
Studitory

Privacy Policy

Last updated: June 2, 2026 (v2.3)

Studitory is committed to protecting personal information and supporting privacy, security and online safety in school settings.

1. Scope

This Privacy Policy explains how Studitory Pty Ltd collects, uses, stores and discloses personal information for our online learning platform and related services used by students, families, schools and staff. Studitory complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs).

2. Information We Collect

  • Account and profile data, including name, username, email, year level, school context and selected subjects.
  • Learning activity data, including questions viewed, answers submitted, study progress, flashcards, and learning analytics.
  • Support and communications data when you contact us.
  • Technical and security data, including IP address, device/browser metadata, access logs and cookie/session data.
  • Payment-related metadata for premium features (billing is processed by Stripe).

3. Data We Do NOT Collect

To protect your privacy and comply with data minimisation principles, Studitory explicitly does not collect:

  • Date of birth
  • Home address
  • Phone number
  • Parent or guardian contact information (unless a parent creates an account for a student under 13)
  • Government ID numbers (driver's licence, passport, etc.)
  • Student ID numbers from your school
  • Health or medical information
  • Biometric data (no facial recognition or fingerprinting)

4. Cookies and Analytics

Studitory uses cookies and similar technologies only for user interface functionality (such as theme preferences and session management) and website traffic analytics. We do not use cookies for advertising or third-party tracking. We do not sell, rent or trade personal information to any third party. We may use anonymised and aggregated analytics data to monitor platform usage and improve our product. This data does not identify individual users.

5. How We Use Information

  • Provide, maintain and improve the platform and learning features.
  • Authenticate users, protect accounts and prevent abuse or misuse.
  • Provide customer support and service communications.
  • Generate educational feedback, including AI-assisted features where enabled.
  • Produce anonymised, aggregated analytics to monitor platform usage and guide product improvements.
  • Meet legal, regulatory, security and audit obligations.

6. AI Services and Student Data Protection

Some features use AI services to process educational content you submit (such as question text, responses and associated images) to return marking, feedback or validation outcomes. We configure AI features for education use and do not permit use that conflicts with school safety requirements.

AI Providers and Models

Studitory uses the following AI models: Microsoft Azure OpenAI — GPT-4.1-mini and GPT-5.1-mini (primary, hosted in Australia); and AWS Claude Platform — Claude Haiku 4.5 (used as a fallback).

What We Send to AI Providers

When we send your answers to AI for marking, we only send the question text, your written answer and the marking criteria. We never send your name, email address, user ID, school name or any other personally identifiable information.

No AI Training

Your student data is never used to train AI models. We configure all AI services with zero-retention settings. AI providers process your answer for marking only and your data is not used to improve third-party AI models.

Audit Logging

All AI interactions are logged internally for security monitoring (what was marked, when, which AI provider). These logs are never shared externally.

7. Sub-Processors and Third-Party Service Providers

Studitory (the Data Processor) engages the trusted third-party sub-processors listed below to deliver our educational services. In ST4S terms, the School or Department is the Data Controller, Studitory is the Data Processor acting on the Controller's documented instructions, and each provider below is a downstream sub-processor. All sub-processors are bound by Data Processing Agreements (DPAs) that flow down confidentiality, security, breach-notification, onward-transfer, data deletion/return and audit obligations. The register below is the authoritative, publicly published list and records, for each sub-processor: legal entity, contact, service and purpose, data categories processed, lawful basis, the locations where data is stored, processed and accessed (including backups and support), the cross-border transfer mechanism, and security attestations.

Register governance: This register is reviewed at least quarterly and whenever a sub-processor changes. It is owned by the Studitory Privacy Officer (support@studitory.app), who maintains the underlying internal third-party inventory from which this public list is derived. Last reviewed: June 2, 2026.

