Privacy Policy

Learn360 Privacy Policy

Last updated: 8 January 2026

Learn360 respects your privacy. We work with schools, early learning services, families and educators, and we understand that student information requires the highest level of care, transparency, and security.

This Privacy Policy explains how Learn360 collects, uses, discloses, stores and protects personal information when you:

  • visit our websites (including learn360.education);
  • use our Learn360 platform, applications, assessments and related services; and/or
  • participate in Learn360 programs delivered through a school or early learning service, including Learn360’s Precision Learning research programs.

This policy is written for Australian education contexts and is intended to align with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.

Important note: This Privacy Policy is general information and does not replace your organisation’s legal advice or your school/centre’s own privacy obligations. Where a school or early learning service has a direct contract with Learn360, that agreement may include additional privacy and security terms (for example, onboarding documentation, consent templates, or data processing terms). If there is any inconsistency, the contract terms apply for that school/centre deployment.

1) Who we are

In this Privacy Policy, “Learn360”, “we”, “us” or “our” means the Learn360 service and the related entities responsible for operating and supporting the Learn360 platform and programs.

Privacy contact: [email protected]

2) Our privacy commitments to schools and families

For Learn360 school and early learning deployments in Australia, we are committed to the following:

  • We do not sell student data.
  • We do not use student data for targeted advertising.
  • We collect only what we need to deliver Learn360 services and programs.
  • We use strong security controls (encryption, access controls, monitoring, and secure development practices).
  • Research use is de-identified and opt-in for education deployments, with consent processes managed through the school/centre and the research program documentation (where applicable).

3) Key definitions

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Sensitive information (under the Privacy Act) includes health information and other categories that require higher protection. In a Learn360 education context, student photos/videos and body measurements may be treated as sensitive, and may also produce biometric-type inferences. We apply heightened controls accordingly.

Student data includes personal information relating to a child/student that is collected or generated through Learn360 services (including assessments, educator observations, reports, and program outputs).

School/centre deployment means Learn360 is provided via a school or early learning service, typically under a service agreement.

Research program means an opt-in Learn360 research study conducted with approved partners (for example, Southern Cross University and Parents International) where de-identified data may be analysed and reported in aggregated or de-identified form.

4) Roles: schools/centres and Learn360

In most school and early learning deployments:

  • the school/centre generally determines the educational purpose and provides notices and consent processes to parents/guardians; and
  • Learn360 processes information to generate and present results (reports, insights, and resources) to support the school community.

Parents/guardians can usually exercise privacy rights via their school/centre, and in many cases can also contact us directly (see Section 12).

5) What information we collect

The information we collect depends on how Learn360 is used (website visitor, educator user, parent user, or student participant).

A) Student information (school/centre deployments)

We aim to collect the minimum necessary information to deliver Learn360 services. Depending on the program, this may include:

  • student first name and/or student identifier, class/group;
  • parent/guardian contact details (as provided/authorised by the school/centre);
  • a standard assessment set (commonly four photos, a short video, and selected clothed body measurements);
  • limited questionnaire responses or “personality data” used to personalise outputs (where included in the program design);
  • educator observations relevant to learning and wellbeing supports; and
  • generated outputs, such as a personalised learning profile/report and recommendations.

We do not perform persistent face recognition or identity verification for school services.

We also do not request or store government identifiers for students unless specifically required by law and agreed in writing as part of a school deployment (and in most cases, we avoid this entirely).

B) Parent/guardian information

Where parents/guardians access Learn360 services, we may collect:

  • name and contact details;
  • account credentials (if an account is created);
  • communications with our support team; and
  • program engagement and progress information (where applicable).

C) Educator and school/centre staff information

We may collect:

  • name, role, school/centre contact details;
  • account credentials and access permissions;
  • usage information (for audit, support and security); and
  • communications and support records.

D) Website and platform technical information

When you visit our websites or use the platform, we may automatically collect:

  • device and browser details;
  • IP address and approximate location derived from IP (for security and fraud prevention);
  • logs relating to authentication, system activity, and performance; and
  • cookie/analytics data (see Section 13).

