Lilianna

Privacy Policy

Last updated: 12 May 2026

Welcome

Thanks for choosing Lilianna. We're genuinely grateful you've chosen to trust us with your gift card wallet, and we've written this policy in plain English so you know exactly what happens with your information.

Lilianna is operated by One Half (Sydney) Pty Limited, a private company incorporated in New South Wales, Australia (referred to in this policy as "Lilianna", "we", "us", or "our").

We don't sell your data, we don't show advertising, and we deliberately collect as little personal information as possible. This policy explains the rest.

1. Australian Privacy Law

We comply with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) set out in Schedule 1 of that Act. We also comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act and will notify affected users and the Office of the Australian Information Commissioner (OAIC) of any eligible data breach as required.

2. Information We Collect (APP 3)

We only collect personal information that we reasonably need to run Lilianna for you.

Account information

  • Your email address — to identify your account and send security-related messages.
  • Your name and profile photo, if you sign in with Google.
  • A bcrypt-hashed copy of your password, if you sign up with email and password. We never store plain-text passwords.
  • A bcrypt-hashed copy of your 4-digit security PIN.

Gift card and wallet data

  • Gift card details you add: brand, card number, PIN, opening balance, current balance, expiry date.
  • Loyalty / membership card details: brand, member number, colour, default status.
  • Receipt images you scan, the OCR-extracted text, and any line items you save.
  • Transactions you record against gift cards (amount, date, description, category).

Family sharing data

If you create or join a family group, we store the relationship between accounts, the nickname you choose for yourself within that group, and invitation tokens you generate.

Technical data

  • Your IP address — for rate-limiting against brute-force sign-ins, registrations, and password reset requests. We don't associate IP addresses with your account beyond the rate-limit window.
  • Standard server logs from our hosting provider that include request paths, status codes, and timestamps.

We do not collect sensitive information as defined by APP 3.3 (such as health, race, religious or political views).

3. Encryption and Security (APP 11)

We take reasonable steps under APP 11 to protect your information from misuse, interference, loss, unauthorised access, modification, and disclosure.

We encrypt your most sensitive data at rest using AES-256-GCM with a unique initialisation vector per field. This applies to:

  • Gift card numbers and PINs
  • Loyalty / membership card member numbers

The encryption key is held only in our server runtime environment and is not accessible via database access alone. All traffic between your device and our servers is encrypted in transit using TLS (HTTPS).

Despite our reasonable precautions, no online service can guarantee absolute security. You acknowledge that you provide information to us at your own risk and agree to use a strong, unique password.

4. How We Use Your Information (APP 6)

We use the information we collect to:

  • Provide the gift card wallet, receipt scanning, and family sharing features you ask us to perform.
  • Authenticate you and protect your account.
  • Send transactional emails — currently only password reset emails. These are not marketing communications and are sent in reliance on our legitimate interest in keeping your account secure.
  • Investigate complaints, abuse, fraud, and security incidents.
  • Improve the App by reviewing aggregated server logs and error reports.
  • Comply with our legal obligations and respond to lawful requests from regulators or law enforcement.

We do not use your data for advertising and we do not sell, rent, or trade your data with third parties for commercial gain.

If we ever want to use your information for a new purpose that isn't reasonably related to the original purpose, we will get your consent first.

5. Direct Marketing (APP 7 and the Spam Act 2003)

We do not currently send marketing communications. If we ever do, we will only send them with your consent and will include a clear unsubscribe option in every message, as required by the Spam Act 2003 (Cth). You can withdraw consent at any time by emailing us.

6. Disclosure to Service Providers

We use a small number of trusted infrastructure providers to operate Lilianna. We share only the minimum information needed for them to perform their service:

  • Vercel Inc. (United States) — hosts the App; receives request logs.
  • Supabase (data hosted in AWS Sydney, ap-southeast-2) — hosts our Postgres database with the encryption described in Section 3.
  • Google LLC (United States) — handles Google sign-in if you choose that option; shares your email, name, and profile photo with us.
  • Resend (United States) — sends transactional emails; receives only your email address and the message contents.
  • Alibaba Cloud / Qwen (Singapore) — receives receipt and utility-bill images you choose to scan, to extract structured data via OCR. Images are processed transiently and not retained for AI model training.

Each of these providers is contractually required (or required by their own privacy commitments) to handle your information securely and to use it only as we direct.

7. Overseas Disclosure (APP 8)

Some of the providers listed above are based overseas. By using Lilianna you consent to your information being disclosed to those providers in the countries listed (United States and Singapore) for the purposes described in Section 6.

Where we disclose information overseas, we take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that information.

8. Cross-Account and Family Sharing

If you join or create a family group, the gift cards, receipts, and transactions in that group are visible to every member of the group. Personal data you upload (gift card numbers, receipt images, etc.) will be visible to other family members you choose to share with. We encourage you to invite only people you trust.

9. Data Retention

We keep your account data for as long as your account exists. When you delete your account using "Delete my account" in the Profile tab, we permanently remove your account record and all directly- associated data — gift cards, receipts, transactions, etc. — in a single database transaction.

If you are a family group owner, deleting your account also disbands the group. Sub-users keep their own accounts but lose access to your shared wallet.

Anonymised server logs are retained by our hosting provider for up to 30 days. We may retain limited information for longer where we are legally required to (for example, to comply with tax, accounting, or anti-fraud obligations).

10. Your Rights (APP 12 and APP 13)

Under Australian privacy law, you have the right to:

  • Request access to the personal information we hold about you (APP 12).
  • Request correction of inaccurate or outdated information (APP 13).
  • Delete your account and associated data at any time, directly from the App.
  • Withdraw consent, where consent is the legal basis for processing.
  • Make a complaint to us, and if you are not satisfied with our response, to the OAIC.

You can exercise access, correction, and deletion rights directly in the App (Profile tab). For anything else, please email us at customerservice@onehalf.au. We aim to respond within 30 days, as required by the Privacy Act.

11. Complaints

If you think we have mishandled your personal information, please email us at customerservice@onehalf.au with the subject line "Privacy complaint". We'll acknowledge within five business days and provide a substantive response within 30 days.

If you are not satisfied with how we have handled your complaint, you may contact the Office of the Australian Information Commissioner:

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

12. Children

Lilianna is not designed for, and not directed at, children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, please contact us and we will delete it promptly.

13. Cookies and Local Storage

We use a small number of essential cookies and browser storage entries to keep you signed in, remember your PIN-verified state for the current session, and protect against cross-site request forgery. We do not use third-party tracking or analytics cookies.

14. Changes to This Policy

We may update this policy when our practices change. The "Last updated" date at the top tells you when. Material changes will be highlighted on the App home screen for a reasonable period, and where required by law we will obtain your renewed consent before applying them.

15. Contact

One Half (Sydney) Pty Limited
Privacy Officer
Email: customerservice@onehalf.au
Postal: please request a postal address by email if needed.

← Back to sign inTerms of Service →