Legal

Privacy Policy

Last updated: 9 April 2026

1. About this Policy

KINSHIP is a family-services marketplace operated by Inevara Pty Ltd (ABN [TBD — confirm with Inevara Pty Ltd before public launch]), a company incorporated in Australia (“Inevara”, “we”, “us”, or “our”). KINSHIP is one of the SINGULARITY family of marketplace platforms operated by Inevara.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the KINSHIP platform and associated mobile applications (collectively, the “Platform”).

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). For users in the European Economic Area or United Kingdom, additional rights under the GDPR and UK GDPR may apply as described in Section 12 below.

By creating an account or using the Platform you acknowledge you have read this Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Account information

When you register, we collect:

  • Full name and display name
  • Email address
  • Password (stored as a salted cryptographic hash — never in plain text)
  • Mobile phone number (optional, used for booking notifications)

2.2 Household profile

To enable personalised matching for your family, we collect:

  • Household name and primary contact details
  • Home address (suburb-level, used to surface nearby providers)
  • Household member records: names, ages, roles, and special care needs
  • Annual budget range for family services

2.3 Sensitive information — care needs

KINSHIP allows you to record care needs for household members (for example, autism spectrum, mobility support, or dietary requirements). This information is classified as sensitive personal information under the Privacy Act. We collect it only with your explicit consent and use it solely to match you with appropriately qualified care providers. It is never disclosed to providers without your action.

2.4 Provider profile information

If you register as a care provider, we also collect:

  • Business name and ABN or ACN (where applicable)
  • Professional credentials: Working With Children Check (WWCC), First Aid certification, and licence details
  • Service types, areas, and pricing
  • Service area postcodes
  • Bank account details for payment disbursement (held by our payment processor)

2.5 Booking and transaction records

For every booking, we record:

  • Date, time, service type, and duration
  • Consumer and provider identifiers
  • Booking status history
  • Payment metadata (amount, reference, last four card digits — we do not store full card numbers)

2.6 Device and analytics data

We automatically collect technical information including:

  • IP address (truncated where feasible)
  • Browser type and version, operating system
  • Pages visited, time spent, navigation paths
  • Session identifiers (stored in secure HTTP-only cookies)

We use this data for security monitoring, fraud detection, and aggregate analytics. We do not sell it to third-party advertisers.

3. How We Use Your Information

We use personal information only for the following purposes:

| Purpose | Legal basis (GDPR) |
| --- | --- |
| Creating and managing your account | Contract |
| Processing bookings and payments | Contract |
| Delivering AI care-matching results (CareMatch) | Contract / Consent |
| Sending booking confirmations and reminders | Contract |
| Platform updates, policy changes, and safety notices | Legitimate interests / Legal obligation |
| Optional marketing emails (opt out at any time) | Consent |
| Fraud detection, security monitoring, and abuse prevention | Legitimate interests / Legal obligation |
| Analytics and product improvement (aggregate/de-identified) | Legitimate interests |
| Complying with legal obligations (e.g. ATO tax reporting) | Legal obligation |
| Dispute resolution and platform safety investigations | Legitimate interests / Legal obligation |

4. When We Share Your Information

We do not sell your personal information. We disclose it only in the following circumstances:

4.1 With care providers upon booking

When you confirm a booking, we share your name, contact information, and relevant care requirements with the provider. Providers are not permitted to use this information outside the context of delivering services.

4.2 Payment processors

Payments are processed by third-party providers including Stripe and/or Paddle. These processors operate under their own privacy policies and PCI-DSS obligations.

4.3 Infrastructure and hosting providers

We host on Amazon Web Services (AWS) infrastructure in Australia (Sydney region, ap-southeast-2) under data processing agreements.

4.4 Legal and regulatory requirements

We may disclose personal information if required by law, court order, or to prevent harm to any person.

4.5 Business transfers

In the event of a merger or acquisition, personal information may be transferred to the successor entity. We will notify you before any such transfer.

5. How Long We Keep Your Information

  • Account and profile data: retained for the life of your account plus 24 months after closure.
  • Booking and transaction records: retained for 7 years from the date of the transaction (Tax Administration Act 1953).
  • Household member care needs: retained until you remove them from your household profile or close your account.
  • Device and analytics logs: retained for 13 months in identifiable form, then aggregated and de-identified.

6. How We Protect Your Information

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption at rest for sensitive fields
  • Passwords stored using cryptographic hashing (never in plain text)
  • Role-based access controls — staff access personal data only where required for their role
  • Multi-factor authentication required for administrative access
  • Data stored in AWS ap-southeast-2 (Sydney) — Australian soil

In the event of a data breach likely to result in serious harm, we will notify the OAIC and affected individuals under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).

7. Cookies and Tracking Technologies

  • Essential cookies: Maintain your session and authentication state. Strictly necessary and cannot be disabled.
  • Preference cookies: Remember your settings and search filters.
  • Analytics cookies: Help us understand Platform usage. Used with your consent where required by law.

8. Children’s Privacy

The Platform is not directed at individuals under the age of 18 for account creation. However, household members of any age may be recorded in a household profile by a parent or legal guardian. We do not knowingly collect personal information directly from anyone under 18 for account registration. If you believe we have inadvertently collected such information, please contact us immediately.

9. Your Rights and Choices

  • Access: Request a copy of personal information we hold about you. We respond within 30 days.
  • Correction: Ask us to correct inaccurate, out-of-date, or misleading information. Update most information directly in account settings.
  • Deletion: Request deletion of your account and personal information. Go to Settings → Account → Delete Account, or contact us.
  • Withdrawal of consent: Withdraw consent for marketing emails or sensitive data processing at any time through account settings.
  • Restriction and objection (GDPR): Request restriction of processing or object to processing based on legitimate interests.
  • Data portability (GDPR): Request a copy of personal data in a machine-readable format.
  • Complaint to a regulator: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC). We encourage you to contact us first.

10. Cross-Border Data Transfers

Our primary infrastructure is in Australia. Some service providers (including analytics and monitoring tools) are based overseas. Where personal information is transferred overseas, we ensure adequate protection via contractual data processing agreements and recognised security frameworks (e.g. SOC 2 Type II).

11. Additional Rights for EEA and UK Residents

If you are in the European Economic Area or United Kingdom, Inevara Pty Ltd acts as a data controller under the GDPR and UK GDPR respectively. The legal bases for processing are set out in Section 3. You may lodge a complaint with your local supervisory authority (e.g. the Information Commissioner’s Office in the UK or your national Data Protection Authority in the EEA).

12. Contact Us

Questions about this Privacy Policy, or to exercise your privacy rights:

Inevara Pty Ltd — Privacy Officer
KINSHIP Privacy Enquiries
Email: [email protected]
Australia

We aim to respond within 30 days.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email and/or by displaying a prominent notice on the Platform at least 14 days before the changes take effect.

© 2026 Inevara Pty Ltd. All rights reserved.