This Privacy Policy explains how Cumulus Labs Pty Ltd as trustee for Wolstenholme Family Trust (ABN 54 815 423 293) ("Hilllz", "we", "us", "our") collects, uses, and shares information when you use the Hilllz mobile app and hilllz.com (together, the "Service"). Cumulus Labs is an Australian company based in Victoria, and this policy is written to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). It also includes specific provisions for users in the European Economic Area (EEA), the United Kingdom (UK), New Zealand, and California where additional rights and protections apply under local law.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for you to access the Service.
- Application refers to the Hilllz mobile app provided by Cumulus Labs.
- Cumulus Labs (referred to as "we", "us", or "our") means Cumulus Labs Pty Ltd as trustee for Wolstenholme Family Trust, ABN 54 815 423 293, the entity that controls and is responsible for the Service. For the purposes of the EU/UK GDPR, Cumulus Labs is the Data Controller.
- Device means any device that can access the Service, such as a phone, tablet, or computer.
- Personal Data (or "personal information") means any information that relates to an identified or identifiable individual, as defined under the Privacy Act 1988 (Cth), the EU/UK GDPR, the New Zealand Privacy Act 2020, and the California Consumer Privacy Act (CCPA/CPRA), as applicable.
- Service Provider means any third party that processes data on behalf of Cumulus Labs to facilitate or operate the Service. For the purposes of the GDPR, Service Providers are considered Data Processors.
- Service refers to the Hilllz mobile app and the Hilllz website.
- Third-Party Sign-In Service refers to Apple, Google, or (in future) Facebook, through which you can register or log in to the Service.
- Usage Data refers to data collected automatically, generated by your use of the Service or from the Service infrastructure.
- You means the individual using the Service.
What we collect
Account information. When you create an account, we collect your email address and a display name. If you sign in with Apple or Google (and, in future, Facebook), the provider shares your email address, display name, and a profile photo URL with us.
Riding profile. Your chosen rider persona (Piste Cruiser, Powder Hound, Family Leader, or Backcountry Explorer), display preferences (theme, units of measurement), and the resorts you save as favourites.
Location. If you grant location permission, we use your device's coarse location to show nearby resorts and personalise forecasts. You can revoke the permission at any time in your device settings. If we later add features that use location in new ways — for example, detecting when you arrive at or leave a resort so we can reconcile forecasts against real trips — we will ask for your explicit opt-in consent inside the app before enabling them, and update this policy to describe what the new feature does.
Content you share. If you send us support requests or feedback, we store what you write along with your account identifier so we can reply and improve the Service. If we introduce user-generated content features in future (for example, user-posted conditions reports or photos), this policy will be updated to describe how that content is stored and displayed. We will not use content you submit to train machine-learning models without your explicit consent.
Usage data. We record how you use the app (screens viewed, features used, errors encountered, and search queries) via PostHog and Typesense. This data is tied to a pseudonymous user identifier, not directly to your email.
Device and crash data. We collect device model, OS version, crash reports, and performance metrics via Firebase Crashlytics and Performance Monitoring. This helps us find and fix bugs.
Subscription data. If you subscribe to a paid tier, RevenueCat records your subscription status on our behalf. Apple and Google handle payment — we never see your card details.
Advertising. Free-tier users see ads delivered by Google AdMob. On iOS we ask for App Tracking Transparency (ATT) consent first; if you decline, the ads you see are non-personalised.
Email subscriptions. If you join our waitlist or newsletter on hilllz.com, Kit stores your email address so we can send product updates. You can unsubscribe at any time from the footer of any email we send.
We do not collect: payment card details, government identifiers, health or fitness data, biometric information, photos or videos from your device, your contacts, your browsing history outside the Service, or precise (street-level) location.
How we use your information
We use your information to:
- Provide and maintain the Service — authentication, account management, search, favourites, forecasts, alerts, and the Hilllz Score.
- Improve the Service — analytics, bug fixes, performance monitoring, and feature development.
- Personalise content — surface nearby resorts, deliver location-relevant forecasts, and tailor the Hilllz Score to the conditions you care about.
- Bill subscriptions — via Apple and Google.
- Communicate with you — send service notifications, respond to support requests, and (if you opt in) deliver newsletters and product updates.
