Privacy Policy
Effective: 4 July 2026
1. Who we are
Guidelya ("Guidelya", "we", "us", "our") provides AI-guided onboarding for major life transitions. This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme, the Privacy and Other Legislation Amendment Act 2024, and — where they apply to you — the EU/UK GDPR, the California CCPA/CPRA, and the EU AI Act.
2. Information we collect
- Account data: name, email address, password hash, display name, preferences (locale, timezone, notifications).
- Journey data: the tasks you tick, custom notes, journey selections (e.g. Student, Parent), progress state.
- Assistant data: the messages you send to our AI chat, including any context you choose to share (e.g. suburb, visa status, due date).
- Technical data: IP address, device/browser type, cookies, referral/click data used to attribute partner referrals.
- Sensitive information (as defined by APP 3): collected only with your express consent when relevant to your journey (e.g. health or pregnancy details you volunteer to the assistant). You can decline and still use the service.
3. How we use your information
- To provide personalised guidance, checklists and progress tracking.
- To operate the AI assistant and improve prompt quality.
- To match you with verified partners you choose to engage.
- To send you account, security and service-related notices.
- To meet legal, tax, and safety obligations.
We do not sell your personal information. We do not use your data or chats to train third-party foundation models.
4. AI transparency (EU AI Act & global norms)
Guidelya uses large language models via the Lovable AI Gateway to generate suggestions and chat replies. You are always interacting with an AI — not a licensed professional. AI output can be wrong, incomplete or out-of-date. Guidelya does not provide legal, migration, medical or financial advice; we surface thought-provoking guidance and links to verified official sources.
We do not use your inputs to train the underlying models. Prompts are transmitted to the model provider strictly to generate your reply and are retained only as needed to run the service.
5. Legal bases (GDPR / UK GDPR)
Where GDPR applies, we rely on:
- Contract: to deliver the service you request.
- Consent: for optional analytics, marketing cookies, and any sensitive information.
- Legitimate interests: to secure the service, prevent fraud, and improve product quality.
- Legal obligation: to meet tax, safety and regulatory duties.
6. Sharing & disclosure
We share personal information only with:
- Trusted infrastructure providers (Supabase, Cloudflare, Lovable AI Gateway) under contract.
- Verified partners you explicitly click through to.
- Law-enforcement or regulators where required by Australian law.
7. Cross-border data transfers (APP 8)
Personal information may be processed outside Australia (e.g. in the US or EU) by our infrastructure providers. We take reasonable steps to ensure overseas recipients handle your data consistent with the APPs and apply GDPR Standard Contractual Clauses where relevant.
8. Data security & account protection
We use encryption in transit (TLS), encryption at rest, row-level security in our database, hashed passwords, least-privilege access, and audit logging. In addition, Guidelya gives every account the following protections you can manage under Settings → Security:
- Two-factor authentication (2FA): optional TOTP-based 2FA using any authenticator app (Google Authenticator, 1Password, Authy, etc.), with 10 single-use recovery codes stored only as one-way hashes.
- Strong-password enforcement: minimum 10 characters with a real-time strength check (zxcvbn); weak or commonly-breached passwords are rejected at sign-up and reset.
- Rate limiting: sign-in, sign-up and password-reset attempts are throttled per email and IP to slow credential-stuffing and brute-force attacks.
- Security activity log: review recent sign-ins, password changes, 2FA changes and session revocations, with a "This wasn't me" panic action that signs out every device and forces a password reset.
- Active session management: see every device and browser currently signed in and revoke any of them individually.
- Idle auto sign-out: configurable inactivity timeout (15 / 30 / 60 minutes, or never) so an unattended device doesn't stay logged in.
- Email privacy: your email address is masked in the UI (e.g.
h•••o@gmail.com) and is never exposed through the public API — other users only see your display name and avatar via a restricted public profile view.
No system is 100% secure — please use a strong, unique password and enable 2FA. If you suspect your account has been compromised, use the "This wasn't me" action in your security activity log immediately and contact privacy@goeasy.app.
9. Data retention
We keep personal information only as long as needed for the purpose it was collected, or as required by law. You can request deletion at any time (see Section 11).
10. Notifiable Data Breaches
If a data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the NDB scheme.
11. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out-of-date.
- Request deletion ("right to be forgotten" under GDPR / CCPA).
- Withdraw consent, including for cookies and marketing.
- Object to automated decisions and request human review.
- Port your data in a machine-readable format.
- Lodge a complaint with the OAIC (oaic.gov.au) or your local data protection authority.
To exercise any right, email privacy@goeasy.app.
12. Cookies
We use strictly-necessary cookies to run the service and, only with your consent, optional analytics and preference cookies. See Cookie Settings.
13. Children
Guidelya is not directed to children under 15. We do not knowingly collect their personal information. Contact us if you believe a child has provided data.
14. Changes to this policy
When we make material changes, we will update the "Effective" date above and notify registered users by email at least 14 days before the changes take effect. Continued use after that date means you accept the updated policy.
15. Contact
Privacy Officer, Guidelya — privacy@goeasy.app