Privacy Policy
Last updated: 2 May 2026
Hipponics (ABN 57 973 387 746) ("we", "us", "our") operates the Hipponics Firewatch application, the associated Android app, and the website at hipponics.com ("the Service"). This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use the Service, in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
1. Information We Collect
| Data Type | Purpose | Collected |
|---|---|---|
| Location data (approximate & precise) | Show fires near you, calculate distances, watch zone alerts | Only when you grant browser location permission |
| Email address | Account authentication | Only if you create an account |
| Push notification tokens | Deliver watch zone fire alerts to your device | Only if you enable push notifications |
| Watch zone configurations | Monitor geographic areas for fire activity | Only if you create watch zones |
| Analytics data | Understand usage patterns, improve the Service | Automatically via Google Analytics |
| Photos & EXIF metadata | Community fire incident documentation | Only if you upload photos |
2. How We Use Your Information
We use the information collected to:
- Provide real-time bushfire monitoring and alerting functionality
- Send push notifications when fire activity is detected near your watch zones
- Authenticate your account and manage your preferences
- Analyse usage patterns to improve the Service (via Google Analytics)
- Display community-submitted photos of fire incidents
3. Third-Party Services and Overseas Disclosure
The Service integrates with the following third-party providers. Some of these are located overseas and personal information may be disclosed to them in those jurisdictions (APP 8):
- Amazon Web Services (AWS) — Hosting, authentication (Cognito), data storage (DynamoDB, S3). Your account, watch zones, comments, and uploaded photos are stored in the ap-southeast-2 (Sydney, Australia) region.
- Google (Authentication) — If you choose to sign in with Google, Google receives your email and profile information per their Privacy Policy (United States).
- Google Firebase Cloud Messaging (FCM) — If you use the Android app, Google receives a per-device token used to deliver fire alert push notifications (United States).
- Google Analytics 4 — Anonymous usage analytics. Only enabled if you accept the consent banner on first visit. Default is denied (United States).
- Stripe — Processes payments for the optional Supporter subscription. If you choose to subscribe, Stripe receives your email and payment details directly (United States / Ireland). We never see or store full card details.
- Open-Meteo — Weather and atmospheric data (Germany). Receives only coordinates required to fetch weather, never your account details.
- Cesium Ion — 3D map terrain tiles and globe visualisation (United States).
- OpenStreetMap / Carto / ESRI / NSW DCS Spatial Services — 2D map tiles.
- ADS-B Exchange / airplanes.live / adsb.lol — Live aircraft position data for firefighting aircraft tracking.
- Planespotters.net — Aircraft photo thumbnails.
- NASA FIRMS, Geoscience Australia (DEA Hotspots) — Satellite fire hotspot detection data.
- Australian fire and emergency services — NSW RFS, VIC OSOM/CFA, QLD QFES, SA CFS, WA DFES, TAS TFS, NT Bushfires, ACT ESA — public fire incident data feeds.
Each third-party service has its own privacy policy. We encourage you to review their policies for information about how they handle data.
4. Data Storage and Security
Your data is stored on Amazon Web Services infrastructure in the ap-southeast-2 (Sydney, Australia) region. We use industry-standard security measures including:
- All data transmitted over HTTPS (TLS encryption in transit)
- AWS Cognito for secure authentication with encrypted password storage
- DynamoDB encryption at rest for stored data
- S3 bucket policies restricting access to authorised services only
5. Data Retention
We retain personal information only for as long as it is needed to provide the Service or as required by law (APP 11.2). Specifically:
| Data type | Retention |
|---|---|
| Account login (email, name, Cognito record) | Until you delete your account |
| Watch zone configurations | Until you delete the zone or your account |
| Notification history (in-app alerts) | 30 days, then auto-deleted |
| Web push subscriptions | 60 days from last delivered notification, then auto-deleted |
| FCM tokens (Android) | Until you uninstall the app or sign out, then auto-deleted |
| Comments on fire incidents | 90 days, then auto-deleted |
| Uploaded photos (S3 + metadata) | 30 days, then auto-deleted |
| Photo removal requests | 90 days from request, then auto-deleted |
| Fire incident records | 7 days from last update from the source |
| Operational logs (CloudWatch) | Up to 30 days for security and debugging |
| Stripe payment records | 7 years (Australian Tax Office requirement). Held by Stripe in their systems. |
| Analytics data (Google Analytics) | 14 months (default GA4 retention) |
You can delete your account at any time via the in-app "Delete my account" button (Profile menu) or by emailing us. See Delete Account for full details.
6. Your Rights
Under the Australian Privacy Act 1988 and applicable privacy laws, you have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate personal information
- Deletion — Request deletion of your personal information and account
- Opt-out — Disable push notifications, revoke location permissions, or delete your account at any time
To exercise any of these rights, contact us at hipponics@outlook.com.
7. Cookies, Local Storage, and Consent
The Service uses:
- Session cookies — For authentication (AWS Cognito tokens). Required for the Service to function.
- Analytics cookies (Google Analytics) — Default denied. We use Google Consent Mode v2; analytics only run after you click "Accept analytics" on the consent banner shown on your first visit.
- Local storage — Stores your map preferences, view settings, watch-zone display options, banner-dismissed state, and cached UI state on your device. Not transmitted to us.
You can withdraw analytics consent at any time by clearing the
hipponics_analytics_consent entry in your browser's site
data; the consent banner will re-prompt you on next visit. Disabling all
cookies will prevent sign-in.
7a. Photo and EXIF Metadata
When you upload a photo of a fire incident, the photo's EXIF metadata (GPS coordinates, capture timestamp) is read by your browser to place the photo on the public map. The full original image is stored — please be aware that EXIF metadata embedded in the image (which may include camera serial numbers and precise GPS) is preserved and may be visible to anyone who downloads the image. Strip EXIF before uploading if this is a concern. We do not transmit your photos to any third party other than Amazon S3 for hosting.
8. Children's Privacy
The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We may share anonymised, aggregated analytics data that cannot identify individual users. We may disclose personal information if required by law or to protect the rights, property, or safety of our users or the public.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us and Complaints
If you have any questions about this Privacy Policy, want to access or correct your personal information, or wish to make a complaint about how we have handled your information, please contact us at:
- Email: hipponics@outlook.com
- Website: hipponics.com
- Operator: Hipponics (ABN 57 973 387 746)
We will acknowledge your complaint within a reasonable timeframe and respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001