Privacy Policy
How Tihna collects, uses, and protects your personal information. Compliant with Australian Privacy Act, GDPR, and CCPA.
Privacy Policy
Tihna Health
Last Updated: 1 July 2026
Effective Date: 1 July 2026
Table of Contents
- About This Policy
- Who We Are
- What Personal Information We Collect
- Health and Wellness Information
- How We Collect Your Information
- Why We Collect Your Information and How We Use It
- How We Store and Protect Your Information
- Who We Share Your Information With
- Overseas Data Transfers
- Data Retention — How Long We Keep Your Information
- Automated Decision-Making
- Your Privacy Rights
- Australian Privacy Rights
- GDPR Rights — EU and EEA Users
- CCPA Rights — California Users
- Children's Privacy
- Data Breach Notification
- Cookies and Tracking Technologies
- Apple App Store and Device Permissions
- Wellness Disclaimer — Tihna Is Not a Medical App
- Changes to This Policy
- How to Contact Us
- How to Make a Complaint
1. About This Policy
This Privacy Policy explains how Tihna Health ("Tihna", "we", "us", or "our") collects, uses, holds, and shares your personal information when you use our Tihna app (the "App") and visit our website at tihna.com.au.
We have written this policy in plain English so it is easy to understand. If you have any questions about anything in this policy, please contact us at brainfrequency@tihna.com.au.
This policy complies with:
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- The EU General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Apple App Store privacy requirements
By using the App or our website, you agree to the collection and use of your information as described in this policy.
2. Who We Are
| Company name | Tihna Health |
|---|---|
| Website | tihna.com.au |
| brainfrequency@tihna.com.au | |
| Country | Australia |
Tihna Health is an Australian company. For the purposes of the GDPR, Tihna Health is the data controller — meaning we decide how and why your personal information is used.
We have not appointed a formal Data Protection Officer (DPO) as we are not currently required to do so, but you can direct any privacy-related queries to us at the contact details above.
3. What Personal Information We Collect
"Personal information" means any information that identifies you, or could reasonably identify you.
3.1 Account and Contact Information
When you create an account, we collect:
- Email address
- Name (if you provide one)
- Password (stored in encrypted form — we never store your plain-text password)
- Profile preferences you set during onboarding
3.2 Subscription and Purchase Information
When you subscribe to Tihna, our subscription management provider (RevenueCat) collects and processes:
- Your App Store customer ID (assigned by Apple — we do not receive your credit card details)
- Subscription tier and status (active, trial, expired, cancelled)
- Purchase history and transaction IDs
- Trial start and end dates
- Subscription renewal dates
We do not receive or store your full name, credit card number, billing address, or any other financial information directly. All payments are handled by Apple and processed through RevenueCat.
3.3 App Usage and Analytics Data
When you use the App, our analytics provider (PostHog) collects:
- Which features and screens you visit
- Which audio sessions you play, pause, skip, or complete
- Time spent in the App and individual sessions
- How you navigate through the App
- Button taps and in-app interactions
- Session start and end times
- App version and operating system version
- Device type (e.g., iPhone 14) and device model
- Country or region (based on IP address — not precise location)
- Language settings
This data is used to understand how people use Tihna so we can improve it. We do not track you across other apps or websites. We do not use this data for advertising.
3.4 Crash Reports and Technical Diagnostics
If the App crashes or experiences an error, our crash reporting service (Firebase Crashlytics) collects:
- Error logs and stack traces (technical information about what went wrong)
- Device type and operating system version
- App version
- A randomly generated device identifier (not linked to your name or email)
- The state of the App at the time of the crash
This information helps us identify and fix bugs. It is not linked to your account unless you separately contact us about the issue.
3.5 Customer Support Information
If you contact us for support, we collect:
- Your email address
- The content of your messages
- Any screenshots or files you choose to share with us
3.6 Information You Voluntarily Provide
You may choose to share additional information with us, such as feedback about your experience or responses to optional surveys. We only collect this if you actively provide it.
4. Health and Wellness Information
This section requires special attention because health information is a more sensitive category of personal information under Australian and international privacy law.
4.1 What Health or Wellness Information We Collect
Tihna is a sound frequency wellness app. We may collect the following wellness-related information if you choose to provide it:
- Wellness goals — for example, whether you are using Tihna for relaxation, focus, sleep support, or general wellbeing
- Self-reported mood or state — for example, how you feel before or after a session, if you choose to log this
- Session preferences — the types of audio sessions you prefer or have saved as favourites
We do not collect:
- Medical records or clinical health data
- Information about specific diseases, conditions, diagnoses, or medications
- Physiological measurements (heart rate, blood pressure, etc.)
