Privacy Policy

We collect several types of information to provide and improve our Service:

Personal Information: When you create an account, we collect your name, email address, and password (stored securely using bcrypt hashing). If you use Google OAuth for authentication, we collect your Google account ID and email address.

Company Information: For Enterprise accounts, we collect company name, contact details, and team member information for tutors invited to your organization.

Payment Information: Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status, but we never store your credit card details directly. Stripe maintains your payment method information securely on their PCI-compliant servers. We also collect payment card fingerprints (unique identifiers for your payment method) from Stripe to prevent fraudulent use of free trials. Card fingerprints are cryptographic hashes that cannot be used to make charges and do not reveal your card number, cardholder name, or any other sensitive payment information.

Usage Data: We collect information about how you use GradeAid, including worksheets generated (lesson topics, difficulty levels, duration), generation timestamps, download activity, and rate limit usage. This helps us improve our Service and ensure fair usage.

Authentication Tokens: We store email verification tokens, password reset tokens, and invitation tokens temporarily (24 hours for verification, 1 hour for password reset, 7 days for invitations) to facilitate secure account management.

We use the information we collect for the following purposes:

Service Delivery: To generate AI-powered worksheets aligned with the NSW curriculum, render PDFs, store your worksheet history, and provide download access to your generated materials.

Account Management: To create and maintain your account, authenticate your identity, manage your subscription and billing, enforce rate limits (3 worksheets per day for paid users, 1 per day for trial users), and track trial periods (7 days for individuals, 30 days for companies).

Communication: To send essential emails including email verification, password reset instructions, tutor invitation emails, billing notifications, and important service updates. We do not send marketing emails without your explicit consent.

Company Management: For Enterprise accounts, to manage team members, process tutor invitations, calculate active seat counts for billing, and provide team management dashboards to company administrators.

Service Improvement: To analyze usage patterns (anonymized where possible), improve our AI worksheet generation quality, enhance curriculum alignment, optimize performance, and develop new features based on user needs.

Security and Compliance: To detect and prevent unauthorized access, enforce our Terms of Service, comply with legal obligations, and protect the rights and safety of GradeAid and our users.

Fraud Prevention: To detect and prevent abuse of free trial periods, including creating multiple accounts to access repeated trials using the same payment method. We use payment card fingerprints (unique identifiers that cannot be used for transactions) to identify when the same payment card has been used across different accounts.

We take data security seriously and implement industry-standard measures to protect your information:

Database Security: All user data, account information, and metadata are stored in a secure PostgreSQL database hosted on Neon with servers located in Sydney, Australia (ap-southeast-2 region). Database connections are encrypted, and access is restricted to authorized systems only.

File Storage: Generated worksheets (PDF files) are stored in Amazon Web Services (AWS) S3 buckets located in the Sydney region (ap-southeast-2). Files are accessed via presigned URLs with 1-hour expiry times, ensuring temporary and secure download access.

Password Protection: User passwords are hashed using bcrypt with industry-standard salt rounds before storage. We never store passwords in plain text, and our systems cannot retrieve your original password.

Data Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Authentication tokens and session data are encrypted and signed to prevent tampering.

Access Controls: We implement role-based access control (RBAC) with five distinct user roles (Individual, Company Admin, Company Tutor, GradeAid Admin, Internal Test User). Users can only access data they are authorized to view based on their role and company affiliation.

While we implement robust security measures, no system is completely secure. We encourage you to use a strong, unique password and enable two-factor authentication when available.

GradeAid relies on trusted third-party services to deliver our platform. These services have access to certain information as necessary to perform their functions:

Stripe (Payment Processing): We use Stripe to process subscription payments and manage billing. Stripe collects and stores your payment method details, billing address, and transaction history. Stripe also provides us with payment card fingerprints (unique identifiers for each card) which we use to prevent trial abuse. These fingerprints cannot be used to process payments or identify cardholder information. Stripe is PCI-DSS Level 1 certified. View Stripe's privacy policy at stripe.com/privacy

OpenAI (AI Worksheet Generation): We use OpenAI's GPT models to generate worksheet content based on NSW curriculum learning objectives. When you generate a worksheet, lesson details (topic, difficulty, duration) are sent to OpenAI's API. OpenAI does not use data submitted via their API to train their models. View OpenAI's privacy policy at openai.com/policies/privacy-policy

Google (OAuth Authentication): If you choose to sign in with Google, we use Google OAuth 2.0 for authentication. Google provides us with your email address and account ID. We do not access your Gmail, Google Drive, or other Google services. View Google's privacy policy at policies.google.com/privacy

Amazon Web Services (File Storage): We use AWS S3 (Sydney region, ap-southeast-2) to store generated worksheet PDFs. AWS maintains SOC, ISO, and PCI compliance certifications. View AWS's privacy policy at aws.amazon.com/privacy

We carefully select third-party providers that meet high standards for data security and privacy. We do not sell your personal information to third parties.

GradeAid uses cookies and similar technologies to maintain your session and improve your experience:

Essential Cookies: We use session cookies powered by NextAuth to keep you logged in and maintain your authentication state. These cookies are necessary for the Service to function and cannot be disabled.

Preference Cookies: We may store your UI preferences (such as selected tabs in Settings) in your browser's local storage to enhance your experience across sessions.

