Privacy Policy

We take the privacy and safety of survivors seriously. This policy explains what information we collect, how we use it, and the technical and legal protections we have in place.

Effective date: 8 June 2026  ·  The Purple Arrow  ·  Queensland, Australia

Important: The Purple Arrow is a support and advocacy service. Nothing on this website or from Amy constitutes legal advice. If you are in immediate danger, please call 000. DVConnect QLD is available 24/7 on 1800 811 811.

1. Who We Are

The Purple Arrow ("we," "us," "our") is a domestic violence survivor support and advocacy service based in Queensland, Australia. We operate the website at thepurplearrow.com.au and related tools including the Secure Vault, the Recovery Roadmap, and the Amy support guide.

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Given that we work with survivors of domestic violence, we treat all information shared with us as sensitive personal information under APP 3, regardless of how it is technically classified.

For privacy questions, contact us at: hello@thepurplearrow.com.au

2. Information We Collect

We collect only what is necessary to provide our services safely and effectively.

Account information

  • Your name and email address when you create a vault account
  • Account credentials (email and password) managed by our authentication provider, Clerk

Onboarding profile

When you first log in to the vault, we ask you to complete a short onboarding quiz. This includes:

  • Your role (e.g. survivor seeking support, support worker, friend or family member)
  • A small number of optional questions about your current situation and what you are most looking for help with

These answers help us personalise your vault experience and are stored encrypted (see Section 6). You can update them at any time.

Vault content you create

  • Your safety plan
  • Incident log entries and any attached files or photos
  • Documents you upload (e.g. protection orders, legal correspondence)
  • Protection order preparation requests
  • Recovery Roadmap progress and notes

Information collected automatically

  • Basic server logs (request timestamps, IP addresses) — retained briefly by our hosting provider, Netlify
  • Your last seen date within the vault (used for admin purposes only)

We do not use advertising trackers, Facebook Pixel, Google Analytics, or any third-party marketing tracking on our site.

3. How We Use Your Information

We use your information to:

  • Provide and maintain your Secure Vault account
  • Personalise your vault experience based on your onboarding answers
  • Respond to requests for assistance with protection orders or safety planning
  • Support our team in understanding who is using the platform (in aggregate, not individually) to improve our services
  • Send you relevant updates or resources if you have opted in
  • Comply with legal obligations

We will never use your personal information for advertising or marketing purposes without your explicit consent. We will never sell your data.

4. Where Your Information Is Stored

All vault data is stored in a secure, encrypted database. Here is a precise breakdown of what is stored where:

Data type | Where stored | Encrypted?
Account login (email, password) | Clerk Inc. (USA) | Yes — by Clerk
Safety plan, incident log, documents, protection orders, Recovery Roadmap, onboarding answers | Neon Inc. PostgreSQL database (AWS, USA) | Yes — AES-256-GCM
Your name, email, last seen date (for admin use) | Neon Inc. PostgreSQL database (AWS, USA) | Plaintext (admin-only table)
Contact form and protection order submissions | Netlify Inc. (USA) | Yes — via Netlify's TLS/storage

What AES-256-GCM means in plain language: Your vault content is scrambled using the same encryption standard used by banks, hospitals, and defence departments before it is saved to the database. Without the decryption key — which is held securely in our server environment and never stored in our code — the data is unreadable to anyone, including our team, even if they accessed the database directly.

Our infrastructure providers and their certifications:

  • Clerk Inc.: Authentication. SOC 2 Type II certified.
  • Neon Inc.: Database. SOC 2 Type II certified. All connections TLS-encrypted.
  • Netlify Inc.: Hosting & functions. SOC 2 Type II, ISO 27001 certified.

All three providers operate under US law and maintain cross-border data transfer agreements. By creating a vault account, you consent to your data being processed in the United States under these providers' terms.

5. Who We Share Your Information With

We do not sell, rent, or trade your personal information. We may share it only in the following circumstances:

  • Infrastructure providers: Clerk, Neon, and Netlify as described above — only to the extent necessary to operate our services
  • Your nominated advocate: If you choose to connect an advocate or support worker to your vault, they may be granted limited access to specific sections you approve (e.g. protection order submissions). You control this entirely
  • Legal requirements: If we are required by law to disclose information (e.g. a court order), we will do so only to the extent required and will notify you where we are legally permitted to do so
  • Imminent safety risk: If we have genuine reason to believe disclosure is necessary to prevent serious harm to you or another person, we may act accordingly — but we will always try to discuss this with you first where it is safe to do so

We will never share your information with police, government agencies, or any other third party without your consent, unless legally compelled.

6. How We Protect It

We have implemented multiple layers of protection, specifically designed around the needs of domestic violence survivors.

Encryption at rest

All sensitive vault data is encrypted using AES-256-GCM before it is stored in the database. This is authenticated encryption — meaning if any data were tampered with, decryption would fail and the system would reject it. Each record uses a unique random value (IV) per encryption operation, so patterns in data cannot be reverse-engineered. The encryption key lives exclusively in our secure server environment and is never included in our codebase or git history.
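The record-level scheme described above (fresh IV per operation, authenticated decryption that rejects tampered data, key taken from the server environment) can be illustrated in Node.js. This is an added example, not The Purple Arrow's code; the `VAULT_KEY_B64` variable name, the `iv || tag || ciphertext` storage layout, and binding the user id as associated data are assumptions that go beyond the policy text.

```javascript
const nodeCrypto = require("crypto");

// Assumption: the 32-byte key is supplied base64-encoded in an environment
// variable (VAULT_KEY_B64 is a hypothetical name). A random key is generated
// as a fallback only so this example runs offline.
const KEY = process.env.VAULT_KEY_B64
  ? Buffer.from(process.env.VAULT_KEY_B64, "base64")
  : nodeCrypto.randomBytes(32);

// Encrypt one record under a fresh random 96-bit IV. The owner's user id is
// bound in as associated data (an assumption beyond the policy text), so a
// ciphertext copied into another user's row fails authentication.
function encryptRecord(plaintext, userId, key = KEY) {
  if (key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored form: IV (12 bytes) || tag (16 bytes) || ciphertext, as base64.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt one stored record; throws if the tag, IV, ciphertext or user id
// does not match what was encrypted.
function decryptRecord(stored, userId, key = KEY) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < 28) throw new Error("record too short");
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws when the authentication tag does not verify.
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString("utf8");
}

// True when a stored record is rejected for the given user and key.
function isRejected(stored, userId, key = KEY) {
  try { decryptRecord(stored, userId, key); return false; } catch { return true; }
}
```

Encrypting the same text twice yields different stored values because of the per-operation IV, and flipping a single bit of a stored value makes `decryptRecord` throw instead of returning altered text.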

Encryption in transit

All data between your browser and our servers travels over HTTPS (TLS). We enforce this with HSTS (HTTP Strict Transport Security) set for two years, meaning your browser will refuse to load the site over an unencrypted connection after your first visit. Any HTTP request is immediately redirected to HTTPS.

Authentication

Every API request to our server verifies a cryptographically signed session token (JWT) using public-key cryptography. Tokens cannot be forged. Every database query is filtered to return only the data belonging to the verified user — it is technically impossible for one user to access another user's vault data.

Browser-level protections

  • Content Security Policy (CSP): A strict allowlist of permitted scripts and resources. Injected malicious scripts are blocked at the browser level
  • X-Frame-Options: DENY: The vault cannot be embedded in an iframe, blocking clickjacking attacks
  • Permissions Policy: Camera, microphone, location, and payment APIs are explicitly disabled
  • No caching: The vault page is never saved to browser or CDN cache. A shared computer cannot show the vault from history
  • Search engine exclusion: The vault does not appear in Google or any search engine
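The protections listed above, together with the two-year HSTS setting under "Encryption in transit", can be checked from the outside by inspecting response headers. The following is an added example, not the site's own code or configuration: the sample header sets are constructed, and reading "no caching" as `Cache-Control: no-store`, "search engine exclusion" as `X-Robots-Tag: noindex`, and "strict allowlist" as a `script-src` without wildcards or `'unsafe-inline'` are assumptions.

```javascript
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

// Each check returns true when the header value meets the stated protection.
const CHECKS = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= TWO_YEARS;
  },
  "content-security-policy": (v) => {
    // Assumed reading of "strict allowlist": script-src (or default-src)
    // exists and allows neither a bare wildcard nor 'unsafe-inline'.
    const dirs = Object.fromEntries(v.split(";")
      .map((d) => d.trim().split(/\s+/)).filter((t) => t[0])
      .map((t) => [t[0].toLowerCase(), t.slice(1)]));
    const src = dirs["script-src"] || dirs["default-src"];
    return !!src && !src.includes("*") && !src.includes("'unsafe-inline'");
  },
  "x-frame-options": (v) => v.trim().toUpperCase() === "DENY",
  "permissions-policy": (v) =>
    ["camera", "microphone", "geolocation", "payment"].every((f) =>
      new RegExp(`(^|,)\\s*${f}=\\(\\)\\s*(,|$)`).test(v)),
  "cache-control": (v) => /(^|,)\s*no-store\s*(,|$)/i.test(v),
  "x-robots-tag": (v) => /\bnoindex\b/i.test(v),
};

// Returns the sorted names of headers that are missing or too weak.
function auditHeaders(headers) {
  const seen = {};
  for (const [k, v] of Object.entries(headers)) seen[k.toLowerCase()] = String(v);
  return Object.keys(CHECKS)
    .filter((name) => !(name in seen) || !CHECKS[name](seen[name])).sort();
}

// Constructed sample responses (clerk.example is a placeholder origin).
const GOOD = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://clerk.example",
  "X-Frame-Options": "DENY",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
  "Cache-Control": "no-store", "X-Robots-Tag": "noindex",
};
const WEAK = {
  "Strict-Transport-Security": "max-age=31536000", // one year only
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Frame-Options": "DENY",
  "Permissions-Policy": "camera=(self), microphone=(), geolocation=(), payment=()",
  "Cache-Control": "no-cache", "X-Robots-Tag": "noindex, nofollow",
};
```

`auditHeaders(GOOD)` returns an empty list, while `auditHeaders(WEAK)` names the four headers that fall short of what the policy states.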

Quick Exit

Every page of the vault has a Quick Exit button. One click closes the vault and opens Google. For a survivor who hears a key in the door, that matters as much as any technical specification.

No system is 100% secure. If you believe your account or information may have been compromised, contact us immediately at hello@thepurplearrow.com.au.

7. How Long We Keep It

We retain your vault data for as long as your account is active. If you request deletion of your account:

  • All vault content (safety plan, incident log, documents, recovery roadmap, onboarding profile) will be permanently deleted from our database within 30 days
  • Your authentication record with Clerk will be deleted on request
  • Netlify form submissions (protection order requests) may be retained for up to 12 months for legal compliance purposes, after which they are deleted
  • Server access logs held by Netlify are typically retained for 30 days under their standard terms

To request deletion, email hello@thepurplearrow.com.au with the subject line "Delete my account."

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you
  • Correct any information that is inaccurate or out of date
  • Request deletion of your personal information (subject to any legal obligations we may have to retain certain records)
  • Update your onboarding profile at any time from within the vault settings
  • Complain about how we have handled your information

To exercise any of these rights, contact us at hello@thepurplearrow.com.au. We will respond within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or call 1300 363 992.

9. The Secure Vault

The Secure Vault is a private, authenticated area for registered users. It stores your safety planning tools, documents, and support resources in a single secure location accessible from any device when you log in.

  • All vault content is encrypted with AES-256-GCM before storage (see Section 6)
  • Your account is authenticated via Clerk — we never store your password
  • Every API request requires a verified session token — data cannot be accessed without your login
  • The vault has a Quick Exit button on every screen
  • The vault does not appear in search engines and is never cached by browsers

We recommend using a private (incognito) browser window when accessing the vault if you are concerned about someone else seeing your browser history on a shared device.

10. Your Onboarding Profile

When you first log in to the vault, you complete a short onboarding quiz. This helps us personalise your experience — for example, showing the Recovery Roadmap to survivors or directing support workers to client resources.

Your answers are stored encrypted in our database. They are visible to The Purple Arrow's authorised team members through our admin tools for the sole purpose of understanding who uses the platform and improving our services. They are never shared with third parties or used for advertising.

Specifically, we store:

  • Your selected role (survivor, support worker, or friend/family)
  • Your answers to the follow-up questions (e.g. where you are in your journey, what feels most urgent, your professional role if applicable)
  • The date and time you completed the onboarding

You can update or reset your onboarding profile at any time by contacting us, or from within the vault once that feature is available.

11. Amy — Our AI Support Guide

Amy is an AI-assisted support guide, not a human and not a lawyer. She is designed to help you understand your options, prepare safety plans, and navigate the support system. She does not provide legal advice.

When you use Amy, the following applies:

  • Conversations with Amy may be processed by an AI language model to generate responses. This processing is subject to the privacy practices of the AI provider used
  • We do not use your Amy conversations to train AI models
  • If you choose to generate a protection order preparation document, a summary is submitted to The Purple Arrow team so we can follow up with support
  • Amy does not retain a persistent conversation history across sessions on our servers
  • The documents Amy helps you prepare are preparation aids only — not completed legal documents. Review any documentation with a lawyer or Legal Aid Queensland before lodging anything with a court

If you are in immediate danger, do not use Amy — call 000 now. Amy is not a crisis line.

12. Cookies & Browser Storage

We do not use advertising cookies or tracking cookies. Our site uses:

  • Session storage: Temporary data cleared when you close your browser tab (used for admin preview access flags)
  • Clerk authentication cookies: Required to keep you logged in to your vault account. These are managed by Clerk Inc. and are strictly necessary for the service to function

No third-party analytics or advertising cookies are set on any page of this site.

13. Children's Privacy

Our services are intended for adults (18 and over). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information about a child, please contact us so we can delete it promptly.

If your situation involves children, we may ask about them to better understand your circumstances and connect you with appropriate services — but we will not contact children directly or share their information outside the protections described in this policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our services or legal requirements. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify registered vault users by email.

Continuing to use our services after changes are published constitutes acceptance of the updated policy. The previous version is available on request.

15. Contact Us

For any privacy questions, access requests, corrections, or complaints, please contact:

The Purple Arrow
Email: hello@thepurplearrow.com.au
Queensland, Australia

We aim to respond to all privacy enquiries within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.