- HealthKit or Apple Health data (we do not access your Apple Health profile)
- Any health data that you have not actively and voluntarily provided to us
4.2 Why We Collect Wellness Information
We collect wellness preferences and self-reported data solely to:
- Personalise your experience and recommend sessions relevant to your goals
- Help you track how you feel over time (if you choose to use this feature)
- Improve the App based on what types of sessions are most useful
4.3 Legal Basis for Collecting Wellness Information
Under the Australian Privacy Act, health information is sensitive information and we collect it only with your explicit consent. You can choose not to provide wellness-related information — you can use the core features of Tihna without sharing any health or wellness data.
Under the GDPR, any health data falls under Article 9 special categories. We rely on your explicit consent (Article 9(2)(a)) as the lawful basis for processing any health or wellness data. You can withdraw this consent at any time (see Section 12).
4.4 How We Protect Your Wellness Information
Wellness information is stored securely, encrypted at rest, and is never shared with third-party advertisers, data brokers, or marketing platforms. We do not sell wellness or health data under any circumstances.
In line with Apple App Store guidelines, health and fitness data gathered through the App is not used for advertising, marketing, or data mining by third parties.
5. How We Collect Your Information
5.1 Information You Give Us Directly
We collect information directly from you when you:
- Create an account
- Subscribe to a plan or start a free trial
- Set wellness preferences or goals during onboarding
- Contact our support team
- Respond to optional surveys or provide feedback
5.2 Information Collected Automatically
When you use the App, certain information is collected automatically through the third-party services we use (PostHog for analytics, Firebase for crash reporting). You do not need to do anything for this to occur — it happens as a standard part of how modern apps work.
5.3 Information from Apple
When you subscribe through Apple's In-App Purchase system, Apple shares limited transaction information with us through RevenueCat, such as your subscription status and transaction identifiers. Apple's own Privacy Policy governs how Apple handles your data.
5.4 What We Do Not Collect
We do not:
- Purchase personal data from data brokers or list providers
- Collect data from competitions, referrals, or third-party lead generation
- Collect precise GPS location data
- Access your contacts, camera, or microphone (unless you use a feature that requires it, in which case we will ask for your permission first)
6. Why We Collect Your Information and How We Use It
The table below explains every main purpose for which we use your information, and the legal basis for doing so (relevant to GDPR).
| Purpose | Information Used | Legal Basis (GDPR) | Australian APP Basis |
|---|---|---|---|
| Creating and managing your account | Email, name, password | Contract performance | Necessary for the service |
| Delivering the App and its features | Account data, session preferences, subscription status | Contract performance | Necessary for the service |
| Processing your subscription and payments | App Store customer ID, subscription status (via RevenueCat) | Contract performance | Necessary for the service |
| Personalising your in-app experience | Wellness goals, session history, preferences | Consent (for wellness data); contract performance (for general preferences) | Consent (for wellness data) |
| Understanding how the App is used and improving it | Usage data, feature interactions (via PostHog) | Legitimate interests | Legitimate interests |
| Fixing bugs and crashes | Crash logs, device diagnostics (via Firebase Crashlytics) | Legitimate interests | Legitimate interests |
| Responding to your support enquiries | Email, support messages | Contract performance / legitimate interests | Necessary for the service |
| Sending you important service updates | Email address | Contract performance / legal obligation | Necessary for the service |
| Sending you optional marketing communications | Email address | Consent (you can opt out at any time) | Consent |
| Complying with legal obligations | Any relevant data | Legal obligation | Legal obligation |
| Detecting and preventing fraud or misuse | Account data, usage data | Legitimate interests | Legitimate interests |
Legitimate interests: Where we rely on legitimate interests, we have assessed that our interest in improving and operating the App is proportionate and does not override your privacy rights. You have the right to object to processing based on legitimate interests (see Section 14).
7. How We Store and Protect Your Information
7.1 Where Your Data Is Stored
Your data is stored on servers operated by our third-party service providers. The primary storage locations are:
- Firebase (Google) — primary app backend and crash reporting; servers located in the United States
- RevenueCat — subscription management; servers located in the United States
- PostHog — analytics; servers located in the United States (PostHog Cloud US region)
This means your personal information may be stored and processed overseas. See Section 9 for more detail on overseas transfers.
