Privacy Policy
Effective date: 10 May 2025 · Last updated: 3 July 2026
Kin Tho (ABN 37 320 140 514) ("we", "us", "our") operates the For Samuel mobile application ("App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our App. We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. Who we are
For Samuel is developed and operated by Kin Tho (ABN 37 320 140 514), an Australian sole trader. For privacy enquiries, contact us at privacy@forsamuel.com.au.
2. Information we collect
We collect information you provide directly, information generated through your use of the App, and limited technical information.
- Account information: Your name, email address, and password (stored as a hashed credential by our authentication provider).
- Care data: Care logs, shift records, family events (shared household reminders, family outings), appointments (therapy, GP, school, kinder, daycare, hospital visits) including any external provider name you choose to record, wall posts, inventory entries, the household Guidebook (equipment notes, routines, instructions you record for the people who care for your loved one), and any other data you choose to enter about a care recipient. This data is sensitive and is stored encrypted in transit and at rest in our hosted database. If you share a calendar subscription link with another calendar app (Apple, Google, Outlook), that link exposes event titles, child name, and external provider name to anyone who holds the link until you revoke it from Calendar Settings.
- Care Plan data (paid feature): If you subscribe to My Care Plan, we also store: plans you create (title, period, status), section bodies you draft, legislative citations you have selected as relevant, evidence links you create between plan sections and care logs / appointments / Guidebook entries, plan-level health scores, aggregated Care Snapshot summaries, and the structured documents and assessments you generate from your records — Lived Experience Statements, Annual Review submissions, Access Request letters, Variation request letters, Cover Letters of Joy, Care Snapshots, Wellbeing (Caregiver Strain Index) assessments, and Regulation monthly reports. These are compiled from your own logs, calendar, Guidebook, care stock, and plan content — For Samuel does not invent content and does not use your data to train AI models. All Care Plan data is treated as sensitive health and personal information and stored alongside your other care data.
- Provider / invoicing details (provider role only): If you use For Samuel as a support worker or sole-trader provider, we additionally collect your ABN, business name, address, bank account details (for inclusion on invoices you generate), funding scheme provider registration number where you choose to record one, and the invoices and line items you generate.
- Profile photos: Profile images you upload are stored in a private, access-controlled storage bucket.
- Device information: Device push token (for notifications), device platform (iOS/Android), app version, and—only if you choose to enable it—device-calendar write permission so For Samuel shifts can appear in your phone calendar. We do not read or import your existing device-calendar events.
- Voice input (optional): If you choose to use the voice-to-text shortcut to dictate care log entries instead of typing, your device microphone is activated only while you are actively dictating. The audio is transcribed by your operating system's built-in speech recognition service — on iOS this is Apple's
SFSpeechRecognizer, which may briefly transmit audio to Apple for transcription; on Android it is the on-device Google speech service. For Samuel does not record, save, or transmit the audio to our own servers — only the transcribed text you confirm becomes the saved log entry. The microphone is never accessed when you are not actively dictating, and voice input remains optional: every voice-enabled field can be completed by typing instead.
- Audit log: A record of sensitive operations (account deletion requested, household membership changes, invoice send / mark-paid, care plan delete, evidence-link create / delete, variation lifecycle changes) including a timestamp, the action you performed, and your source IP address. This audit log is kept to support customer-support investigations and meet our reasonable-steps obligation under APP 11. It is included in your data export. When your account is anonymised, the details that identify you — your account identifier and IP address — are removed from this log; a de-identified record that the action occurred may be retained for up to 7 years to meet disability-support audit obligations.
- Usage analytics: Pseudonymous usage events (such as screens visited and features used), linked to a one-way hashed app identifier so we can understand feature adoption and reliability without sending your name or contact details to analytics. This data does not include health or care record content, free-text notes, or document content. We do not sell or share this data.
- Crash reports: In production builds, anonymised crash reports and stack traces are collected to help us identify and fix bugs. These reports do not contain health or care record content.
