Privacy Policy
9th December 2025
Introduction
Apply Innovations Pty Limited ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains in clear terms how we collect, use, disclose, and protect your personal information when you use the Unlost app, Unlost website (https://unlost.ai), and related services ("Services"). It also outlines your rights and choices under various privacy laws, including the Australia Privacy Act 1988 (and the Australian Privacy Principles, or APPs), the New Zealand Privacy Act 2020, and the privacy laws of the United States (including the California Consumer Privacy Act (CCPA) and other applicable state laws). Our goal is to be transparent and accessible so that you understand how your information is handled.
Scope of this Policy
This Privacy Policy applies to all users of Unlost worldwide, with special provisions for residents of Australia, New Zealand, and the United States. It covers personal data collected through our mobile application, website, and any other interactions you have with Unlost. By using our Services, you agree to the practices described in this Policy, subject to the rights and choices outlined for your jurisdiction. If you do not agree with this Policy, please discontinue use of the Services.
Personal data we collect and how we use it
We collect various types of personal data to provide and improve the Unlost Services. Below, we explain the categories of information we collect, how we collect them, and the purposes for which we use them.
1. Account and contact information
What we collect: When you create an Unlost account or contact us, we collect personal identifiers such as your name, email address, phone number, and password. If you subscribe to a paid plan, we (through our payment processor) collect payment information such as name, address, payment details, invoices, and payment history.
How we collect: You provide this information directly when registering, updating your profile, or communicating with us. Sign-in via Apple or Google may share name and email with us.
Why we collect: We use account and contact information to create and manage your account, authenticate you, process payments, communicate with you about service updates or support requests, and send necessary notifications. This information is also used to respond to your inquiries or complaints and to provide customer support.
Lawful basis for processing: Contract and consent.
2. AI conversations and progress data
What we collect: Conversations with the AI, including user inputs, AI responses, and progress metrics (e.g., goal tracking, mindset insights). You may voluntarily provide mental health-related inputs at your discretion.
How we collect: This data is collected directly from your interactions within the app.
Why we collect: We use this data to provide core functionality of Unlost, such as AI-driven coaching, goal tracking, and personalized insights. This helps us improve the Services and develop new features. Aggregated data (stripped of personal identifiers) may be used for research and analytical purposes.
Lawful basis for processing: Contract and consent.
Important: All data provided should be non-sensitive. We do not provision special considerations for sensitive data, including mental health inputs. Users acknowledge that such disclosures are at their own discretion, and we take no responsibility for them. If discussing sensitive topics, consider resources like Lifeline (AU: lifeline.org.au), 1737 (NZ: 1737.org.nz), or the National Suicide Prevention Lifeline (US: suicidepreventionlifeline.org).
3. Device and usage information
What we collect: We gather data about how you use our app and website. This includes log data (such as the dates and times you access our servers, features or screens you use, and links or buttons you tap), usage patterns, error and crash reports, and other diagnostic data. We may also collect your IP address and infer your general location from it (city or country level) for security and analytic purposes. On our website, we use cookies and tracking pixels (e.g., Meta pixel, Google Analytics) for conversions and analytics.
How we collect: This data is collected automatically through our Services and third-party analytics tools integrated into the app. For example, we might use Google Analytics or similar services that collect usage events. If you use our website, we may use cookies or similar tracking technologies to gather usage data.
Why we collect: We use usage and analytics information to understand user engagement and interaction with Unlost. This helps us troubleshoot issues, improve the stability and security of our Services, plan new features, and tailor our interface to better suit user needs. For example, we might analyze which features are most popular or detect if the app frequently crashes on a certain screen, then use that information to make improvements. This data is generally analyzed in aggregate form. When we use analytics providers, they act on our behalf under strict data processing agreements and cannot use the data for their own purposes.
Lawful basis for processing: Consent.
4. Other information you provide
What we collect: Any other information you voluntarily provide to us. This might include profile information like a nickname or bio, feedback or survey responses, and communications with us (such as emails or in-app support chats). If Unlost allows you to add personal notes to goals, insights, or progress entries, or share your journey with others, those user-generated contents are also collected and stored as part of your account.
