Privacy Policy

1. Who we are

This Privacy Policy explains how Phonicspal Pty Ltd (ACN: [insert ACN]) ("Phonicspal", "we", "us", or "our") collects, uses, discloses and protects personal information when you use our platform and related services (collectively, the "Service").

We are an Australian company and manage personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme. We also comply with the Spam Act 2003 (Cth) for electronic communications.

Contact us at team@phonicspal.com for privacy enquiries, access/correction requests, or complaints.

2. Who this Policy applies to

This Policy applies to teachers, school staff, homeschool parents, and school administrators who use the Service. Where the Service is used to support students, this Policy also applies to the student information entered by those users.

For student personal information, we act as a service provider to the school or teacher. We process student data on the school's or teacher's instructions and do not use it for our own independent purposes (such as marketing or profiling).

3. Information we collect

3.1 Account and profile information

When you create an account (via our authentication provider Clerk), we collect your name, email address, phone number (if provided), and profile image. We also store your role (e.g. teacher, admin), year level preferences, state/territory, and school association.

3.2 School information

School name, suburb, state, postcode, sector, and type. This is used for administration, programme matching, and licence management.

3.3 Content you create

Lesson plans, word selections, phoneme configurations, uploaded images, saved lessons, custom stories, and feedback (including any attachments). If you share stories publicly, your name may be displayed alongside the story if you have opted in.

3.4 Student information (entered by teachers)

Student names, class assignments, and group memberships. Teachers may also record phoneme progress flags, activity results, and learning notes for individual students. We rely on the school or teacher to have appropriate authority (including any required parent/guardian consent) to provide this information.

We do not collect student dates of birth, addresses, government identifiers, or login credentials.

3.5 Usage data and analytics

• Product analytics (PostHog): pages visited, features used, clicks, events, time on page, and session recordings (visual replays of how you interact with the Service). PostHog data is proxied via our domain (not sent directly to PostHog from your browser). Teacher/user identity (Clerk ID, email, name) is linked to analytics sessions. Student data is not sent to PostHog.
• Performance analytics (Vercel): Web Vitals metrics (page load times, responsiveness). No personal identifiers.
• Device information: browser type, operating system, screen size, and IP-derived general location (country/region level).

3.6 AI and voice service interactions

When you use AI-powered features, we send curriculum parameters to our AI processors: selected phonemes, high-frequency words, word lists, complexity settings, themes, and genres. We take steps to minimise personal information sent to these processors. Student names and personal data are not sent to AI providers.

For text-to-speech features, individual words and phonemes are sent to ElevenLabs for audio generation. No personal information is included.

3.7 Audit and security logs

We log certain actions for security and integrity purposes, including the actor, action type, timestamp, IP address, and user agent. These logs help us investigate security incidents and maintain data quality.

4. How we collect personal information

• Directly from you: when you create an account, configure settings, upload content, submit feedback, or enter student information.
• Automatically: through your use of the Service via analytics SDKs, cookies, and server logs.
• From your school: where your account or student information is managed centrally by a school administrator.
• From your authentication provider: Clerk provides us with your profile information when you sign in (including via Google or other social login if you choose).

5. How we use personal information

We collect and use personal information for the following purposes (aligned with APP 6):

• To operate, maintain, and improve the Service (including AI-powered lesson and story generation).
• To provision accounts, authenticate users, and provide support.
• To generate and deliver educational content and activities you request.
• To track student learning progress on the teacher's behalf.
• To send transactional emails (e.g. account welcome) and, where you have opted in, educational newsletters and digest emails.
• To ensure security, prevent fraud, and enforce acceptable use.
• To conduct analytics and improve Service quality (including session recordings to understand usability issues).
• To comply with laws and enforce our Terms.

We do not sell personal information. We do not use student data for marketing, advertising, or building user profiles for commercial purposes.

6. Children and student information

Phonicspal is designed for use by teachers in Australian primary schools and homeschool settings. Students (typically Prep to Year 2, ages 5 to 8) access activities under teacher supervision. We:

• Process student personal information solely as a service provider to the school or teacher, on their instructions.
• Collect only the minimum student data needed to deliver the Service (names, class assignments, learning progress).
• Do not send student personal data to AI providers, analytics services, or email providers.
• Do not display advertising to students or use student data for marketing.
• Rely on the school or teacher to obtain any parent/guardian consent required under applicable privacy legislation.

Schools and teachers should not upload unnecessary sensitive information about students (e.g. health information, disability details, government identifiers).

