Privacy Policy

Last updated: 4 June 2026

1. Who we are

PLOT (the "Service") is operated by The Coochin Company (ABN 59 670 336 963), based in Queensland, Australia. In this policy "we", "us", and "our" refer to The Coochin Company. We are an APP entity bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

The Service includes the website at plotplan.land, the web application at plotplan.land/app, and the PLOT mobile apps for iOS and Android. This policy covers personal information collected through any of those surfaces.

For any privacy question, access or correction request, or complaint, write to [email protected]. We acknowledge requests promptly and respond substantively within 30 days (sooner where the law requires).

2. Scope and key terms

  • Personal information has the meaning given in section 6 of the Privacy Act: information or an opinion about an identified or reasonably identifiable individual.
  • Project Data means the geometries, addresses, notes, photos, and other content you create inside a PLOT project.
  • Aggregate Insights means de-identified statistical outputs derived from Project Data at a regional level. See §11.
  • Mobile App means the PLOT iOS and Android applications distributed through the Apple App Store and Google Play.

3. The kinds of personal information we collect

The website

  • Newsletter / marketing list: your email address only, handled by our email service provider. You can unsubscribe with one click from any email.
  • Contact form: name, email, optional phone, optional business name, and the body of your message. Routed through our email service provider.
  • Analytics: Google Analytics 4, consent-gated. Page paths, referrer, anonymised IP, broad geolocation.
  • Diagnostics: we collect limited diagnostic information when something goes wrong so we can fix faults. Sensitive information is removed before it is stored.

The web application (plotplan.land/app)

  • Account profile: email, password hash, optional display name, optional TOTP secret for multi-factor authentication. Stored in our managed database hosted in Sydney, Australia.
  • Project Data: the geometries, addresses, notes, photos, and other content you create inside a PLOT project are stored in our managed database hosted in Sydney, Australia, scoped to your account — except photo / image attachments, which are held by our object-storage provider (Cloudflare R2; see §6, §7 and §10).
  • Geocoding queries: the addresses you type into the search hero are sent to Mapbox or to Nominatim/OpenStreetMap to resolve them into coordinates. The query string carrying the typed address is scrubbed from our server-side request logs.
  • Map tile loads: map tiles are fetched by your browser from Mapbox so it can render the basemap. Mapbox sees standard request metadata (IP, user-agent, referer).
  • Billing: Stripe handles payment data directly. We do not see your card number. Stripe returns to us your customer ID, plan, currency, status, the last four digits of your card, and country.
  • Photos / image attachments (paid tiers): when you attach a photo to a point of interest on a plan, the image file is uploaded from your browser straight to our private object-storage provider (Cloudflare R2) and referenced by your project. We store the image as part of your Project Data, scoped to your account and to that project. We do not analyse the image content. Photos are private by default and are visible to collaborators you have invited to the project, including those with read-only access. The links used to display a photo are short-lived, but while a link is valid anyone it is forwarded to can open it. See §6 and §10. Important: a photo file can carry embedded metadata (see the next item).
  • Photo metadata (EXIF / embedded data): photo files commonly carry embedded metadata such as GPS coordinates of where the photo was taken, the capture date and time, and device/camera details. We store the image exactly as you upload it and we do not strip this embedded metadata on the server. If you do not want this information attached to a project, remove the metadata before you upload, or upload a copy with the metadata cleared. Where your browser re-encodes the image before upload it may drop some embedded metadata, but this is browser-dependent and we do not strip metadata on our server — so the safe assumption is that an uploaded photo may still contain its original metadata, including its GPS location.

