Summary of Our Privacy Commitment
We are committed to protecting your privacy in accordance with the applicable privacy laws, including the Australian Privacy Principles (APPs) under the Privacy Act for Australian users and the General Data Protection Regulation (GDPR) for users located in the European Union (EU) or European Economic Area (EEA). Exam Insights will not disclose your information to third parties without your explicit written consent, except when required by law. We collaborate with third-party service providers under strict agreements to ensure that our data security and privacy standards are upheld. We collect personal information including first name, school, email address, password, subject(s), and role. This data is securely stored within Australia. Users must be at least 13 years old to use our service. User data can be deleted by contacting data-protection@exam-insights.com.
What Data We Collect and Why
What Information Do We Collect?
Exam Insights collects the following information about you and your use of our services:
- Personal Information: We collect personal information that you provide to us by completing forms on our site exam-insights.com. This includes information you provide when you register to use our site and when you report a problem with our site. The personal information that we collect includes first name, school, email address, password, subject(s) and role.
- Technical Information: We automatically collect certain information when you visit, use, or navigate the Services, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, location, page response times, page errors, and the length of visits to certain pages. This information is primarily needed to maintain the security and operation of our Services and for our internal analytics and reporting purposes.
- Use of Service Information: We collect usage information about your use of certain features of our services, such as your subject matter performance, reflections of questions, questions you chose to add to a collection, Coverage you have attempted, and the amount of time spent to complete a question. This enables us to better tailor educational experiences that are most appropriate for you.
- Information from Integrated Services: Exam Insights offers a single sign-on (SSO) option so that students and educators do not have to remember multiple passwords for various services. If you choose to sign in through SSO, Exam Insights may collect personal information that is already associated with your integrated service account. By choosing to provide such information during registration or otherwise, you are giving Exam Insights the permission to use, share and store it in a manner consistent with this Privacy Policy.
- Non-Personally Identifiable Information: Exam Insights uses any non-personally identifiable information that you provide or that we collect from users in an aggregated format to understand and analyse the usage trends, learning behaviours and preferences of our users, to improve the way our services work and look, and to create new features and functionality.
How Do We Process Your Information?
We process your personal information for various purposes, including:
- Facilitating account creation, authentication, and managing user accounts for a seamless experience.
- Delivering and facilitating requested services to users.
- Responding to user inquiries and offering support.
- Sending administrative information, such as product/service details and policy updates.
- Requesting feedback to enhance our services and user experience.
- Evaluating and improving our Services, products, and overall user experience.
- Identifying usage trends to better understand and enhance the effectiveness of our Services.
Purposes for Collection, Use, and Disclosure of Personal Information
We collect, hold, use, and disclose your personal information for the following purposes:
- To create, maintain, and manage your account.
- To deliver our services and features as requested.
- To personalise your experience and improve our service offerings.
- To communicate with you about account-related matters, product updates, and customer support.
- To comply with legal obligations and enforce our terms.
- To assess and analyse usage data to improve our educational tools.
Regional Data Protection Responsibilities
Our Role as a Data Processor (EU/EEA Only)
For schools and institutions based in the European Union (EU) or European Economic Area (EEA), Exam Insights acts as a data processor under the General Data Protection Regulation (GDPR), handling personal data on behalf of educational institutions (‘data controllers’) and processing such data strictly in accordance with their instructions. Exam Insights will process personal data only on documented instructions from the school. We will not process data outside the agreed scope and will support the school in addressing data subject requests under the GDPR, including access, rectification, erasure, and restriction. As required by Article 28 of the GDPR, Exam Insights will make available to the data controller all information necessary to demonstrate compliance and will allow for, and contribute to, audits and inspections conducted by the controller or an authorised auditor.
Data Protection Impact Assessments (EU/EEA Only)
For processing activities related to EU/EEA-based data subjects, Exam Insights supports the use of Data Protection Impact Assessments (DPIAs) where the rights and freedoms of individuals may be at high risk due to new or significantly changed data operations. In collaboration with schools (data controllers), we assess risks prior to deployment. Upon request, Exam Insights will provide documentation necessary to conduct a DPIA, including processing operations, data flows, security controls, and mitigation strategies. If a DPIA identifies a residual high risk, we will escalate the matter, notify the school, and pause implementation of any high-risk processing until jointly resolved or, if needed, submitted for consultation with the relevant supervisory authority under GDPR Article 36.
Your Right to Erasure (EU/EEA Only)
Under the GDPR, individuals based in the EU/EEA have the right to request the deletion of their personal data. To submit such a request, please contact data-protection@exam-insights.com. Upon receiving your request, we will assess it and respond within one calendar month. In some cases, deletion may not be possible, for instance if we are legally required to retain the data or where it is necessary for the establishment, exercise, or defence of legal claims. We also implement automated deletion and data retention schedules to minimise long-term data storage. See below for an overview of our standard data retention table.
