Privacy Policy

Last updated: 9 May 2026

ReRooted ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our visa application tracking service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (for authentication and communication)
• Name (for personalization)
• Password (stored securely using industry-standard hashing)
• Profile image URL (if signing in with a social provider)

If you sign in using a social provider such as Google or Facebook, that provider shares your email address, name, and profile image with ReRooted. The provider's own privacy policy governs how they handle your data.

1.2 Application Tracking Data

When you use our service, we collect:

• Application labels (user-defined names for your applications)
• Application status (workflow status such as "In Progress" or "Submitted")
• Relationship milestone dates (e.g., when your relationship started, cohabitation began)
• Application milestone dates (e.g., lodgement date, grant date)
• Requirement completion statuses
• Structured prompt responses (limited to 1,000 characters per response)
• Applicant, sponsor, or petitioner nationality (optional)

1.3 Information We Do NOT Collect

We are committed to data minimization. We explicitly do not collect:

• Passport numbers
• Full dates of birth
• Physical addresses
• Document numbers or identification numbers
• Private message transcripts
• Free-form personal notes (we use structured prompts instead)

Our structured prompt system includes warnings reminding you not to enter sensitive information such as passport numbers or private messages.

1.4 Automatically Collected Information

When you use our service, we automatically collect certain technical information for security and operational purposes:

• IP address (stored per session for security auditing)
• User-Agent and browser information (stored per session)

This information is used for security auditing, abuse prevention, and rate limiting. It is associated with your session and retained in accordance with our data retention policy.

1.5 Subscription & Billing Data

If you subscribe to a paid plan, we store:

• Subscription status (e.g., active, trialing, cancelled)
• Trial end date (if applicable)
• Current billing period start and end dates

We do not store your credit card details. All payment information is handled entirely by Stripe, our payment processor. See Section 7 for more information.

2. How We Use Your Information

We use the information we collect to:

• Provide and maintain our visa application tracking service
• Enable you to track your progress against visa requirements
• Calculate and display your application completion progress
• Authenticate your account and maintain your session
• Process your subscription and billing (if applicable)
• Send important service-related communications

3. Data Storage and Security

Your data is stored securely using industry-standard practices:

• All data is transmitted using HTTPS encryption
• Passwords are hashed using secure algorithms (never stored in plain text)
• Session cookies use HttpOnly, Secure, and SameSite=Lax attributes
• Access to data is restricted to authorized personnel only

4. Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• Deleted accounts: When you delete your account, all your personal data is immediately and permanently deleted (cascade deletion).
• System logs: Technical logs are retained for 30 days for security and debugging purposes, then automatically deleted.

5. Your Rights

You have the right to:

• Access your data: View all information we hold about you through your account.
• Delete your account: Permanently delete your account and all associated data at any time from your account settings. For step-by-step instructions, see our Data Deletion page.
• Update your information: Modify your account details and application data.
• Request your data: You may request a copy of your personal data in a portable format. Automated data export is planned for a future release; in the meantime, contact us to request a manual export.

6. Cookies

We use essential cookies for authentication and session management. For more details, please see our Cookie Policy.

7. Third-Party Services

We use the following third-party services:

• Stripe:For payment processing. Stripe's privacy policy applies to payment data. We do not store your credit card information.
• Google & Facebook: For social sign-in (OAuth authentication). If you choose to sign in with Google or Facebook, your email address, name, and profile image are shared with us by the provider. Their respective privacy policies govern how they handle your data.
• Resend: For transactional email delivery. Your email address is shared with Resend to deliver password reset emails, verification emails, and other service-related communications.
• Hosting & infrastructure providers: Our service is hosted on secure cloud infrastructure in Australia and internationally. This includes database hosting, session management infrastructure (e.g., Redis for CSRF token storage), and content delivery networks.

8. International Data Transfers

ReRooted is operated from Australia and offered to users worldwide. Some of our third-party service providers (including hosting, email delivery, and payment processing) may process your data outside of your country of residence — for example, Australian users' data may be processed in the United States or Europe, and United States users' data may be processed in Australia or elsewhere.

Where your data is transferred internationally, we take reasonable steps to ensure that the recipient handles your personal information consistently with the protections required in your jurisdiction. For Australian users, that means the Australian Privacy Principles (in particular APP 8). For United States users, that means a standard of care reasonably consistent with the privacy laws of your state of residence (including the California Consumer Privacy Act / California Privacy Rights Act, where applicable).

We encourage you to review the privacy policies of our third-party providers listed in Section 7 for details on their data handling and transfer practices.

9. Children's Privacy

ReRooted is intended for users aged 18 and over, consistent with our Terms of Service. We do not knowingly collect personal information from children under 18 years of age. If you believe a child under 18 has provided us with personal information, please contact us and we will promptly delete it.

10. Jurisdiction-Specific Rights

10.1 Australian Privacy Principles (Australian users)

ReRooted is designed with the Australian Privacy Principles (APPs) in mind. We are committed to:

• Collecting only the minimum data necessary for our service
• Using data only for the purpose it was collected
• Maintaining appropriate security measures
• Providing transparency about our data practices
• Giving you control over your personal information

10.2 California Consumer Privacy Act / CPRA (California residents)

If you are a California resident, you have the following rights, subject to verification:

• Right to know: request the categories and specific pieces of personal information we have collected about you in the preceding 12 months. You can satisfy this right today by viewing your account data through the in-product settings page; for items not yet exposed in-product, contact us.
• Right to delete: request deletion of your personal information. You can do this immediately from your account settings page (see Section 5 above), which deletes all of your data on a cascade basis.
• Right to correct: request correction of inaccurate personal information. Most fields are editable directly in-product; contact us for anything that is not.
• Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of. We will update this notice if that ever changes.
• Right to non-discrimination: we will not deny service, charge a different price, or provide a different level of quality because you exercise any of these rights.

10.3 Users in other jurisdictions

If you reside outside Australia or the United States, you may have additional rights under your local data-protection laws (including, for example, GDPR if you are in the European Union or UK GDPR if you are in the United Kingdom). Contact us to exercise any such rights and we will respond consistently with the standard required by the applicable law.

11. Automated Decision-Making

ReRooted does not use automated decision-making or profiling that produces legal or similarly significant effects. All visa application tracking and progress calculations are based on information you provide and are entirely user-directed.

12. Data Breaches

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the relevant regulators in each jurisdiction we are obligated to notify, including:

• The Office of the Australian Information Commissioner (OAIC) under the Australian Notifiable Data Breaches (NDB) scheme, for incidents affecting Australian users.
• State attorneys general and any other regulators required by United States state breach notification laws (for example, California, New York, and other states with breach notification statutes), for incidents affecting United States users.
• Any other regulators required by the applicable local laws of users in other jurisdictions.

We will provide affected individuals with sufficient information to understand the nature and scope of the incident, the categories of data involved, and the steps we are taking in response.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us through our support channels.

Note: ReRooted provides general information to help you organise your visa application. It is not legal advice. For official information about visas, please refer to the immigration authority for your jurisdiction — for example, the Department of Home Affairs (Australia) or USCIS (United States) — and/or a registered migration agent or licensed immigration attorney.