Privacy Policy
Last updated 10 May 2026. Kindtact is operated by Kindtact Pty Ltd, Queensland, Australia. Privacy contact: hello@kindtact.com
Plain-English summary
Kindtact is a privacy-first platform. We collect the smallest amount of data needed to make the service work, we don't sell it or use it for advertising, and we delete message content automatically after 30 days (or 7 days after a thread is resolved). If you want your data deleted, you can do it yourself in seconds, or email us and we'll do it within 30 days.
Owners' contact details are never shown to scanners. Scanners' contact details are never shown to anyone except the owner they chose to message.
Who this applies to
This policy applies to owners (people who create a Kindtact account and register QR codes), scanners / finders (people who scan a QR code and send a message), and visitors (people who browse the website). Kindtact is operated from Queensland, Australia and serves users globally including AU, NZ, UK, EU, and US.
Personal information we collect
Owners: email address; name and profile picture if you sign in with Google, Apple, or Facebook; item labels and notes; subscription status (last four digits of card only — full card details handled by Stripe); IP address, browser type, and activity timestamps.
Scanners / finders: message text (required); optional name, phone, or email if the scanner chooses to provide them; optional precise GPS coordinates (latitude, longitude, accuracy in metres) if the scanner enables the location feature via their browser's Geolocation API — always optional and consent-based; IP address and browser fingerprint for abuse prevention only.
Visitors: standard server logs (IP address, page path, timestamp). No third-party analytics scripts.
What we don't intentionally collect
- Health or medical data.
- Financial account details beyond what Stripe shares with us.
- Racial or ethnic origin, political opinions, religious beliefs, biometric data, or other GDPR Article 9 sensitive categories.
- Data from children under 16.
How we collect information
Directly from you when you use the service; from your sign-in provider (Google, Apple, Facebook) when you choose social sign-in; automatically via server logs and abuse-prevention fingerprinting; from Stripe via webhook for subscription events.
Why we use it
To deliver messages and replies; to run your account, dashboard, and subscription; to send transactional service emails; to prevent and investigate abuse; to comply with legal obligations; and to operate and improve service reliability. We do not use data for advertising, behavioural profiling, or AI/ML training. We do not sell or rent personal data.
UK/EU lawful bases (GDPR Article 6)
- Contract (6(1)(b)) — account management, message delivery, billing.
- Legitimate interests (6(1)(f)) — security, abuse prevention, server logging.
- Legal obligation (6(1)(c)) — mandatory data retention or disclosure.
- Consent (6(1)(a)) — any processing not covered above (e.g. optional analytics if introduced).
How information is shared
With owners (scanner's message and any voluntarily shared contact details). With scanners (owner's replies via relay — owner's personal details are not revealed). With service providers: Clerk (authentication), Stripe (payments), Resend (transactional email). When required by law. In a business transfer (with equivalent privacy protections).
Overseas transfers
Kindtact operates from Queensland, Australia. Our providers (Clerk, Stripe, Resend) are US-based and may process data in the US, EU, or UK. We use data processing agreements and standard contractual clauses (SCCs) as required. For AU users we comply with APP 8. For UK/EU users we comply with UK GDPR/EU GDPR transfer rules.
Retention
| Data | Retention | Notes |
|---|---|---|
| Message content (text, sender contact details, GPS location, image attachments) | 30 days (default) | Anonymised automatically nightly. Owner can delete earlier. |
| Message content in resolved threads | 7 days after resolution (default) | Whichever window expires first. |
| Account profile | Until account deletion | Delete anytime via dashboard or email. |
| Billing records | 7 years | Tax/accounting compliance. De-identified after account deletion. |
| Security/abuse-prevention logs | Up to 90 days | IP addresses and fingerprints. |
| QR code records and scan counts | Until account deletion | Aggregate counts only after message anonymisation. |
Your choices and rights
Regardless of where you live, you can: ask what data we hold about you; ask us to correct it; ask us to delete it; object to or restrict certain processing; request a portable copy; withdraw consent; and lodge a complaint with your privacy regulator.
