Clearboard Privacy Policy
1. About this policy
Clearboard is a teaching platform for Australian primary and secondary schools (Foundation through Year 12). This policy explains what personal information we may collect about you, how we may use it, where it is stored, and what rights you have over it. It is published in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles, and Clearboard treats itself as fully subject to the Privacy Act regardless of organisational turnover.
Clearboard is operated by Ethan Sweet, sole trader (ABN to be issued on incorporation), with incorporation as Clearboard AI Pty Ltd planned before the first paid Standard Tier conversion. Our Privacy Officer is Ethan Sweet, reachable at info@clearboard.com.au. This policy applies to teachers who use the platform, schools that hold an active licence (pilot or Standard), parents and guardians who interact with us about a child's records, and visitors to clearboard.com.au.
Depending on the information being processed and our role in processing it, Clearboard may act as a data controller, a data processor, or both. For records about a student processed on a school's behalf, the school is the data controller and Clearboard is the data processor. For records about teachers (their accounts, lessons, and support communications), Clearboard is the data controller.
For schools entering a pilot, this policy is accompanied by companion documents (Privacy Impact Assessment, NCCD Security Document, Deletion Runbook, Breach Response Runbook), available on request from the Privacy Officer.
A few key terms are used throughout this policy. Personal information has the meaning given in the Privacy Act 1988 (Cth). Sensitive information has the meaning given in the Privacy Act and includes health information; Clearboard does not collect sensitive information about students. School means a primary or secondary school in Australia that holds an active licence. Teacher means a person who holds a Clearboard account under a school's licence. Student means a child or young person whose records are processed by their school on the platform; students do not have accounts. Draft means content produced by Clearboard's AI content engine in response to a teacher's request. Audit log means an append-only record of system events. Sub-processor means a third party we engage to help operate the platform.
2. Information we may collect, how we use it, and our AI processing
What we may collect
Depending on how you interact with Clearboard, we may collect personal information from four broad sources.
From you, when you use the platform. When you sign up, we may collect your name and school email address. As you use Clearboard, we may collect the class rosters you build (including student names and year levels), the lesson plans, activities, and worksheets you create or edit, and the student progress records you maintain, including achievement bands per ACARA strand, readiness states, and three boolean flags (NCCD, Gifted and Talented, and English as an Additional Language or Dialect, each recorded as true or false only). Where your school has activated the NCCD module, we may additionally collect the NCCD records described in Section 6. We also retain the text of any prompt you send to our AI content engine, along with any context you include in it, and any support communications you send us at info@clearboard.com.au.
From the school as customer. When a school signs up to Clearboard, we may collect the school's name and the contact details of its billing administrator and primary school admin (name, email, role). Once a paid licence is in place, we may also collect the school's ABN, together with any school-level configuration the administrator enters into the platform.
Automatically when you use the platform. As you use Clearboard, our servers may automatically log standard platform telemetry, including your IP address, browser type and version, device type, time zone, session identifier, the pages you load, and any error events the platform generates. We use this telemetry to operate, secure, and improve the platform, and we do not build profiles of individual teachers from it.
What Clearboard may generate. As part of operating the platform, Clearboard may also produce records of its own, including the drafts our content engine generates in response to your prompts, authentication records (such as login times, logouts, and password resets), and the system audit records described in Section 7.
What we deliberately do not collect. Several categories of personal information are excluded from Clearboard by design. We do not collect any disability category, diagnosis, medical history, or clinical information, nor any biometric data, photographs, video, or audio of students. We do not collect government identifiers (Medicare, USI, TFN, or state student identifiers), and we do not collect financial information beyond what is essential for school billing. We do not collect demographic information about students such as age beyond year level, gender, ethnicity, or religion, and we do not collect parental contact details beyond what a teacher may enter into a parent report. Students do not have accounts on the platform and do not enter information into Clearboard directly.
How we may use it, and why
We may use the information we collect for the purposes set out below, and for each purpose the lawful basis under the Privacy Act is shown in parentheses.
