Updated December, 2025
Privacy Policy
Effective Date: December 2025
Version: Pilot 1.0
Last Updated: December 2025
QUICK SUMMARY
We take your privacy seriously. This policy explains how we collect, use, protect, and share your information.
Key Points:
We collect health information about your child to provide tracking services
We use security measures to protect your data
We will NEVER sell your personal or health information
You can access, correct, or delete your data at any time
You have rights under Australian privacy law
Read the full policy below for details.
1. ABOUT THIS POLICY
1.1 Who We Are
This Privacy Policy is provided by:
Entity: Raffy Allergy
Email: raffy@raffyallergy.com
1.2 What This Policy Covers
This policy explains how we handle your personal information and health information when you use Raffy, including:
What information we collect
Why we collect it
How we use and protect it
Who we share it with
Your privacy rights
1.3 Laws We Follow
We comply with:
Privacy Act 1988 (Cth) - Australian Privacy Principles (APPs)
Health Records Act 2001 (Vic) - Victorian health information privacy
Notifiable Data Breaches (NDB) scheme
Australian Consumer Law
1.4 Changes to This Policy
We may update this policy. If we make material changes, we will notify you by:
Email to your registered email address
In-app notification
At least 30 days' notice
Your continued use after changes means you accept the updated policy.
2. WHAT INFORMATION WE COLLECT
2.1 Personal Information
About You (the parent/guardian):
Name
Email address
Phone number (if you provide it)
Communication preferences
About Your Child:
Name or nickname
Age/date of birth
Gender (optional)
Food allergies and allergens
Medical notes you choose to enter
2.2 Health Information
Tracking Data:
Dose amounts and types
Dose dates and times
Reaction descriptions (symptoms, severity, duration)
Reaction timing and context
Notes about illness, exercise, medications
Patterns and trends (calculated from your entries)
Photos and Documents (if you upload them):
Photos of reactions
Medical documents you choose to share
Screenshots or notes
2.3 Usage Information
How You Use Raffy:
Features you access
Pages you view
Time spent in the app
Frequency of use
Navigation patterns
Search terms used
Technical Information:
Device type (iPhone, Android phone, tablet)
Operating system and version
App version
IP address (general location only)
Browser type (for web version)
Unique device identifiers
Error and Performance Data:
Crash reports
Error messages
Performance metrics
Bug reports you submit
2.4 Feedback and Communications
Survey responses
Feedback you provide
Support requests and conversations
Feature suggestions
Bug reports
2.5 Information We Do NOT Collect
We do NOT collect:
❌ Credit card or payment information (pilot is free)
❌ Social Security or Medicare numbers
❌ Precise GPS location (only general city/region from IP)
❌ Information from other apps on your device
❌ Access to your contacts, photos, or other files (unless you explicitly share)
3. HOW WE COLLECT INFORMATION
3.1 Information You Provide Directly
Most information comes directly from you when you:
Create an account
Enter doses and reactions
Upload photos or documents
Complete surveys
Contact support
Provide feedback
3.2 Information Collected Automatically
Some information is collected automatically when you use Raffy:
Usage patterns (what features you use)
Technical information (device type, OS version)
Error logs (if the app crashes)
Performance data (loading times, etc.)
3.3 Information from Third Parties
We do NOT currently collect information about you from third parties, but in the future we may integrate with:
Healthcare provider systems (with your explicit consent)
Pharmacy services (with your explicit consent)
Electronic health records (with your explicit consent)
We will always notify you and get your consent before collecting information from third parties.
