Privacy Policy
How we collect, use, and disclose your personal information
Our Privacy Policy outlines how we collect, use, and disclose your personal information, ensuring transparency and clarity about our practices.
Exam Insights is dedicated to safeguarding the privacy and confidentiality of our users’ information. We take our responsibility regarding the security and processing of user data seriously. This Privacy Policy, in conjunction with our Terms of Use, delineates the legal framework for the collection, processing, and protection of personal data obtained from you or provided by you.
Review this document to gain a comprehensive understanding of our views and practices regarding your personal data. Your visit to exam-insights.com signifies your explicit acceptance and consent to the practices outlined in this legally binding privacy policy. It is essential to acknowledge that any use of our services is subject to compliance with these terms, and we encourage you to contact us with any questions or concerns regarding your privacy at data-protection@exam-insights.com.
If you are under 18 years of age, we recommend reviewing this Privacy Policy with a parent or guardian and gaining their consent prior to giving us your personal information.
Our Privacy Policy may be updated periodically. Exam Insights will contact users via email if any policy change diminishes privacy rights that they were entitled to prior to those policy changes.
Summary of Our Privacy Commitment
We are committed to protecting your privacy in accordance with the applicable privacy laws, including the Australian Privacy Principles (APPs) under the Privacy Act for Australian users and the General Data Protection Regulation (GDPR) for users located in the European Union (EU) or European Economic Area (EEA).
Exam Insights will not disclose your information to third parties without your explicit written consent, except when required by law. We collaborate with third-party service providers under strict agreements to ensure that our data security and privacy standards are upheld.
We collect personal information including first name, school, email address, password, subject(s), and role. This data is securely stored within Australia. Users must be at least 13 years old to use our service. User data can be deleted by contacting data-protection@exam-insights.com.
What Data We Collect and Why
What Information Do We Collect?
Exam Insights collects the following information about you and your use of our services:
- Personal Information: We collect personal information that you provide to us by completing forms on our site exam-insights.com. This includes information you provide when you register to use our site and when you report a problem with our site. The personal information that we collect includes first name, school, email address, password, subject(s) and role.
- Technical Information: We automatically collect certain information when you visit, use, or navigate the Services, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, location, page response times, page errors, and the length of visits to certain pages. This information is primarily needed to maintain the security and operation of our Services and for our internal analytics and reporting purposes.
- Use of Service Information: We collect usage information about your use of certain features of our services, such as your subject matter performance, reflections on questions, questions you chose to add to a collection, Coverage you have attempted, and the amount of time spent completing a question. This enables us to better tailor educational experiences that are most appropriate for you.
- Information from Integrated Services: Exam Insights offers a single sign-on (SSO) sign-in option so that students and educators do not have to remember multiple passwords for various services. If you choose to sign in through SSO, Exam Insights may collect personal information that is already associated with your integrated service account. By choosing to provide such information during registration or otherwise, you are giving Exam Insights the permission to use, share and store it in a manner consistent with this Privacy Policy.
- Non-Personally Identifiable Information: Exam Insights uses any non-personally identifiable information that you provide or that we collect from users in an aggregated format to understand and analyse the usage trends, learning behaviours and preferences of our users, to improve the way our services work and look, and to create new features and functionality.
How Do We Process Your Information?
We process your personal information for various purposes, including:
- Facilitating account creation, authentication, and managing user accounts for a seamless experience.
- Delivering and facilitating requested services to users.
- Responding to user inquiries and offering support.
- Sending administrative information, such as product/service details and policy updates.
- Requesting feedback to enhance our services and user experience.
- Evaluating and improving our Services, products, and overall user experience.
- Identifying usage trends to better understand and enhance the effectiveness of our Services.
Purposes for Collection, Use, and Disclosure of Personal Information
We collect, hold, use, and disclose your personal information for the following purposes:
- To create, maintain, and manage your account.
- To deliver our services and features as requested.
- To personalise your experience and improve our service offerings.
- To communicate with you about account-related matters, product updates, and customer support.
- To comply with legal obligations and enforce our terms.
- To assess and analyse usage data to improve our educational tools.
Regional Data Protection Responsibilities
Our Role as a Data Processor (EU/EEA Only)
For schools and institutions based in the European Union (EU) or European Economic Area (EEA), Exam Insights acts as a data processor under the General Data Protection Regulation (GDPR), handling personal data on behalf of educational institutions (‘data controllers’) and processing such data strictly in accordance with their instructions.
Exam Insights will process personal data only on documented instructions from the school. We will not process data outside the agreed scope and will support the school in addressing data subject requests under the GDPR, including access, rectification, erasure, and restriction.
As required by Article 28 of the GDPR, Exam Insights will make available to the data controller all information necessary to demonstrate compliance and will allow for, and contribute to, audits and inspections conducted by the controller or an authorised auditor.
