Privacy Policy

Last updated: 21 May 2026

Understanding Zoe Pty Ltd (ACN 679 740 044) of Woolooware, NSW 2230 (“Understanding Zoe”, “we”, “us” or “our”) is committed to respecting your privacy.

This privacy policy (“Privacy Policy” or “Policy”) sets out how we collect, use, process, store, share and disclose your Personal Information on our Website (https://understandingzoe.com/) and the Understanding Zoe mobile app, a neuroaffirming platform designed to help parents, guardians, and other trusted adults support neurodivergent children. The Services include tools for record-keeping, observation, care team coordination (our “Village” feature), educational resources, AI-assisted guidance (our “Pip” assistant), and reporting (together the “Services”). You can view our Terms and Conditions and contact us at hello@understandingzoe.com.

We are committed to protecting your privacy and respecting and upholding your rights under the Australian Privacy Principles (“APPs”) contained in the Privacy Act 1988 (Cth) and the General Data Protection Regulation (EU 2016/679) (the “GDPR”) and any other relevant laws pertaining to the privacy of individuals in jurisdictions in which our Services are available (collectively, “Privacy Laws”). We are a data controller for the purposes of the GDPR. We ensure that we will take all necessary and reasonable steps to comply with the relevant Privacy Laws and to deal with inquiries or complaints from individuals about compliance with the relevant Privacy Laws.

By accessing and using our Services, you acknowledge our collection, use, processing, storage and disclosure of your Personal Information as set out in this Privacy Policy.

1. What information is collected by Understanding Zoe?

Personal information is any information or opinion relating, directly or indirectly, to an identified or reasonably identifiable natural person (“Personal Information”), whether the information or opinion is true or not or recorded in material form or not. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The type of Personal Information we collect from you includes the following:

  • Identification and contact details: your full name, email address, telephone number(s), and your child(ren)’s full name, date of birth, and any diagnosis, assessment, or inkling.
  • Sensitive information (including health information): see section 3 below.
  • Billing and subscription information: subscription status, purchase history, and transaction identifiers we receive from the App Store, Google Play, or our payment processor. We do not collect or store credit or debit card numbers. Payment card details are handled directly by Apple, Google, or our payment processor.
  • Traffic information: your device type, device identifiers, approximate location information, computer and connection information, screen resolution, site and app usage, session information, statistics on page views, traffic to and from the Services, IP address, and standard web log information.
  • Product Information: details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries.
  • Provided Information: any additional information relating to you that you provide to us directly or indirectly through use of our Services or through other websites or accounts from which you permit us to collect information, such as related social media sites.
  • User Content: any information which you publicly post to Understanding Zoe or social media sites via our Services.
  • Survey and feedback information: information you provide to us through customer surveys or requests for feedback.
  • Biographical information: information provided when you inquire about or apply for a position with Understanding Zoe.
  • any other Personal Information that may be required in order to facilitate your dealings with us.

2. How Do We Collect Your Personal Information?

We will collect Personal Information only by lawful means. Generally, we will collect your Personal Information:

  • directly from you, where you provide information to us or interact with us;
  • automatically in the course of using our Services (for example, through analytics and attribution tools in our app); and
  • from our business partners or other third-party sources that provide consumer data, such as information about your interests, demographic information, and marketing details.

You can deal with us anonymously or by using a pseudonym except where it is impracticable for you to do so. If you choose not to provide identifiable information to us, we may be unable to provide you with any or all of our Services as requested. If you wish to remain anonymous when you use our Services, do not sign into it or provide any information that might identify you.

We require individuals to provide accurate, up to date and complete Personal Information at the time it is collected.

3. Sensitive Information

We collect sensitive information, including health information, as defined under the Privacy Laws. Sensitive information is collected only where it is reasonably necessary for our business functions or activities, and:

  • you have provided your explicit consent; or
  • the collection is required or authorised by law; or
  • another exception under the relevant Privacy Laws applies.

We collect sensitive information for purposes such as:

  • providing you with the Services;
  • managing and responding to your enquiries or concerns;
  • complying with legal, regulatory, or professional obligations.

Sensitive information will be handled with the highest level of security and confidentiality. For more information on how we protect your sensitive information, please refer to sections 5, 6 and 7 below.

We collect health information provided by users in the course of their use of the Services. The types of health information we collect include:

  • information relating to developmental, behavioural, or neurodivergent profiles;
  • behavioural observations and notes, including information about emotional regulation, sensory needs and triggers, helpful strategies, and care approaches;
  • external assessment reports, clinical letters, and similar supporting documentation that you choose to import or upload, including through our email import feature;
  • progress updates, observations, and notes about a child’s development or wellbeing; and
  • preferences or decisions about approaches to therapy, interventions, or care strategies.

