Privacy Policy

SteadySelf Pty Ltd (ACN 692 217 360)

Last Updated: December 14, 2025

1. INTRODUCTION

SteadySelf Pty Ltd ("SteadySelf", "we", "our" or "us") is committed to protecting your privacy and handling your personal information responsibly and transparently. This Privacy Policy explains how we collect, use, disclose, protect, and manage your personal information when you use the SteadySelf voice assistant and related services (the "Service").

This policy complies with:

  • Privacy Act 1988 (Cth)

  • Australian Privacy Principles (APPs)

  • Notifiable Data Breaches (NDB) scheme

  • Privacy Amendment Act 2024 (automated decision-making transparency)

By using the Service, you consent to the practices described in this policy and our Terms & Conditions.

2. WHAT INFORMATION WE COLLECT

Depending on how you interact with us, we may collect:

2.1 Personal Details

When you register or contact us, we may collect:

  • Name (first name and/or nickname)

  • Email address

  • Contact phone number (optional)

  • Age or age range (required for age verification and mature minor assessment)

  • Country of residence

  • Any other information you voluntarily provide

We do not require your full legal name, exact date of birth, or residential address for account creation.

2.2 Voice and Interaction Data

When you interact with the voice assistant, we collect:

  • Audio recordings of your voice queries and responses

  • Transcripts generated from your voice input

  • Your responses to voice prompts and self-reflection questions

  • Session timestamps and duration

  • Interaction sequence and content selected

Note: All voice data collection requires your explicit consent as detailed in Section 2.8 below.

2.3 Usage Information

We collect information about how you use the Service:

  • Sessions completed (dates and times)

  • Prompts listened to or engaged with

  • Features accessed

  • Time spent on each session

  • Interaction frequency and patterns

  • Device type and app version

  • IP address (last octet may be masked)

  • Referring source (how you found SteadySelf)

  • Geographic region (city/state level, not exact address)

2.4 Device and Technical Data

We collect information about your device:

  • Device model and hardware specifications

  • Operating system and version

  • Unique device identifier (IDFA, Android Advertising ID)

  • Mobile network information (carrier name only, not phone number)

  • Crash reports and error logs (to fix technical issues)

  • Cookies and similar tracking technologies (browser-based if applicable)

2.5 Information You Choose to Provide

You may optionally choose to share:

  • Your feelings, moods, or emotional state

  • Personal goals or intentions for using the Service

  • Feedback about the Service

  • Demographic information (gender identity, relationship status, cultural background)

  • Information about your interests or preferences for content

We ask that you avoid including highly sensitive personal information in free-text responses:

  • Full legal name (use first name or nickname)

  • Exact date of birth (age range is acceptable)

  • Residential address

  • Medicare number or other health identifiers

  • Financial information

  • Identification numbers from government-issued ID

  • Detailed health diagnoses or medical information

  • Medication names and dosages

  • Information about trauma or abuse

See Section 3.2 of our Terms & Conditions for detailed guidance on sensitive information.

2.6 Information from Integrations

If you authorize SteadySelf to integrate with another application, we may collect information you permit from that service:

  • Calendar availability or schedule information (if you integrate with calendar apps)

  • Mood or health tracking data (if you integrate with health apps like Apple Health or Google Fit)

  • Sleep or activity data (if you integrate with fitness tracking apps)

  • Any other data you explicitly authorise us to access

You control what information is shared through integration settings. Integration is optional and does not affect core Service functionality.

2.7 Aggregated and De-Identified Data

We create aggregated or de-identified datasets by:

  • Removing details that could reasonably identify individuals

  • Combining information from many users to identify trends

  • Analyzing patterns in wellbeing content engagement

  • Reporting statistics on Service usage (anonymously)

De-identified data cannot reasonably be used to identify you and is not subject to privacy restrictions.

2.8 Voice Recording Consent Framework

Voice data collection operates on a tiered consent model:

Tier 1 – Essential (Required for Service Operation):

  • Voice recording and transcription for immediate Service delivery

  • Required to use voice interaction features

  • Recordings retained for 30 days

  • Cannot be opted out (voice interaction cannot function without this)

Tier 2 – Improvement (Optional):

  • Using voice interactions to improve Service quality

  • Training AI models to provide better recommendations

  • Identifying and fixing errors in transcription or responses

  • Optional – you can consent or decline

  • Recordings retained for 30 days then deleted unless you opted in

Tier 3 – Research (Optional):

  • Using de-identified voice data in research

  • Sharing de-identified data with research partners or academic institutions

  • Contributing to mental health research

  • Optional – you can consent or decline

  • Recordings may be retained longer if de-identified and consent given

Tier 4 – Third-Party Sharing (Optional):

  • Sharing voice interactions with trusted service providers (e.g., for analytics or technical support)

  • Optional – you can consent or decline

  • Service providers bound by confidentiality agreements

  • You can withdraw this consent anytime

You manage these consent preferences in your account settings and can change them at any time.

