Legal
Privacy policy.
Last updated: 2026-05-01
Hey Winnie is operated by Rift Engineering (ABN 85 613 964 115), based in Victoria, Australia. This policy is product-specific and covers the data flows unique to Hey Winnie: AI processing, WhatsApp, and email forwarding. For our company-wide practices (account data, advertising, international transfers, your rights), see the Rift Engineering privacy policy. Where this app-specific policy is silent, the Rift Engineering policy applies.
Hey Winnie is a household life-admin assistant. This policy explains what data we collect, why we collect it, and your rights under the Australian Privacy Principles (APPs).
What we collect
- Account data: your email (via magic-link sign-in) and the household name you choose.
- Content you create: tasks, calendar events, health records, profiles for household members and children.
- Messages you send the assistant: chat messages in-app and forwarded WhatsApp / email content.
- Files you attach: photos, PDFs, and voice notes, stored encrypted at rest in Supabase Storage.
- Usage telemetry: model and token counts per AI call (no message content), used for cost tracking.
Why we collect it
To run the service: store your data so you can come back to it, route messages through AI providers to extract tasks and events, and show you cost dashboards.
Who we share it with
Hey Winnie sends parts of your messages to the following providers for processing. Each provider is bound by their own privacy policy:
- Anthropic: primary AI model. Receives your chat messages, household context (member names, timezone), and tool-use results. Privacy policy.
- Google (Gemini API): image OCR for forwarded photos and PDF attachments. Privacy policy.
- Groq: voice transcription for WhatsApp voice notes. Privacy policy.
- Twilio: WhatsApp message inbound and outbound. Privacy policy.
- SendGrid: email forwarding inbound and transactional notifications outbound. Privacy policy.
- Supabase: database and storage hosting. Privacy policy.
- Vercel: application hosting. Privacy policy.
Health data
Hey Winnie stores health records you create (appointments, immunisations, medications, conditions, and notes) alongside other household data. Sensitive identifiers such as Medicare numbers are encrypted at rest (see our Medicare encryption feature). Parents and co-parents can export or delete all household data, including health records, via Settings → Privacy & data. Children's health data is managed under parental responsibility per the Australian Privacy Act (APP 11); when a child reaches the applicable age threshold, they may request migration of their records to their own account. Hey Winnie is not a HIPAA-covered entity and is not connected to the Australian My Health Record system.
Where it's stored
Data is stored in Supabase (Postgres + Object Storage). Database region is configured per project. See your Supabase dashboard for the specific region.
Your rights (under the Australian Privacy Principles)
- Access: request a full JSON export of all your household's data via Settings → Privacy & data → Request data export. The export includes signed download URLs for any attachments, valid for 7 days.
- Correction: edit or delete tasks, events, profiles, and messages directly in the app at any time.
- Deletion: fully delete your household and all associated data via Settings → Privacy & data → Delete my household. The deletion runs as a background job and you'll receive an email confirmation when complete. Cleanup typically completes within a few minutes.
- Complaint: if you believe we've mishandled your data, email the contact below. If we don't resolve it to your satisfaction, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Retention
- Active records: kept while your household exists.
- Soft-deleted ("Trashed") records: moved to Trash with a 30-day expiry, then hard-deleted by a daily job.
- Forwarded inbox items: kept for 7 days if not actioned, then expired.
Third-party data processing
Your messages and household data are not used to train AI models. Anthropic, Google, and Groq operate under their respective API terms which prohibit training on API traffic by default for paid usage tiers.
Cookies and analytics
Hey Winnie uses one cookie for authentication (your sign-in session). No analytics or tracking cookies. No third-party scripts.
Contact
Privacy questions, data requests, or complaints: privacy@riftengineering.com.au. Postal: Rift Engineering, Victoria, Australia (ABN 85 613 964 115).
Complaints unresolved by us can be escalated to the Office of the Australian Information Commissioner: oaic.gov.au.