Privacy Policy

BrightPath Education Pty Ltd (ABN 65 366 917 788) ("BrightPath", "we", "us", or "our") is committed to protecting the privacy of all individuals who use our online tutoring platform and services.

This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the BrightPath Education platform, website, or any related services, you acknowledge that you have read and understood this Privacy Policy. If you are a parent or guardian creating an account for a child, you consent to the collection of your child's information as described herein.

We collect the following types of personal information:

Account Information

• Parent/guardian full name, email address, and phone number
• Child's first name (or preferred nickname) and year level
• Account login credentials (password stored using bcrypt encryption; session tokens stored in your browser's local storage)
• Billing address and payment information (processed securely by our payment provider)

Learning Data

• Lesson progress and completion status
• Quiz and assessment results, including individual answers
• Practice exercise scores and time spent on activities
• XP points, streaks, and achievement data
• Subjects and topics accessed
• Diagnostic assessment results

Technical Information

• IP address and approximate geographic location (state/territory level)
• Browser type, device type, and operating system
• Pages visited, session duration, and usage patterns
• Referral source (how you found us)

Communication Data

• Emails, messages, or enquiries you send to us
• Feedback, survey responses, and support tickets
• Communication preferences and opt-in/opt-out choices

We use the information we collect for the following purposes:

We will not use your personal information for purposes other than those described in this policy without first obtaining your consent, unless required or authorised by law.

We take the privacy of children very seriously. Our special provisions for children's data include:

• Parental control: Parents and guardians have full visibility and control over their child's account, including the ability to review, modify, or delete all data associated with their child.
• Minimal collection: We only collect the minimum information necessary to provide our educational services. We do not require a child's surname, date of birth, school name, or other unnecessary identifying information.
• No child-targeted marketing: We do not serve advertising to children or use their data for marketing purposes. Educational communications are directed to the parent/guardian email only.
• No social features: Our platform does not include social networking, messaging, user profiles visible to others, or any features that allow children to interact with other users.
• Data deletion: Parents may request deletion of all their child's personal information at any time by contacting us. We will process deletion requests within 30 days.
• Restricted access: Access to children's learning data is restricted to the parent/guardian account holder and authorised BrightPath staff who require access for support purposes.

We take the security of your personal information seriously and implement industry-standard measures to protect it:

• Australian-based servers: All personal data is stored on servers located within Australia, ensuring compliance with Australian data sovereignty requirements.
• Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.2 or higher (HTTPS) encryption.
• Encryption at rest: Personal data and learning records are encrypted at rest using AES-256 encryption.
• Access controls: We enforce strict role-based access controls, ensuring only authorised personnel can access personal information, and only as required for their role.
• Regular security audits: We conduct regular security assessments and vulnerability testing of our systems.
• Secure payment processing: Payment information is processed by PCI DSS-compliant third-party payment processors. We do not store full credit card numbers on our systems.
• Incident response: We maintain an incident response plan and will notify affected individuals and the OAIC of any eligible data breach in accordance with the Notifiable Data Breaches scheme.

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information to the highest practicable standard.

We use cookies and similar technologies to provide and improve our services:

We do not use advertising cookies or tracking pixels from third-party ad networks. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the platform from functioning correctly.

We may share limited information with the following categories of third parties, only as necessary to provide our services:

• Payment processing — Stripe: We use Stripe to securely process subscription payments and refunds. Stripe is PCI DSS Level 1 compliant (the highest level of certification). Stripe receives only the information necessary to complete transactions (billing name, email, and payment card details). We do not store full credit card numbers on our systems. You can review Stripe's privacy policy at stripe.com/privacy.
• Website analytics — Google Analytics (GA4): We use Google Analytics 4 to understand how visitors interact with our platform in aggregate. GA4 collects anonymised usage data such as pages visited, session duration, and general geographic region. We have IP anonymisation enabled, and no personally identifiable information (names, email addresses, or learning data) is sent to Google. You can review Google's privacy policy at policies.google.com/privacy.
• Email delivery — Amazon Web Services (AWS SES) and Resend: We use Amazon Simple Email Service (AWS SES) as our primary transactional email provider and Resend as a backup delivery service. These providers send account confirmations, password resets, and progress reports on our behalf. They receive the recipient's email address and message content only as necessary to deliver emails. You can review their respective privacy policies at aws.amazon.com/privacy and resend.com/legal/privacy-policy.
• AI tutoring assistant — MiniMax and OpenAI: Our AI-powered tutoring feature ("Ask Pax") uses language models provided by MiniMax and OpenAI to generate educational explanations and answer student questions. All questions are processed anonymously — no child personally identifiable information (name, email, account details, or learning history) is sent to these AI providers. Only the text of the question and relevant curriculum context are transmitted. You can review their respective privacy policies at minimax.io/privacy-policy and openai.com/policies/privacy-policy.
• Cloud infrastructure providers: Australian-based hosting and cloud service providers that store and process data on our behalf, bound by strict data processing agreements.
• Legal and regulatory bodies: Where required by law, court order, or to protect the safety of our users, we may disclose information to relevant authorities.

All third-party service providers are contractually required to protect your personal information and may only use it for the specific purposes for which it was shared. We do not transfer personal information outside of Australia unless the receiving party is subject to equivalent privacy protections.

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the following rights regarding your personal information:

• Right to access: You can request a copy of the personal information we hold about you or your child at any time.
• Right to correction: If you believe any information we hold is inaccurate, incomplete, or out of date, you can request that we correct it.
• Right to deletion: You can request that we delete your personal information, subject to any legal obligations we may have to retain certain records.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. This will not affect the lawfulness of processing carried out before withdrawal.
• Right to opt out of marketing: You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly.
• Right to data portability: You can request your data in a commonly used, machine-readable format.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

Complaints

If you believe we have breached the Australian Privacy Principles or are unhappy with how we have handled your information, you may lodge a complaint with us. We will investigate and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected:

• Active accounts: We retain your information for as long as your account remains active.
• Cancelled accounts: Following account cancellation, we retain account data for 90 days in case you wish to reactivate. After 90 days, personal information is deleted or de-identified.
• Learning data: Anonymised and aggregated learning data (which cannot identify any individual) may be retained indefinitely for research and service improvement purposes.
• Financial records: Transaction records are retained for 7 years as required by Australian tax law.
• Legal obligations: Some information may be retained longer where required by law or to resolve disputes.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Last updated" date at the top of this page.
• For material changes, we will notify you by email at least 30 days before the changes take effect.
• We will post a notice on our platform informing users of the update.
• Continued use of our services after the effective date constitutes acceptance of the updated policy.

We encourage you to review this policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer: