Privacy Policy

1. Introduction

YS Infomatics Pty Ltd(ABN 46 644 607 714) (“we”, “us”, or “our”) operates PrepMethod, an adaptive exam-preparation platform for Australian students. We are committed to protecting the privacy of our users, especially children.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at www.prepmethod.com.auand the services provided through it (collectively, the “Service”). Please read this policy carefully. By using the Service, you consent to the data practices described in this policy.

We are bound by the Australian Privacy Principles(“APPs”) contained in the Privacy Act 1988(Cth). Where we handle the personal information of children, we take additional care in accordance with the APPs and applicable guidance from the Office of the Australian Information Commissioner (“OAIC”).

2. Information We Collect

We collect information in the following ways:

2.1 Information You Provide Directly

• Parent account: name, email address, and hashed password. Passwords are stored using bcrypt; we never store them in plain text.
• Student account: first name, nickname, optional email address, login mode (email or PIN), and a 4-digit PIN (hashed) where applicable. Student accounts are always created and managed by a Parent.
• Household information: a household code (word-based identifier) that links Parent and Student accounts.
• Support enquiries: name, email, and any information you provide when contacting us.

2.2 Payment Information

When you purchase a subscription or credits, our third-party payment processor, Stripe, collects your payment details. We do not store your credit card number, CVC, or full card details on our servers. We receive from Stripe: confirmation of payment, Stripe customer ID, subscription status, and invoice data to manage your account and display billing history.

2.3 Student Performance Data

We collect information related to a Student's use of the Service, including practice responses, scores, time spent, progress over time, and identified areas of strength and weakness. This data is essential for delivering adaptive questions and generating progress reports.

2.4 Automatically Collected Technical Data

• Device fingerprint: a random opaque identifier stored as a cookie (pm_did) with a 180-day expiry. This is used solely to recognise trusted devices and reduce repeated one-time-password challenges. We do not use this cookie for advertising or cross-site tracking.
• Session tokens: a refresh-token cookie (pm_rt, HttpOnly, Secure, 30-day expiry) is stored on your device to maintain your logged-in session.
• Log data: IP address, browser type, operating system, pages visited, referring URL, and timestamps. This data is used for security monitoring and service improvement.
• Error reports: anonymised crash and error data sent to Sentry for monitoring and debugging.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Create and manage your account, household, and Student profiles.
• Process transactions and manage subscriptions and credits.
• Personalise each Student's learning experience through adaptive question selection and progress tracking.
• Generate progress reports for Parents summarising their Student's performance.
• Send transactional emails (e.g. account verification, password reset, one-time login codes, billing receipts) via Postmark.
• Communicate service updates, security alerts, and support responses.
• Detect, prevent, and address fraud, security incidents, and technical issues.
• Monitor aggregate usage trends to improve the Service (no individual-level data is shared externally for this purpose).

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information with third parties only in the following limited circumstances:

4.1 Service Providers

• Stripe(payments): receives payment details to process transactions. Stripe's use of your information is governed by Stripe's Privacy Policy.
• Postmark (email): receives email addresses and names to deliver transactional emails. We do not send marketing emails through Postmark.
• Sentry (error monitoring): receives anonymised error and performance data. We take care to exclude personally identifiable information from error reports.
• Fly.io (hosting): our application servers and database are hosted in Sydney, Australia.
• Vercel (frontend hosting): serves the website from edge locations. No user data is stored by Vercel beyond standard web-server logs.
• AI providers (e.g. OpenAI, Anthropic): when AI-powered features are active, we may send anonymised or de-identified content (e.g. question prompts, performance summaries) to generate educational material. We do not send names, email addresses, or other directly identifying information to AI providers.

4.2 Legal Compliance

We may disclose information if required by law, regulation, legal process, or enforceable government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

In connection with a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you before your personal information becomes subject to a different privacy policy.

5. Cookies and Local Storage

We use the following cookies and client-side storage to operate the Service:

We also store a short-lived access token and user summary in your browser's localStorage (pm-auth) to maintain your session between page loads. This data never leaves your device and is cleared when you log out.

We do not use third-party advertising cookies, analytics trackers (such as Google Analytics), or social-media tracking pixels. All cookies and local storage listed above are strictly necessary for the Service to function.

6. Children's Privacy

Our Service is designed for use by students, many of whom are under 18. We take children's privacy seriously:

• Only a Parent (aged 18+) may create an account and add Students. We collect information about Students only as directed by the Parent and solely to provide the educational service.
• We collect the minimum information necessary for a Student to use the Service: first name, nickname, login mode, and practice activity data.
• We do not display targeted advertising to Students or use Student data for marketing purposes.
• Parents can view, correct, or request deletion of their Student's data at any time (see Section 8 below).
• If you believe we have collected personal information from a child without proper parental consent, please contact us immediately at privacy@prepmethod.com.au so we can take appropriate action.

7. Data Security

We implement reasonable technical and organisational measures to protect your information, including:

• All data in transit is encrypted using TLS (HTTPS). Our API enforces HTTPS-only connections.
• Passwords and PINs are hashed using bcrypt before storage. We never store credentials in plain text.
• Refresh tokens are stored hashed in the database and rotated on every use.
• Our database is hosted on managed infrastructure in Sydney, Australia with automated backups and access controls.
• Access to production systems is restricted to authorised personnel.

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we take all commercially reasonable steps to protect your data.

8. Your Rights

Under the Australian Privacy Principles, you have the following rights in relation to your personal information:

• Access: You may request access to the personal information we hold about you or your child.
• Correction: You may request that we correct any inaccurate or out-of-date personal information.
• Deletion: You may request that we delete your account and associated personal information. We will action such requests within 30 days, except where we are required to retain data by law (e.g. financial records for taxation purposes).
• Data portability: You may request a copy of your data in a commonly used electronic format.
• Complaint: If you are not satisfied with how we handle your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner.

To exercise any of these rights, contact us at privacy@prepmethod.com.au.

9. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account and household data is retained until you request deletion or close your account.
• Student practice data is retained for the duration of the Student's account to enable ongoing adaptive learning and progress tracking.
• Billing records are retained for seven (7) years after the transaction date, as required by Australian taxation law.
• Security logs (e.g. login attempts, audit records) are retained for up to 12 months for fraud detection and security purposes.

When data is no longer needed, it is securely deleted or de-identified.

10. International Data Transfers

Our primary infrastructure (application servers and database) is hosted in Sydney, Australia. However, some third-party service providers (e.g. Stripe, Sentry, Vercel, AI providers) may process data in other countries. Where data is transferred overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs, including by entering into appropriate contractual arrangements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Site at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

• Privacy enquiries: privacy@prepmethod.com.au
• General support: support@prepmethod.com.au
• Post: YS Infomatics Pty Ltd, Victoria, Australia