Security & Privacy

How we protect
your family's data.

Plain-language answers to what we do — and don't do — with your information. No jargon.

Encryption everywhere

  • All traffic between your browser and BrightPath uses TLS 1.2+ (HTTPS). The padlock in your browser is always on.
  • Data stored on our servers is encrypted at rest using AES-256.
  • Passwords are hashed using bcrypt — we cannot read your password, and neither can anyone else.

Payment security

  • All payments are handled by Stripe, certified to PCI DSS Level 1 — the highest level of payment security certification.
  • Your card number never touches our servers. It goes directly from your browser to Stripe.
  • We store only the last four digits of your card and expiry date — for display purposes only.

Where your data lives

  • Some data passes through third-party services (Stripe, Google Analytics, Brevo) which may be hosted internationally. These providers are all subject to equivalent privacy protections under their respective certifications and agreements.

Children's data — extra protection

  • Children's accounts are always created and managed by a parent or guardian — a child cannot create their own account.
  • We collect only what's needed: a first name (or nickname) and year level. No surname, date of birth, or school name required.
  • A child's learning data is never used for advertising, never shared with other users, and never sold.
  • There are no social features, no public profiles, and no way for children to interact with other users.
  • Questions sent to our AI tutor (Ask Pax) are anonymised — no name, email, or account details are sent to AI providers.

Compliant with the Australian Privacy Act 1988, UK GDPR / Children's Code, and general GDPR principles for children's data.

Regulatory compliance

🇦🇺

Australian Privacy Act 1988

Australian Privacy Principles (APPs) · OAIC oversight

🇬🇧

UK GDPR

Data Protection Act 2018 · ICO oversight · Children's Code

🇪🇺

EU GDPR 2016/679

General Data Protection Regulation · local DPA oversight

What we never do

  • Sell or rent your personal information to anyone, ever.
  • Use your child's data for advertising or marketing.
  • Use advertising cookies or third-party tracking pixels.
  • Store full credit card numbers on our systems.
  • Send sales calls, cold calls, or unsolicited messages.

Found a security issue?

If you discover a vulnerability in BrightPath, please tell us privately before disclosing it publicly. We take all reports seriously and will respond within 2 business days.

[email protected]

Please include: what you found, how to reproduce it, and your contact details. We do not pursue legal action against good-faith researchers.