Privacy Policy.
Version: 1.1
Effective date: 9 May 2026
Next scheduled review: 9 May 2027
Operator: Creator Alliance Group Pty Ltd ACN 689 817 070, trading as Vett
Privacy Officer: hello@getvett.com.au
Plain English summary
Vett collects only what's needed to run a Scan, operate your Account, and prevent misuse. Sensitive Information — including biometric photographs — is collected only with your express consent. We use named overseas processors (Google, FaceCheck, TinEye, Stripe, Neon, HIBP, Firecrawl). We never sell your data, never train AI models on it, and never use it for advertising. You can access, correct, delete, or port your data within 30 days. Notifiable data breaches are reported to the OAIC and to you. Features are released progressively. Where this Policy describes data handling for a specific feature (for example F1 morning-after debrief, F2 public-profile search, F3 court-record discovery, live-location share, push notifications, dark-web monitoring, watch-list, or Community Warnings), that handling applies only when and to the extent the feature is made available to your Account. Some features may be in limited beta, gated to a paid tier, or planned for a future release.
1. Definitions
In plain English
The defined terms used in this Privacy Policy mirror the Terms of Use. Key extra terms — Personal Information, Sensitive Information, Biometric Data, Subject Data — are set out below.
1.1 Defined terms
- "APP" means an Australian Privacy Principle in Schedule 1 of the Privacy Act 1988 (Cth) ("Privacy Act").
- "Biometric Data" means biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and biometric templates, both of which are Sensitive Information under section 6 of the Privacy Act. For the purposes of this Policy, Biometric Data includes any photograph processed by a facial-recognition or facial-comparison service.
- "NDB Scheme" means the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act.
- "OAIC" means the Office of the Australian Information Commissioner.
- "Personal Information" has the meaning given in section 6 of the Privacy Act.
- "Sensitive Information" has the meaning given in section 6 of the Privacy Act, including health information, biometric information, biometric templates, and information about a person's racial or ethnic origin, religious beliefs or sexual orientation, where collected.
- "Subject Data" means Personal Information about a Subject submitted by a User or processed by the Service in connection with a Scan.
- "Terms" means the Terms of Use at getvett.com.au/terms, which use the same defined terms as this Policy.
Capitalised terms not defined in this Policy have the meanings given in the Terms.
2. Who we are (APP 1)
- 2.1 The entity responsible for the handling of Personal Information described in this Policy is Creator Alliance Group Pty Ltd ACN 689 817 070, trading as Vett, an Australian proprietary limited company.
- 2.2 Registered office: Sydney NSW, Australia.
- 2.3 Privacy Officer: Michael Dewick. Reach the Privacy Officer at hello@getvett.com.au or by post to the address below.
- 2.4 Postal address for privacy correspondence: Sydney NSW, Australia, marked "Attention: Privacy Officer".
- 2.5 This Policy describes how Vett complies with the Australian Privacy Principles (APP 1–13) and the NDB Scheme.
- 2.6 Feature availability. The Service is delivered as an evolving product. Where this Policy describes the collection, use, retention, disclosure or cross-border transfer of Personal Information in connection with a specific feature, that description applies only if and to the extent the relevant feature is made available to your Account. A feature that is not yet available, that is in limited beta, that is gated behind a paid tier (for example Vett+), that is region- or device-restricted, or that has been suspended, sunset or removed, is not part of the Service supplied to you, and the corresponding data-handling description does not apply to you for that period. Vett may add, modify, suspend or withdraw any feature at any time; clause 24.1 (notification of material changes) and the user-rights provisions of this Policy continue to apply.
3. Collection of Personal Information (APP 3)
In plain English
We collect only what we need: account data, the data you submit about a Subject, the resulting scan output, basic usage data, payment metadata, and (where you use the feature) check-in / live-share data. Sensitive Information needs your explicit consent.
3.1 What we collect, by category
Each category below is collected only where the relevant feature is made available to your Account and you use it. Categories tied to a specific feature (for example live-location share, F1 morning-after debrief, push notifications, Community Warnings) are subject to clause 2.6. Where a feature is not available to you, the corresponding category is not collected.
