Effective date: 28 February 2026
Short plain-language summary
A quick overview of what we collect, why and how you can control it.
What is Thothly for?
Thothly helps health professionals and teams record professional development, supervision and practice hours, reflect on practice and support auditing and reporting requirements.
What we collect
- Account details: name, email and organisation information.
- User uploads: certificates and professional reflection notes. We encourage removal of any client identifiers before upload.
- Supervisor sign-off: supervisor name and email when they confirm entries using a single-use token.
- Cookies and analytics: Google Analytics data and site cookies.
- Payments: only if you use a paid tier. Payments are processed using Stripe.
How we use your data
We use data for authentication, to operate the service, personalisation, product analytics and payment processing where relevant.
Who can see your data
Only the site administrator has access to raw user data. We use Stripe and Google Analytics as service providers. We do not sell or share user lists with advertisers or partners.
Where data is stored
Our systems, including the primary Supabase Postgres database, are hosted in Australia. Backups follow our hosting provider’s schedules.
How long we keep it
We retain personal information while your account exists. When you delete your account we remove data from our active systems so it is not recoverable via the application. Backups may persist in line with our host’s retention policies and are not used for routine account restoration.
Your controls
- Export: CSV exports of your data (raw data) are available to all users. PDF exports are available to paid users. XLSX exports are available on Enterprise plans.
- Delete: you can delete your account and data; this removes data from live systems.
- Cookies: you are shown cookie choices at first visit.
- Marketing: marketing emails include an unsubscribe link.
Contact: Level Up Psychology Pty Ltd (ABN 40 654 820 167) trading as Thothly - privacy@thothly.au
Full privacy policy
This section describes in detail how Thothly collects, holds, uses and discloses personal information. It is written to align with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
1. Who owns Thothly?
Thothly is operated by Level Up Psychology Pty Ltd (ABN 40 654 820 167) trading as Thothly. Contact for privacy enquiries: privacy@thothly.au.
2. Scope
This policy applies to personal information collected through the Thothly web application used by health professionals and organisations in Australia.
3. What we collect
We collect the following categories of information:
- Account information: name, email address and organisation details for account creation and management.
- User content: uploaded certificates and professional reflection notes. Users are encouraged to remove client identifiers and avoid including sensitive client information.
- Supervisor sign-offs: when supervisors confirm entries via single-use tokens we record their name and email only.
- Payment information: information required to process paid subscriptions. Payments are processed by Stripe.
- Usage and device data: IP addresses, browser and device information, and usage logs for operational, analytics and security purposes. We use Google Analytics for product analytics.
- Cookies: cookie identifiers and related data to operate the site and support analytics.
4. How we use personal information
We use personal information for:
- Account creation, authentication and user support.
- Providing core product features such as recording, reporting and supervision workflows.
- Supervisor confirmation and record keeping.
- Product personalisation and analytics to improve the service.
- Payment processing and billing for paid tiers.
- Security, fraud prevention and legal compliance.
5. Legal basis and Australian framework
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We collect and use information where it is necessary to perform the contract between you and Thothly, for our legitimate interests in operating and improving the service, or to satisfy legal obligations.
6. Disclosure to third parties
We do not sell personal data or provide user lists to advertisers or partners. We disclose personal information to:
- Payment processor: Stripe, for payment processing.
- Analytics provider: Google Analytics, for product analytics and improvement.
- Hosting and platform providers: our Supabase Postgres backend and related infrastructure providers.
- Legal or regulatory bodies where required by law.
We do not currently have Data Processing Agreements with all providers. We take reasonable steps to ensure third parties handle personal information appropriately and only for the purposes described.
7. Hosting and international transfers
Our systems, including the primary Supabase Postgres database, are hosted in Australia. Some external service providers may process data outside Australia. Please consult the privacy notices of those providers for details of any cross-border processing.
8. Security and access controls
We use reasonable technical and organisational measures to protect personal information from unauthorised access, loss or misuse. Measures include:
- Encryption in transit.
- Role based access controls. Only the site administrator has access to raw user data.
- Two factor authentication for privileged accounts.
- An incident response plan for security events.
9. Retention and deletion
We retain personal information while an account exists to provide the service. When you delete your account:
- Your information is removed from active systems and is not recoverable through the application.
- Backups may persist in accordance with our hosting provider’s retention schedule. Backups are not used for routine restoration of deleted accounts.
10. Payments and billing
Paid subscriptions are processed via Stripe. We do not share billing data with advertisers or partners. Aggregate billing information is kept in our accounting systems for reporting.
11. Cookies and tracking
We use cookies and Google Analytics. We do not use other tracking technologies such as advertising networks or browser fingerprinting. A cookie consent choice is presented to users on their first visit and can be updated via the cookie controls.
12. Supervisors and single-use tokens
Supervisors confirm entries using single-use tokens. When supervisors sign off we record their name and email for identification and audit purposes and no further supervisor details are collected through that process.
13. Your rights and choices
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Export your data. CSV exports include raw data and are available to all users. PDF exports are available to paid users. XLSX exports are available on Enterprise plans.
- Delete your account and associated personal information.
- Opt out of marketing communications using the unsubscribe link in emails.
To exercise any of these rights, contact privacy@thothly.au. We will respond within a reasonable time and in accordance with the Privacy Act.
14. Automated decision making
We do not carry out automated decision making that has legal or similarly significant effects on users. We may use analytics to provide product personalisation and service improvements.
15. Incident response and breach notification
We maintain an incident response plan. If we become aware of a data breach requiring notification under applicable law we will notify affected users and the relevant regulator as required.
16. Changes to this policy
We may update this policy from time to time. We will publish any changes on our website and update the effective date. Material changes will be notified to account holders where appropriate.
17. Contact and complaints
Privacy enquiries should be sent to privacy@thothly.au.
If you remain dissatisfied after contacting us, you may raise a complaint with the Office of the Australian Information Commissioner: www.oaic.gov.au.
Operational notes and recommendations
We recommend documenting subprocessors publicly, considering Data Processing Agreements with key providers and keeping a brief privacy checklist for onboarding new vendors. A simple privacy impact assessment for handling uploaded reflections is also advisable.