Legal Centre

Legal Documents

Version 5.0 • Effective May 2026 • MaxDex Services

1. Introduction & Identity of the Data Controller

This Privacy Policy ("Policy") describes how MaxDex Services ("Company", "we", "us", "our"), based in Melbourne, Victoria, Australia, collects, uses, stores, and protects personal information when you use the MaxDex mobile application (the "App"). We operate as the Data Controller in respect of personal data collected through the App.

This Policy is designed to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) (for users located in the European Economic Area), and the California Consumer Privacy Act (CCPA) (for California residents). By using the App, you consent to the data practices described in this Policy.

Our Data Protection contact: maxdexaiservices@gmail.com

2. Information We Collect

A. Account Information (Stored in Firebase Cloud)

When you create an account, we collect your email address, a unique User ID (UID) generated by Firebase Authentication, your chosen display name, and account creation timestamp. This information is necessary to provide you with secure account access and communicate with you about your account.

B. Health & Wellness Data (Stored On-Device Only)

The App collects the following health metrics using on-device sensors and APIs. This data is processed locally on your device and is never uploaded to or stored on any MaxDex-controlled server:

(i) Step count and physical activity data, collected via the device's built-in accelerometer and pedometer hardware;

(ii) Sleep duration and quality estimates, inferred from device motion patterns during overnight periods;

(iii) Manually logged workout sessions including duration and activity type;

(iv) Meal and calorie logs, stored locally after AI analysis is completed.

C. Goal, Task & Planner Data (Stored On-Device Only)

Your goals, daily tasks, planner schedules, chat history, and AI roadmap data are stored exclusively in your device's local application storage (Capacitor Preferences / Android SharedPreferences). This data is not synchronised to any cloud service and is not accessible by MaxDex Services.

D. Generative AI Data Processing (Ephemeral)

When you use AI features - including Chat AI, Morning Briefing, Evening Debrief, Goal Chat, and Meal Logging - the relevant input data (text messages, voice audio, meal photos, or contextual goal summaries) is transmitted to Google Gemini AI via Firebase Cloud Functions for real-time processing. MaxDex Services does not store, log, or retain this AI interaction data in any MaxDex-controlled database. This data is governed by Google's Enterprise Data Processing Terms and is prohibited from being used to train Google's foundational AI models.

Reporting Content: Users have the right to report any AI-generated content that is offensive, harmful, or inaccurate. Reports can be submitted via the "Report Issue" button in the App Settings or by emailing support@maxdex.ai.

E. Usage & Analytics Data

We use Firebase Analytics to collect pseudonymised event data, including feature interactions, session duration, and app crash reports. We have explicitly disabled Advertising ID (ADID) collection to prevent cross-application tracking. This data is used solely to understand feature usage and improve App stability.

3. How We Use Your Information

We use the information we collect for the following purposes:

(a) To create and manage your account and verify your identity;

(b) To provide personalised AI coaching, goal strategy, and health insights through the App's features;

(c) To process your AI requests by transmitting relevant data to Google Gemini for response generation;

(d) To improve App performance, diagnose technical issues, and develop new features through anonymised analytics data;

(e) To communicate with you about your account, including critical security or service notices;

(f) To comply with our legal obligations under applicable law.

We do not use your personal information for marketing to third parties, profiling for advertising purposes, or any purpose beyond those listed above.

4. Legal Basis for Processing (GDPR)

For users located in the European Economic Area, we rely on the following legal bases for processing personal data:

(a) Performance of a Contract: Processing your account information is necessary to provide the Service you have contracted us to deliver;

(b) Consent: For processing audio data during AI voice calls and sensor data for health tracking, we rely on your explicit consent, which you provide at the point of granting the relevant device permissions;

(c) Legitimate Interests: For Firebase Analytics data collection, we rely on our legitimate interest in understanding App usage to improve the Service, balanced against your privacy rights;

(d) Legal Obligation: Where required by applicable law.