3.1.1 User account data
- Email address (required);
- Mobile phone number (required for OTP / SMS notifications);
- Personal Identification Number (PIN) — stored as a salted bcrypt hash; plaintext PINs are never stored, transmitted in cleartext, or accessible to Vett staff;
- Authentication artefacts: one-time-password tokens (short TTL), JWT session cookies (httpOnly, Secure, SameSite=Strict);
- Express consents recorded at sign-up (sensitive-information, cross-border, acceptable-use), with timestamp and the version of the Terms accepted.
3.1.2 Scan input data (Subject Data)
- Photograph of the Subject (used for facial recognition and reverse image search);
- Subject's name (where submitted);
- Subject's mobile phone number (where submitted);
- Subject's social-media handle, dating-app username or profile URL (where submitted);
- Subject's email address (where submitted);
- Your stated reason for the Scan.
3.1.3 Scan results
- Report content, including findings, scores, signals, summaries;
- Breach-exposure indicators returned by HIBP;
- Image-match results returned by FaceCheck.id and TinEye;
- AI-generated synthesis returned by Google Gemini;
- Public-record signals retrieved via Firecrawl and public datasets.
3.1.4 Usage data
- Device type, operating system, browser/user-agent;
- IP address;
- Session timestamps, request paths, error codes;
- Push-notification tokens (where you have enabled push notifications).
3.1.5 Community Warning data
- Free-text description (visible to moderators only, never to other Users or to the Subject);
- Category, severity;
- Your Account ID (linked to your User record);
- A one-way SHA-256 hash with a server-side pepper of the Subject's identifying details. The plaintext Subject identifier is not stored.
3.1.6 Safety check-in / live-share data
- Nominated contact's name and mobile number;
- Venue name and suburb;
- Check-in time window;
- Optional location data, where the User chooses to enable live share;
- Reminder and consent acknowledgement records.
3.1.6.1 Live location sharing
Where you choose to start a Live Location session:
- Your device's geolocation coordinates (latitude, longitude) are transmitted to Vett every 30–60 seconds while the Vett app or browser tab is in the foreground;
- A unique, unguessable session token is generated and sent by SMS to your nominated contact only — it is not indexed, listed, or otherwise discoverable;
- The session has a hard maximum duration of 12 hours and an automatic expiry at the time you choose, after which the session is closed and no further updates are accepted;
- You may stop the session at any time from your device. Once stopped or expired, the friend's link will return a "session ended" view and no further coordinates are served;
- Your last-known coordinates are retained only for the duration of the safety check-in retention window (currently up to 7 days from the check-in time) and are then deleted as part of our retention sweep. We do not use live-location data for analytics, profiling, advertising, or training models;
- Friends viewing the live link receive only the data needed to render the map: your first name, the venue you selected, your current and venue coordinates, the last-update timestamp, and the session expiry. They do not receive your phone number, email, or any Vett report content;
- The friend-viewing page is loaded by Google Maps JavaScript, which means Google may receive the coordinates in order to render map tiles. We have no business relationship that exposes your raw location to Google beyond this technical rendering function.
You should only start a Live Location session with a contact you trust. Do not start a session under coercion. If you feel unsafe, you can stop the session immediately and contact 000 in an emergency or 1800RESPECT on 1800 737 732 for non-emergency support.
3.1.6.2 Morning-after debrief (Feature F1)
- Structured fields you select (overall feel, flag categories, future intent);
- Free-text notes you write about a Subject you previously Scanned;
- Your Account ID and the linked Report ID;
- Timestamps and edit history.
Debrief content is private to your Account by default. Vett does not share debrief content with the Subject, with your safety contact, with other Users, or with any third party except as required by law. Debrief content is treated as Sensitive Information for the purposes of clause 4 and is not used to train AI models. Retention: 24 months from creation, then automatically purged. You may delete any entry at any time; soft-deleted entries are removed from all systems within 30 days.
3.1.7 Payment data
- Stripe transaction ID, amount, GST component, product code;
- Vett does not see or store full primary account numbers, CVCs or expiry dates. Card data is processed solely by Stripe under PCI-DSS Level 1 controls.
3.2 How we collect
3.2.1 Personal Information is collected directly from you when you create an Account, run a Scan, submit a Community Warning, or contact support.
3.2.2 Personal Information about a Subject is collected indirectly from public sources (court records, business registers, news indices, breach databases) at the time of fulfilling a Scan you have requested. Vett does not maintain a standing database of Subjects: queries are made at run-time.
