Privacy Policy

Effective date: 28 November 2025

Last updated: 28 November 2025

1. Who we are

This Privacy Policy explains how Alada ("Alada", "we", "us", "our") collects, uses, discloses and protects your personal information.

Alada is operated by Emmanuel Phiri (ABN 81 224 437 424), based in Perth, Australia.

Our services include:

Our website at alada.app and any subdomains
Our web application (the "Service")
SMS, email and other communications sent in connection with the Service.

We aim to align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and—where relevant—international frameworks such as the EU/UK GDPR. While small businesses under AUD $3 million turnover are often exempt from the Privacy Act, we choose to model our practices on these standards as a matter of good practice and future-proofing.

If anything in this Policy conflicts with mandatory law that applies to you, that law will prevail to the extent of the conflict.

Contact details (privacy & support)

Privacy: privacy@alada.app

General support: support@alada.app

2. Who this Policy applies to

This Policy applies to:

Users of the Alada Service (e.g. students, professionals)
Visitors to our website and landing pages
Prospective customers who join waitlists or interact with our marketing content.

This Policy does not apply to third-party sites or services that we do not control, even if linked from our Service.

3. Minimum age and children's privacy

Alada is designed for older teens and adults, including:

Senior school students (typically Year 11–12)
University and TAFE students
Professionals.

You must:

Be at least 16 years old to create an account and use the Service on your own; or
Use the Service with the knowledge and consent of a parent or legal guardian if you are under 16 and local law permits that use.

We do not knowingly collect personal information from children under 16 without appropriate consent. If you believe a child has provided us with personal information in breach of this Policy, please contact privacy@alada.app and we will take reasonable steps to delete it.

4. What personal information we collect

"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Depending on how you use the Service, we may collect:

4.1 Account and profile information

Name or display name
Email address
Password (stored as a salted, hashed value — never in plain text)
Mobile phone number (for SMS reminders)
Time zone
Preferred times for reminders and notifications
Optional profile details such as school, university or other affiliation.

4.2 Study / productivity data

To operate the Service, we store the information you enter, such as:

Tasks, goals, habits and study plans
Daily/weekly completions and streaks
Onboarding questions and preferences
Notes or reflections you choose to save.

Although we don't deliberately ask for health or similar sensitive information, you might choose to include such details in your notes or tasks. We treat user-generated content cautiously and protect it as personal information.

4.3 Usage, device and technical data

When you use the Service, we automatically collect:

Device and browser information (e.g. type, version, operating system)
IP address and general location (e.g. city/region level)
Dates and times of access
Pages viewed, buttons clicked and features used
Diagnostic and performance logs.

This data is used for security, analytics, performance and product improvement.

4.4 Communication data

We may collect:

Copies of emails or messages you send us (e.g. support enquiries, feedback)
Your preferences for SMS/email reminders and marketing
Responses you send back (where the product flow supports that).

4.5 Payment and billing data

We use Stripe to process payments. We do not store full payment card numbers on our own systems.

We may receive and store from Stripe:

Your billing name and email
Limited card details (e.g. last 4 digits, expiry)
Billing address or country
Transaction history, subscription plan and status.

Stripe's own privacy practices apply when they process your payment details.

5. Cookies and similar technologies

We use cookies and similar technologies to:

Keep you logged in
Store preferences (e.g. theme, time zone)
Measure traffic and usage patterns
Run analytics and A/B tests.

We currently use analytics tools such as PostHog and Google Analytics to understand how users interact with Alada and to improve the product. These tools may set cookies and process information such as your IP address and device details and may involve transfers of data outside Australia.

You can control cookies via your browser settings. Blocking some cookies may affect how the Service functions.

Where required by law (for example, in certain jurisdictions for non-essential cookies), we will seek your consent or provide appropriate opt-out mechanisms.

6. How we use personal information

We use personal information for the following purposes:

Providing and operating the Service

Creating and managing accounts
Sending SMS/email reminders, nudges and weekly recaps
Calculating streaks, completion rates and other statistics
Maintaining and improving core features and uptime.

