Privacy Policy

1. Who we are

BambooPrep is operated by Henry Huang (ABN active from 21 May 2026), trading as "BambooPrep" (ASIC business name registration in progress). Contact: hello@bambooprep.com.au.

This Privacy Policy explains how we collect, use, hold, and disclose your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and the OAIC Children's Online Privacy Code (effective 10 December 2026).

2. Personal information we collect

From parents (account holders):

• Email address (required for sign-up + transactional emails)
• Name (legal name, as it appears on payment card)
• Phone number (optional, used only for account recovery)
• Payment card details (processed by Stripe — we never store full card numbers)
• Preferred language (EN or 简体中文)

From children (under parent account):

• Display name (can be a nickname — does not need to be legal name)
• Year level and target exam (OC / Selective / Scholarship)
• Exam date (optional)
• Practice attempt data (questions answered, time taken, correct/incorrect)
• AI tutor conversation transcripts (when child uses chat feature, Day 3+)

We do not collect: health information, biometrics, government IDs (other than what Stripe receives for payment), photos/videos, or location data.

3. Why we collect it (purposes)

• To deliver personalised practice sessions to your child
• To generate fresh AI questions calibrated to your child's level and weak areas
• To send your account confirmations, receipts, and weekly progress reports
• To verify parental consent under the Children's Online Privacy Code
• To bill subscriptions and process refunds
• To improve our AI question quality (aggregated and de-identified metrics only)

We will not:sell your data, train external AI models on your child's answers, share data with marketers, or use data for advertising profiles.

4. How we hold it (security + data residency)

All consumer personal information is stored in Australian data centres:

• Database: Neon Postgres, Sydney region (aws-ap-southeast-2)
• Serverless functions: Vercel, pinned to syd1 (Sydney) region
• Static assets: Vercel global CDN (cached HTML only, no PII)

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). We follow industry standard practices for password hashing (Clerk-managed), credential rotation, and least-privilege access controls.

5. Who we share with (sub-processors)

We use the following trusted sub-processors. Each is bound by a Data Processing Agreement:

• Vercel Inc. (US) — hosting + serverless. Functions pinned to Sydney region for compliance.
• Neon Inc. (US-controller, Sydney data) — Postgres database hosted in Sydney region.
• Clerk Inc. (US) — authentication. Stores email + hashed password only; no child data.
• Anthropic PBC(US) — AI question generation. We send only the question prompt (no child PII) and receive generated content. Workspace configured with "Zero data retention".
• Stripe Inc.(US/IE) — payment processing. We share only what's required for billing.
• Resend Inc. (US) — transactional email delivery (welcome, receipt, weekly digest).

6. Overseas disclosure (APP 8)

Some of our sub-processors (Anthropic, Clerk, Stripe, Resend) operate from the United States. Under Australian Privacy Principle 8, we take reasonable steps to ensure these providers handle your data consistently with the APPs through written contracts (DPAs).

At sign-up, we ask for your explicit consent for this overseas disclosure under APP 8.1(a). You may withdraw consent at any time, which will require you to close your account (since our AI features depend on Anthropic).

7. Children's data (special handling)

For children under 15, we follow the OAIC Children's Online Privacy Code:

• Children cannot create accounts directly — only a parent or legal guardian can create an account on behalf of a child
• We require explicit parental consent for data collection, AI processing, and overseas disclosure, captured at sign-up via our Parental Gate flow
• The most-restrictive privacy settings are enabled by default for child accounts
• There is no chat between children, no public profiles, and no direct messaging features that could expose children to strangers
• When a child reaches age 15, we will request re-consent and provide options to transition the account to the young person's own control
• We do not allow targeted advertising of any kind to children

8. Your rights (APP 12 + APP 13)

You can, at any time:

• Access your data — request a complete export of all data we hold about your account and your children (delivered within 30 days). Available at Account → Data export.
• Correct inaccurate data — update your account information through Account settings or by emailing us
• Delete your data — close your account and request full erasure within 30 days (including from backups). Available at Account → Delete account.
• Withdraw consent — revoke any individual consent (data collection, AI processing, overseas disclosure) — note that revoking AI processing or overseas disclosure will disable AI features
• Complain — to us first at privacy@bambooprep.com.au. If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

9. Data breach notification (NDB Scheme)

If we become aware of a data breach likely to result in serious harm to you or your child, we will notify both you and the Office of the Australian Information Commissioner without undue delay (typically within 30 days), per the Notifiable Data Breaches scheme.

10. Changes to this policy

We will notify you of material changes by email and via an in-app notice. The effective date at the top of this page indicates when the current version took effect. After the OAIC Children's Online Privacy Code is formally registered (10 December 2026), we will issue a refreshed version aligned with the final registered Code.

11. Contact us

Privacy enquiries: privacy@bambooprep.com.au
General enquiries: hello@bambooprep.com.au