Privacy Policy

Last updated: 3 March 2026

1. Who we are

Woggley is an event management and RSVP platform built for Australian Scout Groups. The platform is operated on behalf of your Scout Group, which is responsible for the personal information collected through Woggley.

For privacy inquiries, contact us at privacy@woggley.com.

2. What personal information we collect

We collect the following categories of personal information:

Category	Information	Who provides it
Account details	Name, email address, password	Leaders and parents at sign-up
Member profiles	Name, date of birth, address, gender, external ID	Leaders (via import or manual entry)
Guardian relationships	Guardian-dependant links, relationship type	Leaders (via import)
Medical records	Conditions, allergies, medications, Medicare details, doctor details, emergency contacts, swimming ability, dietary requirements	Parents and leaders
Medical action plans	Uploaded PDF documents (anaphylaxis, asthma, epilepsy plans)	Parents and leaders
Event responses	RSVP status, answers to event-specific questions	Parents
Attendance records	Presence or absence at events	Leaders
Communication preferences	Preferred notification channels, muted notification types	Parents and leaders

3. How we collect information

Directly from you — when you create an account, submit an RSVP, enter medical information, or update your profile.
From Scout Group leaders — when leaders add members, import member lists, or record attendance.
From uploaded documents — when you upload medical action plans and optionally allow AI-assisted extraction of medical details from those documents (with your explicit consent).

4. Why we collect it

Information	Purpose
Account details	To authenticate you and manage your access to the platform
Member profiles	To organise section membership, send event invitations, and fulfil the Scout Group's duty of care
Medical records	To ensure the health and safety of members during Scout activities and respond appropriately in emergencies
Event responses	To plan events, manage attendance, and communicate logistics
Attendance records	To track participation for safety and reporting
Communication preferences	To respect your choices about how you receive notifications

5. How we store and protect your information

Database — personal information is stored in a PostgreSQL database hosted by Supabase on Australian infrastructure (Sydney region).
Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS (HTTPS).
Encryption at rest — database storage is encrypted at rest by the hosting provider.
Medical data — medical records are subject to additional protections including audit logging (who accessed what and when) and role-based access controls (only authorised section leaders can view medical information for members in their section).
Offline access — when leaders download event packs for offline use, medical information is encrypted using AES-256-GCM with a password-derived key.
Access controls — the platform enforces role-based access. Parents can only see their own children's information. Leaders can only see information for members in their assigned sections. Adult helpers have restricted access and cannot view medical records.
Passwords — passwords are hashed and never stored in plain text.

6. Who we share your information with

We share personal information with the following third-party services to operate the platform:

Service	What is shared	Why	Data protection
Supabase	Email, authentication credentials	User authentication and database hosting	DPA in terms of service
Resend	Names, email addresses, event details	Sending email notifications (RSVP reminders, event updates)	DPA in terms of service
Twilio	Names, mobile numbers, event details	SMS and WhatsApp notifications (when enabled by the user)	DPA in terms of service
Vercel	Application requests, uploaded files	Application hosting and file storage for action plans	DPA in terms of service
OpenRouter / Claude AI	Medical document content (only with explicit consent)	AI-assisted extraction of medical details from uploaded documents	No formal DPA

We maintain formal data processing agreements (DPAs) with our service providers where available. These agreements set out how providers must handle, protect, and delete personal data. Details of our data processing agreements are available on request by contacting privacy@woggley.com.

We do not sell personal information. We do not use personal information for advertising or marketing beyond Scout Group communications.

Your information is also accessible to authorised leaders within your Scout Group, subject to role-based access controls.

7. Overseas disclosure

Our primary infrastructure providers host data within Australia:

Supabase — database and authentication hosted in Australia (Sydney region).
Vercel — application hosting with the origin server located in Australia (Sydney region).

Some services we use process data outside Australia:

Resend — US-based email infrastructure.
Twilio — US-based SMS and messaging infrastructure (with partial Australian presence).
OpenRouter — US-based AI processing (only when you give explicit consent for medical document extraction).

We take reasonable steps to ensure all services protect your information in accordance with the Australian Privacy Principles.

8. Accessing and correcting your information

You have the right to:

Access the personal information we hold about you.
Correct information that is inaccurate, incomplete, or out of date.

Self-service: Parents can view and update their own profile and their children's medical records directly in the app. Leaders can update their own profile.

Requests: For other access or correction requests, email privacy@woggley.com.

We will respond to access requests within 30 days. If we refuse a request, we will provide written reasons.

9. Making a privacy complaint

If you believe we have breached the Australian Privacy Principles:

Contact us — email privacy@woggley.com with details of your concern.
Internal review — we will acknowledge your complaint within 7 days and investigate within 30 days.
Escalation — if you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

10. Changes to this policy

We may update this privacy policy from time to time. When we make significant changes, we will notify users via email or an in-app notice. The “Last updated” date at the top of this page indicates when the policy was last revised.