Privacy Policy

Our Commitment to Your Privacy

M. P. S. Bilo (ABN: [TBD]) ("LaityOS," "we," "us," or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and secure your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using LaityOS services, you agree to the collection and use of information as described in this policy.

1. What Information We Collect

We collect the following types of personal information:

Account Information

• Full name
• Email address
• Organization name (if applicable)
• Password (stored in encrypted form only)
• Profile information (avatar, bio, preferences)

Service Usage Information

• Posts and comments you create
• Event registrations and attendance
• Prayer requests (if you choose to share)
• Interactions with other community members
• Account settings and preferences

Technical Information

• IP address
• Device information (browser type, operating system)
• Log data (access times, pages viewed, errors)
• Session information
• Cookies (see Section 11)

Authentication Information

• Login attempts (successful and failed)
• Multi-factor authentication settings
• Session tokens

Optional Information

You may choose to provide:

• Phone number (for account recovery)
• Mailing address (for event correspondence)
• Dietary requirements (for event catering)
• Additional profile details (interests, skills)

We Do NOT Collect

• Payment card information (not stored on our systems)
• Government identifiers (tax file numbers, passport numbers)
• Biometric information
• Health information (except voluntarily shared in prayer requests)

2. How We Collect Information

Directly From You

• When you create an account
• When you update your profile
• When you post content or comment
• When you register for events
• When you contact our support team
• When you submit feedback or surveys

Automatically

• Web server logs when you access our services
• Cookies and similar tracking technologies
• Session data during your use of the platform
• Error logs when technical issues occur

From Third Parties

• Authentication providers (if you use single sign-on)
• Your organization (if they manage your account)
• Security services (to prevent fraud and abuse)

3. Why We Collect Your Information

Primary Purposes

• Provide our services: Enable community management, event coordination, communication tools
• Account management: Create, maintain, and secure your account
• Service delivery: Process event registrations, manage posts and comments
• Authentication: Verify your identity and prevent unauthorized access
• Customer support: Respond to your inquiries and resolve issues

Secondary Purposes (Related to Primary)

• Service improvement: Analyze usage patterns to enhance features
• Security: Detect and prevent fraud, abuse, and security threats
• Legal compliance: Meet obligations under Australian law
• Communications: Send service announcements and updates
• Analytics: Understand how our services are used (aggregated data)

We Will Not Use Your Information

• For purposes unrelated to those listed above without your consent
• To sell or rent to third parties
• For automated decision-making that significantly affects you

4. How We Use Your Information

Account Management

• Creating and maintaining your user account
• Authenticating your login
• Managing your organization membership
• Enforcing our Terms of Service

Service Delivery

• Displaying your profile to other organization members
• Publishing your posts and comments in your community
• Processing event registrations
• Sending event reminders and updates
• Facilitating community interactions

Communications

• Service announcements: Critical updates about our platform
• Account notifications: Password resets, security alerts
• Event updates: Confirmations, reminders, cancellations
• Support responses: Replies to your inquiries

Security and Compliance

• Monitoring for suspicious activity
• Investigating security incidents
• Enforcing our policies
• Complying with legal obligations
• Responding to law enforcement requests (when legally required)

Analytics and Improvement

• Understanding feature usage (aggregated data)
• Identifying technical issues
• Improving user experience
• Developing new features

5. When We Disclose Your Information

Within Your Organization

• Your profile, posts, and comments are visible to other members of your organization
• Organization leaders may access member lists and activity summaries
• Organization admins may manage user accounts within their organization

Service Providers

We use trusted third-party service providers who process personal information on our behalf:

All service providers are bound by confidentiality agreements and required to comply with Australian privacy standards or equivalent.

