Privacy policy

1. Who we are

study-canvas (“we”, “us”) is an online practice tool for senior-secondary mathematics, operated from Victoria, Australia. We are an APP entity under the Privacy Act 1988 (Cth) and we comply with the Australian Privacy Principles (APPs).

This policy explains what personal information we hold, why we hold it, who we share it with, and how you can exercise your rights over it.

2. Information we collect

• Account details — email address, display name, date of birth (month and year), and a one-time consent timestamp.
• Study activity — questions you attempt, your handwritten working, the grading verdict, hints viewed, and mastery scores per topic.
• Handwritten attempt images — for paid (Premium) accounts only. Free accounts have their working graded but the image itself is never stored.
• Payment information — we do not store card numbers. Stripe holds the payment details; we only retain your Stripe customer ID and the status of your subscription.
• Technical metadata — IP address, user-agent, and timestamps from sign-in and grading requests, used for abuse prevention and basic service reliability.

3. Why we collect it

• Operating your account and authenticating you securely.
• Grading your handwritten attempts and providing walkthrough feedback.
• Tracking your progress so the practice surface adapts to your level.
• Processing payments for Premium subscriptions.
• Investigating misuse, debugging issues, and improving grading prompt quality.

4. Who we share it with

We use a small number of third-party processors. We do not sell your data, and we do not use it for advertising.

Supabase (data hosting)

Hosts our database, authentication, and storage in theap-southeast-2(Sydney) region. Data stays in Australia.

OpenAI (grading)

When you submit a question for grading, the question text and — for Premium users — your handwritten image are sent to OpenAI’s API for processing. OpenAI is contractually prohibited from training on API content. Servers are located in the United States. This is a cross-border disclosure under APP 8.

Anthropic (optional grading cross-check)

If enabled for your account, the same grading request may also be sent to Anthropic for a second opinion. Same data-handling posture as OpenAI. United States. Cross-border disclosure under APP 8.

Stripe (payments)

Handles subscription billing in Australian dollars. Stripe holds your payment details; we hold only the customer and subscription IDs. United States and Australia. Cross-border disclosure under APP 8.

Resend (transactional email)

Delivers the one-time codes you use to sign in. United States. Cross-border disclosure under APP 8.

5. How long we keep it

• Account and progress data — kept for the life of your account.
• Handwritten attempt images (Premium) — kept until you close your account or for 24 months from upload, whichever is sooner.
• Usage counters — rolled up into anonymous aggregates after 90 days.
• Authentication logs — 30 days, after which only an aggregate count survives.
• Closed accounts — personal information is deleted within 30 days of a verified deletion request. We may retain anonymised aggregate records and records we are required by law to keep.

6. Your rights

Under the APPs you can ask us to:

• Confirm what personal information we hold about you and give you a copy.
• Correct anything that is wrong.
• Delete your account and the information attached to it.
• Withdraw a consent you previously gave us.
• Make a complaint — either to us first, or directly to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, email privacy@studycanvas.app. We aim to respond within 30 days.

7. Students under 18

study-canvas is intended for students aged 16 and over. We ask for your date of birth at signup so we can apply the right consent process:

• Under 16 — you cannot create an account at this time. We are working on a parent-consented signup path; check back later or ask a parent or guardian to contact us.
• 16 to 17 — you can self-consent, but we strongly recommend reading this policy with a parent or guardian. Your acceptance is logged with a timestamp.
• 18 and over — standard adult consent applies.

If you are a parent or guardian and you believe a child under 16 has created an account, email privacy@studycanvas.app and we will close the account and delete the associated information within 7 days.

See also our Child safety statement.

8. Cookies and local storage

We use a single session cookie, set by Supabase Auth, so we can recognise you between page loads. We do not use third-party analytics, advertising trackers, or cross-site cookies. The browser also stores a small amount of data locally so the practice surface keeps working when your network is unstable.

9. Data breaches

If we believe a breach is likely to result in serious harm, we will notify affected users and the OAIC under the Notifiable Data Breaches scheme as soon as practicable, and in any event within 30 days of becoming aware of the breach.

10. Contact

Our Privacy Officer is the person to contact for any privacy question or complaint:

If you are not satisfied with our response you can complain to the OAIC at oaic.gov.au or on 1300 363 992.

11. Changes

We will update this policy as the product and the law change. Material changes will be flagged in-app and by email at least 14 days before they take effect.