3.3 Why we collect
- To deliver the Scan you have requested and operate your Account;
- To detect and prevent misuse, fraud and abuse;
- To comply with our legal obligations, including taxation and lawful disclosure;
- To respond to your support enquiries; and
- To improve the Service in aggregated, de-identified form.
4. Sensitive Information (APP 3.3)
In plain English
Photographs that we send to facial-recognition or reverse-image services are Sensitive Information under the Privacy Act. We collect Sensitive Information only with your explicit, granular, informed consent. You can withdraw consent at any time.
- 4.1 Vett collects the following categories of Sensitive Information:
  - photographs that are processed as Biometric Data via FaceCheck.id and TinEye;
  - geolocation data and venue information selected by you in the safety check-in / live-share feature;
  - free-text descriptions in Community Warnings, which may include inferences about another person's behaviour or relationships;
  - inferences derivable from a Subject's relationship history disclosed by you;
  - structured fields and free-text notes in your morning-after debrief (Feature F1), which may include inferences about another person's behaviour, your own emotional state, and the nature of your interaction with the Subject.
- 4.2 Vett collects each category of Sensitive Information only with your explicit, granular, informed consent, captured by separate consent controls in the application and recorded against your Account with a timestamp and a copy of the version of the Terms accepted.
- 4.3 You may withdraw any consent at any time at the in-app Data Request page or by emailing hello@getvett.com.au. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal but may end your access to the relevant feature.
5. Unsolicited information (APP 4)
- 5.1 If Vett receives Personal Information that it did not solicit (for example, where a User mistakenly submits unrelated material in a misuse report), Vett will, within a reasonable period, determine whether the information could have been collected under APP 3.
- 5.2 If the information could not have been so collected, and is not contained in a Commonwealth record, Vett will, as soon as practicable, destroy or de-identify the information.
6. Collection notice (APP 5)
In plain English
At or before the time we collect Personal Information from you, we'll tell you who we are, why we're collecting it, who we'll share it with, the consequences of not providing it, and how to access or correct it.
Vett provides an APP 5 collection notice in-app at the point of collection (sign-up, before each Scan, before submitting a Community Warning, before initiating a safety check-in). The notice includes the matters set out in APP 5.2, including: the identity and contact details of Vett; the fact and purposes of collection; the consequences of not providing the information; the entities to which Vett usually discloses the information; the existence of this Policy; and how to access, correct, or complain.
7. Use and disclosure (APP 6)
In plain English
We use your Personal Information for the primary purpose for which it was collected. We don't sell it. We don't use it for advertising. We don't use your Scan content to train AI models.
- 7.1 Primary purpose. Vett uses Personal Information for the primary purpose for which it was collected, namely the provision of the Service.
- 7.2 Secondary purposes. Vett may use Personal Information for secondary purposes only where:
  - you would reasonably expect Vett to use it for that purpose, and the secondary purpose is related (or, for Sensitive Information, directly related) to the primary purpose;
  - you have consented;
  - it is required or authorised by law; or
  - another exception in APP 6.2 applies, including the "permitted general situation" of lessening or preventing a serious threat to life, health or safety (APP 6.2(c)).
- 7.3 No sale. Vett does not sell, rent or trade Personal Information.
- 7.4 No advertising use. Vett does not use your Personal Information for direct marketing without your consent and does not disclose it to advertising platforms or data brokers.
- 7.5 No AI training. Vett does not, and contractually requires its AI sub-processors not to, use the content of your Scans, Reports, photographs or messages to train production AI models. Google Gemini API requests are submitted under terms that prohibit prompt-data training.
8. Direct marketing (APP 7)
- 8.1 Vett will only use or disclose Personal Information for direct marketing where you have consented.
- 8.2 Every marketing communication includes a simple, no-cost opt-out mechanism. You may opt out at any time at the in-app Data Request page or by emailing hello@getvett.com.au.
- 8.3 Transactional communications (Scan completion, payment receipts, safety alerts, security notices, legal updates) are not direct marketing and may continue while your Account is active.
9. Cross-border disclosure (APP 8)
In plain English
Some of our service providers are located outside Australia. Where we send your data overseas, we either rely on your express consent (APP 8.3(a)) or on contractual safeguards that require the recipient to handle the data in line with the APPs (APP 8.2(b)). The full list is below.
