Last updated: 2026-05-16

Australia — Privacy Notice (Privacy Act 1988 and the APPs)

This page is the Australian-specific privacy notice Gila publishes for Australian residents under the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) in Schedule 1 to that Act. It supplements — and does not replace — our main Privacy Policy and Health Data Notice. Where this notice and the main Privacy Policy diverge for an Australian user, this notice controls.

If anything is unclear, email dpo@gila.coach and we will explain it.


1. Why this notice exists, and why we apply the APPs

The Privacy Act applies to "APP entities" — federal agencies and private-sector "organisations" that meet the criteria in s. 6 of the Act. Private-sector organisations with annual turnover below AUD 3 million are generally exempt under the small-business exemption in s. 6D, but the exemption does not apply to organisations that provide a health service and hold health information (s. 6D(4)(b)).

Gila collects and uses health information about Australian users (body weight, GLP-1 medication, mood, food intake, fitness signals, AI-derived health insights) — see §3 below. We consider it likely that we hold "health information" within the meaning of s. 6FA and that we are not entitled to rely on the small-business exemption for Australian users. Independently of how that analysis resolves, we have decided to apply the 13 Australian Privacy Principles to our processing of Australian users' personal information.

This is consistent with how we approach every jurisdiction: where we materially process personal information about residents, we apply the local standard, even when statutory thresholds might technically excuse us.


2. APP 1 — open and transparent management

This notice, our main Privacy Policy, Health Data Notice, and subprocessor list together discharge our APP 1 obligation to maintain a clearly expressed and up-to-date privacy policy, and to take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs.

Specifically, our compliance practices include:

The Privacy Officer for Australia is Sezen Soykut, reachable at dpo@gila.coach.


3. APP 3 — collection of solicited personal information

Gila collects only personal information that is reasonably necessary for the functions and activities of the service (APP 3.1, 3.2).

Personal information

  • Email address, display name, OAuth subject ID (Google or Apple Sign-In), push device token, profile photo URL
  • Locale, time zone, app version, device OS

Sensitive information (APP 3.3 — including health information)

The Privacy Act defines sensitive information in s. 6 to include health information, biometric information, and several other special categories. Gila collects the following sensitive information from Australian users:

  • Health information (s. 6FA): body weight, GLP-1 medication name and dose, injection zone, injection date, pain level, side effects (description and severity), mood entries, food intake (calories, macronutrients, meal photos), Apple Health / Health Connect synced signals (steps, sleep, heart rate, active minutes), AI-derived health insights, journal entries that reveal physical or mental state

APP 3.3 requires that we collect sensitive information only with the individual's consent, and only if the information is reasonably necessary for one of our functions or activities. The consent must be express, and it must be obtained in a way that allows the individual to provide it knowingly and voluntarily.

We do not collect:

  • Biometric templates (Face ID / Touch ID stay on your device — Gila never receives them)
  • Genetic data
  • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal record (directly; free-text journal content may incidentally include such categories and is protected by the same controls)

How we obtain APP 3.3 consent

Before any health-information field is written to our database, we present an in-app consent gate (LegalConsentGate in lib/widgets/legal/) that satisfies APP 3.3 and APP 5:

  • Health-data consent is express, separate from the terms-of-service acceptance, and granular by purpose (health tracking, AI features, community sharing each have their own affirmative action)
  • The screen states the categories of personal information collected, the purposes, the recipients (Supabase US; Google Gemini US when AI features are invoked; Apple Health or Health Connect on-device only), and the cross-border destination
  • A link to this notice is rendered above the consent control
  • Withdrawal is reachable from Settings → Privacy → Consents in two taps

A consent receipt is persisted in public.consent_log for each acceptance (policy version, accepted categories, jurisdiction, timestamp, source) so we can demonstrate the APP 3.3 consent on request.


4. APP 5 — notification at the time of collection

At the point of collection, we give you a concise on-screen notice that identifies:

  • Gila's identity and contact details
  • The fact and purposes of the collection
  • The main consequences (if any) of not providing the information
  • The categories of third parties to whom we usually disclose the information
  • That the information may be disclosed to recipients located in the United States (Supabase, Google Gemini, Firebase Cloud Messaging, Resend, Sentry, PostHog, and other processors listed at /subprocessors)
  • The fact that this notice and our main Privacy Policy explain how to access, correct, and complain about our handling of personal information

The notice at collection is the first interaction with the LegalConsentGate screen and is reachable from every web form that collects personal information.


5. APP 6 — use or disclosure

We use and disclose personal information only for the primary purpose of providing the Gila service to you, or for a directly related secondary purpose within your reasonable expectation, or with your consent. For sensitive information, the secondary-purpose use is constrained further to a purpose directly related to the primary purpose.

In practice:

  • Account identifiers are used for authentication, push delivery, and support
  • Health information is used to provide your trends, recommendations, AI coaching (only with separate AI-features consent), and your personal account state
  • Pseudonymised telemetry is used for product analytics and error tracking, scrubbed of any health-information values
  • We do not disclose personal information to data brokers, advertising networks, or insurance carriers
  • We do not sell personal information in any sense
  • We do not use personal information for direct marketing without your separate opt-in

The complete list of processors that may receive personal information about you, and the role of each, is at /subprocessors.


6. APP 8 — cross-border disclosure

Before disclosing personal information to an overseas recipient, APP 8.1 requires us to take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information. Under s. 16C, Gila remains accountable for any act done by an overseas recipient that would be a breach of the APPs if done by an Australian APP entity.

Gila's principal overseas recipients are all located in the United States:

Recipient | Role | Why a US recipient is reasonable
Supabase Inc. | Primary database, authentication, storage, edge runtime (us-east-2 / Ohio) | Industry-standard managed Postgres with RLS, AES-256 at rest, TLS 1.3 in transit, SOC 2 Type II audited
Google LLC (Gemini API + Firebase Cloud Messaging) | AI features (separate consent) and push delivery | Google DPA + the EU-US Data Privacy Framework (which Gila treats as an additional safeguard, not a sole reliance)
Resend Inc. | Transactional and marketing email | Resend DPA; minimum-necessary metadata only
PostHog Inc. | Pseudonymised product analytics | Pseudonymisation at SDK boundary; health-information values excluded by configuration
Functional Software Inc. (Sentry) | Error tracking | Pseudonymisation + scrubbing of health-information values
Cloudflare Inc. | Bot protection on web forms (Turnstile) | Transient signals only; no personal-information storage

For each US recipient, our Transfer Impact Assessment documents the destination-jurisdiction legal regime (including FISA 702 and the CLOUD Act), the safeguards in place (technical, contractual, organisational), and our risk verdict. The TIA is intended to satisfy the APP 8.1 "reasonable steps" test, complemented by the written processor agreements that obligate each recipient to handle personal information consistent with the APPs.

The 2024 Tranche 1 amendments to APP 8 (now in force) introduced the framework for a prescribed list of countries with substantially similar privacy protections; disclosures to recipients in those countries would not require the APP 8.1 reasonable-steps assessment. The United States is not currently on a prescribed list; we will update this notice if and when that changes.


7. APP 7 — direct marketing

We use personal information for direct marketing (marketing emails, newsletter) only with your separate opt-in. The marketing-email column in our database defaults to opt-out (decision-log #12), and every marketing email contains a simple, functional unsubscribe link that we honour within 5 business days. APP 7 also requires us to honour any other reasonable request to stop direct marketing.

We do not use sensitive information for direct marketing. We do not engage in cross-context behavioural advertising.


8. APP 10 — quality

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant. The in-app interface lets you correct your profile and your tracked entries directly. For data you cannot self-edit, the correction right under APP 13 (see §10) is the route.


9. APP 11 — security

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11.1):

  • TLS 1.3 for all data in transit
  • AES-256 at-rest encryption for the Supabase Postgres database and storage objects
  • Row-level security (RLS) on every Supabase table that holds personal information, scoped to auth.uid() = user_id
  • OAuth state + PKCE for Google and Apple sign-in
  • "Do not train" flag set on every Google Gemini API request, per the Gemini API terms
  • Pseudonymisation and scrubbing at the analytics and error-tracking boundary, with health-information values excluded by configuration
  • Push payload minimisation — notifications are written to be non-revealing of health context
  • Written processor agreements with security and confidentiality obligations for every sub-processor
  • Append-only consent receipts in public.consent_log for accountability
  • Sole-operator access with database changes logged in the Supabase audit log
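The two database controls listed above (per-user row-level security scoped to auth.uid() = user_id, and append-only consent receipts in public.consent_log) can be expressed directly in Postgres. The following is an added illustration written for this notice, not Gila's own schema or migrations: the table and column names (weight_entries, categories, source, accepted_at and so on) are assumptions, and only the table name public.consent_log and the receipt fields it records come from the notice. auth.uid() and the authenticated role are standard Supabase objects.

```sql
-- Added example, not Gila's schema. Table and column names are assumed;
-- the notice names only public.consent_log and the receipt fields.

-- 1. A health-information table readable and writable only by its owner.
create table if not exists public.weight_entries (
  id          bigint generated always as identity primary key,
  user_id     uuid not null references auth.users (id) on delete cascade,
  recorded_at timestamptz not null default now(),
  weight_kg   numeric(5,2) not null
);

alter table public.weight_entries enable row level security;
-- FORCE makes the policies apply to the table owner as well (superusers and
-- BYPASSRLS roles such as Supabase's service_role still bypass RLS).
alter table public.weight_entries force row level security;

-- One policy per command so each check is explicit. auth.uid() returns the
-- JWT subject of the calling user, so rows are scoped to that user only.
create policy weight_entries_select on public.weight_entries
  for select to authenticated using (auth.uid() = user_id);
create policy weight_entries_insert on public.weight_entries
  for insert to authenticated with check (auth.uid() = user_id);
create policy weight_entries_update on public.weight_entries
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
create policy weight_entries_delete on public.weight_entries
  for delete to authenticated using (auth.uid() = user_id);

-- 2. Append-only consent receipts: a user may insert and read their own rows;
--    nobody gets an update or delete policy, privileges are revoked as well,
--    and a trigger rejects rewrites even for roles that bypass RLS.
create table if not exists public.consent_log (
  id             bigint generated always as identity primary key,
  user_id        uuid not null references auth.users (id),
  policy_version text not null,                  -- e.g. '2026-05-16'
  categories     text[] not null,                -- e.g. '{health_tracking,ai_features}'
  jurisdiction   text not null,                  -- e.g. 'AU'
  source         text not null,                  -- e.g. 'legal_consent_gate'
  accepted_at    timestamptz not null default now()
);

alter table public.consent_log enable row level security;
alter table public.consent_log force row level security;

create policy consent_log_insert on public.consent_log
  for insert to authenticated with check (auth.uid() = user_id);
create policy consent_log_select on public.consent_log
  for select to authenticated using (auth.uid() = user_id);
-- Deliberately no update/delete policies: with RLS enabled, a command with
-- no matching policy is denied. Revoking the privileges removes any doubt.
revoke update, delete on public.consent_log from authenticated, anon;

create or replace function public.consent_log_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'consent_log is append-only (attempted %)', tg_op;
end;
$$;

create trigger consent_log_no_rewrite
  before update or delete on public.consent_log
  for each row execute function public.consent_log_immutable();
```

A quick check after applying this: as an authenticated user, a SELECT on weight_entries returns only rows whose user_id matches the caller, an INSERT with another user's user_id is rejected by the WITH CHECK clause, and any UPDATE or DELETE on consent_log fails twice over (no policy, and the trigger raises). Note that the trigger is the only one of the three layers that also stops a privileged backend role, so it is the control to keep if the other two are ever relaxed.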

When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, we take reasonable steps to destroy or de-identify it (APP 11.2). Retention periods are documented in our Records of Processing Activities and our Data Inventory §5.


10. APP 12 (access) and APP 13 (correction)

You have the right to access the personal information Gila holds about you and to seek correction of any information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

How to request access or correction

Two channels, both free:

  1. Self-service web form — visit /dsar and select Australia (Privacy Act) as your jurisdiction. We will email a verification link.
  2. Email — write to dpo@gila.coach stating the right you are exercising and a contact email associated with your Gila account.

Response window

The Privacy Act does not impose a single fixed deadline for APP 12 / APP 13 responses, but the OAIC's longstanding guidance treats 30 calendar days as a reasonable target. We will:

  • Acknowledge within 5 business days
  • Respond substantively within 30 calendar days of receipt
  • For complex requests, notify you within the initial 30 days that we need more time, with reasons and a revised completion date

Refusal grounds

APP 12.3 and APP 13.4 permit refusal of access or correction in limited circumstances (for example, where giving access would have an unreasonable impact on the privacy of others, or where the request is frivolous or vexatious). If we refuse, we will give you a written notice of refusal that explains the reasons, the mechanisms available to complain, and any other matter prescribed by the regulations.

Cost

Access requests are processed at no cost to you. We may charge a reasonable fee for transcription, reproduction, or transmission only where APP 12.7–12.8 expressly permit, and only after notifying you in advance.


11. Notifiable Data Breaches — Part IIIC of the Privacy Act

If a data breach involving personal information about Australian users is likely to result in serious harm to one or more individuals, we will:

  1. Assess the breach within 30 days of suspecting it (s. 26WH)
  2. Prepare a statement containing the matters required by s. 26WK — Gila's identity and contact, a description of the breach, the kinds of information concerned, recommended steps for individuals
  3. Notify the OAIC (s. 26WK) as soon as practicable after preparing the statement
  4. Notify affected individuals (s. 26WL) as soon as practicable after preparing the statement — by direct method where practicable, otherwise by publishing the statement on our website and taking reasonable steps to publicise it

Our Breach Response Playbook is built to discharge this obligation within the statutory windows.


12. Children

The 2024 Privacy and Other Legislation Amendment Act foreshadows a Children's Online Privacy Code to be developed by the OAIC, with consultation in 2025 and registration in 2026. Until that Code is in force, Gila operates a 16-and-over self-attested age gate that exceeds the standards anticipated in the Code — see Privacy Policy §11. We do not knowingly serve users under 16 and we will delete personal information of any user we identify as under 16.


13. Automated decision-making

The 2024 Tranche 1 amendments introduce a new transparency obligation for automated decisions that significantly affect an individual (sections to be inserted into the Privacy Act; phased in over 24 months after assent on 10 December 2024). Gila's AI features (food vision, AI coaching, weekly briefing, activity-goal AI, habit suggestions) are decision-support features under your control — they do not make legally significant or similarly significant decisions about you on a substantially automated basis. If a future Gila feature were to qualify under the new ADM transparency provision, we would update this notice and provide the meaningful information about how the decision is made, ahead of the provision's start date.


14. Complaints

If you are not satisfied with how we have handled your personal information, you may:

  1. Contact us first at dpo@gila.coach. We will acknowledge within 5 business days and respond substantively within 30 days
  2. Complain to the OAIC at any time:

You are not required to complain to us before complaining to the OAIC, but doing so first often produces a faster resolution.


15. Contact

For any Australian privacy question or request:


16. Updates to this notice

We update this notice whenever:

  • The Privacy Act, the APPs, or binding OAIC guidance changes in a way that affects our practices
  • A future tranche of the Privacy Act reforms (including the Children's Online Privacy Code and the automated-decision-making transparency provisions) takes effect
  • Our processing of Australian personal information materially changes
  • A material processor change occurs

We will give you at least 30 days' notice before any change that reduces your APP protections takes effect, by email (if you have an account) and by an in-app banner. The effective_date in the frontmatter above is the current version date.