HomeAtlas — Privacy Policy

Effective date: 09 May 2026 · Version 1.0

This Privacy Policy explains how [Your full legal name], trading as HomeAtlas (ABN [ABN]) (“HomeAtlas”, “we”, “us” or “our”), collects, uses, shares, and protects your personal information when you use the HomeAtlas website, mobile applications, and related services (the “Service”).

We are committed to handling your personal information in line with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the EU/UK General Data Protection Regulation (GDPR), the New Zealand Privacy Act 2020, the U.S. California Consumer Privacy Act / CPRA, the Children's Online Privacy Protection Act (COPPA), and Canadian privacy law (PIPEDA), to the extent each of these applies to you.

The short version. We collect the data you give us so HomeAtlas can run your kitchen, garage, garden, pets, family schedules, and chat. We share it only with the providers we need to deliver the Service (cloud hosting, payments, calendars, mapping, AI, analytics) and only as much as they need. We do not sell your data, do not use it for ad targeting, and do not train our own AI models on your data. You can access, correct, export, or delete your data at any time from Profile → Settings or by emailing privacy@[domain].

  1. Who we are and how to contact us
  2. Information we collect
  3. How we use your information
  4. AI features and how data is sent to AI providers
  5. Children's data and family records
  6. Sharing with household members
  7. Service providers and data sharing
  8. International data transfers
  9. Where your data is stored
  10. Cookies and similar technologies
  11. Marketing and notifications
  12. Security
  13. Retention
  14. Your rights and choices
  15. How to access, export, or delete your data
  16. Region-specific notices (EEA / UK, California, Australia, Canada, NZ)
  17. Changes to this policy
  18. Complaints

1. Who we are and how to contact us

HomeAtlas is operated by [Your full legal name], an Australian sole trader (ABN [ABN]) trading as HomeAtlas. We are the data controller (and, in Australian terms, the “APP entity”) for the personal information described in this policy.

Privacy contact: privacy@[domain]
Postal address: [Your registered street address]
Website: https://[domain]

If you are in the EU/EEA or UK and prefer to write in your own language, you can contact us at the same email address; we will respond in English.

2. Information we collect

2.1 Account and profile information

  • Email address, password (stored hashed), display name, optional username, optional bio and phone number;
  • Authentication identifiers from Google, Apple, Microsoft, or Facebook if you choose to sign in with that provider — typically your email and a stable user ID;
  • Time zone, preferred currency, region, accent colour and other UI preferences;
  • Subscription tier, Stripe customer/subscription ID, Apple/Google in-app purchase receipt identifiers, credit balance, top-up history.

2.2 Household and location information

  • Home and garage names, postal addresses, and the latitude/longitude returned by Google Maps when we geocode an address you typed;
  • Garden, project, and event addresses and geocoded coordinates;
  • Household membership records, invite codes, roles (owner, co-parent, carer, viewer), and permissions you grant other members.

We do not collect continuous, background, or precise GPS location from your device. Location is only the address you type plus its geocoded coordinates.

2.3 Family and care records

  • Child profiles you create: preferred name, date of birth, gender, height, weight, school name, allergies, medical conditions, health notes, emergency contact, and any AI-generated avatar (a stylised illustration, not a photo);
  • Adult/household person profiles with similar fields, where you record them;
  • Care plans: medications, dosages, schedules, dose logs (taken/skipped/notes), and care tasks;
  • Documents you upload to the family paper inbox (school letters, consent forms, medical results, prescription labels) and the structured data we extract from them using AI vision;
  • Family events and tasks (calendars, reminders, checklists);
  • End-to-end encrypted family messages: we store ciphertext and metadata (participants, household, timestamps), but the content is decrypted only on your devices.