Data Protection Impact Assessments (EU/EEA Only)
For processing activities related to EU/EEA-based data subjects, Exam Insights supports the use of Data Protection Impact Assessments (DPIAs) where the rights and freedoms of individuals may be at high risk due to new or significantly changed data operations.
In collaboration with schools (data controllers), we assess risks prior to deployment. Upon request, Exam Insights will provide documentation necessary to conduct a DPIA, including processing operations, data flows, security controls, and mitigation strategies.
If a DPIA identifies a residual high risk, we will escalate the matter, notify the school, and pause implementation of any high-risk processing until jointly resolved or, if needed, submitted for consultation with the relevant supervisory authority under GDPR Article 36.
Your Right to Erasure (EU/EEA Only)
Under the GDPR, individuals based in the EU/EEA have the right to request the deletion of their personal data. To submit such a request, please contact data-protection@exam-insights.com.
Upon receiving your request, we will assess it and respond within one calendar month. In some cases, deletion may not be possible—for instance, if we are legally required to retain the data or where it is necessary for the establishment, exercise, or defence of legal claims.
We also implement automated deletion and data retention schedules to minimise long-term data storage. See below for an overview of our standard data retention table.
How to Exercise Your GDPR Rights (EU/EEA Only)
For users in the EU/EEA, the following rights under the GDPR may be exercised by contacting data-protection@exam-insights.com:
- Access: Request a copy of your personal data
- Rectification: Ask us to correct inaccurate data
- Erasure: Request deletion of your data
- Restriction: Ask us to pause processing in certain cases
- Portability: Receive your data in CSV or JSON format
- Objection: Object to specific types of processing
- Automated Decision-Making: Request a manual review
We will respond to all valid requests within one month.
Our Data Protection Officer (DPO)
Exam Insights has appointed a Data Protection Officer (DPO) to oversee our compliance with data protection regulations.
The DPO acts independently and reports directly to our Chief Executive Officer. They cannot be instructed on how to perform their duties and are protected from dismissal or penalty for doing so.
Exam Insights staff, schools, and external stakeholders may contact our DPO at data-protection@exam-insights.com for any matters related to personal data, including the exercise of GDPR rights.
Our DPO is consulted at the outset of any project, feature, or partnership involving personal data processing, ensuring privacy by design is embedded in our practices.
Access, Correction, and Data Control
Access and Correction of Your Personal Information
You have the right to access personal information we hold about you and request correction of any inaccuracies. If you believe that any information we are holding is incorrect or incomplete, please contact us at: data-protection@exam-insights.com.
We will promptly correct any information found to be incorrect in accordance with applicable data protection regulations.
How Can I Remove My Information?
If you wish to remove your personal information, please note that this can only be done by deleting your entire account. Unfortunately, we cannot delete individual pieces of information separately; the entire account must be deleted to remove all associated data. If you wish to delete your account, please contact data-protection@exam-insights.com. Once your account is deleted, all associated personal information will be permanently removed from our database, along with any data related to third-party services.
We conduct regular reviews of stored personal data to ensure compliance with data minimisation principles. By default, the personal data and accounts of Year 12 students are subject to automatic deletion at the conclusion of each academic year, on the basis that they no longer require access to the platform.
An exception applies where a student has independently purchased a subscription plan. In such cases, the student’s account and associated personal data will be retained until the conclusion of their subscription period, even if that period extends beyond the end of the calendar year. Upon expiry of the subscription, data will be deleted in accordance with our standard data deletion protocols.
This retention approach ensures that personal information is not held for longer than is necessary and aligns with our obligations under applicable privacy laws.
Can You Export Your Data?
Schools with active licences may request a full export of their data at any time. Data will be provided in commonly used formats such as CSV or JSON to ensure compatibility and portability.
Data Storage & Processing Locations
When And With Whom Do We Share Your Personal Information?
Exam Insights relies on third-party service providers to perform specific services on our behalf, such as content optimisation, functionality enhancement, infrastructure optimisation, and user account registration/authentication. These providers are instrumental in ensuring optimal website performance and user experience.
In limited cases, some non-personal data may be processed overseas by trusted third-party service providers to enable platform functionality. We do not share personal identifiers or student-specific information with any third-party providers unless required to deliver the service and only with adequate safeguards in place. For EU/EEA users, any international transfers are governed by appropriate safeguards under the GDPR, including Standard Contractual Clauses.
Where Is Your Personal Data Stored?
Our web application is hosted in multiple regions to support our global user base.
For users located in the European Union (EU) or European Economic Area (EEA), personal data is stored on servers located within the EU. We maintain dedicated EU-based infrastructure to ensure compliance with the General Data Protection Regulation (GDPR) and to support local data residency preferences.