We may use your information to deliver the platform itself (hosting your account, storing your records, and returning them to you on request) and to produce the drafts and reports you request from our AI engine (contract performance). Where your school has activated the NCCD module, we may use information to record and support its NCCD census obligations (legal obligation under the Australian Education Regulation 2013; see Section 6). We may also review anonymised, aggregated usage patterns to improve the product (legitimate interest), although we do not access the content of specific lesson plans, activities, or student records for product-improvement purposes.
We may use your information to secure the platform against fraud, abuse, and unauthorised access (legitimate interest), to respond to your support requests (contract performance), and to send you service communications such as outage notices, billing notices, and the breach notifications described in Section 10 (contract performance, and for breach notifications, legal obligation). Where required, we may use information to meet our legal and dispute-resolution obligations (legal obligation).
We may also use information about you to market Clearboard externally (through paid advertising, our website, conferences, and direct outreach to schools), but only information collected outside the platform, such as publicly available school contact details or anything you have supplied to us through our book-a-demo form (legitimate interest). We do not use information collected through the platform itself for any external marketing, and we do not use platform data to target advertising. If you have given us your details outside the platform and we send you marketing communications, you may opt out at any time by clicking the unsubscribe link in any such email or by emailing the Privacy Officer.
We do not use your personal information to train our own AI models.
AI processing and the closed-loop principle
Clearboard's content engine produces drafts in response to teacher prompts. When you make a request, we send the text of your prompt and any context you include in it (which may include student names if you put them in) to our AI inference provider. We do not send the structured database of student progress records, NCCD records, consultation notes, achievement bands, or flags; the AI engine sees only what you put into the request.
The inference happens in an Australian region of our AI inference provider's infrastructure wherever possible, and no Clearboard data is stored outside Australia. The provider's paid-tier commercial terms exclude customer prompt and response data from the training of provider models, and apply zero-retention or short-retention windows for prompt content; the exact terms applicable to Clearboard are documented in our Privacy Impact Assessment.
We may retain your prompt and the resulting draft, attached to your account, for as long as your school's licence remains active. You may delete an individual draft at any time, and a draft remains a draft until you publish it.
Every AI-generated output is a draft you review before it reaches any student or parent. No automated decision is made about any individual student, teacher, or parent without your review and explicit publication action, and no path in the platform allows AI output to bypass teacher sign-off. We refer to this throughout the policy as the closed-loop principle.
3. Where it is stored and who else may handle it
All Clearboard production data is stored in Australia, using third-party Australian cloud infrastructure providers. Database backups are kept in Australia and retained for up to 35 days, and our application logs are kept in Australia for up to 90 days. AI inference also happens in an Australian region (see Section 2). Static assets and routing metadata may transit global content delivery network edge nodes, but no personal information is stored outside Australia, and all Clearboard personnel and contractors with access to production data are located in Australia. The named providers, the regions they operate in, and the configuration applicable to Clearboard are all documented in our Privacy Impact Assessment. No Clearboard data leaves Australia.
We may engage third parties (sub-processors) to operate parts of the platform. The categories of sub-processor we may use are an Australian cloud infrastructure provider for compute, storage, and database; an AI inference provider for drafts (see Section 2); a transactional email provider for account invites, service reminders, and breach notifications; a public-website analytics provider for marketing pages only (see Section 4); an error monitoring provider for stack traces from the platform (which may include limited personal information); a payment processor (Standard Tier only); and professional advisors such as lawyers, accountants, insurers, and security reviewers, who may handle information under written confidentiality on a need-to-know basis. Each sub-processor operates under a Data Processing Agreement consistent with the Australian Privacy Principles, and the current list, the role each provider plays, and the applicable DPAs are available on request from the Privacy Officer.
Sub-processor change notice. We will notify each school by email at least 30 days before adding a new sub-processor that processes personal information, or materially changing the role of an existing one. A school that objects on reasonable grounds may terminate without penalty.
We may also share information with a successor entity in connection with incorporation, merger, or sale (subject to the successor assuming this policy or providing equivalent protections); with law enforcement where required by valid legal process (see Section 10); and with any other party where reasonably necessary to protect Clearboard, our users, or third parties from fraud or material harm. We do not share Clearboard data with advertising networks, marketing platforms, or government identifier systems.