7.2 Security Measures
We take the security of your personal information seriously and implement the following safeguards:
- All data is transmitted using TLS/SSL encryption (the padlock you see in your browser)
- Data at rest is encrypted on third-party servers
- Passwords are stored using one-way hashing — we cannot see your password
- Access to personal data is restricted to staff and contractors who need it to do their jobs
- We regularly review our security practices and those of our third-party providers
- We maintain incident response procedures so we can respond quickly to any suspected data breach
7.3 No System Is Perfect
Despite these precautions, no data transmission over the internet or storage system is completely secure. If you have reason to believe your account has been compromised, please contact us immediately at brainfrequency@tihna.com.au.
8. Who We Share Your Information With
We do not sell your personal information. We only share your information with third parties in the circumstances set out below.
8.1 Service Providers (Processors)
We use the following third-party service providers who may access your personal information to perform services on our behalf:
| Provider | What They Do | Data Shared | Location |
|---|---|---|---|
| RevenueCat | Subscription management and in-app purchase validation | App Store customer ID, subscription status, transaction history | United States |
| PostHog | Product analytics — how the App is used | Usage events, device type, OS version, anonymised user ID, country/region | United States |
| Firebase (Google) | App backend, user authentication, database, and crash reporting | Account data, crash logs, device identifiers | United States |
Each of these providers is contractually required to:
- Use your data only to provide the service to us
- Protect your data with appropriate security measures
- Not sell or use your data for their own commercial purposes
- Comply with applicable privacy laws
8.2 Legal Requirements
We may disclose your personal information if we are required to do so by law, or in response to a valid request by a government authority (such as a court order, subpoena, or law enforcement request). We will take reasonable steps to notify you before complying unless we are legally prohibited from doing so.
8.3 Business Transfers
If Tihna Health is acquired, merges with another company, or sells its assets, your personal information may be transferred to the new entity. If this happens, we will notify you by email and/or a prominent notice in the App before your information is transferred and becomes subject to a different privacy policy.
8.4 With Your Consent
We will share your information with other parties only if you have given us your explicit consent to do so.
8.5 What We Do Not Do
- We do not sell your personal information to data brokers, advertisers, or any third party
- We do not share your health or wellness data with any third party for advertising, marketing, or data mining
- We do not share your data with social media platforms for advertising targeting
9. Overseas Data Transfers
We are an Australian company, but some of the services we use store and process data in other countries — primarily the United States.
9.1 Countries Involved
Your personal information may be transferred to, stored in, or processed in:
- United States — Firebase (Google), RevenueCat, PostHog
9.2 Your Protections
Under Australian law (APP 8): When we share your information with overseas service providers, we remain accountable for ensuring they handle it in accordance with the Australian Privacy Principles. We have contractual arrangements in place with each provider that require them to protect your data.
Under GDPR: For users in the EU and EEA, transfers to the United States are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. The key providers we use (Google/Firebase, PostHog) maintain EU SCCs and additional safeguards such as data processing agreements that comply with GDPR Chapter V. You can request details of these safeguards by contacting us.
Under CCPA: For California users, our service providers are contractually prohibited from selling your personal information or using it for purposes other than providing services to us.
By using the App, you acknowledge that your information may be transferred to and processed in the United States, where privacy laws may differ from those in your home country.
10. Data Retention — How Long We Keep Your Information
We keep your personal information only for as long as we need it. The table below explains our retention periods.
| Type of Information | How Long We Keep It | Why |
|---|---|---|
| Account information (email, name, preferences) | For as long as your account is active, plus up to 3 years after account deletion | To assist with support queries, comply with legal obligations, and resolve disputes |
| Subscription and transaction data | 7 years from the date of the transaction | Australian tax and financial record-keeping obligations |
| Wellness and session preference data | For as long as your account is active; deleted within 30 days of account deletion | Solely to personalise your experience |
| Analytics data (PostHog) | Up to 24 months in identifiable form; then anonymised or deleted | To understand long-term usage trends |
| Crash and diagnostic data (Firebase Crashlytics) | Up to 90 days | Sufficient time to identify and fix issues; older crash data has minimal diagnostic value |
| Support correspondence | Up to 3 years from last contact | To handle follow-up queries and complaints |
| Marketing consent records | Until you withdraw consent, then 3 years | To demonstrate compliance with consent obligations |
When your data is no longer needed, we securely delete or anonymise it.
