Privacy Policy
Effective date: 28 February 2026 · Last reviewed: 28 February 2026
1. About This Policy
RetZero ("we", "us", "our") operates BrainSprout (https://brainsprouts.app), an educational platform for Australian primary school children. This Privacy Policy explains how we collect, use, disclose and protect personal information in connection with the BrainSprout platform and any related services, applications or websites (collectively, the "Service").
We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. This policy also reflects our obligations under the Online Safety Act 2021 (Cth) and the Spam Act 2003 (Cth).
If you have any questions about this policy, please contact us at privacy@retzero.io.
2. Who We Are
RetZero is a software development business based in Brisbane, Queensland, Australia. BrainSprout is one of our products.
- Website: retzero.io
- Privacy enquiries: privacy@retzero.io
- General support: support@retzero.io
- Location: Brisbane, Queensland, Australia
3. The Information We Collect
3.1 Parent / Guardian Account Information
When you create a family account, we collect:
- Name – used to personalise your experience and communications.
- Email address – used for account creation, sign-in and service communications.
- Password – stored as a one-way cryptographic hash (bcrypt). We never store or transmit your password in plain text.
- Google account identifier – if you sign in with Google, we receive your name, email address and a unique Google account ID. We do not receive your Google password.
- Subscription and billing status – we store your subscription tier (free, monthly or yearly) and subscription status. Payment card details are processed directly by Stripe and are never stored by us (see Section 5).
- Communication preferences – whether you have opted in to daily nudge notifications and your preferred notification time.
3.2 Child Profile Information
Child profiles are created by the parent or guardian. We collect:
- First name – used to address the child within the app.
- Year level (Foundation to Year 6) – used to deliver age-appropriate content. We do not collect date of birth.
- Avatar selection – an emoji or illustrated character chosen by the child or parent. We do not collect or store photographs of children.
We do not collect children's email addresses, phone numbers, home addresses or any government-issued identifiers.
3.3 Learning and Usage Data
As children use the Service, we collect:
- Quiz question responses and whether answers are correct or incorrect.
- Time taken per question.
- XP points, level, current streak and longest streak.
- Daily and weekly challenge completion records.
- Subject-specific difficulty tier progress (Maths, English, Science).
- Badges earned and the date they were earned.
- Virtual garden plant data (plant type, growth stage, position).
- Certificates earned.
This data is used solely to deliver and improve the educational experience and to provide parents with progress reports. It is not used for advertising or profiling.
3.4 Technical and Device Information
We and our hosting provider (Vercel) may automatically collect:
- IP address (used for security and fraud prevention; not linked to child profiles).
- Browser type, version and operating system.
- Device type (e.g., tablet, phone, desktop).
- Pages visited and features used (via Vercel Analytics – privacy-preserving, no cookies).
- Error logs for debugging.
4. How We Use Your Information
We use personal information only for the purposes for which it was collected or directly related purposes, including:
- Creating and managing your family account and child profiles.
- Delivering personalised, curriculum-aligned learning content.
- Processing subscription payments via Stripe.
- Sending transactional emails (e.g., account creation confirmation, password reset).
- Sending weekly progress reports to parents who have opted in.
- Sending daily nudge notifications to parents who have opted in.
- Generating achievement certificates.
- Improving the accuracy, quality and safety of the Service.
- Detecting and preventing fraud, abuse and security incidents.
- Complying with legal obligations.
We do not use personal information for targeted advertising, sell data to third parties, or use children's learning data for any commercial purpose beyond operating and improving the Service.
5. Disclosure of Personal Information
We do not sell, rent or trade personal information. We share information only with the service providers listed below, and only to the extent necessary to operate the Service. All third-party providers are required to handle data in accordance with applicable privacy laws.
5.1 Neon / Amazon Web Services (Database Hosting)
All application data (account details, child profiles, learning records) is stored in a PostgreSQL database hosted by Neon, which runs on Amazon Web Services (AWS) infrastructure in the ap-southeast-2 (Sydney, Australia) region. Your data does not leave Australia for storage purposes.
5.2 Vercel (Application Hosting)
The BrainSprout web application is hosted on Vercel. Vercel may process request data including IP addresses for content delivery and security purposes. Vercel Analytics is used for privacy-preserving, cookie-free analytics.
5.3 Google (Authentication)
If you choose to sign in with Google, your authentication is handled by Google OAuth. We receive only your name, email address and Google account ID. We do not have access to any other Google account data. Google's use of your data is governed by Google's Privacy Policy.
