1. Introduction
Tinkl ("the App") is a social planning application operated by Daniel Buttacavoli, a sole trader based in Australia ("we", "us", "our").
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Tinkl mobile application and related services. It applies to all users of Tinkl, regardless of location.
We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By creating an account and using Tinkl, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
| Information | When Collected | Required? |
|---|---|---|
| Email address | Account registration | Yes |
| Password | Account registration | Yes |
| Display name | Account setup / profile editing | Yes |
| Bio | Profile editing | No |
| Profile photo | Profile editing | No |
| Calendar names and descriptions | Calendar creation | Name only |
| Event details | Event creation | Title & date |
| Chat messages | Group messaging | User-initiated |
| Event comments | Commenting on events | User-initiated |
| Availability selections | Event planning | User-initiated |
| RSVP responses | Responding to events | User-initiated |
| Poll responses | Group polls | User-initiated |
2.2 Information Collected Automatically
| Information | When Collected | Purpose |
|---|---|---|
| Push notification token | When you enable notifications | Deliver notifications to your device |
| Device platform (iOS/Android) | When you enable notifications | Route notifications correctly |
2.3 Information Collected With Your Permission
| Information | When Collected | Purpose |
|---|---|---|
| Device location (when in use only) | When you create a Shake | Identify your current location by place name |
About location data: When you create a Shake, your device's GPS coordinates are used locally to determine a place name (e.g., "Hyde Park, Sydney"). Only the place name and suburb are sent to our servers. Raw GPS coordinates are not stored. Location access is never used in the background.
2.4 Information We Do Not Collect
We do not collect:
- Precise GPS coordinates (only geocoded place names)
- Background location data
- Contacts or address book information
- Financial or payment information
- Health or fitness data
- Browsing or search history outside the App
- Advertising identifiers or device IDs for tracking
- Biometric data
3. How We Use Your Information
We use your personal information solely to provide and operate the Tinkl App:
| Purpose | Information Used |
|---|---|
| Create and manage your account | Email, password, display name |
| Display your profile to friends | Display name, bio, profile photo |
| Enable shared calendar planning | Calendar data, event details, availability, RSVPs |
| Deliver group messages | Chat messages, within calendar groups |
| Power the Shakes feature | Location place name (when you actively create a Shake) |
| Send notifications | Push token, notification content |
| Enforce user safety | Blocked user lists, notification preferences |
| Award badges and rank titles | Activity counts (aggregated) |
We do not use your information for:
Advertising or marketing. Profiling or automated decision-making. Sale to third parties. Any purpose unrelated to the App's core functionality.
4. How We Share Your Information
4.1 With Other Users
Your display name, profile photo, and bio are visible to users who are your accepted friends or members of the same calendars. Chat messages are visible to members of the calendar in which they are posted. Shake place names are visible to the friends you invite to that Shake.
4.2 With Service Providers
We use the following third-party service providers to operate the App. These providers process your information only as necessary to provide their services to us:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Pty Ltd | Database hosting, authentication, file storage | Sydney, Australia |
| Expo (650 Industries) | Push notification delivery | United States |
| Google LLC | Location autocomplete (Places API, proxied via our server) | United States |
4.3 Cross-Border Disclosure
Your personal information is primarily stored in Australia (Supabase Sydney region). However, some information is disclosed to service providers in the United States (Expo for push notifications, Google for location search) as described above. In accordance with Australian Privacy Principle 8, we take reasonable steps to ensure these overseas recipients handle your information consistently with the APPs.
4.4 When Otherwise Required
We may disclose your information if required to do so by law, regulation, legal process, or enforceable government request, or to protect the rights, safety, or property of Tinkl, our users, or the public.
4.5 What We Never Do
We never sell your personal information.
We never share your information with advertisers.
We never use third-party analytics or tracking services.
We never provide your information to data brokers.
5. Data Storage and Security
5.1 Where Your Data Is Stored
Your data is stored on Supabase infrastructure in the Sydney, Australia (ap-southeast-2) region. File uploads (profile photos, calendar cover images, stickers) are stored in Supabase Storage in the same region.
5.2 Security Measures
We implement the following security measures to protect your information:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
- Encryption at rest: All data at rest is encrypted by Supabase's infrastructure.
- Secure token storage: Authentication tokens are stored in the iOS Keychain (or Android equivalent), not in plaintext.
- Database access control: Every database table has Row Level Security (RLS) enabled, ensuring users can only access data they are authorised to see.
- API key security: Third-party API keys are stored server-side and never shipped in the app binary.
5.3 Data Retention
We retain your personal information for as long as your account is active. When you delete your account, all your data is permanently deleted (see Section 7). We do not retain copies of deleted data.
6. Your Rights
Under the Australian Privacy Principles, you have the following rights regarding your personal information:
6.1 Right of Access (APP 12)
You may request access to the personal information we hold about you. Most of your information is directly accessible within the App (profile, calendars, messages, friends). For a formal access request, contact us at support@tinkl.au.
6.2 Right of Correction (APP 13)
You may update or correct your personal information at any time through the App:
- Display name and bio: Settings > Edit Profile
- Profile photo: Settings > Edit Profile
- Password: Settings > Change Password
If you believe any information we hold is inaccurate and you cannot correct it through the App, contact us at support@tinkl.au.
6.3 Right of Deletion
You may permanently delete your account and all associated data at any time through the App (see Section 7).
6.4 Right to Complain
If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, you may:
- Contact us first: Email support@tinkl.au with details of your concern. We will investigate and respond within 30 days.
- Complain to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at www.oaic.gov.au or by calling 1300 363 992.
7. Account Deletion
You can permanently delete your account from within the App:
Settings > Delete Account
When you delete your account, the following is immediately and permanently removed from our servers:
- Your authentication credentials (email, password)
- Your profile (display name, bio, profile photo)
- All calendars you own
- All your calendar memberships
- All messages you have sent
- All event RSVPs and availability submissions
- All Shakes (beacons) you have created
- All your friendships and friend requests
- All your notifications and push tokens
- Your badges, titles, and stickers
- Your blocked user records and notification preferences
- All uploaded files (profile photos, calendar cover images)
Deletion is immediate and irreversible. There is no grace period or recovery option.
8. Children's Privacy
Tinkl is intended for users aged 13 years and older. We do not knowingly collect personal information from children under the age of 13.
If you are a parent or guardian and believe your child under 13 has created a Tinkl account or provided personal information to us, please contact us at support@tinkl.au. We will promptly delete the child's account and all associated information.
If you are aged between 13 and 18, we encourage you to discuss your use of Tinkl with a parent or guardian.
9. Third-Party Services
Tinkl may contain links to external services (e.g., opening a location in your maps application). These third-party services have their own privacy policies, and we are not responsible for their practices.
The third-party services integral to Tinkl's operation are:
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App (via an in-app notification or system announcement) before the changes take effect.
The "Effective" date at the top of this policy indicates when the most recent changes were made. Your continued use of Tinkl after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information:
We aim to respond to all enquiries within 30 days.
support@tinkl.au12. Governing Law
This Privacy Policy is governed by the laws of the Commonwealth of Australia, including the Privacy Act 1988 (Cth). Any disputes arising from this policy will be subject to the jurisdiction of the courts of Australia.