How we collect: We collect this information directly from you when you provide it. For example, updating profile settings, sending feedback, participating in surveys, or using features to annotate your goals, add notes to insights, or share progress.
Why we collect: We use this information to personalize and enhance your experience (like displaying a custom nickname or bio in your profile), to respond to your inquiries and support needs, and to improve our Services based on your feedback. User-generated content like personal notes or shared progress is stored so that you can access and manage them as part of your account, helping to create a more tailored and engaging experience.
Lawful basis for processing: Consent.
Summary of how we use personal data
We use the personal data we collect for the following purposes:
- Providing and improving the service: To operate Unlost and provide AI coaching, goal tracking, and insights. This also includes improving and customizing your experience, such as tweaking the interface or building new features based on common usage patterns.
- Account management: To create and maintain your account, verify your identity when you log in, process subscription payments, and communicate with you about your account or transactions (e.g., payment receipts or account changes).
- Communications: To respond to your inquiries, provide customer support, and send service-related announcements (like changes to terms or important app updates). If you opt in, we may also send newsletters or promotional communications – and you can opt out of these at any time.
- Security and fraud prevention: To protect the integrity of our Services and your data. For example, we use device and usage data to detect suspicious activity, implement anti-fraud measures, and prevent unauthorized access. Unusual access and data patterns might prompt us to verify that it's really you using the account.
- Compliance with law: To comply with legal obligations, such as responding to lawful requests by authorities or fulfilling regulatory reporting requirements.
- Research and development: To analyze usage trends and AI data in order to develop new features, enhance algorithms, and generally improve Unlost. Wherever possible, we use aggregated or anonymized data for these purposes so it no longer identifies you personally.
- Automated decision-making: To the extent we use AI algorithms to generate responses or insights, we describe these in Automated Decision-Making and Profiling below.
Automated decision-making and profiling
Unlost uses automated processing for AI responses and basic personalization. This does not have legal or significant effects without human involvement. For example, the AI may generate coaching based on your inputs, but you can always override or provide feedback. If you believe automated processing affects you significantly, contact us for a human review.
How we share your personal data
We do not sell your personal data to third parties for profit. We only share your information in the following circumstances, with proper safeguards:
1. Service providers (processors)
We use trusted third-party companies to help us operate Unlost and provide the Services to you. These third parties process data on our behalf and are bound by contracts to protect your information and use it only for the agreed-upon purposes. Our key service providers include:
- Apple: If you use the iOS app, Apple may process certain data such as crash reports via its operating system services, or payment transactions via Apple's App Store and in-app purchase system. If you use "Sign in with Apple" across our web or iOS platforms to create an account, we receive your name and email from Apple with your consent. Apple does not receive your Unlost AI conversations or progress data through us, but their platform may collect information about your app usage under your device's privacy settings (e.g., Apple may log that you downloaded or opened our app).
- Google: We use Google services for sign-in and analytics. This includes 'Sign in with Google' for user authentication across our web, Android, and iOS platforms. Unlost uses Google Analytics for usage analytics (which may collect device identifiers, IP address, and usage data). When you use sign-in, Google may receive your name and email to authenticate you. Google processes this data under its own privacy terms as an independent service provider, but only as needed to provide the service to us (we do not allow Google to use our app data for their own advertising purposes).
- OpenAI: We share anonymized conversation data with OpenAI to generate AI responses and completions for Unlost's coaching features. No user identifiers or personal data are shared with OpenAI; data is stripped of any identifying information before transmission. OpenAI acts as our AI processing provider and does not access your account data.
- Payment processors: For subscriptions or in-app purchases, we use payment processors that handle your payment details securely in compliance with PCI-DSS standards. They may receive your name, email, and payment information to process transactions. We do not store your full credit card details on our servers.
- Advertisers: We may share aggregated or hashed personal identifiers (e.g., email hashes) with advertisers to improve our marketing practices and optimize campaigns. This is not considered a sale under applicable laws, and we do not share data for targeted advertising without consent.
