Privacy Policy
Version 1.4.0 — effective 2026-07-03
1. About this policy
This Privacy Policy explains how Stead collects, uses, discloses, and otherwise handles your personal information. It applies whenever you access or use the Stead application — including signing in, recording transactions, setting budgets, and receiving emails from us.
This policy is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It was last updated on 2026-07-03 and applies from that date.
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood it.
2. Who we are
Stead is operated by Daniel Gamble (sole trader), ABN 15 639 096 880. We are the entity responsible for the personal information we collect and hold about you.
For privacy enquiries, contact us at: support@steadapp.com.au
3. What information we collect and why
We collect personal information that is necessary to provide the Service. We collect it directly from you when you use the application.
Account and identity
- Email address — account identification and communication
- Display name — personalisation and partner-facing features
- Avatar selection — in-app personalisation (pixel-art character choice)
- Password (stored as a bcrypt hash, cost 12 — the plaintext is never retained)
- Password reset tokens (SHA-256 hashed, single-use, expire after 1 hour)
- Email verification tokens (SHA-256 hashed, expire after 1 hour)
Financial data
- Transactions — amount (stored as integer cents in AUD), date, category, description, type (income / expense / transfer), ownership (personal / partner / shared), privacy flag
- Budget allocations by category and month
- Savings goals — target amount, target date, contributions and progress
- Quick-saves — micro-saving entries and streak history
- Recurring financial rules — amount, frequency, category, start date
- Account balances — account name, type (savings, offset, investment, property, loan) and balance; you enter these manually — we do not connect to your bank
- Partner linking — if you link to a partner account, we record the bidirectional user ID association
Usage and technical data
- Session tokens — JSON Web Tokens stored in httpOnly cookies, valid for 24 hours
- Authentication logs — login timestamps and outcomes
- Rate-limit counters — a SHA-256 hash of your IP address (not the raw IP) used solely for rate limiting on authentication and mutation endpoints; held briefly in Upstash Redis with a short expiry and not stored in our database
- Error and crash data — error messages, stack traces, request metadata, and browser/device info collected by Sentry when the application encounters an error
- Product-analytics data — which pages you visit and which features you use (for example completing onboarding, creating a goal, or making a quick-save), collected by PostHog so we can understand how the app is used and improve it. Events are tied to a dedicated, random analytics identifier that is separate from your account id and contain no personal information — no name, email, transaction details, or amounts. Page addresses are stripped of any identifiers before they are recorded. This is used only to improve the product; it is never sold or used for advertising, and you can turn it off at any time (see “Your rights” below).
We do not collect: government-issued ID numbers, health data, biometric data, criminal history, or payment card details. We do not connect to your bank or financial institution.
4. How we use your information
We use your personal information only for the purposes for which it was collected:
- Service delivery — creating and maintaining your account, authenticating you securely, storing and displaying your transactions, budgets, goals, and accounts, enabling partner-linked features (shared transactions, settlements).
- Engagement and gamification — awarding badges, tracking savings streaks, enabling quick-save challenges, and delivering the weekly digest email to encourage consistent savings behaviour.
- Transactional communications — sending password reset emails, email verification messages, and the weekly digest. We do not send marketing email.
- Error monitoring and reliability — detecting and diagnosing application errors and crashes so we can fix them promptly.
- Security and fraud prevention — enforcing rate limits, detecting unusual access patterns, and protecting accounts from unauthorised access.
- Legal compliance — retaining financial records as required by Australian tax law (ATO record-keeping obligations) and responding to lawful requests from authorities.
We do not sell your personal information to third parties. We do not use your financial data for advertising or profiling.
5. Sharing your information with third-party processors
We use the following third-party service providers to operate the Service. Each acts as a data processor on our behalf, handling your information only as instructed and for the purpose stated.
Neon — Database hosting
Hosts the PostgreSQL database that stores all your account, transaction, budget, goal, and settings data. Region: Australia (Sydney).
Vercel — Application hosting and deployment
Hosts and serves the Next.js application, including server-side rendering, serverless API functions, and Edge Runtime middleware. Processes all requests you make to the app. Region: United States (and edge locations globally).
