (where enabled).

Users can control push notifications through device settings and in-app preferences.

Where required, we obtain Consent for marketing push notifications.

Personalised Advertising and Profiling

Where applicable, we may use data to personalise content and advertising, including through Profiling.

Where required by applicable law, we obtain Consent for advertising Tracking Technologies and provide opt-out controls (section 9).

Users may object to Processing for direct marketing at any time (section 6.6).

Direct Marketing Under Australian Privacy Act

We comply with APP 7 in relation to direct marketing.

We do not use Sensitive Information for direct marketing unless the individual has consented (where required).

We provide a simple means to opt out of direct marketing communications.

USER ACCOUNT MANAGEMENT

Account Creation and Verification

Users must provide certain information to create an Account (section 4.1).

We may use verification measures (e.g. email verification, SMS verification) to protect Accounts and prevent fraud.

We may log account creation and verification events for security and audit purposes.

Account Settings and Privacy Controls

We provide in-app settings to enable Users to:

update profile information;

manage marketing preferences;

manage certain permissions (where supported);

access privacy information and submit rights requests (where available).

Device permissions (e.g. location, camera, contacts) can generally be controlled via device operating system settings.

Where feasible, we provide granular controls so Users can enable optional features without enabling unrelated data collection.

Account Suspension and Termination

We may suspend or terminate Accounts in accordance with our terms of service (if applicable), including for security reasons or misuse.

Upon termination or closure, we handle Personal Data in accordance with section 8 (retention) and section 6.3 (erasure), subject to legal holds and other lawful retention needs.

We may retain limited data to prevent fraud, enforce terms, and comply with legal obligations.

Account Security Features

We may offer security features such as:

multi-factor authentication;

session management and device management;

account recovery processes;

suspicious login detection.

Users should keep credentials confidential and notify us of suspected unauthorised access.

COMPLIANCE MONITORING AND GOVERNANCE

Privacy Governance Framework

We maintain a privacy governance framework appropriate to our size and risk profile, including:

assignment of privacy responsibilities;

policies and procedures supporting this Policy;

oversight of high-risk processing activities;

periodic reporting to senior management.

Staff Training and Awareness

We provide privacy and security training to staff and contractors with access to Personal Data, including training on:

GDPR principles and obligations (where applicable);

APP requirements;

incident reporting and response;

secure handling of Personal Data.

Privacy Impact Assessments

Where required by Article 35 GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to the rights and freedoms of individuals, including where we introduce new technologies or large-scale profiling.

DPIAs consider:

necessity and proportionality;

risks to individuals;

measures to address risks and demonstrate compliance.

We maintain DPIA records and review DPIAs when processing changes.

Vendor Management and Due Diligence

We assess vendors that process Personal Data on our behalf, including their:

security posture;

privacy compliance measures;

sub-processing arrangements;

location of processing and transfer safeguards.

We contractually require vendors to implement appropriate technical and organisational measures and to notify us of incidents.

Regulatory Engagement and Reporting

We maintain processes to engage with regulators and Supervisory Authorities where required.

We maintain records of processing activities where required by the GDPR and appropriate internal records to support APP compliance.

COMPLAINT PROCEDURES AND DISPUTE RESOLUTION

Internal Complaint Procedures

Individuals may lodge a privacy complaint by contacting us via section 3.2.

Complaints should include sufficient details for us to investigate (e.g. account identifier, description of concern, relevant dates).

We will:

acknowledge receipt within a reasonable time;

investigate and respond within a reasonable time; and

take steps to address substantiated issues.

Regulatory Complaint Rights

Where the GDPR applies, Data Subjects may lodge a complaint with a Supervisory Authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement.

Where the Australian Privacy Act applies, individuals may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Alternative Dispute Resolution

Where appropriate, we may offer or participate in alternative dispute resolution processes to resolve privacy complaints efficiently.

Legal Remedies and Compensation

Where the GDPR applies, Data Subjects may have rights to judicial remedies and compensation in accordance with the GDPR, including Article 82 GDPR.