We do not collect or use genetic information or government-issued healthcare identifiers (such as Medicare numbers).

4. Information about Children and Minors

The Services are designed to be used by adults: parents, guardians, and members of a child’s village (such as family, educators, allied health professionals, and support workers). Children are not direct users of the Services.

Personal information about a child is provided by their parent or guardian, who represents that they have the authority under applicable law to share that information and to consent to its use as described in this Privacy Policy. Adults acting as members of a village may only view or contribute to a child’s profile with the explicit invitation and permission of the parent or guardian.

We treat children’s Personal Information with heightened care. We minimise the information we collect, rely on the explicit consent of the parent or guardian, and will permanently delete a child’s records when the associated account is deleted.

If any user of the Services is a minor in the jurisdiction in which they reside (generally under the age of 18), that minor must have the permission of, and be directly supervised by, their parent or guardian to use the Services. If you are a minor, you must have your parent or guardian read and agree to our Terms and Conditions.

5. How your Personal Information is used

We use, process and disclose your Personal Information for the purposes for which the information is collected, or for a directly related purpose, including:

  • providing our Services to you;
  • collating information for more effective use by your care team;
  • providing AI-assisted guidance through our Pip assistant, which processes your messages and relevant context (such as profile information and recent observations) to generate neuroaffirming responses. Pip provides general guidance and is not medical advice, and is not used to make automated decisions that produce legal or similarly significant effects on you;
  • generating searchable representations of the records, documents, and knowledge base articles in your account so that Pip and search features can retrieve relevant information;
  • administering, protecting, improving, or optimising our Services (including performing data analytics, conducting research, and for advertising and marketing purposes);
  • managing, operating, and improving our services and growing our business, including understanding our customer base and the effectiveness of our marketing, events, promotional campaigns and publications, and diagnosing or fixing technology problems;
  • creating industry reports from de-identified data;
  • verifying your age and ensuring appropriate consent for Personal Information relating to a minor;
  • billing you for purchasing our products and services;
  • conducting draws, contests, surveys, rewards and other promotional activities sponsored or managed by us;
  • informing you about our Services, draws, products, services, rewards, surveys, contests, or other promotional activities or events sponsored or managed by us;
  • responding to any inquiries or comments that you submit to us;
  • verifying your identity and managing permissions for people you invite to access your health information;
  • any other purpose you have consented to; and
  • any use which is required or authorised by Privacy Laws, including detecting, investigating and preventing conduct which may violate our policies, is fraudulent or illegal, and to protect the rights of Understanding Zoe or you.

6. Who we may need to disclose your Personal Information to

We will only disclose your Personal Information as required for the purposes listed in section 5 above. We may disclose your Personal Information to:

  • Service Providers: third parties we ordinarily engage to perform functions on our behalf for the purposes set out in section 5. We disclose only the Personal Information required for the relevant function.
  • Consented Parties: any person or entity to whom you have expressly consented to us disclosing your Personal Information. This may include:
    • Educators: classroom teachers and support staff you invite who may access information you choose to share for classroom support and reasonable adjustments.
    • Allied Health Professionals: therapists and clinicians you invite who may access relevant information to coordinate strategies, track progress and support care planning.
    • Support Workers: individuals you invite who assist with daily living or behavioural support.
    • Family Members: parents, guardians, or other family members you nominate who may access information to coordinate care and collaborate with the individual’s team.
    • Researchers: academic or research partners engaged under a formal data-sharing agreement and ethics approval to receive de-identified or aggregate data.
  • Analytics Providers: as part of providing, measuring, and improving the Services, we engage analytics providers who receive information about how the Services are used. We limit the information disclosed to analytics providers, and any analytics involving health information is de-identified.
  • Related Bodies: we may share information with other entities in the Understanding Zoe corporate group, for purposes consistent with this Privacy Policy and, where health information is involved, on a need-to-know basis.
  • External Advisors: our external business advisors, auditors, lawyers, insurers, and financiers where reasonably necessary. Health information will be limited or de-identified where practicable to do so.
  • Payment Providers: our payment processing service providers to enable billing transactions.
  • Legal: any person or entity to whom we are required or authorised to disclose your Personal Information in accordance with the relevant Privacy Laws.