4. HOW WE USE YOUR INFORMATION
4.1 To Provide Raffy Services
Primary Purpose:
Store and display your tracking data
Sync data across your devices
Calculate patterns and trends
Generate reports and summaries
Enable you to export your data
Provide app functionality
4.2 To Improve Raffy
Product Development:
Identify and fix bugs
Understand which features are useful
Develop new features
Improve user experience
Test new functionality
Optimize performance
Research and Analysis:
Analyze de-identified, aggregated usage patterns
Understand how families track doses and reactions
Identify common challenges
Measure feature effectiveness
Inform product decisions
Example: "On average, users log reactions within 2 hours of doses" - helps us design better notification timing
4.3 To Communicate With You
Essential Communications:
Account confirmations
Security alerts
Data breach notifications
Service updates
Pilot program updates
Optional Communications:
Feedback surveys (you can opt out)
Tips for using Raffy (you can opt out)
New feature announcements (you can opt out)
Pilot program news (you can opt out)
4.4 To Provide Support
Respond to your questions
Troubleshoot problems
Process feedback
Resolve complaints
Fulfill data access requests
4.5 To Ensure Security
Detect and prevent fraud
Identify security threats
Monitor for unauthorized access
Investigate suspicious activity
Protect against cyber attacks
4.6 To Comply With Law
Respond to legal requests (subpoenas, court orders)
Report child safety concerns if required
Comply with regulatory requirements
Protect our legal rights
Enforce our Terms of Use
4.7 For Research and Publications
We may use de-identified, aggregated data for:
Academic research on OIT tracking
Conference presentations
Journal publications
Grant applications
Product case studies
Important: We will NEVER publish identifiable information without your explicit separate consent.
You can opt out: Email raffy@raffyallergy.com to opt out of research use
5. HOW WE PROTECT YOUR INFORMATION
5.1 Technical Security Measures
Encryption:
Data encrypted in transit (HTTPS/TLS)
Data encrypted at rest (AES-256 or equivalent)
Encrypted backups
Access Controls:
Strong password requirements
Multi-factor authentication for admin access
Role-based access for team members
Principle of least privilege
Regular access reviews
Infrastructure Security:
Secure cloud hosting ([AWS/Google Cloud/Azure])
Data stored in Australian data centers
Firewalls and intrusion detection
Regular security updates and patches
Automated security monitoring
Backups:
Daily automated backups
Backup encryption
Geographic redundancy
Regular restoration testing
5.2 Limitations
No system is 100% secure. Despite our efforts:
Cyber attacks are possible
Data breaches can occur
Unauthorized access may happen
You can help protect your account by:
Using a strong, unique password
Not sharing your password
Logging out on shared devices
Reporting suspicious activity immediately
Keeping your device secure
6. WHO WE SHARE YOUR INFORMATION WITH
6.1 We Do NOT Sell Your Information
We will NEVER:
❌ Sell your personal or health information
❌ Rent your information to third parties
❌ Trade or barter your information
❌ Share identifiable data for marketing purposes
6.2 Service Providers (Third Parties Who Help Us)
We share information with trusted service providers who help us operate Raffy:
Cloud Hosting:
Provider: [Amazon Web Services / Google Cloud / Microsoft Azure]
Purpose: Store and host your data
Location: Australia (Sydney region)
What they access: All data (secured and encrypted)
You can opt out: Settings > Privacy > Disable Analytics
Email Services:
Provider: [e.g., SendGrid, Mailgun]
Purpose: Send you emails (account notifications, support)
What they access: Email address, name, email content
Customer Support Tools (if used):
Provider: [e.g., Zendesk, Intercom]
Purpose: Manage support tickets and conversations
What they access: Name, email, support conversation content
All service providers:
Are contractually required to protect your data
Can only use data for specified purposes
Must comply with Australian privacy laws
Are carefully selected for security and privacy practices
6.3 Healthcare Providers (With Your Explicit Consent)
Currently: We do NOT share information with healthcare providers
In the future: We may add the ability to share reports with your allergist/immunologist
This will be OPT-IN only (you must explicitly enable it)
You will control what is shared and with whom
You can revoke permission at any time
Additional consent will be required
6.4 Legal Requirements
We may disclose information if required by law:
Court orders or subpoenas - We will notify you unless prohibited
Law enforcement requests - Only if legally required
Child safety concerns - If we believe a child is at risk of harm
Legal proceedings - To defend our rights or comply with legal process
We will only disclose the minimum information necessary and will notify you when permitted by law.
