What we collect,
and what we don't.

1. Who we are

This Privacy Policy applies to Bryndis, a personal safety mobile application and the bryndis.com.au website (collectively, "Bryndis," "we," "us," "our").

Bryndis is operated by Adam Johnson, trading as BRYNDIS (a registered business name with the Australian Securities and Investments Commission, registered 12 May 2026), Australian Business Number 73 260 832 724. Our place of business is Adelaide, South Australia.

We are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles contained in that Act, regardless of our annual turnover, because we provide a health and safety-adjacent service involving sensitive information.

2. What we collect

Account information

• Email address
• First name (or a chosen display name)
• Mobile phone number (verified by SMS)
• Authentication credentials (password, securely hashed; or Apple Sign-In identifier)

Trusted contacts

• The names you assign to your trusted contacts
• Their mobile phone numbers
• The priority order you set

We do not import your full address book. You enter trusted contacts manually. When you add a contact, we send a one-time SMS to that number, in your name, notifying the person they have been added and offering them the option to be removed.

Location information

• GPS coordinates with accuracy radius
• Device magnetic heading (used by the AR compass)

Location is captured only when you actively use a feature that requires it — triggering an SOS, starting a check-in timer, dropping a car pin, or running a Rideshare Tracker session. Bryndis does not collect background location. iOS will only ever expose location while the app is active or while a relevant timer is running.

Safety event records

• Timestamp, type, and outcome of each SOS, check-in, or tracker event
• The location snapshot at the moment the event was triggered
• Which trusted contacts were notified, and whether they acknowledged the alert

Subscription & payment information

• Subscription tier and status, received from Apple via RevenueCat

We do not collect or store your payment card details. All in-app purchases are processed by Apple under their billing terms.

Device & diagnostic information

• Device model, iOS version, app version, language and region
• Anonymous crash logs and basic performance diagnostics

Diagnostic data is aggregated and does not identify individual users.

What we do not collect

• Your address book or contact list
• Background location, when no Bryndis feature is active
• Microphone, camera, or photo library content (the AR compass uses the camera feed in real time but does not store or transmit it)
• Browsing history, advertising identifiers, or behavioural profiles
• Health, biometric, or fitness data

3. How we collect it

We collect personal information directly from you, when you:

• Create an account and verify your phone number
• Add or edit a trusted contact
• Trigger a safety feature (SOS, check-in, car pin, rideshare or date module)
• Subscribe to a paid module
• Contact our support team

We may collect information indirectly through Apple (subscription state) and RevenueCat (entitlement status). We do not collect personal information about you from data brokers, social networks, or other third parties.

4. Why we collect it

We collect personal information for the following primary purposes:

• To deliver the service. Sending alerts to your trusted contacts, running check-in timers, dropping car pins.
• To authenticate you. Verifying your identity by phone number and protecting your account against takeover.
• To process subscriptions. Confirming your entitlement to paid modules.
• To improve the app. Diagnosing crashes and identifying reliability issues, using aggregated data.
• To meet legal obligations. Where required to comply with Australian law, including responding to lawful requests from law enforcement made via valid Australian process.

5. Who we share with

We share personal information only as strictly necessary to deliver the service, and only with the following categories of recipients:

Service providers

• Supabase Inc. — database, authentication, and storage. Bryndis uses a Supabase project hosted in Sydney, Australia. Supabase acts as a processor on our behalf.
• Twilio Inc. — SMS delivery (verification codes and safety event SMS to your trusted contacts).
• Apple Inc. — push notifications (via Apple Push Notification service), App Store distribution, and in-app purchase processing.
• RevenueCat Inc. — subscription entitlement management.
• Sentry / crash diagnostics provider — anonymised crash logs.

Trusted contacts you choose

When you trigger a safety feature, the relevant trusted contact will receive your name, your live location, and a link to view your event in a browser. This disclosure is made on your direction, by you, using the app.

Law enforcement and regulators

We may disclose personal information where required by Australian law — for example, in response to a valid subpoena or warrant — or where we reasonably believe disclosure is necessary to prevent a serious threat to the life, health, or safety of any individual, in accordance with Australian Privacy Principle 6.

What we will never do

• Sell or rent your personal information.
• Share your location data with advertisers, data brokers, analytics partners, or any third party for marketing purposes.
• Use your trusted contacts list for any purpose other than delivering safety events you trigger.
• Provide your information to commercial third parties as part of any merger, acquisition, or asset sale without first notifying you and giving you a reasonable opportunity to delete your account.

6. Overseas data flows

Your core personal information — account, trusted contacts, safety event records, and location snapshots — is stored in Supabase's Sydney, Australia region.

Some of our service providers are based outside Australia (Twilio, Apple, RevenueCat, and our crash diagnostics provider are headquartered in the United States) and process limited information in the course of delivering their part of the service. Before using any overseas service provider, we take reasonable steps to confirm that the recipient does not breach the Australian Privacy Principles in relation to the information.

By using Bryndis, you acknowledge that some routine processing of your personal information may occur outside Australia, principally in the United States, for the limited purposes described above.

7. Storage and security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:

• Encryption of all data in transit (TLS 1.2+).
• Encryption of data at rest in our Supabase database.
• Row-level security policies, so one user cannot read another user's records under any circumstance.
• Phone-number verification on every account.
• Internal access on a strict need-to-know basis. Adam Johnson is currently the sole operator with administrative database access.

No method of internet transmission or electronic storage is completely secure. We cannot guarantee absolute security but we take our obligations seriously, including notifying you and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach, as required by the Notifiable Data Breaches scheme.

8. Retention and deletion

We retain personal information only for as long as needed for the purposes for which it was collected, or as required by Australian law.

• Active account data — held while your account exists.
• Safety event records — held for 12 months from the event, then automatically purged. You may delete individual events from the app at any time.
• Anonymous diagnostic data — held for up to 90 days.

You may delete your account at any time from within the app — Settings → Account → Delete account. Account deletion is one-tap and irreversible. All personal information associated with your account is permanently erased from our active systems within 30 days. Backup copies are overwritten on a rolling 35-day cycle.

9. Your rights

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you (APP 12).
• Correct information that is inaccurate, out-of-date, or incomplete (APP 13).
• Be informed about how we handle your information (this policy).
• Withdraw consent to non-essential processing, by deleting your account or by emailing us at privacy@bryndis.com.au.

Most access and correction requests can be handled within the app. For anything that can't, email privacy@bryndis.com.au. We will respond within 30 days.

10. Website data

The bryndis.com.au website uses minimal, privacy-respecting analytics to understand how visitors use the site. We do not use Google Analytics. We do not set advertising cookies. We do not track you across other sites.

The website uses essential cookies for basic functionality (such as remembering whether you have dismissed a banner). No personal information is collected from you simply by visiting bryndis.com.au.

11. Children

Bryndis is intended for users aged 16 and over. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, please contact privacy@bryndis.com.au and we will delete the account.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or the law. We will publish the updated policy at this URL and update the "Last updated" date at the top. For material changes — for example, the addition of a new category of recipient — we will notify you in the app and by email at least 14 days before the changes take effect.

13. Contact and complaints

For privacy questions, access or correction requests, or to make a complaint:

• Email: privacy@bryndis.com.au
• Post: Privacy Officer, BRYNDIS, Adelaide, South Australia (email us for the postal address)

We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you are entitled to make a complaint to the Office of the Australian Information Commissioner:

• OAIC website: www.oaic.gov.au
• OAIC phone: 1300 363 992