2.9 Children and Minors

We do not knowingly collect personal information from children under 14.

For users aged 14–17:

  • Parental/guardian consent or notification is required (see Terms & Conditions Section 2)

  • Mature minor assessment may apply if the young person is deemed capable of understanding the consequences of using the Service

  • Parent/guardian email is linked to the account

  • Annual recertification of consent is required

  • If we become aware a minor provided information without proper consent, we will delete it

3. HOW WE COLLECT INFORMATION

3.1 Direct Collection

We collect information directly from you when you:

  • Register for an account

  • Update your profile information

  • Interact with the voice assistant

  • Provide feedback or contact us

  • Opt into data collection for specific purposes

  • Integrate third-party applications

3.2 Automatic Collection

We collect information automatically through:

  • Cookies and local storage (to remember your preferences and session)

  • Device identifiers (to prevent fraud and manage accounts)

  • Server logs (to track technical performance and errors)

  • Analytics tools (to understand how the Service is used)

  • Crash reporting (to identify and fix problems)

You can control cookie preferences in your browser settings.

3.3 Third-Party Sources

We may collect information from third parties if you authorize us:

  • Calendar or fitness app integrations (with your permission)

  • Email service for account verification

  • Payment processors (if applicable for premium features)

  • Analytics providers (aggregated data only)

4. HOW WE USE INFORMATION

We use the information we collect for:

4.1 Service Operation

  • Operating the voice assistant and delivering prompts/recommendations

  • Responding to your queries and voice interactions

  • Debugging technical issues and improving performance

  • Ensuring the Service functions correctly

  • Personalizing your experience (session-to-session adaptation)

4.2 Service Improvement and Development

  • Analyzing usage patterns to enhance features

  • Identifying which prompts or content are most helpful

  • Developing new products and services

  • Understanding users' needs and preferences

  • Improving speech recognition and AI accuracy

  • Testing new features before full deployment

4.3 Communications with You

  • Sending transactional emails (account confirmation, password reset, billing)

  • Service announcements (downtime, major updates)

  • Responses to your inquiries or support requests

  • Marketing communications (only if you opt-in; you can unsubscribe anytime)

4.4 Safety and Misuse Prevention

  • Detecting and preventing fraud or account abuse

  • Identifying potential security breaches

  • Enforcing our Terms & Conditions

  • Protecting SteadySelf, users, and the public

  • Investigating violations of our Terms

Note: We do NOT use content analysis to detect crisis language or assess suicidality. See Terms & Conditions Section 3.4.

4.5 Aggregation and De-Identification

  • Creating aggregated datasets for research

  • Generating anonymized statistics about Service usage

  • Contributing to mental health research initiatives

  • Publishing research findings (without identifying individuals)

4.6 Legal Obligations

  • Complying with subpoenas, court orders, or legal requests

  • Responding to government agencies or regulators (e.g., OAIC)

  • Fulfilling notifiable data breach obligations

  • Investigating potential crimes or harm

4.7 Automated Decision-Making (Artificial Intelligence)

SteadySelf uses AI to make or substantially assist in the following decisions:

Prompt Sequencing Decision:

  • Personal information used: Your previous responses, stated mood, interaction history

  • Decision: Which mindfulness prompt or self-reflection exercise to offer next

  • Impact: Affects content you receive during sessions

  • Your right: You can request information about this decision, request human review, or request to be shown random prompts instead

Content Prioritization Decision:

  • Personal information used: Your engagement history, content preferences, prior interactions

  • Decision: Which wellbeing content (breathing exercises, journaling, body scan) to prioritize

  • Impact: Affects the order and frequency of content suggestions

  • Your right: You can opt out and request a default randomized content rotation

Feature Recommendations Decision:

  • Personal information used: Your usage patterns, feature adoption, demographic information

  • Decision: Which Service features or content types to recommend to you

  • Impact: Affects notifications and in-app suggestions

  • Your right: You can disable feature recommendations in settings

Session Adaptation Decision:

  • Personal information used: Your current session interactions, response times, engagement level

  • Decision: Whether to adjust session length, break frequency, or exercise intensity

  • Impact: Affects your immediate user experience

  • Your right: You can manually adjust these settings at any time

We will NOT use your information to make automated decisions that:

  • Determine your access to essential features (all users have equal access)

  • Affect your legal rights

  • Provide medical diagnoses or psychiatric assessment

  • Assess your suicide risk or mental health status

5. WHEN WE SHARE INFORMATION

We may share your information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers to:

  • Host our servers and cloud infrastructure

  • Operate voice processing and speech-to-text functionality

  • Provide analytics and usage reporting

  • Send emails and notifications

  • Process payments (if applicable)

  • Provide customer support

These providers are bound by confidentiality and data protection agreements. They can only use your information to provide services to SteadySelf.