Analytics: We currently do not use third-party analytics services. If we implement analytics in the future, we will update this policy and provide opt-out options where appropriate.

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. Please note that disabling cookies may affect your ability to use certain features of GradeAid.

You have the following rights regarding your personal data:

Access: You can view your profile information, subscription status, trial status, and worksheet history through your account Settings page. You may request a copy of all personal data we hold about you by contacting contact@gradeaid.com.au.

Correction: You can update your name and email address directly in the Profile tab of your Settings page. If you change your email address, you will need to verify the new email before it takes effect.

Deletion: You have the right to request deletion of your account and associated personal data. Individual users can delete their account directly via Settings → Delete Account. Company members should contact their company admin or email contact@gradeaid.com.au. GradeAid administrators can also process deletion requests on your behalf. Please note that we may retain certain information as required by law or for legitimate business purposes (such as preventing fraud).

Data Portability: You can download your generated worksheets at any time through your account. For a complete export of your data in machine-readable format, contact contact@gradeaid.com.au.

Opt-Out: You cannot opt out of essential service emails (verification, password reset, billing notifications), but you can unsubscribe from promotional communications if we introduce them in the future.

Restrict Processing: You can pause your subscription or deactivate your account to limit how we process your data while retaining your account information.

For Enterprise accounts, individual tutors should contact their company administrator first. Company administrators have additional rights to manage team member data within their organization.

To exercise any of these rights, please contact us at contact@gradeaid.com.au. We will respond to your request within 30 days.

We retain your personal information for as long as necessary to provide our Service and comply with legal obligations:

Active Accounts: We retain your account information, subscription data, and user preferences for as long as your account remains active. Worksheet history is automatically pruned to the most recent entries to optimize storage.

Cancelled Subscriptions: If you cancel your subscription, we retain your account information to allow you to reactivate your subscription easily. Your trial period information is preserved to prevent multiple trial uses.

Deleted Accounts: When you request account deletion, we permanently delete your personal information within 30 days, except where we are required to retain data for legal, tax, or fraud prevention purposes. Generated worksheet PDFs are deleted from S3 storage.

Temporary Tokens: Email verification tokens expire after 24 hours, password reset tokens after 1 hour, and invitation tokens after 7 days. Expired tokens are automatically deleted from our database.

Billing Records: We retain billing and transaction records for 7 years to comply with Australian tax regulations and accounting requirements.

Security Logs: We may retain security and access logs for up to 90 days to detect and prevent unauthorized access or abuse of our Service.

Fraud Prevention Records: Payment card fingerprints are retained indefinitely after account deletion to prevent abuse of free trial periods. These fingerprints are cryptographic identifiers that cannot be used to process payments and do not contain your card number, cardholder name, expiration date, or any other sensitive payment information. They are used solely to detect when the same payment method has been used across multiple accounts.

GradeAid is intended for use by educators, tutors, and educational professionals who are 18 years of age or older. Our Service is not directed to children under 18, and we do not knowingly collect personal information from minors.

If you are under 18 years of age, please do not create an account or submit any personal information through GradeAid. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

While worksheets generated by GradeAid are designed for students (including those under 18), the platform itself is meant to be used by teachers and tutors, not students directly.

If you believe we have inadvertently collected information from a minor, please contact us immediately at contact@gradeaid.com.au so we can take appropriate action.

GradeAid is operated from Australia, and we store data primarily in Australian data centers:

Primary Storage Location: Your account data is stored in PostgreSQL databases hosted in Sydney, Australia (ap-southeast-2 region). Generated worksheets are stored in AWS S3 buckets also located in Sydney (ap-southeast-2).

Third-Party Services: Some of our service providers (OpenAI, Stripe, Google) operate globally and may process your data in other countries, including the United States. These providers maintain strong data protection practices and comply with applicable privacy frameworks.

Data Protection Standards: When data is transferred internationally, we ensure that appropriate safeguards are in place, such as standard contractual clauses, Privacy Shield certification (where applicable), or equivalent data protection mechanisms.

If you are accessing GradeAid from outside Australia, please be aware that your information may be transferred to, stored, and processed in Australia, where data protection laws may differ from those in your country.

In the event that GradeAid is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your personal information may be transferred as part of that transaction.

We will provide notice via email and/or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy. You will have the opportunity to delete your account before the transfer if you do not agree to the new policy.

Any successor entity will be required to honor the commitments made in this Privacy Policy or provide you with notice and choice regarding any changes.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this policy.

Material Changes: If we make material changes that significantly affect your privacy rights or how we use your data, we will notify you by email (sent to the email address associated with your account) and/or by displaying a prominent notice on our website at least 30 days before the changes take effect.

Minor Changes: For minor changes (such as clarifications, formatting updates, or changes that do not affect your rights), we will update this page and note the revision date. We encourage you to review this Privacy Policy periodically.

Your continued use of GradeAid after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may delete your account by contacting contact@gradeaid.com.au.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: contact@gradeaid.com.au

Response Time: We strive to respond to all privacy-related inquiries within 2 business days and resolve requests within 30 days.

For data protection inquiries, please include "Privacy Request" in your email subject line to ensure prompt routing to the appropriate team.

If you are a company administrator with questions about managing team member data, please include your company name and administrator email in your inquiry.