Privacy Policy
Last updated: May 2026
At Taughtful, we take privacy and data security seriously. As a platform coordinating care for children with additional support needs, we adhere to the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and treat all information with the highest level of care.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have. It covers our public website at taughtful.com.au and the Taughtful application.
1. Data Storage and Sovereignty
All Taughtful production data is stored in Sydney, Australia, by our database provider Supabase. Our application code runs on Vercel pinned to Vercel's Sydney region (syd1). We do not transmit or store identifiable personal information outside Australian borders, except for the limited de-identified AI processing disclosed in §4 and §5.
2. Information We Collect
We collect only the personal information necessary to provide the Taughtful service:
- Account information: name, email address, role (parent, teacher, allied health professional, early-years educator), organisation if applicable.
- Children's records: limited to initials or an auto-generated code, plus an age bracket. Surnames, dates of birth, and other directly identifying information are not stored.
- Observations: chip selections, structured tags, and optional free-text descriptions of what an adult observer has seen.
- Documents: drafts generated from observations, edits and approvals made by users, and the audit trail of who reviewed each document.
- Voice journal entries (optional): voluntary audio recordings logged by parents, transcribed for the parent's own subsequent review.
- Communications and consent records: emails sent through the platform; consent decisions logged in an append-only audit trail.
3. Sensitive Information
The Australian Privacy Principles classify information about health, disability, and mental health as sensitive information (APP 3). Taughtful's care team coordination function inherently involves sensitive information about children with additional support needs.
We collect sensitive information only with the parent or carer's explicit consent, recorded in our consent_records table. Each consent is logged with a timestamp and the specific care team member it applies to. It can be revoked at any time. The consent record itself cannot be modified or deleted retrospectively — database triggers block update and deletion operations to preserve an accurate audit trail.
4. AI and Data Use
Taughtful uses artificial intelligence to draft compliance documents from your observations, transcribe voluntary voice journals, and suggest additional observation prompts. Every AI output is a draft for human review and approval. The AI does not make decisions.
Before any AI call, personal information is removed by a two-pass de-identification filter: a regex pass for emails, phone numbers, Medicare and NDIS participant numbers, and dates; and a named-entity pass for child, team, and organisation names. AI providers never see a child's real name, surname, or date of birth. Identifiers are restored locally after the model responds.
Our AI subprocessors operate under commercial agreements that contractually exclude submitted content from being used to train their models. The full subprocessor list, regions, and data flows are set out on our AI & Ethics page. The full AI Ethics Policy and AI Incident Management Plan are available on request.
5. Cross-Border Data Flow (APP 8)
While all stored data resides in Australia, AI processing involves de-identified text and audio being sent to our AI providers in the United States: Anthropic (Claude) for text drafting and OpenAI (Whisper) for voice transcription. Both providers operate under commercial agreements that exclude submitted content from model training.
We have assessed this cross-border flow against APP 8 and consider the de-identification process to provide protection equivalent to APP 11 (Security of Personal Information), because the AI providers never receive identifiable information about any individual. The full assessment is set out in the AI Ethics Policy §2 (available on request).
We do not transfer identifiable personal information outside Australia.
Subprocessor register
The full list of subprocessors who process personal information on Taughtful's behalf, with the data they process, the country in which they operate, the lawful basis under APP 6, and a link to their published privacy policy:
| Provider | Data processed | Country | Lawful basis (APP 6) | Privacy contact |
|---|---|---|---|---|
| Supabase | De-identified observation and account data; authentication credentials; audit logs; consent records | Sydney, Australia | APP 6.1(a) consent at signup; APP 6.1(b) necessary for primary purpose | supabase.com/privacy |
| Anthropic (Claude) | De-identified text only (post PII filter) | United States | APP 6.1(b) necessary for primary purpose; APP 8 discharged by de-identification before disclosure | anthropic.com/legal/privacy |
| OpenAI (Whisper) | De-identified audio only (parent voluntary voice journals) | United States | APP 6.1(a) explicit user opt-in to voice feature; APP 6.1(b) necessary for that feature | openai.com/policies/privacy-policy |
| Resend | Email addresses and transactional message content (invites, notifications, account communications) | United States; EU options available | APP 6.1(b) necessary for primary purpose (transactional email) | resend.com/legal/privacy-policy |
| Vercel | None at rest. Stateless application hosting only; request metadata in transit. | Sydney region for compute (syd1) | APP 6.1(b) necessary for primary purpose (application hosting) | vercel.com/legal/privacy-policy |
Each subprocessor is engaged under written terms that include data-processing obligations consistent with Australian privacy law. We notify account holders before adding a new subprocessor or materially changing the data shared with an existing one, as set out in §11.
6. Children's Data and Parent-Controlled Access
Children are not the account holders of Taughtful. A parent or legal guardian holds the account on behalf of the child and acts as the access agent for the purposes of APP 12.