3. How we use your information
- To provide and operate the For Samuel service.
- To send care-related notifications you have requested.
- To generate invoices and care reports on your instruction.
- To improve the App through aggregated, pseudonymous analytics.
- To respond to your support requests.
- To comply with legal obligations.
We do not use your personal information for direct marketing, and we do not sell or rent it (APP 7). Because For Samuel is a shared care record that links carers to the people they support, the service cannot be used anonymously or under a pseudonym — an identified account is required to attribute care entries and control who can access them (APP 2.2(b)).
4. Data sharing
We do not sell your personal information. We share data only with the following sub-processors who help us operate the service:
- Authentication provider (USA) — stores your email address and hashed authentication credentials. Compliant with international data protection standards including Standard Contractual Clauses.
- Database and file storage provider (data hosted in AWS ap-southeast-2, Sydney, Australia) — stores all care records, logs, and uploaded files. Your health and care data remains in Australia.
- Usage analytics platform (EU) — receives pseudonymous usage events only, linked to a one-way hashed app identifier. No health or care record content, free-text notes, document content, name, or contact details are shared. The EU maintains data protection standards broadly equivalent to the Australian Privacy Principles.
- In-app purchase platform (USA) — receives purchase receipts only. No health or care data is shared.
- Crash reporting service (USA) — receives anonymised crash logs and stack traces in production builds only. No intentionally included health data.
- Push notification relay (USA) — relays push notification messages to Apple and Google delivery services. Notification content (such as a reminder title that may include a care recipient's first name or an event name) transits this provider; it does not receive your care logs, records, or Care Plan content.
- App distribution platform (USA) — provides app hosting and over-the-air updates. No personal care data is processed.
All third-party service providers are contractually required to protect your data and use it only to provide services to us.
5. Sensitive information
Care data entered into For Samuel may constitute sensitive health information under the Privacy Act. We treat all care data as sensitive: it is stored in a household-scoped, access-controlled database, never used for advertising, never shared with third parties beyond the sub-processors listed above, and never used to train AI models.
6. Data retention
We retain data in accordance with the following schedules:
- Care records (health and support data): Retained for 7 years from the date of last entry, or until the care recipient turns 25 — whichever is later. This is required under applicable disability support standards.
- Shift and invoice records: Retained for 7 years for financial and audit compliance purposes.
- Audit log: The record of sensitive operations described in section 2 is retained for 7 years from the date of each event, then automatically purged. When you delete your account, the identifying details (your account identifier and IP address) are removed during the 30-day anonymisation, leaving only a de-identified record that the action occurred.
- Account deletion: When you delete your account from in-app Settings, your data enters a 30-day grace period during which you can cancel the deletion. After 30 days, your authentication record is hard-deleted, your profile name is replaced with "Former member" on care records you authored, and your email, business details, bank details, profile photo, funding scheme registration number, address, and any participant identifiers are removed. The underlying care records you created remain in the system to preserve evidence integrity (funding scheme audit requirement), but your name is no longer associated with them.
- Backups: Our database provider maintains automated rolling backups for operational recovery. Anonymised data ages out of the backup window within 30 days of anonymisation — no separate request is required to purge backups.
- Third-party service data: Data held by our third-party service providers — such as anonymised crash reports and pseudonymous usage analytics — is subject to those providers' own retention schedules, which may be shorter than the above. On account deletion, we issue right-to-be-forgotten requests to our analytics provider and in-app purchase provider as part of the same 30-day anonymisation flow. This data does not include health or care records.
- Inactive devices, expired invitations, and soft-deleted posts: Push notification tokens are deleted after 90 days of inactivity; unused invitation codes expire after 60 days; deleted Wall posts are permanently removed 30 days after deletion.
