Privacy policy.

What we collect.

From the sign-in provider you choose (Google or Facebook) we receive your email address, your first and last name, and a URL for your profile image. Nothing else from your provider account comes through.

The bulk of what Practice itself holds about you is your practice activity:

• Every session you start — start time, duration, completion.
• Every question you see and the answer you gave, with the time you took.
• The topic + sub-topic each answer maps to (so we can build the readiness picture).
• Bookmarks, notes, and items you flag for follow-up.
• Voice and audio session metadata if you use hands-free practice (length, completion, never the audio itself).
• Your active programme + any per-programme settings (year level, exam stage, billing tier).

Our servers also see standard request metadata (IP address, user agent, timestamps) and a cookie that holds your sign-in session. We do not run third-party advertising or behavioural-tracking scripts.

Why we collect it.

• Run the product — sign you in, deliver the right practice questions, show you progress.
• Adapt to you — the activity history feeds the engine that picks what to ask next. Without it Practice becomes a flat question bank.
• Talk to you — service emails (welcome, security, important product changes), and only marketing emails if you’ve explicitly opted in.
• Improve the product — aggregated, de-identified analytics (e.g. “average mastery on cardiology items”) inform content quality. These cannot be used to reconstruct your individual history.

We do not sell your personal data, and we do not use it to train third-party machine-learning models.

Lawful basis (GDPR / equivalent).

We rely on:

• Contract — to provide the practice service you signed up for.
• Consent — for marketing emails (always opt-in) and any cookies beyond strictly necessary ones.
• Legitimate interest — for security, fraud prevention, and aggregated product analytics, balanced against your right to object.
• Legal obligation — for record-keeping the law requires (e.g. financial records of paid subscriptions).

Who else sees your data.

Practice is hosted on Google Cloud Platform. The following sub-processors handle pieces of the service on Janison’s behalf, under contracts that bind them to use the data only for the work we’ve asked them to do:

• Google Cloud Platform — application hosting (Cloud Run), database (Cloud Spanner, AlloyDB), object storage (Cloud Storage). Regions: Australia (Sydney) and the United States.
• Google & Facebook — sign-in providers. We see only the fields they return at sign-in (email, name, profile image URL).
• Stripe — payment processing for paid tiers (when the integration lands). Card details are submitted directly to Stripe and never touch our servers.
• Email delivery — transactional email goes via a transactional-email provider; the message bodies don’t carry sensitive data.

We disclose data outside this list only when compelled by a valid legal request, and we challenge requests we believe are disproportionate.

International transfers.

Janison is incorporated in Australia. Some of our infrastructure runs in the United States. Where personal data is transferred outside its origin region (e.g. UK / EU users’ data reaching US-hosted services) we rely on the appropriate transfer mechanism — Standard Contractual Clauses, the UK IDTA, or an adequacy decision — applied at the contract level with each sub-processor.

How long we keep it.

• Account + practice history — for as long as the account is active. Deletion requests are honoured per the schedule on our data deletion page (prod gone in 30 days, encrypted backups roll off after a further 90).
• Inactive accounts — accounts unused for 24 months are flagged for deletion; we email you first and give you the choice to keep the account.
• Service logs — request and error logs are retained for up to 90 days for security and debugging, then rolled off.
• Billing records — financial records (invoices, receipts) are retained for the period the law requires (typically 7 years in Australia).
• Aggregated analytics — content-quality and usage aggregates that don’t identify you may be retained indefinitely.

Your rights.

Wherever you live, you can ask us to:

• Access — see what data we hold about you.
• Correct — fix anything that’s wrong.
• Delete — remove your account and the data linked to it (see the deletion page).
• Export — receive a portable copy of your data, including your full practice history.
• Object — to processing we do under legitimate interest.
• Withdraw consent — for anything we do because you opted in (e.g. marketing emails).

UK / EU residents have the right to lodge a complaint with their local supervisory authority. Australian residents can complain to the OAIC. We’d rather hear from you first so we can fix things — email privacy@janison.com.au.

Children’s data.

Practice for children (Primary School Practice, Secondary School Practice) is set up by a parent on ForMe. The parent holds the account; the child has a profile under it with a first name, age band (month and year only — never the day), an avatar, and a parent-set secret word + PIN used to sign in here.

We don’t collect children’s contact details, location, or photographs. Parents can delete a child profile from their hub at any time, or by emailing us. We verify parent ownership before actioning any request relating to a child profile.

Cookies.

We use a small number of strictly-necessary cookies — to remember your sign-in and your active programme. We don’t use advertising, cross-site tracking, or analytics cookies that identify you personally.

Changes to this policy.

We’ll update this page when something material changes, with a new “last updated” date at the top. For significant changes (new sub-processors handling sensitive data, new categories collected) we’ll email you in advance and give you the chance to leave before the change takes effect.

Contact.

Practice is operated by Janison Solutions Pty Ltd, ACN 081 273 837, Australia. Privacy questions, requests, or complaints:

privacy@janison.com.au