We take privacy as seriously as you do. This policy explains how and why we collect, use, share, and protect your personal information, and how you can check and control the information we hold about you. By using the Little Lock Book app or website, you agree to this policy. Questions? Email us at support@littlelockbook.com.
Who we are
In this policy, "we", "us", and "our" mean Little Lock Book Pty Limited, Sydney, Australia. Little Lock Book Pty Limited is the controller for the personal information you provide when using the app. You can reach us at support@littlelockbook.com.
Whenever we collect and handle personal information, we are bound by the Australian Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs).
Information we collect
We only collect information that is reasonably necessary to provide the app and the services described in this policy.
Information you provide
Required to use the app:
- Email address.
- First name and last name.
- Phone number.
- Country and suburb.
Optional — you choose whether to provide these:
- City or region, state, and postcode.
- Date of birth (month and year only — used for age-appropriate category access and to verify the minimum-age requirement).
- Cards you create, including place names, your notes, optional locations, and optional photos.
- Audience settings for each card and any groups you create.
- Vouches, asks, replies, and other interactions you initiate.
- Notification settings and other in-app preferences.
- Gender, if you turn on the practitioner filter.
- Any messages you send to support.
Information collected automatically
- Limited technical details from our server logs, such as IP address and timestamps. As we introduce diagnostics and analytics features, this may extend to device model, operating system version, app version, and connection quality.
- Server-side request logs, including the requests made and any errors.
- Security audit records relating to account events such as deletions and administrative actions.
- Push notification token, if you grant push notification permission. Used only to send notifications to your device.
- Minimal local storage on your device to keep you signed in and remember your preferences. We do not use third-party advertising cookies or cross-site tracking.
Information from third parties
- Place details and place photos from Google Places when you select a place from autocomplete.
- Email delivery status from Resend (whether transactional emails were delivered).
Device contacts
When you tap "Pick from contacts" to invite people to your circle or send an Ask, we request your permission to read your local contact list. Contacts appear only in the picker on your device and are not uploaded to our servers. If you select a contact, we only collect the name, email, or phone number you choose to use for that invite or Ask.
How we use information
We use the information we collect for the following purposes.
Providing the app
- To create and manage your account.
- To deliver shares to people you choose and route notifications to your circle.
- To send transactional and operational emails, including sign-in codes and invite emails.
- To provide, operate, and improve the app and its features.
- As we introduce analytics, to analyse usage patterns and improve product quality, including the relevance of recommendations.
Security and compliance
- To detect, prevent, and respond to security events, fraud, and abuse.
- To comply with legal obligations, respond to lawful requests, and enforce our terms.
- To carry out business operations including audits, finance, accounting, and corporate transactions such as a merger, acquisition, or restructure.
Insights and analytics
- Where we introduce analytics, to produce aggregated statistics and trend information about how the app is used and what is recommended. See "Aggregated and de-identified data" below.
Commercial activities — your opt-in controls this
This section describes commercial uses that go beyond operating the app. Inclusion in any of these activities is off by default. You opt in through Profile → Privacy. You can withdraw at any time.
- Marketing communications about Little Lock Book and related products.
- External commercial insight programmes: sharing de-identified, aggregated data with carefully selected third-party partners.
- Advertising features within the app, where you have given consent or where permitted by law.
- Partnerships and sponsorships with selected third parties.
Where we rely on your consent for any of the above, you can withdraw it at any time through Profile → Privacy or by emailing support@littlelockbook.com. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
Aggregated and de-identified data
We use aggregated data (counts and statistics about groups of users) and de-identified data (records with direct identifiers removed) to improve the app, develop new features, analyse trends, and produce insights.
When we de-identify data, we apply technical safeguards (removal of direct identifiers, suppression of unique records, minimum group sizes for any output) and operational safeguards (manual review before any external publication), so that re-identification is not reasonably practicable. Aggregated and de-identified outputs are not personal data under most privacy laws.
Where outputs derived from your data are intended for external publication or partnership use, we offer an opt-in control in Profile → Privacy. Inclusion is off by default.
Sensitive information
Health and medical cards
Cards in the Health & Medical category are treated as sensitive personal information under the Australian Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024, and equivalent laws in other jurisdictions. Cards about individual practitioners are stored privately to you and are not shared.
By marking a card as Health & Medical and saving it, you consent to Little Lock Book storing this information under this policy. Our lawful basis for processing this sensitive information under the EU and UK GDPR is your explicit consent (Article 9(2)(a)).
You can withdraw your consent at any time by deleting the relevant card or your account. Deleting a Health & Medical card removes it immediately; account deletion removes all data within 30 days.