The Mobile App

The PLOT Mobile App is in pre-release at the time of writing (not yet available in the App Store or Google Play). When it ships, the Mobile App will sign you in to the same account as the web application, and in addition to the categories above will collect the following on a permission-gated basis:

  • Device data: operating system version, app version, device model. Sent with crash reports as limited diagnostic information; sensitive information is removed before it is stored.
  • Local storage: an authentication token, a cached copy of your most recent Project Data (for offline use), and your display preferences. Held on the device only; cleared on sign-out or app uninstall.
  • Location (optional, permission-gated): when you tap "find my property" the app may ask for foreground location to centre the map. We do not collect background location and we do not store the location server-side. The permission can be revoked from the device's system Settings.
  • Push notification token (rolling out post-launch): if you opt into push notifications, an APNs (Apple) or FCM (Google) device token is registered with our backend so we can send delivery notifications (e.g. data-export ready, share-link accepted). Revoking notification permission in system Settings stops further sends.
  • Camera / photo library (rolling out post-launch, permission-gated): only when you explicitly attach a photo to a point of interest on a plan. The photo is uploaded directly to our private object-storage provider (Cloudflare R2) as part of your Project Data and is never read without the explicit attach action. As with web uploads, a photo can carry embedded metadata (location, capture time, device details); we store the image as uploaded and do not strip this metadata on the server. See the photo-metadata item under "The web application" above.

The App Store and Google Play will publish their own privacy labels for the Mobile App reflecting the categories above when the binaries are submitted for review.

4. How we collect personal information

  • Directly from you when you sign up, create or edit projects, complete billing, attach a photo, contact us, or send a support message.
  • Automatically via cookies, request logs, our diagnostics tooling, and (with your consent) Google Analytics.
  • From third parties who process events on our behalf: Stripe webhooks confirm a successful subscription; our email service provider reports message deliverability and unsubscribe events.

5. Why we collect it (purposes of use)

  • To create and authenticate your account.
  • To store your projects and sync them across your devices.
  • To process subscriptions, calculate tax, and issue receipts.
  • To send transactional email (magic-link sign-in, password reset, billing receipts, data-export ready, project invitations) via our email service provider.
  • To send marketing email only if you have opted in, via our email service provider.
  • To respond to your messages and provide support.
  • To diagnose errors, detect abuse, and protect the Service.
  • To produce de-identified regional Aggregate Insights (see §11) where you have not opted out.
  • To comply with applicable law and respond to lawful requests.

6. Who we disclose your personal information to (sub-processors)

We use a small set of third-party service providers ("sub-processors") to deliver PLOT. Each receives only the personal information necessary to perform the function listed below.

  • Stripe: payment processing, subscription management, and tax calculation. Receives: email, billing address, card data (handled by Stripe; we never see it), customer ID.
  • Mapbox: map tiles (satellite imagery) and primary geocoding. Receives: the addresses you search, the map area you are viewing, and standard request metadata.
  • Cloudflare R2 (object storage): stores photo / image attachments you add to a plan. Receives: the image file you upload (which may carry the photo's embedded metadata, such as GPS location and capture time; see §3) and standard request metadata. It does not receive your account profile or billing data. The bucket is private; images are served back to you and to invited collaborators only via short-lived signed links. Cloudflare, Inc. is headquartered in the United States and operates a globally distributed storage network, so your photo data may be stored on, or accessed from, servers located outside Australia (see §7).
  • Nominatim / OpenStreetMap: fallback address search and the OpenStreetMap basemap used as a last-resort fallback. Receives: the addresses you search, the map area you are viewing, and standard request metadata.
  • Our email service provider: transactional and (opt-in only) marketing email delivery. Receives: your email and the body of the email being sent, plus, for marketing mail, your opt-in timestamp and open and click telemetry.
  • Google Analytics 4: web analytics, consent-gated. Receives: page paths, referrer, anonymised IP, broad geolocation. No cross-site behavioural profile is built.
  • Apple Push Notification service (APNs) / Firebase Cloud Messaging (FCM): Mobile App push delivery. Receives: the device push token and the notification payload at send time.