6) How we collect information

We collect information:

  • from the school/centre (for example, class lists, parent contact information where authorised, onboarding details);
  • from parents/guardians and educators directly (for example, consent forms, surveys, support requests);
  • through the Learn360 assessment process (photos/video/measurements submitted through approved workflows); and
  • automatically through system logs and cookies when our websites and services are accessed.

If we receive unsolicited personal information that we did not request, we will delete it or de-identify it where lawful and reasonable.

7) How we use information

We use personal information for the primary purpose of operating Learn360 and delivering the services requested by schools/centres and families, including to:

  • create and deliver student learning profiles/reports and practical recommendations;
  • provide resources and guidance for educators and parents/guardians;
  • administer accounts and authenticate access;
  • provide customer support and respond to enquiries;
  • monitor usage for platform performance, reliability, and safety;
  • detect and prevent misuse, fraud, and security incidents; and
  • meet legal and regulatory obligations.

Product improvement and quality

We may use de-identified and/or aggregated information to improve Learn360, including quality assurance, system testing, and product development. Where personal information is used for these purposes, we apply appropriate protections and minimisation.

Direct marketing

We do not use student personal/sensitive information for direct marketing. For adults (educators/parents), if we send optional marketing communications, you can opt out at any time (see Section 14).

8) Precision Learning research programs

From time to time, Learn360 operates Precision Learning research programs in partnership with research organisations (including Southern Cross University and Parents International) to evaluate wellbeing and learning outcomes and improve personalised education.

Participation is voluntary and consent-based

Research participation is opt-in. The school/centre (and/or the research team) may provide a participant information sheet and consent process. Parents/guardians are informed that they are free to withdraw without penalty, and can contact the research team with questions or concerns about ethical conduct.

What may be collected for research

Depending on the study, research participation may include:

  • the Learn360 assessment inputs (for example, measures of the body, a standard set of photos and brief video);
  • wellbeing surveys completed at baseline and follow-ups (commonly now, 6 months and 12 months); and
  • optional interviews or small group conversations at follow-up points (for example, at 6 and 12 months) to gather feedback.

De-identification and reporting

Where data is used for research analysis:

  • identifying details are removed before analysis;
  • research records are linked to a participant number rather than a name; and
  • results are reported as de-identified cases and/or group averages.

Publication and sharing

Research findings may be published in academic or professional contexts. Any published results are presented in de-identified and/or aggregated form so individuals are not reasonably identifiable.

Withdrawing from research

If a parent/guardian withdraws from a research program, this does not affect a student’s access to Learn360 services delivered by the school/centre (unless the school/centre program itself is research-only). Where withdrawal is requested, we will follow the study protocol and applicable law in relation to ceasing future research use and handling previously collected data.

9) How we disclose information

We do not sell personal information. We disclose personal information only as necessary to deliver Learn360, including:

A) School/centre and authorised family access

Student information and outputs are shared with:

  • the relevant school/centre; and
  • the student’s parent/guardian(s) or other authorised recipients as directed by the school/centre and consistent with consent arrangements.

B) Service providers

We use carefully selected service providers to host and protect Learn360 and to provide operational support (for example, cloud infrastructure, security services, and support tools). These providers:

  • act under contract to us; and
  • are permitted to access personal information only as necessary to provide their services to Learn360.

For Australian school deployments, core infrastructure providers may include Microsoft Azure (hosting) and Cloudflare (edge security/CDN/DDoS protection), configured for Australian data residency controls where feasible. A current list of operational sub-processors used for a particular deployment (for example, support or analytics tools, if any) is available on request and may be provided to schools during onboarding or renewal.

C) Legal requirements

We may disclose information where required or authorised by law, including in response to valid legal process, regulatory requests, or to protect the rights and safety of Learn360, our users, schools/centres, and the public.

10) Data hosting, residency and cross-border disclosures

Australian hosting

For Learn360 deployments with Australian schools and early learning services, our default configuration supports hosting in Microsoft Azure Australia East, so that data at rest remains within Australia. Replication for resilience occurs within Australia.

