Privacy Policy
Effective date: 15 April 2026
Version: 1.0
Entity: Edvora (ABN 66 773 492 536), Melbourne, Australia
1. Who we are
Edvora is an AI-driven adaptive learning platform that helps students prepare for Australian K-12 examinations. We are headquartered in Melbourne, Victoria, and regulated by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Privacy Officer: support@edvora.com.au
2. What this policy covers
- What personal information we collect
- How we use it, including for AI model training
- Who we share it with
- How we keep it secure
- Your rights under Australian law
3. Personal information we collect
3.1 Information you give us directly
- Account details: email, display name, birth year, year level, state, optional school name
- Subscription details: billing name and address (processed by Stripe — we do not store card numbers)
- Profile preferences: exam focus, timezone
3.2 Information we collect as you use the platform
- Learning interactions: questions shown, answers submitted, correctness, time per question
- Optional self-reported data: pre-written reason chips (e.g. “I made a calculation mistake”)
- Usage data: pages visited, features used, session duration
- Device data: browser, OS, IP address (security and abuse prevention only)
3.3 Information we do NOT collect
- Card numbers (handled by Stripe)
- Voice or video
- Photos or images
- Precise location (only approximate country from IP)
- Data from other apps on your device
- Free-text answer reasoning (no such field exists; only the pre-written chips)
4. How we use your information
4.1 To run the platform
- Authenticate your account and deliver the learning experience
- Adapt practice to your specific error patterns
- Generate progress reports
- Process payments
4.2 To train and improve our AI models (opt-in only)
If you explicitly opt in, we use the following to train our misconception-diagnosis AI:
- The question text shown
- The correct answer
- The answer you selected
- Whether your answer was correct
- Your year level and subject (in aggregate form)
- Your self-reported reason chip (if you tapped one)
We never include in training data:
- Your name, email, or school
- Your IP address or device identifier
- Free text of any kind
- Data from users under 16 without explicit parental opt-in
Training data is pseudonymised at the architectural level: each record is linked only to a random pseudonym ID, stored in a separate mapping table from your account details. When you delete your account or withdraw AI training consent, the link between your pseudonym and your user record is severed, making your past contributions fully anonymous.
The resulting fine-tuned model powers the Edvora platform, including both the free research program and the paid subscription tiers.
4.3 For security and fraud prevention
We may review account activity to detect abuse, shared accounts, or automated scraping.
5. Consent and opt-out
5.1 Your consent
Participation in AI training is entirely optional. You choose whether to opt in during account setup, and you can change your mind at any time in Settings → Privacy. We will never assume consent on your behalf. The AI training toggle defaults to off for new users.
5.2 Withdrawing consent
- We stop collecting training data from your future sessions immediately
- The pseudonym link is severed within 30 days, so past contributions are no longer tied to you
- Your progress records remain so your learning history is preserved
6. Children and young people
6.1 Minimum age
Self-registered Edvora accounts are for users aged 16 and over. Users under 16 must have a parent or legal guardian create the account. The parent is the account holder of record.
6.2 Parental consent
- We require the parent's email and explicit confirmation they are the parent or legal guardian
- AI training data is not collected without a separate, explicit parental opt-in
- Parents can view, export, and delete their child's data at any time
6.3 School accounts
Where a school licenses Edvora, the school is responsible for obtaining any necessary parental consent under its own information-handling practices. Edvora acts as a data processor for the school.
7. Who we share your information with
7.1 Service providers
- Supabase (AWS Sydney / ap-southeast-2) — database hosting
- Firebase Authentication (Google, US region) — login
- Stripe (US / Australia) — payments
- Vercel (US) — website hosting
- Render (US) — API hosting
- Anthropic, Google (Gemini), Groq — AI inference providers for generating explanations
All providers are contractually bound to handle your data only for the purposes we specify and to maintain security controls equivalent to those required by Australian law.