Additional rights by jurisdiction: EU/UK (GDPR) — full GDPR rights including no solely-automated decisions; Australia (Privacy Act 1988) — access and correction under APPs; New Zealand (Privacy Act 2020) — IPP 6 and 7; California (CCPA/CPRA) — right to know, delete, correct, opt out of sale. We do not sell or share personal data as defined by CCPA.
To exercise any right, email hello@kindtact.com. We respond within 30 days.
Data deletion and Meta compliance
See our full Data Deletion page for self-service deletion, email requests, what gets deleted, what is retained, and the dedicated section for Facebook/Meta login users. Our Meta automated callback: POST https://kindtact.com/api/meta/data-deletion. Status check: https://kindtact.com/data-deletion/status/YOUR_CODE.
Children
Kindtact is not designed for children under 16. We do not knowingly collect data from children. Contact hello@kindtact.com if you believe a child has used the service.
Cookies and analytics
We use cookies (set by Clerk) and browser local storage to keep the service working. No advertising cookies, no third-party tracking pixels, no third-party analytics scripts.
Cookies:
- Authentication session cookie (set by Clerk, expires on sign-out).
- Referral attribution cookie (kindtact_ref, 30-day cookie set when you arrive via a referral link).
Local storage:
- Theme preference (kindtact:theme).
- Language preference (kindtact:finderLocale).
- SEO landing source (kindtact_src, cleared on sign-up or sign-out).
- Checkout state (kindtact_checkout_intent, kindtact_sticker_draft_v2).
- Dashboard preferences (kindtact_item_view_mode, kindtact_item_sort_order, kindtact:notifications-filter).
- Onboarding tour flags (kindtact:finderScanTourSeen, kindtact:finderReplyTourSeen).
- Help-bot history (kindtact-helpbot-history-v1).
- Security fingerprint (kindtact:fp, rate-limiting only, not advertising).
Security
All data is transmitted over HTTPS and stored in encrypted databases with role-based access controls and audit logging. We do not offer end-to-end encryption — message content is accessible to Kindtact staff where necessary for abuse investigation or legal compliance, and we handle this responsibly. In the event of a data breach affecting your rights, we will notify you and the relevant regulator as required by law.
QR-specific privacy promises
- An owner's email, phone, home address, and name are never shown to a scanner at any point.
- A scanner's optional contact details are shown only to the owner of the specific QR code that was scanned.
- Scanners are never required to create an account or download an app.
- An owner can disable or delete any QR code from their dashboard at any time.
Emergency and misuse
Kindtact is not an emergency service. For urgent, dangerous, or life-threatening situations, contact local emergency services immediately. We may disclose data to emergency services or law enforcement where we have a good-faith belief it is necessary to prevent serious harm. If someone misuses a QR code to harass you, disable it from your dashboard and email hello@kindtact.com.
Changes to this policy
We update the "Last updated" date when this policy changes. For material changes (new processor, changed use) we will notify account holders by email before the change takes effect.
Contact and complaints
Kindtact Pty Ltd, Queensland, Australia. Email: hello@kindtact.com. We respond within 30 days.
Privacy regulators: Australia — OAIC (oaic.gov.au); New Zealand — OPC (privacy.org.nz); United Kingdom — ICO (ico.org.uk); European Union — your national DPA (edpb.europa.eu); United States — relevant state Attorney General.
Consistency with our other policies
This Privacy Policy is designed to be read alongside our other legal and product documents. Where there is any apparent inconsistency, this Privacy Policy prevails for matters of data privacy.
- Terms of Service — governs the contract between you and Kindtact. Termination of your account triggers the deletion timeline described in the Retention section above.
- Cookie banner — reflects the categories described in the Cookies and analytics section. Your consent choices are saved in your browser's localStorage and honoured on every subsequent visit.
- Pricing and payments — payment processing is handled by Stripe; we never see or store your full card number.
- In-app disclosures — QR sticker packaging and the scanner contact form carry short notices that summarise this policy. If those notices conflict with this full policy, this policy prevails.
- Data Deletion page — the step-by-step instructions at kindtact.com/data-deletion implement the rights described in the "Your choices and rights" and "Data deletion and Meta compliance" sections above.
If you notice a contradiction between any published document and this Privacy Policy, email hello@kindtact.com so we can correct it promptly.