Privacy Policy

Privacy Policy

Effective date: 26 August 2025

1. Who we are

Laneway Analytics Pty Ltd (ABN 80 600 277 781), trading as Joey, of Level 1, 41-43 Stewart Street, Richmond VIC 3121, Australia ("Joey", "we", "us"). Contact: privacy@joeyfamily.com.

2. Scope

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use Joey websites, apps, and services (the Services). It applies to parents/guardians who create accounts and to data about the children they add to Joey.

3. The roles we play

You (the parent/guardian) decide what accounts to connect and direct Joey's processing.

Joey acts as your service provider/processor to deliver the Services on your instructions.

4. What we collect

4.1 Parent/guardian data

Account details (name, email), authentication logs (via Auth0), subscription/billing data, settings, and support correspondence.

4.2 Child data (when you add a child)

Identifiers (e.g., child first name or nickname you provide), device/account identifiers, and message content and metadata from connected sources (e.g., iMessage via Joey Desktop). For MVP we ingest Messages data and essential metadata; we do not ingest full photo/video libraries unless you enable such a feature later.

4.3 Telemetry (non-content; opt-out)

De-identified metrics such as feature usage counts, detector performance, error/crash logs, app versions, and anonymised domain/indicator tallies. Telemetry never includes readable message content or media.

5. How we collect data

Directly from you (account creation, settings, support).

From connected sources you authorise (e.g., Apple backup via Joey Desktop).

Automatically through the apps (e.g., telemetry, security logs).

6. Why we use data (purposes)

Provide, operate, and secure the Services (including Apple backup orchestration via Joey Desktop).

Detect and highlight potential safety risks in connected accounts.

Communicate with you about sync status, alerts, and account matters.

Maintain and improve the Services using de''identified, non''content telemetry (opt''out available).

Comply with law and enforce our Terms.

7. AI & model training

We do not use your child's message content to train our models. We may use de''identified, non''content telemetry to monitor performance and improve reliability. If we later introduce an optional, explicit opt''in program to share de''identified, redacted snippets for improvement, we will present clear controls and safeguards at that time.

8. Legal bases

Australia (APPs): We handle personal information to provide the Services you request; you consent to processing your child's data for safety purposes by adding them and connecting sources.

EEA/UK (GDPR/UK GDPR): Legal bases include performance of a contract (to provide Services you request), consent (parental authority for child data), and legitimate interests (security, telemetry and service improvement with opt''out). Where required, we rely on your explicit consent for processing certain child data.

9. Storage region & cross''border disclosure

We host primary data in Australia (AWS ap''southeast''2). Some sub''processors may process limited data in other countries. Where we disclose personal information overseas, we take reasonable steps to ensure recipients protect it in line with APP 8/GDPR (e.g., SCCs/IDTA or equivalent safeguards).

10. Sharing & sub''processors

We share data with service providers under contract, only as needed to provide the Services:

  • Auth0 (Okta) - authentication and 2FA
  • Amazon Web Services (AWS, Sydney) - hosting and storage
  • OpenAI - model inference only (no training on your data)
  • Amazon SES - transactional email
  • Sentry - error logging
  • PostHog (self''hosted) - product analytics (telemetry only; no message content)

We do not share personal information for third''party advertising.

11. Retention

Raw message content: retained by default for up to 90 days to support analysis and troubleshooting.

Derived alerts/metrics: retained for up to 12 months.

Backups: deleted from rolling backups within 30-90 days.

We may retain minimal records as required by law (e.g., invoices, security logs).

12. Your choices & controls

Telemetry opt''out: Settings ' Privacy ' "Improve Joey (Telemetry)'".

Email preferences: Service emails are required; marketing emails are optional and can be unsubscribed.

13. Access, correction & deletion (DSRs)

To request access, correction, or deletion, email support@joeyfamily.com from your account email. We will take reasonable steps to verify your identity before acting on your request.

Identity verification via Auth0: We use Auth0 to send a one''time 2FA code to your verified login channel; you must complete this step to confirm control of the account. For sensitive requests (e.g., delete all data), we may ask for an additional verification factor. We will respond within a reasonable time and, for deletion, remove data from active systems promptly and from backups within 30-90 days.

14. Security

We implement technical and organisational measures including encryption in transit and at rest, role''based access controls, audit logging, least''privilege access, and regular security reviews. No method of transmission or storage is 100% secure.

15. Children's privacy

We provide the Services to parents/guardians. Children/teens do not create accounts. We process child data only when a parent/guardian adds the child and connects sources for safety purposes.

16. Cookies & low''tracking analytics

Our marketing site uses a low''tracking approach. In regions where required, we present consent controls. We do not use advertising pixels.

17. Breach notification

If we become aware of a data breach likely to cause serious harm, we will assess promptly and notify affected individuals and regulators in accordance with applicable laws (e.g., AU Notifiable Data Breaches scheme; 72 hours in the EEA/UK where required).

18. International users

Nothing in this Policy limits your non''excludable consumer rights. If you are in the EEA/UK, you may also have GDPR/UK GDPR rights (access, rectification, erasure, restriction, portability, objection). You can exercise these by emailing support@joeyfamily.com.

EU/UK representatives: [If/when appointed, we will update this section with contact details.]

EU ODR: If you are an EU consumer, information about the European Commission's Online Dispute Resolution (ODR) platform is available at https://ec.europa.eu/consumers/odr/ .

15. Children's privacy

We provide the Services to parents/guardians. Children/teens do not create accounts. We process child data only when a parent/guardian adds the child and connects sources for safety purposes.

19. Changes to this Policy

We may update this Policy from time to time. The "Effective date'" above shows when the latest version started. Material changes will be notified (e.g., email or in''app notice).

20. Contact & complaints

Questions or concerns: support@joeyfamily.com.

Australia: If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC). See www.oaic.gov.au.