Compliance report

23 May 2026 · Australian Privacy Principles (APPs)

This summary is provided for school IT, principals, privacy officers, and parents considering LEP. The full report covers every Australian Privacy Principle, subprocessors, retention, incident response, and our honest assessment of what's not yet done. The canonical version is the Markdown document below.

Download full report (Markdown · ~12 KB)

At a glance

✓ AU data residency (Sydney; Supabase + Vercel syd1)
✓ Encryption: TLS 1.2+ in transit, AES-256 at rest
✓ Row-level access controls enforced at the database
✓ Notifiable Data Breaches response process
✓ No generative AI in the data path
⚠ Formal Privacy Impact Assessment recommended for government schools
⚠ Public privacy policy URL pending publication
○ SOC 2 / ISO 27001 not held (subprocessors are certified)

What we collect

Category	Purpose
Email, display name, role	Authentication + identifying student to teacher
Writing-process events (timing, paste metadata, caret position)	Process summary in teacher report
First 2000 chars of pasted text	So teacher conversations about pastes can be specific
Final draft text	Cross-device continuity + teacher review

What we don't

Every keystroke (only word counts and timing)
Anything outside the LEP editor window
Screen, webcam, microphone
Browser history, tabs, or other site content
Sensitive personal information (APP 3.3)
Government identifiers (USI, Medicare, etc.)
Cross-site tracking or advertising identifiers
Generative-AI training data

Subprocessors

Vendor	Role	Region
Supabase	Database + auth	Sydney (AWS ap-southeast-2)
Vercel	App hosting	syd1 region pinned
Google OAuth (optional)	Alternative sign-in	Global

How long we keep it

Documents & events: kept while your school uses LEP, and deleted on request
Account records: until you request deletion
Server access logs: 30 days
Auth logs: 90 days (Supabase default)

Your rights

Access, correction, deletion, and complaint rights are honoured within 30 days of a verified request to privacy@learningevidenceplatform.com. See the full report for the detail of how each Australian Privacy Principle is met.

Notifiable Data Breaches

LEP follows the NDB scheme. If an eligible breach occurs, affected users will be notified directly, the OAIC will be informed via the prescribed form, and the adopting school will be told as soon as practicable, regardless of NDB classification, so the school can fulfil its own obligations.

For the full technical detail, download the report above or read it on GitHub once the repo is public.