7. Cross-border disclosures (APP 8)

Some of the sub-processors above are located outside Australia. We take reasonable steps to ensure each recipient handles your personal information consistently with the APPs. The jurisdictions involved are:

  • Australia: our managed database hosting (Sydney); Stripe Payments Australia Pty Ltd (the AU contracting entity for Stripe).
  • United States: Stripe (payment infrastructure), our email service provider, Mapbox, Google (GA4 + FCM), Apple (APNs).
  • Cloudflare (object storage, R2): Cloudflare, Inc. is headquartered in the United States and operates a globally distributed storage network; your photo attachments may be stored on, or accessed from, servers located outside Australia. We take reasonable steps to ensure photo data is handled consistently with the APPs.
  • Open infrastructure: Nominatim / OpenStreetMap is operated by community volunteers and hosted on infrastructure that may be located in the European Union.

If you are an Enterprise customer with data-residency requirements, get in touch via the contact form on the homepage to discuss the available configurations.

8. Cookies, analytics, and tracking

We use cookies for the things you would expect: keeping you signed in and remembering your unit / currency preferences. These are strictly necessary for the Service to work.

Google Analytics 4 is loaded under Google Consent Mode v2 with analytics_storage set to denied by default. We only collect analytics events after you accept the cookie banner; until you do, GA queues hits behind the consent gate and nothing is sent. The same gate applies regardless of where you visit from. EU/UK/EEA visitors see the banner first (per local consent requirements); visitors elsewhere see the same banner so the opt-in is consistent.

We honour Do-Not-Track and Global Privacy Control signals from your browser as a withdrawal of consent. You can change your choice at any time by clearing the plot.consent entry in your browser's local storage; the banner will reappear on your next visit.

9. Direct marketing (Spam Act 1988 + APP 7)

Marketing email is opt-in only. Every marketing message includes a one-click unsubscribe link. Transactional email (sign-in, password reset, billing receipts, data-export ready, project invitations) is necessary to operate your account and is excluded from the unsubscribe.

10. Storage, security, and retention

Account data, your Project Data, and database backups live in our managed database hosted in Sydney, Australia — except photo / image attachments, which are held as objects in our private Cloudflare R2 bucket and served only via short-lived signed links (see §6 and §7). Enterprise customers with specific data-residency requirements can get in touch to discuss the available configurations. Address search and map traffic is handled by Mapbox and OpenStreetMap. Stripe processes billing data on their global infrastructure.

We follow industry-standard practice for securing your account: passwords are stored as one-way hashes, sessions are protected against common web-attack vectors, and multi-factor authentication is available on every account. Your Project Data is private by default and is only retrievable by you, by collaborators you have explicitly invited, and, if you belong to a Team or Enterprise organisation, by the other members of any team a project is assigned to. All traffic between your device and our servers is encrypted in transit. Specifics of our security architecture are deliberately not published here; security researchers can write to [email protected] for the responsible-disclosure path.

Retention windows:

  • Account profile + Project Data: until you delete your account.
  • Photo / image attachments: deleting the photo, or deleting the point of interest it belongs to, deletes the underlying stored object. Deleting a project, and deleting your account, removes that project's (or all of your) stored photo objects. The signed links used to view a photo are short-lived and expire; an expired link stops working and a fresh one is issued only to you and your invited collaborators.
  • Marketing list: until you unsubscribe.
  • Data-export ZIPs: automatically removed a short time after they are generated (typically 7 days). The signed download link itself works exactly once.
  • Server request logs (scrubbed): 30 days.
  • Database backups: 30 days, then rotated.
  • Stripe billing records: 7 years (Australian tax record-keeping under the Income Tax Assessment Act).

11. Regional Aggregate Insights

PLOT intends to produce regional insights to help landowners, planners, and policy makers understand land-use patterns. For example: the number of shed-type structures planned in the Wide Bay statistical area, or the proportion of plans that include a dam versus a bore.