A list of current service providers is available upon request at hello@steadyself.ai

5.2 Legal and Safety Purposes

We may disclose information if:

  • Required by law (subpoena, court order, government request)

  • Necessary to prevent harm to you or others

  • Needed to enforce our Terms & Conditions

  • Responding to investigations by OAIC or other regulators

  • Required by the Notifiable Data Breaches scheme

5.3 Business Transfers

If SteadySelf is involved in a merger, acquisition, asset sale, bankruptcy, or similar transaction:

  • Your information may be transferred as part of that transaction

  • We will notify you of the change and any new privacy choices you may have

  • The acquiring company must honor this Privacy Policy or provide equivalent protections

5.4 Aggregated or De-Identified Data

We may share aggregated or de-identified data with:

  • Research partners and academic institutions

  • Mental health organizations and advocacy groups

  • Analytics platforms and business intelligence tools

  • External AI model developers (for improvement purposes)

De-identified data cannot reasonably be used to identify you and is not subject to privacy restrictions.

5.5 What We Do NOT Do

  • We do not sell your personal information to third parties. Period.

  • We do not share voice recordings with advertisers

  • We do not sell your name, email, or contact information

  • We do not share your interaction history with marketing companies

  • We do not use your data for targeted advertising without explicit consent

6. INTERNATIONAL DATA TRANSFERS

6.1 Where Your Data Is Stored

SteadySelf is based in Australia. However, our cloud and hosting providers may be located in other countries, including:

  • United States (AWS, Google Cloud, Microsoft Azure)

  • European Union (some backup providers)

  • Other countries as required for technical resilience

6.2 Data Protection for International Transfers

When we transfer personal information outside Australia, we:

  • Ensure recipients are bound by privacy obligations equivalent to Australian law

  • Use Standard Contractual Clauses (SCCs) or equivalent legal mechanisms

  • Conduct due diligence on providers' security practices

  • Obtain your explicit consent where legally required

6.3 Your Rights

You have the right to:

  • Know where your data is stored

  • Request confirmation that international transfers comply with Australian law

  • Request data not be stored internationally (though this may limit Service functionality)

Contact privacy@steadyself.ai to discuss international data transfer preferences.

7. DATA SECURITY AND RETENTION

7.1 Security Measures

SteadySelf uses technical and organizational measures to protect your information:

  • Encryption in transit (TLS 1.3 or higher)

  • Encryption at rest (AES-256 or equivalent)

  • Access controls and authentication (passwords, two-factor authentication)

  • Regular security audits and penetration testing

  • Staff training on data protection

  • Incident response procedures for data breaches

  • Regular backups of critical data

  • Monitoring for unauthorized access

We encourage you to:

  • Use strong, unique passwords

  • Protect your device from unauthorized access

  • Keep your software updated

  • Report suspicious activity immediately

However, no system can be 100% secure. We cannot guarantee absolute security of your information.

7.2 Data Retention Periods

Voice recordings:

  • Retention period: 30 days

  • Reason: Service operation; deleted unless user consents to Tier 2/

Transcripts:

  • Retention period: 30 days

  • Reason: Service operation; deleted unless user consents to Tier 2/3

Account information:

  • Retention period: During active account + 90 days after deletion

  • Reason: Support, billing, legal/regulatory purposes

Interaction history:

  • Retention period: 90 days

  • Reason: Usage analytics and Service improvement

De-identified data:

  • Retention period: Indefinite

  • Reason: Research and product development (cannot identify you)

Legal hold:

  • Retention period: Longer if required

  • Reason: Court orders, investigations, regulatory requests

You may request deletion of your data at hello@steadyself.ai (subject to legal retention requirements and data already incorporated into de-identified datasets).

7.3 Data Breach Response

If a data breach occurs that is likely to cause serious harm, we will:

  • Investigate the breach immediately

  • Assess the information affected and risk level

  • Notify you without unreasonable delay (typically within 30 days)

  • Notify the OAIC if required

  • Provide recommendations for protective steps

See Terms & Conditions Section 8.3 for detailed breach notification procedures.