2.4 Kitchen, garage, garden, pets, and projects

  • Recipes, meal plans, dietary preferences, palate questionnaire answers, shopping lists, and cocktail recipes;
  • Pantry / fridge / freezer items, including barcode scans, expiry dates, brand and quantity, and photos of groceries you upload;
  • Garage projects with materials, tools, tasks, budgets, timelines, and any reference photos you upload;
  • Garden, plant, lawn, and pet records, including pet vaccinations, parasite treatments, test results, and any photos or AI-generated avatars;
  • Event project details (venue, theme, guests, menu) and any AI-generated invitation images.

2.5 Chat content

  • Messages you send to the AI assistant (“Chat Atlas”) and the responses we generate, stored against the relevant project, recipe, or thread.

2.6 Calendar and tasks (when you connect them)

  • If you connect Google Calendar, Google Tasks, or Microsoft Outlook, we receive — at your direction — calendar IDs, event titles, times, descriptions, attendees, and similar fields, plus a refresh token (encrypted at rest with a Fernet key) so we can keep your HomeAtlas calendar in sync. You can disconnect at any time.

2.7 Payment information

  • For web subscriptions, Stripe processes your card directly. We never see or store your full card number; we receive metadata such as customer ID, plan, last four digits, country, and the result of the transaction.
  • For mobile in-app purchases, Apple or Google tells us the product purchased, the transaction/receipt ID, and the subscription state. They do not share your card details with us.

2.8 Device and technical information

  • IP address, user-agent, device type, OS version, app version, and timestamps for requests;
  • Authentication tokens (JWT access/refresh), session cookies, and a CSRF token;
  • Crash and error logs, basic performance metrics, push subscription identifiers (if you opt in to web/mobile push).

2.9 Information we do NOT collect

  • We do not knowingly collect biometric data, government identifiers, sexual orientation, religion, political opinions, or trade union membership;
  • We do not collect background or continuous device location;
  • We do not collect data from your device's contacts, photo library, microphone, or health records unless you actively pick a file to upload.

3. How we use your information

We use the information described above to:

  • Create and run your account, authenticate you, and keep your data in sync across devices;
  • Operate and personalise the Service — for example, display your pantry, generate shopping lists, sync your calendar, and remember your preferences;
  • Generate AI suggestions you ask for (recipes, project plans, care plan templates, images, document extraction);
  • Process payments, manage subscriptions, allocate credits, and prevent fraud;
  • Send transactional emails (verification, password reset, daily digests, billing receipts, household invites) and the in-app or push notifications you have enabled;
  • Provide customer support and respond to your queries;
  • Investigate misuse, enforce our Terms, and meet our legal obligations;
  • Improve the Service, including using de-identified or aggregated usage data for product analytics. We do not train our own AI models on your content, and we do not allow our AI providers to use your content to train their general-purpose models, where that option is available to us.

3.1 Legal bases (EEA / UK)

If GDPR applies to you, we rely on the following legal bases under Article 6:

  • Contract — to deliver the Service you signed up for (most processing).
  • Legitimate interests — security, fraud prevention, service improvement, analytics. We balance these against your rights.
  • Consent — for marketing emails (where applicable), optional features you turn on, sensitive AI features, and special-category data (such as health and child data — see below).
  • Legal obligation — tax records, lawful requests from authorities.

For special-category data (Article 9 GDPR) — such as health information you record in care plans, allergy notes, medication logs, or prescription label scans — we rely on your explicit consent, given when you choose to record that information. You can withdraw your consent at any time by deleting the data, or your account, in the app.

4. AI features and how data is sent to AI providers

HomeAtlas uses third-party AI providers to power features like Chat Atlas, recipe suggestions, project planning, document extraction, and image generation (cocktail covers, event invites, child or pet avatars, DIY inspiration). When you use one of those features, the relevant input — for example your message, a project description, the photo you uploaded, or a child's profile fields needed for an avatar — is sent to our AI provider to produce the result.

How we limit what is shared:

  • We only send the data needed for the specific feature you used (data minimisation).
  • We use AI provider plans that, where offered, opt out of training the provider's general-purpose models on your content.
  • Image-generation prompts about a child or pet use the profile fields you have recorded (name, age range, interests). We do not send a child's photo to image-generation models for avatar generation.
  • Family E2E messages are never sent to AI providers — the plaintext exists only on your devices.