How to Exercise Your GDPR Rights (EU/EEA Only)
For users in the EU/EEA, the following rights under the GDPR may be exercised by contacting data-protection@exam-insights.com:
- Access: Request a copy of your personal data
- Rectification: Ask us to correct inaccurate data
- Erasure: Request deletion of your data
- Restriction: Ask us to pause processing in certain cases
- Portability: Receive your data in CSV or JSON format
- Objection: Object to specific types of processing
- Automated Decision-Making: Request a manual review
Our Data Protection Officer (DPO)
Exam Insights has appointed a Data Protection Officer (DPO) to oversee our compliance with data protection regulations. The DPO acts independently and reports directly to our Chief Executive Officer. They cannot be instructed on how to perform their duties and are protected from dismissal or penalty for doing so. Exam Insights staff, schools, and external stakeholders may contact our DPO at data-protection@exam-insights.com for any matters related to personal data, including the exercise of GDPR rights. Our DPO is consulted at the outset of any project, feature, or partnership involving personal data processing, ensuring privacy by design is embedded in our practices.
Access, Correction, and Data Control
Access and Correction of Your Personal Information
You have the right to access personal information we hold about you and request correction of any inaccuracies. If you believe that any information we are holding is incorrect or incomplete, please contact us at: data-protection@exam-insights.com. We will promptly correct any information found to be incorrect in accordance with applicable data protection regulations.
How Can I Remove My Information?
If you wish to remove your personal information, please note that this can only be done by deleting your entire account. Unfortunately, we cannot delete individual pieces of information separately; the entire account must be deleted to remove all associated data. If you wish to delete your account, please contact data-protection@exam-insights.com. Once your account is deleted, all associated personal information will be permanently removed from our database, along with any data related to third-party services. We conduct regular reviews of stored personal data to ensure compliance with data minimisation principles. By default, the personal data and accounts of Year 12 students are subject to automatic deletion at the conclusion of each academic year, on the basis that they no longer require access to the platform. An exception applies where a student has independently purchased a subscription plan. In such cases, the student’s account and associated personal data will be retained until the conclusion of their subscription period, even if that period extends beyond the end of the calendar year. Upon expiry of the subscription, data will be deleted in accordance with our standard data deletion protocols. This retention approach ensures that personal information is not held for longer than is necessary and aligns with our obligations under applicable privacy laws.
Can You Export Your Data?
Schools with active licences may request a full export of their data at any time. Data will be provided in commonly used formats such as CSV or JSON to ensure compatibility and portability.
Data Storage & Processing Locations
When And With Whom Do We Share Your Personal Information?
Exam Insights relies on third-party service providers to perform specific services on our behalf, such as content optimisation, functionality enhancement, infrastructure optimisation, and user account registration/authentication. These providers are instrumental in ensuring optimal website performance and user experience. In limited cases, some non-personal data may be processed overseas by trusted third-party service providers to enable platform functionality. We do not share personal identifiers or student-specific information with any third-party providers unless required to deliver the service and only with adequate safeguards in place. For EU/EEA users, any international transfers are governed by appropriate safeguards under the GDPR, including Standard Contractual Clauses.
Where Is Your Personal Data Stored?
Our web application is hosted in multiple regions to support our global user base. For users located in the European Union (EU) or European Economic Area (EEA), personal data is stored on servers located within the EU. We maintain dedicated EU-based infrastructure to ensure compliance with the General Data Protection Regulation (GDPR) and to support local data residency preferences. For users located in Australia or other regions, personal data is stored on servers located in Australia, and we comply with the Australian Privacy Act and associated privacy principles. Where it is necessary to transfer personal data across jurisdictions (for example, to support platform operations), we apply appropriate safeguards. For EU/EEA data, any transfers outside the EU (such as to Australia) are governed by the European Commission’s Standard Contractual Clauses (SCCs), which ensure that the level of protection for personal data remains consistent with GDPR requirements.
Countries Where Data May Be Processed
We use carefully selected sub-processors to ensure the reliability, performance, and security of Exam Insights. Each provider is reviewed for compliance with privacy standards and data handling practices. A full list of sub-processors is available below. We notify schools at least 30 days before engaging any new sub-processor. Schools may object on legitimate grounds by submitting a written request within this period. All sub-processors are contractually bound to uphold data protection obligations that are no less protective than those required by the GDPR and include sufficient guarantees for technical and organisational safeguards.
Third-Party Services and Sub-Processors
OpenAI
- Organisation: OpenAI, Inc.
- Website: https://openai.com
- Purpose: Supports AI-powered feedback and content generation features
- Data Shared: Only non-identifiable, question-based content is sent (no personal information)
- Lawful Basis: Performance of a contract (platform functionality)
- Country of Processing: United States
DigitalOcean
- Organisation: DigitalOcean, LLC
- Website: https://www.digitalocean.com
- Purpose: Infrastructure and server hosting
- Data Shared: Full application and database hosting (Australian data centre for non-EU users; EU data stored on EU-based servers)
- Lawful Basis: Performance of a contract
- Country of Processing: Australia
Notification of Data Residency and Access Changes
Exam Insights is committed to transparency regarding where and how your data is stored and accessed. If there is any planned relocation or expansion of:
- Our cloud infrastructure (including system components, personal data, or backups) to a new country; or
- Access permissions granted to vendors, cloud infrastructure personnel, or contractors that would allow them access to unencrypted personal data or encryption keys
- Identify the nature of the change
- Specify the country or organisation involved
- Provide details on relevant safeguards or contractual protections