Personalisation and product improvement

Adapting reminder timing and content to your preferences
Understanding which features are used or ignored
Running analytics to improve UX and design.

Communications

Responding to support requests and questions
Sending important service announcements (e.g. policy changes, outages, security alerts)
Sending optional product updates and marketing where permitted by law and your preferences.

Legal, security and risk management

Detecting and preventing fraud, abuse or security incidents
Enforcing our Terms of Service
Complying with legal obligations (e.g. consumer, tax and electronic messaging laws).

Analytics and aggregated insights

Creating anonymised or aggregated statistics, such as average completion rates or streak lengths
Using these statistics to improve and market Alada, provided they do not identify you.

7. Legal bases (for EEA/UK residents)

If and when we actively offer the Service to individuals in the EEA/UK, we will rely on one or more of the following legal bases (where GDPR/UK GDPR applies):

Performance of a contract – to provide the Service you sign up for.
Consent – for certain marketing communications and non-essential cookies.
Legitimate interests – for analytics, product improvement and security, where these interests are not overridden by your rights.
Legal obligation – where we must process data to comply with laws (e.g. tax, accounting, data protection).

8. When we disclose personal information

We share personal information only as reasonably necessary for the purposes above and with appropriate safeguards, including:

8.1 Service providers (sub-processors)

We use third parties to help us deliver the Service, including:

Supabase – database and authentication services
Vercel – hosting and deployment of the web application
Twilio (or similar) – sending SMS reminders and notifications
Stripe – payment processing
Analytics tools such as PostHog and Google Analytics.

These providers may be located in Australia or overseas (including, for example, the United States or EU). They are contractually required to handle information securely and only for our specified purposes.

8.2 AI service providers

To help generate or personalise reminder content and similar features, we may use external AI providers such as OpenAI.

We send only the data reasonably necessary for the AI feature (for example, your first name, task summary or schedule context).

We configure our usage so that API data is not used to train or improve OpenAI's models by default, relying on OpenAI's published API data-use commitments.

We do not send your payment details or highly sensitive identifiers to AI providers.

8.3 Legal and regulatory

We may disclose information to:

Courts, regulators or law-enforcement agencies where required by law or to respond to valid legal process
The Office of the Australian Information Commissioner or other authorities in connection with privacy or data-breach obligations.

8.4 Business transfers

If Alada is involved in a merger, acquisition, restructuring or asset sale, your information may be transferred as part of that transaction, subject to confidentiality safeguards. We will use reasonable efforts to ensure any successor continues to handle your information consistently with this Policy.

We do not sell your personal information for money.

9. International data transfers

Because many of our service providers operate globally, your personal information may be transferred to and processed in countries other than Australia (for example, the US or EU).

Where we transfer data overseas, we take reasonable steps to ensure that recipients handle personal information in a way that is consistent with Australian privacy law, such as by choosing reputable providers with strong security and privacy controls and by using appropriate contractual protections where available.

If GDPR/UK GDPR applies, we will rely on mechanisms such as standard contractual clauses or equivalent safeguards for international transfers.

10. Direct marketing and SMS/email communications

We may send:

Service messages – necessary for delivering the Service (e.g. reminders, trial notices, security alerts).
Marketing messages – optional emails or SMS about new features, promotions or tips.

We comply with the Spam Act 2003 (Cth) and ACMA guidance, which generally require:

Consent for commercial electronic messages
Clear sender identification
A functional and easy-to-use unsubscribe or opt-out mechanism, honoured within a reasonable timeframe (typically within 5 business days).

You can opt out of marketing at any time by:

Clicking "unsubscribe" in marketing emails
Following SMS instructions (e.g. replying STOP) where available
Contacting us at privacy@alada.app.

You may still receive essential service and legal messages even after opting out of marketing.

Because new SMS Sender ID Register rules are being introduced in Australia (requiring registration of branded sender IDs and disrupting unregistered ones from late 2025 onwards), we will work with our SMS providers to register any branded sender ID like "ALADA" and comply with relevant rules.

