Utily Privacy Policy
Last updated: 2025-12-07
Operator: Raven Amiatu (ABN 28 271 300 438) — contact: support@utily.me
1. Overview
- This Privacy Policy explains how Utily ("we", "us") collects, uses, discloses, and protects personal information when you use the Service.
- This Policy is designed to align with the Australian Privacy Principles (APPs) and to prepare for GDPR/CCPA readiness for overseas users.
2. What We Collect
- Account data: email, password hash.
- Billing data: payer contact details, plan selection, payment status (via payment provider).
- Service data: uploaded/forwarded utility invoices and derived usage/billing insights.
- Technical data: IP address, timestamps, request metadata, error logs; minimal cookies as described in the Cookie Notice.
- Support communications: messages you send to us.
3. How We Use Data
- Provide and operate the Service, including parsing invoices and generating insights.
- Secure the Service, detect abuse, and debug issues.
- Communicate about your account, updates, and support.
- Improve features (in aggregated or de-identified form where possible).
- Comply with legal obligations and enforce Terms.
4. Legal Bases (GDPR readiness)
- Contract necessity: to provide the Service you request.
- Legitimate interests: service security, fraud prevention, product improvement (balanced against your rights).
- Consent: where required for optional analytics or marketing (not enabled by default).
5. Sharing and Transfers
- Service providers: cloud hosting, email, storage, and analytics vendors bound by confidentiality and data-protection obligations.
- Legal: disclosures required by law, court order, or to protect rights and safety.
- Business transfers: in the event of a merger, acquisition, or asset sale, subject to safeguards.
- Cross-border transfers: we may process data outside Australia. Where required, we will use appropriate safeguards (e.g., SCCs) for EEA/UK data.
5.1 Key Service Providers (Sub-processors)
Utily uses third-party providers to operate the Service. Depending on your region and configuration, these may include:
- Hosting/compute: Fly.io
- Database: Neon (PostgreSQL)
- File storage (S3-compatible): Tigris (via Fly)
- Email ingestion/delivery: Mailgun
- Payments: Stripe
- Caching/queues: Upstash/Redis (and job queue infrastructure)
- Analytics: PostHog
- Error monitoring: Sentry (if enabled)
6. Cookies and Tracking
- See the Cookie Notice for details on cookies and similar technologies.
- Analytics: Utily uses PostHog (a third-party analytics provider) to measure product usage and improve the Service. PostHog may use cookies/localStorage/sessionStorage to recognise returning sessions. We aim to send pseudonymous identifiers (e.g., internal user ID) and avoid sending invoice PDF contents or raw invoice text.
- Operational events: we may send limited system events (e.g., mail ingestion started/succeeded/failed) to help monitor reliability. Where possible, we avoid sending direct identifiers (for example, by hashing inbound recipient addresses).
- No third-party marketing trackers are enabled by default.
- You can disable product analytics in-app (Settings → Data & Privacy). When disabled, analytics events are not sent from that device. Disabling analytics does not automatically delete past analytics events; you can request deletion via support@utily.me.
7. Data Retention
- Account and billing data: kept while your account is active and for a reasonable period thereafter for compliance and record-keeping.
- Invoice data: retained while your account is active. PDF documents and derived artifacts may be retained for model training/quality and service integrity even if you delete invoice records, unless you request full removal and it is technically and legally permissible. Backups may persist until natural rotation.
- Logs: kept for security and diagnostics for a limited period, then deleted or aggregated.
8. Security
- Transport encryption (HTTPS in production), access controls, least-privilege for operations, and monitoring for abuse.
- No system is perfectly secure; notify us promptly of any suspected incident.
9. Your Rights
- Access and correction: request access to or correction of your personal information.
- Deletion: request deletion of your account and associated personal data, subject to legal retention requirements, backups, and any retained documents kept for model training/quality where permissible. If you need full removal of documents/files, contact us to discuss feasibility.
- Objection/Restriction/Portability (GDPR readiness): where applicable, you may object to certain processing, request restriction, or request a copy of your data.
- CCPA/CPRA readiness: California residents may request deletion or information about categories of personal information and may opt out of sale/share (Utily does not sell personal information).
- Submit requests via support@utily.me. We may need to verify identity before responding.
10. Children's Data
- The Service is not directed to children under 16. If you believe a child has provided personal data, contact us to delete it.
11. Data Breaches (APP Notifiable Data Breaches readiness)
- We will assess suspected breaches promptly and, where required, notify affected individuals and regulators in line with the APP Notifiable Data Breaches scheme and any applicable overseas regimes.
12. Changes
- We may update this Policy. Material changes will be notified; continued use after the effective date constitutes acceptance.
13. Contact
- Privacy queries and requests: support@utily.me (or the contact channel listed in the app).