Privacy Policy
Last updated: February 28, 2026
TebTally™ Pty Ltd (ABN 96 110 054 130) provides educational software including Spell Star™, Behaviour Tracker™, WriteTally™, Formative Check™, Class Builder™, HousePoints™, and Classroom Pro™. This policy explains how we collect, use, and protect your data.
Data We Collect
- Account information: Name, email address, school/organisation name
- Student data: Names, class rosters, and activity data provided by schools
- Usage data: Feature usage, timestamps, and session information
- Device information: Browser type, operating system (for PWA/mobile apps)
- Authentication data: OAuth tokens from Google sign-in (not stored long-term)
Where Data is Stored
- Application hosting: Vercel (Sydney region available for Australian schools)
- Database: Neon PostgreSQL (encrypted at rest, SOC 2 Type II compliant)
- Authentication: id.tebtally.com (self-hosted identity provider)
- File storage: Vercel Blob (encrypted, region-locked)
Data is stored in secure, access-controlled databases. We use encryption in transit (TLS 1.3) and at rest for all sensitive information.
Security Measures
- Row-level security: Database isolation ensures schools only see their own data
- Role-based access: SUPERADMIN → ADMIN → TEACHER → STUDENT hierarchy
- Rate limiting: Protection against abuse on authentication and API endpoints
- Audit logging: All sensitive actions are logged for accountability
- Password security: bcrypt hashing with secure salt rounds
- Session management: JWT tokens with 24-hour expiry, httpOnly cookies
How We Use Data
- To provide and operate the TebTally™ services
- To authenticate users and manage access permissions
- To provide customer support and respond to enquiries
- To improve our services based on anonymised usage patterns
- To send service-related notifications (not marketing without consent)
Data Sharing and Sub-Processors
We do not sell personal information. We only share data with the following third-party sub-processors when necessary to provide the service. The lawful basis for all processing below is legitimate interest (providing the contracted educational service) and contractual necessity under the Australian Privacy Act and GDPR.
Vercel Inc. — vercel.com
Purpose: Application hosting, serverless functions, edge network, and file storage (Vercel Blob)
Data disclosed: All application data in transit (HTTP requests, session tokens, uploaded files)
Countries: Australia (Sydney, syd1) for compute; United States for Vercel Blob file storage
Neon Inc. — neon.tech
Purpose: PostgreSQL database hosting (primary data storage)
Data disclosed: All persistent application data (accounts, student records, activity data, audit logs)
Countries: Australia (Sydney, ap-southeast-2)
Google LLC — cloud.google.com
Purpose: OAuth authentication (Google Sign-In) and Google Classroom API integration
Data disclosed: Email address, name, OAuth tokens; class rosters via Classroom API (teacher-initiated)
Countries: United States
Stripe Inc. — stripe.com
Purpose: Payment processing for paid subscriptions
Data disclosed: Organisation name, billing email, payment card details (handled directly by Stripe, PCI-compliant)
Countries: United States
OpenAI Inc. — openai.com
Purpose: AI-generated sentences and definitions (Spell Star); automated writing assessment and rubric generation (WriteTally)
Data disclosed: Redacted, de-identified text only. Student names and PII are automatically stripped before transmission.
Countries: United States
Amazon Web Services (AWS) — aws.amazon.com
Purpose: Text-to-speech pronunciation via Amazon Polly (Spell Star)
Data disclosed: Individual spelling words (no student data or PII)
Countries: Australia (Sydney, ap-southeast-2)
PostHog Inc. — posthog.com
Purpose: Anonymised product analytics to understand feature usage
Data disclosed: Anonymised usage events, page views, feature interactions. No student names or PII.
Countries: United States
Sentry (Functional Software Inc.) — sentry.io
Purpose: Error monitoring and application performance tracking
Data disclosed: Error stack traces, browser metadata, request URLs. PII is scrubbed before transmission.
Countries: United States
Upstash Inc. — upstash.com
Purpose: Redis caching and rate limiting
Data disclosed: Ephemeral rate-limiting keys (user IDs, IP hashes). No student content or PII.
Countries: Australia (Sydney, ap-southeast-2)
Resend Inc. — resend.com
Purpose: Transactional email delivery (verification, password reset, notifications)
Data disclosed: Recipient email address, email subject and body content
Countries: United States
Core student and school data (databases, authentication) is stored in Australia (Sydney, ap-southeast-2). No identifiable student data is sent to overseas services without prior de-identification or redaction, except where required for core functionality (e.g. payment processing via Stripe, email delivery via Resend).
Your Rights
Under GDPR and the Australian Privacy Act, you have the right to:
- Access: Request a copy of your personal data
- Export: Download your data in a portable format (JSON)
- Correction: Update inaccurate personal information
- Deletion: Request deletion of your account and data
- Objection: Object to certain processing of your data
To exercise these rights, contact privacy@tebtally.com. We will respond within 30 days.
Data Retention
- Account data is retained while the account remains active
- Student data is retained according to school policies and applicable law
- Deleted accounts are purged within 30 days of a confirmed deletion request
- Anonymised analytics data may be retained indefinitely
- Audit logs are retained for 2 years for security and compliance
Data Breach Notification
In the event of a data breach affecting personal information, we will:
- Notify affected schools within 72 hours of confirming the breach
- Provide details of what data was affected and remediation steps
- Report to relevant authorities as required by law (OAIC in Australia, supervisory authorities under GDPR)
Cookies and Analytics
We use essential cookies for authentication and session management. We use PostHog for anonymised product analytics to understand how features are used. We do not use cookies for advertising or tracking across websites.
Children's Privacy
TebTally™ services are designed for use in educational settings. Student accounts are created and managed by schools in compliance with COPPA (US), GDPR (EU), and Australian privacy requirements. We do not knowingly collect personal information directly from children under 13 without parental or school consent.
Privacy Complaints
If you believe your privacy has been breached or you have a concern about how we handle personal information, you may lodge a complaint by emailing privacy@tebtally.com.
- We will acknowledge your complaint within 5 business days
- We will investigate and respond with a resolution within 30 days
- If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC)
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated to school administrators via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
Contact Us
For privacy questions, data requests, or concerns:
- Email: privacy@tebtally.com
- Support: support@tebtally.com
TebTally™ Pty Ltd
ABN 96 110 054 130
New South Wales, Australia