5.4 Stripe (Payment Processing)
Subscription payments are processed by Stripe, Inc. We do not receive or store your full payment card number, CVV or expiry date. Stripe stores this information in accordance with PCI DSS standards. We receive confirmation of payment status and a Stripe customer identifier. Stripe's use of your data is governed by Stripe's Privacy Policy.
5.5 Resend (Email Delivery)
Transactional and notification emails are delivered via Resend. Resend processes the recipient email address and email content solely for the purpose of delivery.
5.6 Disclosure Required by Law
We may disclose personal information if required to do so by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property or safety of RetZero, our users or the public.
6. Children's Privacy
BrainSprout is designed for children aged 5–12, but all accounts are created and managed by a parent or guardian (who must be 18 years of age or older). We do not knowingly collect personal information directly from children under the age of 13 without verifiable parental consent.
Child profiles are sub-profiles of a parent's account. Children do not communicate with other users on the platform. We do not display advertising to children. Children's learning data is used only to personalise their educational experience and to provide progress reports to their parent or guardian.
If you believe we have inadvertently collected personal information from a child without appropriate consent, please contact us immediately at privacy@retzero.io and we will promptly delete that information.
We comply with the Online Safety Act 2021 (Cth) and implement appropriate safeguards for child users, including restricting access to child profiles to the account's parent or guardian.
7. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration or destruction, including:
- HTTPS/TLS encryption for all data in transit.
- Passwords stored as bcrypt hashes (never in plain text).
- Database access restricted by role-based access controls.
- Authentication via signed, encrypted JSON Web Tokens (JWT).
- Regular dependency updates and security monitoring.
- Data stored in Sydney, Australia (AWS ap-southeast-2).
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
8. Data Retention
We retain personal information only for as long as necessary:
- Active account: Account data and child profiles are retained while the account remains active.
- After account deletion: We delete or anonymise personal information within 30 days of account deletion, except where retention is required by law (e.g., financial records retained for 7 years under the Corporations Act 2001 (Cth)).
- Learning records: Quiz attempt data is retained for 12 months after the last activity on a child profile, after which it is anonymised.
- Server logs: Technical logs are retained for up to 90 days.
- Aggregated analytics: Anonymised, aggregated data (e.g., average score by year level) may be retained indefinitely.
9. Your Privacy Rights (APP 12 & 13)
Under the Australian Privacy Principles, you have the right to:
- Access: Request a copy of the personal information we hold about you or your children.
- Correct: Request that we correct inaccurate, outdated or incomplete personal information.
- Delete: Request deletion of your account and all associated personal information (subject to legal retention requirements).
- Opt out: Unsubscribe from marketing emails at any time using the unsubscribe link in any email, or by contacting us directly.
- Complain: Lodge a complaint with us, and if not resolved, with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, please email privacy@retzero.io. We will respond within 30 days. We do not charge a fee for access requests unless the request is manifestly unfounded or excessive.
10. Cookies and Tracking Technologies
BrainSprout uses a minimal set of cookies and local storage:
- Authentication cookie (essential): A session cookie containing your encrypted JWT authentication token. This cookie is strictly necessary to keep you logged in and cannot be disabled without preventing use of the Service.
- Local storage (functional): We use browser local storage to store non-sensitive preferences such as install prompt dismissal state.
We do not use third-party advertising cookies. Vercel Analytics uses IP-based, cookie-free analytics that do not track individual users across sites and do not require consent under the Privacy Act 1988 (Cth).
11. Direct Marketing
We may send you promotional emails about BrainSprout features or offers where you have provided express or implied consent in accordance with the Spam Act 2003 (Cth). Each marketing email includes a one-click unsubscribe mechanism. We will process unsubscribe requests promptly and in all cases within 5 business days.
Transactional emails (e.g., account confirmation, password reset, subscription receipts, weekly progress reports) are sent as part of the Service and are not subject to unsubscribe requirements, though you may disable weekly progress reports in your account settings.
12. International Data Transfers
Your data is primarily stored in Australia (AWS ap-southeast-2, Sydney). Some service providers (including Vercel, Google and Stripe) may process data in jurisdictions outside Australia, including the United States and European Union. These providers maintain appropriate safeguards including standard contractual clauses and/or Privacy Shield certifications.
13. Links to Third-Party Sites
The Service may contain links to third-party websites. This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party sites you visit.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Emailing the address associated with your account; and/or
- Displaying a prominent notice within the Service.
The updated policy will become effective on the date stated at the top of this page. Continued use of the Service after that date constitutes acceptance of the updated policy.
15. Contact and Complaints
If you have questions, concerns or a complaint about how we handle your personal information, please contact our Privacy Officer:
RetZero Privacy Officer
Email: privacy@retzero.io
Brisbane, Queensland, Australia
We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992