9.1 Recipients
| Recipient | Country | Purpose | Basis |
| --- | --- | --- | --- |
| FaceCheck.id (FaceCheck LLC) | International (operator-disclosed) | Facial recognition matching against indexed public images | APP 8.3(a) — express consent |
| TinEye (Idée Inc.) | Canada | Reverse image search | APP 8.3(a) — express consent (Canada is recognised as having substantially similar privacy law) |
| Google LLC (Gemini API / Vertex AI) | United States | AI analysis and summarisation of Scan data, and morning-after debrief pattern analysis (F1, Vett+ only and against the User's own debrief history only) | APP 8.3(a) — express consent; Google contractual terms prohibit training on prompt data |
| Google LLC (Custom Search Engine) | United States | Allowlisted public-profile search across permitted public sources (F2) | APP 8.3(a) — express consent; query strings transmitted to Google for indexing |
| AustLII (Australasian Legal Information Institute) | Australia | Public Australian case-law text and citation retrieval for the court-records component (F3) | APP 6.1 — primary purpose of the Service; AustLII attribution displayed with every finding |
| NSW Caselaw (NSW Department of Justice) | Australia | NSW court judgment listings and decisions for the court-records component (F3) | APP 6.1 — primary purpose of the Service; public government data |
| RevenueCat, Inc. | United States | Subscription state management for Vett+ via Apple App Store and Google Play in-app purchases | APP 8.2(b) — contractual protections; SCCs |
| Apple Inc. (APNs) | United States | Delivery of push notifications to iOS devices | APP 8.2(b) — contractual protections under Apple Developer Program |
| Google LLC (Firebase Cloud Messaging) | United States | Delivery of push notifications to Android devices | APP 8.2(b) — contractual protections; SCCs |
| Neon, Inc. | United States | Managed PostgreSQL database hosting (primary application database) | APP 8.2(b) — contractual protections substantially similar to the APPs; encryption at rest |
| Have I Been Pwned | United Kingdom | Breach exposure lookups (k-anonymous prefix where supported) | APP 8.3(a) — express consent (UK recognised as having substantially similar privacy law) |
| Stripe, Inc. / Stripe Payments Australia Pty Ltd | United States / Australia | Payment processing, subscription billing, refunds | APP 8.2(b) — PCI-DSS Level 1; SCCs; APP-equivalent contractual terms |
| Firecrawl, Inc. | United States | Public-page retrieval (profile verification) | APP 8.3(a) — express consent |
| Resend, Inc. | United States | Transactional email delivery | APP 8.2(b) — contractual protections; SCCs |
| Twilio Inc. | United States | SMS delivery (OTP, check-in alerts) | APP 8.2(b) — contractual protections; SCCs |
9.2 Where Vett relies on APP 8.3(a) (your express consent) for a transfer, you acknowledge that, by virtue of section 16C and APP 8.3, Vett is not accountable under APP 8.1 for the recipient's acts in respect of the transferred information. You retain rights against Vett for any breach of contract and may have separate rights against the recipient under the law of its jurisdiction. Where Vett relies on APP 8.3(a) (your express consent) for an overseas disclosure, before you give that consent we tell you that, by giving consent, you accept that Vett will not be required under APP 8.1 to take reasonable steps to ensure the overseas recipient does not breach the APPs in respect of the information. This notice is also surfaced in-app at the granular consent gate at first sign-in.
9.3 Sub-processor changes: Vett may add or replace sub-processors. Material changes are notified in-app at least 30 days before they take effect.
10. Government identifiers (APP 9)
10.1 Vett does not collect, use, store, adopt or disclose any government-related identifier (including Tax File Numbers, Medicare numbers, driver's licence numbers, or passport numbers) as an identifier of an individual within the Service.
10.2 Vett does not require government photo identification to use the Service.
11. Data quality (APP 10)
- 11.1 Vett takes reasonable steps to ensure the Personal Information it collects is accurate, up-to-date and complete, and that information used or disclosed is, having regard to the purpose, accurate, up-to-date, complete and relevant.
- 11.2 Where Personal Information is derived from third-party public sources, you may request correction or annotation of any inaccuracy under clause 14.
- 11.3 Vett does not represent that information returned from Third-Party Services (including FaceCheck.id matches, TinEye matches, breach data, and AI-generated summaries) is accurate, complete or up to date.