Disclosure of your Personal Information to Service Providers

We will only disclose any Personal Information you have provided to any entity other than Understanding Zoe where it is necessary and appropriate to facilitate the purpose for which your Personal Information was collected pursuant to this Privacy Policy. This may include, but is not limited to, disclosing information to the following categories of service providers:

  • Infrastructure and data hosting providers: the cloud platforms that host our databases, file storage, authentication, and backend services. Primary data hosting is located in Australia. Our database and backend services are provided by Supabase, running on Amazon Web Services.
  • Artificial intelligence providers: Anthropic, PBC provides the large language model that powers our Pip assistant, and Voyage AI provides the embeddings used to enable search and retrieval. These providers process your information only to return AI responses or embeddings, and do not train their models on your data.
  • Voice synthesis provider: ElevenLabs is used to convert Pip’s text replies into spoken audio when you use the voice feature. We send only the text of the reply we want spoken; we do not send your account identifier, your child’s profile, or any of your stored observations or documents. Audio is generated on demand and is not retained by ElevenLabs beyond what is required to deliver the response to your device.
  • Transactional email provider: Resend is used to deliver account-related emails (sign-up confirmations, password resets, security notices). We share only the email address and the contents of the specific message being sent.
  • Subscription and payment providers: Apple, Google, Stripe, and RevenueCat together process in-app purchases, web purchases, and subscription status. We do not receive or store credit or debit card numbers.
  • Customer communications provider: Klaviyo is used to send service, onboarding, and (where you have consented) marketing communications. We do not share children’s health information with this provider.
  • Product analytics provider: Mixpanel is used to understand how the Services are used. We send limited account identifiers (such as your name and email, used to identify your profile within Mixpanel) and event data about your interactions with the Services. We do not share children’s health information, observation content, Pip messages, or documents with this provider.
  • Error and performance monitoring provider: Sentry is used to diagnose and fix problems. Personal and health-related content is scrubbed from error logs before they are sent.
  • Mobile attribution provider: AppsFlyer is used to understand which marketing channels introduced users to the app. We do not share health information with this provider.
  • Internal collaboration tools: platforms such as Slack and Google Workspace are used for our internal team communications and operations.

(collectively, Recipients).

We take steps reasonably necessary to ensure your Personal Information is treated securely and in accordance with this Privacy Policy. We use reasonable endeavours to ensure that each Recipient receiving your Personal Information is bound by Privacy Laws (including, where applicable, the standard contractual clauses approved by the European Commission). The standard contractual clauses are available on the European Commission’s website at https://ec.europa.eu/info/law/law-topic/data-protection_en.

A current list of our primary service providers is available on request by contacting hello@understandingzoe.com.

7. How We Store, Protect, and Retain Your Personal Information

We use all reasonably necessary measures to protect the Personal Information we collect through our Services. Your Personal Information is stored in electronic form and protected by a combination of physical, organisational, personnel, and technical measures, including encryption in transit and at rest, access controls, row-level database security, and regular security testing.

We retain your Personal Information only for as long as is necessary to provide the Services and to comply with our legal obligations. Subject to legal retention requirements:

  • when you request account deletion, we permanently and immediately delete your account and associated Personal Information from our systems, and notify our communications and analytics providers to delete the information they hold about you;
  • authentication tokens automatically expire after short periods;
  • we retain Personal Information required for tax, financial, or compliance obligations for the period required by law.

You can delete your account at any time directly from within the Understanding Zoe app by going to Settings and selecting “Delete account”, or by contacting us at hello@understandingzoe.com.

If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by the relevant Privacy Laws, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

8. What is our legal basis?

Under the GDPR, we must have a legal basis to process Personal Information collected from individuals residing in the European Union. We rely on several legal bases to process your Personal Information, including:

  • where it is necessary to provide you with access to, and use of, products, services, and websites;
  • for our legitimate interests to provide, operate, and improve our Services;
  • where you have freely and expressly consented to the processing of your Personal Information by us, which you may withdraw at any time; or
  • where we are under a legal obligation to process your Personal Information.

9. Cross-Border Disclosure of Personal Information

This section explains where in the world your Personal Information goes when you use the Services, and the legal protections we put in place when it leaves Australia. We give you this detail because Australian Privacy Principle 8 and Chapter 5 of the GDPR both require us to tell you which countries your information is disclosed to, and on what legal basis.

Where your information is processed

Our primary database, file storage, authentication, and backend services are hosted in Australia (specifically in the Sydney region of Amazon Web Services, operated by our infrastructure provider Supabase). Most of your information, including all observations, uploaded records, and Pip conversations, is stored in Australia.

Some of our service providers process information outside Australia. As at the date of this Privacy Policy, those providers and their countries of processing are:

  • United States of America: Anthropic, Voyage AI, ElevenLabs, Klaviyo, Mixpanel, Sentry, Stripe, RevenueCat, Resend, Apple, Google, and Google Workspace.
  • Israel, member states of the European Union, and the United States: AppsFlyer (multi-region attribution platform).

