aquasentinel Privacy Policy

Privacy Policy

How AquaSentinel collects, stores, uses, and protects information about you, your home, and the people you nominate to help when a leak fires.

Effective: 27 April 2026 · Version: 1.0 · Jurisdiction: Australia

The short version. Your data lives in Sydney. We don't sell it. We share only what an insurer or plumber needs to respond to a leak. You can opt out of SMS by replying STOP, opt out of push in iOS settings, and request deletion of your account at any time. Full detail below.

01Who we are

"AquaSentinel" (we, us, our) is an Australian residential water-leak detection and plumber-dispatch service. We provide IoT sensors that detect leaks at your home and coordinate a response involving you, optionally a nominated neighbour or building manager, a verified local plumber, and — where you have an active home-insurance policy with a participating insurer — your insurer's claim-handling team.

We are based in Australia and operate exclusively from Australian Web Services (AWS) infrastructure in the Sydney Region (ap-southeast-2).

Contact for privacy matters: privacy@aquasentinel.pro · Postal: AquaSentinel, [registered AU address].

02Data sovereignty — where your data lives

Every byte of personal data we hold about you, your home, and your nominated contacts is stored in AWS Sydney (ap-southeast-2):

Aurora PostgreSQL — your account, property, sensor history, contact list, dispatch records, claim audit threads. Encrypted at rest with AWS-managed KMS keys.
Amazon S3 (Sydney) — photos uploaded as part of a leak response (mains-tap location, damage evidence). Object-level encryption.
Amazon CloudWatch (Sydney) — application logs, retained for diagnostic purposes with bounded retention.
AWS Cognito (Sydney) — authentication identities. Passwords are never stored by us in plaintext or hash; AWS handles secure auth with PBKDF2-derived keys.
Amazon SNS / Pinpoint (Sydney) — outbound SMS and push notification dispatch.

We do not use AWS Regions outside Australia for primary storage. Backups remain within ap-southeast-2 unless we expand explicitly to other Australian regions and update this policy first. Cross-border transfer of personal information happens only in narrow, disclosed cases — see Section 07.

Why this matters for insurer partners. Australian general insurers (Suncorp, IAG, QBE and others) operate under Australian Privacy Principles (APPs) and increasingly require their data partners to hold customer data on Australian soil. AquaSentinel's architecture is Sydney-only by design — not by accident — so an insurer due-diligence team can verify residency in a single AWS console screenshot.

03What we collect, and why

Category	What's collected	Why
Account	Name, email, phone, password (hashed by Cognito), role (homeowner / plumber / building manager).	Sign you in; address you correctly in alerts.
Property	Address, geocoded coordinates, mains-tap location and photo (optional).	Route the right plumber; tell a neighbour where to find your mains shutoff.
Sensor data	Moisture readings, flow, pressure, battery, last-seen timestamps from the sensors you install.	Detect leaks; rank severity; raise alerts.
Contacts	Names, phone numbers, relationship type (neighbour / building manager / installer) for the people you nominate as emergency contacts.	So we can SMS them when a leak fires. We collect contacts only after you add them in the app — we do not read your phone's address book.
Location (Pro app only)	Plumber location (when actively on the network and tracking is enabled by the plumber).	Match the nearest plumber to a job. Plumbers can pause sharing at any time.
Photos	Mains-tap photo, leak evidence, post-repair photos uploaded inside the app.	Speed up the plumber's first visit; build the insurer claim pack.
Communications	Messages and structured Q&A answers exchanged inside a dispatch chat.	Coordinate the response; produce a tamper-evident archive when the dispatch closes.
Device tokens	Apple Push Notification (APNs) tokens, per app bundle (consumer / pro / owner).	Deliver push notifications. Tokens are opaque to us.
Diagnostics	App version, build number, device model, OS version, crash logs and rate-limited debug events.	Find and fix bugs. Used in aggregate; not linked to insurance claims.

04Consent and opt-in

You opt in to AquaSentinel's services in three places, and each opt-in can be withdrawn:

Account creation in the iOS app. When you sign up, you actively check a consent box covering: receipt of transactional SMS to the number you provide, push notifications, and acceptance of this Privacy Policy.
Adding an emergency contact. When you nominate a neighbour, building manager, or other contact in the app, that person receives an enrollment SMS identifying who added them and offering an immediate STOP-out before any leak alert ever reaches them.
Plumber sign-on. Plumbers using AquaSentinel Pro consent at signup to receive job-offer SMS, share live location while on the network, and have their performance metrics shared with insurers and customers in aggregate.