2. Affiliates
If Apply Innovations Pty Limited is part of a group of related companies, we may share data with our affiliates for internal administrative purposes and to provide our Services to you. Any such affiliate receiving your data will abide by this Privacy Policy.
3. Business transfers
If we undergo a business transaction such as a merger, acquisition, reorganization, or sale of some or all assets, your personal data may be transferred as part of that deal. We will ensure the new owner is bound to respect your personal data in a manner consistent with this Policy. We will also notify you (for example, via email or a notice in the app) of any such change in ownership or control of your personal information, along with any choices you may have.
4. Legal compliance and protection
We may disclose personal information to courts, law enforcement, government or public authorities, or other third parties if required to do so by law or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation, process, or request (e.g., to respond to a court order or subpoena).
- Enforce our Terms of Service or other agreements and investigate potential violations.
- Detect, prevent, or address fraud, data breaches, security, or technical issues (for example, investigating suspicious activity on your account).
- Protect the rights, property, or safety of Unlost, our users, or the public against harm, as required or permitted by law. We will only disclose the minimum amount of information necessary and will object to overbroad requests when appropriate.
5. With your consent
In situations other than those above, if we need to share your information, we will do so only with your consent. For example, if we ever want to share certain data with a partner for a new feature, we would present you with an opt-in notice and explanation so you can decide.
International data transfers
Unlost operates globally, and the personal data we collect may be transferred to and stored on servers in countries other than your own. In particular, data may be processed in Australia, New Zealand, the United States, and other locations where our service providers have facilities. When we transfer personal data across borders, we take steps to ensure appropriate safeguards are in place to protect your information in accordance with this Policy and applicable laws.
If you are in Australia or New Zealand, your personal information may be sent to or accessed from countries with different privacy standards (e.g., the United States). In such cases, we will take reasonable steps to ensure that any overseas recipient (like our cloud providers) will handle your information in a manner consistent with the APPs and NZ Privacy Principles. This often involves contractual agreements with those service providers that require similar levels of data protection.
We will only transfer data to third parties in jurisdictions that are deemed to have adequate data protection laws, or where we have put in place alternative measures to protect your privacy, such as the Standard Contractual Clauses (SCCs) for international transfers, confidentiality and security obligations in our contracts, and adherence to recognized frameworks (if applicable).
You acknowledge that personal data processed in another country may be subject to different laws and potentially accessible to law enforcement or national security authorities in those countries. However, our agreements with our service providers protect your data to the extent possible, and we will notify you of any transfer and obtain consent if required by law (for instance, some countries require user consent for transferring data overseas).
Our commitment is that no matter where your data is processed, we will treat it in line with the promises of this Privacy Policy. If you would like more information about cross-border data transfers or the specific safeguards we use, you can contact our Privacy Officer (see Contact Us section below).
Data retention and deletion
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. We believe in data minimization and want you to be aware of how long your data is kept. Here are our general retention practices:
- AI conversations and progress data: By default, we store your conversation history and progress metrics indefinitely for active users to access in the app, so you can review past interactions or track your goals at any time. You have control over this data:
  - In-app deletion: You can delete individual conversations, progress entries, or your entire history from within the app. When you delete data, it will be removed from your account view, and we will erase it from our active database. It may remain in our secure backups for a short period (e.g., up to 30 days) until those backups cycle out, after which it is completely removed.
  - Account deletion: If you delete your account, we will delete all AI conversations and progress data associated with your account within 30 days. Again, residual copies might remain in backups temporarily but will be purged according to our backup retention schedule.
- Account information: Personal details like your name, email, contact info, and any subscription details are kept for as long as you have an active account. Once you delete your account, we generally remove these from our active systems within 30 days. However, we may retain certain information for a longer period if necessary:
  - Legal or financial recordkeeping: We might need to keep records of financial transactions (payments, invoices) for accounting and tax purposes, typically for 7 years (as required by law in some jurisdictions). This means your name, email, and transaction history might be kept in a secure archive separate from the main user database solely for these compliance reasons.