What each provider processes, and what we do not share with them, is set out in Section 6.

We may add new providers, or existing providers may add new countries of processing, after this Privacy Policy is published. Where we do, we will update this Section in the next revision of the Policy. The current list of providers and processing countries is also available on request by contacting hello@understandingzoe.com.

Legal basis for overseas disclosure

For each overseas recipient, we ensure that at least one of the following is in place before your information is disclosed:

  • Standard Contractual Clauses: a written agreement with the recipient that includes the European Commission’s Standard Contractual Clauses (or the equivalent UK Addendum where applicable), binding the recipient to data-protection obligations equivalent to those required under the GDPR.
  • Adequacy decision: where the recipient operates from a country that has been formally recognised by the European Commission as providing an adequate level of data protection.
  • Your explicit consent: in the limited circumstances where you have provided informed, explicit consent to a specific overseas disclosure and no other safeguard is available.

For users in Australia, where we disclose your Personal Information to an overseas recipient, we take steps that are reasonable in the circumstances to ensure the recipient does not breach the Australian Privacy Principles in relation to your information. This typically takes the form of a written agreement that binds the recipient to data-protection obligations consistent with the APPs. In the limited circumstances where a recipient operates from a country whose laws or binding scheme provide a level of protection substantially similar to the APPs, we may rely on that scheme.

Our responsibility for overseas recipients

Section 16C of the Privacy Act 1988 (Cth) makes us accountable for the acts and practices of overseas recipients that handle your Personal Information as if we had performed those acts ourselves, except in limited circumstances. Where we rely on a contractual or adequacy-based safeguard, we still retain responsibility under Australian law for how that recipient handles your information.

Where we will not disclose

We will not disclose children’s health information, observation content, Pip messages, or uploaded clinical records to any of our analytics, attribution, or marketing providers. Those providers receive only the categories of information identified in Section 6 for each provider.

10. Direct marketing and Communications

Where we:

  • have your express consent (which you may withdraw at any time by contacting us in writing at hello@understandingzoe.com);
  • have a legal basis; or
  • are otherwise permitted by relevant Privacy Laws,

we may use and process your Personal Information to send you information about products and services we believe are suited to you and your interests, or we may invite you to attend special events.

We will not use or disclose your sensitive information (including health information) for direct marketing unless you have given your explicit consent.

At any time, you may opt out of receiving direct marketing communications from us. Unless you opt out, your consent to receive direct marketing communications from us and to the handling of your Personal Information as detailed above will continue. You can opt out by following the unsubscribe instructions included in the relevant marketing communication, or by contacting us in writing at hello@understandingzoe.com.

11. Cookies and App Tracking Technologies

Website cookies

We use cookies, web beacons, and similar technologies (collectively “Cookies”) on our Website. By accessing or using our Website, you agree that we can store and access Cookies in accordance with this Privacy Policy. You will be able to accept or reject the collection of Cookies by us.

Cookies are small files that can be stored on and accessed from a user’s device when the user accesses a website. They enable authorised web servers to recognise you across different websites, services, devices, and browsing sessions.

We may use Cookies to enable users to access and use our Website, including to:

  • identify users of our Website;
  • process user requests;
  • improve user experience;
  • remember user preferences;
  • monitor the use of our Website and analyse our user base;
  • facilitate communication with users;
  • control access to certain content; and
  • protect our Website.

You can delete and refuse to accept browser Cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of the Website. Unless you have adjusted your browser setting so that it will refuse Cookies, our system will issue Cookies when you direct your browser to our Website.

Mobile app tracking technologies

The Understanding Zoe mobile app does not use browser cookies. Instead, the app uses:

  • secure device storage (iOS Keychain and Android Keystore) for authentication tokens;
  • analytics software development kits (SDKs) that measure how the app is used;
  • attribution SDKs that use device identifiers to understand which marketing channel introduced you to the app; and
  • crash reporting tools that collect technical error logs with personal and health-related content scrubbed before transmission.

You can reset or limit the advertising identifier used by these SDKs from within your device’s operating system settings (iOS: Settings > Privacy & Security > Tracking; Android: Settings > Privacy > Ads). You may also request that we delete the information our analytics and communications providers hold about you by deleting your account from within the app, or by contacting us at hello@understandingzoe.com.