6.5 De-identified, Aggregated Data
We may share de-identified, aggregated data with:
Research partners
Academic institutions
Conference audiences
Grant reviewers
Industry reports
This data cannot identify you or your child. Example: "80% of pilot users logged at least one reaction per week"
7. YOUR PRIVACY RIGHTS
7.1 Right to Access
You can access your information at any time:
In the app:
View all doses and reactions: History tab
View photos and notes: Individual entries
View account information: Settings > Account
Export your data:
Go to: Settings > Account > Export Data
Formats available: CSV, PDF, JSON
Includes: All doses, reactions, notes, photos
Download to your device for backup
Request a copy:
Email: raffy@raffyallergy.com
Subject: "Data Access Request"
We will provide within 30 days
Free of charge (first request)
7.2 Right to Correction
If information is inaccurate or incomplete:
Correct yourself:
Edit entries directly in the app
Update account information in Settings
Request correction:
Email: raffy@raffyallergy.com
Subject: "Data Correction Request"
Specify: What's incorrect and what it should be
We will correct within 30 days
If we disagree:
We will explain why
We will attach your statement to the record
You can complain to OAIC if unsatisfied
7.3 Right to Deletion
You can request deletion of your data:
Delete your account:
Settings > Account > Delete Account
Confirm deletion (this is permanent)
Export your data first (if you want to keep it)
Request deletion:
Email: raffy@raffyallergy.com
Subject: "Delete My Account"
We will delete within 90 days
Confirmation email sent when complete
What gets deleted:
Your account and login credentials
Your personal information
Your child's health information
All doses, reactions, notes, photos
Usage history
What may be retained:
De-identified data in research databases
Aggregated statistics (not identifiable)
Legal compliance records (5-7 years as required)
Backup archives (deleted in next backup cycle)
7.4 Right to Restrict Processing
You can limit how we use your information:
Opt out of research use:
Email: raffy@raffyallergy.com
Subject: "Opt Out of Research"
Your de-identified data won't be used for research
Does NOT prevent bug fixes or feature improvements
Opt out of analytics:
Settings > Privacy > Disable Analytics
Stops collection of usage patterns
May limit our ability to improve the app
Opt out of communications:
Click "Unsubscribe" in emails
Settings > Notifications > Disable optional emails
Essential emails (security, legal) cannot be disabled
7.5 Right to Data Portability
You can receive your data in portable formats:
CSV: Spreadsheet format (opens in Excel, Google Sheets)
JSON: Machine-readable complete data structure
PDF: Human-readable summary reports
To export:
Settings > Account > Export Data
Select format and date range
Download to your device
To transfer to another service:
Export your data
We will provide in formats compatible with common allergy apps
You are responsible for importing to other services
8. DATA RETENTION
8.1 How Long We Keep Your Information
While you use Raffy:
All data retained to provide services
Available for you to access anytime
If you stop using Raffy (but don't delete account):
Data retained for 12 months of inactivity
Then we may contact you about deletion
Deletion after 24 months of inactivity (with notice)
After you delete your account:
Identifiable data deleted within 90 days
De-identified data may be retained for research
Backups purged in next backup cycle (30-90 days)
Legal retention requirements:
Some data must be kept 5-7 years for:
Privacy Act compliance (5 years)
Health Records Act compliance (7 years)
Tax and accounting laws (7 years)
Potential legal proceedings
8.2 De-identified Data
After de-identification:
Data cannot reasonably identify you or your child
May be retained indefinitely for research
Used to improve Raffy and inform research
You can opt out: raffy@raffyallergy.com
9. SPECIAL CONSIDERATIONS
9.1 Children's Privacy
Raffy collects health information about children with parental consent.
As a parent or legal guardian:
You provide information about your child
You control your child's information
You can access, correct, or delete it
You can opt out of research use
We do NOT:
Collect information directly from children under 18
Allow children to create accounts
Market to children
Share children's information for marketing
9.2 Sensitive Information
Health information is considered sensitive under Australian privacy law.