  - Dispute resolution: If you've ever had an issue or dispute with us, we may retain correspondence or records related to that dispute until it is resolved, and then for an appropriate period after (to ensure we have documentation in case of any legal matters).
- Device and usage information: Crash logs and analytics data are generally retained only as long as they are useful for us to identify issues and trends. For example, raw crash reports might be kept for 1-2 years to track recurring issues. Aggregated analytics (which do not directly identify you) might be kept longer for historical analysis. Where possible, we either dissociate this data from user accounts or anonymize it over time. Server logs, including web-server access logs, API request logs, and error logs, are retained for the purpose of investigating security events, monitoring service health, and generating usage statistics without holding detailed logs indefinitely. Whenever feasible, we dissociate log data from individual user accounts or fully anonymize it after the primary retention window expires.
- Backup storage: We periodically back up our databases to ensure resilience of the service. These backups are securely stored and encrypted. They are retained for a limited time (commonly 30-90 days) and then overwritten or deleted when no longer needed. If data is deleted from our live systems, it will be deleted from backups in the normal rotation.
- Retention for legal obligations: If we are under a legal obligation to retain certain data (for example, in response to a law enforcement request or data relevant to a legal case), we will retain that data for as long as required by the obligation. Similarly, if the law mandates a minimum retention period for certain information, we will keep it at least that long (and not longer than necessary).
After the applicable retention period ends, we will securely delete or anonymize your personal data. When we anonymize data, we remove or alter information that could identify you so it can no longer be linked to you and is no longer personal information. We may use anonymized data (for example, aggregated usage patterns) for research or analysis without further notice to you since it no longer contains personal data.
Regardless of the above default retention practices, you always have the right to request deletion of your personal data sooner (see Your Rights below for how to exercise this). We will honor such requests in accordance with applicable law. Keep in mind that deleting certain data (like your conversation history) may mean you lose access to that information permanently, so please back up any data you wish to keep before requesting deletion of your account.
Your rights and choices
We respect your rights over your personal data. Depending on where you live, you have certain legal rights regarding your information. Unlost aims to extend key privacy rights to all users, regardless of jurisdiction, as part of our commitment to privacy. These rights include:
- Access: You have the right to request a copy of the personal data we hold about you. This includes information like your account details, contact information, and data we've collected such as your conversation logs. We will provide this in a commonly used format. For example, we can export your AI conversations and progress metrics in a CSV or JSON file upon request. (Under some laws, this is called the "Right to Know" or "Data Access" request.)
- Correction (Rectification): If any personal data we have about you is inaccurate or incomplete, you have the right to have it corrected. For example, if your name is misspelled in our records, or a conversation is logged with an incorrect timestamp due to a bug, you can ask us to fix it. In many cases, you can correct most basic information yourself via the Unlost application. For things you cannot change yourself, contact us and we will make the correction if possible, or add a note if not (some historical data might not be editable, but we can append a correction).
- Deletion (Erasure): You have the right to request deletion of your personal data. This is sometimes called the "Right to Erasure" or "Right to be Forgotten." You can delete certain data on your own (such as removing a conversation log or deleting your entire account via the app's account settings). For any data you cannot delete yourself, you can send us a deletion request. We will then erase your personal data from our systems, unless we have a lawful reason to keep it (as described in the Data Retention section, e.g., for legal compliance). We will also direct our service providers to delete the data they hold on our behalf, to the extent required.
- Objection to Processing: In certain jurisdictions, you may have the right to object to specific types of processing of your data. You might object to your data being used for research purposes or for direct marketing. If you object, we will consider your request and stop or limit the processing unless we have a compelling legitimate ground to continue (or if it's legally exempted). For direct marketing, note that we only send marketing emails if you've opted in, and you can opt out anytime (see Your Choices below).
- Withdrawal of Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. The most common example is analytics tracking – you give consent by enabling it in settings. You can withdraw it by disabling analytics in your app settings. Withdrawing consent won't affect processing already done, but it will stop future processing of the aspect you withdraw consent from. Another example is if you consented to receive newsletters, you can unsubscribe, which withdraws that consent.