Gender data
If you enable the practitioner filter, we collect an optional gender preference to help personalise search results. Because gender data may constitute data concerning a person's sex life or sexual orientation under Article 9(1) of the EU and UK GDPR, we treat it as sensitive information. Our lawful basis for processing it is your explicit consent (Article 9(2)(a)).
You can withdraw consent and delete this data at any time in your Profile settings. If you do not enable the practitioner filter, we do not collect gender data.
Sub-processors
We use the following service providers to operate the app. Each provider is bound by a data processing agreement or equivalent contractual terms that require them to handle your data consistently with this policy and applicable law.
- Google / Firebase — authentication, database, file storage, Cloud Functions, and push notification delivery (Firebase Cloud Messaging routes through Apple Push Notification Service on iOS). Data stored in the Sydney region (australia-southeast1). Google's standard data processing terms apply.
- Resend — transactional email delivery. Resend's data processing agreement applies.
- Google Places — place autocomplete, place details, and place photos.
- Apple and Google — app distribution and any future App Store / Play Store billing.
We will update this list before any new service provider that handles your personal data begins processing. Where the change introduces a new category of data, we will notify you in the app at least 14 days before the change takes effect, so you have time to object or delete your account.
Where your data is stored
Your personal data is stored on Firebase (Google Cloud) in the Sydney region. Email delivery and some operational services may transit outside Australia.
When data is transferred outside your country, we rely on appropriate safeguards. For transfers to the United States, we rely on Google's and Resend's participation in the EU–US Data Privacy Framework where applicable, and on the European Commission's Standard Contractual Clauses or the UK International Data Transfer Agreement where those apply. For transfers to other jurisdictions, we rely on the most appropriate safeguard available.
For Australian Privacy Principle 8 purposes, we take reasonable steps to ensure that overseas recipients of your personal data do not act in a way that is inconsistent with the APPs. Our primary mechanism is the contractual commitments described above.
Who can see what you share
The visibility of each card you create is determined by the audience option you choose: Only me, On request, Specific people or groups, or Whole circle.
Members of your circle do not see the tier you have privately placed them in, and do not see the full list of who else is in your circle.
If you turn on discoverability beyond your circle, your cards may surface anonymously to people one or two hops out in your network (the Extended Friends and Network tiers). The card content is shown without your name, profile photo, or identifying notes attached. You can opt out at any time in Profile → Privacy.
Your rights
Subject to your local law, you may have the following rights in relation to your personal information.
- Access — request a copy of the personal data we hold about you.
- Correction — correct inaccurate personal data. Most fields can be corrected directly in the app.
- Deletion — delete your account and the personal data associated with it.
- Restriction — ask us to pause processing your data while we address a concern, without requiring you to delete it entirely. For example, if you contest the accuracy of data we hold, you can ask us to restrict processing while we verify it.
- Objection — object to processing carried out on the basis of our legitimate interests.
- Withdrawal of consent — withdraw consent at any time for any processing we carry out on the basis of consent.
- Portability — receive your personal data in a structured, machine-readable format.
- Complaint — lodge a complaint with your local data protection authority.
To exercise any right, email support@littlelockbook.com from the address associated with your account. We will respond within 30 days, or sooner where required by your local law.
Supervisory authorities: In Australia: Office of the Australian Information Commissioner (oaic.gov.au). In the United Kingdom: Information Commissioner's Office (ico.org.uk). In the EU: your national data protection authority.
How long we keep your data
We keep personal data while your account is active. When you delete your account, we delete personal data within 30 days, including from backups, subject to limited retention required by law or for the establishment, exercise, or defence of legal claims.
Security
We use industry-standard safeguards to protect personal data, including encryption in transit and at rest, database-level access controls, rate limiting, and re-authentication for irreversible actions such as account deletion.
No system is perfectly secure. If you believe you have found a security issue, email support@littlelockbook.com with the subject line "Security".
If there is a data breach
A data breach is a security event that compromises the confidentiality, integrity, or availability of personal data. Under Australia's Notifiable Data Breaches scheme, we are required to notify the OAIC when we have reasonable grounds to believe an eligible data breach has occurred — this threshold applies regardless of whether serious harm has resulted. The requirement to notify affected individuals is triggered when there are reasonable grounds to believe the breach is likely to result in serious harm.
If a security event puts your personal data at risk, we will:
- Notify the relevant supervisory authority where required by law, including the OAIC in Australia and the relevant national data protection authority in the UK and EU.
- Notify affected users without undue delay, with a clear description of what happened, what data was affected, and what steps you can take.
- Provide an updated incident notice on this page if the event is material.
