Privacy Policy

1. About this policy

FoxLoop ("we", "us", "our") operates the FoxLoop platform at foxloop.app. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Health Records and Information Privacy Act 2002 (NSW), and the Notifiable Data Breaches (NDB) scheme.

Because our platform handles information about children, we apply a heightened standard of care to all personal information we process. We are committed to protecting the privacy of children and their families.

2. Information we collect

We collect the following categories of personal information:

2.1 Account information

When a school or business creates an account, we collect: business name, owner's name, email address, and password (stored in hashed form). When a parent registers, we collect: full name, email address, and password.

2.2 Child information

When parents enroll a child, they may provide: child's name, date of birth, gender, medical information (allergies, medications, immunisation status), current school, and additional notes. This information is collected on behalf of the school operating on our platform.

2.3 Health information

Some enrollment forms collect health-related information such as allergies, medical conditions, medications, and immunisation records. This information is classified as health information under the Health Records and Information Privacy Act 2002 (NSW) and is subject to the Health Privacy Principles. We collect it only as necessary for the school to safely care for enrolled children.

2.4 Payment information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's handling of payment data is governed by their own privacy policy and PCI DSS compliance.

2.5 Documents

Parents may upload documents such as immunisation records or medical reports. These files are stored securely and are accessible only to the relevant school and the parent who uploaded them.

2.6 Technical information

When you use our platform, we automatically collect: IP address, browser type, device information, and pages visited. This information is used for security, troubleshooting, and maintaining the service. We do not use tracking pixels or behavioural analytics on children's data.

3. How we use your information

We use personal information for the following purposes:

• Providing and operating the enrollment management platform
• Processing enrollments, waitlist management, and offers
• Sending transactional emails (enrollment confirmations, status updates, password resets)
• Processing payments through Stripe
• Providing customer support
• Maintaining the security and integrity of the platform
• Complying with legal obligations

We do not use personal information for marketing to children, behavioural profiling, or selling to third parties.

4. Legal basis for processing

Under the Australian Privacy Principles, we collect and process personal information on the following bases:

• Consent: Parents consent to the collection of their and their children's information when registering and enrolling.
• Contractual necessity: Processing is necessary to provide the service to schools that have subscribed to our platform.
• Legal obligation: We may process information as required by Australian law, including record-keeping and reporting obligations.

5. Disclosure of information

We may disclose personal information to:

• The school you are enrolling with: Your enrollment data is shared with the school operating on our platform. They are responsible for how they use that information in their capacity as the service provider.
• Stripe: Payment details are shared with Stripe for payment processing.
• Hosting and infrastructure providers: We use cloud hosting services to store data securely. These providers are contractually bound to protect your data.
• Law enforcement or regulators: Where required by law, court order, or to protect the safety of children.

We do not disclose personal information to advertisers, data brokers, or any party for marketing purposes.

6. Data isolation and multi-tenancy

Each school on FoxLoop operates in an isolated environment. School A cannot access School B's data. Parent and child information is only visible to the school the parent enrolled with and to the parent themselves. Our team accesses tenant data only when necessary for technical support, and such access is logged.

7. Data storage and security

We protect your information through:

• Encryption of data in transit using TLS (Transport Layer Security)
• Encryption of data at rest
• Passwords hashed using modern, industry-standard algorithms
• Role-based access controls limiting who can view what
• Isolated per-tenant databases
• Regular security reviews of our infrastructure

While no system can guarantee absolute security, we take all reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, in accordance with APP 11.

8. Data retention

We retain personal information for as long as the school's account is active, plus a reasonable period after account closure to allow for data export and to comply with legal obligations. After that period, data is permanently deleted.

Schools can delete individual enrollment records at any time through the admin dashboard. Parents can request deletion of their account and their children's data by contacting us or by contacting their school.

9. Your rights

Under the Australian Privacy Principles, you have the right to:

• Access: Request a copy of the personal information we hold about you or your child (APP 12).
• Correction: Request that we correct inaccurate or incomplete information (APP 13).
• Deletion: Request deletion of your personal information where it is no longer needed for the purpose for which it was collected.
• Data export: Request an export of your data in a portable format.
• Withdraw consent: Withdraw your consent to the collection of information at any time, noting that this may affect your ability to use certain features of the platform.

To exercise these rights, contact us at [email protected].

10. Children's privacy

We recognise that our platform handles sensitive information about children. We apply the following protections:

• Children's information is collected only through their parent or guardian
• We do not create accounts for children or allow children to interact with the platform directly
• Children's data is never used for marketing, profiling, or analytics
• Health and medical information about children is treated as sensitive information under APP 3 and as health information under NSW health privacy legislation
• Schools are responsible for ensuring they have appropriate consent from parents before collecting children's information through the platform

11. Notifiable Data Breaches

In compliance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988, if we become aware of an eligible data breach that is likely to result in serious harm to any individual, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
• Notify affected individuals as soon as practicable
• Include in our notification: the nature of the breach, the types of information involved, and steps individuals can take to protect themselves

12. Cross-border data transfers

Our hosting infrastructure may involve data storage in locations outside Australia. Where this occurs, we take reasonable steps to ensure that overseas recipients handle personal information in accordance with the Australian Privacy Principles, as required by APP 8. We use reputable cloud providers with strong data protection practices and contractual commitments.

13. Cookies and tracking

We use essential cookies to maintain your session and keep you logged in. We do not use third-party advertising cookies, social media tracking pixels, or behavioural analytics tools that track children's activity.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make significant changes that affect how we handle children's information, we will notify affected users by email before the changes take effect. The latest version is always available at this page.

15. Complaints

If you believe we have breached your privacy or have not handled your information appropriately, please contact us at [email protected]. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

16. Contact

For any privacy-related questions or requests, contact us at:

FoxLoop
Email: [email protected]
Jurisdiction: New South Wales, Australia