- Data Portability: You have the right to receive certain data in a portable format. This typically applies to information you provided to us or that was generated by your use of the service, which we process by automated means. In Unlost, this could include your conversation logs, progress metrics, and associated data. Upon request, we can compile your data (for example, all your AI interactions and stats) into a commonly used machine-readable format (like CSV, JSON, or XML) so that you can store it or use it elsewhere. We will provide this free of charge up to once (or a few times) per year as legally required.
- California Privacy Rights: If you are a California resident, you have specific rights under the CCPA (as amended by CPRA):
  - Right to Know: You can ask us to disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it. (This is fulfilled by the Access right above and the information in this Policy.)
  - Right to Delete: (Covered above as Deletion right.)
  - Right to Correct: (Covered above as Correction right.)
  - Right to Opt-Out of Sale or Sharing: Unlost does not sell or share your personal information as those terms are defined under California law (we don't provide your data to third parties for monetary value or for targeted advertising uses). Therefore, there is no need for you to opt out of sale/sharing.
  - Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. That means we won't deny you our Services, charge you a different price, or provide a lesser quality of service just because you made a privacy rights request. (However, note that deleting certain data might affect how features work, but that's a consequence of the service not having the data, not a punitive action. We will inform you of any such impacts if relevant.)
  - Authorized Agent: You may designate an authorized agent to make requests on your behalf. We will take steps to verify the legitimacy of any request made by an agent to ensure security (for example, we might ask you to confirm that you did give them permission).
- Other U.S. state laws: If you reside in a state with its own privacy law (such as Virginia, Colorado, Connecticut, Utah, etc.), you generally have similar rights to those described above (access, correction, deletion, data portability, and the right to opt out of certain processing like targeted advertising or profiling). Unlost's practices of not selling data and not engaging in targeted advertising without consent mean many of those opt-out rights might not be directly needed. Nevertheless, if you have any privacy request under any state law, we will treat it with equal diligence. Some states also grant a right to appeal if you disagree with our decision on your privacy request - if we ever deny a request, we will let you know how you can appeal that decision.
- Australia and New Zealand: Under the Australian Privacy Act and NZ Privacy Act, you have the right to access the personal information we hold about you and to request corrections of any inaccuracies. We will provide access except in limited circumstances where we might be permitted to refuse (for example, if giving you access would unreasonably affect someone else's privacy or if it relates to legal proceedings). We will also take reasonable steps to correct any information you show to be wrong. While these laws don't explicitly give a right to deletion or data portability in the same way as some other jurisdictions, we honor deletion and portability requests as a matter of good practice (unless restricted by law). If for some reason we cannot comply with a request under Australian/NZ law, we will provide you with the reasons.
- Response time: We will respond to your privacy rights requests as soon as we can, generally within the timeframe your law requires. For example:
  - California/US law: within 45 days (and we can extend once by another 45 days if necessary, but we'll let you know if so).
  - Australia/NZ: we aim for within 20 working days for access or correction requests.
  - If it's a simple request like opting out of emails, we'll act on it promptly (usually within a few days). If we need more time or if we cannot fulfill your request, we will inform you in writing.
- Verification: For certain requests (access, deletion, etc.), we will need to verify your identity to make sure we are providing data to the right person or deleting the correct account. We may ask you to verify information that we already have (for example, responding from your account email, or providing a recent conversation detail that only you would know) to ensure the request is legitimate. We appreciate your cooperation on this, as it's for your privacy protection.
- No Fee Usually Required: We will not charge you a fee for exercising your rights. However, if a request is repetitive, manifestly unfounded, or excessive, we might charge a reasonable fee or refuse to act on it (as allowed by law). If that happens, we will explain why.
To exercise any of these rights or if you have questions about your rights, you can contact us using the information in the Contact Us section at the end of this Policy. We will guide you through the process. For some requests (like data access or deletion), we may provide self-service options if available (for instance, an in-app data export or delete function), or handle it directly via our support team.