12. Security (APP 11)
In plain English
We use modern technical controls — bcrypt for PIN hashing, httpOnly Secure cookies, HTTPS everywhere, SHA-256 hashing for community-warning identifiers, MFA on admin access, and audit logging.
- 12.1 Technical measures include:
  - TLS 1.2+ in transit;
  - encryption at rest where supported by the storage provider;
  - bcrypt salted hashing for User PINs (no plaintext PINs are stored);
  - JWT-based session authentication using httpOnly, Secure, SameSite=Strict cookies;
  - SHA-256 hashing of Subject identifiers in Community Warnings, with a server-side pepper held outside the application database;
  - strict scoping of administrative access, with multi-factor authentication and audit logging;
  - rate-limiting and abuse detection on a per-IP and per-Account basis;
  - regular dependency scanning and code review;
  - an internal security incident-response process tied to the NDB Scheme.
- 12.2 Staff access to Personal Information is granted on a need-to-know basis, requires multi-factor authentication, and is audit-logged. Unauthorised access is a disciplinary matter and may be a breach of the Privacy Act.
- 12.3 Vett securely destroys or de-identifies Personal Information that is no longer needed in accordance with the retention schedule in clause 21.
13. Access to your Personal Information (APP 12)
- 13.1 You may request access to the Personal Information Vett holds about you at any time at the in-app Data Request page or by emailing hello@getvett.com.au.
- 13.2 Vett will respond within 30 days of receiving the request and will provide access in a format reasonably appropriate to the request (typically a structured JSON export).
- 13.3 Vett may refuse access only on a ground specified in APP 12.3 (including where access would have an unreasonable impact on the privacy of another individual, would prejudice an investigation of unlawful activity, or where the information relates to existing or anticipated legal proceedings). Where access is refused, Vett will provide written reasons and information about complaint avenues.
- 13.4 Vett does not charge for making an access request. A reasonable cost-recovery fee may apply where the form of access requested imposes disproportionate effort.
14. Correction of your Personal Information (APP 13)
- 14.1 You may request correction of any Personal Information Vett holds about you that you believe is inaccurate, out-of-date, incomplete, irrelevant or misleading.
- 14.2 Vett will respond within 30 days and, if it agrees, will take reasonable steps to correct the information and notify any third parties to whom Vett has previously disclosed the information.
- 14.3 If Vett refuses correction, you may request that a statement of your view be associated with the relevant record. Vett will take reasonable steps to do so.
15. Biometric Data
In plain English
We send your Subject's photograph to FaceCheck.id and TinEye for matching. We do not generate, store, or maintain a biometric template, vector or face print. We delete the photograph from our systems after the Scan completes.
- 15.1 Photographs uploaded as Scan input are Sensitive Information and constitute Biometric Data.
- 15.2 Vett:
  - does not generate, store or hold biometric templates, vectors, embeddings, face prints or other biometric identifiers within its own systems;
  - does not maintain a biometric database;
  - transmits the photograph to FaceCheck.id and TinEye solely for the purpose of executing the Scan you requested;
  - deletes the photograph from Vett's storage as soon as the Scan completes (the structured outcome — match counts, signals — is retained as part of the Report under clause 21);
  - relies on your express consent under section 6 and APP 3.3 of the Privacy Act as the basis for processing.
- 15.3 You acknowledge that FaceCheck.id and TinEye are independent processors and that their processing of the photograph is governed by their own privacy policies.
- 15.4 If you withdraw consent to biometric processing, you will no longer be able to run Scans that include a photograph.
16. Subject Data
In plain English
When you submit data about another person (the Subject), you are responsible for having a legitimate basis to do so. Vett's role is limited: we run the Scan you requested, return a Report to you, and delete the photograph after the Scan.
- 16.1 Subject Data is Personal Information about a third party submitted by the User.
- 16.2 As between Vett and the User, the User warrants that they have a lawful basis to submit Subject Data, that submission is for a genuine personal-safety purpose, and that submission does not breach any restraining order, AVO, family-law order or non-contact undertaking.
- 16.3 Vett's role in respect of Subject Data is limited to executing the Scan and returning the Report to the User. Vett does not maintain a standing dossier of Subjects and does not market to Subjects.
