LAST UPDATED: JANUARY 2025
Halftone Digital Pty Ltd (ABN: 52675706519), trading as The Keepsake Project ("Keepsake", "we", "us", or "our"), is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Services").
This Privacy Policy is incorporated into and forms part of our Terms and Conditions. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree with the terms of this Privacy Policy, you must not access or use the Services.
We are committed to complying with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and, where applicable, the General Data Protection Regulation (GDPR) for users in the European Union and United Kingdom, and the California Consumer Privacy Act (CCPA) for users in California.
In addition to the purposes set out below, we identify the following legal bases for processing under the GDPR and UK GDPR:
When you create an account, subscribe to our Services, or otherwise interact with Keepsake, you provide us with information that we collect and store. This includes your name, email address, and password (which is encrypted and cannot be viewed by our staff), date of birth to verify age requirements, profile information you choose to include, billing address and payment method details for subscription purchases, and any additional information you provide when contacting our customer support team.
When using our storytelling platform, you create and upload content including written stories, memories, and text entries, photographs and images, comments and messages in collaborative features, project titles, descriptions, and chapter organisation, and any other creative content you generate within the Services. We also collect information from communications you send to us, including support requests, feedback, suggestions for improvements, responses to surveys if you choose to participate, and any other correspondence you initiate with us.
When you access or use our Services, we automatically collect certain technical and usage information. This includes device information such as your IP address, browser type and version, operating system and platform, device identifiers, and mobile network information. We also collect usage data including pages or screens you view, features you use, time spent on pages or in the app, search queries within the Services, referring and exit pages, click patterns, and date and time stamps associated with your usage.
We collect log information including details of how you use our Services, diagnostic data, crash reports, performance metrics, and error logs that help us improve the Services. Location information is collected at a country level based on your IP address to provide localised content and comply with regional legal requirements, though we do not collect precise geolocation data without your explicit consent.
We may receive information about you from third-party sources including payment processors like Stripe, which provide us with payment confirmation and transaction details (though not full credit card numbers), social media platforms if you choose to connect your accounts, and publicly available sources as permitted by applicable law. When you use single sign-on services or connect social media accounts, we receive basic profile information as authorised by your privacy settings on those platforms.
We use cookies and similar tracking technologies to provide and improve our Services. Essential cookies are always active because they are necessary for the Services to function properly. These include authentication cookies that keep you logged in, security cookies that protect against fraud and misuse, and preference cookies that remember your settings and choices. Our legal basis for using these cookies is legitimate interest, as they are required to deliver the Services.
We also use analytics cookies, but only with your consent. These include Google Analytics cookies (_ga, _gid) that help us understand usage patterns and improve the Services, as well as performance monitoring cookies that allow us to identify technical issues and optimise overall functionality.
In addition, with your consent, we may use marketing cookies such as Meta Pixel cookies (_fbp, _fbc). These help us measure the effectiveness of our advertising and track conversions so that we can better understand the performance of our campaigns.
Cookie durations vary by type. Essential cookies last anywhere from a single session (deleted when you close your browser) to 30 days for authentication cookies. Analytics cookies (_ga) persist for 2 years, while _gid expires after 24 hours. Marketing cookies (_fbp, _fbc) last for 90 days. Third-party cookies from Google and Meta are set directly by these services when you consent, and those services may process data according to their own privacy policies.
You can withdraw or change your cookie preferences at any time through our cookie settings. You can also control cookies through your browser settings, though disabling certain cookies may limit your ability to use some features of the Services. Most browsers allow you to refuse cookies, delete cookies, or receive warnings before cookies are stored. For more information about managing cookies, please refer to your browser's help documentation.
Family stories naturally contain deeply personal information that may include sensitive details about you and your loved ones. We recognise that your content may include health information and medical histories shared within families, religious beliefs, cultural practices, and spiritual experiences, details about racial, ethnic, or cultural heritage, political opinions or affiliations mentioned in historical contexts, information about relationships, family conflicts, or personal struggles, financial circumstances or economic situations, and details about sexual orientation or gender identity within family narratives.