Your choices and consent management
We want to make sure you are in control of your data. Here are ways you can manage your preferences and consents regarding Unlost:
- Privacy settings in the app: Unlost provides a settings menu where you can adjust certain privacy-related preferences. For example, you may find toggles to enable/disable features like analytics tracking, conversation logging, or progress metrics collection. You can also disconnect integrated services (like revoking sign-in access) from the settings. By adjusting these settings, you directly control what data is collected or shared by specific features.
- Analytics and tracking: You have control over analytics collection. If you do not want Unlost to collect usage data via analytics tools, you can disable it in the app's privacy settings. On our website, you can manage cookies via your browser settings (see Cookies and Tracking below). Keep in mind that disabling analytics might limit our ability to improve the service, but core features will remain functional.
- Notifications: We may send push notifications for things like AI insights, goal reminders, or important account notices. You can manage these notifications in two ways: through the app's own notification settings and via your device's notification settings for Unlost (for example, you can turn off all Unlost notifications in your phone settings). If you disable notifications, you might not receive timely reminders, but you can always check the app.
- Marketing communications: If you've opted in to receive newsletters or promotional emails (for example, tips for using Unlost or new feature announcements), you can opt out at any time. Every marketing email will have an "unsubscribe" link at the bottom – clicking that will stop further promotional emails. You can also manage your email preferences in the app or website account settings, or simply contact us to be removed from marketing lists. Note that we will still send you important service emails, like subscription confirmations, security alerts, or policy updates, as these are not promotional but part of our contractual or legal obligations.
- Third-party opt-outs: In cases where our service providers offer their own opt-out or privacy choices, we want you to be aware of them. For example, Google provides options to control personalized ads in your Google account (though we don't use Google ads in Unlost). If we ever used an analytics or AI service that allowed user opt-out, we would integrate that option. Currently, our third-party processors use your data only to help run our service, not for their independent marketing.
- Do Not Track (for website use): Our primary service is a mobile app, not a web service, so "Do Not Track" signals from web browsers are not deeply applicable. On our website, we currently do not use any tracking cookies beyond essential analytics, and we do not respond to DNT signals because there is no profiling or cross-site tracking to stop. If this changes in the future, we will update our practices and honor standardized signals like the Global Privacy Control (GPC) as required by law (for example, in California). Additionally, if your device has a "Limit Ad Tracking" or similar setting, it generally signals apps not to use certain identifiers.
- Consent for new features: Whenever we introduce a new feature that collects additional personal data or wants to use your data in a new way, we will ask for your consent before you use that feature. For example, if in the future Unlost offers integrations with health apps, we would clearly explain what data sharing is involved and let you opt in or out.
- Cookies and Tracking: On our website (unlost.ai), we use cookies for essential functions like session management and analytics. We also use tracking pixels (e.g., Meta pixel for conversions, Google Analytics for usage). You can control cookies via your browser settings (e.g., disable third-party cookies). For more details, see our website's cookie policy or contact us.
We strive to make all privacy options user-friendly and easy to find. If you are unsure how to exercise a particular choice, please refer to our FAQs or reach out to our support team for guidance. We will be happy to assist you in configuring the app to your comfort level regarding privacy.
Data security measures
We take the security of your personal data very seriously. Unlost implements a variety of technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: We use encryption to protect data in transit and at rest. When data is sent between your device and our servers, it's encrypted using HTTPS (TLS). This applies to all personal data, including conversation data and login credentials. Sensitive information like passwords is stored in hashed or encrypted form in our database. For example, your password is never stored in plain text - only a secure cryptographic hash of it is kept.
- Access controls: Access to our systems and databases is restricted to authorized personnel with a legitimate need. We employ role-based access control so that, for instance, a support agent can see your account email to assist you, but cannot access your conversation data without further authorization. Administrative access to servers is protected by strong authentication (including multi-factor authentication) and is limited to a small number of our team.
- Secure development practices: Our development and operations follow industry best practices. We regularly update software libraries and apply security patches. We also use code reviews and security testing (including occasional third-party security audits or penetration testing) to catch vulnerabilities. The Unlost app also goes through app store review, which includes certain security checks.