We currently engage one or more reputable third-party AI providers as sub-processors. The categories include large language models (for chat, recipes, planning, and document extraction) and image-generation models (for invite cards, avatars, and DIY inspiration). On request to privacy@[domain], we will provide the current list of named AI sub-processors and notify you when it changes.

5. Children's data and family records

HomeAtlas is designed for adults to manage their household, including records about children in their care. We do not allow direct sign-up by children under 13.

Parent-managed child profiles. A parent or guardian (the household administrator) creates and manages each child profile. The administrator may optionally enable a “kid-mode” sub-profile for the child to use a restricted view of the Service. Kid-mode profiles are not separate accounts: the parent remains the account holder, has full control of the data, and can disable the sub-profile at any time. Kid-mode profiles cannot make purchases, change subscriptions, or access general AI chat.

What we collect about a child. Only what the parent or guardian enters: preferred name, date of birth, gender, height, weight, school, allergies, health notes, emergency contacts, calendar entries, tasks, school documents, and care plan items. AI avatars are stylised illustrations generated from those profile fields — we do not send photos of children to image models for avatars.

Verifiable parental consent. By creating a child profile or enabling kid-mode, the household administrator confirms they are the child's parent or legal guardian (or have the parent's authority) and consents on the child's behalf to the processing described in this policy. We accept the administrator's payment method and account verification (including email verification, and where applicable Stripe / Apple / Google identity checks) as the verifiable consent under COPPA / GDPR-K.

Withdrawing consent. A parent or guardian can review, edit, export, or delete a child's records at any time from the family settings, or by emailing privacy@[domain]. Deleting a child profile removes the child's data on the same timeline described in section 13.

If you believe a child under 13 has registered an account directly — outside of a parent-managed profile — please contact privacy@[domain] and we will investigate and delete the account.

6. Sharing with household members

When you invite someone to your household, you choose what they can access — for example the family calendar, child records, the pantry, or shopping lists. Anything you grant access to becomes visible to that household member while their access is active. Household members may also create their own content (events, messages, dose logs) inside shared spaces. You are responsible for choosing who you invite. You can revoke access at any time from Profile → Settings → Home management.

7. Service providers and data sharing

We share personal information only with service providers who process it on our behalf under written agreements that require confidentiality, security, and use restricted to our instructions. We do not sell personal information and we do not share it for cross-context behavioural advertising.

| Category | Providers (examples) | What is shared | Why |
|---|---|---|---|
| Cloud hosting & CDN | Amazon Web Services (Sydney region by default); Cloudflare | All Service traffic and stored data | Run the Service securely |
| Authentication / identity | Google, Apple, Microsoft, Facebook | Email and a stable user ID, where you choose social sign-in | Let you log in with an existing account |
| Payments — web | Stripe | Email, payment token, plan, country | Process card payments and subscriptions |
| In-app purchases — mobile | Apple App Store, Google Play | Receipt / transaction identifiers, subscription state | Process iOS and Android purchases |
| AI providers | Reputable third-party large language and image models (current named list available on request) | The specific input you submitted to that AI feature (text and / or image) | Generate the AI result you asked for |
| Maps & addresses | Google Maps Platform (Geocoding, Places) | Addresses you type, partial address text during autocomplete | Convert addresses to coordinates and show them on a map |
| Calendar sync (optional) | Google Calendar, Google Tasks, Microsoft Graph | Calendar events, task lists you choose to sync | Two-way sync with your existing calendar |
| Email delivery | Configured SMTP / transactional email provider | Email address, message contents (verification, digests, receipts) | Deliver transactional email |
| Product data & commerce | Open Food Facts, USDA FDC, Bunnings API, Amazon PA-API, retailer feeds (e.g. Woolworths, Coles, Tesco, Mitre 10 NZ) | Barcode numbers, item names, shopping queries | Look up products and prices for your shopping list |
| Push notifications | Web Push (VAPID), Apple Push Notification service, Firebase Cloud Messaging | Push subscription identifiers, notification content (no sensitive medical detail in the body) | Deliver notifications you opted in to |
| Customer support | Email — privacy@[domain] | The contents of your support message and account context | Help you resolve issues |

We may also disclose information where required by a binding legal request, to enforce our Terms, or to protect the safety of users or the public — and, if HomeAtlas is sold, merged, or restructured, to a successor entity that takes on this policy's obligations.

