Privacy Policy

1. Who This Policy Applies To

This policy applies to individual users of MarkPoint, including:

• High school students (Year 11-12 HSC English students, 13+ years old)
• Parents monitoring student progress and managing subscriptions
• Tutors using MarkPoint to help students improve
• Anyone interested in improving essay writing skills

2. Information We Collect

2.1 Account Information

• Name (first and last)
• Email address
• Password (hashed - we never see your plain text password)
• Age verification (date of birth or "I'm 13+" checkbox)
• Optional profile picture

2.2 Educational Content

• Essay submissions (full text of essays you submit)
• AI-generated marks and feedback
• Your manual edits and notes on essays
• Chat history with AI about essays and feedback
• Quote verification results
• Practice exam responses

2.3 Usage & Technical Data

• Credits used and features accessed
• Login timestamps and activity logs
• IP address (for security and fraud prevention)
• Browser type, version, and device information
• Pages viewed and platform navigation patterns
• Error logs when something breaks

2.4 Payment Data (via Stripe)

We do NOT store or have access to your full credit card information.

Payment processing is handled entirely by Stripe, our PCI-DSS Level 1 certified payment processor:

• We only store: Last 4 digits of card, expiry date, card brand (for display: "Visa ending in 4242")
• Billing email and subscription status (active/canceled)
• Transaction history
• Full card numbers and CVV codes go directly to Stripe (never touch our servers)

3. How We Use Your Information

We may use your data to provide and improve MarkPoint:

• Core Service: Mark essays, generate feedback, verify quotes
• AI Improvement: Train and enhance our AI models for better feedback quality
• Account Management: Authentication, password reset, important notifications
• Progress Tracking: Show your improvement over time
• Service Improvement: Analyze which features work well, identify bugs
• Security: Detect suspicious activity, prevent fraud and abuse
• Billing: Process subscriptions, show payment history
• Communication: Platform updates, billing issues, policy changes

We don't sell your personal data to advertisers or third parties. Your essays and marks are private - only you (and group members you invite) can view them, but content may be used in anonymized form for AI training and service improvement.

4. Cross-Border Data Transfers (Critical - APP 8)

4.1 Where Your Data Is Stored

• Primary Storage: Australia (Supabase/AWS Sydney region) - all account data, essays, and marks
• Website Hosting: Vercel (Sydney edge network)

4.2 AI Processing (USA Transfer)

How it works:

1. Your essay is stored in our Sydney database
2. Essay text is sent to OpenAI servers in USA for processing (typically <30 seconds)
3. AI generates marks and feedback
4. Results are stored back in Sydney
5. OpenAI immediately deletes your essay (zero retention per our agreement)

Why we use OpenAI (USA):

We use OpenAI because they have the most advanced AI models for understanding HSC English essay requirements and providing detailed, rubric-aligned feedback. Australian alternatives don't yet match OpenAI's quality for this educational purpose.

Safeguards in place:

• Zero retention: OpenAI deletes essays immediately after processing (contractually required)
• No AI training: Your essays will NEVER be used to train OpenAI's models
• Encryption: All data encrypted in transit (TLS 1.3)
• Limited data: Only essay text sent (no names, emails, or other personal info)

Disclosure: USA surveillance laws (FISA, CLOUD Act) theoretically allow government access, though the risk is low for student essays. We're actively evaluating Australian AI providers (Azure OpenAI Sydney) to eliminate cross-border transfers in the future.

5. Data Sharing

5.1 Who Can Access Your Data

• You: Your own essays, marks, feedback, chat history
• Group Members: Essays shared within groups (Pro/Ultra/Max feature - you opt in)
• Admins/Support: Only when troubleshooting account issues (with your permission)

5.2 Third-Party Service Providers

We may share limited data with service providers bound by Data Processing Agreements:

• Supabase: Database hosting, backups (has access to stored data)
• OpenAI: AI processing (temporary access to essays only, ~30 seconds, then deleted)
• Vercel: Website hosting and CDN (web traffic logs)
• Stripe: Payment processing (payment data only, not essays)

5.3 Law Enforcement

We may disclose data if legally required by court order or subpoena. We typically notify users before disclosure (unless legally prohibited) and challenge overbroad requests.

5.4 Who We DON'T Share With

• Schools (your data is yours, not a school's)
• Advertisers or data brokers
• Other students (unless you explicitly share via group feature)
• Parents (unless parent is account owner or student grants access)

6. Data Retention

How long we keep your data:

• Active accounts: Indefinitely while account is active
• Inactive accounts: Email warning at 60 days, then deleted at 90 days of no login
• Deleted accounts: Personal data deleted within 30 days
• Essays & Marks: Retained until you delete them OR account inactive for 90 days
• Chat History: Retained for 2 years, then auto-deleted
• Usage Logs: Retained for 1 year (analytics)
• Payment Data: Retained for 7 years (Australian Taxation Office requirement)
• Security Logs: Retained for 3 years (fraud prevention, dispute resolution)

Your Control: You can delete essays anytime via app settings, or delete your entire account by emailing support@markpoint.com.au. Parents can request deletion of minor's data.

7. Data Security

We implement security measures to protect your data:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access controls with admin audit logs
• Regular automated backups
• Secure data centers in Australia
• Beta notice: Security is actively being hardened during testing

8. Your Privacy Rights

Under Australian Privacy Law, you have the right to:

• Access: Request a copy of your data (use "Export My Data" in Settings)
• Correction: Update inaccurate information via your profile
• Deletion: Delete essays or your entire account
• Portability: Export data in JSON/PDF format
• Object: Opt-out of non-essential communications
• Withdraw Consent: Stop using the service if you don't consent to data processing
• Lodge Complaint: Contact OAIC (Office of Australian Information Commissioner) at enquiries@oaic.gov.au

Parents: You can request access, correction, or deletion of your child's data by emailing support@markpoint.com.au with proof of parental relationship.

9. Cookies & Tracking

We use cookies for:

• Session management and authentication (essential)
• Remembering user preferences
• Analytics (Google Analytics - anonymized)
• Security and fraud prevention

No advertising or tracking cookies. You can control cookies through your browser settings (disabling may affect functionality).

10. Data Breach Notification

If a data breach occurs, we will:

• Notify OAIC (Office of Australian Information Commissioner) within 72 hours (legally required)
• Notify affected users via email and in-app notification
• Notify all users if major breach (>1,000 users or high-sensitivity data)
• Publicly disclose if appropriate

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be announced via email with 30 days notice. Continued use after changes constitutes acceptance of the updated policy.