Insights will be produced by aggregating Project Data across many users at the Australian Statistical Geography Standard Statistical Area Level 3 (SA3) or coarser. We will only publish a value where the underlying contributor count exceeds a minimum threshold (we plan to set this at 25 distinct accounts per cell), and we will suppress any cell that could reasonably re-identify an individual property. No address, parcel boundary, photo, note, or per-project value will ever be shared. Aggregate Insights will not be reconstructable into your individual Project Data.

Status (May 2026): the aggregation pipeline itself is not yet running. The per-user opt-out described below is wired and persists today, so the moment the pipeline ships it will honour your preference from the first run.

You retain full ownership of your Project Data. You can opt out of contributing to Aggregate Insights at any time from your Settings page, under Privacy, without losing access to the product or any feature. Opting out applies on a forward basis.

12. Your rights

Wherever you are, you can:

  • Access the personal information we hold about you (APP 12).
  • Correct personal information that is wrong, incomplete, or out of date (APP 13). Most fields are self-serve from your Account page.
  • Export / port a machine-readable copy of your account profile, all of your Project Data, and your billing history. From your Account page, choose "Download my data". A signed download link is emailed to you when your archive is ready; the link works exactly once and the file is automatically removed after seven days.
  • Delete your account and the data attached to it. From your Account page, choose "Delete my account". The in-app flow cancels any active subscription immediately (not at period end), removes you from our marketing list, deletes all of your Project Data recorded against your account (including any photo attachments stored as objects in our Cloudflare R2 bucket), and removes your account record (which also clears your project metadata, share links, sessions, exports, invitations, and tags). If a billing or marketing sub-processor is temporarily unreachable, your data is still removed from our systems and the residue is reconciled with the upstream as soon as it recovers.
  • Opt out of regional Aggregate Insights at any time from your Settings page, under Privacy. See §11 for what the feature does and when it will run.
  • Withdraw consent for marketing or analytics at any time, with no effect on your subscription.
  • Complain: first to us at [email protected]; if you are not satisfied with our response within 30 days, to the Office of the Australian Information Commissioner (OAIC, oaic.gov.au, 1300 363 992, GPO Box 5288 Sydney NSW 2001) or your local data-protection authority.

When you exercise your right to erasure, we delete the data we hold and instruct Stripe, our email service provider, and our other sub-processors to do the same. Their internal request logs may persist for the retention period set by each provider's own policy (typically 7 to 30 days for request logs); we cannot reach inside their pipelines to scrub them faster.

13. Notifiable Data Breaches (Part IIIC, Privacy Act)

If a personal information breach occurs and we assess that it is likely to result in serious harm to an individual, we will notify the affected individuals and the OAIC as soon as practicable, in line with the Notifiable Data Breaches scheme. EU/UK residents will also be notified within 72 hours where the GDPR / UK GDPR applies.

14. Automated decision-making

PLOT does not make any decisions about you that have a legal or similarly significant effect on you using fully automated processing. If we ever introduce features that do (for example, an automated planning-permission outcome predictor), we will update this policy in advance and obtain consent where required.

15. EU / UK addendum (GDPR)

If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, the GDPR / UK GDPR applies in addition to the Australian rights above. Our lawful bases are: performance of a contract (your account and subscription), legitimate interests (security, abuse prevention, and product improvement, balanced against your rights), legal obligation (tax record-keeping), and consent (marketing email, analytics cookies). You may exercise the additional rights to object, restrict, and lodge a complaint with your national supervisory authority. The Coochin Company is the controller.

16. Children

PLOT is not directed at children under 16 and we do not knowingly collect personal information from them. If you are a parent or guardian and believe we have collected personal information about a child in your care, email [email protected] and we will delete it.

17. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page always reflects the current revision, and material changes take effect when we post them here. Your continued use of the Service after a change is posted constitutes acceptance.

18. Contact

The Coochin Company
ABN 59 670 336 963
Queensland, Australia
Privacy: [email protected]
General: [email protected]

© 2026 The Coochin Company · ABN 59 670 336 963 Built in Clermont, QLD by Clermont Digital