Privacy Policy

For Students And Families

If you are a student, this means:

• Your teacher, school or parent may see your maths work and progress when you use a class code, school account or family account.
• We use your information to run maths activities, save progress, help your teacher plan lessons and keep the website working.
• If you practise without signing in and choose an age or year starting point, that starting point is only used on the current page to choose questions. It is not saved.
• We do not sell your information, show student advertising, or put student accounts into marketing email lists.
• Do not type private information, home addresses, phone numbers or secrets into answer boxes, feedback forms or class names.
• If you think something is wrong with your information, ask your teacher, parent or carer to help contact us.

Information We Collect

For teachers and school administrators, we may collect account details such as name, email address, school name or class setup choices, role, entitlements, billing ownership, consent choices and support messages.

For school-managed students, we may collect class code, first name/initial or classroom display name, class and school relationship, year level or learning band, teacher-set classroom password status, assigned activities, attempt metadata, correctness, progress summaries, test or session records and coarse progress dates. New classroom passwords are stored as salted password hashes. Older legacy classroom passwords may remain visible to the teacher until reset.

For independent student or parent-supported accounts, we may collect display name, account email, broad age band, guardian-consent acknowledgement where required, parent or carer contact details, practice answers, scores and progress summaries.

For parents and carers, we may collect name, email address, child profile settings, home practice preferences, consent or safety choices, support requests and account activity needed to run parent tools.

For register-interest forms, we may collect email address, role, feature or plan interest, source page, consent state and optional message so we can respond about the requested future feature, pilot, school plan or launch update.

For billing, we may collect plan choice, school or billing contact details, Stripe customer and subscription identifiers, invoice and refund references, payment status, billing period and tax or receipt records. Payment card details are handled by Stripe, not stored directly by Daily Maths Review.

For support, feedback and issue reports, we may collect name, email address, message content, page URL, replay or review link, screenshots or page context supplied by the app, user agent, viewport size, local timestamp, IP address and country-level location where needed for support, abuse prevention or security.

For technical, analytics and security purposes, we may collect browser type, device type, pages used, timestamps, local and server event logs, error logs, sign-in records, usage counters, referral information and whether a request appears automated or abusive. Usage and review analytics are minimised where practical: raw usage events should not store IP addresses or city-level location, and IP lookup is used only transiently to derive country-level aggregate statistics where configured.

We do not intentionally collect government identifiers, exact birth dates, health information or sensitive information from students. If that kind of information is sent to us accidentally, we will handle it only as needed to respond, secure the service, delete it or meet legal obligations.

How We Collect And Hold Information

We collect information directly from people using the service, from teachers or schools setting up classes, from students completing activities, from parents managing home practice, from billing and email providers, and from browser or server logs created when the website runs.

Personal information is held in Firebase, Google Cloud, support systems, email systems, Stripe billing records, local browser storage and limited administrator tools. Access is limited to people and providers who need it to operate, secure, support or improve Daily Maths Review.

How We Use Information

• To provide maths practice, review activities and assigned work.
• To save student progress and show it to the student, their teacher or their school where appropriate.
• To help teachers manage classes and plan future reviews.
• To help parents and carers support home practice where parent tools are used.
• To run teacher, school, parent and student accounts.
• To manage register-interest requests for future paid, school, parent, live review, testing, export or pilot features.
• To process subscriptions, invoices, cancellations, refunds and billing support.
• To send transactional emails such as account, support, billing, school and security messages.
• To respond to support requests, issue reports and privacy requests.
• To protect accounts, investigate misuse, prevent abuse and maintain service reliability.
• To improve the product using aggregated, de-identified or limited usage information.
• To meet legal, accounting, tax, consumer law, privacy and data protection obligations.

Student Privacy And School Use

School-managed student information is used for educational purposes connected to the teacher or school using Daily Maths Review. It is not reused for advertising, unrelated profiling, sale of data, or student marketing.

Students can use free practice without logging in. In that case, saved progress is limited to local device storage where available. Logging in with a class code lets the service save progress for the class.

Unsigned-in Daily Self Review may ask for an optional age or year level starting point. That starting point is a temporary page signal only: it is not written to Firestore, account records, local-storage preferences, usage analytics, support or issue reports, marketing systems, class records or parent records.

