Privacy Policy

PocketGrow is an Australian family money app operated by PocketGrow Pty Ltd (ABN TODO), of TODO — registered address. Parents and carers create the family account, then add child and teen profiles under their supervision. In this policy, "we", "us" and "PocketGrow" refer to PocketGrow Pty Ltd, the data controller for personal information you provide.

This policy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We collect the minimum information needed to run the service:

• Parent / carer account: name, email address, password hash, and (if you subscribe) billing identifiers returned by our payments provider. We do not store full card numbers.
• Child & teen profiles: first name or nickname, age or year level, avatar, and a parent-set passcode. Children do not provide an email address to us.
• Family activity: chores, jars, savings goals, allowance history, lesson progress and in-app rewards.
• Device & usage data: IP address, device type, browser, pages viewed and basic event timestamps, used for security, debugging and product improvement.
• Support correspondence: messages you send us via email or the contact form.

• Provide the service — run chores, jars, goals, lessons and the parent dashboard.
• Account & billing — create accounts, authenticate logins, process subscriptions and send receipts.
• Safety & integrity — detect abuse, prevent fraud, enforce our Terms and keep children's profiles private.
• Communications — the weekly family summary, transactional emails (password resets, receipts) and important service notices. Marketing emails are opt-in and you can unsubscribe at any time.
• Improvement — aggregated, de-identified analytics to understand which features help families and which need work.
• Legal compliance — meeting our obligations under Australian law, including tax and consumer protection.

PocketGrow is designed for families. Child and teen profiles are created and managed by a parent or carer, who is responsible for supervising their child's use of the app. We:

• do not knowingly collect children's data without parent action;
• do not show or sell child profile data for advertising;
• do not feature identifiable child profiles in marketing material;
• let the parent edit, export or delete any child profile at any time from Parent settings → Family.

We use a small number of trusted providers to operate PocketGrow. Each is bound by a data-processing agreement and processes data only on our instructions:

• Supabase — database, authentication and file storage (data hosted in Sydney / AWS ap-southeast-2 where available).
• Cloudflare — content delivery, DDoS protection and edge runtime for the website and API.
• Stripe — subscription billing and payment processing. Card data is handled by Stripe and never touches our servers.
• Resend — transactional and family-summary email delivery.
• Privacy-respecting analytics — aggregated product analytics (no cross-site advertising trackers).

We will update this list before adding any new subprocessor that handles personal data. You can request the current list at any time by emailing privacy@pocketgrow.app.

We store data in Australia where the option is available, and otherwise in regions operated by our subprocessors above (primarily Australia, the United States and the European Union). When data leaves Australia, we take reasonable steps to ensure overseas recipients handle it consistently with the Australian Privacy Principles.

• Encryption in transit (HTTPS / TLS) and at rest for our databases.
• Row-level access controls so families can only see their own data.
• Hashed passwords (never stored in plain text).
• Least-privilege access for staff, audited via our hosting providers.
• Regular dependency and security scanning.

No system is perfectly secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

We keep personal information only for as long as we need it:

• Active accounts: retained while your family account is open.
• Account deletion: when you delete your family account from Parent settings, profiles and activity are soft-deleted immediately and permanently erased within 30 days, except where we must keep records for legal, tax or fraud-prevention reasons (typically up to 7 years for billing records under Australian tax law).
• Inactive accounts: if an account is inactive for 24 months, we'll email the parent and then schedule the account for deletion if there is no response within 30 days.
• Backups: encrypted backups roll off within 35 days of deletion.
• Support emails & logs: kept for up to 24 months for security and quality purposes, then deleted or de-identified.

We use strictly necessary cookies to keep you logged in and remember your preferences. We use privacy-respecting product analytics to understand aggregate usage. We do not run cross-site advertising trackers and we do not sell personal information.

Under the Australian Privacy Principles you may:

• request access to the personal information we hold about you;
• ask us to correct information that is inaccurate or out of date;
• request deletion of your account and associated data;
• export your family's activity data in a portable format (CSV/JSON) on request;
• complain about how we have handled your personal information.

To make any of these requests, email privacy@pocketgrow.app from the email address on the family account. We will verify your identity and respond within 30 days. If you're not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au.

We'll update the "Last updated" date at the top of this page when we make changes. Material changes will also be announced via email to the parent on the family account before they take effect.

Privacy & data requests: privacy@pocketgrow.app
General support: support@pocketgrow.app
Contact form: /contact

Postal: PocketGrow Pty Ltd — Privacy Officer, TODO — registered address, Australia.