Privacy Policy

Effective Date: September 23, 2025

Last Updated: September 23, 2025

The CareFlow project (the "Operator", "we", "us", or "our") operates the CareFlow calendar application and related services ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you in Australia and the United States.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. What We Collect

1.1 Information You Provide

• Account data (name, email, profile details)
• Calendar events, appointments, reminders, and notes
• Files or attachments you upload to calendar events
• App preferences and settings
• Support requests and communications

1.2 Information from Your Use of the Service

• Device identifiers and fingerprinting data used for security and fraud prevention
• Device type and user agent information
• Usage analytics and event logs
• IP address and approximate location

1.3 Third-Party Sources

• Stripe payment confirmations and status
• Authentication providers (Google, Facebook) limited to profile and authentication details you authorize

2. How We Use Information

We use information to:

• Provide and maintain the Service (authentication, authorization, device registry)
• Store and sync your calendar data across devices
• Send you reminders and notifications for your events
• Process payments and manage membership
• Improve and secure the Service (debugging, fraud prevention, analytics)
• Communicate updates, security alerts, and support messages
• Comply with legal obligations and enforce our terms

3. Legal Bases (Australia and U.S.)

• Consent: where you have consented (e.g., connecting a social auth provider)
• Contract: to perform our agreement with you
• Legal obligations: to comply with applicable laws
• Legitimate interests: to secure, improve, and grow our Service (balanced against your rights)

4. Data Security

We treat your calendar data with care and implement appropriate security measures. While CareFlow is designed for general calendar use, you should avoid storing highly sensitive or confidential information in calendar entries unless necessary.

5. Sharing and Disclosure

We may share information with:

• Service providers and subprocessors: Firebase (authentication, database, cloud storage), Stripe (payments), and infrastructure providers necessary to operate the calendar Service
• Professional advisors (legal, accounting) under confidentiality
• Law enforcement or regulators as required by law
• A successor entity in case of merger, acquisition, or asset sale

We do not sell your personal information.

6. International Data Transfers

We host and process data primarily in Firebase regions us-central1 (USA) and australia-southwest1 (Australia). Your information may be processed in these regions and, where necessary, in other locations where our service providers operate. We implement appropriate safeguards for cross-border transfers, such as contractual commitments and technical controls.

7. Data Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Where possible, we de-identify or aggregate data.

8. Security

We implement administrative, technical, and physical safeguards appropriate to the risk, including:

• Authentication and access controls
• Encryption in transit and at rest (as supported by Firebase/Stripe)
• Device registry and allowlist enforcement
• Logging and monitoring

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

9.1 Australia (Privacy Act 1988, APPs)

9.2 United States

To exercise your rights, use the in-app contact form to submit privacy requests (access, correction, deletion). The Operator does not provide a public support email or physical address and does not intend to in the future. We will verify requests and respond within timeframes required by law.

10. Cookies, Local Storage, and Tracking

We use cookies and local storage for authentication state, session management, and preferences. You can adjust browser settings to manage cookies; certain features may not function without them.

11. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, please use the in-app contact form and we will take appropriate steps to delete it.

12. Complaints and Requests

12.1 Contact Us

The Operator does not provide a public support email or physical address and does not intend to in the future. All communications and privacy requests (access, correction, deletion) must be submitted via the in-app contact form. No alternative support channels are offered.

12.2 Australia

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy/privacy-complaints

12.3 United States

You may have the right to appeal our decision regarding your privacy request. Instructions will be provided in our response.

13. Breach Notification

We will notify affected individuals and relevant authorities of data breaches as required by law, including the Notifiable Data Breaches scheme in Australia and applicable U.S. state breach notification laws.

14. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you by updating the Effective Date and providing notice through the Service or via email where appropriate.