- If For Samuel discontinues: If we permanently discontinue the App, you will receive at least 90 days' written notice (by email and in-app notification) before any of your records are deleted. During that notice period you can continue to use the App and download a complete copy of your data via Settings → Sync & Data → "Download my data." Within the final 30 days of the notice period the App switches to read-only mode — you can still view and export your records, but no new entries can be created. At the end of the notice period, the personal information held in connection with your account will be deleted or anonymised in line with the retention schedules above. Audit-trail records may be retained in de-identified form for up to 7 years where this is required to meet disability-support audit obligations. The discontinuation process is described in section 8 of the Terms of Use.
7. Data security
All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted using AES-256 by our infrastructure providers. Access to your care data is restricted to members of your household using authenticated sessions and row-level security policies enforced at the database layer.
In addition:
- App Lock: You can require a PIN and/or biometric (face or fingerprint) authentication every time you re-open the app, with a configurable timeout. Your PIN is hashed and stored in the device's secure keychain — we never see it.
- Sensitive-operation audit: Account deletion, household membership changes, invoice send, care plan delete and other sensitive operations are recorded in a tamper-evident audit log. This both helps customer support investigate any unexpected state and meets our reasonable-steps obligation under APP 11.
- Re-authentication on destructive actions: Account deletion and leaving the last household in a care hub require you to re-enter your password (or use biometric re-authentication) so that someone holding your unlocked phone can't trigger destructive changes.
- Cross-household authorisation: Server-side checks confirm that the household your request targets is one you actually belong to, regardless of any value sent from the device.
8. Your rights
Under the Privacy Act 1988 and the APPs you have the right to:
- Access the personal information we hold about you (APP 12). You can download a complete, machine-readable copy of your data yourself at any time from Settings → Sync & Data → "Download my data" (a short cooldown applies between downloads). The same export is available to developers by calling
GET /api/account/data-export while signed in. If you are unable to sign in, contact us at the email below and we'll help you regain access so you can download it yourself.
- Correction of inaccurate information (APP 13). Your profile, care records, calendar, invoicing and Care Plan content are editable in-app. Your care hub's details — its name, who it is for, and location — can be corrected by a care-hub administrator at Settings → Care Hub → Household. If you spot something you can't edit yourself, contact us and we'll correct it or show you how.
- Deletion of your account and associated data — Settings → Danger Zone → Delete my account. Your data enters a 30-day grace period (cancellable in the same screen) and then anonymises automatically per section 6 above.
- Opt out of analytics collection in App Settings.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached your privacy.
For anything you can't do in-app, contact us at privacy@forsamuel.com.au. We will respond within 30 days.
9. Children and children's data
For Samuel is directed at adults. Its subject matter is care coordination and record-keeping by carers; its features (shift schedules, invoicing, care plans, funding paperwork) are adult tasks; its visual design, language, and marketing are aimed at adults; it is not listed in any app-store "Made for Kids" or "Made for Families" category; and it contains no advertising of any kind. The App is intended for use by adults (18+) or by minors under the direct supervision of a parent or guardian who holds the account; by creating an account you confirm you are 18 or older, or that a parent or guardian is supervising your use.
We do not ask your age. Account creation deliberately collects no date of birth — a data-minimisation choice: an adult-directed service does not need it, so we do not hold it.
Care data about a child is entered by their authorised carers (parents or guardians), who hold responsibility for that data. The account-holding adult controls those records as far as our service is concerned, including their correction, export, and deletion.
United States (COPPA). Because the App is directed at adults and any information about a child is provided by the responsible adult account holder, we do not knowingly collect personal information directly from a child under 13. If you become aware that a child under 13 has independently created an account, contact us at privacy@forsamuel.com.au and we will delete the account and its data.
Privacy by default for every account (this also reflects the UK Children's Code and the California Age-Appropriate Design Code): only data you choose to record is stored; profiling for advertising is never performed; geolocation is never collected; there are no dark-pattern nudges to share more; and the highest-privacy protections (App Lock, biometric re-authentication on destructive actions, household-scoped access only) are available to every user without an upgrade.