Honest disclosure of current state. Some of the consent surfaces described above are being rolled out as part of our active development — see the Section 12 changelog for what's live today vs in the next release. We will not store personal data we have not informed you about; this policy is updated before any new data type is collected.

05How alerts and SMS work

When a sensor detects a leak meeting our severity threshold, we run a coordinated response:

An SMS and a push notification go to you (the property owner) immediately. Severity, address, and a deep link to the dispatch chat.
If you have configured emergency contacts (a neighbour, a building manager) and the leak severity warrants, those people receive an SMS asking them to check on the property — only ever after they have completed enrollment opt-in.
Verified local plumbers within range receive a job-offer SMS and push. The first plumber to accept gets the job; the others see "no longer available".

SMS opt-out: reply STOP to any AquaSentinel SMS at any time. We process the keyword automatically (also accepting UNSUBSCRIBE / CANCEL / END / QUIT) and stop sending you SMS within minutes. Reply HELP for our service description and the contact email above.

Push opt-out: turn off notifications for AquaSentinel in iOS Settings → Notifications → AquaSentinel.

Sender identity: SMS appear from "AQUASENT" (registered Sender ID — pending registration, see Section 12) for Australian recipients, and from a long code in regions where Sender IDs are not supported.

We do not send marketing or promotional SMS. All AquaSentinel SMS are transactional safety alerts or coordination messages tied to a specific event you or your property is part of.

06Who we share data with

We share information only with parties who are necessary to deliver the service you signed up for, and only the minimum required:

Recipient	What they see	Why
The plumber assigned to your job	Property address, mains-tap location and photo (if you've shared one), the dispatch chat thread, sensor reading at time of alert.	So they can arrive prepared and stop the leak fast.
The neighbour / building manager you nominated	Property address, your first name, mains-tap location, the dispatch thread.	So they can walk over and shut off the water.
Your insurer (foundation-partner insurers only, when you have an active policy and the leak triggers a claim)	The dispatch audit pack: alert metadata, response timeline, photos, plumber's verified shutoff record.	Faster, evidence-based claim resolution. We never share your full chat history with marketing or general insurer staff — only the closed claim pack with their authorised claim assessor.
AWS (our infrastructure provider)	All operational data, encrypted, in AWS Sydney.	Compute, storage, dispatch. AWS is bound by their Customer Agreement and the Australian Privacy Principles.
Anthropic (Claude model API, via AWS Bedrock or HTTPS)	Severity-scoring snippets and dispatch summarisation prompts. No PII is sent — alerts are de-identified before scoring.	Severity assessment, narrative summarisation. Anthropic does not retain prompts past 30 days under our terms.
Apple (Push notification service)	Encrypted notification payload + your device token.	Deliver push to your device.
Tuya (sensor cloud, where used)	Raw sensor telemetry. Tuya holds device data in its regional cloud; we mirror it into AWS Sydney as soon as our bridge ingests it.	The IoT sensor manufacturer's stack feeds raw readings into ours. We are reviewing alternatives that keep telemetry in Sydney from the device upward.
Stripe (payments — plumbers and pro accounts)	Payment card and account details, processed entirely on Stripe's infrastructure. We never store card numbers.	Process plumber subscriptions and call-out payments.

We do not sell, rent, or trade your personal data with any party for marketing or analytics purposes. We do not run advertising. We do not enrich your data against third-party data brokers.

07Cross-border transfers

Primary storage is in AWS Sydney. Limited cross-border transfer of personal data may occur in the following narrow cases:

Apple Push Notification Service. Push payloads transit Apple's global infrastructure. Apple is a US-headquartered company with global infrastructure; their handling of push data is governed by their developer agreement.
Anthropic API requests may transit US infrastructure when not routed via AWS Bedrock. We send severity-scoring prompts only, with personal identifiers removed.
Tuya sensor cloud. Tuya operates regional clouds; in Australia they operate from Singapore. We are working towards eliminating this dependency. Until then, raw sensor telemetry briefly transits Tuya before mirroring to our Sydney AWS infrastructure.
Stripe processes payments in the country of the merchant of record, which for AquaSentinel is Australia. Stripe's data handling complies with Stripe's published privacy notice.

We rely on contractual safeguards (AWS Customer Agreement, Anthropic Terms, Stripe DPA, Tuya DPA) and the Australian Privacy Principle 8 framework for cross-border disclosures.

