SuperYears - Privacy Policy (AU + GDPR‑Ready)

Version: Draft v2026-1

Effective date: 01 March 2026
Entity: SuperYears AI PTY LTD; ABN 49 687 133 106. Hampton, VIC 3188, AUSTRALIA
Privacy Officer: privacy@superyears.com.au
Primary website: www.superyears.com.au

Plain‑English explainer (read this first)

This Privacy Policy tells you what we collect, why we collect it, who we share it with, how long we keep it, and the choices you have. It applies to the public SuperYears website and public calculators/tools (the “Site”). If you later use our subscriber app/service, extra terms apply there (see Subscriber/App Terms and our Data Processing Addendum).

What this covers, in simple terms:

  • What you give us: things like your name and email if you subscribe or contact us, plus anything you type into public calculators.
  • What we collect automatically: basic device and usage information (e.g., pages viewed, IP‑derived region) to keep the Site reliable and secure.
  • Why we use it: to run the Site, fix issues, prevent abuse, improve features, and, only with your permission, send updates and tips.
  • Who helps us: trusted service providers (hosting, email, analytics, security). They must protect your info and can only use it to provide their service to us.
  • Your choices: control cookies in our banner and your browser; opt out of marketing anytime; ask to access or correct your info; complain if something’s not right.
  • How long we keep it: only as long as needed for the reasons we collected it (then we delete or de‑identify).
  • Where it’s stored: all your data will be stored within Australian data centers.

A note on calculators: we aim to process inputs in memory and not keep them unless you choose to save or export a scenario. For troubleshooting, limited error logs may hold snapshots for up to 7 years as per Australian Government policies before deletion or de‑identification.

If you need help, email our Privacy Officer at privacy@superyears.com.au. If you’re unhappy with how we handle your data, you can also contact the OAIC (details below in Contact & complaints).

(Cross-references: this Policy sits alongside our Website Terms, Cookie Policy, Acceptable Use Policy, and—if you use the app—our Subscriber/App Terms. Links: Website Terms (https://superyears.com.au/terms), Cookie Policy (https://superyears.com.au/cookies), Acceptable Use Policy (https://superyears.com.au/acceptable-use), Subscriber/App Terms (https://superyears.com.au/app-terms).)


This Policy explains what we collect, why we collect it, how we use and share it, how long we keep it, and your choices. We follow Australia’s Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If we handle EU/UK resident data, we also apply GDPR/UK GDPR rights. Cross‑references: this Policy works with our Website Terms, Cookie Policy, Acceptable Use Policy (AUP), Complaints & Dispute Resolution Policy, and (for customers of our paid app/service) our Subscriber/App Terms and Data Processing Addendum (DPA).

PP‑1. Who we are and scope

  • This Policy applies to the SuperYears public website, content, and publicly accessible tools (the Site). If you use our app/service, additional terms (e.g., Subscriber/App Terms and DPA) also apply.
  • For GDPR/UK GDPR purposes, SuperYears AI PTY LTD is the controller for the Site. Where we process on behalf of enterprise customers, we act as a processor under a DPA.
  • EU/UK representative (Art. 27, if required): we will publish representative details here if and when Article 27 representation becomes applicable.

PP‑2. Quick summary (at a glance)

  • We collect contact, account/usage, calculator inputs, and support data.
  • We use data to operate the Site/tools, secure it, improve reliability, and, with consent, personalise and market.
  • We do not sell Personal Information. We use vetted service providers under contract.
  • We keep data only as long as needed, then delete or de‑identify.
  • You can access/correct your info and opt out of marketing.
  • If a breach is likely to cause serious harm, we’ll notify you and the OAIC; EU/UK users may also receive regulator notice where applicable.

PP‑3. Key definitions

  • Personal Information: Information about an identified or reasonably identifiable individual.
  • Processing: Collecting, storing, using, disclosing, securing, or deleting information.
  • Sensitive Information: Information such as health, biometric, or other sensitive data under applicable privacy laws. We do not seek to collect this on the Site.
  • Government identifiers: We do not require users to adopt, use, or disclose government-related identifiers (for example, Medicare numbers or Tax File Numbers) as our own identifiers, except where permitted or required by law.
  • International data protection terms (where applicable): Terms such as “controller”, “processor”, “lawful basis”, and “data subject rights” have the meanings given under applicable data protection laws.