We do not actively scan or analyse your content for sensitive information, but we implement additional protections including restricted access controls ensuring only essential personnel can access user content when necessary for technical support, enhanced encryption for all stored content regardless of sensitivity level, and regular security audits of systems storing user-generated content. You maintain full control over who can access your stories through our collaboration and privacy settings.
If you have concerns about sensitive information in your content, you can adjust sharing settings at any time, remove or edit sensitive details before sharing with collaborators, and contact our support team for guidance on privacy controls. We encourage thoughtful consideration when sharing stories containing sensitive information about family members, particularly those who cannot consent to sharing.
We use your information to create and manage your account, including verifying your identity and age eligibility. We process your subscription payments, manage billing, and provide access to premium features according to your subscription tier. Your information enables us to facilitate collaboration features, allowing you to invite others to contribute to your projects and manage permissions. We use your content to generate printed books when requested and coordinate with our printing partner for fulfilment. Your information is also used to provide customer support, respond to inquiries, and resolve technical issues you may encounter.
We analyse usage patterns and user behaviour to understand how people interact with our platform and identify areas for improvement. This information helps us develop new features and enhance existing functionality based on user needs and preferences. We conduct testing and quality assurance to ensure the Services operate smoothly and efficiently. User feedback and usage data inform our product roadmap and help us prioritise development efforts. We also use aggregated and anonymised data for research and statistical analysis to better understand storytelling patterns and user engagement.
We send transactional emails related to your account, including welcome messages, password resets, subscription confirmations, and billing receipts. Service-related communications inform you about changes to the Services, scheduled maintenance, new features, and important updates to our Terms or Privacy Policy. With your consent, we may send marketing communications about special offers, promotions, and Keepsake news, though you can opt out of these at any time through your account settings or by clicking the unsubscribe link in our emails. We also send notifications related to your projects, such as when collaborators add content or when your print order ships.
We use your information to detect, investigate, and prevent fraudulent transactions, unauthorised access, and other illegal activities. We monitor for violations of our Terms and Conditions and take appropriate enforcement action when necessary. Your information may be used to comply with legal obligations, respond to legal requests from government authorities, and protect the rights, property, and safety of Keepsake, our users, and the public. We maintain records as required by applicable laws and regulations, including tax and accounting requirements.
We personalise your experience by remembering your preferences, suggesting relevant features, and customising content display. Analytics help us understand user demographics, measure the effectiveness of our marketing campaigns, and identify trends in how different user segments engage with the Services. This information enables us to make data-driven decisions about product development and resource allocation whilst respecting your privacy.
We may use automated systems and artificial intelligence technologies to enhance your experience with the Services, always with appropriate human oversight and user control. Our automated processing may include content suggestions and writing prompts tailored to your storytelling style and preferences, photo organisation and enhancement tools to help manage your visual memories, quality checks to identify potential technical issues with uploads or formatting, and search functionality to help you find specific content within your projects.
User Control: Our AI features, including the ghostwriter tool, are designed as optional enhancements to your storytelling experience. You can choose whether to engage with AI-powered features on a per-use basis; there is no requirement to use automated suggestions or AI assistance to access any core functionality of the Services. When AI features are available, you can manually override any automated suggestions, choose to write entirely independently without AI assistance, and request human support for any technical issues related to AI features. We do not make purely automated decisions that would significantly impact your access to the Services or your content.
AI Training: When you use our AI-powered features like the ghostwriter, the system processes your input (stories, prompts, and context) to generate relevant suggestions and responses. This processing occurs in real-time to provide the service but does not involve permanently storing or using your content to train, improve, or update our AI models. Your stories and creative content are processed only for the immediate purpose of generating your requested output and are not retained or used to enhance the AI system for other users. We do not use your personal stories or uploaded content to train our base AI systems or any third-party AI models. Any AI system improvements are based on anonymised usage patterns, technical performance metrics, and publicly available information only.
Transparency: We will clearly label features that use automated processing or AI assistance. We provide explanations for how automated suggestions are generated and maintain human oversight for all content-related processing. If our use of automated processing changes significantly, we will update this Privacy Policy and notify users accordingly.