Deleting your account: You can delete your account from within the App. This will remove your personal information from our active systems in accordance with the timelines above. Subscription transaction records are retained for 7 years regardless of account deletion to comply with tax law.
11. Automated Decision-Making
11.1 Current Use
At the date of this policy, Tihna uses basic automated processes to personalise your experience — for example, recommending audio sessions based on your stated preferences and listening history. These recommendations are based on your own input and in-app activity. No automated decisions are made that significantly affect your legal rights, financial situation, or access to services.
11.2 Disclosure From 10 December 2026 (Australian Privacy Act Amendment)
From 10 December 2026, Australian privacy law requires us to disclose automated decision-making that uses your personal information. In preparation for that requirement, we confirm:
- What decisions are automated: Session recommendations and personalisation of your in-app experience
- What information is used: Your stated wellness goals, session history, and in-app preferences
- Nature of the decisions: Content curation (surfacing relevant audio sessions). These decisions do not affect your rights, finances, or access to external services
- How to seek human review: If you believe an automated process has produced an outcome that is incorrect or has adversely affected you, you can contact us at brainfrequency@tihna.com.au to request a human review
11.3 GDPR — Automated Decision-Making (Article 22)
We do not currently make solely automated decisions that produce legal or similarly significant effects on EU/EEA users. If this changes, we will update this policy and implement appropriate safeguards, including the right to obtain human intervention and to contest the decision.
12. Your Privacy Rights
No matter where you live, you have the following basic rights regarding your personal information:
- Access: You can ask us to provide a copy of the personal information we hold about you
- Correction: If any of your information is wrong or out of date, you can ask us to correct it
- Deletion: You can ask us to delete your personal information (subject to legal requirements to retain certain records)
- Withdraw consent: Where you have given consent for us to process your information, you can withdraw that consent at any time. Withdrawing consent will not affect anything we did before you withdrew it
To exercise any of these rights, contact us at brainfrequency@tihna.com.au. We will respond within 30 days.
Additional rights for EU/EEA users are in Section 14. Additional rights for California users are in Section 15.
13. Australian Privacy Rights
13.1 Your Rights Under the Australian Privacy Act 1988
If you are in Australia, the Australian Privacy Principles give you the following rights:
Right to access your information (APP 12)
You can ask us for a copy of the personal information we hold about you. We will provide it within 30 days of receiving your request. In some limited circumstances we may refuse access (for example, if providing access would reveal information about another person), but we will explain why if we do.
Right to correct your information (APP 13)
If you believe any personal information we hold about you is incorrect, out of date, incomplete, irrelevant, or misleading, you can ask us to correct it. We will take reasonable steps to correct it or, if we disagree that a correction is needed, we will add a note to the record that you have disputed its accuracy.
How to access or correct your information
Contact us at:
- Email: brainfrequency@tihna.com.au
- We may need to verify your identity before processing your request
We will not charge you a fee for making an access or correction request, though we may charge a reasonable fee to cover the cost of locating and providing copies of large amounts of information.
13.2 Complaint Process (APP 1)
If you believe we have breached the Australian Privacy Principles, you have the right to complain. Here is how the process works:
Step 1 — Contact us first:
Send your complaint to brainfrequency@tihna.com.au. Please describe the issue clearly. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
Step 2 — If you are not satisfied with our response:
You may refer your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Online: oaic.gov.au/privacy/privacy-complaints
13.3 Privacy Act Applicability
The Privacy Act 1988 applies to Tihna Health because we collect health information (wellness data) as part of providing our service. This means we are bound by the APPs regardless of our annual turnover. We are also subject to the Notifiable Data Breaches (NDB) scheme — see Section 17.
Statutory tort for serious invasion of privacy (in force since 10 June 2025): Australian individuals may bring a legal claim for a serious invasion of privacy, regardless of a company's size or turnover. We take this seriously and are committed to handling your information with respect.
14. GDPR Rights — EU and EEA Users
If you are located in the European Union (EU) or European Economic Area (EEA), the General Data Protection Regulation (GDPR) applies to how we handle your personal information. This section explains your rights under the GDPR.
