Privacy Policy
Last updated April 30, 2026
This Privacy Notice for Four By Firelight (“we”, “us”, or “our”) describes how and why we collect, store, use, and share your personal information when you use Quiddo, including when you:
- Visit quiddo.com.au or any site of ours that links to this notice.
- Download and use the Quiddo mobile app, or any other app of ours that links to this notice.
- Use Quiddo. Quiddo is designed only as a record-keeping and reminder tool for families. It does not hold stored value, execute transfers, debit accounts, or enable payments through the app. Parents record what they owe their children; children see their balance.
- Engage with us in other related ways, including marketing or events.
If you have questions, contact us at [email protected].
Summary
- What we collect: only what you give us — your email, password, your name, the first names of your children, contact preferences — plus basic device and usage data.
- Sensitive information: we do not process sensitive personal information.
- Where information comes from: we collect directly from you. If you choose to sign in with a social provider (Google, Apple, or Facebook), that provider gives us a limited set of profile information.
- Why we process it: to run the service, communicate with you, prevent fraud, and comply with the law.
- Sharing: only with our service providers under contract, or in a business transfer.
- Security: appropriate technical and organisational measures, though no system is 100% secure.
- Your rights: access, correct, delete, and (where applicable) object or withdraw consent.
1. What information do we collect?
Personal information you give us
We collect information you voluntarily provide when you register, use Quiddo, or contact us:
- Your email address
- Your password (stored as a one-way hash, never in plain text)
- Your name
- The first names of your children, which you enter to set up their accounts
- Contact preferences
We do not process sensitive personal information.
Information about your children that you provide
When you set up child accounts, you provide information about your children — typically just first names, plus the chores, allowances, and balances you choose to record. This information is provided by you, not collected from the child. For users in the EU/UK, this means your child is a data subject whose personal information has been collected from a source other than the child themselves; the source is you, the parent or guardian. We process this information only to provide the family-account features you have signed up for, and we keep it for as long as you keep your account active.
Payment data
Subscription payments are processed by Stripe using hosted checkout pages. Raw card data never reaches our servers. Stripe stores payment information in accordance with PCI DSS standards. We store only your subscription status and renewal date. Stripe’s privacy notice: stripe.com/au/privacy.
Device, log, and usage data
When you use the website or the app, we automatically collect technical information needed to operate and secure the Services. This includes IP address, device identifiers, device model and manufacturer, operating system and version, browser type, language preferences, ISP or mobile carrier, app version, crash reports, and information about how and when you use the Services (pages viewed, features used, timestamps). This information is used for security, troubleshooting, and analytics. It does not by itself identify you.
Push notifications
We may request to send push notifications. You can turn these off in your device settings.
Google APIs
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2. How do we process your information?
We process personal information to:
- Create and manage your account, and authenticate you.
- Deliver the Services you ask for.
- Protect a person’s vital interests where necessary.
- Communicate with you about service-related matters.
- Prevent fraud and keep the Services secure.
- Comply with applicable law.
We process information for other purposes only with your prior explicit consent.
3. Legal bases for processing (EU/UK)
Where the GDPR or UK GDPR applies to your use of Quiddo, we process your personal information on the following lawful bases. The legal basis depends on the purpose:
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account; delivering the Services | Performance of a contract (Art 6(1)(b)) |
| Processing subscription payments | Performance of a contract (Art 6(1)(b)) |
| Service-related communications (e.g. account verification, password reset, billing notices) | Performance of a contract (Art 6(1)(b)) |
| Marketing emails | Consent (Art 6(1)(a)) — opt-in only |
| Push notifications | Consent (Art 6(1)(a)) — granted in your device settings |
| Security, fraud prevention, error monitoring, and service operation | Legitimate interests (Art 6(1)(f)) — our interest in keeping Quiddo secure and reliable for families |
| Complying with legal, tax, or regulatory obligations | Legal obligation (Art 6(1)(c)) |
| Protecting a person’s vital interests | Vital interests (Art 6(1)(d)) |
For Canadian users, see section 12. International data transfers are addressed in section 4.