7.2 Cross-border data transfers
By using Edvora, you consent to your personal information being transferred to and stored in the following jurisdictions, subject to the safeguards described below:
| Destination | Data | Provider | Legal basis / safeguard |
|---|---|---|---|
| Australia (ap-southeast-2, Sydney) | Primary database, all personal information | Supabase (AWS) | Domestic — APP 11 |
| United States | Authentication tokens only | Firebase (Google) | APP 8.1 — contractual controls, Google DPA |
| United States / Australia | Payment metadata (no card numbers stored by us) | Stripe | APP 8.1 — Stripe AU entity, contractual controls |
| United States | Static site hosting (no PII in transit) | Vercel | APP 8.1 — Vercel DPA |
| United States | API/backend compute, transient request data | Render | APP 8.1 — Render DPA |
| United States | AI inference payloads (question + answer, no PII) | Anthropic, Groq | APP 8.1 — provider DPAs, zero-retention where available |
| United States / European Union | AI inference payloads (question + answer, no PII) | Google (Gemini) | APP 8.1 — Google DPA |
AI inference requests contain only the question, answer choices, and diagnostic context — never your name, email, or identifiers. We take reasonable steps under APP 8.1 to ensure all overseas recipients handle your personal information in a way consistent with the Australian Privacy Principles. Where a provider's contractual terms fall short of APP equivalence, we rely on the APP 8.2(a) exception (you have consented after being expressly informed the APPs will not apply) — your acceptance of this policy constitutes that informed consent.
If you do not consent to these transfers, do not use the platform. You can withdraw consent at any time by deleting your account under Settings → Privacy.
7.3 We do not sell your data
We never sell, rent, or trade personal information to advertisers or data brokers.
7.4 Legal disclosures
We will disclose information if required by an Australian court, government agency, or law enforcement authority.
7A. Cookies and local storage
We use a small number of cookies and browser localStorage keys, strictly for platform operation — we do not use advertising cookies, tracking pixels, or third-party analytics that build user profiles.
| Item | Purpose | Duration |
|---|---|---|
| Firebase auth token (localStorage) | Keep you signed in | Until sign-out |
| edvora_beta cookie | Beta access gate | 30 days |
| Session preferences (localStorage) | Remember UI preferences (theme, year level) | Until cleared |
| Stripe session cookies | Process payment on checkout pages only | Per Stripe policy |
| Vercel infrastructure cookies | Load-balancing and DDoS protection | Session |
You can clear cookies and localStorage at any time through your browser settings. Doing so will sign you out but will not delete any data held server-side.
8. How we keep your data secure
- Encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Primary database hosted in Australia (Supabase ap-southeast-2)
- MFA available for all accounts
- Production data access restricted to named staff with logged access
- Automated encrypted backups retained for 30 days
- Identity and behavioural data architecturally separated via pseudonym mapping
9. How long we keep your data
| Data type | Retention |
|---|---|
| Account data (email, profile) | While account active + 12 months |
| Learning progress | While account active + 12 months |
| Training contributions (opted-in) | Indefinitely in anonymised form; link to you severed on withdrawal or deletion |
| Payment records | 7 years (tax law) |
| Support tickets | 3 years |
| Security logs | 12 months |
| Consent audit trail | 7 years after deletion (immutable) |
10. Your rights
- Access the personal information we hold about you
- Correct information that is inaccurate
- Delete your account and associated data
- Withdraw consent for AI training at any time
- Export your data in a portable format (JSON)
- Complain to us or to the OAIC
To exercise any of these rights: support@edvora.com.au. We respond within 30 days.
To complain to the OAIC: www.oaic.gov.au · 1300 363 992
11. Data breaches
If a data breach occurs that is likely to cause you serious harm, we will notify you and the OAIC within 30 days, as required by the Notifiable Data Breaches scheme.
12. Changes to this policy
We may update this policy. For material changes we notify you by email and require you to re-accept before continuing to use the platform. Historical versions remain at /privacy/v<number>.
13. Contact
Privacy Officer
support@edvora.com.au
Edvora, Melbourne, Victoria, Australia
14. Changelog
| Version | Date | Changes |
|---|---|---|
| 1.0 | 15 April 2026 | Initial policy. AI training opt-in. Pseudonym architecture. 16+ default; parent-mediated flow for under-16. |
See also: Terms of Use · AI & Data Use Transparency