- Comply with legal obligations — respond to lawful requests, enforce our Terms, and maintain records required by law.
- Detect and prevent abuse — identify and prevent fraud, misuse, or breaches of our Terms.
We do not sell your personal information. We do not use your data to train machine-learning models without your explicit consent.
Who we share information with
We rely on the following Service Providers to run Hilllz. Each processes data under its own privacy policy, which you should review.
- Google Firebase — authentication, database, Cloud Functions, Crashlytics, Performance Monitoring, and push notifications. Stores account and usage data in Google Cloud. Privacy policy
- PostHog — product analytics (pseudonymous user identifier). Privacy policy
- RevenueCat — subscription management and entitlement state. Privacy policy
- Mapbox — map rendering. Receives approximate location when you interact with the map. Privacy policy
- Open-Meteo — public weather API. Receives only resort coordinates, no personal data. Terms and privacy
- Typesense Cloud — resort search. Receives the text of your search queries. Privacy policy
- Google AdMob — ad delivery to free-tier users. Subject to ATT consent on iOS. Privacy policy
- Kit — email list management (only if you subscribe to our newsletter). Privacy policy
- Linear — issue tracking and user support. When you report an issue with place or conditions data through the Service, your name, email address, and the content of your report may be sent to Linear so we can track and respond to your report. Privacy policy
- Apple — authentication and subscription billing. Privacy policy
- Google — authentication and subscription billing. Privacy policy
We may also disclose your personal information:
- To public authorities, regulators, or law enforcement where required by law (for example, in response to a valid subpoena or court order).
- To our professional advisers (lawyers, accountants, auditors, insurers) in connection with operating the business, subject to confidentiality.
- In connection with a merger, acquisition, sale of assets, or financing — in which case we will provide notice before your data becomes subject to a different privacy policy.
We do not share your personal information with anyone else except where required by law or with your consent.
Cookies and similar technologies
Hilllz uses cookies and equivalent on-device storage (browser local storage on the web, secure storage in the app) to keep you signed in, remember your preferences, and measure how the Service is used. Some of our Service Providers set their own cookies or persistent identifiers:
- PostHog stores a pseudonymous identifier on your device or in your browser so we can link usage events into a session. It does not identify you by name or email.
- Kit uses cookies and tracking pixels in marketing emails to measure opens and clicks — only if you have subscribed to our newsletter.
- Mapbox may set session cookies when the map loads on hilllz.com.
- Google AdMob uses advertising identifiers to deliver ads to free-tier users. On iOS we request App Tracking Transparency consent before personalised ads are served.
- Firebase Authentication stores tokens in secure device storage so you stay signed in between visits.
You can clear cookies and site data from your browser at any time. In the app, signing out and reinstalling resets on-device identifiers.
International transfers
Your personal information may be transferred to — and maintained on — computers located outside Australia, including in the United States, the European Union, and other countries where our Service Providers operate. Data protection laws in these jurisdictions may differ from those in your own.
Where we transfer personal information outside Australia or the EEA/UK to a country that has not been recognised as providing an adequate level of protection, we rely on appropriate safeguards including:
- The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable.
- Supplementary measures where appropriate, such as encryption in transit and at rest, access controls, data minimisation, and vendor security reviews.
By using the Service, you consent to your data being transferred and processed in those jurisdictions, subject to the safeguards above. You may contact us using the details in the "Contact us" section to request further information about the safeguards we use for international transfers.
How long we keep data
We retain personal information only for as long as necessary for the purposes set out in this policy, or as required by law. Specific retention periods:
- Account and profile data — until you delete your account, then up to 90 days in backups.
- Subscription records — seven (7) years after the end of the subscription, as required by Australian tax and financial reporting law.
- Analytics data — up to two (2) years from collection.
- Crash reports and performance data — up to 90 days.
- Support requests and correspondence — up to two (2) years from resolution, to handle follow-up inquiries.
- Marketing data (if you've subscribed to the newsletter) — until you unsubscribe, or up to two (2) years from your last engagement, whichever comes first.
- Server logs (IP addresses, access times) — up to 12 months for security and troubleshooting.
