Privacy Policy

BandUp (ABN 57 793 201 060) ("we", "our") operates the BandUp writing practice platform at bandup-tech.com. We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Contact us: privacy@bandup-tech.com

Parent account data:

• Name and email address (provided at registration)
• Authentication tokens (via Google or Apple OAuth, or email/password)
• Subscription and billing information (processed by Stripe — we do not store card numbers)
• Email notification preferences

Child (student) data:

• First name, current school year level, state
• Essays written on the platform (text only — no images of children)
• Essay scores and NAPLAN criterion breakdowns
• Practice streaks and progress metrics

Usage data:

• Session logs, page views, feature usage (via Vercel Analytics — anonymised)
• Error logs (via Sentry — no essay content is sent to Sentry)
• Device type and browser (for layout optimisation only)

We do not collect: photographs, audio, video, government identifiers, or sensitive information as defined under the Privacy Act.

• To score essays against the NAPLAN writing rubric using Claude AI (Anthropic) — essay text is sent to Anthropic's API for this purpose
• To display progress tracking, band scores, and feedback to the parent and child
• To send transactional emails (essay scored, band improvement, practice reminders) — only if opted in
• To process subscription payments via Stripe
• To improve our scoring prompts and product features (aggregated, de-identified data only)
• To comply with our legal obligations under Australian law

BandUp uses Claude (developed by Anthropic) to score essays. When a student submits an essay, the essay text, genre, year level, and writing prompt are sent to Anthropic's API. No name, email, or identifying information is sent with the essay. Essays are sent with a randomly generated session identifier only.

Anthropic's data handling is governed by their Privacy Policy and API Terms of Service. Anthropic does not train its models on data submitted via the API.

All BandUp data is stored in Australia (Supabase — ap-southeast-2, Sydney). We use:

• Row-Level Security (RLS) in Supabase — parents can only access their own children's data
• TLS 1.2+ for all data in transit
• Hashed passwords (Supabase Auth — bcrypt)
• Stripe for all payment processing — we never see or store card numbers

BandUp is designed for use by parents on behalf of children. Children do not create independent accounts. All accounts belong to a parent or guardian who is responsible for the child's use of the platform.

We do not knowingly collect personal information directly from children under 13. If you believe a child under 13 has created an account without parental consent, contact us at privacy@bandup-tech.com and we will delete the account.

Essay content written by children is stored only for the purpose of scoring and displaying results to the child's registered parent. We do not use children's essay content for marketing, profiling, or training AI models.

Under the Privacy Act 1988 (Cth) and the APPs, you have the right to:

• Access the personal information we hold about you and your child
• Correct inaccurate or out-of-date information
• Request deletion of your account and all associated data
• Opt out of marketing emails at any time (unsubscribe link in every email)
• Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

To exercise any of these rights, contact: privacy@bandup-tech.com. We will respond within 30 days.

• Active accounts: data retained while the account is active
• Cancelled accounts: data retained for 90 days then permanently deleted
• Essay content: deleted on account deletion
• Billing records: retained for 7 years as required by Australian tax law
• Anonymised aggregate scoring data: retained indefinitely for product improvement

BandUp uses the following third-party services. Each is subject to its own privacy policy:

• Anthropic (Claude AI) — essay scoring
• Supabase — database and authentication (AWS ap-southeast-2)
• Vercel — web hosting and edge network
• Stripe — payment processing
• Resend — transactional email delivery
• Sentry — error monitoring (no essay content transmitted)

We do not use Google Analytics, Facebook Pixel, or any advertising tracking technology.

We will notify registered parents by email of any material changes to this Privacy Policy at least 14 days before they take effect. The current version is always available at bandup-tech.com/privacy.