12. Choices Regarding Your Privacy

You may be provided with choices on how we collect and process your information, including:

  • opting out of, or adjusting preferences for, cookies when your device accesses the Website;
  • customising your browser settings to disable or reject cookies across the internet (this may affect the functionality of our Services);
  • using your mobile device’s operating system settings to limit how the app collects and uses information for advertising and attribution purposes;
  • unsubscribing from marketing communications via the link included in each email; and
  • deleting your account from within the app (Settings > Delete account), which triggers deletion of your information held by our analytics and communications providers.

13. Notices Specific to Certain Jurisdictions

We are dedicated to ensuring that individuals in certain jurisdictions have access to their privacy rights as provided by the Privacy Laws of your jurisdiction. We have set out details below dependent on your location.

Australia

You have the right to both ask:

  • for access to Personal Information that we hold about you; and
  • that we correct Personal Information we hold about you.

If you ask, we must within a reasonable timeframe give you access to your Personal Information and take reasonable steps to correct it if we consider it is incorrect, unless there is a legal basis preventing us from doing so. We will notify you in writing and explain our reasons if we refuse to give you access to, or correct, your Personal Information. We do not charge a fee for making a request and will not charge an excessive fee for providing access to your Personal Information.

European Economic Area

For the purposes of the GDPR, we are a “data controller” of your Personal Information. Under the GDPR, an individual residing in the European Union has enhanced privacy rights, including the right to:

  • require us to correct any Personal Information held about you that is inaccurate or incomplete;
  • require the deletion of Personal Information concerning you in certain situations;
  • data portability for Personal Information you provide to us;
  • object or withdraw your consent at any time to the processing of your Personal Information;
  • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you; or
  • otherwise restrict our processing of your Personal Information in certain circumstances.

Should we decline you access to your Personal Information, we will provide a written explanation setting out our reasons for doing so. These rights are limited in some situations, for example, where we can demonstrate that we have a legal requirement to process your Personal Information. In some instances, this means that we may retain some data even if you withdraw your consent.

We may charge a reasonable fee that is not excessive to cover the charges of retrieving your Personal Information from our customer account database. We will not charge you for making the request.

If you believe that we hold Personal Information about you that is not accurate, complete, or up to date, then you may request that your Personal Information be amended. We will respond to your request to correct your Personal Information within a reasonable timeframe, and you will not be charged a fee for correcting your Personal Information.

14. Access, Management, or Deleting your Personal Information

Subject to some exceptions provided by the relevant Privacy Laws, you may request access to your Personal Information in our customer account database, or seek correction of it, by contacting us at hello@understandingzoe.com. You can also delete your account and all associated Personal Information directly from within the Understanding Zoe app by going to Settings and selecting “Delete account”.

Should we decline you access to your Personal Information, we will provide a written explanation setting out our reasons for doing so. We may charge a reasonable fee that is not excessive to cover the charges of retrieving your Personal Information from our customer account database. We will not charge you for making the request.

If you believe that we hold Personal Information about you that is not accurate, complete, or up to date, then you may request that your Personal Information be amended. We will respond to your request to correct your Personal Information within a reasonable timeframe, and you will not be charged a fee for correcting your Personal Information.

If we no longer need your Personal Information for any of the purposes set out in this Privacy Policy, or as otherwise required by Privacy Laws, we will take such steps as are reasonable in the circumstances to destroy your Personal Information or to de-identify it.

15. Third Party Sites and Services

Our Services may contain links to other third party websites and services including social media networks. This Privacy Policy applies solely to information collected by us via our Services.

16. Data Breach Notification

Understanding Zoe is committed to protecting your Personal Information. If we become aware of a data breach that is likely to result in serious harm to any individual whose Personal Information is affected, we will comply with our obligations under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth) and the equivalent breach notification provisions of the GDPR. This includes notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) or the relevant supervisory authority within the timeframes required by law.

17. Contacting Us

If you require further information regarding our Privacy Policy or wish to make a privacy complaint, please contact us in writing at hello@understandingzoe.com. We will make every effort to investigate and respond to your complaint in a timely manner, and within 30 days where practicable.

If you are dissatisfied with the outcome of our investigation, you may take your privacy-related complaint to the Office of the Australian Information Commissioner (OAIC). For information on making a complaint to the OAIC, please visit the OAIC’s website Privacy Complaints or phone 1300 363 992. You can also contact the OAIC by:

18. Notices and Revisions

We reserve the right to modify this Privacy Policy in whole or in part from time to time without notice. Non-material changes and clarifications will take immediate effect, and material changes will take effect 30 days after the posting of the amended Privacy Policy on the Website.

19. Enforcement

We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personally identifiable information that cannot be resolved between us and the individual.

Contact us

Understanding Zoe Pty Ltd (ACN 679 740 044)
Woolooware, NSW 2230
Email: hello@understandingzoe.com