Sentry — Error monitoring and performance tracing
Captures error reports, stack traces, and performance traces when the application encounters an issue. May include request metadata and browser/device information. Sensitive fields (passwords, tokens) are scrubbed before transmission. Region: European Union. Data retained for 90 days on the free tier.
PostHog — Product analytics
Records pseudonymised usage analytics (pages visited, features used) so we can understand how the app is used and improve it. Events are keyed to a dedicated random analytics identifier — never your name, email, transactions, or amounts — and page addresses are stripped of identifiers before recording. Not used for advertising and never sold. You can opt out at any time in Settings → Privacy, and “Do Not Track” is honoured automatically. Region: European Union.
Analytics requests are sent to our own subdomain (e.steadapp.com.au) rather than directly to PostHog, so that privacy/ad-blocking tools do not silently drop them. This is a transport arrangement only — it collects nothing extra, and your opt-out and “Do Not Track” choices still stop analytics entirely before anything is sent. In transit these requests pass through Cloudflare (PostHog’s content-delivery network) before reaching PostHog in the European Union — see the Cloudflare entry below.
Resend — Transactional email
Delivers password reset emails, email verification messages, and weekly digest emails. Processes your email address and the content of outbound messages. Region: United States.
Upstash — Distributed rate limiting (Redis)
Stores rate-limit counters used to protect authentication and mutation endpoints from abuse. Counters are keyed by a SHA-256 hash of the requester's IP address — the raw IP is never stored. Counters expire automatically (short TTL, typically seconds to minutes). Region: Asia-Pacific (ap-southeast).
Cloudflare — Encrypted database backups + analytics transit
Backups (R2): stores encrypted nightly snapshots of the database for disaster-recovery purposes. Backups are encrypted at rest. Retained for 30 days on a rolling basis, then automatically deleted. Region: Oceania (as configured).
Analytics transit: our analytics subdomain (e.steadapp.com.au) is served over Cloudflare’s global edge network, which forwards analytics requests on to PostHog in the European Union. Cloudflare is a transit provider here only — it carries the requests, does not store the analytics data, and the events contain no personal information (see PostHog above).
Google — OAuth sign-in (optional)
If you choose to sign in with Google, your authentication is handled by Google OAuth. Google will share your email address and profile name with us to create or identify your account. We do not receive your Google password. Region: global. This is optional — you may sign in with email and password instead.
We do not share your personal information with any other third parties except as required by law or with your explicit consent.
6. Cross-border data transfers
Your primary data is hosted in the Australian/Asia-Pacific region: the database (Neon, Sydney) and the nightly database backups (Cloudflare R2, Oceania region) are in Australia, and rate-limiting data (Upstash) is in Asia-Pacific (ap-southeast). Some ancillary services are processed overseas: application compute (Vercel) may run in global edge locations, error monitoring (Sentry) and product analytics (PostHog) are in the European Union, and email delivery (Resend) is in the United States. Analytics requests reach PostHog via Cloudflare’s global edge network (transit only; no analytics data is stored there). As a result, some of your personal information — minimised where possible — is transferred to and processed in countries outside Australia.
These countries may not have privacy laws that provide the same level of protection as Australian law. We take reasonable steps to ensure that our overseas processors handle your information in a manner consistent with the Australian Privacy Principles by:
- Selecting processors that maintain robust privacy and security programmes
- Reviewing processor privacy policies before engagement
- Limiting the scope of data shared to what is strictly necessary for the service
By using Stead, you consent to the transfer of your personal information to these countries for the purposes described in this policy.
7. How long we keep your information
We retain your information for as long as necessary to provide the Service and meet our legal obligations:
- Financial records (transactions, budgets, goals) — 7 years from the date of creation, in line with ATO record-keeping requirements. Once that period expires, records belonging to deleted accounts are hard-deleted, as APP 11 requires for information we no longer need.
- Account PII (email, display name, password hash) — retained while your account is active. Upon account deletion, PII is removed within 30 days by an automated deletion job. You have a 30-day restore window before deletion is permanent.