Student CSV exports are designed for teacher administration and show student first names/initials or classroom names, year levels and password status only. They do not export classroom passwords.

Daily Maths Review does not provide public student discovery. Parents and public users cannot search school rosters, look up students by name or email, use public student profile URLs, autocomplete school-managed student identities, or receive confirmation that a student exists. Parent linking must use a short-lived student-generated code for independent student accounts or a school-approved request workflow that gives no school data until approval and a parent-safe view exist.

Independent student signup uses broad age bands only. Students under 13 cannot create an independent account by default. Students aged 13 to 14 need parent or carer help, and the signup record stores the child privacy notice version and guardian acknowledgement version shown at signup.

Where a school or teacher uses Daily Maths Review for a class, the school or teacher is responsible for confirming that they have authority to provide student information and use the service for school purposes. Parents and carers should usually contact the school first about school-managed student records because the school controls the class relationship.

The School Agreement And Data Processing Terms set out school-specific rules for permitted educational purpose, school control of student data, export, deletion, incident notice, staff access removal and no marketing reuse.

Browser Storage, Analytics And IP Logs

Daily Maths Review uses browser storage such as session storage, local storage and service-worker cache to keep students signed in during a session, remember local practice counts, support offline/app-like loading and run the website properly. Class-code student sessions store a short verification proof, not the classroom password.

Daily Maths Review has removed the old Google Analytics and Google Tag Manager page tags from preserved legacy review pages. Current analytics should prefer Firebase/Google Cloud operational logs and server-side usage events controlled by Daily Maths Review.

Cloud Functions may use IP address transiently to derive country-level aggregate usage statistics when the server-side IP lookup provider is configured. Raw review and usage analytics should not store IP address or city-level location going forward. Product analytics events are minimised before storage and should not include student names, child names, emails, support messages, raw answers, room codes, class codes or raw student, class or teacher IDs. Support, feedback, issue-report, abuse-prevention and security records may keep IP address and country where needed to operate and protect the service. We use this information for service operation and aggregate reporting, not student advertising.

Where browser-based usage analytics is active, the browser supports a local opt-out setting. Opting out stops optional usage analytics on that browser, but does not stop essential security logs, support records, account records, classroom records or billing records needed to provide the service.

Browsers, hosting providers, CDNs and security tools may also create standard web logs when files, scripts, fonts or images are loaded.

Providers And Overseas Processing

We use third-party providers to run the service. Personal information may be processed in Australia and overseas, including the United States, European Union or European Economic Area, United Kingdom, Singapore and other countries where providers or their subprocessors operate. The exact country can depend on provider routing, hosting configuration, support access, CDN edge location and payment or email infrastructure.

• Firebase and Google CloudAuthentication, Firestore database, Cloud Functions, hosting, Firebase SDKs, operational logs, limited measurement and storage. Countries/regions: Australia, United States, Europe/EEA, Singapore and other Google data centre or subprocessor locations depending on the configured service.
• Google Fonts, gstatic and Google-hosted SDKsFont and script delivery, browser/device request logs and technical delivery logs. Countries/regions: United States and global Google infrastructure.
• StripeCheckout, Customer Portal, subscription billing, invoices, refunds, payment status, tax records and billing webhooks. Countries/regions: United States, Europe/EEA, United Kingdom and other countries where Stripe, payment methods, banks or subprocessors operate.
• BrevoTransactional email, support email delivery and optional marketing email for teachers or parents who opt in. Student accounts are not synced to marketing lists. Countries/regions: France/EU and other Brevo or subprocessor locations, including United States-based processors where used.
• IPGeolocation.ioOptional server-side IP lookup for country-level usage statistics, support context and abuse prevention. The lookup should run only when the API key is configured through server environment/config, and city-level location should not be stored going forward. Countries/regions: overseas/global provider and subprocessor locations.
• QRServer / goQR.meQR code image generation for live review links. The QR provider receives the encoded review or join URL needed to draw the QR image and may log technical request details such as IP address, browser, referring page and time. Countries/regions: Germany/EU and provider hosting locations.
• Public CDNs such as cdnjs, jsDelivr and unpkgDelivery of open-source scripts, styles, fonts or icon libraries on legacy pages. Countries/regions: global CDN edge locations, including United States and Europe/EEA providers or subprocessors.
• Google Workspace or email inbox providersSupport replies, privacy request handling and administrator communication. Countries/regions: Australia, United States and global provider infrastructure.