11. Data security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, consistent with APP 11 and OAIC security guidance.

In summary (with more detail in our Security Policy):

All connections to the web app use HTTPS/TLS
Data is encrypted at rest by our cloud providers where available
Access to production systems is restricted on a need-to-know basis
Admin and cloud accounts use strong authentication, with multi-factor authentication where available
We maintain regular updates and patching for our infrastructure and dependencies
We use logging and monitoring tools to detect unusual activity
We rely on cloud backups and documented recovery procedures to restore data in case of loss.

No system can be 100% secure, but we work to implement and continually improve reasonable protections.

12. Data breaches and notifications

If we become aware of a data breach involving personal information, we will:

Investigate and contain the breach
Assess the risk of harm and whether notification is required under any applicable data-breach regime, including Australia's Notifiable Data Breaches (NDB) scheme where it applies
Where required, notify affected individuals and regulators
Where appropriate, provide recommendations to help you protect yourself.

13. Retention and deletion

We retain personal information for as long as reasonably necessary to:

Provide the Service to you
Meet legal, tax and accounting obligations
Resolve disputes and enforce our agreements.

When you delete your account:

Your account enters soft deletion for 30 days. During this period, your data is inactive and not visible in the app, but can be restored if the deletion was accidental.
After 30 days, we hard delete your account data from our production systems, subject to limited retention in backups and logs.
Backups and logs containing your data are kept only for the period reasonably necessary for security, audit and disaster-recovery purposes and then overwritten in the normal course of operations.

We may retain limited billing and transaction records for longer periods (e.g. up to 7 years) where required for tax and accounting.

You can request deletion or clarification of what remains by contacting privacy@alada.app.

14. Your rights

Depending on where you live and which laws apply, you may have rights such as:

Access – to request a copy of personal information we hold about you
Correction – to request correction of inaccurate or incomplete information
Deletion – to request deletion of certain personal information
Restriction or objection – to request that we stop or limit certain kinds of processing, such as direct marketing
Data portability – in some jurisdictions, to obtain a copy of certain data in a portable format.

Even where we are not legally required to grant a particular request (for example, if the Privacy Act's small business exemption applies), we will generally try to honour reasonable requests in line with our product and legal obligations.

To exercise your rights, contact privacy@alada.app. We may need to verify your identity before acting on your request.

If you are not satisfied with our response, you may have the right to contact your local privacy regulator (for Australians, the Office of the Australian Information Commissioner (OAIC)).

15. Changes to this Policy

We may update this Privacy Policy from time to time. When we do:

We will update the "Last updated" date; and
Where changes are material, we will take reasonable steps to inform you (for example, via email or in-app notice).

Your continued use of the Service after the updated Policy takes effect will constitute your acceptance of the changes.

16. Contact us

For privacy questions, requests or complaints:

Email: privacy@alada.app

General support: support@alada.app

Privacy Policy

Effective date: 28 November 2025

Last updated: 28 November 2025

1. Who we are

This Privacy Policy explains how Alada ("Alada", "we", "us", "our") collects, uses, discloses and protects your personal information.

Alada is operated by Emmanuel Phiri (ABN 81 224 437 424), based in Perth, Australia.

Our services include:

Our website at alada.app and any subdomains
Our web application (the "Service")
SMS, email and other communications sent in connection with the Service.

If anything in this Policy conflicts with mandatory law that applies to you, that law will prevail to the extent of the conflict.

Contact details (privacy & support)

Privacy: privacy@alada.app

General support: support@alada.app

2. Who this Policy applies to

This Policy applies to:

Users of the Alada Service (e.g. students, professionals)
Visitors to our website and landing pages
Prospective customers who join waitlists or interact with our marketing content.

This Policy does not apply to third-party sites or services that we do not control, even if linked from our Service.

3. Minimum age and children's privacy

Alada is designed for older teens and adults, including:

Senior school students (typically Year 11–12)
University and TAFE students
Professionals.

