Privacy Policy

1. Scope

This Privacy Policy explains how Studitory Pty Ltd collects, uses, stores and discloses personal information for our online learning platform and related services used by students, families, schools and staff. Studitory complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs).

2. Information We Collect

• Account and profile data, including name, username, email, year level, school context and selected subjects.
• Learning activity data, including questions viewed, answers submitted, study progress, flashcards, and learning analytics.
• Support and communications data when you contact us.
• Technical and security data, including IP address, device/browser metadata, access logs and cookie/session data.
• Payment-related metadata for premium features (billing is processed by Stripe).

3. Data We Do NOT Collect

To protect your privacy and comply with data minimisation principles, Studitory explicitly does not collect:

• Date of birth
• Home address
• Phone number
• Parent or guardian contact information (unless a parent creates an account for a student under 13)
• Government ID numbers (driver's licence, passport, etc.)
• Student ID numbers from your school
• Health or medical information
• Biometric data (no facial recognition or fingerprinting)

4. Cookies and Analytics

Studitory uses cookies and similar technologies only for user interface functionality (such as theme preferences and session management) and website traffic analytics. We do not use cookies for advertising or third-party tracking. We do not sell, rent or trade personal information to any third party. We may use anonymised and aggregated analytics data to monitor platform usage and improve our product. This data does not identify individual users.

5. How We Use Information

• Provide, maintain and improve the platform and learning features.
• Authenticate users, protect accounts and prevent abuse or misuse.
• Provide customer support and service communications.
• Generate educational feedback, including AI-assisted features where enabled.
• Produce anonymised, aggregated analytics to monitor platform usage and guide product improvements.
• Meet legal, regulatory, security and audit obligations.

6. AI Services and Student Data Protection

Some features use AI services to process educational content you submit (such as question text, responses and associated images) to return marking, feedback or validation outcomes. We configure AI features for education use and do not permit use that conflicts with school safety requirements.

7. Third-Party Service Providers

To deliver our educational services, we share limited data with trusted third-party service providers. All providers are bound by contractual and security controls appropriate to their role.

8. Cross-Border Data Handling

We store and process school data in Australia where practical. Some approved service providers process data in other jurisdictions (primarily the United States). Where this occurs, we ensure compliance with Australian Privacy Principle 8 (APP 8) through contractual protections (Data Processing Agreements), providers with international security certifications (SOC 2, ISO 27001) and zero-retention settings for AI services.

9. Student Works and Copyright

"Works" refers to student-created content on Studitory, including practice question answers, flashcards and study notes.

10. Data Retention and Deletion

• We retain data for as long as needed for service delivery, legal obligations, dispute handling and security investigations.
• We apply data retention schedules for operational logs, account records and educational activity records.
• When retention periods expire, data is deleted or de-identified using controlled procedures.
• Upon verified request, we support deletion and export workflows, subject to legal exceptions.

11. Security Controls

• Encryption in transit (TLS 1.3) and at rest (AES-256) for all platform and API communications.
• Row Level Security (RLS) enforced at the database layer across all tables.
• Access controls, authentication protections and least-privilege administration.
• Monitoring, logging and incident response procedures.
• Regular patching, dependency maintenance and penetration testing.

12. Children and School Context

Studitory is designed for school contexts. We process student information under school, parent/guardian and applicable legal frameworks. Where required, we rely on schools or guardians to provide and manage permissions.

13. Your Rights

Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

• Request access to personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion where lawful and operationally feasible.
• Request a copy or export of your personal information.
• Object to certain data processing (for example, opt out of AI marking).
• Raise a complaint about privacy handling with us or directly with the Office of the Australian Information Commissioner (OAIC).

14. Data Breach and Incident Notifications

If we identify an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will assess the breach within 24 hours. If the breach is likely to result in serious harm, we will notify the OAIC and all affected users within 72 hours in accordance with applicable law and school contractual obligations.

15. Changes to this Policy

We may update this policy from time to time. We will update the "Last updated" date and publish the current version at this page. We will notify users via email of any material changes at least 30 days before the changes take effect.

16. Australian Privacy Rights

As an Australian organisation, Studitory complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs). If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

17. Policy Version History