- Network security: We utilize firewalls and monitoring to protect our infrastructure. Services like Cloudflare help us mitigate malicious traffic. Our servers are configured to minimize open ports, and we continuously monitor for suspicious activity or unauthorized access attempts.
- Data minimization: We strive to collect only the data that we need. By holding less data, we reduce our risk exposure in the event of a security issue and also reduce processing and storage costs. For example, if we don't need a piece of information (like your IP after initial access), we won't collect or store it. We also pseudonymize data where feasible – separating personal identifiers from conversation content, so that usage patterns can be analyzed on anonymized data.
- Training and policies: We train our employees about the importance of data privacy and security. We have internal policies and procedures for handling data securely. For example, employees are instructed not to download personal data to unsecured devices, and we require the use of encryption on employee laptops. Regular training helps our team stay vigilant about phishing and other security threats.
- Incident response: Despite best efforts, if an incident were to occur, we have a plan (see Data Breach Notification below) to respond swiftly and effectively to minimize any harm.
While we cannot promise that a security breach will never happen (no service can), we can promise that we work hard to protect your data and that we will act promptly and transparently if an issue arises.
Data breach notification and incident handling
In the event of a data breach that involves your personal data, Unlost is prepared with a response plan to address and mitigate the incident. Our procedures include:
- Internal incident response: Upon discovering or suspecting a security incident, we immediately activate our incident response protocol. A dedicated team will investigate the scope and nature of the breach, contain it (for example, by isolating affected systems or revoking unauthorized access), and work to remediate the root cause (such as patching a vulnerability). We log all incidents and our responses to them for accountability and review.
- Assessment of impact: We will quickly assess what personal data (if any) was involved in the breach, whose data was affected, and the risk level to users. This helps determine our next steps, including who needs to be informed and what measures users might need to take.
- Notification to users: If a data breach is likely to result in a risk of harm to you (for example, risk of identity theft, financial loss, or any significant inconvenience), we will notify you as soon as possible. Notification will be made through appropriate channels, such as email, in-app alerts, and/or our website. We will provide you with:
  - A summary of what happened (to the extent we know at the time).
  - The data involved (e.g., "email addresses and hashed passwords, but no conversation data" or whatever is applicable).
  - What we have done or are doing to respond to the breach.
  - Any steps you should take to protect yourself (for example, reset your password, watch out for phishing attempts, etc.).
  - Contact details for further information (so you can ask questions or get more assistance).
- Notification to authorities: We will comply with all laws regarding breach notification:
  - In Australia, if the breach is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and follow the process under the Notifiable Data Breaches scheme.
  - In New Zealand, we will notify the Office of the Privacy Commissioner if the breach has caused or is likely to cause serious harm (as required under the Privacy Act 2020).
  - In the United States, we will follow state-specific data breach laws. This typically means notifying affected individuals without unreasonable delay and, in some cases, notifying state attorneys general or other regulators, especially if a large number of individuals are affected. We are aware of our obligations in states like California and others concerning data breach response.
  - We may also notify other relevant regulatory bodies if appropriate (for instance, if Unlost were subject to any industry-specific regulations).
- Ongoing communication: Sometimes, investigations take time. If we cannot answer all questions initially, we may send follow-up notices when more information is available. We want you to be fully informed.
- Post-incident measures: After handling the immediate aftermath, we review the incident to understand how to prevent a similar event in the future. This could involve strengthening security measures, providing additional training to staff, or updating our policies. We document these changes and ensure they are implemented. Our goal is continuous improvement of our security posture.
Your trust is extremely important to us, and part of earning that trust is being forthright if something goes wrong. We are dedicated to handling any such event with transparency and care for your protection.
Third-party links and integrations
The Unlost app and website may contain links to third-party websites or services, as well as integrations that involve third-party systems. Examples include:
- External websites: If our website links to an article, a partner's site, or an external resource (like a blog or social media page), clicking those links will take you outside of Unlost. We are not responsible for the privacy practices of those external sites. We recommend you review the privacy policy of any website you visit.