You must:

Be at least 16 years old to create an account and use the Service on your own; or
Use the Service with the knowledge and consent of a parent or legal guardian if you are under 16 and local law permits that use.

4. What personal information we collect

"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Depending on how you use the Service, we may collect:

4.1 Account and profile information

Name or display name
Email address
Password (stored as a salted, hashed value — never in plain text)
Mobile phone number (for SMS reminders)
Time zone
Preferred times for reminders and notifications
Optional profile details such as school, university or other affiliation.

4.2 Study / productivity data

To operate the Service, we store the information you enter, such as:

Tasks, goals, habits and study plans
Daily/weekly completions and streaks
Onboarding questions and preferences
Notes or reflections you choose to save.

4.3 Usage, device and technical data

When you use the Service, we automatically collect:

Device and browser information (e.g. type, version, operating system)
IP address and general location (e.g. city/region level)
Dates and times of access
Pages viewed, buttons clicked and features used
Diagnostic and performance logs.

This data is used for security, analytics, performance and product improvement.

4.4 Communication data

We may collect:

Copies of emails or messages you send us (e.g. support enquiries, feedback)
Your preferences for SMS/email reminders and marketing
Responses you send back (where the product flow supports that).

4.5 Payment and billing data

We use Stripe to process payments. We do not store full payment card numbers on our own systems.

We may receive and store from Stripe:

Your billing name and email
Limited card details (e.g. last 4 digits, expiry)
Billing address or country
Transaction history, subscription plan and status.

Stripe's own privacy practices apply when they process your payment details.

5. Cookies and similar technologies

We use cookies and similar technologies to:

Keep you logged in
Store preferences (e.g. theme, time zone)
Measure traffic and usage patterns
Run analytics and A/B tests.

You can control cookies via your browser settings. Blocking some cookies may affect how the Service functions.

Where required by law (for example, in certain jurisdictions for non-essential cookies), we will seek your consent or provide appropriate opt-out mechanisms.

6. How we use personal information

We use personal information for the following purposes:

Providing and operating the Service

Creating and managing accounts
Sending SMS/email reminders, nudges and weekly recaps
Calculating streaks, completion rates and other statistics
Maintaining and improving core features and uptime.

Personalisation and product improvement

Adapting reminder timing and content to your preferences
Understanding which features are used or ignored
Running analytics to improve UX and design.

Communications

Responding to support requests and questions
Sending important service announcements (e.g. policy changes, outages, security alerts)
Sending optional product updates and marketing where permitted by law and your preferences.

Legal, security and risk management

Detecting and preventing fraud, abuse or security incidents
Enforcing our Terms of Service
Complying with legal obligations (e.g. consumer, tax and electronic messaging laws).

Analytics and aggregated insights

Creating anonymised or aggregated statistics, such as average completion rates or streak lengths
Using these statistics to improve and market Alada, provided they do not identify you.

7. Legal bases (for EEA/UK residents)

If and when we actively offer the Service to individuals in the EEA/UK, we will rely on one or more of the following legal bases (where GDPR/UK GDPR applies):

Performance of a contract – to provide the Service you sign up for.
Consent – for certain marketing communications and non-essential cookies.
Legitimate interests – for analytics, product improvement and security, where these interests are not overridden by your rights.
Legal obligation – where we must process data to comply with laws (e.g. tax, accounting, data protection).

8. When we disclose personal information

We share personal information only as reasonably necessary for the purposes above and with appropriate safeguards, including:

8.1 Service providers (sub-processors)

We use third parties to help us deliver the Service, including:

Supabase – database and authentication services
Vercel – hosting and deployment of the web application
Twilio (or similar) – sending SMS reminders and notifications
Stripe – payment processing
Analytics tools such as PostHog and Google Analytics.

8.2 AI service providers

To help generate or personalise reminder content and similar features, we may use external AI providers such as OpenAI.

We send only the data reasonably necessary for the AI feature (for example, your first name, task summary or schedule context).

We configure our usage so that API data is not used to train or improve OpenAI's models by default, relying on OpenAI's published API data-use commitments.

