Privacy Policy

IsItWorthIt is operated by IS IT WORTH IT, an Australian registered business (ABN 72 734 983 769). That’s the entity that holds and is accountable for the personal information described in this policy.

We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) issued by the Office of the Australian Information Commissioner (OAIC). This policy describes how we collect, use, store and disclose personal information.

If you have a complaint about how we have handled your personal information that we cannot resolve directly, you may contact the OAIC:

• ·Phone: 1300 363 992
• ·Email: enquiries@oaic.gov.au
• ·Web: oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

We do not receive commissions, kickbacks, or referral fees from any health insurer, comparison service, or broker. We do not share your information with insurers, brokers, or comparison partners.

We do not hold an Australian Financial Services Licence (AFSL) and do not provide personal financial advice. The calculator presents results based purely on the inputs you give it; you make every decision.

If we ever change either of these positions, we will update this page and tell you before the change takes effect.

Calculator use (no account)

When you use the calculator without an account, your inputs (state, cover type, services, expected visits, prices, time horizon, optional rebate details) are processed temporarily on our servers to generate results. These inputs are not stored, saved, or logged on our servers. Share links encode your scenario inside the URL itself. Nothing is stored on our servers.

Account registration (optional)

If you choose to create an account, we collect and store your email address. Your email is encrypted at rest using AES-256-GCM encryption and can only be decrypted by our servers. We use passwordless login via magic links sent to your email. We never set or store a password for you.

Saved scenarios (account holders)

If you save a scenario to your account, the following inputs are stored as a single AES-256-GCM-encrypted blob:

• ·Scenario name (a label you choose)
• ·State and cover type (single, couple, family, single parent)
• ·Fund-type filter (open / restricted / all) and any restricted-eligibility selectors you ticked
• ·Dependant type (child / student / non-student) when applicable
• ·Services list (service codes, expected visits, per-visit prices, appointment type, claimant)
• ·Time horizon (months) and your custom date range if used
• ·Rebate inputs (age band and income), if you entered them
• ·Whether you opted out of applying the rebate

Calculation results themselves are not stored; they are recalculated from your inputs each time you reopen or export the scenario.

Cross-device sign-in handshake

To support clicking your magic link on a different device than the one you requested it from, we store a short-lived “pending login” record containing only a hashed magic-link reference and a status flag. It contains no email, name, or other identifying information, and is automatically removed within 24 hours.

Payments (paid customers)

If you purchase the Decision Pack, payment processing is handled entirely by Stripe. Your card number, CVV, and billing address are entered on Stripe's hosted checkout page and never reach our servers. Stripe is a PCI-DSS Level 1-certified payment processor and the merchant of record for that step.

After a successful payment, Stripe notifies us of the transaction. We record:

• ·Stripe session id and payment intent id (used to support refunds and audit)
• ·Amount, currency, and timestamp of the payment
• ·The user id of the account that purchased
• ·The Stripe event payload (stored for audit; contains no card details)

We do not see, receive, or store: card numbers, expiry dates, CVVs, or full billing addresses. If you need to update or remove your card details with Stripe, do so via Stripe's privacy controls.

Feedback form

If you submit feedback, we collect: your name, email address, and message. Please don't include sensitive personal information in feedback if you don't want it collected.

Analytics

We use Vercel Analytics and Speed Insights to collect anonymous, aggregated website usage data, including:

• ·Pages visited
• ·Country or region
• ·Device type and browser
• ·Performance metrics (e.g. page load times)

This data cannot identify you personally, and Vercel Analytics does not use cookies for tracking.

• ·No passwords (we use passwordless magic links)
• ·No medical records, diagnoses, or claims history
• ·No advertising or third-party tracking cookies
• ·No calculator inputs without an account (server side)
• ·No calculation results (recalculated on demand)
• ·No data sold, rented, or shared with insurers, brokers, or comparison partners

We do not seek to collect “sensitive information” as defined under the Privacy Act 1988, including health information, racial or ethnic origin, religious beliefs, criminal record, sexual practices, or membership of a professional, trade or political association or union, except where such information is necessarily implied by the inputs you provide.

The most common case is when you select a restricted health fund whose membership is tied to industry, defence service, religious affiliation, or similar criteria, in order to filter the policies displayed to you. The calculator stores your selection so the result is reproducible, but uses it only to filter the policy list; it is never disclosed to any third party.