14.1 Your GDPR Rights
| Right | What It Means | How to Exercise It |
|---|---|---|
| Right of access (Art. 15) | Obtain a copy of the personal data we hold about you | Email us at brainfrequency@tihna.com.au |
| Right to rectification (Art. 16) | Have inaccurate personal data corrected | Email us at brainfrequency@tihna.com.au |
| Right to erasure / "right to be forgotten" (Art. 17) | Request deletion of your personal data where there is no longer a legal basis to hold it | Email us or delete your account in the App |
| Right to restrict processing (Art. 18) | Ask us to pause processing your data in certain circumstances (e.g., while you contest its accuracy) | Email us at brainfrequency@tihna.com.au |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) | Email us at brainfrequency@tihna.com.au |
| Right to object (Art. 21) | Object to processing based on legitimate interests | Email us at brainfrequency@tihna.com.au |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time for processing based on consent — this does not affect any processing already done | Email us or adjust your settings in the App |
| Right to lodge a complaint | Complain to a supervisory data protection authority | See Section 14.3 |
We will respond to all GDPR rights requests within 30 days. Complex requests may take up to 90 days — we will notify you if we need extra time.
14.2 Lawful Bases for Processing (GDPR Articles 6 and 9)
Under the GDPR, we must have a lawful reason ("legal basis") to process your personal data. Here is a summary:
| Processing Activity | Lawful Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) — necessary to provide you the App |
| Delivering subscription services | Contract performance (Art. 6(1)(b)) |
| Processing payments via RevenueCat | Contract performance (Art. 6(1)(b)) |
| Product analytics (PostHog) | Legitimate interests (Art. 6(1)(f)) — to improve the App; you can object |
| Crash reporting (Firebase) | Legitimate interests (Art. 6(1)(f)) — to maintain a working App; you can object |
| Wellness and health data | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — collected only with your separate, specific consent |
| Marketing emails | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Preventing fraud and misuse | Legitimate interests (Art. 6(1)(f)) |
Legitimate interests balancing test: For activities we base on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights. You can request details of this assessment by contacting us.
14.3 Supervisory Authority
If you are not satisfied with how we have handled a privacy concern, you have the right to lodge a complaint with the data protection supervisory authority in your EU/EEA member state. For example:
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Ireland: Data Protection Commission (DPC)
- All EU supervisory authorities: edpb.europa.eu/about-edpb/about-edpb/members_en
14.4 Data Transfers Outside the EU/EEA
As explained in Section 9, your data may be transferred to the United States. These transfers are governed by Standard Contractual Clauses (SCCs) and other safeguards in compliance with GDPR Chapter V. Contact us if you would like details of the specific safeguards applicable to any transfer.
14.5 Special Category Data (Art. 9)
Any wellness or health data you voluntarily provide is treated as special category data under Article 9 of the GDPR. We process this data only on the basis of your explicit consent, which you give separately from general account creation. You may withdraw this consent at any time without affecting the rest of your account.
15. CCPA Rights — California Users
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights in respect of your personal information. This section explains those rights.
15.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information (as defined by the CCPA):
| CCPA Category | Examples We Collect | Sold or Shared? |
|---|---|---|
| Identifiers | Email address, account ID, device ID | No |
| Personal information (California Civil Code s. 1798.80) | Name (if provided), email address | No |
| Internet or electronic network activity information | App usage data, features accessed, session history | No (shared with PostHog for analytics only) |
| Inferences drawn from personal information | Session recommendations based on preferences | No |
| Sensitive personal information — health data | Wellness goals and self-reported mood (if you choose to provide) | No |
| Commercial information | Subscription history and transaction IDs | No (shared with RevenueCat for subscription management only) |
15.2 Sources of Personal Information
We collect personal information from:
- Directly from you (when you create an account, subscribe, or contact us)
- Automatically from your device (usage data, crash reports)
- From Apple (transaction information via RevenueCat)
15.3 Purposes for Collection
We use the categories of personal information listed above to:
- Provide and improve the App
- Process and manage your subscription
- Personalise your in-app experience
- Detect and prevent fraud and misuse
- Respond to your support requests
- Comply with legal obligations
15.4 Your California Privacy Rights
Right to know: You can ask us to tell you what personal information we have collected about you in the past 12 months, where we collected it from, what we use it for, and who we share it with.
Right to delete: You can ask us to delete personal information we have collected from you. We will comply, subject to certain exceptions (such as information we are required to keep for legal or financial reasons).