Sub-Processor (Legal Entity) | Contact / URL | Service & Purpose | Data Categories | Lawful Basis | Storage / Processing / Access (incl. backups & support) | Transfer Mechanism | Security Attestations
Microsoft Corporation (Azure OpenAI Service) | azure.microsoft.com/support | AI answer marking and feedback generation (GPT-4.1-mini, GPT-5.1-mini) | Question text, student answer (anonymised — no name, email or ID) | Necessary to provide the educational service (APP 6) | Stored, processed and accessed in Australia (Australia East / Sydney), including support | Data kept in Australia (no overseas transfer) | ISO 27001, SOC 1/2/3, IRAP
Amazon Web Services, Inc. (AWS Claude Platform) | aws.amazon.com/contact-us | AI answer marking and validation fallback (Claude Haiku 4.5) | Question text, student answer (anonymised — no name, email or ID) | Necessary to provide the educational service (APP 6) | Processed and accessed in the United States; support from the United States | DPA with contractual clauses (APP 8.1) | ISO 27001, SOC 1/2/3
Supabase, Inc. | supabase.com/support | Database hosting, authentication and file storage | All account, profile and learning data (encrypted) | Necessary to provide the educational service (APP 6) | Stored, processed and backed up in Australia (Sydney); support may be provided from the United States | Data kept in Australia; DPA with contractual clauses for support access (APP 8.1) | SOC 2 Type II
Vercel, Inc. | vercel.com/contact | Application hosting and content delivery (CDN) | HTTP request logs, IP address, device/browser metadata | Necessary to provide and secure the service (APP 6) | Primary region Australia/Sydney; edge CDN nodes and support may be accessed globally, including the United States | DPA with contractual clauses (APP 8.1) | SOC 2 Type II
Amazon Web Services, Inc. | aws.amazon.com/contact-us | Underlying cloud infrastructure for hosted services | Hosted application and database data (encrypted at rest) | Necessary to provide and secure the service (APP 6) | Stored, processed and backed up in Australia (ap-southeast-2 / Sydney); support may be provided from the United States | Data kept in Australia; DPA with contractual clauses for support access (APP 8.1) | ISO 27001, SOC 1/2/3, IRAP
Google LLC (Google Cloud Platform) | cloud.google.com/contact | Authentication for users who choose Google Sign-In | Account email and authentication metadata for users who sign in with Google | Consent (Google Sign-In) / necessary to provide the service (APP 6) | Processed and accessed in the United States and globally, including support | DPA with contractual clauses (APP 8.1) | ISO 27001, SOC 1/2/3
Resend, Inc. | resend.com / privacy@resend.com | Transactional and opt-in email delivery | Recipient name and email address, email content | Consent (marketing) / necessary to provide the service (transactional) (APP 6) | Processed and accessed in the United States, including support | DPA with contractual clauses (APP 8.1) | SOC 2 Type II
Mathpix, Inc. | mathpix.com / support@mathpix.com | OCR conversion of user-submitted question images into text/LaTeX in the Question Builder | User-uploaded question image (no name, email or ID attached) | Necessary to provide the educational service (APP 6) | Processed and accessed in the United States, including support | DPA with contractual clauses (APP 8.1) | SOC 2 Type II
Stripe, Inc. | stripe.com/contact | Payment processing for premium features | Email, name, payment details | Necessary to perform a contract / process payment (APP 6) | Processed and accessed in the United States, including support | DPA with contractual clauses (APP 8.1) | PCI DSS Level 1, SOC 1/2

8. Sub-Processor Change Notifications

We notify customers in advance of changes to our sub-processors or to the locations where personal information is stored, processed or accessed, so that schools can assess and, where necessary, object before a change takes effect.

  • Subscribe: School and Department customers can subscribe to advance change notifications by emailing support@studitory.app with the subject "Sub-processor notifications". Material changes are also reflected in the change log on this page.
  • Advance notice: We provide at least 30 days' written notice before a new sub-processor begins processing personal information or before a material change to a processing location takes effect.
  • Right to object or exit: During the notice period, customers may raise concerns or object. Where an objection cannot be resolved, the customer may exit the affected service before the change is activated, without penalty for the unused portion of any prepaid term.

9. Overseas Disclosure Statement

We store and process school data in Australia where practical. Some approved sub-processors store, process, access or provide support for personal information outside Australia. The countries to which personal information is likely to be disclosed or from which it may be accessed are:

  • Australia — primary storage, processing and backups for hosting, database, file storage and primary AI marking (Microsoft Azure, Amazon Web Services, Supabase, Vercel primary region).
  • United States — AI marking fallback (AWS Claude Platform), Google Sign-In authentication, transactional email (Resend), OCR image processing (Mathpix), payment processing (Stripe), CDN edge delivery and vendor support/incident response.

Why disclosure occurs: hosting and infrastructure, AI marking fallback, authentication, email delivery, image OCR, payment processing, content delivery, and provider support/incident response. Controls when data is overseas: we protect personal information disclosed overseas through contractual measures (Data Processing Agreements incorporating standard contractual clauses consistent with APP 8), technical measures (encryption in transit with TLS 1.3 and at rest with AES-256, anonymisation of student data sent to AI providers, zero-retention AI settings, least-privilege access and audit logging), and organisational measures (sub-processors holding international security attestations such as ISO 27001 and SOC 2). We remain accountable under APP 8 for personal information handled by our overseas sub-processors.

