Shard Learning — Privacy Policy
Effective Date: 1 February 2026
Last Updated: 1 February 2026
1. Introduction
Shard Foundry (the "Platform") is operated by Shard Learning ("we", "us", "our"). We are committed to protecting the privacy of all users, particularly the Students who use our Platform.
The Platform is designed for children and young people. The majority of our Students are minors under the age of 18, and we treat all Student data with the heightened care appropriate for children's personal information.
This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). We also commit to complying with the Children's Online Privacy Code once it is finalised by the Office of the Australian Information Commissioner (expected by December 2026).
2. Our Role: Data Processor
When providing services through schools, Shard Learning acts as a data processor on behalf of the school. The school is the data controller and maintains the direct relationship with parents and guardians.
This means:
- We process Student data only as instructed by the school for educational purposes
- Schools are responsible for ensuring appropriate consent is in place before Students use the Platform
- For questions about how a school has authorised the use of the Platform, contact the school directly
For direct inquiries, complaints, or requests regarding your personal information, we act as data controller and you may contact us using the details in Section 15.
3. Information We Collect
We collect only the information necessary to provide our educational service. We practise data minimisation and collect minimal personally identifiable information.
3.1 Student Data
| Data Type | What We Collect | Purpose |
|---|---|---|
| Account information | Email address, display name | Account identification and login |
| Authentication | Password (bcrypt hashed) OR OAuth identity | Secure authentication |
| Preferences | e.g. Theme preference | User experience customisation |
| Educational progress | Lesson completions, time spent on lessons, quiz responses and scores, test results, module enrolment progress | Tracking learning and providing feedback to Students and Teachers |
| Class membership | Which classes the Student is enrolled in, invitation records | Organising Students into Teacher-managed classes |
3.2 Teacher Data
| Data Type | What We Collect | Purpose |
|---|---|---|
| Account information | Email address, first name, last name, display name | Account identification and communication |
| School affiliation | School name | Verification and organisation |
| Authentication | Password (bcrypt hashed) OR OAuth identity | Secure authentication |
| Preferences | e.g. Theme preference | User experience customisation |
| Verification status | Whether the Teacher has been verified by an administrator | Ensuring only authorised Teachers can invite Students |
| Class and Student information | Classes created by the Teacher, Students enrolled in those classes, class settings and configurations | Enabling Teachers to manage their classes and monitor Student progress |
3.3 Audit Logs
We maintain audit logs of key operations on the Platform for security and integrity purposes. These logs may include timestamps, user identifiers, and the nature of the operation performed.
3.4 Information We Do Not Collect
We do not collect:
- Physical or postal addresses
- Phone numbers or mobile numbers
- Payment or financial information
- Dates of birth or precise ages
- Location data
- Browsing history outside the Platform
- Information through third-party analytics, advertising, or tracking services
3.5 Information We Do Not Use for AI Training
We do not use your personal information to train artificial intelligence or machine learning models. Your data is used solely for the purposes described in this Privacy Policy.
4. How We Collect Information
Directly from you: When you create an account, update your profile, or interact with educational content on the Platform.
From schools and Teachers: Schools and Teachers provide Student information (email, display name, class enrolment) when inviting Students to classes.
Through OAuth providers: If you choose to sign in with Google or Microsoft, we receive limited information from those providers. See Section 5 for details.
Automatically through cookies: We collect session authentication data through essential cookies when you log in. See Section 6 for details.
5. OAuth Authentication (Google and Microsoft)
If you sign in using Google or Microsoft OAuth, the following applies:
What the OAuth provider sends to us:
- Your email address (to identify your account)
- Your first name and last name
- Confirmation that you have successfully authenticated
What we send to the OAuth provider:
- A request to authenticate you
- No other information is shared with Google or Microsoft
What the OAuth provider knows:
- That you have authenticated with Shard Foundry
- The time of authentication
What the OAuth provider does NOT receive from us:
- Your educational progress, quiz responses, or other submissions
- Your class memberships or Teacher relationships
- Any other Platform data
We do not receive or store your Google or Microsoft password. The OAuth providers' own privacy policies govern their handling of your data.
6. Cookies
We use only essential cookies required for the Platform to function. We do not use tracking cookies, advertising cookies, analytics cookies, or any non-essential cookies.