We share your content with collaborators you explicitly invite to your projects, according to the permission levels you set. When you send a gift subscription, we share limited information with the recipient to facilitate the gift. If you participate in testimonials or case studies with your permission, we may share your story as agreed. We will always obtain your explicit consent before sharing your information in ways not described in this Privacy Policy.
We engage trusted third-party service providers to help us operate and improve the Services. These providers have access to your information only as necessary to perform their functions and are contractually obligated to maintain its confidentiality and security. Our key service providers include Stripe for payment processing, which handles all payment transactions securely and is certified as a PCI Service Provider Level 1, the most stringent level of certification. SendGrid manages our email delivery infrastructure to ensure reliable communication. Mixam Inc. receives necessary information to print and ship your books, including your delivery address and book content. Cloudflare provides content delivery network services and helps protect against security threats. Google Analytics and Meta assist with usage analytics and advertising effectiveness measurement, receiving only anonymised or aggregated data where possible.
We may disclose your information when we believe in good faith that disclosure is required by law, regulation, or legal process, including in response to court orders, subpoenas, or government requests. We may share information to protect the rights, property, and safety of Keepsake, our users, or others, including to prevent fraud, security threats, or illegal activities. In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business, your information may be transferred to the successor entity. We will notify you via email and prominent notice on our Services before your information is transferred and becomes subject to a different privacy policy.
We may share aggregated or anonymised information that cannot reasonably be used to identify you. This includes statistical data about user demographics, usage patterns, and trends that help us improve the Services and demonstrate our platform's value. Such information may be shared publicly or with partners for research, marketing, or business development purposes.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your stories or personal content with anyone other than the collaborators you explicitly authorise. We do not use your content for advertising purposes without your express written consent. We do not allow unauthorised access to your account or personal information.
As our service providers operate globally, your information may be transferred to and processed in countries other than the one in which you reside. These countries may have data protection laws that differ from those in your country. When we transfer your information internationally, we implement appropriate safeguards to protect your information in accordance with this Privacy Policy and applicable laws.
For transfers from Australia, we ensure that recipients in other countries provide appropriate protections for your personal information as required by the Australian Privacy Principles. For transfers from the European Union or United Kingdom, we rely on adequacy decisions, standard contractual clauses approved by the European Commission, or other appropriate safeguards recognised under the GDPR. For transfers from other jurisdictions, we comply with local legal requirements for international data transfers.
Our primary service providers process data in the following locations: Stripe processes payments primarily in the United States with appropriate security certifications; SendGrid operates email services from data centres in the United States and European Union; Mixam has production facilities in Australia, United States, United Kingdom, Germany, and Canada, processing orders in the facility closest to your delivery address; and Cloudflare operates a global network with data centres worldwide, processing data at the edge location nearest to you for optimal performance.
We implement comprehensive security measures to protect your information from unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit using industry-standard TLS/SSL protocols and encryption of sensitive data at rest in our databases. We maintain secure servers with firewalls, intrusion detection systems, and regular security updates. Access controls ensure that only authorised personnel can access personal information on a need-to-know basis. We conduct regular security audits and vulnerability assessments to identify and address potential risks. Our incident response procedures enable rapid detection and mitigation of security threats.
We enforce strong password requirements and offer two-factor authentication for enhanced account security. Session management includes automatic logout after periods of inactivity and secure session token handling. We monitor for suspicious account activity and notify you of any unusual login attempts. Password reset processes include verification steps to prevent unauthorised account access.
Whilst we implement robust security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your information, though we continuously work to improve our security practices. You play an important role in protecting your information by maintaining the confidentiality of your password, using secure networks when accessing the Services, and promptly reporting any suspected security breaches to us.
You have the right to access the personal information we hold about you. You can view most of your information directly through your account settings. You may request a copy of your personal information in a structured, commonly used, and machine-readable format. We provide data export functionality that allows you to download your stories and content at any time. To request additional information not available through your account, please contact us at hello@keepsakeproject.co.
For clarity, here is our retention schedule:
You can update most of your personal information directly through your account settings. If you identify any inaccuracies in your information that you cannot correct yourself, please contact us and we will promptly update our records. We encourage you to keep your information current to ensure you receive important communications and the best possible service experience.