4. Who do we share your information with?
We share information only with the service providers we use to operate Quiddo, under written contract. We do not sell personal information. We do not share it for advertising. The current list of service providers (subprocessors) and the countries where they are likely to process or store your information:
| Provider | Purpose | Likely location |
|---|---|---|
| Laravel Cloud / Amazon Web Services | Application hosting and database storage | Australia (Sydney, ap-southeast-2) |
| Stripe | Subscription payments | Australia and United States |
| Resend | Transactional email (verification, password reset, billing) | United States |
| Loops | Marketing email (only if you opt in) | United States |
| Firebase Cloud Messaging (Google) and Apple Push Notification service | Delivery of push notifications | United States |
| Sentry | Error and crash reporting | United States |
| Nightwatch (Laravel) | Application monitoring | United States |
| Better Stack | Uptime monitoring and telemetry | United States and European Union |
We may also share information in connection with a merger, sale of company assets, financing, or acquisition, or where required by law.
International transfers
Where the GDPR or UK GDPR applies, transfers to recipients outside the EEA / UK are made under appropriate safeguards — Standard Contractual Clauses (SCCs) and, for UK personal data, the UK International Data Transfer Addendum or IDTA — unless an exception applies. Where the Australian Privacy Act applies, we take reasonable steps to ensure overseas recipients handle your information in accordance with the Australian Privacy Principles, as required by APP 8.1.
6. How long do we keep your information?
We keep personal information only as long as necessary for the purposes set out in this notice, or as required by law. The retention period depends on the type of information:
| Category | Retention period |
|---|---|
| Account data (your details, family setup, transactions you record) | For as long as your account is active. Deleted within 30 days of account closure, except as below. |
| Billing records (subscription, invoice, tax records) | 7 years, to meet Australian tax record-keeping obligations. |
| Marketing suppression records (so we don’t email you again) | Indefinitely, unless you ask us to delete them. |
| Logs and telemetry | Up to 90 days. |
| Encrypted backups | Up to 35 days. After account deletion, residual data in backups is purged on the next backup rotation. |
When we no longer need information, we delete or anonymise it. If immediate deletion is not possible (for example, in backup archives), we securely store and isolate it until deletion is possible.
7. How do we keep your information safe?
We use appropriate technical and organisational security measures to protect your personal information, including encryption in transit (TLS), one-way password hashing, role-based access control, and infrastructure hosted in audited Australian data centres. No system is 100% secure, so we cannot guarantee that unauthorised third parties will never defeat our security. Use Quiddo only within a secure environment.
We assess and notify eligible data breaches in accordance with Part IIIC of the Privacy Act 1988 (Cth) (the Notifiable Data Breaches scheme). If a breach is likely to result in serious harm and we cannot prevent that harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required.
8. Information from and about children
Quiddo is designed for use by parents and guardians on behalf of their children. We do not require children to submit contact details or create accounts themselves; children interact with the app through a device linked by a parent. When a child uses a parent-linked device, the app does automatically collect technical data (such as device identifiers, IP address, app version, crash reports, and basic interaction logs) — see the COPPA notice below for details and your rights as a parent.
The first names of children entered by parents are accessible only to the parent’s family account, our service providers (under contract) where needed to operate the service, and a small number of authorised Four By Firelight staff for support and operational purposes. They are not used for marketing, advertising, profiling, or any purpose other than displaying within your family account.
Quiddo is designed with the Australian Privacy Act 1988 and the Australian Privacy Principles in mind. We collect the minimum data necessary to provide the service.
Notice to parents in the United States (COPPA)
The US Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule (16 CFR Part 312) place obligations on operators of online services directed to children under 13. The following notice is provided to parents:
- Operator: Four By Firelight, 21 Woods Point Rd, Warburton, Victoria 3799, Australia. Contact: [email protected].
- Information collected from a child using a parent-linked device: automatically collected technical data (device identifiers, IP address, app version, crash reports, basic interaction logs), and the first name a parent has entered for the child. No direct contact information is collected from the child.