When retention periods expire, we securely delete or anonymise personal information. Residual copies may remain in encrypted backups for a limited period and are not restored except where necessary for security, disaster recovery, or legal compliance.
We may retain personal information beyond these periods where:
- We are required by law to do so (for example, financial records for tax authorities).
- The information is necessary to establish, exercise, or defend a legal claim.
- You ask us to retain specific information.
You may request information about how long we will retain your personal data by contacting us.
Your rights
You have rights over your personal information that vary by jurisdiction. The general rights described below apply in Australia under the Privacy Act 1988; additional or extended rights may apply if you are in the EU/UK, New Zealand, or California, as set out in the dedicated sections below.
In all jurisdictions, you can:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your account and associated personal information.
- Withdraw consent for processing where we rely on consent (for example, location, ATT-based advertising, or marketing emails).
- Complain to us, or to the relevant privacy regulator in your jurisdiction.
You can delete your account directly from within the app (Profile → Delete account), which removes your personal data from our active systems. For other requests, email us at hello@hilllz.com. We will respond within 30 days, or sooner where required by law.
Security
We use industry-standard security controls — HTTPS in transit, encrypted storage, access controls on our Google Cloud project, multi-factor authentication on administrative accounts, and vendor security reviews — to protect your personal information. We comply with the Australian Privacy Principles (APP 11) requirement to take reasonable steps to protect personal information.
No system is completely secure, so we cannot guarantee absolute safety. If we become aware of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme, and equivalent regulators in other jurisdictions where required.
Children's privacy
Hilllz is intended for users aged 13 and over. Users between 13 and the age of digital consent in their jurisdiction must have the consent of a parent or legal guardian to use the Service.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please email hello@hilllz.com and we will delete it.
In December 2026, the Australian Children's Online Privacy Code is expected to take effect under the Privacy and Other Legislation Amendment Act 2024. We will update our practices and this policy to reflect those requirements as they apply to Hilllz.
Australian Privacy Principles (APPs)
Cumulus Labs is bound by the Australian Privacy Principles in the Privacy Act 1988 (Cth). Under the APPs, you have the right to:
- Be informed of what personal information we collect, why, and how we use it (this policy).
- Access the personal information we hold about you.
- Request correction of inaccurate, incomplete, or out-of-date personal information.
- Request deletion of your personal information where there is no legal reason for us to retain it.
- Lodge a complaint with us about how we handle your personal information.
If you are not satisfied with our response to a complaint, or believe we have breached the APPs, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.
We are aware of the Privacy and Other Legislation Amendment Act 2024 and will update our practices and this policy in line with the strengthened APP 11 security obligations, formal deletion rights, and automated decision-making transparency provisions taking effect from December 2026.
New Zealand Privacy Act 2020
If you are in New Zealand, your rights under the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs) apply to your personal information. You have rights similar to those described above, including the right to access, correct, and request deletion of your personal information. You can complain to us, or to the Office of the Privacy Commissioner of New Zealand at privacy.org.nz if you believe we have breached the IPPs.
EU/UK GDPR Privacy Notice
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the EU General Data Protection Regulation (GDPR) and equivalent UK and Swiss laws apply to your personal information. Cumulus Labs is the Data Controller for personal information processed in connection with the Service.
Legal basis for processing
We process personal information under one or more of the following legal bases:
- Consent (Article 6(1)(a)) — where you have given consent for one or more specific purposes (for example, location access, marketing emails, or ATT-based personalised advertising).
- Performance of a contract (Article 6(1)(b)) — where processing is necessary to provide the Service to you or to take steps before entering into a contract (for example, account creation, subscription billing).
- Legal obligation (Article 6(1)(c)) — where processing is necessary to comply with a legal obligation (for example, tax recordkeeping).
- Legitimate interests (Article 6(1)(f)) — where processing is necessary for our legitimate interests in operating, securing, and improving the Service, provided those interests are not overridden by your rights and freedoms (for example, fraud prevention, analytics).
Your rights under the GDPR
In addition to the general rights described earlier, you have the right to:
- Access the personal information we hold about you and obtain a copy.
- Request rectification of inaccurate or incomplete personal information.
- Request erasure of your personal information where there is no compelling reason for us to continue processing it.
- Restrict processing in certain circumstances (for example, while we verify accuracy or consider an objection).
