Budgii PTY LTD ("Budgii", "we", "us", "our") is committed to protecting the privacy of all individuals who use the Budgii platform and associated services ("Platform"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Privacy and Personal Information Protection Act 1998 (NSW), and where applicable, the UK General Data Protection Regulation (UK GDPR), the New Zealand Privacy Act 2020, and the Children's Online Privacy Protection Act 1998 (COPPA) of the United States.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree, you must cease use of the Platform immediately.
1. Definitions
- Account Holder: The adult subscriber (18 years or older) who creates and manages a Budgii family account.
- Child User: A person under the age of 18 who is added to a Budgii family account by an Account Holder.
- Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined under the Privacy Act 1988 (Cth).
- Platform: The Budgii web and mobile application, website, API, and all related services operated by Budgii PTY LTD.
- Sensitive Information: Has the meaning given in the Privacy Act 1988 (Cth), including health information, biometric data, and information about racial or ethnic origin.
2. Who we are and how to contact us
Budgii PTY LTD is the entity responsible for the collection, use, and disclosure of personal information under this Privacy Policy. We are incorporated in New South Wales, Australia.
Privacy contact: legal@budgii.io
We will respond to all privacy-related enquiries within 30 days of receipt. For formal complaints, please refer to Section 17 of this Policy.
3. Information we collect
3.1 Account Holders
When you register as an Account Holder, we collect:
- Full name or display name
- Email address
- Password (stored in encrypted, hashed form; we do not store plain-text passwords)
- Billing information processed via Stripe Inc. (we do not store full payment card details on our systems)
- Subscription plan details and transaction history
- IP address and device information collected automatically
3.2 Child Users
We recognise that Child Users require additional protection. When an Account Holder adds a Child User to their family account, we collect only the following minimum data necessary for the Platform to function:
- A name (which may be a first name, nickname, or any name chosen by the Account Holder; we do not require or verify full legal names)
- An age bracket (not a precise date of birth)
- An email address, only where the Account Holder chooses to invite the Child User via email login
We do not knowingly collect sensitive information from Child Users. We do not collect precise geolocation data, biometric data, photographs, or government identifiers from any user.
3.3 Usage and Technical Data
We automatically collect the following data when you use the Platform:
- Log data including browser type, operating system, pages visited, and timestamps
- Device identifiers and IP address
- Feature usage patterns and interaction data
- Error and crash reports
3.4 AI-Generated Data (Nest Report)
The Nest Report is an AI-powered feature that generates personalised insights about a Child User's engagement with the Platform. This feature:
- Processes task completion, reward activity, and engagement data submitted by the Account Holder
- Sends this data to Anthropic, Inc. for AI processing via their Claude API, subject to Anthropic's privacy and data handling policies
- Does not include raw personal identifiers in AI prompts where avoidable
- Produces outputs that are stored against the relevant family account and accessible only to the Account Holder
Account Holders should be aware that use of the Nest Report involves data processing by a third-party AI provider. By using this feature, you consent to this processing as described.
4. How we use your information
We collect and use personal information only for purposes that are reasonably necessary for our business functions. Those purposes include:
- Providing, operating, and improving the Platform
- Creating and managing user accounts
- Processing subscription payments and managing billing
- Delivering AI-generated insights via the Nest Report feature
- Communicating with Account Holders regarding their subscription, account, or Platform updates
- Responding to support enquiries
- Complying with our legal obligations under applicable Australian and international law
- Detecting, investigating, and preventing fraud, abuse, or security incidents
- Conducting internal analytics to improve product performance and user experience
We do not use personal information for direct marketing without your express consent. We do not sell, rent, or trade personal information to third parties for their marketing purposes.
5. Legal basis for processing (UK and international users)
For users located in the United Kingdom, our lawful basis for processing personal information under the UK GDPR includes:
- Contract: Processing necessary to perform our agreement with you (providing the Platform)
- Legitimate Interests: Processing for the purpose of security, fraud prevention, and product improvement, where those interests are not overridden by your rights
- Legal Obligation: Processing required to comply with applicable law
- Consent: Where we rely on consent (e.g. optional communications), you may withdraw that consent at any time
6. Children's privacy
The protection of children's personal information is a priority for Budgii. The Platform is designed for use by families, and Account Holders, who must be 18 years of age or older, are responsible for managing access by Child Users.
6.1 Parental Consent
Account Holders, by adding a Child User to their family account, represent and warrant that they are the parent or legal guardian of that child, or that they have obtained appropriate parental consent. By doing so, they consent to the collection and use of the Child User's information as described in this Privacy Policy.
6.2 United States: COPPA Compliance
For users in the United States, we comply with the Children's Online Privacy Protection Act 1998 (COPPA). We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent obtained through the Account Holder registration process. Account Holders who add children under 13 to the Platform are providing that consent on the child's behalf.
If we become aware that we have inadvertently collected personal information from a child under 13 without appropriate consent, we will delete that information promptly. To report such a concern, please contact legal@budgii.io.