We handle it with extra care:
Collected only with your consent
Used only for purposes you'd reasonably expect
Protected with enhanced security
Shared only as described in this policy
Never sold or used for marketing
9.3 International Data Transfers
Primary storage: Australia (Sydney region)
Some service providers may involve international transfer:
We use providers with adequate data protection
We ensure appropriate safeguards (Standard Contractual Clauses)
We assess privacy laws of destination countries
List of countries: None currently
If you're concerned about international transfer:
Contact raffy@raffyallergy.com
We can explain which services involve transfer
You may be able to opt out of some services
10. DATA BREACHES
10.1 Our Commitment
If a data breach occurs that is likely to result in serious harm:
We will:
Contain the breach immediately
Investigate what happened
Notify you as soon as practicable (generally within 72 hours)
Notify the Office of the Australian Information Commissioner (OAIC)
Explain what data was affected
Advise on steps you should take
Provide support and assistance
Notification will include:
Description of the breach
Type of information involved
Date or period of breach
Steps we've taken
Recommendations for you
Contact information for questions
10.2 Your Actions After a Breach
If you're notified of a breach:
Change your Raffy password immediately
Monitor accounts for suspicious activity
Consider credit monitoring (if financial info affected)
Report any suspicious activity
Contact us with questions: privacy@raffyallergy.com
10.3 Prevention
We work to prevent breaches through:
Regular security audits
Penetration testing
Staff training
Incident response planning
Monitoring and alerting
Rapid response procedures
11. COOKIES AND TRACKING
11.1 Cookies (Web Version)
If you use Raffy on the web, we may use cookies:
Essential cookies:
Keep you logged in
Remember your preferences
Enable core functionality
Cannot be disabled (app won't work without them)
Analytics cookies (optional):
Understand how you use the site
Identify popular features
Measure performance
You can disable: Settings > Privacy > Disable Analytics
We do NOT use:
Advertising cookies
Third-party tracking cookies
Cross-site tracking
Cookies to build profiles for marketing
11.2 Mobile App Tracking
The mobile app does NOT use cookies but does collect:
Anonymous usage data (what features you use)
Error and crash reports
Performance metrics
You can opt out:
Settings > Privacy > Disable Analytics
This may limit our ability to improve the app
11.3 Do Not Track
We respect Do Not Track (DNT) browser settings:
If DNT is enabled, we disable optional tracking
Essential functionality tracking continues
We don't share data with third-party advertisers (we never do anyway)
12. THIRD-PARTY LINKS
Raffy may contain links to external websites for educational purposes.
We are NOT responsible for:
Privacy practices of external sites
Content on external sites
Security of external sites
When you click external links:
You leave Raffy
External sites have their own privacy policies
External sites may collect your information
Read their privacy policies before providing information
We try to:
Link only to reputable sites
Clearly indicate when you're leaving Raffy
Provide context for why we're linking
13. UPDATES TO THIS POLICY
13.1 How We Update This Policy
We may update this Privacy Policy to:
Reflect changes in privacy laws
Add new features or services
Improve clarity and transparency
Respond to user feedback
13.2 How We Notify You
For material changes:
Email to your registered address (30 days notice)
In-app notification when you log in
Prominent notice on our website
Updated "Last Updated" date
For minor changes:
Updated "Last Updated" date
Changes noted in version history
Available in Settings > Privacy Policy
13.3 Your Acceptance
Your continued use after changes means you accept the updated policy.
If you don't agree:
You can delete your account
Export your data first
Contact us with concerns: raffy@raffyallergy.com
14. CONTACT US
14.1 Privacy Questions or Concerns
Data Protection Officer: Privacy Team
Email: raffy@raffyallergy.com
Response times:
General inquiries: 3-5 business days
Access requests: 30 days
Urgent matters: 1 business day
14.2 Requests
For privacy-related requests, email raffy@raffyallergy.com with:
Data access: Subject: "Data Access Request"
Correction: Subject: "Data Correction Request"
Deletion: Subject: "Delete My Account"
Opt-out research: Subject: "Opt Out of Research"
Complaints: Subject: "Privacy Complaint"
Include in your request:
Your name and account email
Clear description of your request
Specific information (for correction/deletion requests)
Preferred contact method
15. ADDITIONAL INFORMATION
15.1 Our Commitment to Privacy
We are committed to:
Transparency about our practices
Respecting your privacy rights
Protecting your information
Complying with privacy laws
Continuous improvement of privacy practices
15.2 Privacy by Design
We build privacy into Raffy:
Collect only necessary information
Provide strong security measures
Give you control over your data
Make privacy settings easy to find
Default to privacy-protective options
15.3 Your Trust
Your trust is essential to us. If you have concerns about privacy:
Please contact us: raffy@raffyallergy.com
We will listen and respond
We will investigate thoroughly
We will take action when needed
We will learn and improve
This Privacy Policy was last updated on December 2025.
Version: Pilot 1.0
Questions? Email raffy@raffyallergy.com
KEEP A COPY OF THIS PRIVACY POLICY FOR YOUR RECORDS