1. Overview
Rise Bright ("we", "our", "us") is committed to protecting the privacy of children and families who use our educational platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Rise Bright.
Rise Bright is an Australian educational technology platform designed for children in Foundation to Year 6, with a focus on supporting neurodiverse learners.
Key points
- We comply with the Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
- We collect minimal data necessary to provide our educational service
- We never sell personal information
- Children's data receives enhanced protection
- You have the right to access, correct, and delete your data
2. Data we collect
2.1 Information you provide
| Data Type | Purpose | Required |
|---|---|---|
| Parent email address | Account creation, communications | Required |
| Parent name | Account identification | Required |
| Child's first name | Personalised learning experience | Required |
| Child's year level | Age-appropriate content delivery | Required |
| State/territory | State curriculum alignment | Required |
| Learning needs (ADHD, dyslexia, etc.) | Content adaptation and accessibility | Optional |
2.2 Information we collect automatically
- Learning progress: Assessment results, lesson completion, time spent
- Technical data: Browser type, device type, IP address (anonymized)
- Usage data: Pages visited, features used, session duration
2.3 Information from third-party sign-in
If you choose to sign in using Google, we receive the following information from your Google account:
| Data Type | Purpose | Storage |
|---|---|---|
| Email address | Account identification and login | Encrypted at rest (AES-256-GCM) |
| Display name | Account personalisation | Encrypted at rest (AES-256-GCM) |
| Profile picture URL | Account display only | Stored as URL reference, not downloaded |
| Google account ID | Linking your Google identity to your Rise Bright account | Stored in our authentication database |
Google Sign-In: what you should know
- We only request the minimum scopes needed: your email address and basic profile information
- We do not access your Google Drive, Gmail, contacts, calendar, or any other Google services
- We do not store your Google password or authentication tokens long-term
- We never sell, trade, or transfer your Google user data to third parties
- We do not use your Google data for advertising, profiling, or any purpose unrelated to providing the Rise Bright educational service
- Google data is not used for AI or machine learning model training
- You can unlink your Google account at any time from your account settings, and we will delete the associated Google identity data
2.4 Information we do NOT collect
- Child's surname or full name
- Home address or location details
- School name or specific institution
- Photos or images of children
- Social media profiles
- Payment information (payments are processed securely by Stripe; we never store card details)
3. How we use your data
| Purpose | Legal Basis (APP) |
|---|---|
| Provide personalised educational content | APP 6 - Primary purpose |
| Track learning progress and generate reports | APP 6 - Primary purpose |
| Adapt content for learning needs | APP 6 - Primary purpose |
| Send important account notifications | APP 6 - Related purpose |
| Improve our educational platform | APP 6 - Related purpose |
| Ensure platform security | APP 11 - Security |
We will NEVER:
- Sell your personal information to third parties
- Use your data for targeted advertising
- Share children's data with marketing companies
- Create public profiles of children
- Use data for purposes unrelated to education
4. Data sharing
4.1 Third-party services
| Service | Purpose | Data Shared |
|---|---|---|
| Google Sign-In (Google LLC) | Optional account authentication | Email, display name, profile picture URL, Google account ID. Used solely for login. No data shared back to Google beyond authentication. |
| Claude AI (Anthropic) | Personalised content generation | Anonymised: Year level, state, learning needs only. No names or identifiable data. |
| Stripe (Stripe Inc.) | Payment processing | Payment details are handled entirely by Stripe. We never receive or store card numbers. We only receive confirmation of payment status. |
| DB-IP | IP geolocation for geographic access control | IP address only. Used to determine country of origin. No personal data stored. |
4.2 When we may disclose information
- With your consent: If you explicitly authorize us to share specific information
- Legal requirements: If required by Australian law, court order, or government request
- Safety: To protect the safety of children or prevent harm (mandatory reporting)
4.3 Cross-border data transfer
Rise Bright primarily processes data in Australia. Some third-party services are operated by companies based in the USA:
- Google Sign-In (Google LLC, USA): Authentication data (email, name, profile picture) is exchanged securely via OAuth 2.0 over TLS. We do not share any additional user data with Google beyond what is required for the sign-in process.
- Claude AI (Anthropic, USA): Only anonymised data is sent (no names, no identifiable information). Data is transmitted via encrypted connection (TLS). Anthropic's privacy policy prohibits use of API data for training.
5. Data retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Active account + 7 years | Educational records |
| Assessment results | 7 years from completion | Progress tracking, educational records |
| Lesson progress | 3 years from activity | Learning continuity |
| Consent records | 7 years + account lifetime | Legal compliance |
| System logs | 90 days | Security and debugging |
| Anonymized analytics | Indefinite | Platform improvement |
After the retention period, data is securely deleted or anonymized so it can no longer be linked to any individual.