6.3 Minimisation Principles
We apply strict data minimisation principles to Child User data. We collect only what is necessary for the Platform to function. Child User data is not used for advertising profiling and is not shared with third parties for marketing purposes under any circumstances.
7. Disclosure of personal information
We do not disclose personal information to third parties except in the following circumstances:
7.1 Service Providers
We engage trusted third-party service providers who assist us in operating the Platform. These include:
- Supabase Inc.: Database hosting and authentication infrastructure
- Stripe Inc.: Payment processing and subscription management
- Anthropic, Inc.: AI processing for the Nest Report feature
- Hosting and cloud infrastructure providers
These providers are engaged under contractual terms that require them to handle personal information in a manner consistent with this Policy and applicable law. They are not permitted to use your data for their own independent purposes.
7.2 Legal Requirements
We may disclose personal information where required or authorised to do so by law, including in response to a lawful request from a regulatory authority, court order, or law enforcement agency.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.
7.4 With Your Consent
We may disclose your information in other circumstances with your express prior consent.
8. Cross-border data transfers
Budgii operates in Australia, New Zealand, the United Kingdom, and the United States. Your personal information may be stored and processed in any country where our service providers maintain infrastructure. We take reasonable steps to ensure that any cross-border transfer of personal information is made only to countries, or to entities, that provide an adequate level of protection comparable to Australian privacy law.
Where personal information is transferred from the United Kingdom, such transfers are made in compliance with UK GDPR Chapter V requirements.
9. Storage and security
We store personal information on secure servers hosted by Supabase Inc. We implement technical and organisational security measures appropriate to the sensitivity of the information, including:
- Encryption of data in transit using TLS/HTTPS
- Encryption of data at rest
- Hashed storage of passwords using industry-standard algorithms
- Access controls limiting staff access to personal information on a need-to-know basis
- Regular security assessments of our Platform and infrastructure
No method of transmission or storage is 100% secure. While we take all reasonable precautions, we cannot guarantee the absolute security of your information. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
10. Retention of personal information
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. In general:
- Account data is retained for the duration of an active subscription plus a period of 90 days following account closure, to allow for account recovery
- Billing and transaction records are retained for seven years in accordance with financial recordkeeping requirements under the Corporations Act 2001 (Cth)
- Support and correspondence records are retained for three years
- Child User data is deleted within 30 days of a Child User being removed from a family account, or upon closure of the Account Holder's account
You may request earlier deletion of your personal information subject to any overriding legal obligations. See Section 12 for how to exercise this right.
12. Your privacy rights
Subject to applicable law, you have the following rights in respect of your personal information:
12.1 Access
You may request access to the personal information we hold about you, or about a Child User for whom you are the Account Holder.
12.2 Correction
You may request that we correct personal information that is inaccurate, incomplete, or out of date.
12.3 Deletion
You may request deletion of your personal information (the "right to erasure" under UK GDPR, or the right to request deletion under applicable Australian and NZ law). We will comply unless retention is required by law or is necessary to protect our legitimate interests.
12.4 Portability (UK Users)
Where we process your personal information by automated means on the basis of your consent or a contract, you may request a copy of your data in a structured, commonly used, machine-readable format.
12.5 Objection and Restriction (UK Users)
You may object to processing based on legitimate interests, or request restriction of processing in certain circumstances.
12.6 Withdrawal of Consent
Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us at legal@budgii.io. We will respond within 30 days. We may need to verify your identity before processing your request.
13. New Zealand users
For users in New Zealand, this Privacy Policy is also subject to the Privacy Act 2020 (NZ). The New Zealand Privacy Commissioner has jurisdiction over complaints from New Zealand residents. You may contact the Office of the Privacy Commissioner at www.privacy.org.nz if you are not satisfied with our response to a complaint.
14. United Kingdom users
For users in the United Kingdom, Budgii processes personal information as a data controller under the UK GDPR. If you are dissatisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.
15. Third-party links and services
The Platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access via the Platform.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. Where changes are material, we will notify Account Holders by email or via a notice within the Platform at least 21 days prior to the changes taking effect. Continued use of the Platform after that date constitutes acceptance of the updated Policy.
The current version of this Privacy Policy is always available within the Platform and at budgii.io/privacy.
17. Complaints
If you believe we have breached this Privacy Policy or the Privacy Act 1988 (Cth), we encourage you to contact us first so that we can attempt to resolve the matter:
- Email: legal@budgii.io
- We will acknowledge your complaint within five business days and respond substantively within 30 days
If you are not satisfied with our response, you may lodge a complaint with:
- The Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
- The NSW Information and Privacy Commission (IPC): www.ipc.nsw.gov.au
- The UK Information Commissioner's Office (ICO): www.ico.org.uk (UK users)
- The New Zealand Privacy Commissioner: www.privacy.org.nz (NZ users)
18. Governing law
This Privacy Policy is governed by the laws of New South Wales, Australia. To the extent permitted by applicable law, any disputes arising under this Policy will be subject to the exclusive jurisdiction of the courts of New South Wales, Australia.
Last updated: 13 April 2026 | Budgii PTY LTD | ABN 50 696 945 169 | legal@budgii.io