We do not send your payment details or highly sensitive identifiers to AI providers.

8.3 Legal and regulatory

We may disclose information to:

Courts, regulators or law-enforcement agencies where required by law or to respond to valid legal process
The Office of the Australian Information Commissioner or other authorities in connection with privacy or data-breach obligations.

8.4 Business transfers

We do not sell your personal information for money.

9. International data transfers

Because many of our service providers operate globally, your personal information may be transferred to and processed in countries other than Australia (for example, the US or EU).

If GDPR/UK GDPR applies, we will rely on mechanisms such as standard contractual clauses or equivalent safeguards for international transfers.

10. Direct marketing and SMS/email communications

We may send:

Service messages – necessary for delivering the Service (e.g. reminders, trial notices, security alerts).
Marketing messages – optional emails or SMS about new features, promotions or tips.

We comply with the Spam Act 2003 (Cth) and ACMA guidance, which generally require:

Consent for commercial electronic messages
Clear sender identification
A functional and easy-to-use unsubscribe or opt-out mechanism, honoured within a reasonable timeframe (typically within 5 business days).

You can opt out of marketing at any time by:

Clicking "unsubscribe" in marketing emails
Following SMS instructions (e.g. replying STOP) where available
Contacting us at privacy@alada.app.

You may still receive essential service and legal messages even after opting out of marketing.

11. Data security

In summary (with more detail in our Security Policy):

All connections to the web app use HTTPS/TLS
Data is encrypted at rest by our cloud providers where available
Access to production systems is restricted on a need-to-know basis
Admin and cloud accounts use strong authentication, with multi-factor authentication where available
We maintain regular updates and patching for our infrastructure and dependencies
We use logging and monitoring tools to detect unusual activity
We rely on cloud backups and documented recovery procedures to restore data in case of loss.

No system can be 100% secure, but we work to implement and continually improve reasonable protections.

12. Data breaches and notifications

If we become aware of a data breach involving personal information, we will:

Investigate and contain the breach
Assess the risk of harm and whether notification is required under any applicable data-breach regime, including Australia's Notifiable Data Breaches (NDB) scheme where it applies
Where required, notify affected individuals and regulators
Where appropriate, provide recommendations to help you protect yourself.

13. Retention and deletion

We retain personal information for as long as reasonably necessary to:

Provide the Service to you
Meet legal, tax and accounting obligations
Resolve disputes and enforce our agreements.

When you delete your account:

Your account enters soft deletion for 30 days. During this period, your data is inactive and not visible in the app, but can be restored if the deletion was accidental.
After 30 days, we hard delete your account data from our production systems, subject to limited retention in backups and logs.
Backups and logs containing your data are kept only for the period reasonably necessary for security, audit and disaster-recovery purposes and then overwritten in the normal course of operations.

We may retain limited billing and transaction records for longer periods (e.g. up to 7 years) where required for tax and accounting.

You can request deletion or clarification of what remains by contacting privacy@alada.app.

14. Your rights

Depending on where you live and which laws apply, you may have rights such as:

Access – to request a copy of personal information we hold about you
Correction – to request correction of inaccurate or incomplete information
Deletion – to request deletion of certain personal information
Restriction or objection – to request that we stop or limit certain kinds of processing, such as direct marketing
Data portability – in some jurisdictions, to obtain a copy of certain data in a portable format.

To exercise your rights, contact privacy@alada.app. We may need to verify your identity before acting on your request.

If you are not satisfied with our response, you may have the right to contact your local privacy regulator (for Australians, the Office of the Australian Information Commissioner (OAIC)).

15. Changes to this Policy

We may update this Privacy Policy from time to time. When we do:

We will update the "Last updated" date; and
Where changes are material, we will take reasonable steps to inform you (for example, via email or in-app notice).

Your continued use of the Service after the updated Policy takes effect will constitute your acceptance of the changes.

16. Contact us

For privacy questions, requests or complaints:

Email: privacy@alada.app

General support: support@alada.app