Privacy Policy

Effective Date: 14 January 2026

1. Introduction

Down Under Vault Pty Ltd ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our digital estate inventory service (the "Service").

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes how we comply with these obligations.

By using the Service, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

We collect the following types of information:

2.1 Account Information

  • Full name
  • Email address
  • Mobile phone number (optional)
  • Password (stored in encrypted form)
  • Account creation and verification dates

2.2 Vault Contents

Information you choose to store in your vault, including:

  • Item descriptions, locations, and instructions
  • Financial asset details
  • Property information
  • Estate documents and their metadata
  • File attachments you upload

2.3 Nominee Information

  • Names of people you designate as nominees
  • Their email addresses and phone numbers
  • Their relationship to you
  • Roles and access permissions you assign

2.4 Usage Data

  • Check-In response history
  • Login timestamps and session information
  • Feature usage patterns
  • Error logs and performance data

2.5 Device Information

  • IP address
  • Browser type and version
  • Device type and operating system
  • Time zone and language preferences

2.6 Consent Records

  • Terms and Conditions acceptance timestamps
  • Version of terms accepted
  • IP address at time of acceptance
  • Browser/device information at time of acceptance

3. How We Use Your Information

We use your personal information to:

3.1 Provide the Service

  • Create and manage your account
  • Store and organise your vault contents
  • Process nominee invitations and access
  • Execute vault releases when Check-In conditions are met

3.2 Communicate With You

  • Send Check-In notifications via email and SMS
  • Notify you of account activity and security events
  • Respond to your enquiries and support requests
  • Send service updates and policy changes

3.3 Communicate With Nominees

  • Send invitations on your behalf
  • Notify nominees of vault releases
  • Provide access instructions

3.4 Security and Fraud Prevention

  • Detect and prevent unauthorised access
  • Monitor for suspicious activity
  • Scan uploaded files for malware
  • Maintain audit logs

3.5 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to lawful requests from authorities
  • Enforce our Terms and Conditions
  • Maintain consent records for regulatory compliance

4. Legal Basis for Processing

We process your personal information on the following legal bases:

4.1 Contractual Necessity

Processing necessary to perform our contract with you, including providing the Service, managing your account, and executing vault releases.

4.2 Legitimate Interests

Processing necessary for our legitimate interests, including security, fraud prevention, service improvement, and business operations, provided these interests do not override your rights.

4.3 Legal Obligations

Processing necessary to comply with our legal obligations, including maintaining records and responding to lawful requests.

4.4 Consent

Where required, we obtain your explicit consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.

5. Information Sharing

We may share your personal information in the following circumstances:

5.1 With Your Nominees

When your vault is released (due to failed Check-Ins or your instruction), we share the relevant vault contents with your designated nominees according to your assignments.

5.2 With Service Providers

We use trusted third-party service providers to operate the Service, including:

  • Amazon Web Services (AWS) for cloud infrastructure and storage
  • Resend for email delivery
  • AWS SNS for SMS notifications

These providers are contractually obligated to protect your information and may only process it as instructed by us.

5.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and your options.

5.5 What We Do Not Do

We do NOT:

  • Sell your personal information to third parties
  • Share your vault contents with advertisers
  • Use your data for targeted advertising
  • Provide access to your vault without authorisation

6. Nominee Data

When you add nominees to your vault, we collect their contact information from you. We recognise that nominees have not directly provided us with their information.

6.1 What We Collect

  • Name (as provided by you)
  • Email address
  • Phone number (if provided)
  • Relationship to you

6.2 How We Use Nominee Data

We use nominee data only to:

  • Send invitations on your behalf (with your instruction)
  • Notify them of vault releases
  • Provide them access to assigned items

6.3 Spam Act 2003 Compliance

We comply with the Australian Spam Act 2003 when contacting nominees. For first-contact emails, we use a two-phase notification system:

  • Phase 1: Information-only notification without commercial links
  • Phase 2: Full invitation only after nominee acknowledgment

Nominees can opt out of communications at any time by replying to any email or contacting us.

