Privacy Policy

Effective date: 26 June 2026. Version: 1.0

The National Allergy Council (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use the Food Follower web application and related services (the “Service”). It also explains your rights under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. What this policy covers

This policy applies to the Food Follower web application at app.preventallergies.org.au, the email communications we send in connection with it, and any other channel where we collect personal information for the Service. Other National Allergy Council websites have their own privacy statements which are not replaced by this policy.

2. The information we collect

We only collect personal information that is reasonably necessary to operate the Service. This includes:

Account information

• Your email address
• A password (stored as a one-way hash; we cannot read it)
• Your preferred language and notification preferences

Information about a child you add

• The child’s first and last name, and any preferred name
• The child’s date of birth
• The allergens you have chosen to track
• Milestones, reactions and notes you record
• Risk factors you tell us about (for example whether the child has eczema, has started solids, has a diagnosed food allergy, or whether someone in the household does)

Information about a child’s allergens, reactions and risk factors is “sensitive information” under the Privacy Act, and we treat it accordingly (see §5 and §7).

Sharing and invitations

• The name and email address of any carer you invite to access a child’s record, and the level of access you grant them

Use of the Service

• Technical information such as your IP address, browser, device type, and the pages you visit, collected automatically through cookies and similar technologies (see §10)

Communications with us

• Any information you provide when you contact us for support, including the content of your message

What we do not collect

We do not ask for, and do not knowingly hold, government-issued identifiers such as Medicare numbers, tax file numbers, driver’s licence numbers or passport numbers (consistent with APP 9). We also do not collect payment card information — the Service is free to use.

3. How we collect it

We collect information directly from you when you sign up, complete onboarding, add a child, record a milestone or reaction, change a setting, or contact us. We also collect technical information automatically through your browser when you use the Service.

We do not buy lists of personal information from third parties.

4. Why we collect it (purposes of use)

We use your personal information to:

• create and manage your account, authenticate you and keep your account secure;
• provide the Service, including showing your child’s record back to you and to any carer you have invited;
• send you notifications you have not opted out of (for example milestone reminders or check-in nudges);
• respond to your support requests;
• improve the Service, understand how it is used, and produce de-identified statistics;
• comply with our legal obligations.

We will not use your personal information for any other purpose without your consent, unless we are permitted or required to do so by law.

4a. Email and in-app communications

The Service sends communications in five categories:

1. Transactional — sent in response to an action you take, for example email verification on sign-up, password resets, sharing-invitation notices, and notices that this policy or our Terms have changed.
2. Age-milestone reminders — periodic prompts tied to your child’s age (for example “has Emma started solid foods?” around 5–6 months, or the year-one summary at 12 months).
3. Behavioural nudges — for example a one-off nudge if you have not logged anything for several weeks, or a celebration when you record your first allergen introduction.
4. Tips and guidance — informational content such as age-appropriate tips, eczema guidance if you have flagged eczema at onboarding, and texture or recipe suggestions.
5. System and account — for example sharing invitations sent to people you have invited, and notices about changes to the Service.

How to control these:

• Transactional communications are required to deliver the Service and cannot be unsubscribed from. If you want to stop receiving them, close your account.
• All other emails carry a one-click unsubscribe link in the footer.
• You can also turn email categories on or off, and switch off email notifications entirely, in your Service settings.
• You can opt out of the programme as a whole; see the Service settings for details.

4b. Anonymity and pseudonymity

To deliver the core Service we need to associate the information you provide with an account, so it is not possible to use Food Follower fully anonymously. You can however contact us with a general enquiry or feedback without identifying yourself — for example by writing to us via the postal address in §13.

4c. Direct marketing

We will not use your personal information for third-party marketing purposes. We may send you information about the Service itself (for example new features, programme reminders, or research-survey invitations from the National Allergy Council). You can opt out of any non-essential communications using the controls described in §4a.

5. Health and sensitive information

Information about a child’s allergens, reactions, risk factors and feeding milestones is treated as sensitive information under APP 3. We collect it only with your consent (provided when you enter it into the Service) and use it only for the purposes described in §4. We do not share it with third parties for marketing or research without your express consent.

6. Who we share information with

We do not sell, rent or trade your personal information. We disclose it only:

• to carers you have invited to access a child’s record, at the access level you have chosen;
• to service providers who help us operate the Service (for example our hosting and database provider, our email delivery provider, and our analytics provider), under contractual obligations to handle your information only on our instructions and to protect it appropriately;
• where we are required or permitted by law (for example in response to a valid subpoena, court order, or request from a regulator);
• to a successor entity in the event of a merger, acquisition or restructure of the National Allergy Council, subject to the new entity continuing to handle your information consistent with this policy.

A list of our current service providers and their locations is available on request.

7. Where your information is stored

The Service is hosted on infrastructure operated by third-party providers. Supabase and frontend hosting is located in the AWS ap-southeast-2 (Sydney) region. Some of our service providers may store or process information outside Australia. Where this happens, we take reasonable steps to ensure that the overseas recipient handles your information in a manner consistent with the APPs.

8. How long we keep it

We keep your account and child information for as long as your account is active. If you close your account, we will delete or de-identify your personal information within a reasonable period, subject to:

• any legal obligation we have to retain certain records (for example audit logs of significant security events);
• any legitimate need to retain de-identified aggregate data for analytics.

You can request earlier deletion at any time (see §11).

9. How we protect it

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These steps include encrypted transport (HTTPS), encrypted storage of credentials, access controls limiting who at the National Allergy Council and our service providers can see your information, and audit logging of sensitive operations. No method of transmission over the internet is completely secure, however, and we cannot guarantee absolute security.

If we become aware of an eligible data breach affecting your personal information, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.

10. Cookies and analytics

The Service uses cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Service is used. Most browsers accept cookies by default; you can adjust your browser settings to refuse cookies or to warn you when a cookie is being sent, but some parts of the Service may not function correctly if you do.

We use Google Analytics to understand how the Service is used at an aggregate level. Information collected by Google Analytics is transmitted to and stored by Google on servers in the United States. You can opt out by installing the Google Analytics opt-out browser add-on, or by adjusting your cookie settings.

11. Your rights — access, correction, deletion

You may at any time:

• access most of the personal information we hold about you and your child through the Service settings;
• request a copy of additional information we hold about you;
• request correction of information you believe is inaccurate or out of date;
• request deletion of your account and the information associated with it;
• opt out of non-essential email communications (a one-click unsubscribe is included in every email).

To make a request, contact us using the details in §13. We may need to verify your identity before we act on a request. Most requests will be actioned within 30 days.

12. Children’s information

Food Follower is designed to be used by parents and carers to record information about children under their care. The account holder must be 18 or older (or have parental/guardian consent — see the Terms of Service). Children themselves do not have accounts on the Service.

13. Contact us and complaints

If you have a question about this policy or wish to exercise any of the rights in §11, please contact us:

National Allergy Council PO Box 367, Guildford WA 6055 Australia

Privacy contact email — https://nationalallergycouncil.org.au/contact-us

If you are not satisfied with our response to a privacy concern, you can contact the Office of the Australian Information Commissioner:

• Website: oaic.gov.au
• Phone: 1300 363 992

14. Third-party links

The Service may contain links to other websites operated by third parties. We are not responsible for the privacy practices or content of those websites. Please review their privacy policies before providing them with any personal information.

15. Changes to this policy

We may update this Privacy Policy from time to time. The current version is identified by the “Effective date” at the top. Where changes are material, we will notify you through the Service or by email.