How we handle your data
Privacy Policy
Updated 13 June 2026
Who handles your data
IsItWorthIt is operated by IS IT WORTH IT, an Australian registered business (ABN 72 734 983 769). That’s the entity that holds and is accountable for the personal information described in this policy.
Businesses of our size are generally exempt from the Australian Privacy Principles under the Privacy Act 1988 (Cth). This page exists so you can see exactly what we collect, what we don’t, and what we do with it. If you have a privacy question or concern, contact us at isitworthitaus@gmail.com and we’ll respond within 30 days.
Our independence
We do not receive commissions, kickbacks, or referral fees from any health insurer, comparison service, or broker. We do not share your information with insurers, brokers, or comparison partners.
We do not hold an Australian Financial Services Licence (AFSL) and do not provide personal financial advice. The calculator presents results based purely on the inputs you give it; you make every decision.
If we ever change either of these positions, we will update this page and tell you before the change takes effect.
What information do we collect?
Calculator use (no account)
When you use the calculator without an account, your inputs (state, cover type, services, expected visits, prices, time horizon, optional rebate details) are processed on our servers to generate results and are not stored as a scenario. The anonymous usage events described under Analytics below record at most your state, cover type and counts, never the detail of what you entered. Share links encode your scenario inside the URL itself; nothing is uploaded to our servers when you create one.
Accounts and saved scenarios (optional)
If you create an account, we collect and store your email address, encrypted at rest with AES-256-GCM. Sign-in is by magic link; we never set or store a password. If you save a scenario, the calculator inputs listed above are stored together as a single encrypted blob under a name you choose. Calculation results themselves are not stored; they are recalculated from your inputs each time you reopen or export the scenario.
Payments (paid customers)
Payment processing is handled by Stripe. Your card number, CVV, and billing address are entered on Stripe's hosted checkout page and never reach our servers. After a successful payment, Stripe notifies us and we record the transaction reference, amount, currency, timestamp, and which account purchased. The notification record is kept for audit with your email address removed from it. To update or remove card details held by Stripe, use Stripe's privacy controls.
Feedback form
If you submit feedback, we collect your name, email address, and message. Don't include sensitive personal information in feedback if you don't want it collected.
Analytics
We use Vercel Analytics and Speed Insights for anonymous, aggregated usage data: pages visited, country or region, device type and browser, and page-load performance. This cannot identify you and uses no cookies.
We also record anonymous interaction events on our own server (not a third party), for example: a calculation was started, a result was shown, a share link was opened, a checkout was completed. These events carry at most your state, cover type, the page involved, and how you arrived at the site. They never contain scenario details, personal information, or health information. A random identifier in your browser's session storage groups events from the same visit; it is not a cookie, is not linked to your account, and is deleted when you close the tab.
What we don’t collect
- No passwords (we use passwordless magic links)
- No medical records, diagnoses, or claims history
- No advertising or third-party tracking cookies
- No server-side storage of calculator inputs when you use the calculator without an account
- No calculation results (recalculated on demand)
- No data sold, rented, or shared with insurers, brokers, or comparison partners
Sensitive information
We do not set out to collect sensitive information. The one place it can arise is the restricted-fund filter: selecting a fund tied to defence service, an industry, or a union implies something about you. That selection is used only to filter the policy list (and is stored only inside the encrypted blob if you save the scenario). It is never disclosed to anyone.
Cookies and your device
We use only the minimum cookies needed for the site to work, and none for advertising, third-party tracking, or cross-site profiling.
| Cookie | Purpose | Lifetime |
|---|---|---|
| isitworthit_session | Keeps you signed in after you click a magic link. Set only when you log in. | 7 days |
| iiwi_pending_login | Lets your originating device pick up a sign-in completed on another device. | 15 minutes |
Both cookies are httpOnly, SameSite=Strict, and Secure in production.
Your browser also remembers some inputs locally so a refresh doesn't lose your work: calculator inputs in sessionStorage (cleared when the tab closes) and a working copy of your most recent scenario in localStorage (cleared when you clear browser data). This data stays on your device unless you save a scenario to your account.
Data security
- Email addresses and saved scenarios are encrypted at rest with AES-256-GCM; emails are additionally SHA-256-hashed for lookup.
- Magic-link tokens are stored only as SHA-256 hashes and expire after 15 minutes.
- All connections use HTTPS.
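As an added illustration of the magic-link handling described above (example code written for this page, not the site's own implementation): the raw token goes only into the emailed link, the server keeps its SHA-256 hash with a 15-minute expiry, the email is stored as a lookup hash, and a token can be redeemed once. The in-memory dictionary standing in for the database table is an assumption of this example.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute lifetime stated in the policy

# Constructed in-memory store standing in for the database table:
# sha256(raw_token) -> {"email_hash": ..., "expires_at": ..., "used": ...}
_login_tokens = {}


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def issue_magic_link_token(email: str, now: Optional[float] = None) -> str:
    """Create a single-use login token. Only its SHA-256 hash is persisted,
    so a leaked table does not contain usable links."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)  # 256 bits of entropy; this goes in the link
    _login_tokens[_sha256_hex(raw_token)] = {
        # lookup hash of the normalised address, not the address itself
        "email_hash": _sha256_hex(email.strip().lower()),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return raw_token


def redeem_magic_link_token(raw_token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email hash the token was issued for, or None if the token is
    unknown, expired, or already used. The presented token is hashed and looked
    up by that hash; because the token is high-entropy and never stored in the
    clear, the stored digests alone cannot be turned back into valid links."""
    now = time.time() if now is None else now
    record = _login_tokens.get(_sha256_hex(raw_token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True  # one click, one session
    return record["email_hash"]


def purge_expired_tokens(now: Optional[float] = None) -> int:
    """Housekeeping: drop used or expired records; returns how many were removed."""
    now = time.time() if now is None else now
    stale = [h for h, r in _login_tokens.items() if r["used"] or now > r["expires_at"]]
    for h in stale:
        del _login_tokens[h]
    return len(stale)
```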
How long we keep your information
- Saved scenarios and your account: until you delete them.
- Magic-link sign-in records: expire 15 minutes after they are issued.
- Payment records: at least 7 years, as required by Australian tax record-keeping rules. Card details are never on our servers.
- Feedback: kept as ordinary email correspondence.
- Anonymous analytics: Vercel retains its aggregated data for up to 14 months; our own usage events contain no personal information.
- Database backups: held by our hosting provider for up to 30 days for disaster recovery, then deleted.
How we use your information
- Your email is used only for login magic links; we don’t send marketing emails.
- Saved scenarios are used only to restore your calculator inputs and generate exports.
- Feedback and anonymous analytics are used only to improve the website.
- Calculator inputs (without an account) are used only to generate your results and are not stored.
A note on share links
When you click “Share”, we encode your scenario inside the URL itself. Nothing is uploaded to our servers. Anyone with the link can see all the inputs you entered, including your time horizon, services, expected prices, and (if you provided them) your rebate income and any restricted-eligibility selectors. Don't share a URL that contains details you wouldn't want the recipient to see.
Deleting your data
If you have an account, you can delete it at any time from your Account Settings. Deleting your account permanently removes your email address and all saved scenarios, immediately and irreversibly. Database backups containing your data age out within 30 days. Payment records are kept for tax purposes (see above) but are unlinked from your account when it is deleted.
Who we share information with
We use four service providers, all located in the United States, each bound by their own published privacy policies:
- Vercel: website hosting and analytics
- Neon: database hosting for accounts and saved scenarios
- Resend: magic-link and feedback email delivery
- Stripe: payment processing
We do not sell, rent, or share your information with any other parties, and in particular never with insurers, brokers, or comparison partners.
Data breaches
If a data breach affects your personal information, we will tell you promptly: what happened, what information was involved, and what we recommend you do.
Children
This service is intended for adults aged 18 and over. We do not knowingly collect information from children; family scenarios record only the number and type of dependants, never their names or any other details.
Changes to this policy
We may update this policy from time to time. The “Updated” date at the top reflects the most recent change. Material changes will be noted here and, where practical, emailed to account holders.
Contact
To ask a question, access or update your personal information, or raise a privacy concern, contact isitworthitaus@gmail.com or use the About page. We aim to respond within 30 days.