You have the right to request deletion of your personal information, subject to certain legal exceptions. You can delete individual pieces of content through the Services, with a thirty (30) day recovery period for accidentally deleted items. To request complete account deletion, contact us at hello@keepsakeproject.co. We will delete your information within thirty (30) days of your request, except where we are required to retain it for legal obligations, dispute resolution, fraud prevention, or enforcement of our Terms and Conditions. Please note that content already incorporated into printed books cannot be recalled or deleted from physical products already produced.
You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, adjusting your communication preferences in account settings, or contacting us directly to request removal from marketing lists. Please note that you cannot opt out of transactional communications related to your account, such as billing notifications, security alerts, and service updates.
You can manage cookie preferences through your browser settings, including blocking all cookies, deleting existing cookies, or receiving notifications before cookies are set. Some Services features may not function properly without cookies. For more granular control, you can opt out of specific analytics services: Google Analytics by installing the Google Analytics Opt-out Browser Add-on, and Meta Pixel by adjusting your Facebook ad preferences.
California residents: while we do not sell your information, some third-party tools (such as advertising or analytics cookies) may be considered "sharing" under the California Privacy Rights Act (CPRA). You may opt out of this sharing through your browser or device settings, or by contacting us.
The Services are not intended for children under fifteen (15) years of age. We do not knowingly collect personal information from children under fifteen (15). If we become aware that we have collected personal information from a child under fifteen (15) without parental consent, we will take steps to delete that information as quickly as possible.
For users between fifteen (15) and eighteen (18) years of age, we require verifiable parental consent before allowing account creation. Our parental consent process includes collection of the parent or guardian's contact information and explicit consent, verification through email confirmation or telephone contact, and documentation of the consent provided. Parents or guardians may request to review their child's personal information at any time and may withdraw consent or request deletion of their child's account and associated information.
Parents or legal guardians of minor users have the following rights: to review the personal information we have collected from their child, to request corrections or deletions of their child's personal information, to refuse to permit further collection or use of their child's information, to request deletion of their child's account, and to receive a copy of our privacy practices relating to children. To exercise any of these rights, parents should contact us at hello@keepsakeproject.co with proof of their relationship to the child.
Whilst adults may create stories about children in their families, we encourage responsible sharing practices. Consider the privacy implications of sharing stories or photos involving minors, obtain appropriate permissions from parents or guardians when including content about other people's children, and be mindful that content shared digitally may have lasting implications for the children involved. If children's information is included in content (e.g., family stories), we encourage account holders to manage collaborator access carefully. Parents/legal guardians may review or delete such content at any time.
We retain your personal information for as long as your account remains active and you continue to use the Services. Your content remains accessible to you throughout your subscription period and in read-only format after cancellation unless you request deletion.
When you delete content, we implement a soft delete process with a thirty (30) day recovery period during which you can restore the content. After thirty (30) days, or if you select permanent deletion, the content is removed from our active systems. Deleted content may persist in our backup systems for up to ninety (90) days for disaster recovery purposes. Once permanently deleted, content cannot be recovered.
After you cancel your subscription, we retain your account information to allow you to reactivate your subscription and access your existing content in read-only mode. We maintain transaction records as required for tax and accounting purposes, typically seven (7) years. You may request complete account deletion at any time, which will remove all your information except what we must retain for legal obligations.
In the event of a data breach that poses a risk to your personal information, we have response procedures to protect you and minimise potential harm. Our incident response includes immediate containment and assessment of the breach, investigation to determine the scope, cause, and affected data, and coordination with law enforcement and regulatory authorities as required.
We will notify affected users after confirming a breach likely to result in harm, or as otherwise required by applicable law. Our notification will include a clear description of what happened and when it occurred, the types of information that were involved, steps we are taking to address the breach and prevent future incidents, specific actions you can take to protect yourself, and contact information for further questions or assistance.
We will notify relevant authorities as required under the Australian Notifiable Data Breaches scheme, the GDPR for EU/UK users, and other applicable laws as required. We maintain detailed incident response documentation and will cooperate fully with regulatory investigations.
For EU/UK users: in addition to the rights described, you may object at any time to our processing of your personal information for direct marketing purposes, and we will stop processing for this purpose.