8. YOUR RIGHTS AND ACCESS TO YOUR INFORMATION

8.1 Access Your Information

You have the right to request access to personal information we hold about you. To request:

  • Email: hello@steadyself.ai

  • Include: Your name, account details, and a description of the information you're seeking

  • We'll respond within 30 days (or longer if legally permitted)

8.2 Correct Your Information

You have the right to ask us to correct inaccurate or out-of-date information:

  • Log into your account and update directly (where available)

  • Email: hello@steadyself.ai to request corrections

  • We'll correct information promptly and confirm the change

8.3 Delete Your Information

You have the right to request deletion of your account and associated data:

  • Log into your account and request account deletion (if available)

  • Email: hello@steadyself.ai with "Data Deletion Request" in the subject line

  • Include: Your account details and reason for deletion (optional)

  • We'll delete your account and personal information within 30 days (or as required by law)

Note: De-identified data that has been aggregated or used in research cannot be deleted (it no longer identifies you).

8.4 Opt Out of Marketing Communications

You can unsubscribe from marketing emails by:

  • Clicking the unsubscribe link in any marketing email

  • Logging into your account and adjusting communication preferences

  • Emailing: hello@steadyself.ai with "Unsubscribe" in the subject line

8.5 Opt Out or Modify Consent for Voice Data

You can modify your voice data consent preferences:

  • Log into your account and adjust Tier 2–4 consent settings

  • Opt out of AI training or research use

  • Request a data export before deletion

  • Change your mind at any time (consent withdrawal effective immediately for new data)

8.6 Automated Decision-Making Rights

For each automated decision affecting you, you have the right to:

  • Request information about the decision and information used

  • Request human review or reconsideration of the decision

  • Opt out of automated decision-making where technically possible

  • Lodge a complaint with OAIC if you believe the decision is unfair

To exercise these rights, email: hello@steadyself.ai with details of the specific decision in question.

8.7 Complaint to OAIC

If you believe SteadySelf has mishandled your personal information or breached the Privacy Act, you can lodge a complaint with:

Office of the Australian Information Commissioner (OAIC)

9. LINKS TO OTHER SERVICES

The Service may include links or integrations with third-party applications or websites. SteadySelf is not responsible for:

  • Privacy or security practices of third-party services

  • Data handling by external applications

  • Service interruptions at third-party platforms

  • Content or policies of third-party services

We encourage you to read the privacy policies of any third-party services before providing information to them.

10. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect:

  • Changes in our data practices

  • Changes in applicable law or regulations

  • Improvements to our services

  • User feedback and requests

When we update this policy, we will:

  • Post the updated policy on our website and within the Service

  • Update the "Last Updated" date at the top of this policy

  • Provide notice of material changes (where legally required)

Your continued use of the Service after an update constitutes acceptance of the revised policy. If you do not accept changes, you may request account deletion.

11. CONTACT US

For questions or requests regarding privacy, please contact:

Email: hello@steadyself.ai

Privacy Officer: privacy@steadyself.ai

Mailing Address:

SteadySelf Pty Ltd

[Insert registered office address in NSW]

Office Hours: [Insert hours] AEDT

Response Target: We will endeavor to respond to privacy inquiries within 14 business days.

12. GLOSSARY OF KEY TERMS

  • "Australian Privacy Principles (APPs)" – 13 principles governing how the Australian Privacy Act applies to personal information

  • "De-Identified Data" – Information from which individual identifiers have been removed and cannot reasonably be used to identify you

  • "Eligible Data Breach" – Unauthorized access, disclosure, or loss of personal information likely to cause serious harm

  • "Personal Information" – Information about an identified individual or one who can be reasonably identified

  • "Privacy Act 1988 (Cth)" – Australia's primary privacy legislation governing collection, use, and disclosure of personal information

  • "Notifiable Data Breaches (NDB) Scheme" – Requirement to notify OAIC and affected individuals of eligible data breaches

  • "Service Provider" – A third party contracted to process personal information on our behalf (e.g., cloud hosting, analytics)

  • "Serious Harm" – Financial loss, reputational damage, physical harm, or psychological harm (assessed objectively)

VERSION HISTORY

  • Version 2.0: December 14, 2025 – Final refined version with clarified voice consent framework (Tier 1-4), specific data retention periods (30-90 days), detailed automated decision-making disclosures with opt-out mechanisms, improved international transfer explanations, and international crisis support references

These Terms & Conditions and Privacy Policy work together to protect your privacy while allowing SteadySelf to operate and improve the Service. Please read both documents carefully.

If you have any questions about how SteadySelf handles your personal information, contact hello@steadyself.ai

Privacy-first by design. Crisis-ready by purpose.

This is not therapy. This is not a substitute for
professional help or emergency services.

© 2025 SteadySelf Pty Ltd. All rights reserved.