7. Cookies, local storage, and tracking

The Service uses the following types of cookies and local storage:

• Authentication cookies (Clerk): essential for keeping you signed in. Cannot be disabled without losing access.
• Analytics (PostHog): session identifiers and event data stored via cookies and localStorage. PostHog is loaded only in production and is proxied via our domain. Session recordings capture page interactions (clicks, scrolls, form interactions) but are configured to mask sensitive input fields.
• Preferences: UI state such as sidebar open/collapsed status.

You can control cookies via your browser settings. Blocking authentication cookies will prevent sign-in. Blocking analytics cookies will disable session recording and product analytics without affecting core functionality. We respect browser Do Not Track signals where technically feasible.

8. Direct marketing and email

In accordance with the Spam Act 2003 (Cth):

• We only send marketing or newsletter emails to users who have opted in (via the emailOptIn setting in your account).
• Every marketing email includes a functional unsubscribe link. You can also update your preferences in your account settings.
• Unsubscribe requests are processed promptly (typically immediately).
• Transactional emails (e.g. account creation, security notices) do not require opt-in and are sent as necessary to operate the Service.

9. Disclosures and overseas transfers

We use trusted third-party service providers to deliver the Service. Some process personal information outside Australia (primarily in the United States). In accordance with APP 8, we take reasonable steps (including contractual protections and security reviews) to ensure overseas recipients handle personal information consistently with the APPs.

Current key processors:

• Clerk(USA) — authentication and user management
• PostHog(USA, via us.posthog.com) — product analytics and session recording
• Google(USA) — Gemini AI models for educational text and image generation
• ElevenLabs(USA) — text-to-speech audio generation
• Vercel(USA) — hosting infrastructure, media storage (Blob), and performance analytics
• PlanetScale(USA) — MySQL database hosting
• Resend(USA) — transactional and marketing email delivery
• Upstash(USA) — rate limiting infrastructure

We do not sell or rent personal information to third parties. We only disclose personal information to service providers for the purposes described in this Policy, or as required by law.

10. Storage, security, and retention

Security

We use technical and organisational measures appropriate to the risk, including: encryption in transit (TLS), access controls, environment separation (development and production databases are separate), HMAC-signed tokens for sensitive operations, and regular security reviews. No method is 100% secure; we continually improve our safeguards.

Retention

• Account data: retained for as long as your account is active, plus a reasonable period after closure (currently 30 days) to allow reactivation.
• Student data: retained while the teacher's account is active. Schools or teachers may request deletion at any time.
• Analytics data: retained in accordance with PostHog's and Vercel's retention policies.
• Audit logs: retained for security and compliance purposes.
• Email logs: delivery metadata (recipient, subject, status) retained for troubleshooting and compliance.

When data is deleted, we use soft-deletion initially (marking records as deleted while preserving them for a recovery period), followed by permanent deletion. Soft-deleted data is excluded from all active queries and is not visible to users.

11. Account deletion

You can request deletion of your account at any time via your account settings or by contacting us. When you delete your account:

• Your authentication record is permanently removed from Clerk.
• Your database record is soft-deleted (marked with a deletion timestamp). Associated student data, classes, and content are retained in soft-deleted state for a recovery period, then permanently removed.
• Public stories you created will be disassociated from your identity.

Schools may request bulk deletion of student data by contacting us at team@phonicspal.com.

12. Access, correction, and complaints

Under the APPs, you have the right to:

• Access the personal information we hold about you (APP 12).
• Request correction of inaccurate, out-of-date, or incomplete personal information (APP 13).

To make a request, contact us at team@phonicspal.com. We will respond within 30 days. We may need to verify your identity before processing a request. If we refuse access or correction, we will explain why in writing.

Complaints

If you believe we have breached the APPs or mishandled your personal information, contact us first. We will investigate and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au/privacy/privacy-complaints.

13. Data breaches

We maintain a data breach response plan. If we experience an eligible data breach that is likely to result in serious harm, we will:

• Conduct an assessment as soon as practicable (within 30 days as required by the NDB scheme).
• Notify affected individuals and the OAIC if the breach is assessed as an eligible data breach under the Privacy Act.
• Take reasonable steps to contain and remediate the breach.

If you become aware of a potential breach involving Phonicspal data, please notify us immediately at team@phonicspal.com.

14. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted on this page with a new "Last updated" date. If changes are material, we will notify you by email or in-app notice at least 14 days before the changes take effect.