Legal Obligations

We may disclose your information when required by law:

• In response to court orders or subpoenas
• To law enforcement agencies (when legally required)
• To comply with regulatory investigations
• To protect our legal rights or defend against legal claims
• To prevent serious threats to safety or security

Business Transfers

If LaityOS is acquired, merged, or reorganized:

• Your personal information may be transferred to the new entity
• The new entity must continue to comply with this Privacy Policy
• We will notify you before any transfer (30 days' notice)

With Your Consent

• When you explicitly authorize disclosure to a third party
• When you use integrated third-party features
• When you share information publicly (e.g., public events)

6. Direct Marketing

Marketing Communications

We may send you marketing communications about:

• New features and service updates
• Upcoming events (beyond your organization)
• Platform tips and best practices
• Partner offerings (with your consent)

Your Consent

We will only send marketing communications if:

• You have opted in (checked the box during signup or in settings), OR
• You are an existing customer and the marketing relates to similar services

How to Opt Out

You can opt out of marketing at any time:

• Click "Unsubscribe" in any marketing email
• Update your preferences in Account Settings
• Email us at [email protected]

We will process opt-out requests within 5 business days.

7. Overseas Disclosure

Data Storage Location

Your personal information is primarily stored in Australia:

• Database: AWS Sydney (via Supabase)
• Application: Auto-routed based on your location (Australian users → Australia)

Overseas Service Providers

Some service providers may access your information from overseas:

Countries We May Disclose To

We only disclose information to countries with:

• Adequate privacy protections (e.g., EU/GDPR, UK, Canada, NZ, Singapore), OR
• Standard contractual clauses ensuring APP-equivalent protections, OR
• Your explicit consent for the specific disclosure

8. Data Security

We take reasonable steps to protect your personal information:

Technical Controls

• ✅ Encryption in transit: TLS 1.3 for all connections
• ✅ Encryption at rest: AES-256 encryption for stored data
• ✅ Password protection: Bcrypt hashing (cannot be reversed)
• ✅ Multi-factor authentication: Optional for all users, required for admins
• ✅ Access controls: Row-level security on database
• ✅ Session management: Automatic timeout after inactivity
• ✅ Rate limiting: Prevents brute-force attacks

Organizational Controls

• ✅ Access restrictions: Only authorized personnel can access personal information
• ✅ Audit logging: All data access is logged and monitored
• ✅ Security training: Staff trained on privacy and security
• ✅ Incident response plan: Documented breach response procedures
• ✅ Regular audits: Quarterly security reviews
• ✅ Penetration testing: Annual external security assessment

Infrastructure

• ✅ Secure hosting: Tier-1 providers (AWS, Vercel)
• ✅ Automated backups: Daily database backups
• ✅ Disaster recovery: Tested restoration procedures
• ✅ Monitoring: 24/7 security monitoring and alerts

Your Responsibility

Please help us protect your information:

• ✅ Use a strong, unique password
• ✅ Do not share your password with others
• ✅ Enable multi-factor authentication
• ✅ Log out when using shared devices
• ✅ Report suspicious activity immediately

9. Data Retention

How Long We Keep Your Information

Active Accounts

• Data is retained indefinitely while your account is active
• You can delete content at any time (see Section 10)

Closed Accounts

• After account closure, we retain data for audit and legal purposes (7 years)
• To prevent re-registration abuse
• To comply with legal obligations
• After retention period, data is permanently deleted

Anonymization

• Where possible, we anonymize data after the retention period
• Anonymized data may be retained for analytical purposes
• Anonymized data cannot be linked back to you

10. Your Rights

Under the Australian Privacy Principles, you have the following rights:

Right to Access (APP 12)

You can request a copy of your personal information:

• Submit request via Account Settings → Privacy → "Download My Data"
• Or email [email protected]
• We will provide your data within 30 days (may extend if complex)
• Format: JSON export with all your data
• No charge for reasonable requests

What You'll Receive:

• Account details
• Profile information
• Posts and comments
• Event registrations
• Audit log (summary of your account activity)

Right to Correction (APP 13)

You can correct inaccurate personal information:

• Self-service: Update most information in Account Settings
• Request correction: Email [email protected] for other data
• We will respond within 30 days
• If we refuse correction, we'll provide reasons and note your request

Right to Deletion

You can delete your personal information:

• Self-service: Delete individual posts/comments via the UI
• Account deletion: Account Settings → "Delete My Account"
• Request deletion: Email [email protected]

Right to Complain

If you believe we've mishandled your information:

• Contact our Privacy Officer (see Section 14)
• We will investigate and respond within 30 days
• If unsatisfied, you can complain to the OAIC (see Section 15)

Right to Anonymity

• You can interact anonymously where practical
• However, creating an account requires name and email for identity verification, account security, and service delivery

11. Cookies and Tracking

What Are Cookies?

