Last updated: April 2026
BrightStead Tutoring ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, and your rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), as well as the EU General Data Protection Regulation (GDPR) where applicable.
1. Who we are
This site is operated by BrightStead Tutoring. For any privacy-related inquiries, contact us at privacy@brightstead.com.
2. Information we collect
When you create an account we collect:
- Email address — required for account creation and login
- Password — stored as a salted cryptographic hash, never in plain text
- Date of birth — optional, collected only if you choose to add it on your profile
- Name — first and last (required at signup)
- Learning preferences — study goal (General English, AMEP, TESOL) and English level
We also automatically collect:
- Technical data — IP address, browser type and user agent, timestamps
- Cookies — session ID and CSRF token for security (essential); optional analytics/marketing cookies only if you consent
- Cookie consent records — which categories you accepted, policy version, IP, user agent and timestamp (audit trail for compliance)
3. Legal basis for processing (GDPR)
- Contract — email, password and preferences are needed to provide the service you sign up for
- Legal obligation — your explicit age declaration at signup to comply with minimum-age rules; cookie consent records to demonstrate GDPR/APP compliance
- Consent — optional analytics/marketing cookies; you can withdraw at any time via Cookie preferences in the footer
- Legitimate interest — IP and user agent logs for security and fraud prevention
4. Age requirement
This service is not directed to children under the age of 16. When you create an account you must tick a checkbox confirming that you are at least 16 years old; we rely on this self-declaration as a reasonable effort to verify age (GDPR Art. 8(2)). We do not collect a date of birth at signup. If you believe a child under 16 has provided us with personal data, contact us at privacy@brightstead.com and we will delete the account and associated data.
5. Email verification
After registration we send a verification email containing a time-limited signed link (valid for 3 days). Verification confirms you have access to the email address; unverified accounts have limited functionality.
6. Cookies
We use three categories of cookies:
- Essential — session and CSRF cookies required for login and security. Always active, no consent required.
- Analytics — to understand how visitors use the site (anonymised). Only set with your consent.
- Marketing — to measure campaign effectiveness. Only set with your consent.
You can change your cookie preferences at any time via the Cookie preferences link in the footer. Third-party services (such as embedded Google Calendar) may set their own cookies under their respective privacy policies.
7. How we use your information
- Create and manage your account
- Send account-related emails (verification, password reset, security notices)
- Personalise your learning experience
- Respond to your inquiries
- Maintain security and comply with legal obligations
8. Sharing your information
We do not sell your personal information. We share data only:
- With service providers (email delivery, hosting) under confidentiality obligations
- When required by Australian law, EU law, or in response to valid legal process
- To protect rights, property, or safety
9. International transfers
We are based in Australia. If we use email or hosting providers located outside Australia or the EU, we ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions) are in place.
10. Data retention
- Account data — kept while your account is active; removed when you delete your account
- Cookie consent audit records — retained for up to 3 years after the last consent, as evidence of compliance
- Technical logs — typically retained for up to 90 days for security purposes
11. Data security
We take reasonable steps to protect your information, including:
- Encrypted connections (HTTPS) in production
- Passwords stored with salted hashing (PBKDF2)
- Signed, time-limited email verification tokens
- Protection against CSRF, XSS, and clickjacking
12. Your rights
You have the right to:
- Access — download a copy of your data in JSON format from your profile page
- Rectify — edit your profile information at any time
- Erase — permanently delete your account from your profile page
- Restrict or object — contact us to limit or object to specific processing
- Withdraw consent — update cookie preferences at any time via the footer link
- Portability (GDPR) — receive your data in a machine-readable format (our JSON export satisfies this)
- Complain — lodge a complaint with a supervisory authority (see contacts below)
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent site notice. The "Last updated" date at the top shows when the policy was most recently changed.
14. Contact and complaints
Privacy inquiries: privacy@brightstead.com
If you are in Australia, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
If you are in the EU/EEA, you may lodge a complaint with your local data protection authority.