10. Student Works and Copyright

"Works" refers to student-created content on Studitory, including practice question answers, flashcards and study notes.

Your Rights

  • You retain full copyright ownership of all Works you create on Studitory.
  • By using our platform, you grant Studitory a limited licence to display your Works back to you, process them via AI for feedback and aggregate anonymised data for platform improvement.
  • We do not sell, publicly publish or use your Works for marketing purposes.

11. Data Retention and Deletion

  • We retain data for as long as needed for service delivery, legal obligations, dispute handling and security investigations.
  • We apply data retention schedules for operational logs, account records and educational activity records.
  • When retention periods expire, data is deleted or de-identified using controlled procedures.
  • Upon verified request, we support deletion and export workflows, subject to legal exceptions.

12. Security Controls

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all platform and API communications.
  • Row Level Security (RLS) enforced at the database layer across all tables.
  • Access controls, authentication protections and least-privilege administration.
  • Monitoring, logging and incident response procedures.
  • Regular patching, dependency maintenance and penetration testing.

13. Children and School Context

Studitory is designed for school contexts. We process student information under school, parent/guardian and applicable legal frameworks. Where required, we rely on schools or guardians to provide and manage permissions.

14. Your Rights

Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

  • Request access to personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion where lawful and operationally feasible.
  • Request a copy or export of your personal information.
  • Object to certain data processing (for example, opt out of AI marking).
  • Raise a complaint about privacy handling with us or directly with the Office of the Australian Information Commissioner (OAIC).

15. How We Handle Privacy Complaints

If you believe we have mishandled your personal information or breached the Australian Privacy Principles, you can make a complaint and we will work with you to resolve it. Our complaints process is:

  • Lodge: Email your complaint to support@studitory.app with enough detail for us to identify you and investigate (what happened, when, and the outcome you are seeking).
  • Acknowledge: We will acknowledge receipt of your complaint within 5 business days.
  • Investigate and respond: We will investigate and provide a written response, including any remediation, within 1 week (and no later than 30 days) of receiving your complaint.
  • Escalate: If you are not satisfied with our response, you may escalate the matter to the Office of the Australian Information Commissioner (OAIC) — see the section below for contact details.

For school and department customers, we will also notify the relevant school contact where a complaint relates to a student account managed under a school agreement.

16. Data Breach and Incident Notifications

If we identify an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will assess the breach within 24 hours. If the breach is likely to result in serious harm, we will notify the OAIC and all affected users within 72 hours in accordance with applicable law and school contractual obligations.

17. Changes to this Policy

We may update this policy from time to time. We will update the "Last updated" date and publish the current version at this page. We will notify users via email of any material changes at least 30 days before the changes take effect.

18. Australian Privacy Rights

As an Australian organisation, Studitory complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs). If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

OAIC Website: www.oaic.gov.au

OAIC Phone: 1300 363 992

19. Policy Version History

Version | Date | Summary
2.3 | June 2, 2026 | Updated AI providers/models (Azure OpenAI GPT-4.1-mini and GPT-5.1-mini primary; AWS Claude Platform Claude Haiku 4.5 fallback) and confirmed Google Gemini is no longer used. Expanded the sub-processor register with legal entities, data-transfer mechanisms, security attestations and access/backup/support locations; added a sub-processor change-notification process (30 days' advance notice with object/exit rights) and a dedicated overseas disclosure statement naming countries, purposes and controls; added register review cadence and owner (ST4S PR16–PR17 / AI_G6 clarification)
2.2 | May 29, 2026 | Added Mathpix to the sub-processor table (OCR of user-submitted question images in the Question Builder) (ST4S PR17 clarification)
2.1 | May 29, 2026 | Added privacy complaints-handling process, expanded the sub-processor table (contact details, purpose, lawful basis, AWS, Google Cloud and Resend), and removed Google Gemini as it is no longer in use (ST4S clarification update)
2.0 | March 18, 2026 | Added AI data protection details, sub-processor table, data minimisation disclosure, student works section, OAIC complaint pathway (ST4S compliance update)
1.0 | February 16, 2026 | Original Privacy Policy

Contact Us

If you have a privacy request or concern, contact us with enough detail for identity verification and response tracking:

We will respond to all privacy rights requests within 30 days.