6. Your rights
Under the Australian Privacy Act 1988, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (APP 12) | View all personal information we hold about you and your child | Dashboard or contact us |
| Correction (APP 13) | Request correction of inaccurate information | Dashboard or contact us |
| Data Export | Download your data in a portable format | Dashboard export feature |
| Deletion | Request deletion of your account and data | Contact us (some data may be retained for legal compliance) |
| Withdraw Consent | Withdraw consent for optional data collection | Dashboard or contact us |
| Complaint | Lodge a complaint about privacy handling | Contact us first, then OAIC if unresolved |
We aim to respond to all privacy requests within 30 days.
7. Children's privacy
Enhanced protections for children
Rise Bright is designed for children ages 5-12 (Foundation to Year 6). We apply enhanced privacy protections for all children's data.
7.1 Parental consent
- Only parents/guardians can create accounts for children
- Consent is required before any child profile is created
- Parents control all settings and data sharing preferences
- Children cannot modify account settings or share data
7.2 Child data minimization
- We collect only first names (not surnames)
- No photos, videos, or images are collected
- No direct communication with children (all via parent dashboard)
- No social features, profiles, or child-to-child interaction
7.3 Learning needs data
If you choose to provide information about your child's learning needs (such as ADHD, dyslexia, or autism), this information is:
- Used only to adapt educational content and presentation
- Never shared externally (except anonymized to Claude AI for content personalization)
- Not used for any diagnostic or medical purposes
- Optional - the platform works without this information
7.4 Children's online privacy code
Rise Bright is preparing for the Australian Children's Online Privacy Code (effective December 2026). We are committed to meeting or exceeding these requirements.
8. Security measures
Your data security
We implement industry-standard security measures to protect your information.
8.1 Technical security
| Measure | Description |
|---|---|
| Encryption in Transit | All data transmitted using TLS 1.3 encryption (HTTPS) |
| Encryption at Rest | Database and backups encrypted using AES-256 |
| Secure Authentication | Password hashing using Argon2id (OWASP 2024 recommendation), Google OAuth 2.0 sign-in option, secure session management |
| Access Control | Role-based access, parents only see their own children |
| Session Security | Secure session tokens with 24-hour expiry, automatic re-authentication required |
8.2 Organizational security
- Ongoing security reviews and vulnerability assessments
- Incident response procedures in place
- Staff trained on privacy and security requirements
- Principle of least privilege for data access
8.3 Data breach response
In the event of a data breach that is likely to cause serious harm:
- We will assess the breach and contain it immediately
- We will notify the Office of the Australian Information Commissioner (OAIC) within 30 days
- We will notify affected individuals as soon as practicable
- We will provide recommendations for protective actions
9. Cookies and local storage
9.1 Our consent model
Rise Bright uses an opt-in consent model. Google Analytics only loads after you explicitly click "Accept" on the cookie consent banner. If you decline or take no action, no analytics cookies are set.
9.2 Cookies we use
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| __Host-csrf | Protects forms against cross-site request forgery | Essential | 1 hour |
| visitor_session | Anonymous page view analytics (no personal data) | Essential | 7 days |
| _ga, _ga_* | Google Analytics, used to understand site usage patterns | Analytics (consent required) | 2 years |
9.3 Local storage
We also store small pieces of data in your browser's local storage:
| Key | Purpose | Type |
|---|---|---|
| rb-theme | Remembers your dark or light mode preference | Essential |
| rb-cookie-consent | Stores your cookie consent preference (accepted or declined) | Essential |
| authToken | Keeps you logged in during your session | Essential |
9.4 Managing your preferences
You can change your cookie consent at any time by clicking "Cookie settings" in the footer of any page. This will remove any existing Google Analytics cookies and show the consent banner again.
We do not use:
- Advertising cookies
- Social media cookies
- Third-party tracking cookies (beyond Google Analytics, which requires your consent)
10. Australian compliance
10.1 Privacy Act 1988
Rise Bright complies with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs):
| APP | Principle | Our Compliance |
|---|---|---|
| 1 | Open and transparent management | This privacy policy |
| 2 | Anonymity and pseudonymity | First names only for children |
| 3 | Collection of solicited information | Minimal, necessary data only |
| 5 | Notification of collection | Clear consent at registration |
| 6 | Use and disclosure | Educational purposes only |
| 7 | Direct marketing | No marketing use of data |
| 8 | Cross-border disclosure | Anonymized data only to Claude AI |
| 11 | Security | Encryption, access controls, audits |
| 12 | Access | Dashboard access and data export |
| 13 | Correction | Edit profile and contact for corrections |
10.2 Notifiable Data Breaches scheme
We comply with the Notifiable Data Breaches (NDB) scheme. Any eligible data breach will be reported to the OAIC and affected individuals.
10.3 Regulatory contact
If you are not satisfied with our handling of your privacy complaint, you can contact:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
11. Contact us
For any privacy-related questions, concerns, or requests:
Policy updates
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates when the policy was last revised.