- 16.4 Vett deletes Subject photographs at the end of each Scan and retains other Subject Data only as set out in clause 21.
- 16.5 A Subject who can demonstrate, through Vett's data-request flow, that information held by Vett relates to them and is materially inaccurate may request review and removal under clauses 13 and 14.
- 16.6 Subjects cannot enumerate, search, or download Community Warnings against themselves through the Service. This protects the safety of submitting Users.
17. Notifiable data breaches
In plain English
If a data breach is likely to result in serious harm and we can't prevent that harm, we will notify the OAIC within 30 days and contact affected Users as soon as practicable.
- 17.1 Vett is covered by the NDB Scheme. An "eligible data breach" occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, Personal Information held by Vett, and a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to one or more affected individuals, and Vett has not been able to prevent the likely risk of serious harm with remedial action.
- 17.2 Process.
  - Vett completes a suspected-breach assessment within 30 days of becoming aware of the suspected breach (sooner where practicable).
  - Where the breach is eligible, Vett notifies the OAIC and all individuals at risk of serious harm as soon as practicable, with a statement under section 26WL of the Privacy Act including: a description of the breach, the kinds of information involved, recommended steps for affected individuals, and remediation actions.
  - Vett maintains a Data Breach Register, retained for at least 2 years.
  - The designated security contact is hello@getvett.com.au (also accepts coordinated security disclosure).
- 17.3 Coverage. NDB coverage explicitly includes: Account credentials and PIN hashes; payment metadata; Report contents; Subject hashes and verified-purchase flags; Community-Warning descriptions; breach-monitoring snapshots; biometric photographs in transit; misuse reports; debrief content; and data-subject-request correspondence.
18. Children
- 18.1 Vett is for adults only (18+). Account creation requires affirming you are 18 or over. Where a person who may be under 18 is the subject of a search, Vett will not run automated court-record or conversation-analysis searches against them and will halt processing if a minor is identified during a search.
- 18.2 If you become aware that a minor has signed up, or that a Scan has been conducted in respect of a minor, please report it immediately to hello@getvett.com.au. Vett will promptly delete the Account and the relevant data, and may notify the relevant child-protection authority and the eSafety Commissioner where required.
19. eSafety Commissioner
- 19.1 Vett is a covered service under the Online Safety Act 2021 (Cth) and complies with the Basic Online Safety Expectations Determination by:
  - providing accessible in-app reporting (the Report Misuse flow);
  - promptly actioning validated reports of illegal or seriously harmful content;
  - being able to remove content and suspend accounts;
  - responding to lawful notices from the eSafety Commissioner, including content-removal and information-gathering notices.
- 19.2 Harmful content (including image-based abuse, cyberbullying, technology-facilitated abuse, and harmful Community Warnings) may be reported in-app at "Report Misuse" or to the eSafety Commissioner at esafety.gov.au.
20. State-specific notes
- 20.1 Coercive control is criminalised differently across Australian States and Territories, including under section 54D of the Crimes Act 1900 (NSW), the Family Violence Protection Act 2008 (Vic), and section 334A of the Criminal Code (Qld). The elements of the offence and the available remedies vary by jurisdiction.
- 20.2 Vett does not characterise the conduct of any Subject in legal terms. Community-Warning categories (such as "controlling behaviour") reflect the submitting User's personal experience and are not a legal characterisation.
- 20.3 If you believe a person has engaged in conduct that may amount to a criminal offence, you should seek independent legal advice and may report to police.
- 20.4 If you are at risk, contact 000 (Police, Fire, Ambulance), 1800RESPECT (1800 737 732) or Lifeline (13 11 14).
20A. How we use AI (APP 1.4 disclosure)
In plain English
Vett uses AI (Google Gemini) to summarise what we find in a Scan and to surface patterns in your own morning-after debrief history (Vett+ only, F1). The AI does not take any action on your behalf — it generates text you read. We never use your data to train an AI model, and a human reviews every flagged or escalated case.
- 20A.1 Where AI is used.
  - Generating natural-language summaries of Scan findings;
  - Surfacing recurring patterns within your own morning-after debrief history (Feature F1, Vett+).
- 20A.2 Model and provider. Vett uses Google LLC's Gemini model family via the Gemini API. No other model provider is used at the time of this Policy.