Under the Australian Privacy Principles, you have the right to access your personal information, request corrections to inaccurate information, and lodge complaints about privacy breaches. If you are unsatisfied with our response to a privacy concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.
If you are located in the European Union or United Kingdom, you have additional rights under the GDPR, including the right to data portability to transfer your information to another service, the right to restrict processing of your information in certain circumstances, the right to object to processing based on legitimate interests, and the right to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. Our legal bases for processing include consent for marketing communications, contract performance for providing the Services, legitimate interests for improving our Services and security, and legal obligations for compliance with applicable laws.
California residents have additional rights under the CCPA, including the right to know what personal information we collect, use, disclose, and sell (though we do not sell personal information), the right to delete personal information subject to certain exceptions, the right to opt out of the sale of personal information (not applicable as we do not sell personal information), and the right to non-discrimination for exercising privacy rights. California residents may exercise these rights by contacting us at hello@keepsakeproject.co or through the methods described in your account settings.
Our Services may contain links to third-party websites and services that are not owned or controlled by Keepsake. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link does not imply endorsement by Keepsake of the linked site or service.
If you choose to connect your social media accounts to share content or import photos, you grant us access to certain information from those accounts as permitted by your settings on the social media platform. You can disconnect these integrations at any time through your account settings or directly on the social media platform. Your interactions with social media features are governed by the privacy policies of the companies providing those features.
User-generated content may include references to or content from third parties. We are not responsible for the privacy practices related to such third-party content. Users are responsible for ensuring they have appropriate rights and permissions for any third-party content they include in their stories.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email to the address associated with your account, through a prominent notice on our Services, or by other means required by applicable law. We will provide at least thirty (30) days' notice before material changes become effective. We will also update this Privacy Policy if required by amendments to the Australian Privacy Act 1988 (Cth) or similar legal reforms.
We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices. The "Effective Date" at the top of this Privacy Policy indicates when it was last updated. Your continued use of the Services after changes become effective constitutes your acceptance of the revised Privacy Policy. If you do not agree to the updated Privacy Policy, you should discontinue use of the Services.
We maintain records of previous versions of this Privacy Policy. If you would like to review a previous version, please contact us at hello@keepsakeproject.co.
We do not actively monitor or review user content before it is posted to the Services. However, we reserve the right to review content when it is reported to us or when we become aware of potential violations of our Terms and Conditions. We may remove or restrict access to content that violates our policies or applicable laws.
If you encounter content that you believe violates our Terms and Conditions or is otherwise inappropriate, you can report it by using the report feature within the Services where available, or by emailing us directly at hello@keepsakeproject.co with details of your concern. We aim to review and respond to reports within forty-eight (48) hours. Reporters' identities are kept confidential to the extent permitted by law.
As our platform grows, we may implement additional content moderation measures, including automated detection systems for clearly prohibited content, expanded reporting and review processes, and community guidelines for appropriate content. Any such changes will be reflected in updates to this Privacy Policy and our Terms and Conditions.
We are committed to making our privacy practices accessible to all users, including those with disabilities. This Privacy Policy is designed to be compatible with screen readers and other assistive technologies. If you need this Privacy Policy in an alternative format or have difficulty accessing any part of our privacy practices, please contact us at hello@keepsakeproject.co.
We strive to ensure all privacy-related communications, including consent forms, data access requests, and privacy notices, are accessible. We will provide reasonable accommodations and alternative formats upon request to ensure all users can understand and exercise their privacy rights.
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer at:
Halftone Digital Pty Ltd
(trading as The Keepsake Project)
ABN: 52675706519
Attention: Privacy Officer
27 Carl St, Woolloongabba QLD 4102, Australia
Email: hello@keepsakeproject.co
We endeavour to respond to all privacy-related inquiries within ten (10) business days. Complex requests, such as data access or deletion requests, may take up to thirty (30) days to fulfil, as permitted by applicable law. We will acknowledge receipt of your request within forty-eight (48) hours and keep you informed of our progress.
If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the relevant supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC). For users in other jurisdictions, please contact your local data protection authority. We are committed to working with you and the appropriate regulatory authorities to resolve any privacy concerns.
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
Your stories are personal, and so is your privacy. We are committed to protecting both.