Privacy Policy

1. Personal information we collect

We collect only what we need to operate the Service. Categories include:

• Account information — your email address, display name, password (stored only as a one-way salted hash), role, package, billing status, trial end dates, and sign-up source.
• Authentication & session data — login timestamps, session IDs, password-reset tokens, and cookies required to keep you signed in.
• Usage data — pages and races you view, buttons you click, models you run, video analyses you request, refresh actions you trigger, and timestamps of each.
• User-generated content — notes, blackbook entries, debriefs, ratings, feedback labels, tags, and any text you save against races, dogs, or trainers.
• Device & technical data — IP address, approximate location derived from IP, browser type and version, device type, operating system, screen size, referring URL, and diagnostic logs.
• Billing data — plan, billing period, invoice history, and limited payment metadata. Full card numbers are not stored on our servers and are handled directly by our PCI-DSS compliant payment processor.
• Communications — emails, support tickets, and any feedback you send us, plus our replies.

We do not deliberately collect sensitive information (such as health, racial or ethnic origin, political opinions, or biometric data). Please do not submit sensitive information to the Service.

2. How we collect it

• Directly from you when you register, sign in, configure settings, save notes or blackbook entries, request video analysis, or contact us.
• Automatically as you interact with the Service (server logs, cookies, local storage, and analytics events).
• From third parties only where you have authorised it (for example, our payment processor returning a transaction outcome).

Where it is reasonable and practicable to do so, we collect personal information directly from you. If we ever collect information about you from a third party, we will (where APP 5 requires) take reasonable steps to make sure you are aware of that collection.

3. Why we collect it (purposes of use)

• To create and operate your account and provide the Service you have requested.
• To authenticate you, secure your account, prevent and investigate fraud or abuse, and maintain audit trails.
• To process subscriptions and payments, issue receipts, and manage trials, renewals, and cancellations.
• To personalise the Service, surface relevant suggestions (for example, blackbook candidates), and remember your preferences.
• To improve, debug, and develop the Service and our models, including by analysing aggregated and de-identified usage patterns.
• To communicate with you about service updates, billing, outages, security, and changes to these documents.
• To meet legal, regulatory, accounting, dispute-resolution, and risk-management obligations.

We will not use your personal information for a secondary purpose unless you would reasonably expect us to, you consent, or another exception under APP 6 applies.

4. Marketing communications

We may send you transactional and service-related messages (for example, billing receipts, security alerts, and policy updates) — these are not marketing and you cannot opt out while you have an account. We will only send you marketing or promotional content with your consent or where otherwise permitted by the Spam Act 2003 (Cth). Every marketing email will include an unsubscribe link.

5. Who we disclose personal information to

We do not sell your personal information. We disclose it only where necessary to run the Service, and only to recipients who are bound to keep it confidential and to use it only for the purpose we share it. Categories of recipients include:

• Hosting and infrastructure providers that store and serve the Service (web servers, databases, file storage, backup, and content-delivery networks).
• Payment processors that handle subscription billing, refunds, and chargebacks.
• AI / model providers we use to perform certain analyses (for example, large-language-model APIs for race summaries or video-frame interpretation). Where we send content to these providers we send the minimum necessary, do not send your password or full payment details, and select providers that contractually agree not to retain or train on the data.
• Email and communications providers used for transactional and support email.
• Analytics, error-reporting, and security tools that help us understand performance and fix bugs.
• Professional advisers (lawyers, accountants, auditors, insurers) under duties of confidentiality.
• Regulators, courts, and law-enforcement where required by law, court order, or to protect our rights, property, or safety, or that of any other person.
• A successor entity in connection with a sale, merger, restructure, or acquisition of all or part of our business — in which case we will require the recipient to honour this policy.

6. Overseas disclosure

Some of our service providers (notably AI-model providers, error-reporting tools, and email infrastructure) are located outside Australia, including in the United States and the European Union / United Kingdom. Where we disclose personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the APPs, including by using contractual protections. By using the Service you consent to your personal information being stored and processed overseas for these purposes.

7. Cookies, sessions & analytics

The Service uses cookies and similar technologies for:

• Strictly necessary functions (authentication sessions, CSRF protection, load-balancing). These cannot be turned off without breaking the Service.
• Functional preferences (remembering UI state and recent selections).
• Analytics and error reporting to help us understand performance and reliability. We use only aggregated, low-granularity data for this and we do not use third-party advertising trackers.

You can clear or block cookies in your browser, but doing so will prevent you from logging in to the Service.

8. Children

The Service is for adults and is not directed at anyone under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided information to us, contact us and we will take steps to delete it.

9. How we store and protect personal information

• Data is held on access-controlled servers in production-grade data centres.
• Traffic is encrypted in transit using TLS / HTTPS.
• Passwords are stored as one-way salted hashes; we cannot recover your plaintext password and never display it back to you.
• Access by our personnel is restricted on a need-to-know basis.
• We keep audit logs of significant account events (sign-in, billing changes, data exports).
• We periodically review our security controls and follow industry-standard practice.

No method of transmission or storage is 100% secure. While we take security seriously, we cannot guarantee absolute security and you use the Service at your own risk.

10. How long we keep your information

We retain personal information for as long as you have an account and for as long as we need it to provide the Service, comply with our legal, accounting, tax, or regulatory obligations, resolve disputes, and enforce our agreements. Backups and audit logs may persist for a reasonable additional period after deletion. When we no longer need information that identifies you we will de-identify or destroy it.

11. Your rights

Subject to law, you have the right to:

• Access the personal information we hold about you.
• Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
• Withdraw consent for any processing that depends on consent (without affecting prior lawful processing).
• Close your account and request deletion of personal information that is no longer needed for a lawful purpose.
• Receive a copy of personal information you have provided in a commonly used machine-readable format, where reasonably practicable.
• Make a complaint about how we have handled your personal information.

Send any request to [email protected]. We will need to verify your identity before acting and will respond within a reasonable time (usually within 30 days). We may charge a reasonable fee for access requests where permitted by law and will let you know up front if so. If we refuse a request, we will tell you why and explain how you can complain.

12. Notifiable data breaches

If a breach affecting your personal information is likely to result in serious harm and is not adequately remediated, we will notify you and the Office of the Australian Information Commissioner ("OAIC") in line with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

13. Complaints

If you believe we have breached the APPs or this policy, please write to [email protected] with the subject line "Privacy complaint". We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response you may complain to the OAIC at oaic.gov.au or by phone on 1300 363 992.

14. Changes to this policy

We may update this policy from time to time. The "Effective" date and version number at the top show when it was last revised. We will notify you of material changes through the Service or by email. Continued use of the Service after the new effective date constitutes acceptance of the updated policy.

15. Contact

To contact our Privacy Officer for any matter under this policy, email [email protected].