- 20A.3 No autonomous action. AI output is informational only. The Service does not use AI to take any action that affects you or any third party — it does not contact anyone, file reports, make payments, escalate to police, or change your Account state.
- 20A.4 Limitations. AI output may be incomplete, inaccurate, biased, or misleading. AI output is never a clinical, psychological, legal, forensic, or domestic-and-family-violence risk assessment. Where AI output describes patterns observed in messages or in your debrief history, those are signals for your reflection, not findings of fact about any person.
- 20A.5 No training on your data. Vett does not use your data to train AI models. Google Gemini API requests are submitted under contractual terms that prohibit training on prompt data.
- 20A.6 Human in the loop. Where AI output triggers an escalation (e.g. a moderation flag is raised, or a subject-access request is received), a human reviews the matter before any decision is taken.
- 20A.7 Right to opt out. You may opt out of AI-assisted features in your Account settings. Opting out disables AI-summarised Scan output (in which case the Scan returns structured findings without a natural-language summary) and AI-assisted debrief pattern surfacing.
21. Retention schedule
In plain English
We hold Personal Information only for as long as we need it for the purpose for which it was collected, or to meet a legal obligation.
| Data type | Retention | Basis |
| --- | --- | --- |
| Account data (email, phone, PIN hash, consents) | Duration of Account, plus 7 years | Tax / legal-hold obligations |
| Scan reports | 12 months from creation, or until the User deletes the Report (whichever is earlier) | User access and recall; minimisation |
| Photographs (Scan input — Biometric Data) | Duration of the Scan only; deleted as soon as the Scan completes | Data minimisation; APP 11.2 |
| Payment records (Stripe metadata) | 7 years | ATO record-keeping; AML obligations |
| Safety check-in / live-share session data | 24 hours from check-in close | Data minimisation; short-lived purpose |
| Community Warnings (approved) | Until removed or until 12 months after submission, whichever is later, then anonymised (description cleared, submitter ID severed; aggregate hash retained) | Fraud prevention; trend audit |
| Community Warnings (rejected) | Brief moderation-audit period, then deleted | Audit trail |
| Search and request logs | 7 years | Misuse investigation; lawful disclosure |
| Operational logs (IP, user-agent) | 90 days | Security; abuse prevention |
| OTP / authentication tokens | Token TTL only (typically minutes) | Authentication |
| Misuse reports | 2 years (legal hold), then anonymised | Disciplinary record |
| Data-subject-request correspondence | 2 years | Audit / compliance evidence |
| Morning-after debrief entries (F1) | 24 months from creation; soft-deleted entries purged within 30 days | User access and recall; minimisation |
| Push-notification tokens | Until you disable push or delete the Account | Authentication of device for safety alerts |
| Data Breach Register entries | At least 2 years | NDB compliance |
21.1 At the end of the relevant retention period, Vett securely destroys or de-identifies the relevant Personal Information.
22. Cookies and tracking
- 22.1 Vett uses only first-party cookies necessary for authentication and session management (an httpOnly, Secure, SameSite=Strict JWT session cookie and CSRF protection tokens).
- 22.2 Vett does not use Google Analytics, Meta Pixel, advertising trackers, third-party behavioural-advertising tags, or fingerprinting libraries.
- 22.3 Push-notification tokens are stored only where you have enabled push notifications and are deleted on opt-out.
23. Complaints
- 23.1 If you believe Vett has interfered with your privacy or breached the APPs, you may complain in writing to hello@getvett.com.au.
- 23.2 Vett will acknowledge your complaint within 5 Business Days and will provide a substantive response within 30 days.
- 23.3 If you are not satisfied with Vett's response, you may complain to the OAIC on 1300 363 992 or via oaic.gov.au.
24. Changes to this Policy and contact
- 24.1 Vett may amend this Policy from time to time. Material changes (changes to the categories of Personal Information collected, the lawful basis, sub-processors, retention or your rights) are notified in-app at least 30 days before they take effect, and presented at next sign-in for re-acceptance where required.
- 24.2 The current version is always available at getvett.com.au/privacy.
- 24.3 Contact:
  - Privacy queries, access, correction, deletion, complaints, NDB enquiries, security disclosures: hello@getvett.com.au
  - Legal queries, misuse referrals, lawful-disclosure requests: hello@getvett.com.au
  - Postal address: Sydney NSW, Australia, marked "Attention: Privacy Officer"