- Object to processing that is based on our legitimate interests, including for direct marketing.
- Receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller (data portability).
- Withdraw consent at any time where we rely on consent as the legal basis. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents can contact the Information Commissioner's Office (ICO).
Exercising your GDPR rights
You may exercise your rights by contacting us at hello@hilllz.com. We may ask you to verify your identity before responding. We aim to respond within one (1) month and may extend by up to two (2) further months where necessary, in accordance with applicable law.
California Privacy Rights (CCPA/CPRA)
This section applies to California residents and supplements the rest of this policy. It is provided pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA/CPRA").
Categories of personal information collected
In the past 12 months, we may have collected the following categories of personal information from California residents:
- Identifiers (Category A): email address, display name, online identifier, IP address, account name. Yes — collected.
- California Customer Records information (Category B): name and email address. Yes — collected.
- Commercial information (Category D): subscription tier and purchase history. Yes — collected (for paying users).
- Internet activity (Category F): app interaction data, search queries, error logs. Yes — collected.
- Geolocation data (Category G): coarse location, where you grant permission. Yes — collected.
- Sensitive personal information (Category L): precise geolocation is not collected; account login information is collected. Limited — only login credentials processed via Apple/Google sign-in.
- Protected classifications (Category C), biometric (E), sensory (H), professional (I), education (J), inferences (K): Not collected.
Sources of personal information
We obtain personal information:
- Directly from you — through Account registration, in-app actions, support requests, and newsletter sign-ups.
- Indirectly through your device — via app analytics and crash reports.
- From our Service Providers — for example, when Apple or Google shares profile information at sign-in.
Use of personal information
We use the categories of personal information collected for the business purposes described in the "How we use your information" section above.
Sale or sharing of personal information
We do not sell or share your personal information for monetary consideration. However, our use of certain Service Providers (such as Google AdMob for advertising) may meet the CCPA/CPRA's broad definition of "sharing" for cross-context behavioural advertising. Where this applies, you have the right to opt out as described below.
Your rights under the CCPA/CPRA
If you are a California resident, you have the right to:
- Know what personal information we have collected, used, disclosed, or sold about you.
- Access the specific pieces of personal information we have collected about you.
- Correct inaccurate personal information.
- Delete personal information we have collected from you (subject to certain exceptions).
- Limit the use and disclosure of sensitive personal information.
- Opt out of the "sale" or "sharing" of personal information.
- Not be discriminated against for exercising your privacy rights.
To exercise these rights, contact us at hello@hilllz.com. We will respond within 45 days of receiving a verifiable request and may extend by an additional 45 days where reasonably necessary, with prior notice.
Do Not Sell or Share My Personal Information
To opt out of any "sharing" for behavioural advertising:
- In the app: on iOS, decline the App Tracking Transparency prompt or change your setting in Settings → Privacy → Tracking. On Android, enable "Opt out of Ads Personalization" in your device settings.
- By email: contact us at hello@hilllz.com with your request.
California Shine the Light
California residents who have an established business relationship with us can request information once a year about how we share their personal data with third parties for those third parties' direct marketing purposes. Email us at hello@hilllz.com with "Shine the Light Request" in the subject line.
California minors
California residents under 18 who are registered users may request removal of content or information they have publicly posted on the Service. Email us with the request and the email address associated with your account.
"Do Not Track" signals
Our Service does not currently respond to Do Not Track (DNT) signals from web browsers, as no consistent industry standard for DNT exists. You can manage tracking preferences through your browser, device, and the controls described elsewhere in this policy.
Links to other websites
The Service may contain links to third-party websites or services we do not operate. If you click a link to a third-party site, you will be directed to that site, which has its own privacy policy. We have no control over and assume no responsibility for the privacy practices of any third-party sites or services.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated via the app or by email to your registered address before they take effect. Your continued use of the Service after a change becomes effective means you accept the updated policy.
Contact us
Questions, requests, or complaints about this Privacy Policy or how we handle your personal information?
Email: hello@hilllz.com
For California residents exercising CCPA/CPRA rights: same email, with "California Privacy Request" in the subject line.
For EEA/UK residents exercising GDPR rights: same email, with "GDPR Request" in the subject line.