Privacy Policy

1. Scope and Applicability

This policy applies to personal and health information collected through the indi platform and related services. We align our practices with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) for UK/EU users, and HIPAA-aligned safeguards for U.S.-based users where applicable.

Depending on the context, indi may act as a “controller” or a “processor” under privacy laws. For example, when you enter observations or upload documents, we act as a controller. In some settings (for example, where an organisation provides indi to users under an agreement), we may act as a processor for that organisation.

Anonymity and pseudonymity

Because indi involves personalised child and family health information, we generally need certain identifying details to create and maintain your account and to ensure data integrity and safety. In most cases you cannot use indi anonymously. However, where it is lawful and practical to do so (for example, browsing certain public pages or resources), you may interact with indi without identifying yourself.

2. What We Collect and How We Collect It

We may collect the following types of information:

• Parent and caregiver account details (name, email, contact information).
• Child-related developmental data, observations, milestones, and documents.
• Appointment history, care notes, and communications within the platform.
• Device data (e.g., IP address, approximate location inferred from IP, browser type) for security and functionality.
• Usage data for analytics and feature improvement.
• Mobile advertising identifiers (Apple IDFA on iOS where you grant permission, and Google Advertising ID on Android) and related attribution data, used solely to measure which marketing campaigns bring families to indi. See "Attribution and analytics partners" below.

We collect information in several ways, including:

• Directly from you when you create an account, complete forms, enter observations, upload documents, book appointments, or communicate with us.
• From others you authorise, such as healthcare providers or educators who you connect to your indi account.
• Automatically when you use the platform, through technologies such as cookies, SDKs and similar tools that help us keep the service secure, understand usage patterns, and improve performance. For details on the cookies our website uses, the tracking technologies our app uses, and how to control them, see our Cookie & Tracking Policy.

You are responsible for ensuring you have appropriate authority to share information, especially when adding details about another person (e.g., your child, a partner, or an educator).

When we collect personal information, we aim to do so directly from you and to let you know, at or before the time of collection (or as soon as practicable afterwards), what we are collecting, why we are collecting it, and how it will be used and disclosed. This may be done through this Privacy Policy, in-app notices, just-in-time prompts, or other communications.

3. How We Use and Share Information

We use personal information to:

• Deliver personalised developmental support and milestone tracking.
• Support care appointment scheduling, reminders, and secure messaging.
• Improve the platform based on de-identified or aggregated usage patterns.
• Improve, evaluate, and refine indi's AI-enabled features using de-identified or aggregated information, in accordance with this Privacy Policy.
• Respond to your requests or provide customer support.
• Comply with legal obligations, such as health record access rights or court orders.

We do not sell or rent your data.

Use of De-Identified Data to Improve AI Features

indi may use limited portions of information entered into the platform to improve the quality, safety, and reliability of its AI-enabled features. This process is designed to improve system performance generally and is not used to make automated decisions about your child without appropriate safeguards.

Where information is used for this purpose, it is first de-identified or aggregated so that it cannot reasonably be used to identify you or your child. This means direct identifiers are removed or transformed, and the data is used only in a form intended to reduce re-identification risk.

We do not use identifiable personal information to train AI models. Where child-related information is used for AI improvement, it is used only in de-identified or aggregated form as described above.

Participation in this model improvement process is optional. You can opt out at any time through your account settings. If you cannot access your account settings, you can request this via privacy@projectindi.com. Opting out will not affect your ability to use indi's core services.

We may share your information with trusted third parties where necessary to provide our services, including:

• Cloud hosting and storage providers that securely store data.
• Analytics and monitoring services that help us understand platform performance and usage in a de-identified or aggregated way.
• Communication and notification providers that support email, SMS, or in-app messaging.
• Healthcare providers or organisations you explicitly connect to your indi account, in line with your instructions and consent.
• Professional advisors and insurers, where required for legal, regulatory, or risk management purposes.
• Law enforcement or regulatory authorities, where we are legally required to do so, or where disclosure is necessary to prevent or lessen a serious threat to life, health, or safety.

These third parties only receive the minimum information reasonably necessary for their role and are contractually required to handle your information securely and in line with applicable privacy laws.

Any data shared with third-party services (e.g., secure storage, analytics) is limited, contractually governed, and subject to privacy safeguards.

Attribution and analytics partners

We use AppsFlyer, an SDK provided by AppsFlyer Ltd., in our mobile apps to measure the effectiveness of our marketing. AppsFlyer helps us understand which campaigns and referral sources bring families to indi, so we can reach more parents who would benefit from the service.