Under Australian law, enforcement mechanisms may apply under the Australian Privacy Act and associated regulatory processes.

POLICY UPDATES AND NOTIFICATION PROCEDURES

Policy Review and Update Procedures

We review this Policy at least annually and when:

we introduce new features or materially change data practices;

we change vendors or hosting arrangements in a way that affects Processing;

laws or regulatory guidance change;

we identify new risks through DPIAs/TIAs or incidents.

User Notification of Changes

We notify Users of material changes via in-app notice and/or email where appropriate.

Where required, we obtain Consent for changes that expand Processing activities requiring Consent.

Version Control and Historical Records

We maintain historical versions of this Policy and make prior versions available upon request where reasonably required for accountability.

Emergency Update Procedures

We may implement urgent updates without advance notice where necessary to:

address a security risk;

comply with a legal requirement; or

prevent misuse or harm.

Where practicable, we will notify Users as soon as reasonably possible after an emergency update.

JURISDICTION-SPECIFIC PROVISIONS

European Union Member State Variations

Some GDPR requirements may vary by Member State (for example, in relation to children’s consent age thresholds and certain employment or health contexts).

Where such variations apply to our Processing, we implement feature-level notices and controls to meet local requirements.

Australian State and Territory Considerations

Additional privacy and surveillance obligations may apply in Australian states and territories in specific contexts (e.g. health information handling, workplace surveillance).

Where such obligations apply to our operations, we implement supplementary procedures and notices.

Conflict of Laws Provisions

This Policy is intended to be read to give effect to both GDPR and Australian privacy requirements.

Where there is a direct conflict between mandatory requirements:

for EEA Data Subjects and GDPR-scoped Processing, we apply the GDPR standard to the extent required;

for Australian-scoped Processing, we apply the Australian Privacy Act and APPs to the extent required; and

we apply the higher standard where feasible to maintain a single global approach.

APPENDICES AND REFERENCE MATERIALS

Standard Contractual Clauses

We use SCCs as described in section 7.2.

A copy of the SCCs (as executed for relevant transfers) may be requested via section 3.2, subject to redaction of confidential commercial information where permitted.

Cookie Policy Detail

We maintain a current list of Tracking Technologies used in the App, including:

category;

purpose;

provider (first/third party);

duration/expiry (where applicable);

data elements collected;

consent status (required/not required depending on jurisdiction and category).

Users can request the current list via section 3.2 and/or access it in-app where provided.

Contact Forms and Request Templates

We may provide templates for:

access requests;

rectification requests;

erasure requests;

restriction requests;

portability requests;

objection requests;

complaints.

Requests may be submitted without using a template provided they contain sufficient information for us to verify identity and locate relevant data.

Legal References and Citations

Key GDPR provisions referenced in this Policy include: Articles 12–22, 27, 28, 33–35, 37, 44–49, 82 GDPR.

Key Australian privacy instruments referenced include: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Glossary of Technical Terms

API: Application Programming Interface enabling software components to communicate.

Encryption: A security method that encodes data to prevent unauthorised access.

SDK: Software Development Kit, often used for analytics, crash reporting, or feature enablement.

Pseudonymisation: Processing that reduces identifiability by separating identifiers from data.

Telemetry: Automated collection of performance and usage signals for reliability and improvement.

EXECUTION AND EFFECTIVE DATE

Policy Authorisation

This Policy is approved for use by the organisation and is authorised by:

the Board (or delegated committee) where applicable; and/or

an authorised executive responsible for risk and compliance.

Internal approvals and sign-off records are maintained as part of our governance framework (section 15.1).

Effective Date and Implementation

This Policy takes effect on the Effective date stated at the beginning of this document.

We implement this Policy by:

publishing it in-app and making it accessible during onboarding;

training relevant staff (section 15.2);

configuring consent and privacy controls (sections 9 and 14);

implementing vendor contractual safeguards (section 11 and 15.4).

Supersession of Previous Policies

This Policy supersedes all prior privacy policies and privacy notices issued by us in relation to the App and Services to the extent of any inconsistency, from the Effective date.

EXECUTION

Dated