Privacy policy.

What we collect.

From the sign-in provider you choose (Google or Facebook) we receive your email address, your first and last name, and a URL for your profile image. Nothing else from your provider account comes through.

From you directly, during sign-up and afterwards, we collect:

• Programme choice (Physicians Exam, Australian Secondary School Practice, GCSE, A-Level, etc.).
• Year level or exam stage and the billing tier you picked.
• For child profiles set up by a parent: the child’s first name, an age band (month and year of birth — never the day), an avatar, and a parent-set secret word + PIN used by the child to log in.
• Practice activity — sessions started, questions answered, time taken, the topics each answer maps to, and the readiness signals derived from them. This lives primarily in Practice; ForMe surfaces summaries.
• Bookmarks, notes, and items you flag for follow-up.

Our servers also see standard request metadata (IP address, user agent, timestamps) and a cookie that holds your sign-in session. We do not run third-party advertising or behavioural-tracking scripts.

Why we collect it.

• Run the product — sign you in, remember your programme + stage, deliver the right practice questions, show your progress.
• Adapt to you — practice activity feeds the engine that picks what to ask next. Without it the product becomes a flat question bank.
• Bill you — for paid tiers we keep the minimum needed to issue receipts and meet tax obligations.
• Talk to you — service emails (welcome, billing, security), and only marketing emails if you’ve explicitly opted in.
• Improve the product — aggregated, de-identified analytics (e.g. “average accuracy on cardiology items”) inform content quality. These cannot be used to reconstruct your individual history.

We do not sell your personal data, and we do not use it to train third-party machine-learning models.

Lawful basis (GDPR / equivalent).

We rely on:

• Contract — to provide the practice service you signed up for.
• Consent — for marketing emails (always opt-in) and any cookies beyond strictly necessary ones.
• Legitimate interest — for security, fraud prevention, and aggregated product analytics, balanced against your right to object.
• Legal obligation — for record-keeping the law requires (e.g. financial records of paid subscriptions).

Who else sees your data.

ForMe is hosted on Google Cloud Platform. The following sub-processors handle pieces of the service on Janison’s behalf, under contracts that bind them to use the data only for the work we’ve asked them to do:

• Google Cloud Platform — application hosting (Cloud Run), database (Cloud Spanner, AlloyDB), object storage (Cloud Storage). Regions: Australia (Sydney) and the United States.
• Google & Facebook — sign-in providers. We see only the fields they return at sign-in (email, name, profile image URL).
• Stripe — payment processing for paid tiers (when the integration lands). Card details are submitted directly to Stripe and never touch our servers.
• Email delivery — transactional email (welcome, billing receipts, security alerts) goes via a transactional-email provider; the message bodies don’t carry sensitive data.

We disclose data outside this list only when compelled by a valid legal request, and we challenge requests we believe are disproportionate.

International transfers.

Janison is incorporated in Australia. Some of our infrastructure runs in the United States. Where personal data is transferred outside its origin region (e.g. UK / EU users’ data reaching US-hosted services) we rely on the appropriate transfer mechanism — Standard Contractual Clauses, the UK IDTA, or an adequacy decision — applied at the contract level with each sub-processor.

How long we keep it.

• Account + practice history — for as long as the account is active. Deletion requests are honoured per the schedule on our data deletion page (prod gone in 30 days, encrypted backups roll off after a further 90).
• Inactive accounts — accounts unused for 24 months are flagged for deletion; we email you first and give you the choice to keep the account.
• Service logs — request and error logs are retained for up to 90 days for security and debugging, then rolled off.
• Billing records — financial records (invoices, receipts) are retained for the period the law requires (typically 7 years in Australia).
• Aggregated analytics — content-quality and usage aggregates that don’t identify you may be retained indefinitely.

Your rights.

Wherever you live, you can ask us to:

• Access — see what data we hold about you.
• Correct — fix anything that’s wrong.
• Delete — remove your account and the data linked to it (see the deletion page).
• Export — receive a portable copy of your data.
• Object — to processing we do under legitimate interest.
• Withdraw consent — for anything we do because you opted in (e.g. marketing emails).

UK / EU residents have the right to lodge a complaint with their local supervisory authority. Australian residents can complain to the OAIC. We’d rather hear from you first so we can fix things — email privacy@janison.com.au.

Children’s data.

Practice for children (Primary School Practice, Secondary School Practice) is set up by a parent. The parent holds the account; the child has a profile under it with a first name, age band (month and year only — never the day), an avatar, and a parent-set secret word + PIN used to sign in.

We don’t collect children’s contact details, location, or photographs. Parents can delete a child profile from their hub at any time, or by emailing us. We verify parent ownership before actioning any request relating to a child profile.

Cookies.

We use a small number of strictly-necessary cookies — to remember your sign-in, your selected region, and the email you last used for the dev sign-in shortcut. We don’t use advertising, cross-site tracking, or analytics cookies that identify you personally.

Changes to this policy.

We’ll update this page when something material changes, with a new “last updated” date at the top. For significant changes (new sub-processors handling sensitive data, new categories collected) we’ll email you in advance and give you the chance to leave before the change takes effect.

Contact.

ForMe is operated by Janison Solutions Pty Ltd, ACN 081 273 837, Australia. Privacy questions, requests, or complaints:

privacy@janison.com.au