Safety & Compliance
How we protect your family's information with enterprise-grade security and privacy-by-design principles
We treat your data like our own
Gestalts was built by parents for our own daughter, Olivia. When we designed the app's security and privacy features, we asked ourselves: "Would we trust this with Olivia's information?" The answer had to be an unequivocal yes.
We implement privacy-by-design principles from the ground up. That means collecting only the minimum data necessary, encrypting everything, giving you complete control over your information, and never selling your data to anyone.
Below, we explain exactly how we protect your family's information in plain language, not legal jargon.
How we protect your data
Enterprise-grade security measures
AES-256 Encryption
All data is encrypted at rest using industry-standard AES-256 encryption. Your family's information is protected with the same security used by banks and governments.
TLS 1.2+ in Transit
All data transmission between your device and our servers uses TLS 1.2 or higher encryption, preventing interception during transfer.
Australian Data Centers
For Australian users, we prioritize storing data in Australian data centers (Sydney and Melbourne regions) where technically feasible.
Google Cloud Security
We leverage Google Cloud Platform's enterprise-grade security infrastructure, including advanced threat protection and access controls.
Immediate Photo Deletion
Original photos uploaded for avatar creation are processed and immediately deleted. Only AI-generated illustrations are stored, which you can delete anytime.
Content Moderation
AI interactions are monitored for concerning content (self-harm, abuse). Flagged content triggers crisis resources and may be reviewed for safety.
Our privacy commitments
We never sell your data
Your family's information will never be sold, rented, or traded to third parties for marketing purposes. Period.
You control your data
Access, modify, export, or delete your data anytime. You can delete individual entries or your entire account with one click.
Minimal data collection
We collect only what's necessary to provide value. No surnames, addresses, medical record numbers, or unnecessary identifiers.
Transparent practices
Our Privacy Policy and Terms are written in plain language. No hidden clauses or confusing legal jargon.
Legal compliance
Australian Privacy Act 1988
We comply with the Privacy Act 1988 (Cth) and Australian Privacy Principles regarding collection, use, and storage of personal information.
GDPR (EU/EEA/UK Users)
For European users, we comply with General Data Protection Regulation requirements, including data minimization, right to erasure, and data portability.
COPPA (US Users)
For US users, we comply with the Children's Online Privacy Protection Act. Parents provide verifiable consent and have full control over child data.
Australian Consumer Law
Our Terms and Conditions comply with Australian Consumer Law, with clear limitations on liability that do not exclude non-excludable rights.
If something goes wrong
We take security seriously and implement multiple layers of protection. However, in the unlikely event of a data breach:
- 72-hour notification: We will notify affected users within 72 hours of discovery
- Full transparency: We'll explain what happened, what data was affected, and steps we're taking
- Regulatory reporting: We'll report to relevant authorities (OAIC, supervisory authorities) as required by law
- Incident response: We maintain procedures and cyber insurance to address and mitigate impact
Questions about security or privacy?
We're parents first, and we understand how important it is to protect your child's information. If you have any concerns or questions about our security practices, we're here to listen.
Contact Us About Security
Or view our full Privacy Policy and Terms & Conditions
Your family's privacy is our priority
Built by parents who understand how precious your child's information is.
Enterprise-grade security, parent-first approach