For users located in Australia or other regions, personal data is stored on servers located in Australia, and we comply with the Australian Privacy Act and associated privacy principles.
Where it is necessary to transfer personal data across jurisdictions—for example, to support platform operations—we apply appropriate safeguards. For EU/EEA data, any transfers outside the EU (such as to Australia) are governed by the European Commission’s Standard Contractual Clauses (SCCs), which ensure that the level of protection for personal data remains consistent with GDPR requirements.
Countries Where Data May Be Processed
We use carefully selected sub-processors to ensure the reliability, performance, and security of Exam Insights. Each provider is reviewed for compliance with privacy standards and data handling practices.
A full list of sub-processors is available below. We notify schools at least 30 days before engaging any new sub-processor. Schools may object on legitimate grounds by submitting a written request within this period.
All sub-processors are contractually bound to uphold data protection obligations that are no less protective than those required by the GDPR and include sufficient guarantees for technical and organisational safeguards.
Third-Party Services and Sub-Processors
OpenAI
- Organisation: OpenAI, Inc.
- Website: https://openai.com
- Purpose: Supports AI-powered feedback and content generation features
- Data Shared: Only non-identifiable, question-based content is sent (no personal information)
- Lawful Basis: Performance of a contract (platform functionality)
- Country of Processing: United States
DigitalOcean
- Organisation: DigitalOcean, LLC
- Website: https://www.digitalocean.com
- Purpose: Infrastructure and server hosting
- Data Shared: Full application and database hosting (Australian data centre for non-EU users; EU data stored on EU-based servers)
- Lawful Basis: Performance of a contract
- Country of Processing: Australia
In certain circumstances, your personal information may be shared or transferred in the event of a business transfer, including negotiations, mergers, sale of company assets, financing, or acquisition of our business, either wholly or partially, by another company.
Notification of Data Residency and Access Changes
Exam Insights is committed to transparency regarding where and how your data is stored and accessed.
If there is any planned relocation or expansion of:
- Our cloud infrastructure (including system components, personal data, or backups) to a new country; or
- Access permissions granted to vendors, cloud infrastructure personnel, or contractors that would allow them access to unencrypted personal data or encryption keys
we will notify affected customers in advance. This notification will:
- Identify the nature of the change
- Specify the country or organisation involved
- Provide details on relevant safeguards or contractual protections
This ensures our customers—particularly educational institutions—can assess the impact of such changes on their own data protection obligations.
Security, Safeguards, and Data Handling
Safeguards and Ongoing Review
All third-party providers are subject to data processing agreements and are assessed to ensure alignment with applicable privacy frameworks, including the Australian Privacy Act for Australian users and the GDPR for users in the EU/EEA. Any future processors will be disclosed as part of our ongoing privacy commitments.
How Do We Keep Your Information Safe?
We’ve implemented robust technical and organisational security measures to safeguard your personal information. Alongside encryption protocols, access controls, and advanced technologies, we regularly conduct comprehensive security audits and assessments to identify and address any vulnerabilities proactively. Additionally, we ensure data encryption both in transit and at rest, providing an added layer of protection against unauthorised access.
Continuous monitoring of our systems using automated tools and manual oversight allows us to promptly detect and respond to any suspicious activity or unauthorised access attempts in real-time. Furthermore, our secure development practices ensure that security is prioritised at every stage of product development, reducing the risk of potential vulnerabilities.
All data transmitted between users and our platform is encrypted using TLS 1.2 or higher to prevent interception or tampering during transfer.
In addition to regular audits, we engage independent security experts to conduct annual penetration testing. Identified vulnerabilities are prioritised and resolved based on risk severity to maintain strong protection.
We perform regular encrypted backups and store them using tamper-proof methods to ensure recoverability and data integrity. These safeguards protect against data loss and ensure we can restore service in the event of system failures or malicious attacks.
Despite these efforts, it’s essential to recognise that no system can offer absolute certainty, and users should remain cautious regarding potential risks.
How Long Is Your Information Stored For?
During the active period of your account, we maintain your data securely. Once your account is created, we preserve the information for as long as it is necessary for the purpose for which it was collected and as required by applicable laws. When your account is active, we continuously assess the need for the data and its relevance to our services.
Anonymised Performance Data Sharing
Exam Insights may share anonymised, aggregated data to analyse collective performance trends at the school, local, and state levels. Individual data is never shared. Your name and email address are anonymised to ensure that no personally identifiable information (PII) is disclosed. While the name of your school may be included in these analyses, it cannot be used to identify individual users. Your personal information remains confidential and will never be disclosed without your explicit consent.
Is Your Data Sold To Third Parties?
We do not sell, share, or rent your personal information to any third party or use your e-mail address for unsolicited mail.