Privacy Policy
Effective Date: April 18, 2026
Last Updated: April 18, 2026
Data Controller: SedhaiGroup Pty Ltd, New South Wales, Australia
This Privacy Policy explains how SedhaiHub ("Platform", "Service", "we", "us") collects, uses, stores, and protects personal information in compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the United States Children's Online Privacy Protection Act (COPPA), and the European Union General Data Protection Regulation (GDPR).
1. Information We Collect
| Data Type | Examples | Purpose |
| --- | --- | --- |
| Account Information | Name, username, email, mobile, PIN/password | Authentication, account management |
| Family Data | Family name, family slug, member roles | Core service functionality |
| Activity Data | Chore completions, points, rewards redeemed | Gamification and tracking features |
| Usage Data | IP address, user agent, login timestamps | Security, anti-bot protection, audit logging |
| Biometric Hashes | WebAuthn public keys (NOT raw biometric data) | Passwordless authentication (FaceID/TouchID) |
| Device Information | Browser type, operating system | Security verification, login validation |
Note: We do NOT collect raw biometric data (fingerprints, face scans). WebAuthn stores only cryptographic public keys; actual biometric matching occurs exclusively on-device.
2. How We Use Your Information
- To provide, maintain, and improve the Platform's core functionality.
- To authenticate identity and secure user accounts.
- To communicate important service updates and security alerts.
- To detect, prevent, and respond to fraud, abuse, or security threats.
- To comply with legal obligations.
We do NOT sell, rent, or trade personal information to third parties. We do NOT use personal data for advertising or profiling.
3. Regional Compliance
🇦🇺 Australia – Privacy Act 1988 (APPs)
- APP 1 (Open & Transparent): This policy details all data handling practices.
- APP 6 (Use & Disclosure): We only use data for the primary purpose it was collected.
- APP 8 (Cross-Border Disclosure): Our primary servers are hosted within Australia via Hostinger's Australian data center infrastructure. In the event data is processed outside Australia, we ensure the recipient adheres to equivalent privacy standards.
- APP 11 (Security): We implement encryption (HTTPS, hashed authentication), access controls, and automated security auditing.
- APP 12 (Access): You may request access to your personal information at any time by contacting us.
- APP 13 (Correction): You may request correction of inaccurate personal data.
🇺🇸 United States – COPPA Compliance
- We do not knowingly collect personal information from children under 13 without verifiable parental consent.
- Kid/Child accounts can ONLY be created by a verified Adult/Parent account holder, constituting verifiable parental consent.
- Parents may review, modify, or delete their child's information at any time through their Parent dashboard.
- Parents may revoke consent and request deletion of their child's data by contacting us directly.
- We collect only the minimum information necessary for the service to function (name, points, chore log).
- We do NOT serve behavioural advertising to children. We do NOT require a child to disclose more information than reasonably necessary.
🇪🇺 European Union – GDPR Compliance
- Lawful Basis: We process data under Consent (account creation), Contractual Necessity (service provision), and Legitimate Interest (security).
- Data Minimization: We collect only data essential to operate the Service.
- Purpose Limitation: Data is used only for the purposes stated in this policy.
- Storage Limitation: Inactive accounts are purged after 24 months of inactivity.
Your GDPR Rights:
- Right to Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request complete deletion of your account and all associated data. We will process deletion requests within 30 days.
- Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format (JSON/CSV export).
- Right to Object (Art. 21): Object to processing of your data for specific purposes.
- Right to Withdraw Consent: You may withdraw consent at any time by deleting your account or contacting us.
4. Account Deletion Procedure
To exercise your "Right to be Forgotten" or delete your account:
- Self-Service: Parents can delete their family and all associated Kid accounts from the dashboard Settings panel.
- Email Request: Send a verified request to admin@sedhai.com with the subject "Account Deletion Request".
- Processing Time: All deletion requests are processed within 30 calendar days.
- Scope: Deletion includes all personal data, activity logs, points history, and associated family records.
- Backups: Residual data in encrypted backups is automatically purged within 90 days of deletion.
5. Data Security
- All connections are encrypted via HTTPS/TLS.
- Passwords/PINs are stored securely. Sensitive credentials are never stored or transmitted in plaintext.
- CSRF token protection on all authenticated requests.
- Automated IP-based threat detection and blacklisting.
- Daily automated security audits and file integrity monitoring.
- Two-Factor Authentication (TOTP) available for administrative accounts.
- WebAuthn biometric authentication (public key only; no biometric data leaves the device).
6. File Upload Security
When users upload files (such as photo evidence for chore completion):
- All EXIF metadata is stripped from uploaded images to protect location and device data.
- Filenames are replaced with UUIDs to prevent path traversal attacks.
- Uploaded files are stored in non-executable directories with restricted server permissions.
- File types are validated server-side against an allowlist.
7. Cookies & Tracking
We use only essential session cookies required for authentication and security (CSRF tokens). We do NOT use:
- Third-party tracking cookies
- Analytics tracking pixels
- Advertising identifiers
- Social media tracking scripts
8. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Active account data | Until account deletion |
| Inactive accounts | 24 months, then purged |
| Security/audit logs | 12 months |
| Database backups | 14 days (auto-purged) |
| Deleted account residuals | 90 days (backup purge cycle) |
9. Third-Party Services
We may use the following third-party services:
- Hostinger: Web hosting infrastructure (data processed in accordance with their GDPR-compliant DPA).
- Cloudflare: DDoS protection and CDN (processes IP addresses for security).
- Google Charts API: Used for rendering TOTP QR codes (no personal data transmitted).
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated through the Platform. Your continued use after changes constitutes acceptance.
11. Contact & Data Protection Officer
For privacy inquiries, data access requests, or deletion requests:
- Email: admin@sedhai.com
- Subject Line: "Privacy Request – [Your Name]"
- Response Time: Within 30 calendar days
For complaints regarding privacy practices, Australian residents may contact the Office of the Australian Information Commissioner (OAIC).