Cookies are small text files stored on your device by your web browser. We use cookies to:

• Maintain your login session
• Remember your preferences
• Analyze site usage (aggregated)
• Improve user experience

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the platform to function:

• Session cookies: Keep you logged in
• Security cookies: Prevent CSRF attacks
• Load balancing: Route requests efficiently

You cannot disable these cookies without losing core functionality.

Functional Cookies (Optional)

These cookies enhance your experience:

• Preference cookies: Remember your language, theme
• Analytics cookies: Understand feature usage (anonymized)

You can disable these cookies in your browser settings.

Third-Party Cookies

We do not use third-party advertising or tracking cookies.

Our service providers (e.g., Vercel) may use cookies for performance monitoring, error tracking, and analytics (anonymized).

How to Control Cookies

Browser Settings:

• Chrome: Settings → Privacy → Cookies
• Firefox: Options → Privacy → Cookies
• Safari: Preferences → Privacy
• Edge: Settings → Privacy → Cookies

Our Settings: Account Settings → Privacy → Cookie Preferences

Note: Disabling essential cookies will prevent you from using LaityOS.

Do Not Track

• We respect Do Not Track (DNT) signals
• If your browser sends DNT, we will not use optional tracking cookies

12. Children's Privacy

Age Requirement

LaityOS is not intended for children under 13 years of age.

• We do not knowingly collect personal information from children under 13
• If you are under 13, do not create an account or provide any personal information

Parental Consent

For users aged 13-17:

• Parental consent is required before creating an account
• During signup, we collect parent/guardian contact information
• We verify consent via email confirmation
• Parents can request access, correction, or deletion of their child's data

If We Discover Children's Data

If we learn we have collected information from a child under 13 without parental consent:

• We will delete the account immediately
• We will notify the parent (if contact info available)
• We will purge all data within 7 days

Parents' Rights

Parents/guardians can request access to, correction of, or deletion of their child's data by contacting [email protected].

13. Changes to This Policy

How We Update This Policy

We may update this Privacy Policy to:

• Reflect changes in our practices
• Comply with new legal requirements
• Improve clarity and transparency
• Add new features or services

Notification of Changes

Minor changes (clarifications, formatting):

• Updated on this page
• "Last Updated" date changed
• No notification required

Material changes (new data collection, uses, disclosures):

• Email notification to all users (30 days before effective date)
• Prominent notice on platform homepage
• Consent required for continued use (if legally required)

Your Options

If you don't agree with changes:

• You can delete your account before the changes take effect
• You can contact us with concerns
• Continued use after the effective date = acceptance

14. Contact Us

14. Contact Us

General Inquiries

• Support Email: [email protected]
• Website: https://laityos.com

Business Details

• Legal Name: M. P. S. Bilo
• ABN: [To Be Determined]
• ACN: [To Be Determined]
• Registered Address: [To Be Determined]

15. Complaints

Internal Complaint Process

If you believe we have breached the Privacy Act or APPs:

Step 1: Contact Our Privacy Officer

• Email: [email protected]
• Subject: "Privacy Complaint"
• Include: Your name and contact details, description of the issue, what outcome you're seeking, any relevant dates or documentation

Step 2: Investigation

• We will acknowledge your complaint within 5 business days
• We will investigate and respond within 30 days
• If we need more time, we'll notify you and explain why

Step 3: Resolution

We will provide a written response with:

• Findings of our investigation
• Actions taken or proposed
• Reasons for our decision

Step 4: External Complaint (if needed)

Office of the Australian Information Commissioner (OAIC)

If you're not satisfied with our response, you can complain to the OAIC:

What the OAIC Can Do:

• Investigate your complaint
• Attempt conciliation between you and LaityOS
• Make a determination if conciliation fails
• Award compensation (in some cases)

Note: The OAIC will usually require you to complain to us first before accepting your complaint.