- In-app integrations: Unlost allows sign-in through third parties like Apple or Google, and uses OpenAI for AI processing. Such interactions may share some data with the partner at your direction.
- App store purchases: Transactions via Apple App Store or Google Play may share data with them.
This Privacy Policy does not cover how those third-party services collect or use your data. We only cover what we do with data. So, whenever you leave our app or website or engage with a third-party integration, be mindful of their privacy policies and terms. We try to make it clear when you are doing this - for example, we might show a prompt like "Signing in with Google..." or require you to confirm before connecting.
Children's privacy
Unlost is not intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have unknowingly collected personal data from a child under 16, we will take steps to delete that information promptly. Parents or guardians: if you discover that your child under 16 has created an account or provided us with personal data without your consent, please contact us immediately so we can take appropriate action, including deleting the data and closing the child's account.
For California residents under 18, while our service isn't aimed at minors, if any content was posted publicly, California law allows removal of that content upon request.
If you are discussing sensitive topics, consider contacting a helpline: Lifeline (AU: lifeline.org.au), 1737 (NZ: 1737.org.nz), or National Suicide Prevention Lifeline (US: suicidepreventionlifeline.org).
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other considerations. When we make a significant change, we will notify you by appropriate means before the changes take effect, for example by sending an email to the address associated with your account or by placing a prominent notice within the app. If the changes are minor or not material, we might just update the effective date at the top.
We include an "Effective Date" at the top of this Policy to indicate when the latest changes went into effect. For major updates, we may also include a brief summary of what's new, either in the notification or in an "Update Note" within the policy itself, so you can easily see what's changed.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use Unlost after any changes to the Privacy Policy become effective, it constitutes your acceptance of the updated terms (to the extent permitted by law). If you do not agree to the changes, you should stop using the Services and can request deletion of your data.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We have appointed a Privacy Officer, who is responsible for overseeing questions in relation to this Policy and our data practices.
Contact Details for Privacy Inquiries:
Email: privacy@unlost.ai
We will do our best to respond to all legitimate requests or questions within a reasonable timeframe. For example, if you email us with a general question, we aim to reply within a few business days. If you are contacting us to exercise a privacy right or to lodge a complaint, we will acknowledge receipt as soon as possible and generally provide a resolution or answer within 30 days or the timeframe required by law.
Complaint resolution: If you have a complaint about how we handle your personal information, we encourage you to contact us first at the email above. Please provide details of your complaint and any relevant information (like what happened, dates, who you dealt with, etc.). We take privacy complaints seriously. The Privacy Officer (or their team) will investigate your complaint, and we may reach out to you for more information to ensure we understand the issue fully. We will then inform you of the outcome of our investigation and any steps taken to address your concerns.
If you are not satisfied with our response, you have the right to escalate your privacy complaint to a data protection authority or privacy regulator in your jurisdiction:
- Australia: You can contact the Office of the Australian Information Commissioner (OAIC) if you believe we have violated the Australian Privacy Principles and have not resolved your complaint.
  - Website: oaic.gov.au
  - Phone: 1300 363 992.
- New Zealand: You can contact the Office of the Privacy Commissioner (OPC) in NZ. The OPC can guide you on making a complaint and may investigate the issue.
  - Website: privacy.org.nz
  - Phone: 0800 803 909.
- United States: There isn't a single national privacy regulator for general consumer data, but you can reach out to your state's Attorney General's office. For example, California residents can contact the California Attorney General. Additionally, the Federal Trade Commission (FTC) accepts reports of unfair or deceptive business practices (which could include privacy issues). If your complaint pertains to a specific law (like CCPA), state authorities will be the ones to address it.
- Other Regions: If you are in a jurisdiction not explicitly listed, consult your local data protection authority (if one exists) or consumer protection authority.
Our Privacy Officer's role is to monitor our compliance with privacy laws and this Policy, provide advice on privacy matters, and act as a point of contact for users and regulators regarding privacy. If you have any questions about anything in this Policy or about your personal data at Unlost, do not hesitate to reach out to our Privacy Officer via the contact information above.