- How we use it: only to operate, secure, and troubleshoot the Services for the family account. We do not use it for advertising, profiling, or any purpose unrelated to the internal operation of the service.
- Disclosure: only to the service providers listed in section 4, under contract, and only as needed to operate the service.
- Parental rights: at any time you can review the information associated with your child’s account, ask us to delete it, or refuse to permit further collection by closing the account. Email [email protected].
- Parental consent: by creating an account and adding a child profile, you confirm that you are the child’s parent or guardian and consent to the collection and use described above.
If you believe your child has provided personal information to us directly without your consent, contact us and we will delete it.
9. Your privacy rights
Depending on where you live, you may have rights including: access, rectification, erasure, restriction, data portability, and the right not to be subject to solely automated decision-making with legal or similar effects. You may also object to processing in certain circumstances.
Reviewing, updating, or deleting your information
You can review and update most of your information from your account settings at any time. To request access to information you can’t see directly, to correct something you can’t edit yourself, to delete your account, or to withdraw consent, email [email protected]. We may retain some information after account closure to prevent fraud, troubleshoot, assist investigations, enforce our terms, or comply with legal requirements.
Withdrawing consent
Where we rely on consent, you can withdraw it at any time by contacting us. This does not affect the lawfulness of processing carried out before withdrawal.
Marketing opt-out
You can unsubscribe from marketing emails using the link in the email, or by contacting us. We may still send service-related messages necessary to operate your account.
Complaints
If you have a privacy concern, please tell us first by emailing [email protected]. We aim to acknowledge complaints within 5 business days and to substantively respond within 30 days. Please describe the issue, the personal information involved, and how you would like it resolved.
If you are not satisfied with our response, you can escalate:
- Australia: the Office of the Australian Information Commissioner.
- New Zealand: the Office of the Privacy Commissioner.
- EU: a Member State data protection authority.
- UK: the Information Commissioner’s Office (ICO).
- Switzerland: the Federal Data Protection and Information Commissioner.
10. Tracking technologies
Cookies
The Quiddo website uses strictly necessary cookies for authentication, session management, and CSRF protection. We do not use advertising cookies. We do not use cross-site tracking cookies.
Do-Not-Track
There is no uniform standard for recognising DNT browser signals, so we do not currently respond to them. If a standard is adopted that we must follow, we will update this notice.
11. United States residents
If you reside in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights including: to know, access, correct, delete, obtain a copy, opt out of targeted advertising or sale, and non-discrimination. Some states grant additional rights such as access to categories of recipients, profiling review, or limits on sensitive data use.
We have not sold or shared personal information for a business or commercial purpose in the preceding 12 months, and we have no plans to.
To exercise your rights, email [email protected]. If we decline to act, you can appeal by emailing the same address; if denied, you may complain to your state attorney general.
12. Other regions
Australia and New Zealand
We collect and process your personal information under Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020. This notice satisfies the notice requirements of both Acts.
You have the right to request access to or correction of your personal information at any time. For complaints, see section 9.
Canada
We may process your information with your express or implied consent. You can withdraw consent at any time. In narrow exceptional cases permitted by law, we may process information without consent (for example, fraud detection, legal investigations, or business transactions that meet specific conditions). To make a request or complaint, email [email protected].
13. Updates to this notice
We may update this Privacy Notice from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we may notify you in-app or by email.
14. Contact us
For privacy questions, requests, or complaints, email [email protected], or write to us at:
Four By Firelight
21 Woods Point Rd
Warburton, Victoria 3799
Australia
5. Social logins
You can register or sign in to Quiddo using your Google, Apple, or Facebook account. When you do, we receive a limited set of profile information from that provider — typically your name, email address, and profile picture. We do not request access to your friends list, contacts, or social posts.
If you sign in with Apple, Apple may give us a relay email address rather than your real one. That works fine — we use it just like any other email address for service messages.
We use this information only for the purposes described in this notice. Your relationship with the social provider is governed by their privacy notice, which you should review.