PP‑4. Data we collect (categories)

  • Identification & contact: name, email, phone, address (if supplied).
  • Account & usage: login identifiers, activity logs, device/IP, browser type, pages viewed, timestamps, approximate location derived from IP.
  • Calculator inputs: variables you enter into public calculators/tools. Where feasible we process these transiently; see PP‑7 and PP‑10.
  • Support & feedback: messages/attachments you send to us.
  • Payment/subscription metadata (if applicable on Site): transaction references from payment provider (no full card numbers stored).
  • Regulatory/verification: information needed to comply with law or respond to lawful requests.
  • We do not intentionally collect Sensitive Information or children’s data (see PP‑14).

PP‑5. How we collect data

We collect Personal Information in several ways:

  • Directly from you when you submit forms, use calculators, create an account, subscribe, sign up for updates, or contact support.
  • Automatically through cookies, server logs, and similar technologies when you use the Site or app, for purposes such as security, performance monitoring, analytics, and service improvement (see PP-7).
  • From service providers where necessary to operate the Site and app — for example, payment processors, subscription management providers, email delivery services, and analytics providers.
  • Collection notices: Where practicable, we provide contextual notices at or before the time of collection explaining what we collect, why we collect it, and who we may share it with.

PP‑6. Why we use data (purposes & lawful bases)

Purpose | Examples | Lawful basis (where applicable)
Operate & secure the Site/tools | page delivery, load balancing, fraud/abuse prevention, uptime | Legitimate interests; contract where applicable
Provide calculator outputs | compute results from inputs; show estimates | Legitimate interests; contract where applicable
Improve features & reliability | diagnostics, analytics, A/B testing | Legitimate interests
Personalise (if enabled) | show relevant content/tips | Consent where required; Legitimate interests
Communicate service updates | operational emails (e.g., policy updates) | Legitimate interests/legal obligation
Marketing (optional) | newsletters, product updates | Consent; unsubscribe anytime; Spam Act 2003 (Cth) compliance
Legal compliance | respond to regulators/courts; record‑keeping | Legal obligation

We do not use automated decision‑making that produces legal or similarly significant effects about you via this Site. Where we rely on legitimate interests, we perform a balancing assessment; a summary is available on request.

PP‑7. Cookies, analytics & personalisation

  • We use cookies and similar tech to keep the Site reliable, secure, and useful.

  • Consent management: A banner lets you accept/reject non-essential cookies; settings can be changed anytime. Essential cookies are required for core functionality.

  • Analytics: We use analytics tools to understand how the Site is used and to improve performance. Where available, we configure analytics to minimise data collected (for example, IP truncation/anonymisation and reduced retention).

  • A/B testing / performance: We may use performance and experimentation tools (for example, to test layouts or measure load times).

  • Personalisation: we may tailor on-site content/tips based on your activity. Email marketing uses separate opt-in and unsubscribe controls.

  • Browser controls may let you block cookies. We do not change behaviour in response to generic Do Not Track signals unless required by law.

  • See our Cookie Policy for categories, examples, and retention windows: https://superyears.com.au/cookies.

PP‑8. Sharing with service providers (processors)

We use trusted service providers to help run the Site and app (for example, hosting and cloud infrastructure, content delivery, email and communications, analytics, security monitoring, and payments). They must protect Personal Information, use it only to deliver services to us, and follow our written instructions and confidentiality obligations.

Hosting / infrastructure: We use reputable cloud providers, including Google Cloud Platform (GCP) and Microsoft Azure, to host and operate the Site and app.

Email delivery & support tools: We use third-party providers to deliver email communications and manage customer support interactions.

Security / monitoring: We use security and monitoring providers to detect, prevent, and respond to fraud, abuse, and technical issues.

Payments & subscriptions: Where payments or subscriptions are processed, we use established third-party providers including Stripe (for payment processing) and RevenueCat (for subscription management). Payment card details are processed directly by these providers in accordance with their own terms and privacy policies. We do not store full payment card numbers on our own systems. Subscription billing and renewals are managed through our payment providers in accordance with the Subscriber/App Terms.

Sub-processors & changes: We may update our service providers from time to time as our business evolves. Where required by applicable law, we will take reasonable steps to notify users of material changes.

We may also disclose Personal Information to regulators, courts, or law enforcement where required or authorised by law.

