Privacy Policy
Last updated: 1 April 2026
1. Who We Are
BandBoost is operated by Aria Infotech Pty Ltd (“we”, “us”, “BandBoost”), ABN [TBD], based in Sunshine Coast, Queensland, Australia.
We are subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Questions about this policy or your privacy rights may be directed to: [email protected]
2. What Personal Information We Collect
Parent or guardian
Name, email address, and password (hashed using industry-standard encryption — never stored in plain text). Payment information is processed by Stripe and not stored by BandBoost.
Student
First name and year level only. We do not require a student's surname, date of birth, school name, or any other identifying information.
Test data
Answers submitted during practice tests, AI-generated feedback, scores, and parent progress reports.
Payment records
Purchase history and invoice records for GST compliance. Card details are held by Stripe, not BandBoost.
Technical data
IP address (for security and fraud prevention only), browser type, and session tokens.
3. How and Why We Collect It (APP 5)
We collect this information to provide NAPLAN practice tests, generate AI feedback on student answers, deliver parent progress reports, and process payments. We do not collect information we do not need to operate the platform.
We do not collect data for advertising purposes and do not sell data to third parties.
4. Who We Share It With (APP 8: Overseas Disclosure)
We use third-party services to operate BandBoost. By using BandBoost, you consent to your data being processed by these providers in accordance with their privacy policies:
| Service | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase | Database hosting | Australia (Sydney) | All platform data |
| Stripe | Payment processing | USA | Payment records only |
| Zoho ZeptoMail | Transactional email | Australia (Sydney) | Email address, name |
| Anthropic | AI feedback generation | USA | Student answers (anonymised, no names) |
| Vercel | Web hosting / CDN | USA + global edge | Request logs (IP, URL) |
| Cloudflare | Security / CDN | USA + global edge | IP address, request metadata |
Important: Anthropic and student data
Student answers sent to Anthropic for AI evaluation contain no names, no parent email, and no personally identifiable information. Anthropic's API terms prohibit using API inputs to train their models. Your child's test answers are not used to train AI models.
All overseas providers are required by contract to maintain equivalent privacy protections as required under the Australian Privacy Act.
5. Children's Data
BandBoost is designed for students aged 8–15. Only a parent or guardian (aged 18+) may create an account. Students do not have their own login. Student data is only accessible to their parent or guardian and, if data sharing is enabled, to teachers at their school.
Student data is never used for advertising, profiling, or sold to any third party for any purpose.
6. Data Retention
| Data type | Retention | Reason |
|---|---|---|
| Test results + AI reports | Until account deletion | Core product feature |
| Request logs | 48 hours (auto-deleted) | Security monitoring only |
| AI call logs | 12 months | Cost auditing |
| Transaction records | 7 years | GST law |
| Anonymised benchmark data | Indefinite | No PII, aggregate only |
7. Your Rights (APP 12 + 13)
Under the Australian Privacy Act, you have the right to access the personal information we hold about you, request corrections, and request deletion of your data.
You can exercise these rights at any time via your Privacy & Data settings , including downloading a copy of all your data or deleting your account and all associated student records.
For questions or requests not covered by the self-service tools, email: [email protected]
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
8. Cookies and Analytics
BandBoost uses session cookies required for login functionality. These cookies are essential and cannot be disabled while using the platform.
We use analytics tools to understand how the platform is used in aggregate. Analytics cookies are only set after you provide consent via the cookie consent banner shown on your first visit.
9. Security
Data is encrypted in transit using TLS 1.3 and at rest using AES-256 via Supabase. We implement rate limiting, geo-blocking, and abuse detection to protect the platform. Passwords are stored using bcrypt hashing and are never visible to BandBoost staff.
10. Online Safety (Online Safety Act 2021)
BandBoost is designed for students aged 8–15. We take online safety seriously.
If you have a concern about content on BandBoost that is harmful to children, or about how your child's data is being handled, please contact us:
Email: [email protected]
We will respond within 14 days as required by Australian law.
If you are not satisfied with our response, you may escalate to:
- Office of the eSafety Commissioner: esafety.gov.au
- Office of the Australian Information Commissioner: oaic.gov.au
11. Data Breach Notification
In the event of an eligible data breach as defined by Part IIIC of the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) within 30 days as required by the Notifiable Data Breaches scheme.
12. Changes to This Policy
We will notify you by email at least 30 days before making material changes to this Privacy Policy.