5. Third-Party Data Processors

We engage the following third-party service providers who act as Data Processors under our instruction:

(a) Google LLC (Firebase Authentication & Firestore): Processes account identity data (email, UID, display name, subscription status) for secure authentication and account persistence. Governed by Google's Cloud Data Processing Addendum.

(b) Google LLC (Firebase Cloud Functions): Hosts our backend AI processing logic. AI interaction data is routed through Cloud Functions to Google Gemini for real-time response generation. Data is not persistently stored in Cloud Functions.

(c) Google LLC (Gemini AI): Provides the AI language model that powers Max, Goal Chat, Roadmap generation, and all voice processing. Subject to Google's Enterprise Privacy Agreement prohibiting use of data for model training.

(d) Google LLC (Firebase Analytics): Processes pseudonymised usage events for App improvement purposes. ADID collection is disabled.

We do not share personal information with any other third parties. We do not sell, rent, or trade personal data to any party for any purpose.

6. Data Retention

Cloud Account Data: Your Firebase Authentication records (email, UID, display name) are retained for as long as your account remains active. Upon account deletion, this data is permanently removed from Firebase within 30 days, subject to any applicable legal retention requirements.

Local Device Data: Health metrics, goals, planner data, and chat history stored on your device are retained until you uninstall the App, clear the App's data through your device settings, or exercise your right to erasure. Once deleted, this data cannot be recovered by MaxDex Services.

AI Processing Data: Data submitted to Google Gemini for AI processing is transient and subject to Google's session retention policies. MaxDex Services does not retain copies of this data.

Analytics Data: Firebase Analytics event data is retained by Google for a maximum of 14 months under standard Firebase Analytics retention settings.

7. International Data Transfers

MaxDex Services is based in Victoria, Australia. However, Google's infrastructure — including Firebase, Cloud Functions, and Gemini AI — operates globally across multiple data centre regions, including the United States. When AI features are used, data may be transferred to and processed in these international jurisdictions.

We ensure that such international transfers are conducted under appropriate safeguards, including Google's Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which provide equivalent data protection to that required under Australian and European data protection law.

8. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

(a) Right of Access: You may request a copy of the personal data we hold about you;

(b) Right to Rectification: You may request correction of inaccurate personal data;

(c) Right to Erasure: You may request deletion of your account and associated cloud data via Settings > Profile > Delete Account, or by contacting us directly;

(d) Right to Restriction: You may request that we restrict processing of your data in certain circumstances;

(e) Right to Data Portability: Where technically feasible, you may request a copy of your data in a portable format;

(f) Right to Object: You may object to processing based on legitimate interests;

(g) Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at maxdexaiservices@gmail.com. We will respond within 30 days. Australian users may also lodge complaints with the Office of the Australian Information Commissioner (OAIC). EEA users may lodge complaints with their relevant national Data Protection Authority.

9. Data Security

We implement industry-standard technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. Account data stored in Firebase is protected by Firebase Authentication access controls and HTTPS encryption in transit. Firebase Firestore security rules restrict access to authenticated users viewing only their own data.

While we take reasonable precautions to secure your data, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee the absolute security of your data and are not responsible for security breaches that are outside our reasonable control, including breaches occurring within Google's infrastructure.

10. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13 without parental consent, we will take immediate steps to delete such information. If you believe we have collected information from a child under 13, please contact us at maxdexaiservices@gmail.com.

11. Amendments to This Policy

We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our practices, applicable law, or the features of the App. The date of the most recent revision is indicated at the top of this Policy. Where changes are material, we will endeavour to provide prominent notice within the App or via email. Your continued use of the App following notice of amendments constitutes your acceptance of the updated Policy.

12. Contact

For all privacy-related enquiries, data subject access requests, or complaints, please contact MaxDex Services at: maxdexaiservices@gmail.com. We aim to respond to all enquiries within 30 calendar days.