Provider lists and countries can change as providers update their infrastructure. We review this list when the platform changes materially.

Marketing And Email

Transactional emails are used for service messages such as account access, school setup, support replies, billing notices, security messages and important platform changes.

Marketing emails are used only for teachers, schools, parents or carers where there is consent or another lawful basis. Student accounts are not added to marketing lists. Marketing emails include unsubscribe or preference controls where required.

Retention Schedule

We keep information only while it is needed for the purpose collected, for school or account administration, for support, for security, for accounting and tax records, or because the law requires it. Unless a school agreement or legal obligation requires a different period, our current retention guide is:

• Teacher, parent and school account recordsKept while the account is active, then deleted or de-identified after a verified deletion request once support, billing, security and legal needs are resolved.
• School-managed class and student progress recordsKept while the teacher or school uses the class, then archived, deleted or de-identified on verified school request or when no longer needed for the educational purpose.
• Independent student and family practice recordsKept while the account or child profile is active, then deleted or de-identified after a verified deletion request unless retention is needed for safety, support or legal reasons.
• Billing, invoice, refund and tax recordsKept for up to 7 years after the relevant financial year, or longer if required for accounting, tax, dispute or legal purposes.
• Support, feedback and issue reportsNormally kept for up to 2 years after the last contact, or longer where needed to resolve a dispute, investigate a safety or security issue, or improve repeated faults.
• Raw usage, analytics, IP and geolocation logsRaw review and usage events should avoid storing IP addresses and city-level geolocation going forward. Support, feedback, issue-report, abuse-prevention and security logs that need IP address or country are normally kept for up to 24 months in identifiable form. Aggregated or de-identified statistics may be kept longer.
• Email delivery, consent and unsubscribe recordsEmail queue and delivery records are normally kept for up to 2 years. Marketing consent and unsubscribe records are kept while needed to respect the person's preference and prove consent status.
• Local browser storageKept on the device until the browser, user, app cache or website clears it.
• Backups and provider logsMay persist for a limited period after deletion until backup or provider retention cycles complete.

Security And Data Breaches

We use reasonable technical and organisational steps to protect information, including account access controls, provider security features, hashed class passwords for new classroom passwords, HTTPS, limited administrator access, logging and review of higher-risk changes. No internet service can guarantee absolute security.

If we suspect a data breach, our process is to contain the issue, preserve relevant logs, assess what information may be affected, reduce the risk of harm, document the assessment, involve providers where needed, and notify affected people, schools and the Office of the Australian Information Commissioner where the Notifiable Data Breaches scheme requires notification.

If a school-managed student record is affected, we will work with the relevant teacher or school contact where appropriate because they may need to communicate with students, parents or carers under their own obligations.

Access, Correction, Deletion And Export

Teachers can manage many class and student records through their account tools. Parents, carers and students should usually contact the teacher or school first for school-managed student information because the school controls the class relationship.

For privacy questions, access requests, correction requests, deletion requests or export requests, contact Daily Maths Review through the contact page. Include enough detail for us to find the account or class record, such as the account email, school name, class code, student first name, initial, nickname or classroom name and the request you want handled.

We may need to verify identity, school authority, parent or carer authority, account ownership, or whether fulfilling a request would reveal another person's information. We aim to respond within 30 days where practical. If we cannot complete a request, we will explain the reason where we can.

We do not charge for making an access or correction request. If a request requires unusual retrieval work and privacy law allows an access charge, we will explain that before proceeding.

Privacy Complaints

If you think Daily Maths Review has mishandled personal information, contact us through the contact page with the details of the issue and the outcome you are asking for.

We will acknowledge the complaint, investigate the relevant records or provider information, and aim to respond within 30 days. If we need more time, we will tell you why.

If you are not satisfied with our response, or we do not respond within 30 days, you may be able to complain to the Office of the Australian Information Commissioner at oaic.gov.au.

Changes

We may update this policy as the app and classroom platform develop, providers change, law changes or new features launch. The updated policy will be posted on this page with a new date. If a material change affects school-managed student information, billing or account rights, we will take reasonable steps to make the change visible to affected users or school contacts.