6.1 Cookies We Use
The Platform uses separate portals for Students and Teachers, each with their own authentication cookies.
Student Portal Cookies:
| Cookie Name | Purpose | Duration |
|---|---|---|
slf_refresh_token | Stores refresh token for obtaining new authentication tokens | 30 days |
slf_token_student | Authentication token for the student portal | 8 hours |
slf_claim_student | Convenience information for frontend display (e.g. your first name) | 8 hours |
An equivalent set of cookies exists for the Teacher portal.
6.2 Cookie Security
All cookies containing identifiable or secure information are encrypted and HttpOnly, which is considered the most robust modern practice as of the time of writing. The non-HttpOnly cookies (the claim cookies) contain convenience information only, such as your first name, to improve user experience. All cookies are transmitted only over encrypted HTTPS connections.
6.3 Disabling Cookies
You can configure your browser to reject cookies or to alert you when cookies are being sent. However, if you disable cookies, you will not be able to log in to the Platform, as our authentication system requires session cookies to function.
7. How We Use Information
We use personal information solely for the following purposes:
| Purpose | Description |
|---|---|
| Platform operation | Creating and maintaining user accounts, authenticating logins, and delivering educational content |
| Educational progress tracking | Recording lesson completions, quiz responses, and other submissions; displaying progress to Students and their Teachers |
| Class management | Enabling Teachers to create classes, invite Students, and monitor class progress |
| Teacher verification | Verifying that Teachers are authorised educators who are legally employed by their school in accordance with applicable state requirements |
| Account communications | Sending account-related messages such as password resets and verification emails |
| Platform improvement | Analysing aggregated, de-identified usage patterns to improve the Platform |
| Legal compliance | Complying with applicable laws and responding to lawful requests |
We do not use personal information for:
- Advertising or marketing
- Behavioural profiling
- Sale or rental to third parties
- Training artificial intelligence models
- Any purpose unrelated to educational delivery
8. School-Mediated Consent
The Platform operates under a school-mediated consent model. This is the standard approach for educational technology in Australian schools.
How it works:
- Students cannot self-register
- Student access is provided exclusively through Teacher invitation
- Teachers must be verified by a Platform administrator before they can invite Students
School and Teacher responsibility:
By using the Platform and inviting Students, Teachers and schools confirm that they have obtained appropriate parental or guardian consent (whether through specific consent for this Platform or through the school's existing consent framework for school-approved digital tools), and that they are authorised by their school to use the Platform.
Our role:
We rely on the school's consent framework and do not collect consent directly from parents or guardians. This model is consistent with how educational technology platforms operate in Australian schools.
9. Disclosure of Information
We do not sell, rent, or trade personal information. We do not share personal information with advertisers, data brokers, or marketing companies.
We disclose personal information only in the following limited circumstances:
| Recipient | What is disclosed | Purpose |
|---|---|---|
| Teachers | Student educational progress within their classes | Enabling Teachers to monitor and support Student learning |
| Amazon Web Services (AWS) | All Platform data (encrypted) | Cloud hosting and infrastructure — see Section 9.1 |
| Google / Microsoft | Authentication confirmation only | OAuth login (if used by the user) |
| Law enforcement or regulators | As required by law | Compliance with legal obligations |
9.1 AWS Data Storage
Platform data is stored in Amazon Web Services' Sydney region (ap-southeast-2). All data is encrypted at rest using AWS-managed encryption keys. This means that while AWS provides the storage infrastructure, the data is stored in encrypted form and AWS does not have access to read the unencrypted contents of your data. AWS processes data on our behalf under our instructions and in accordance with their security and compliance standards.
10. Data Security
We implement appropriate technical and organisational measures to protect personal information:
| Measure | Implementation |
|---|---|
| Encryption in transit | SSL/TLS encryption for all data transmitted to and from the Platform |
| Encryption at rest | Database encryption using AWS RDS encryption |
| Password security | Passwords hashed using bcrypt (never stored in plain text) |
| Token security | Authentication tokens signed using HMAC-SHA256 |
| Network isolation | AWS Virtual Private Cloud (VPC) with private subnets |
| Session management | Token revocation capability for immediate session invalidation |
| Audit logging | Logs of key operations maintained for security purposes |
While we take reasonable steps to protect personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
11. Data Retention and Deletion
11.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Active accounts | Retained while the account is active |
| Inactive accounts | See Section 11.2 for retention and deletion process |
| Educational progress data | Retained with the account to support continuity of learning |
| Audit logs | Retained for 12 months for security purposes |
11.2 Inactive Accounts and Completion of Schooling
When a user has not been associated with a Teacher at a school for more than 12 months, or when a user is known to have completed their final year of schooling, they will be contacted within 3 months to advise on account retention or deletion. At that time, your account can be converted to an independent user account (allowing you to use it without a Teacher) or deleted, per your request. If no response is received, the account will be deleted after 12 months.
