Privacy Policy
Last updated: April 2026 · Governing law: Queensland, Australia
1. Who We Are
Thynkr Pty Ltd (“Thynkr”, “we”, “us”, “our”) operates thynkr.com.au, an AI-adaptive study platform built for Australian secondary students preparing for the Queensland Certificate of Education (QCE).
Contact: privacy@thynkr.com.au
2. What This Policy Covers
This Privacy Policy explains how we collect, use, store, disclose and protect personal information from:
- Students who use the Thynkr platform
- Parents or carers who create linked accounts
- Teachers who access teacher dashboard features
- Visitors to thynkr.com.au
We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Information Privacy Act 2009 (Qld), and the Education (General Provisions) Act 2006 (Qld).
3. What Personal Information We Collect
3.1 Account Information
- Full name
- Email address
- Password (stored as a salted hash — we never store plain text passwords)
- Profile image (optional)
- Year level (e.g., Year 11, Year 12)
- State (e.g., QLD)
- School name and/or school association
- Role (student, parent, teacher)
3.2 Learning Data
- Onboarding assessment answers (learning preferences, subject selection, goals)
- Practice session data (questions attempted, responses, time taken, hints used)
- Knowledge state per concept (mastery level, misconception flags)
- Spaced repetition scheduling data
- AI tutor conversation history (questions asked, explanations received)
- Exam session data (mock exam responses, timing, scores)
- Engagement metrics (session frequency, duration, streaks, return rate)
- ATAR-related data (assessment scores entered by the student, prediction snapshots)
- Career exploration conversations and saved insights
3.3 Technical Data
- Browser type and version
- Device type (desktop, mobile, tablet)
- IP address (for security and abuse prevention only — not used for profiling)
- Session cookies (authentication only — no advertising cookies)
3.4 Parent/Carer Data
- Name and email address
- Link to student account(s)
- Notification preferences
3.5 Teacher Data
- Name and email address
- School association
- Subject assignments
- Access to class-level (not individual) student analytics
4. How We Use Personal Information
We use personal information only for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide the adaptive learning platform | Performance of service |
| Personalise learning paths based on student performance | Performance of service |
| Generate AI tutor responses tailored to the student | Performance of service |
| Track mastery, misconceptions, and learning progress | Performance of service |
| Send study reminders and progress notifications | Consent (opt-in/opt-out per notification type) |
| Provide parent dashboard and progress reports | Consent (parent account linking) |
| Provide teacher dashboard with class analytics | School agreement / consent |
| Generate ATAR predictions and optimisation recommendations | Performance of service |
| Prevent abuse, fraud, and unauthorised access | Legitimate interest / legal obligation |
| Improve the platform (aggregated, de-identified data only) | Legitimate interest |
| Respond to support requests | Performance of service |
We do NOT use personal information to:
- Train AI models (student data is never used as training data for Claude or any other AI model)
- Serve advertisements
- Build advertising profiles
- Sell or share data with third parties for marketing
- Make automated decisions with legal or significant effects without human oversight
5. AI and Student Data
Thynkr uses Anthropic’s Claude API to power the AI tutor, AI mentor, and career discovery features. When a student interacts with these features:
- Conversation context (the student’s question and relevant learning profile) is sent to Anthropic’s API to generate a response
- Anthropic does not retain this data for model training (per Anthropic’s commercial API terms)
- Conversations are stored in our database so students can review past interactions
- AI-generated content is grounded in QCAA syllabus materials via retrieval-augmented generation (RAG) — not hallucinated from general knowledge
We do not use student data to fine-tune, train, or improve any AI model. The adaptive learning engine uses only the individual student’s own data to personalise their experience.
6. Data Storage and Security
6.1 Where Data is Stored
All personal data is stored in Australia. Our infrastructure uses:
- Australian-hosted PostgreSQL database (primary data store)
- Australian-hosted Redis (session caching only — no persistent personal data)
- Australian CDN for static assets
We do not transfer personal data outside of Australia except:
- API calls to Anthropic (US-based) for AI tutor responses — these contain only the minimum context needed to generate a response and are not retained by Anthropic for training
6.2 Security Measures
- All data encrypted in transit (TLS 1.2+)
- Database encryption at rest
- Passwords hashed with bcrypt (salted)
- Role-based access control (students see only their own data; teachers see only their assigned classes; parents see only their linked children)
- No shared accounts — every user has their own authenticated session
- Regular security reviews
7. Data Sharing
We do not sell, rent, or trade personal information. We share data only in these circumstances:
| Recipient | What is Shared | Why |
|---|---|---|
| Anthropic (AI provider) | Conversation context for AI responses | To generate AI tutor/mentor responses |
| The student’s linked parent | Progress summaries, mastery data | Parent dashboard feature (consent-based) |
| The student’s school (if school-enrolled) | Class-level mastery heatmaps, engagement metrics | Teacher dashboard feature (school agreement) |
| Law enforcement | As required by law | Legal obligation only — we will notify the user unless legally prohibited |
Teachers see class-level analytics — they can see which concepts the class is struggling with and per-student mastery levels. They can see AI tutor conversation summaries. They cannot access parent accounts or billing information.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Active student account data | Retained while the account is active |
| Learning data (practice sessions, mastery) | Retained while the account is active |
| AI conversation history | Retained while the account is active |
| Account after deletion request | Deleted within 30 days of request |
| De-identified, aggregated analytics | Retained indefinitely (not personal information) |
| Server logs (IP, access) | 90 days |
When a student, parent, or school requests deletion:
- All personal data is permanently deleted within 30 days
- De-identified aggregate data (e.g., “X% of Year 12 students had this misconception”) may be retained as it cannot identify individuals
- We confirm deletion via email
9. Your Rights
Under the Privacy Act 1988 and the Information Privacy Act 2009 (Qld), you have the right to:
- Access your personal information — request a copy at any time
- Correct inaccurate information — update your profile or contact us
- Delete your account and all associated data
- Withdraw consent for optional features (notifications, parent linking, school sharing)
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we’ve breached the APPs
For any of these requests, email privacy@thynkr.com.au. We will respond within 30 days.
Parents/carers can exercise these rights on behalf of students under 18.
10. Children’s Privacy
Thynkr is designed for secondary school students (typically aged 13-18). We take additional care:
- Students under 13 should not create accounts without parental consent
- Where a school facilitates student onboarding, the school is responsible for obtaining parental consent via the Queensland Department of Education’s Online Services Consent Form
- We do not knowingly collect personal information from children under 13 without parental/school consent
- Parents can request deletion of their child’s data at any time
11. Cookies and Tracking
Thynkr uses only essential cookies for authentication (session tokens). We do not use:
- Advertising cookies
- Analytics tracking pixels
- Third-party tracking scripts
- Social media tracking widgets
We do not use Google Analytics or any similar third-party analytics service that sends data offshore.
12. Changes to This Policy
We may update this policy from time to time. If we make material changes:
- We will notify active users via email
- We will update the “Last updated” date at the top
- Previous versions will be available on request
13. Contact
Privacy Officer: Suren Reddy
Email: privacy@thynkr.com.au
Postal: Thynkr Pty Ltd, Brisbane QLD 4000
Complaints: If you’re not satisfied with our response, you can lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
- Office of the Information Commissioner Queensland (OIC): www.oic.qld.gov.au