Parents and guardians:
- Approve every member of the child's care team before that person can see any observation, document, or note.
- Can revoke any team member's access at any time, with immediate effect.
- Receive a record of every approval, every revocation, and every consent decision in the audit trail.
- May request a copy of all data Taughtful holds about their child by emailing hello@taughtful.com.au.
- May request the correction or deletion of any personal information about themselves or their child (subject to legal record-keeping obligations where they apply).
7. Data Retention
We retain personal information only for as long as is reasonably necessary for the purposes set out in this Policy, or as required by law.
- Account data: retained while the account is active; deleted on account closure (subject to legal record-keeping where applicable).
- Observations and documents: soft-deleted on user request; permanently purged from the database by a scheduled job 30 days after soft deletion.
- Consent records: append-only; retained for the lifetime of the care team relationship plus a minimum of 7 years for audit purposes.
- Audit log entries: retained for a minimum of 7 years.
- Incident records: retained for 7 years from the date of incident resolution (see AI Incident Management Plan §8).
8. Your Rights — Access, Correction, Deletion (APPs 12 and 13)
You have the right at any time to:
- Access the personal information Taughtful holds about you, or — where you are the parent or guardian — about the child for whom you hold an account.
- Correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Request the deletion of personal information, subject to legal obligations that require us to retain certain records.
- Dispute or remove the AI's contribution to any AI-generated draft (see our Terms of Service §6).
- Complain to Taughtful's AI Safety Officer if you believe we have not handled your information in accordance with this Policy or the Australian Privacy Principles.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.
Requests are sent to hello@taughtful.com.au. We respond within 30 days in accordance with APP 12.
9. Cookies and Tracking
Taughtful does not use third-party tracking pixels, advertising cookies, or user-level analytics tools. We use only the cookies strictly necessary for authentication and session management (Supabase authentication session cookies). Aggregate, anonymous visit metrics may be collected via our hosting provider's first-party analytics; no personally identifiable information is captured.
You can revoke session cookies at any time by signing out and clearing your browser cookies for taughtful.com.au.
10. Notifiable Data Breaches
Where a data breach is likely to result in serious harm to one or more affected individuals, and we cannot prevent that harm through remedial action, Taughtful will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within 30 days of becoming aware of the breach, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
For incidents involving Taughtful's AI components specifically, our response is governed by the AI Incident Management Plan (available on request), which sets out severity classification, response phases, and voluntary near-miss disclosure commitments that go beyond the statutory minimum.
11. Notification of Material Changes
Taughtful commits to notifying account holders before any material change to:
- the AI model provider we use;
- the jurisdiction in which AI inference or stored data is hosted;
- the scope of what our AI is used for, beyond drafting from human inputs;
- this Privacy Policy.
Notifications are sent to account holders by email and published on the Taughtful website.
12. Australian Privacy Principles Compliance
Taughtful complies with the Australian Privacy Principles under the Privacy Act 1988 (Cth):
- APP 1 (Open and transparent management): We publish this Privacy Policy, our AI & Ethics page, our Security page, and our Terms of Service.
- APP 2 (Anonymity and pseudonymity): Children are pseudonymous by default — stored as initials or an auto-generated code with age bracket only, never surname or date of birth.
- APP 3 (Collection of solicited personal information): Sensitive information (health, disability, mental health) is collected only with explicit consent recorded in the audit trail (see §3).
- APP 4 (Dealing with unsolicited personal information): If unsolicited personal information is received, we assess whether we could have collected it under APP 3; if not, we destroy or de-identify it.
- APP 5 (Notification of the collection of personal information): This Policy is notified at signup; care team members are notified of the scope of their data access at invitation.
- APP 6 (Use or disclosure of personal information): Personal information is used only for documented purposes — care team coordination, compliance documentation, and the safety override path under CISS/FVISS where applicable. No secondary use without explicit consent.
- APP 7 (Direct marketing): We send only transactional emails (account, invites, notifications, incident communications). We do not market to users.
- APP 8 (Cross-border disclosure): De-identified text and audio are processed by AI providers in the United States; identifiable information is not transferred outside Australia (see §5).
- APP 9 (Government related identifiers): We do not use Medicare, NDIS participant, or other government identifiers as Taughtful identifiers. Where such numbers appear in user free-text content, they are removed by the PII filter before AI processing.
- APP 10 (Quality of personal information): Users may correct or amend their own information; the audit trail preserves accuracy.
- APP 11 (Security of personal information): Database row-level security, encryption at rest, TLS in transit, audit logging, principle of least privilege (see Security).
- APP 12 (Access to personal information): Access by request to hello@taughtful.com.au, responded to within 30 days. Parents and guardians act as access agents for children.
- APP 13 (Correction of personal information): Correction by request to the same address, on the same timeline.
Contact Us
If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise any of the rights in §8, please contact us at hello@taughtful.com.au. Privacy-related concerns are received by our AI Safety Officer.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.