Privacy Policy
1 March 2026
Pinny (the "App") is committed to protecting your privacy. This Privacy Policy is drafted in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") and explains how we collect, hold, use and disclose your personal information. It also describes how you can access and correct your personal information, and how you can make a complaint if you believe your privacy has been breached.
1. Information We Collect
1.1 Information You Provide
| Collection Point | Information Collected | Purpose |
|---|---|---|
| Account registration | Email address, display name, profile photo (optional), social login identifier | User identification and service provision |
| Service usage | Trip itinerary data, checklists, budget records, journal entries | Core service functionality |
| Location information | Device location data (with your consent) | Map-based services |
1.2 Information Collected Automatically
- Device information (device model, operating system version, app version)
- App usage logs (access timestamps, features used, error information)
- Advertising identifiers (IDFA on iOS / GAID on Android, for advertising delivery and analytics)
- FCM push notification tokens
1.3 How We Collect Information
- From social login providers (Apple, Google, Kakao) during authentication
- Directly from you when you input information into the App
- Automatically through analytics and crash-reporting tools (Firebase Analytics, Crashlytics)
2. Purposes of Collection, Use and Disclosure (APP 6)
We collect and use your personal information for the following purposes:
- Service provision: Trip itinerary management, map-based recording, checklists, budget management, AI-powered itinerary recommendations
- Account management: Identity verification, registration and account deletion processing, customer support
- Service improvement: Usage analytics, new feature development, service quality enhancement
- Advertising: Delivery of personalised advertisements and measurement of advertising effectiveness via Google AdMob
- Safety and security: Prevention of fraudulent use, dispute resolution, complaint handling
- Notifications: Travel reminders, service-related announcements
We will not use or disclose your personal information for a purpose other than the purpose for which it was collected (the "primary purpose"), unless:
- you have consented to the secondary use or disclosure;
- the secondary purpose is related to the primary purpose (or, for sensitive information, directly related) and you would reasonably expect us to use or disclose your information for that purpose; or
- the use or disclosure is required or authorised by or under Australian law.
3. Retention of Personal Information
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Information Type | Retention Period | Basis |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Trip data | Until account deletion | Service provision |
| Access logs | 12 months | Security and troubleshooting |
| Advertising identifiers | 12 months from collection | Advertising analytics |
When personal information is no longer needed, we will take reasonable steps to destroy or de-identify it in accordance with APP 11.
4. Disclosure to Third Parties (APP 6)
We do not sell your personal information. We may disclose your personal information to third parties in the following circumstances:
- Where you have provided your consent;
- To our data processors and service providers as described in Section 5 below, solely for the purposes of providing the Service;
- Where required or authorised by or under Australian law or a court or tribunal order; or
- Where disclosure is reasonably necessary for the enforcement of criminal law, a law imposing a pecuniary penalty, or for the protection of public revenue.
5. Data Processors
We engage the following third-party service providers to assist in delivering the Service:
| Service Provider | Services | Information Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication services | Account information, trip data | Singapore |
| Google LLC | Maps API, advertising (AdMob), analytics (Firebase) | Location data, advertising identifiers, usage logs | United States |
| OpenAI Inc. | AI itinerary recommendation service | Trip itinerary data (de-identified) | United States |
| Railway Corp. | Server hosting | Service operational data | United States |
6. Cross-Border Disclosure of Personal Information (APP 8)
As described in Section 5, your personal information may be disclosed to overseas recipients located in Singapore and the United States.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8. These steps include:
- Conducting due diligence on the recipient's privacy and data protection practices;
- Entering into contractual arrangements requiring the recipient to handle personal information in accordance with the APPs;
- Verifying that the recipient is subject to a law or binding scheme that provides substantially similar protections to the APPs; and
- Ongoing monitoring of the recipient's compliance.
| Recipient | Country | Information Transferred | Transfer Method |
|---|---|---|---|
| Supabase Inc. | Singapore | Account information, trip data | Encrypted network transmission |
| Google LLC | United States | Location data, usage logs | Encrypted network transmission |
| OpenAI Inc. | United States | Trip itinerary data (de-identified) | Encrypted API transmission |
| Railway Corp. | United States | Service operational data | Encrypted network transmission |
7. Access and Correction (APP 12, APP 13)
You have the right to access and correct the personal information we hold about you.
- Access your information: You can view your personal information via the App at Settings > Profile.
- Correct your information: You can update your display name and profile photo via the App at Settings > Profile.
- Request deletion: You can delete all your personal information by deleting your account via Settings > Delete Account.
- Other requests: For any other access or correction requests, please contact us at the address below. We will respond to your request within 30 days.
If we refuse to provide access to, or correct, your personal information, we will provide you with a written notice setting out the reasons for the refusal and the mechanisms available to you to make a complaint.
8. Data Security
- Technical safeguards
- TLS/SSL encryption for all data in transit
- Encryption of sensitive data at rest
- Access controls and role-based permission management
- Regular security updates and vulnerability assessments
- Organisational safeguards
- Minimisation of personnel with access to personal information
- Regular security audits and reviews
9. Notifiable Data Breaches
In the event of an eligible data breach (as defined in Part IIIC of the Privacy Act 1988), we will:
- Carry out a reasonable and expeditious assessment of whether the breach is likely to result in serious harm to any individual;
- If the breach is assessed as an eligible data breach, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable; and
- Include in the notification a description of the breach, the kinds of information involved, and recommendations about steps individuals should take in response.
10. Cookies
The App is a mobile application and does not use web browser cookies. However, we store secure authentication tokens in the device's secure storage (Secure Store) for the purpose of maintaining your login session.
11. Advertising
The App displays advertisements via Google AdMob. You may limit advertising tracking through your device settings:
- iOS: Settings > Privacy & Security > Tracking > Disable tracking for Pinny
- Android: Settings > Google > Ads > Delete advertising ID
12. Children's Privacy
The App does not knowingly collect personal information from children under 15 years of age. If we become aware that personal information has been collected from a child under 15 without appropriate consent, we will take reasonable steps to delete that information promptly.
13. Privacy Officer
If you have any questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer:
14. Complaints
If you believe we have breached the APPs or this Privacy Policy, you may lodge a complaint with us by contacting our Privacy Officer at the address above. We will investigate your complaint and respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
15. Changes to This Privacy Policy
This Privacy Policy is effective from 1 March 2026. We may update this policy from time to time. Any material changes will be notified via in-app notice or push notification prior to the changes taking effect. We encourage you to review this policy periodically.