When you use our mobile app, AppsFlyer may receive your mobile advertising identifier (Apple IDFA on iOS, where you have granted App Tracking permission, or Google Advertising ID on Android), device type and operating system, IP address, a pseudonymous account identifier we assign to your indi account, and a limited set of in-app events (such as sign-up, subscription start, and in-app purchase) for attribution purposes. AppsFlyer does not receive children's health information, observations, documents, or other content you enter about your family.

AppsFlyer processes this data on our behalf under a data processing agreement. Their privacy practices are available at appsflyer.com/legal/services-privacy-policy. You can opt out of AppsFlyer attribution at appsflyer.com/optout.

On iOS, we will not access your IDFA unless you allow App Tracking when prompted. You can change this at any time in your device Settings under Privacy & Security → Tracking. On Android, you can reset or limit ad personalisation in your device Settings under Google → Ads.

4. Unsolicited and Inappropriate Information

indi is designed for specific, family-related health and developmental purposes. If we receive personal information that we did not request, or that appears unrelated to our services:

• We will assess whether we are permitted to retain it in line with this Privacy Policy and applicable law.
• If we are not permitted to keep it, we will take reasonable steps to destroy or de-identify the information as soon as practicable.

If we become aware that information has been entered without appropriate authority or consent, we may seek verification, limit access, or remove that information in accordance with applicable laws.

5. International Data Transfers

indi is an Australian company. Data is currently stored in the United States using secure cloud infrastructure.

We take reasonable steps to ensure that any such transfers are handled in a manner consistent with relevant cross-border data laws, including:

• Contractual and technical safeguards designed to support cross-border data transfers for EU/UK users.
• Appropriate safeguards for U.S. users where health information may be handled in a manner that brings HIPAA or other U.S. privacy requirements into scope.

Where we transfer personal information overseas, we take reasonable steps to ensure that the recipient handles that information in a way that is consistent with this Privacy Policy and with privacy protections comparable to the Australian Privacy Principles. indi remains responsible, under the Australian Privacy Act, for personal information we disclose overseas, except in limited circumstances permitted by law.

6. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access your data and receive a copy in a portable format.
• Correct or update information about you or your child.
• Request deletion of your account or specific data points, subject to legal and clinical record-keeping obligations.
• Withdraw consent for certain types of data processing.
• Object to automated decision making or profiling, where used.
• Lodge a complaint with your local privacy authority (see "Complaints and Contact" below).
• Opt out of the use of de-identified or aggregated data for AI model improvement.

To exercise any of these rights, please contact us via the details provided below. We may require verification of your identity before fulfilling requests. We aim to respond within a reasonable period (typically within 30 days) and will inform you if we are unable to comply with your request and explain why.

7. Children's Data

indi is specifically designed to support parents and legal guardians. We do not permit direct use by children under 16. All child-related data must be entered by a verified parent, guardian, or authorised caregiver. You must not enter information about a child without proper authority and consent.

If we become aware that child data has been entered without appropriate consent, we will take steps to verify or remove the data in accordance with applicable laws.

8. Data Security, Retention, and Destruction

We use encryption, role-based access controls, and secure cloud infrastructure to safeguard your information. We take reasonable steps to protect personal information from loss, misuse, unauthorised access, modification, or disclosure.

We retain personal information only for as long as it is reasonably necessary to:

• provide the indi services you have requested,
• support your ongoing relationship with us, and
• meet legal, regulatory, and clinical record-keeping requirements.

When personal information is no longer required for these purposes, we take reasonable steps to destroy it or permanently de-identify it, unless we are required by law to retain it for a longer period.

Despite our efforts, no digital service is completely immune to risks. You are also responsible for keeping your account credentials confidential and ensuring secure use on your devices.

Where data has been de-identified or aggregated and used to improve AI features, it may not be possible to fully remove its influence from existing models. This data does not identify you or your child. Where feasible, we will respect opt-out requests for future use.

9. Responsible Use Reminder

indi is a powerful tool to assist with early developmental observations and coordination, but it is not a diagnostic service or a replacement for professional advice. Please use the platform ethically, with care and respect for the privacy of those you're recording information about.

Misuse of the platform, including entering unverified or inappropriate content, may lead to account suspension or legal action under applicable health and privacy laws.

10. Complaints and Contact

If you have questions, feedback, or would like to exercise your rights, please reach out:

Email: privacy@projectindi.com

We take privacy concerns seriously and will work with you to resolve any complaint.

If you are not satisfied with our response, you may lodge a complaint with the relevant privacy authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC):

• Web: oaic.gov.au
• Phone (within Australia): 1300 363 992

For users in other jurisdictions, you may also have the right to contact your local data protection authority.

11. Updates to This Policy

We may update this Privacy Policy to reflect changes in law or service offerings. Significant changes will be communicated via the app or email. Your continued use of indi after any update constitutes acceptance of the new terms.