Privacy Policy v2026-05-14
Effective date: 2026-05-14
JoeyMate is a baby and family care tracking application operated by Grimstac (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By creating an account you confirm you have read and agree to this policy.
1. Who we are
Grimstac operates JoeyMate from Victoria, Australia. Contact: [email protected]
2. What personal information we collect
We collect personal information that is reasonably necessary to provide the service:
- Account information: username, display name, and email address.
- Health and care information (sensitive): feeding records, sleep records, nappy changes, growth measurements, medication/medical notes, and any notes you enter about your child. This is treated as sensitive information under the Privacy Act.
- Child profile data: child’s first name, date of birth, gender, and birth weight — provided voluntarily by you.
- Photos and notes: optional profile images, care record attachments, family-feed posts, comments, and media you choose to upload.
- Push notification tokens: device tokens stored to deliver in-app alerts you opt into.
- Subscription records: product ID, store platform, transaction or receipt identifiers, purchase status, and expiry dates for JoeyMate Plus. We do not receive or store your card or bank details.
- Technical and security logs: truncated (last-octet anonymised) IP address, request timestamp, and browser/device type, retained for up to 90 days for security monitoring purposes only.
We do not collect precise geolocation, government identifiers, financial information, or advertising identifiers.
3. How we collect personal information
We collect information directly from you when you register, create or update a child profile, log care events, or contact us. We do not collect information from third parties.
4. Why we collect and how we use it
Personal information is collected and used only to:
- Create and maintain your account;
- Display care records and analytics to you and co-carers you invite;
- Send you push notifications you have explicitly enabled;
- Send transactional emails (account verification, password reset) — no marketing emails;
- Detect and prevent fraudulent or abusive activity; and
- Comply with legal obligations.
We do not use your personal information for direct marketing, advertising, or any purpose beyond operating this service.
5. Disclosure to third parties
We do not sell, rent, or share personal information with third parties for advertising or commercial resale. Information is disclosed only where needed to operate JoeyMate:
- To hosting, infrastructure, email, and security providers that process data on our behalf;
- To Apple App Store and Google Play for subscription purchase validation and subscription management;
- Where required or authorised by Australian law;
- To prevent a serious and imminent threat to life or safety; or
- To co-carers that you explicitly invite into your account via the Invite feature.
6. Cross-border disclosure
Primary app data is stored on servers located in Australia. Some service providers, including app store, email, and infrastructure providers, may process limited account, device, transaction, or support data outside Australia. Where this occurs, we take reasonable steps to ensure those providers protect personal information consistently with this policy and applicable law.
7. Children’s data
JoeyMate is intended for use by adults (18+) who are parents or carers. Children’s health and care information is entered by, and accessible only to, the parent or carer account holders who created and manage that child’s profile. We do not knowingly allow children under 18 to create accounts. If you believe a minor has created an account, contact us and we will delete it promptly.
Child profile data is treated as sensitive information and afforded the highest level of protection we apply.
8. Data storage and security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure, including:
- All data transmitted via HTTPS/TLS encryption;
- Passwords hashed using bcrypt (cost factor 12);
- Authentication tokens (JWT) stored only on your device and rotated on logout;
- Rate limiting and account lockout on login attempts;
- Audit logging of security-relevant actions;
- IP anonymisation in server logs; and
- Access to production systems limited to authorised personnel only.
9. Data breach notification
If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act, generally within 72 hours of becoming aware of the breach. We will notify you via the email address on your account.
10. Data retention and deletion
Your data is retained while your account is active. You may permanently delete your account and associated personal data at any time from Account → Delete Account in the app, from our account deletion page, or by emailing [email protected]. Deletion is irreversible. We may retain records that we are legally required to keep, limited subscription transaction records needed for tax/accounting or fraud prevention, and anonymised security logs for up to 90 days after account deletion.
11. Your rights — access and correction
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you — use Account → Export My Data for a full JSON export, or email [email protected];
- Correct inaccurate or out-of-date personal information — update it directly in the app’s Account settings, or contact us; and
- Complain about how we handle your personal information (see section 12 below).
We will respond to access or correction requests within 30 days.
12. Complaints
If you have a concern about how we handle your personal information, please contact us first:
Email: [email protected]
We aim to resolve complaints within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
13. Anonymity and pseudonymity
Where lawful and practicable, you may use a pseudonym (username) rather than your real name. However, a valid email address is required to verify your account and enable password recovery.
14. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email and/or a prompt in the app. Continued use of the service after notification constitutes acceptance of the updated policy.