- Session tokens — 24 hours from issuance, then invalidated automatically.
- Password reset tokens — 1 hour from issuance, or immediately upon use (whichever is sooner). Single-use only.
- Email verification tokens — 1 hour from issuance.
- Authentication and audit logs — 2 years, then deleted.
- Error monitoring data (Sentry) — 90 days, per Sentry's free-tier data retention policy, then automatically purged by Sentry.
- Product-analytics data (PostHog) — retained for up to 12 months, then deleted. It is pseudonymised (keyed to a dedicated analytics identifier, never your account details) and you can opt out at any time.
- Database backup files (Cloudflare R2) — 30 days rolling. Each nightly backup is automatically deleted once it is older than 30 days.
8. Your rights
Under the Australian Privacy Principles, including APP 12 (access) and APP 13 (correction), you have the following rights:
- Access (APP 12) — request a copy of the personal information we hold about you. You can download a full export of your data at Settings → Data → Export (available in JSON and CSV formats). You may also contact us directly.
- Correction (APP 13) — request that we correct personal information that is inaccurate, out of date, incomplete, or misleading. You can update your display name and other profile details at Settings → Profile. For corrections we cannot automate, contact us.
- Deletion — request deletion of your account and all associated data. You can initiate this at Settings → Account → Delete Account. There is a 30-day restore window during which you can cancel the deletion. After 30 days, your PII is permanently deleted by an automated job; financial records are retained only for the period set out in section 7 and then hard-deleted.
- Withdrawal of consent — you may withdraw consent to optional processing at any time via Settings. This includes turning off product analytics at Settings → Privacy (we also honour your browser's “Do Not Track” signal). Withdrawal does not affect processing carried out before you withdrew consent.
- Complaint — if you believe we have mishandled your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
To exercise any of the above rights, contact us at support@steadapp.com.au. We will respond within 30 days. We will not charge a fee for reasonable access requests.
9. Security
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure:
- Passwords — hashed with bcrypt at cost 12. Plaintext passwords are never stored or logged.
- Encryption in transit — all data is transmitted over HTTPS (TLS 1.2 or higher) between your browser and our servers.
- Field-level encryption — your email address and display name are encrypted with AES-256-GCM at the application layer before they are written to the database. The encryption keys are held separately from the database, so a leaked database snapshot does not by itself reveal them. Note that the running application holds the keys, so this is not zero-knowledge encryption — we can access your data to operate the service.
- Encryption at rest — the database (Neon, Sydney) and the nightly backups (Cloudflare R2) are encrypted at rest at the storage layer.
- Session management — authentication cookies are httpOnly, SameSite=Lax, and expire after 24 hours. They are inaccessible to JavaScript running in the browser.
- Access control — all API routes validate your session before returning data. Data is scoped strictly to your user ID. Partner data is only accessible when explicitly marked as non-private.
- Rate limiting — authentication and mutation endpoints are rate-limited using Upstash Redis to prevent brute-force attacks.
- Tokens — password reset and email verification tokens are SHA-256 hashed before storage and are single-use with short expiry windows.
- Content Security Policy — a strict CSP is enforced on all pages to mitigate cross-site scripting and injection attacks.
Despite these measures, no system is entirely secure. If you believe your account has been compromised or you have identified a security vulnerability, please contact us immediately at support@steadapp.com.au.
10. Children
Stead is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that a person under 18 has created an account, we will delete their account and all associated data within 30 days.
If you believe a minor has provided us with personal information, please contact us at support@steadapp.com.au.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make changes, we will update the effective date at the top of this page.
For material changes — those that significantly affect your rights or how we handle your data — we will notify you by email to the address associated with your account prior to the changes taking effect, giving you at least 14 days' notice where reasonably practicable.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree to the changes, you may request account deletion before they take effect.
12. Contact us and complaints
For any questions about this Privacy Policy, to exercise your privacy rights, or to report a concern, contact us:
Email: support@steadapp.com.au
Entity: Daniel Gamble (sole trader), ABN 15 639 096 880
We aim to respond to all privacy enquiries within 30 days.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001