Alpha You're using an early version of Still Kicking. Things may break or change. Please don't rely on this as your only safety plan yet — and tell us if anything looks wrong.

Legal

Privacy policy

How we collect, store, use and share your information

Last updated 8 May 2026 · Governed by the Privacy Act 1988 (Cth)

Who we are

Still Kicking is a wellness check-in service operated in Australia. This policy explains how we collect, use, store, and disclose personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

What we collect

  • Your account: email, password (bcrypt-hashed — we never see, store, or transmit your plain-text password), phone numbers (optional mobile and secondary), full name, timezone, and a residential address. The address is optional — if your emergency contacts already know where you live, you can leave it blank to minimise the data we hold.
  • About dependents and pets: whatever you choose to tell us so your emergency contacts can act quickly. If you include health-related details (medical conditions, medications, allergies, dietary needs), we treat that as sensitive information under the Privacy Act. We collect sensitive information only with your express consent and only where reasonably necessary to provide the service, and we disclose it only to your nominated emergency contacts during an escalation.
  • Emergency contact details: their name, phone, email, and an optional personal note from you. By providing these details you confirm you have the authority to give them to us for this purpose. We email them (and SMS too if you're on the SMS tier) — including a short notice about how their details will be used — asking them to confirm they agree to be your emergency contact before we'll use their details in an escalation.
  • Final messages: short messages you compose for delivery to nominated recipients on confirmed death or after a long silence. The message body is encrypted at rest using libsodium and only decrypted at the moment of delivery — administrators cannot read final messages prior to release.
  • Check-in records: timestamp and method (web / email / SMS / phone).
  • Audit log: every sensitive action taken on your account, with timestamp and IP address.
  • Billing: handled by Stripe; we only store a customer reference, never card data.

Why we collect it

To deliver the wellness check-in service you signed up for, including contacting you and your contacts during escalations. We also use it to bill you, prevent fraud and abuse, keep the service secure, support you when you ask for help, and meet our legal obligations. We don't use it for advertising or unrelated commercial purposes.

How it's stored

In an Australian-hosted MySQL database on Amazon AWS infrastructure in Sydney (ap-southeast-2). Backups are encrypted. Access is limited to the operator and required automated processes. Passwords are bcrypt-hashed. Secrets are stored outside the code repository.

Who we share it with

  • Your emergency contacts during an escalation — exactly the fields they need to find and help you. What they receive is limited to what you have provided us.
  • Final message recipients — the specific messages you nominated, to the specific people you nominated.
  • Service providers: Twilio (SMS / voice), Amazon SES (email), Stripe (billing). Each is bound by their own privacy terms and a processing agreement. These providers are based in (and may process data in) the United States — your account data is stored in Australia, but contact details and message content may be transmitted overseas to enable email / SMS delivery and payment processing.
  • We do not sell or share your data for advertising or analytics. We may disclose data only when required by law (for example a court order or law-enforcement request) or in the event of a business transfer (e.g. acquisition or insolvency), in which case we will notify affected users.

Overseas disclosure consent: by using the service and submitting information, you consent to us storing, transmitting, and processing your personal information with the overseas service providers listed above (currently located in the United States) for messaging, storage, and payment processing. We choose providers with strong data-protection commitments, but overseas recipients may not be subject to the same legal protections as Australian law.

Your rights under the Privacy Act

You can ask us for:

  • A copy of all personal information we hold about you
  • Correction of any inaccurate information
  • Deletion of your account and associated data

To make a request, email the support address on our contact page from the email address registered on your account, so we can confirm the request is yours. We don't charge a fee. Under the Privacy Act we respond within 30 days.

Some limits apply. We may retain a small amount of information after deletion where law requires us to (for example, audit records used in fraud or financial-compliance investigations — see "Data retention" below). The Privacy Act also allows us to decline access in limited circumstances (for example, where granting it would unreasonably impact someone else's privacy, or where it relates to legal proceedings); if we ever decline a request, we will explain why.

If you're not satisfied with how we've handled your information or your request, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Children

Account holders and emergency contacts must be at least 18 years old. Dependents listed on an account can be minors — by listing a child as a dependent, you confirm you are authorised to provide their information to us and, where legally permitted, to consent on their behalf to us storing it and disclosing it to your nominated emergency contacts during an escalation. If you become aware that a minor has registered an account, please contact us and we'll close it and delete the data.

Deceased accounts

If we receive credible notice that an account holder has died, we may retain limited records for audit and accounting purposes, and may disclose limited information where reasonably necessary to administer the service and where permitted by law. In practice, each consented emergency contact receives a practical handoff email — the deceased's address, dependents and pets who need care, and the names of the other contacts who were notified — so they can coordinate. We don't send emergency contacts a full data export; broader requests for access from someone claiming to act for the estate (for example, an executor) are handled case-by-case after we are satisfied the requester has appropriate authority. Annual review identifies accounts past the data-retention threshold for deletion.

Data retention

We retain personal information only for as long as reasonably necessary for the purposes set out in this policy, unless a longer period is required or permitted by law. Our usual retention periods are:

  • Active accounts: we keep your data while your account is open and for as long as you keep using the service.
  • Self-deleted accounts: personal information (name, email, phone, address, notes, emergency contacts, dependents, final messages) is removed within minutes of deletion. A small audit record of the deletion event itself is retained for compliance under the Privacy Act.
  • Deceased accounts: retained for up to 7 years to meet tax, accounting, dispute-limitation, and fraud-prevention obligations, after which an annual review flags them for deletion.
  • Audit logs (who did what, when, from which IP — used for fraud / abuse investigations and Privacy Act compliance): retained for 7 years from the event.
  • Notification records (who we sent what, when): metadata is retained for up to 7 years for billing reconciliation, dispute resolution, fraud prevention, and audit, unless we are required to keep it longer; the message bodies are purged 30 days after sending.
  • Backups: daily encrypted database snapshots, retained for 30 days, then permanently deleted.

Cookies & tracking

On stillkicking.com.au we use one cookie: your session cookie, which keeps you logged in (our anti-CSRF protection rides on it too). We don't set analytics or advertising cookies, and we don't load third-party scripts that track you across the web. When you visit Stripe-hosted billing pages (e.g. checkout or the customer portal), Stripe may set its own cookies on stripe.com under their privacy policy.

Direct marketing

We don't use your information for marketing. The only emails or SMSs you'll receive from us are service-essential — check-ins, escalation notifications, billing, security alerts, and account-status updates. You can stop all service communications by closing your account from the dashboard, subject to any messages we're required to send for legal, security, billing, or account-administration reasons (for example, account deletion confirmations or data-breach notices).

Data breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If a breach is likely to result in serious harm, we will notify affected users and the OAIC as required by law.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of the page will always reflect the most recent change. We will notify users by email of any material changes — for example, changes to who we share data with, what we collect, or how long we retain it — at least 14 days before they take effect, where reasonable to do so.

Contact & complaints

See our contact page. For unresolved complaints you can contact the OAIC (oaic.gov.au) in Australia.