Age requirement
Little Lock Book is for people aged 16 and over. This aligns with the digital age of consent under Article 8 of the EU GDPR and Australia's social media minimum age under the Online Safety Amendment (Social Media Minimum Age) Act 2023. We do not knowingly collect personal data from anyone under 16.
If you believe we have collected information from someone under 16, contact us at support@littlelockbook.com and we will delete the account and all associated data within 7 days.
For users outside Australia
Little Lock Book is operated from Sydney, Australia, and your personal data is stored in Australia. Depending on your country of residence, you may have additional rights under your local privacy law.
UK and EU (GDPR)
Controller: Little Lock Book Pty Limited.
Lawful bases: We process personal data on one or more of the following bases, depending on the specific activity.
- Performance of a contract (Article 6(1)(b)) — creating and managing your account, delivering shares and notifications.
- Consent (Article 6(1)(a)) — optional features, Health & Medical cards, and any inclusion in external insight or commercial programmes.
- Legitimate interests (Article 6(1)(f)) — product improvement, security, and fraud prevention, and analytics where introduced. We have conducted a Legitimate Interests Assessment (LIA) for each of these purposes and concluded that our interests are not overridden by your rights and interests. Copies of our LIAs are available on request by emailing support@littlelockbook.com. You have the right to object to any processing on this basis.
Data minimisation: We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this policy.
Your rights: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You also have the right to lodge a complaint with your local supervisory authority.
Retention: Retention periods for all categories of personal data are set out in the table under "How long we keep your data" above.
Cross-border transfers: Personal data is stored in Australia. Where data is transferred to providers in the United States or other jurisdictions, we rely on the most appropriate available safeguard: the EU–US Data Privacy Framework where the recipient is certified, the UK Extension where applicable, the European Commission's Standard Contractual Clauses, or the UK International Data Transfer Agreement.
Automated decision-making: We do not use solely automated decision-making that produces legal or similarly significant effects on you. Our recommendation features sort and present cards from your circle and network but do not make decisions that affect you legally or in similarly significant ways.
Data Protection Officer: We have assessed our obligation to appoint a DPO and concluded that one is not currently required, as our processing of special category data (Health & Medical cards) does not occur on a large scale. We monitor this as the app grows.
EU representative: Little Lock Book is established in Australia and processes personal data of EU residents when they use the app (Article 3(2) of the GDPR). We have assessed whether we are required to appoint a representative in the EU under Article 27.
The obligation to appoint a representative does not apply where processing is occasional, does not include large-scale processing of special categories of data (Article 9(1)), and is unlikely to result in a risk to the rights and freedoms of natural persons (Article 27(2)(a)). Our current EU-resident user base is small and our processing of EU resident data — including Health & Medical cards — is not carried out on a large scale. On that basis, we have assessed that we meet the Article 27(2)(a) exemption at this time.
We review this assessment as our EU user base grows. If our processing volume or risk profile changes such that the exemption no longer applies, we will appoint a representative before that change takes effect and update this policy accordingly.
California (CCPA / CPRA)
Categories of personal information collected: Identifiers; geolocation at suburb-to-country level (suburb, city or region, state, postcode, country, and the latitude and longitude of any place you save); and sensitive personal information you choose to provide (such as gender preference or Health & Medical card information). As we introduce analytics, this may extend to internet or other electronic network activity and inferences drawn from your interactions.
Purposes: As described in "How we use information" above.
Sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. These are distinct categories under the CPRA and we confirm neither applies. If we begin to do either, we will notify you in the app at least 14 days before the change takes effect, provide a "Do Not Sell or Share My Personal Information" option in the app, and honour any opt-out you have set.
Do Not Track: Our app does not respond to browser-based Do Not Track signals because we do not perform the cross-site tracking they are designed to limit.
Your CCPA / CPRA rights: Right to know, delete, correct, limit use of sensitive personal information, opt out of any sale or sharing, opt out of automated decision-making, and non-discrimination.
Automated decision-making: Under the CPRA, you have the right to opt out of automated decision-making, including profiling, that produces legal or significant effects. Our recommendation features present cards from your network but do not produce decisions with legal or similarly significant effects on you. If you have questions about how recommendations work or wish to limit personalisation, contact us at support@littlelockbook.com.
How to exercise: Email support@littlelockbook.com from the address associated with your account. We will verify your identity and respond within 45 days. Where reasonably necessary, we may extend this period by a further 45 days and will notify you of the extension within the initial 45-day period.
Changes to this policy
We may update this policy from time to time. Where the change is material, we will notify you in the app before it takes effect. The effective date at the top of this policy shows when the current version was published.
Contact
For any privacy enquiries, email support@littlelockbook.com.