10. Your rights by region
The rights described in section 8 reflect the Australian Privacy Principles. If you reside outside Australia, the following additional or equivalent rights apply.
- United States. California residents have the rights in the CCPA/CPRA: to know what personal information we hold, to request deletion and correction, and to opt out of any sale or sharing of personal information. We do not sell or share personal information, we do not use "financial incentives" tied to personal information, and we will not discriminate against you for exercising any right. Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, and Oregon) have substantially similar rights of access, deletion, and correction, which we honour for all US residents through the same routes: the in-app data export and account deletion flows in section 8, or privacy@forsamuel.com.au. Care and health information is sensitive-category data under several of these laws; we process it only at your direction, to provide the service you signed up for — never for advertising, profiling, or sale. For Samuel is not a HIPAA covered entity or business associate; records you keep in the App are your own consumer records, not medical records held by a health provider.
- European Economic Area & United Kingdom (GDPR / UK GDPR). Where GDPR or UK GDPR applies, our lawful basis for processing your data is performance of a contract with you (Article 6(1)(b) — providing the care coordination service) and your consent for optional analytics. Care records are health data (special category, Article 9): we process them on the basis of your explicit consent (Article 9(2)(a)) — you provide that consent by deliberately entering care information into the App for your household's coordination purposes, and you can withdraw it at any time by deleting the relevant records or your account (section 8). Where you record information about another person (the person you care for), you confirm you are entitled to do so — for a child, through parental responsibility; for an adult, with their knowledge and agreement wherever they are able to give it. You have rights of access, rectification, erasure, restriction, portability, and objection; data export (section 8) provides portability in a machine-readable format. Complaints may be lodged with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
- Canada (PIPEDA / provincial equivalents). Canadian users have rights of access and correction equivalent to those in section 8, and may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca). British Columbia, Alberta, and Quebec residents are additionally covered by provincial private-sector privacy laws with substantially equivalent rights.
- New Zealand (Privacy Act 2020). NZ users have access and correction rights equivalent to section 8 under the New Zealand Information Privacy Principles, and may complain to the Office of the Privacy Commissioner (privacy.org.nz).
We do not respond to legacy Do-Not-Track browser signals (no widely-adopted standard exists), but we do not engage in cross-site tracking or sale of personal information, which is what those signals were intended to address.
11. International transfers
Your care records and health data are stored at rest in Australia (Sydney region). Our application server, which processes your requests in transit, may be hosted in the United States; data is encrypted with TLS during transmission and is not retained on the application server beyond the duration of the request. Some of our service providers are located outside Australia, including in the United States and the European Union. Pseudonymous usage analytics are processed in the European Union, which maintains data protection standards broadly equivalent to the Australian Privacy Principles. Where personal data is transferred to the United States, we ensure it is protected by contractual arrangements at least equivalent to the Australian Privacy Principles, including Standard Contractual Clauses where applicable. For users in the UK and the European Economic Area: your data is transferred outside the UK/EEA (to Australia, and to the service providers listed in section 4) under appropriate safeguards, including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and/or the UK Extension to the EU-U.S. Data Privacy Framework, as applicable to each provider.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email. Continued use of the App after the effective date constitutes acceptance of the updated policy.
13. Contact us
For privacy questions, to exercise your rights, or to report a suspected security issue or data breach affecting your information:
Email: privacy@forsamuel.com.au
Kin Tho (ABN 37 320 140 514), Australia
Security researchers and members of the public who identify a vulnerability that could affect personal information held in For Samuel are invited to email the same address. We respond to good-faith disclosures within five business days and will not take adverse action against researchers who follow responsible disclosure practice. If your report triggers our obligations under the Notifiable Data Breaches scheme, we will notify affected users and the Office of the Australian Information Commissioner within the statutory timeframe.
See also: Terms of Service ·
Refund Policy ·
Return to For Samuel