8. International data transfers

By default we host your data in Australia (see section 9). Some service providers above are based in other countries (for example AI providers and payment processors in the United States or the European Union). When personal information is transferred outside of Australia or the EEA / UK, we rely on lawful transfer mechanisms, which may include the European Commission's Standard Contractual Clauses, the UK's International Data Transfer Addendum, equivalent provisions for Switzerland, or the recipient's adherence to a recognised certification (for example the EU-U.S. Data Privacy Framework, where applicable). For Australian users, we take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles, as required by APP 8.

9. Where your data is stored

HomeAtlas's primary data store is hosted in Australia (Sydney region). Backups, logs, and certain caches may be stored in additional regions managed by the same provider. Our AI sub-processors and our payment processor host data outside Australia (typically in the United States or the European Union). Calendar data syncs with the regions chosen by Google or Microsoft for your account.

10. Cookies and similar technologies

We use a small number of cookies and similar technologies on the website:

  • Strictly necessary — session cookie, CSRF token, JWT refresh token, load-balancer cookies. Without these the site cannot work securely.
  • Functional — UI preferences such as your accent colour, dismissed hints, and selected calendar.
  • Analytics — aggregated, privacy-respecting product analytics. We do not use third-party advertising or behavioural-tracking cookies.

You can manage cookies through your browser settings. Mobile apps do not use browser cookies but use the equivalent local storage and secure keychain entries to keep you logged in.

11. Marketing and notifications

We send transactional messages by default — for example email verification, password reset, billing receipts, household invites, and the daily/expiry digests you have configured.

We do not send promotional or newsletter emails unless you have opted in (for example by ticking a marketing box during sign-up or in Profile → Settings → Notifications). You can unsubscribe from any marketing email by following the unsubscribe link or by emailing privacy@[domain]. Withdrawing marketing consent does not stop transactional messages required to operate the Service.

Push notifications and in-app reminders are controlled per-device in your operating system settings and per-feature in Profile → Settings.

12. Security

We use a combination of technical and organisational safeguards, including:

  • HTTPS for all traffic between your device and the Service;
  • Hashing of passwords using industry-standard algorithms;
  • Encryption at rest for sensitive tokens (for example calendar refresh tokens, encrypted with a Fernet key not exposed to the application);
  • End-to-end encryption for family messaging — message content is encrypted on the sender's device and decrypted only on the recipient's device, so we never see the plaintext;
  • Strict access controls inside HomeAtlas and with our service providers;
  • Regular dependency updates, monitoring, and incident response procedures.

No internet service can be 100% secure. If we become aware of a personal-data breach that creates a likely risk of serious harm to you, we will notify you and the relevant regulator (for example the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, your supervisory authority under GDPR, or the Office of the Privacy Commissioner of New Zealand) within the timeframes required by law.

13. Retention

We keep your personal information for only as long as we need it for the purposes described in this policy. In practice that means:

  • Account and content data — kept while your account is active. When you delete your account, we delete or de-identify your personal data within 30 days, except for items in the next two bullets.
  • Tax, billing, and fraud records — retained for the period required by law (typically up to 7 years in Australia under tax law).
  • Backups and logs — backups rotate out on a fixed schedule (typically up to 35 days for daily backups). Application logs are kept for short windows for troubleshooting and security and then deleted or de-identified.
  • Encrypted family messages — stored as ciphertext while the conversation is active. When you leave a household or delete your account, the encrypted record is removed on the same 30-day timeline.
  • Short-lived caches — for example, barcode lookups or one-off document-extraction evidence files, which are deleted within hours to days.