Edge/network services and overseas handling

Some network services (such as edge security/CDN) may involve global infrastructure. Where Learn360 uses such services, we apply configurations designed to keep TLS termination and keys in Australia where available, and we apply APP 8 safeguards for any overseas handling.

If any personal information must be handled outside Australia for a specific reason, we take reasonable steps to ensure the overseas recipient protects the information in a way that is substantially similar to the APPs, and we remain accountable as required by the Privacy Act.

11) Security and cybersecurity practices

Learn360 uses a layered security program designed for the school environment.

Key controls may include:

  • Encryption
    • Encryption in transit (TLS 1.2 or higher).
    • Encryption at rest (AES-256) across storage and backups.
  • Identity and access management
    • Role-based access control and least privilege.
    • Multi-factor authentication for administrative access.
    • Audit logging of access to student records.
    • Periodic access reviews and staff security awareness training.
  • Platform and application security
    • Secure development lifecycle practices, code review, and dependency scanning.
    • Regular vulnerability assessment and change management controls.
    • Network segmentation, firewalls/WAF, DDoS protections, secrets management and key rotation.
  • Device and endpoint protections
    • Device encryption and endpoint detection/response for administrative devices.
    • Logging and monitoring to detect suspicious activity.

Security incidents and Notifiable Data Breaches

We maintain incident response procedures aligned to the OAIC’s model (contain → assess → notify → review). We assess suspected breaches promptly (ordinarily concluding assessment within 30 days). If an eligible data breach is confirmed, we notify affected parties and the OAIC as soon as practicable, as required.

12) Retention, deletion, access and correction

Retention and deletion

We retain personal information only as long as needed for the purpose it was collected, unless we must keep it for legal, security, or operational reasons.

For education deployments, typical retention settings may include:

  • Raw media (photos/video): deleted on request or automatically after an agreed period (for example, 12 months), unless a parent/school elects to retain it for longitudinal use.
  • Derived profile data/reports: retained while the student participates or while the school/centre contract remains active, then deleted or de-identified.
  • Backups: encrypted and rotated; aged-out backups are destroyed.
  • Security/audit logs: retained for a defined period for security/compliance, then purged.

Parents/guardians can request deletion through their school/centre (and in some cases directly through us). When we action deletion requests, we remove data from production systems and schedule backup removal through normal backup roll-over processes, subject to legal and safety requirements.

Access and correction

Parents/guardians and adult users may request:

  • access to personal information held by Learn360; and/or
  • correction of inaccurate information.

For student information, requests are commonly managed through the school/centre so that identity and authority can be verified. You can also contact our privacy team directly at [email protected]. We will take reasonable steps to verify the requester’s identity/authority and respond within a reasonable timeframe consistent with the APPs.

13) Cookies, analytics and website tracking

Our public websites may use cookies and similar technologies to:

  • enable core website functionality;
  • understand site usage and improve performance; and
  • support security and fraud prevention.

Where possible for education services, we avoid adtech and social tracking. You can usually manage cookies through your browser settings, but disabling cookies may affect website functionality.

If we maintain a separate Cookie Policy, it applies in addition to this Privacy Policy.

14) Communications and opt-out

We may send:

  • service communications (for example, account notices, security messages, onboarding updates), which you cannot opt out of while using the service; and
  • optional communications (for example, newsletters or product updates to adults), which you can opt out of at any time using the unsubscribe link or by contacting us.

We do not send direct marketing to students and do not use student personal/sensitive information for marketing.

15) Third-party links

Our websites or resources may link to third-party websites. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing personal information.

16) Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. The “Last updated” date at the top shows when it was most recently revised. Where changes are material, we will take reasonable steps to provide additional notice (for example, via the website or via school/centre channels).

17) Contact and complaints

If you have questions, requests, or concerns about privacy or security, please contact:

Privacy Team
Email: [email protected]

If you wish to make a privacy complaint, please email us with:

  • your name and contact details,
  • the school/centre (if applicable),
  • details of the concern, and
  • what outcome you are seeking.

We will acknowledge and investigate complaints in a timely manner. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).