Right to correct: You can ask us to correct inaccurate personal information we hold about you.
Right to opt out of sale or sharing: We do not sell your personal information or share it for cross-context behavioural advertising purposes. If this changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" mechanism before doing so.
Right to limit use of sensitive personal information: You can ask us to limit the use of your sensitive personal information (including health/wellness data) to what is strictly necessary to provide you with the services you have requested. Contact us to exercise this right.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you the App's services, charge you different prices, or provide a lower quality of service because you exercised a privacy right.
15.5 How to Exercise Your California Rights
Submit a request by email to: brainfrequency@tihna.com.au
Please include "California Privacy Request" in the subject line. We will acknowledge your request within 10 business days and fulfil it within 45 calendar days (extendable by a further 45 days if we notify you).
We will verify your identity before processing your request to protect your information from unauthorised disclosure or deletion.
Authorised agent: You may designate an authorised agent to submit requests on your behalf. The authorised agent must provide written authorisation signed by you. We may still contact you directly to verify your identity.
15.6 Notice at Collection
At or before collecting personal information, we provide a notice (in-app and in this policy) of:
- The categories of personal information collected
- The purposes for which each category is used
- Whether it is sold or shared (it is not)
- How long we retain each category (see Section 10)
15.7 Do Not Sell or Share
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising. Accordingly, there is currently no "Do Not Sell or Share" link required. If we ever begin selling or sharing data in this way, we will provide the required link and opt-out mechanism.
16. Children's Privacy
The Tihna App is intended for users aged 13 and over. We do not knowingly collect personal information from children under 13 years of age.
If you are the parent or guardian of a child under 13 who has provided us with personal information, please contact us at brainfrequency@tihna.com.au and we will delete that information promptly.
For users aged 13–17, we encourage a parent or guardian to review this policy with them before they use the App. If you are under 18, please do not provide us with any health information beyond what is necessary to use basic features of the App.
CCPA — Under 16: We do not knowingly sell or share the personal information of users we know to be under 16 years of age.
Australian Children's Online Privacy Code: The OAIC is finalising a Children's Online Privacy Code with a legislated deadline of 10 December 2026. We are monitoring the development of this Code and will update our practices and this policy to comply when it comes into force.
17. Data Breach Notification
17.1 Australia — Notifiable Data Breaches (NDB) Scheme
Under the Australian Privacy Act's Notifiable Data Breaches (NDB) scheme, if we experience a data breach that is likely to result in serious harm to any affected individual, we must:
- Assess the suspected breach within 30 days
- If it is an "eligible data breach", notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable
We will notify you by email if your personal information is involved in an eligible data breach.
17.2 GDPR — EU Users
Under the GDPR, if there is a personal data breach that poses a risk to your rights and freedoms, we must:
- Notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach
- Notify you directly if the breach is likely to result in a high risk to your rights and freedoms
17.3 What a Breach Notification Will Tell You
If we notify you of a breach, the notification will include:
- A description of what happened
- The types of personal information involved
- What we are doing to address the breach
- Steps you can take to protect yourself
- Contact details for further information
18. Cookies and Tracking Technologies
18.1 The App
The Tihna iOS app does not use cookies. However, it uses similar technologies:
- PostHog SDK — records anonymised usage events for analytics (see Section 3.3)
- Firebase SDK — records crash data and manages app sessions (see Section 3.4)
- RevenueCat SDK — manages your subscription state (see Section 3.2)
These SDKs may use device identifiers (such as a randomly generated ID) to distinguish between different users or sessions. These identifiers are not linked to your name or email address unless you are logged in to your account.
18.2 The Website (tihna.com.au)
Our website may use cookies to remember your preferences and understand how visitors use the site. We will provide a separate cookie notice on the website where applicable.
18.3 App Tracking Transparency (iOS)
Tihna does not track you across other companies' apps or websites. We do not use your Advertising Identifier (IDFA) for cross-app tracking. If this changes, we will implement Apple's App Tracking Transparency (ATT) framework and ask for your permission before tracking.