08Your rights

Under the Australian Privacy Act 1988 (and the Australian Privacy Principles) you have the right to:

Access your data. Email privacy@aquasentinel.pro with the email address on your account; we'll provide a JSON export of everything we hold about you within 30 days.
Correct your data. Edit your profile in the app, or email us if a record is wrong.
Delete your data. Request deletion at the same email. We will delete or de-identify your personal data within 30 days, except for what we are legally required to retain (e.g. closed insurer-claim audit packs, which are retained for 7 years for insurance regulatory purposes — see Section 09).
Withdraw consent. Reply STOP to SMS, disable push in iOS Settings, or delete your account.
Make a complaint. If you believe we have mishandled your data, contact us first. If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

09How long we keep things

Data type	Retention	Why
Account profile	For the life of your account, then 90 days	Reactivation grace; then deletion.
Sensor history	5 years rolling	Anomaly baselining; insurance claim history.
Dispatch audit pack (when a claim fires)	7 years	Australian insurance regulatory retention.
Photos	2 years from upload	Tied to the dispatch they belong to.
Diagnostic logs	30 days	Bug investigation; cost control.
SMS opt-out flag	Indefinitely	So we never SMS someone who opted out.

10Security

We design with insurer-grade obligations in mind even in our pilot phase:

Encryption at rest: Aurora, S3, and Secrets Manager all use AWS KMS encryption.
Encryption in transit: TLS 1.2+ on all API endpoints; certificate-pinned mobile clients (in progress).
Network isolation: Database lives in private VPC subnets with no internet routing. Only Lambda functions in the same VPC reach it.
Authentication: AWS Cognito with PBKDF2-hashed passwords, short-lived JWTs (1-hour ID tokens), automatic refresh.
Least-privilege IAM: every Lambda has a tightly-scoped role; no shared "admin" credentials in app code.
Auditability: CloudTrail events captured for the AWS account; CloudWatch alarms on critical paths (DLQ depth, DB CPU, API 5xx) page the on-call.
Multi-tenant isolation (when foundation-partner insurers onboard): per-tenant row-level security in PostgreSQL with the tenant identity carried via the user's Cognito token. An insurer cannot see another insurer's data even with full code access.

No system is perfectly secure. If we discover an incident affecting your data, we will follow Australian Notifiable Data Breaches obligations and tell you within the legal window.

11Insurer-aligned compliance

AquaSentinel is built to onboard cleanly with Australian general insurers. We have aligned the platform with the obligations our foundation partners are bound by, including:

Australian Privacy Principles (APPs) — collection limitation, purpose limitation, cross-border restriction, retention, security, access and correction.
APRA CPS 234 (Information Security for regulated entities) — security controls and incident reporting compatible with what an insurer's CISO will require of any IoT partner.
Australian Notifiable Data Breaches scheme — incident notification within 30 days of becoming aware of an eligible breach.
Insurance Council of Australia general practices — fair claim handling, transparent communication, right to internal dispute resolution.
Data sovereignty — see Section 02. Sydney-only primary storage.

We do not yet hold ISO 27001 or SOC 2 certifications — these are deliberate roadmap items as we scale into a fully audited posture for the first foundation-partner pilot's transition to general availability.

12What's live today vs. shipping soon

This is a working pilot. Some of the privacy commitments above are operational today; some are actively being built. Honesty matters more than marketing here:

Live today Verified

Sydney-only data residency for all primary storage.
Encryption at rest (Aurora KMS), TLS in transit, private-VPC database isolation.
STOP-keyword SMS opt-out (server-side handler).
Audience-tagged dispatch messages so unrelated parties don't see each other's chat.
Dispatch auto-close + JSONB archive snapshot on verified shutoff.

Building (in next 30 days) Roadmap

Explicit signup-time consent screen in the iOS Consumer + Pro apps with separate toggles for SMS, push, and emergency-contact notifications.
In-app Notification Settings page with per-channel opt-in/out.
Enrollment SMS for nominated emergency contacts (with STOP before any alert).
HELP keyword auto-reply.
In-app "Privacy Policy" link visible from signup and from Settings.
"Delete my account" flow inside the app (currently email-request only).
Sender ID registration (AQUASENT) for Australian SMS.
Migrate Anthropic LLM calls fully to AWS Bedrock so they remain in-region.

13Children

AquaSentinel is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal data to us, contact privacy@aquasentinel.pro and we will delete it.

14Changes to this policy

If we materially change how we collect, use, or disclose your personal data we will update this page, bump the version number, and — for active users — send a one-time SMS or push to flag the change so you can review it. We will not retroactively apply new permissions to data already collected under an older policy.

15Contact

Privacy questions, access or deletion requests: privacy@aquasentinel.pro.
General contact: hello@aquasentinel.pro.
Founders: brad · chris · michael · @aquasentinel.pro