PP‑9. International transfers

Personal Information may be transferred to, stored in, or accessed from jurisdictions outside Australia, including the European Union and the United States, where our service providers operate infrastructure or personnel.

Where we transfer Personal Information internationally, we implement appropriate safeguards such as contractual protections, vendor due diligence, encryption in transit and at rest, and data minimisation practices.

Where Australian Privacy Principle (APP) 8 applies to cross-border disclosure, we take reasonable steps to ensure overseas recipients do not breach the APPs, or we rely on another permitted ground under the Privacy Act 1988 (Cth).

Where applicable, we rely on recognised transfer mechanisms under relevant data protection laws (for example, contractual safeguards) to support lawful international data transfers.

PP‑10. Retention & deletion

Data category | Typical retention | Notes
Account & contact records | Up to 7 years after account closure | Required for legal, tax, dispute resolution and record-keeping obligations
Support, legal, and record-keeping | Up to 7 years | May be retained longer where required by law
Web/server logs | 90–180 days | Security monitoring and diagnostics; shorter where practicable
Calculator inputs (public tools) | Retained while your account is active; deleted or de-identified within a reasonable period after account closure | Stored encrypted; accessible only to the authenticated user via MFA-protected account access
Analytics events | Up to 26 months | Subject to tool settings and data minimisation practices
Marketing subscriptions | Until you unsubscribe | Remove from marketing list promptly

When Personal Information is no longer required for the purposes described in this Policy, we delete or de-identify it using reasonable, industry-standard methods. Where deletion is not immediately feasible (for example, in encrypted backups), we securely segregate the data and delete it in accordance with our backup lifecycle.

We may create and use de-identified or aggregated data for reporting, research, analytics, and improving the Site. We take reasonable steps to prevent re-identification.

PP‑11. Security measures

We implement reasonable technical and organisational safeguards designed to protect Personal Information from misuse, interference, loss, unauthorised access, modification, or disclosure.

These measures include:

  • Access control and least-privilege principles; multi-factor authentication (MFA) for privileged accounts.
  • Encryption in transit and secure key management practices.
  • Change control, logging and monitoring, and vulnerability management processes.
  • Vendor security reviews and contractual safeguards.
  • Incident response and business continuity planning.

These practices align with our Website Terms and our Responsible Disclosure and Security Policy: https://superyears.com.au/security

PP‑12. Data breach notifications

We follow Australia’s Notifiable Data Breaches scheme. If a breach is likely to result in serious harm, we will notify affected individuals and the OAIC and take steps to mitigate risk. For EU/UK users, we assess and notify under GDPR/UK GDPR where required.

PP‑13. Your rights & how to exercise them

  • Access & correction: You can request access to, or correction of, your Personal Information. We will verify your identity and respond within a reasonable period. Where we refuse, we will explain why and how you may complain.
  • Anonymity/pseudonymity: Where lawful and practical, you may interact with us without identifying yourself or by using a pseudonym. Some features will not function without basic contact details.
  • Marketing choices: Use the unsubscribe link in marketing emails or contact us to opt out.
  • EU/UK users (if applicable): You may have rights to access, rectification, erasure, restriction, portability, and objection. You may withdraw consent where processing relies on consent.
  • How to make a request: Email privacy@superyears.com.au with details. We aim to respond within 30 days; complex requests may take longer and we will keep you informed. Reasonable administrative fees may apply to providing copies, but not for lodging a request.
  • Supervisory authority complaints (EU/UK): You may contact your local data protection authority if you believe your rights have been infringed.

PP‑14. Children

Our Site is intended for adults. We do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information to us, please contact us and we will take reasonable steps to delete it. Under-18s may browse the Site in a read-only capacity only, as set out in our Website Terms.

PP‑15. Changes to this Policy

We may update this Policy. For material changes, we will give at least 14 days’ notice via a banner on the Site and this page (except for security/legal updates requiring earlier effect). We keep an archive of prior versions.

PP‑16. Contact & complaints

Privacy Officer: privacy@superyears.com.au
If you’re not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC):

  • Website: https://www.oaic.gov.au
  • Phone: 1300 363 992
  • Mail: GPO Box 5288, Sydney NSW 2001
  • EU/UK users may also complain to their supervisory authority.

Important notice: Information on the Site is general in nature and does not constitute personal financial advice.