11.3 Standard Account Deletion
When a Student is removed from a class or a user account is deleted through standard means:
- The user's association with classes is removed
- Educational progress data may be retained in de-identified or aggregated form for the benefit of Teachers reviewing historical class performance
- Account credentials and personal identifiers are deleted
11.4 Purge Requests
Users (or parents/guardians on behalf of Students) may submit a purge request to permanently and completely delete all personal information associated with an account. Upon receiving a valid purge request:
- All account information, educational progress, quiz responses, submissions, and class membership records are permanently and irreversibly deleted
- Deletion is performed through cascading database deletes
- No data associated with the account will be retained
To submit a purge request, contact us at official@shardlearning.com with the subject line "Purge Request".
11.5 Important Notice: Data Storage Limitations
The Platform is in an early stage of development. You acknowledge that:
- We do not currently maintain backups of user data
- In the event of technical failure or data loss, your information may not be recoverable
- We may delete user data as part of Platform development or maintenance
We will endeavour to provide reasonable notice before any planned deletion affecting user data.
12. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete personal information
- Request deletion of your personal information through standard deletion
- Request a purge of all your personal information for complete and permanent removal (see Section 11.4)
- Complain about how we handle personal information
For Students: Because most Students are minors, requests regarding Student data should generally be made by a parent, guardian, or the Student's school. Students may also contact us directly.
To exercise your rights: Contact us using the details in Section 15. We will respond within 30 days.
We will not discriminate against you for exercising your privacy rights.
13. Third-Party Services
| Service | Purpose | Data Location | Notes |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, email delivery, content delivery | Sydney, Australia (ap-southeast-2) | Data encrypted at rest; AWS cannot read unencrypted data |
| Google OAuth | Authentication (optional) | Google's infrastructure | Receives authentication confirmation, email, and name only |
| Microsoft OAuth | Authentication (optional) | Microsoft's infrastructure | Receives authentication confirmation, email, and name only |
We do not use third-party analytics services, advertising networks, social media tracking, or data brokers.
14. Children's Privacy
The Platform is designed for use by children and young people in Years 7-12. We take additional care with children's personal information in accordance with APP 3 and APP 5 of the Australian Privacy Principles.
Our approach includes:
- Data minimisation: Collecting only what is necessary for educational purposes
- Purpose limitation: Using data solely for educational delivery and progress tracking
- No third-party sharing: Not sharing children's information with advertisers or data brokers
- No tracking: Not using analytics, advertising, or tracking cookies
- Teacher oversight: Making Student activity visible to enrolled Teachers
- No AI training: Not using children's data to train AI models
- Account management: Contacting users and offering deletion when they complete schooling or become inactive
For parents and guardians: If you have questions about your child's data, contact your child's school or Teacher in the first instance. You may also contact us directly using the details below.
15. Changes to This Policy
Changes that do not materially reduce privacy or security: We may make minor updates, clarifications, or improvements to this Privacy Policy without prior notice, provided such changes do not materially reduce the level of privacy or security afforded to users.
Material changes: If we make changes that materially reduce your privacy rights or the security of your data, we will provide prominent notice to affected users or schools before such changes take effect.
In all cases, the updated policy will be posted on the Platform with a revised "Last Updated" date.
16. Contact Us and Complaints
If you have questions about this Privacy Policy, wish to exercise your privacy rights (including purge requests), or have a complaint, contact us at:
Shard Learning Pty Ltd
ACN 695 033 311 | ABN 26 695 033 311
Email: official@shardlearning.com
Website: https://shardlearning.com
Shard Foundry is a registered business name of Shard Learning Pty Ltd.
We will investigate and respond to complaints within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):