The expected service usage you enter (e.g. expected number of dental or physio visits) is not, in itself, health information; it does not describe a diagnosis, treatment, or claim. We treat it as ordinary calculator input.

We use only the minimum cookies needed for the site to work. We do not set any cookies for advertising, third-party tracking, or cross-site profiling.

Both cookies are httpOnly (not readable by JavaScript) and SameSite=Strict (not sent on cross-site requests). They are marked Secure in production so they only travel over HTTPS.

To make the calculator easier to use, your browser remembers some of your inputs locally. This data never leaves your device unless you explicitly save a scenario to your account.

• ·sessionStorage (cleared when you close the tab): calculator inputs, so a refresh doesn't lose your work.
• ·localStorage (cleared when you clear browser data): a working copy of your most recent scenario, used to share data between calculator pages on the same device.

You can clear these at any time via your browser's site-data controls.

• ·All stored data (email addresses, saved scenarios) is encrypted at rest using AES-256-GCM.
• ·Email addresses are SHA-256-hashed for lookup and AES-256-GCM-encrypted for storage; we never store plain-text emails.
• ·Magic link tokens are SHA-256-hashed before storage and automatically expire after 15 minutes.
• ·Pending sign-in records contain only the magic-link hash and a status flag, with a 15-minute lifetime.
• ·All connections use HTTPS encryption in transit.

• ·Saved scenarios: until you delete them or your account.
• ·Account record: until you delete your account, at which point your email and all scenarios are removed immediately.
• ·Magic link tokens and pending sign-in records: 15-minute lifetime, removed within 24 hours of expiry or use.
• ·Feedback messages: retained for up to 12 months after we’ve responded, then deleted.
• ·Payment records: retained for at least 7 years to comply with Australian tax and audit obligations (ATO record-keeping requirements). The card details themselves are never on our servers; what we keep is the Stripe transaction reference, amount, and timestamp.
• ·Anonymous analytics: retained for up to 14 months by Vercel Analytics, per their default retention policy.
• ·Database backups: retained by our hosting provider for up to 30 days for disaster recovery, then deleted.

• ·Your email is used only for login magic links; we don’t send marketing emails.
• ·Saved scenarios are used only to restore your calculator inputs and generate exports.
• ·Feedback and anonymous analytics are used only to improve the website.
• ·Calculator inputs (without an account) are used only to generate your results and are not stored.

When you click “Share”, we encode your scenario inside the URL itself. Nothing is uploaded to our servers. Anyone with the link can see all the inputs you entered, including your time horizon, services, expected prices, and (if you provided them) your rebate income and any restricted-eligibility selectors. Don't share a URL that contains details you wouldn't want the recipient to see.

If you have an account, you can delete it at any time from your Account Settings. Deleting your account will permanently remove:

• ·Your email address.
• ·All saved scenarios.
• ·Any unused magic link tokens or pending sign-in records linked to your account.

This action is immediate and irreversible. Database backups containing your data will age out within 30 days.

We use the following third-party service providers, all of which are located in the United States. By using the site you consent to your information being disclosed to these providers, who are bound by their own published privacy policies.

• Vercel (website hosting and analytics, US): vercel.com/legal/privacy-policy
• Neon (database hosting for accounts and saved scenarios, US): neon.tech/privacy-policy
• Resend (magic link and feedback email delivery, US): resend.com/legal/privacy-policy
• Stripe (payment processing for paid customers, US): stripe.com/au/privacy

We do not sell, rent, or share your information with any other parties, and in particular never with insurers, brokers, or comparison partners.

In the unlikely event of a data breach affecting your personal information, we will notify affected users and the OAIC in line with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. Notifications will include the nature of the breach, the kinds of information involved, and the steps we recommend you take in response.

This service is intended for adults aged 18 and over. We do not knowingly collect information from children. The family-plan calculator may include the number and type of dependants in a household. We do not collect dependants’ names, dates of birth, or any other identifying details.

We may update this policy from time to time. The “Updated” date at the top reflects the most recent change. For material changes affecting how we collect or use your data, we will notify account holders by email before the change takes effect.

If you have questions, want to access or update your personal information, or have a privacy concern, contact us at isitworthitaus@gmail.com or via the About page. We aim to respond within 30 days. If you remain unsatisfied, you can escalate to the OAIC at the contact details listed at the top of this policy.