1. Data We Collect
We collect minimal personal data to run the service. This includes:
- Account Info: Your name and email address when you register.
- Financial & Demographic Data: Income entries, bill schedules, envelopes, vehicle logs, State of residence, Australian citizenship/residency status, and housing status (rent, mortgage, outright) that you input.
- OCR & Media Data: Receipt files, vehicle odometer pictures, or documents you upload to analyze with OCR.
- OAuth Info: Basic profile identifiers if you choose to sign in with Google or Apple.
- Biometric Data: When signing in via Apple Sign-In on native iOS devices using Face ID or Passcode, all biometric verification is processed locally by your device's operating system. Money Maze Fintech does not access, collect, or store your biometric credentials.
- AI Chatbot Memory: The AI Assistant features an opt-in memory function (`ai_memory`) that extracts non-financial planning facts from your queries to personalize future budget advice. You can view and delete these memories at any time in the settings. Sessions conducted in Incognito Mode bypass memory extraction and are not logged.
- Geographical & Location Bookmarks: If you use the fuel station or route planner features, the app stores your manually entered bookmarked fuel stations (`saved_stations`) and frequent destinations (`saved_places`). This coordinate and name data is stored securely and is never shared, used for background location tracking, or sold.
- Income Disruption & Insurance Information: Data related to temporary or permanent income changes, including state-based workers' compensation details (WorkCover/WorkSafe/icare), private income protection insurance (waiting periods, benefit limits), Total and Permanent Disability (TPD) lump-sum estimates, and government safety net programs (Disability Support Pension, JobSeeker, Commonwealth Rent Assistance).
- Hardship & Provider Status: User-reported verification checks regarding credit and utility hardship applications (such as status of negotiations with energy, telco, and financial institutions).
2. How We Store Your Data
For registered users, data is synced in real-time and stored securely using Supabase database infrastructure. For guest trial users, data is stored strictly in your local browser cache (localStorage) and never uploaded to our servers.
For offline use, Money MazeĀ® utilizes local browser caching (localStorage) and client-side database storage (IndexedDB) to queue database mutations. This data is synchronized securely with Supabase once an active internet connection is restored.
3. Analytics and Diagnostics
To help us monitor app performance, track system crashes, and improve the user experience, we collect anonymous usage telemetry and error logs using third-party services:
- PostHog: We use PostHog to analyze user interactions, feature usage, and navigation paths. This data is aggregated and does not contain personal financial details. Telemetry collected via PostHog utilizes sensitive element masking rules; financial inputs, passwords, and currency values are masked client-side and are not captured in session recordings.
- Sentry: We use Sentry to log software exceptions, performance issues, and runtime crashes. Sentry logs help us fix bugs quickly.
4. Payment Processing (Web Only)
On our web application, subscription payments are processed securely through Stripe. Money Maze Fintech does not store or have access to your full credit card number or CVV on our servers. All transaction data is handled directly by Stripe in compliance with PCI-DSS standards.
Note: Stripe integrations and billing checkouts are completely disabled within our native mobile applications (iOS and Android) to comply with mobile app store distribution guidelines.
5. AI Assistant & Data Processing
If you choose to use our built-in AI assistant or chat features, your queries and a summary of your budgeting data (incomes, bills, and goals) will be sent to the Google Gemini API to generate responses. This data is processed in real-time solely to power the AI budgeting features. According to Google's API terms, data sent via the Generative Language API is kept secure and is not used to train Google's machine learning models. In-app AI chat memory retention features securely keep local summaries to maintain conversation context.
6. Data Sharing & Third Parties
We do not sell, trade, or share your personal or financial data with third-party advertisers or data brokers. Outside of processing your data for diagnostics (Sentry), analytics (PostHog), secure billing (Stripe), and AI analysis (Google Gemini) as detailed above, your data remains strictly private.
Household Sharing: If you choose to create or join a shared Household (cooperative budgeting), any incomes, bills, savings goals, and vehicle logs that are flagged with your Household ID will be visible to and editable by all other verified members of that Household. Please exercise caution when sharing access to your financial configurations.
7. Security
We employ secure HTTPS transport encryption, database row-level security (RLS) policies, and Supabase security protocols to protect your credentials and data. However, no internet transmission is 100% secure, and you use the service at your own risk.
Session Cookies and Tokens: We use secure local tokens and cookies strictly to authenticate your login sessions and prevent unauthorized access to your account. We do not use cookies to track your behavior across third-party websites or for advertising purposes.
8. Your Rights
You can view, edit, or delete any budgeting logs directly inside the app interface. If you wish to delete your account entirely, you can do so at any time using the secure, re-authenticated data-deletion utility inside the settings panel. This performs a complete database wipe of all your budget profiles, personal records, and billing mappings from our servers. Upon account deletion, your active personal data is permanently and immediately purged from our production databases. Residual data stored in secure, encrypted system backups will be permanently overwritten within a maximum of 30 days.
9. Third-Party Data Processors
To deliver our service, we share anonymized or scoped data with trusted third-party sub-processors. All processing is carried out in accordance with their respective security and privacy guidelines:
- Supabase Inc.: Provides our secure Postgres database hosting, row-level security enforcement, and encrypted user authentication management.
- Google LLC / Gemini Generative API: Processes real-time assistant chats and Boardroom debate queries. Google's API terms dictate that data sent via the Generative Language API is kept secure and is never used to train Google's machine learning models.
- Stripe Inc.: Handles PCI-DSS compliant payment card processing and subscription billing on web platforms. Financial credentials are held exclusively by Stripe.
- PostHog Inc.: Captures user interaction metrics, telemetry, and page flows. All session recordings utilize sensitive element masking client-side; financial inputs, currency variables, and password fields are fully redacted.
- Functional Software Inc. / Sentry: Logs system performance metrics, software exceptions, and uncaught script errors to assist in diagnostic debugging.
10. Notifiable Data Breaches (NDB) Scheme
We comply with the Notifiable Data Breaches (NDB) scheme established under the Australian Privacy Act 1988 (Cth). In the event of any unauthorized access, loss, or disclosure of personal information that is likely to result in serious harm to affected individuals, we will immediately take action to contain the breach, notify the Office of the Australian Information Commissioner (OAIC), and contact affected users with clear remediation steps.
11. Children's Privacy
Money MazeĀ® is designed and intended for users who are at least 16 years of age. We do not knowingly collect, request, or maintain personal information from individuals under the age of 16. If we solicit or discover that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will purge that information from our servers immediately.
12. Contact and Dispute Resolution
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data rights, or compliance with the Australian Privacy Principles (APPs), you may submit an inquiry to our privacy coordinator at privacy@moneymaze.au. We will review your query and respond within a reasonable timeframe (typically within 30 days).