Privacy Policy

Last updated: 27 May 2026

1. About this Policy

Boomerang Study Pty Ltd ("we", "us", "our") operates Boomerang.study. We comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). We also comply with the Information Privacy Act 2009 (Qld), the Privacy and Personal Information Protection Act 1998 (NSW), and the Privacy and Data Protection Act 2014 (Vic) where applicable.

2. Data storage — Australia only

All personal information is stored exclusively in Australia on AWS infrastructure in the ap-southeast-2 (Sydney) region. We do not transfer personal information offshore. This is a non-negotiable design requirement for Australian school data compliance.

3. What we collect

Account data: name, email, year level, curriculum authority.
Practice activity: questions answered, marks, timestamps, session type.
AI marking inputs: question text and student answer only — no name, email, or user ID is included.
AI chat messages: stored in our Australian database for future personalisation and quality improvement (deletable — see Section 8).
Question feedback you submit.
Browser type (for app functionality only).

4. How we use your data

Service delivery and adaptive personalisation (contractual necessity).
Transactional emails (contractual necessity).
Subscription processing via Stripe (contractual necessity).
Quality improvement using aggregated anonymised data (consent, opt-out available).
Legal compliance (legal obligation).

We do not use data for advertising, commercial profiling, or sale.

5. AI marking and Anthropic

Written answers sent to the Anthropic Claude API for marking include: question text, mark scheme, marks available, and student answer. We never include name, email, or any user identifier. Anthropic processes this via Australian/Asia-Pacific infrastructure. We have a Zero Data Retention (ZDR) agreement with Anthropic — answer data is not retained after the API response is returned. Anthropic does not use API inputs to train its AI models. A Data Processing Agreement (DPA) is in place with Anthropic as a formal sub-processor. See Anthropic's Privacy Policy at anthropic.com/privacy.

6. Disclosure of information

We share data only with: Supabase (database, auth, storage — AU-hosted, ap-southeast-2); Stripe (payment processing — PCI DSS Level 1, payments data only); Anthropic (AI marking via API — see Section 5); Resend (transactional email delivery). We do not sell, rent, or trade personal information. We may disclose if required by law or court order.

7. Student privacy — users under 18

We serve students aged 16–18. We do not serve advertising. We do not share student data with schools, government, or third parties without consent. Users under 13 require parental consent. Parent Access shows only progress summaries — individual answers and chat conversations are never accessible to parents. Parents can request access to a student's data by contacting privacy@boomerang.study.

8. Your rights (APPs 12 & 13)

Access: request all data via "Download my data" in Settings › Privacy, or email privacy@boomerang.study.
Correction: edit profile in Settings or email us.
Deletion: delete account in Settings › General (personal data purged within 30 days).
Withdrawal of consent: toggle optional data uses in Settings › Privacy.
Complaint: contact us first, then the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

9. State considerations

QLD: Information Privacy Act 2009. NSW: Privacy and Personal Information Protection Act 1998. VIC: Privacy and Data Protection Act 2014. All states: Privacy Act 1988 (Cth) as the national minimum standard.

10. Data retention

Personal data deleted within 30 days of account deletion. Anonymised aggregate statistics may be retained indefinitely. Stripe retains billing records per financial regulations (~7 years). Inactive accounts (24 months no login) receive a deletion notice before removal.

11. Security

TLS 1.2+ on all connections. bcrypt password hashing. Row Level Security on every database table. API keys stored in encrypted server secrets (never in client code). Notifiable Data Breach (NDB) scheme compliance — affected users and OAIC notified within 30 days of a confirmed breach.

12. Cookies and local storage

Session cookies: authentication only — essential for login. LocalStorage: curriculum cache and session draft state — no personal data. No advertising, tracking, or fingerprinting cookies.

13. Contact

privacy@boomerang.study · Queensland, Australia. Response within 10 business days.