7. Data Storage and Security

7.1 Data Location

All data is stored on servers located in Australia (AWS Sydney region, ap-southeast-2). Your data does not leave Australian jurisdiction unless you explicitly request an export.

7.2 Encryption

  • All data is encrypted at rest using AES-256 encryption
  • All data in transit is encrypted using TLS 1.2 or higher
  • Passwords are hashed using industry-standard algorithms

7.3 Access Controls

  • Strict role-based access controls for our staff
  • Multi-factor authentication required for administrative access
  • Regular access reviews and audit logging

7.4 Security Measures

  • Regular security assessments and penetration testing
  • Automated malware scanning for uploaded files
  • Intrusion detection and monitoring
  • Incident response procedures

8. Data Retention

8.1 Active Accounts

We retain your data for as long as your account is active. Your vault contents are stored until you delete them or close your account.

8.2 Closed Accounts

When you close your account, we delete your vault contents within 30 days. Some information may be retained for legal compliance purposes (such as consent records and financial transaction history) for up to 7 years.

8.3 Backup Retention

Backups containing your data may be retained for up to 90 days after deletion for disaster recovery purposes, after which they are permanently deleted.

8.4 Legal Hold

If we are required to preserve data for legal proceedings, we may retain relevant information beyond normal retention periods.

9. Your Rights

Under the Privacy Act 1988 and the Australian Privacy Principles, you have the following rights:

9.1 Right to Access

You can request access to the personal information we hold about you. We will provide this information within 30 days of your request.

9.2 Right to Correction

You can request correction of inaccurate or incomplete personal information. You can also update most information directly through your account settings.

9.3 Right to Deletion

You can request deletion of your personal information by closing your account. Some information may be retained for legal compliance as described in Section 8.

9.4 Right to Data Portability

You can export your vault data in a machine-readable format through your account settings.

9.5 Right to Withdraw Consent

Where we process your information based on consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing prior to withdrawal.

9.6 Right to Complain

If you believe we have breached the Australian Privacy Principles, you can lodge a complaint with us (see Section 14) or with the Office of the Australian Information Commissioner (OAIC).

10. Cookies and Tracking

10.1 Session Management

We use session storage (not cookies) to maintain your authenticated session. This data is stored in your browser and cleared when you close the browser window.

10.2 No Third-Party Tracking

We do not use third-party tracking cookies, advertising pixels, or social media trackers. We do not share your browsing behaviour with advertisers.

10.3 Analytics

We may collect anonymised usage analytics to improve the Service. This data cannot be used to identify individual users.

11. International Users

The Service is primarily designed for Australian users and is governed by Australian law. If you access the Service from outside Australia:

  • Your data will be transferred to and stored in Australia
  • You consent to this transfer by using the Service
  • Australian privacy laws will apply to your data
  • You may have additional rights under your local laws

For users in the European Economic Area (EEA), we endeavour to comply with GDPR requirements where applicable, including providing data subject rights and maintaining appropriate safeguards for international transfers.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on the Service
  • Sending you an email notification
  • Displaying a prominent notice when you log in

The "Effective Date" at the top of this policy indicates when it was last updated. We encourage you to review this policy periodically.

Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

14. Contact Us and Complaints

14.1 Privacy Enquiries

For questions about this Privacy Policy or our privacy practices, contact us:

14.2 Complaint Process

If you have a privacy complaint:

  1. Contact us using the details above with a description of your complaint
  2. We will acknowledge your complaint within 5 business days
  3. We will investigate and respond within 30 days
  4. If you are not satisfied with our response, you can escalate to the OAIC

14.3 Office of the Australian Information Commissioner

If you are not satisfied with our response to your complaint, you can contact the OAIC:

This Privacy Policy was last updated on 14 January 2026.

For questions or concerns, please contact us at privacy@downundervault.com.