19. Apple App Store and Device Permissions
19.1 App Privacy Details (Nutrition Label)
Consistent with Apple App Store requirements, Tihna declares the following data types in our App Privacy Details submitted to App Store Connect:
| Data Type | Collected? | Used For | Linked to Identity? |
|---|---|---|---|
| Contact Info (email) | Yes | Account management, support | Yes |
| Health and Fitness (wellness preferences) | Yes (if voluntarily provided) | App personalisation | Yes |
| Identifiers (user ID, device ID) | Yes | App functionality, analytics | User ID: Yes; Device ID: No |
| Usage Data (app interactions) | Yes | Analytics, app improvement | No |
| Diagnostics (crash data) | Yes | Bug fixes | No |
| Purchases (subscription history) | Yes | Subscription management | Yes |
Tihna does not collect: precise location, contacts, photos, search history, browsing history, messages, audio recordings, or sensitive demographic information.
19.2 Device Permissions
Tihna will only request the following device permissions:
- Audio playback — required to play sound frequency sessions (this does not record your audio)
- Notifications — optional, to send you reminders you set for yourself (you can deny this and still use the App)
- Internet access — required to load sessions and manage your account
We will never access your microphone to record audio, access your camera, read your contacts, or access your location without explicitly asking your permission and explaining why.
19.3 Account Deletion
You can delete your account from within the App at any time. This is in accordance with Apple App Store requirements. Deleting your account will:
- Remove your profile, wellness data, and preferences from our active systems
- Cancel your in-app subscription (you can manage refunds through Apple)
- Trigger deletion of your data in accordance with the retention periods in Section 10
20. Wellness Disclaimer — Tihna Is Not a Medical App
Tihna is a wellness and relaxation app. The sounds and audio frequencies provided are intended for general wellbeing purposes only.
Tihna is not a medical device and is not intended to diagnose, treat, cure, prevent, or alleviate any disease or medical condition. The content provided in the App is not a substitute for professional medical advice, diagnosis, or treatment.
Always consult a qualified healthcare professional before making any decisions about your health. If you are experiencing a medical or mental health emergency, contact emergency services (000 in Australia) or a qualified health professional immediately.
Safety warnings:
- Epilepsy and seizure disorders: Some audio frequencies may trigger seizures in people who are susceptible to photosensitive or sound-sensitive epilepsy. If you have epilepsy or a seizure disorder, consult your doctor before using the App.
- Hearing: Use the App at a safe and comfortable volume. Prolonged exposure to loud audio can cause hearing damage.
- Do not use while driving or operating machinery. The relaxing nature of the audio may reduce your alertness. Use only in a safe environment where you can sit or lie down comfortably.
- Pregnancy: If you are pregnant and have any concerns about using audio frequency applications, consult your healthcare provider before using the App.
- Children: Children under 13 should not use the App. Children aged 13–17 should use it only with parental awareness.
This disclaimer does not affect your rights under the Australian Consumer Law.
21. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you by email and/or an in-app notice if the changes are significant
- For material changes, provide at least 30 days' notice before the new policy takes effect, where practicable
You can always find the current version of this policy at tihna.com.au/privacy and within the App.
If you continue to use the App after a new policy takes effect, you are agreeing to the updated policy. If you do not agree with a change, you should stop using the App and may request deletion of your data (see Section 12).
22. How to Contact Us
For any privacy-related questions, access requests, correction requests, or concerns, please contact us:
| brainfrequency@tihna.com.au | |
|---|---|
| Website | tihna.com.au |
| Response time | Within 5 business days for initial acknowledgement; 30 days for full response |
Please include:
- Your name or account email address (so we can locate your records)
- A brief description of your request
- Your preferred contact method for our response
We can provide this policy in alternative formats on request (for example, larger text or audio format) to make it more accessible.
23. How to Make a Complaint
If you are unhappy with how we have handled your personal information, here is what you can do:
Step 1 — Contact us directly
Email us at brainfrequency@tihna.com.au with a description of your complaint. We will acknowledge it within 5 business days and aim to resolve it within 30 days. If we need more time, we will let you know.
Step 2 — External complaint bodies
If you are not satisfied with our response, you can contact the relevant external body:
Australia:
Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au
Phone: 1300 363 992
Online complaints: oaic.gov.au/privacy/privacy-complaints
Post: GPO Box 5218, Sydney NSW 2001
EU / EEA users:
Contact the data protection supervisory authority in your country of residence. A full list is available at edpb.europa.eu.
California users:
California Privacy Protection Agency (CPPA)
Website: cppa.ca.gov
This Privacy Policy is published at tihna.com.au/privacy and is also accessible from within the Tihna App.
Tihna Health — ACN: 679 869 437
© 2026 Tihna Health. All rights reserved.