Privacy Policy.
How we handle the information you entrust to the Digital Guardian Suite. Plain language first. Regulatory rigour underneath.
Last updated · May 2026 · Version 1.0
Introduction
Digital Guardian Suite ("Digital Guardian", "we", "us", "our") operates a unified set of applications — Velvet Vault, Shadow Guard, QuickShield, and Guardian Mind — designed to protect what matters most: your time, your money, your family, and your peace of mind.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you hold over it. We have drafted this document to be plain-language and human first; where regulatory language is required, it appears below in clearly marked sections.
We comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth), and where applicable, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Our APP Compliance
As an Australian-aligned service, we observe the 13 Australian Privacy Principles. Each is paraphrased below with our specific practice:
- APP 1 — Open management. This policy is freely accessible. Updates are version-stamped.
- APP 2 — Anonymity / pseudonymity. You may interact with our marketing site anonymously. Account-bound features require identifying information.
- APP 3 — Collection of solicited information. We collect only what is necessary for the function you request.
- APP 4 — Unsolicited information. If we receive personal information we did not request, we will destroy or de-identify it where lawful.
- APP 5 — Notification of collection. You are notified at every point of collection, either inline or via this policy.
- APP 6 — Use & disclosure. Your data is used only for the primary purpose collected, or a directly related secondary purpose you would reasonably expect.
- APP 7 — Direct marketing. We do not engage in direct marketing without opt-in consent. Unsubscribe is one click.
- APP 8 — Cross-border disclosure. Data may transit through service providers in the United States, the EU, and Australia. All such providers are bound to APP-aligned contractual standards.
- APP 9 — Government identifiers. We do not use government identifiers as our primary keys.
- APP 10 — Quality. We take reasonable steps to keep your data accurate, current, and complete.
- APP 11 — Security. Encryption in transit (TLS 1.2+) and at rest (AES-256). See section 04, "How We Secure Your Data".
- APP 12 — Access. You may request a copy of the personal information we hold about you at any time.
- APP 13 — Correction. You may correct any personal information we hold. We will action within 30 days.
Information We Collect
a. Information you provide directly
- Name, email, billing address, and payment method (processed by Stripe — we never store your full card number)
- Family member contacts you add to QuickShield (with their consent)
- Journal entries, mood signals, voice notes, and reflection prompts you submit to Velvet Vault or Guardian Mind
- Financial accounts you link to Shadow Guard (read-only via secure aggregators)
b. Information we collect automatically
- Device type, operating system, browser, IP address, and approximate location
- Usage patterns inside the apps (which features you engage, when, and for how long)
- Anonymous telemetry for crash reporting and performance
c. Information from third parties
- Stripe (payment confirmation + fraud signals)
- Resend (email delivery confirmation)
- Financial aggregators you authorise (e.g., Plaid, Basiq)
How We Secure Your Data
Security is the product. The following measures are not aspirational — they are baseline:
- Encryption in transit: TLS 1.2 or higher across every endpoint and integration. No exceptions.
- Encryption at rest: AES-256 across our primary databases, document stores, and backups.
- Vault-grade fields: Particularly sensitive fields (journal text, financial credentials, family contact PII) are double-encrypted with per-tenant keys.
- Access controls: Least-privilege role-based access. Every administrative action is logged and reviewable.
- Key management: Customer-segment keys are rotated periodically. Master keys are stored in hardware-backed key vaults.
- Penetration testing: Annual third-party penetration tests; ongoing automated vulnerability scanning.
- Incident response: 72-hour notification to affected users in the event of a confirmed breach, in line with the Notifiable Data Breaches scheme.
AI Disclosure
Several features within the Digital Guardian Suite are powered by artificial intelligence. We believe you have the right to know when you are interacting with an AI system, and what it can and cannot do for you.
- Guardian Mind uses large language models and on-device signal processing to infer mood, suggest reflection prompts, and surface patterns. It does not provide medical, psychological, psychiatric, or therapeutic advice. See our Terms of Service for the full clinical disclaimer.
- Velvet Vault uses AI to summarise journal entries, structure tasks, and propose schedules. All AI-generated suggestions can be edited, declined, or deleted.
- Shadow Guard uses machine-learning anomaly detection on transactions you authorise it to monitor. It does not initiate financial transfers.
- Training: We do not use your personal content to train our underlying AI models, except where you have explicitly opted in to a research program. Anonymous, aggregated signals may be used to improve model quality.
- Third-party AI providers: Some features rely on OpenAI, Anthropic, or Google AI. We send only the minimum prompt context required for the feature to function. Provider-specific data-retention policies apply.
- Right to human review: Any automated decision that materially affects you (e.g., risk classification) can be appealed for human review by emailing privacy@digital-guardian.info.
How We Use & Disclose Information
We use your information to deliver, maintain, and improve the suite — and for nothing else without your explicit consent. Specifically:
- Provide and personalise the apps you've subscribed to
- Authenticate you and protect your account
- Process payments via Stripe
- Send transactional emails (welcomes, receipts, security alerts) via Resend
- Detect, prevent, and respond to fraud, abuse, and security threats
- Comply with legal obligations under Australian, EU, and US law
- Generate de-identified, aggregated analytics that cannot be linked back to you
We do not sell your personal information. We do not engage in behavioural advertising. We do not share content from your vaults with advertisers, data brokers, or affiliates.
Retention & Deletion
We retain your personal information for as long as your membership is active, and for a reasonable period afterwards in case you reactivate. Typical retention windows:
- Account & profile: lifetime of membership + 30 days grace
- Billing records: 7 years (Australian tax law)
- Vault contents (journal / financial / family): until you delete them, or 90 days after cancellation
- Anonymous telemetry: 24 months
You may request full account deletion at any time by writing to privacy@digital-guardian.info. We will action the request within 30 days, subject to lawful retention obligations.
Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your data
- Restrict or object to certain processing
- Receive your data in a portable format (GDPR Art. 20)
- Withdraw consent at any time without penalty
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data-protection authority
To exercise any of these rights, contact privacy@digital-guardian.info. We respond within 30 days.
Children
Digital Guardian is designed for adults aged 18+. QuickShield may be used by family-account owners to protect children, but children do not hold accounts directly with us. We do not knowingly collect personal information from anyone under 13. If you believe we have, please contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and surfaced in-app at least 30 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
Contact
For privacy enquiries, requests, or concerns:
Privacy Officer
Digital Guardian Suite
privacy@digital-guardian.info
© 2026 Digital Guardian Suite · Discretion · Encryption · End-to-end privacy