Privacy Policy

BandUp (ABN 57 793 201 060) ("we", "our") operates the BandUp writing practice platform at bandup.com.au. We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Contact us: privacy@bandup.com.au

Parent account data:

• Name and email address (provided at registration)
• Authentication tokens (via Google or Apple OAuth, or email/password)
• Subscription and billing information (processed by Stripe — we do not store card numbers)
• Email notification and promotional communication preferences

Child (student) data:

• First name, current school year level, state
• Essays written on the platform (text only — no images of children)
• Essay scores and rubric criterion breakdowns across selected frameworks
• Practice streaks and progress metrics

Usage data:

• Session logs, page views, feature usage (via Vercel Analytics — anonymised)
• Error logs (via Sentry — no essay content is sent to Sentry)
• Device type and browser (for layout optimisation only)

We do not collect: photographs, audio, video, government identifiers, or sensitive information as defined under the Privacy Act.

• To score essays against selected frameworks (including NAPLAN, scholarship/selective boards, year-level advanced, state Year 12 pathways such as VCE, HSC, QCE, WACE, SACE, TCE and NTCE, and custom rubrics) using Claude AI (Anthropic) — essay text, rubric metadata, exam type, and year-level context may be sent to Anthropic's API for this purpose
• To display progress tracking, band scores, and feedback to the parent and child
• To send service emails that support your use of BandUp, such as essay-scored updates and weekly progress digests
• To send additional promotional communications and new feature or service offering updates only where your account preference is switched on
• To process subscription payments via Stripe
• To improve our scoring prompts and product features (aggregated, de-identified data only)
• To comply with our legal obligations under Australian law

BandUp uses Claude (developed by Anthropic) to score essays. When a student submits an essay, the essay text, genre, year level, writing prompt, and selected rubric context are sent to Anthropic's API. No name, email, or identifying information is sent with the essay. Essays are sent with a randomly generated session identifier only.

Anthropic's data handling is governed by their Privacy Policy and API Terms of Service. Anthropic does not train its models on data submitted via the API.

Named exam and board references are descriptive only. BandUp is not endorsed by, or officially affiliated with, ACARA, ACER, Edutest, selective school authorities, VCAA, NESA, or other exam bodies.

All BandUp data is stored in Australia (Supabase — ap-southeast-2, Sydney). We use:

• Row-Level Security (RLS) in Supabase — parents can only access their own children's data
• TLS 1.2+ for all data in transit
• Hashed passwords (Supabase Auth — bcrypt)
• Stripe for all payment processing — we never see or store card numbers

BandUp is designed for use by parents on behalf of children. Children do not create independent accounts. All accounts belong to a parent or guardian who is responsible for the child's use of the platform. Tutors and schools may access linked student data only where the parent has provided connection consent through BandUp workflows.

We do not knowingly collect personal information directly from children under 13. If you believe a child under 13 has created an account without parental consent, contact us at privacy@bandup.com.au and we will delete the account.

Essay content written by children is stored only for the purpose of scoring and displaying results to the child's registered parent. We do not use children's essay content for marketing, profiling, or training AI models.

Under the Privacy Act 1988 (Cth) and the APPs, you have the right to:

• Access the personal information we hold about you and your child
• Correct inaccurate or out-of-date information
• Request deletion of your account and all associated data
• Opt out of promotional and marketing emails at any time through your BandUp settings or the unsubscribe link in those emails
• Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

To exercise any of these rights, contact: privacy@bandup.com.au. We will respond within 30 days.

• Active accounts: data retained while the account is active
• Cancelled accounts: data retained for 90 days then permanently deleted
• Essay content: deleted on account deletion
• Billing records: retained for 7 years as required by Australian tax law
• Anonymised aggregate scoring data: retained indefinitely for product improvement

BandUp uses the following third-party services. Each is subject to its own privacy policy:

• Anthropic (Claude AI) — essay scoring
• Supabase — database and authentication (AWS ap-southeast-2)
• Vercel — web hosting and edge network
• Stripe — payment processing
• Resend — transactional email delivery
• Sentry — error monitoring (no essay content transmitted)

We do not use Google Analytics, Facebook Pixel, or any advertising tracking technology.

We will notify registered parents by email of any material changes to this Privacy Policy at least 14 days before they take effect. Service notices about your account or this policy may still be sent even if promotional communications are turned off. The current version is always available at bandup.com.au/privacy.