14. Your rights and choices

Subject to your country's law, you have the right to:

  • Access the personal information we hold about you;
  • Correct data that is inaccurate or incomplete;
  • Delete your data (the “right to be forgotten” under GDPR, the right to erasure / opt-out of sale or sharing under the CCPA/CPRA, etc.);
  • Export a portable copy of your data in a machine-readable format;
  • Object to certain processing or restrict it;
  • Withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal);
  • Lodge a complaint with a privacy regulator (see section 18).

We do not sell your personal information and we do not use it for cross-context behavioural advertising. We do not subject you to decisions made solely by automated means that produce legal or similarly significant effects on you.

15. How to access, export, or delete your data

You can exercise the rights above as follows:

  • In-app deletion — go to Profile → Settings → Delete account. You will be asked to confirm. We will delete or de-identify your data within 30 days, subject to the carve-outs in section 13.
  • In-app export — go to Profile → Settings → Download my data to receive a JSON archive of your data within a reasonable timeframe.
  • By email — write to privacy@[domain] with the subject line “Privacy request”. We may need to verify your identity (for example by emailing your registered address). We will respond within the timeframes required by your law (within 30 days under GDPR / Australian Privacy Act, 45 days under the CCPA, extendable as permitted).

Requests are free, except where they are manifestly unfounded or excessive (for example repetitive), in which case we may charge a reasonable fee or refuse to act, as permitted by law.

16. Region-specific notices

16.1 EEA / UK (GDPR / UK GDPR)

We act as the data controller for personal data we collect through the Service. The legal bases we rely on are described in section 3.1. You have the rights listed in section 14. You can lodge a complaint with your local supervisory authority — for the UK, that is the Information Commissioner's Office (ICO) at ico.org.uk.

16.2 Australia (Privacy Act 1988)

We handle your personal information in line with the Australian Privacy Principles. You can ask us to access or correct your information at privacy@[domain]. If you are unhappy with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

16.3 New Zealand (Privacy Act 2020)

We comply with the Information Privacy Principles. You can complain to the Office of the Privacy Commissioner at privacy.org.nz.

16.4 California (CCPA / CPRA)

We do not sell your personal information and we do not share it for cross-context behavioural advertising. You have the right to know, delete, correct, and limit the use of sensitive personal information; we honour these rights without discrimination. You can designate an authorised agent to make a request on your behalf — we will require proof of authorisation. The categories of personal information we collect (mapped to CCPA categories) are: identifiers; commercial information; internet/network activity; geolocation (general); audio/visual content (the photos and documents you upload); inferences (preferences); and sensitive personal information including health information, account log-in credentials and information about a person under 16 collected with consent.

16.5 Children under 13 (United States — COPPA)

HomeAtlas does not allow children under 13 to register a HomeAtlas account directly. A parent or guardian may create a child profile inside their own account and optionally enable kid-mode (see section 5). The parent's identity-verified account, payment method (where used), and accepted invitation flow constitute verifiable parental consent. Parents can review, modify, or delete a child's data at any time, or revoke consent by deleting the child profile or contacting privacy@[domain].

16.6 Canada (PIPEDA)

We comply with the Personal Information Protection and Electronic Documents Act and applicable provincial laws. You can contact our Privacy Officer at privacy@[domain], or complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

17. Changes to this policy

We may update this policy from time to time. If a change is material we will notify you by email and / or in-app at least 30 days before it takes effect (or the minimum period required by your local law, if longer). The “Last updated” date at the top of this policy tells you when we last revised it. Continuing to use the Service after the change means you accept the updated policy.

18. Complaints

If you have a privacy complaint, please email us first at privacy@[domain]. We aim to respond within 30 days. If you are not satisfied with our response, you can refer the complaint to your local privacy regulator (see the relevant region-specific notice in section 16).

© [Year] [Your full legal name] trading as HomeAtlas. All rights reserved.