4. Cookies, our marketing site, and external links
Inside the authenticated platform we use only the cookies strictly necessary to operate the service, a session cookie that expires when you close your browser or after 7 days of inactivity (whichever is sooner), a per-request CSRF token, and an HTTP-only authentication cookie. We do not set any advertising or analytics cookies inside the authenticated platform.
On clearboard.com.au, our public marketing pages may use standard, privacy-respecting website analytics (with IP truncation) and may run advertising campaigns on third-party platforms. We honour the Global Privacy Control signal: if your browser sends GPC, analytics and advertising cookies will not be set. Where required, a cookie consent banner manages your choices. Public-website analytics and advertising do not have access to any information collected through the authenticated Clearboard platform.
Our book-a-demo form may collect your name, school, role, school email, and a free-text note. We may retain demo leads for up to 24 months from last contact, and we use them only to follow up about Clearboard. You may ask us to delete a lead at any time.
The marketing site and the Clearboard platform may link to external websites we do not control. Please review the privacy practices of any external site you visit through one of our links.
5. Children's data
Students do not have Clearboard accounts, do not log in, and do not enter information directly into the platform. Clearboard supports Foundation through Year 12 (students aged approximately 5 to 18), and all students are minors, with the youngest students being under 13.
The school is the data controller for student records. The school's enrolment-time consent, which may include parental or guardian sign-off where required by state education law, is the lawful basis for processing student records on the platform, and we rely on the school to inform parents and guardians at enrolment that Clearboard may be used in their child's classroom. We do not market to children, we do not advertise on the platform, and there is no path by which a child may be contacted through Clearboard.
Parents and guardians seeking access to or correction of their child's records should contact the school in the first instance. If the school does not respond satisfactorily, parents and guardians may complain to Clearboard's Privacy Officer (Section 9) and, if our response also does not resolve the matter, escalate to the Office of the Australian Information Commissioner.
When a student reaches the age of 18 during an active enrolment, the school continues to be the data controller for as long as the school holds the enrolment, and the (now adult) student may direct access or correction requests through the school in the same way as before.
The Children's Online Privacy Code 2026, expected to be finalised on or around 10/12/2026, may impose additional obligations on platforms that handle children's data. Clearboard's architecture has been designed to comply pre-emptively: students do not log in, student-level personal information is prevented from reaching any AI provider as structured data, and any future student-facing feature will be paused until any required parental-consent flow is in place. We will endeavour to update this policy within 60 days of the Code being finalised and notify every school using the platform at that time.
6. The NCCD module
The NCCD module helps schools meet their obligations under the Australian Education Regulation 2013 and the Disability Standards for Education 2005, in support of the annual Nationally Consistent Collection of Data on Students with Disability census.
Where activated, the module may record adjustments (type, level, active dates, and optional notes), text-only consultation logs (date, participants, summary), termly or per-unit reviews, and append-only adjustment comments. Adjustment comments cannot be edited or deleted once saved; corrections are added as new comments, and the change is itself logged.
By design, the module does not record any disability category, diagnosis, or clinical information; no medical history; no file or audio attachments; and no per-lesson NCCD logging.
Access to NCCD records is restricted by role. Classroom teachers may see records only for students in their classes. NCCD coordinators, who are nominated by the school (one or more per school), have a cross-school view for the purposes of preparing the census. Principals and deputy principals have a verification view used during the annual census, and casual relief teachers see adjustment types only, with no access to consultation notes or reviews.
Every NCCD record creation, comment, review, and access event is captured in an append-only audit log, and entries cannot be modified or removed once written. We may retain this audit log for the longer of seven years or any statutory retention period applicable under federal or state education law, in order to support the NCCD census obligation. The exemption applies to the audit trail of NCCD records, not to the underlying records themselves, and the school's NCCD coordinator and principal may request access to the audit log.
The NCCD module is feature-flagged off by default. Activation at a school requires the school to have executed an agreement with the module expressly enabled, to have nominated an NCCD coordinator, and to have had reasonable opportunity to seek independent advice. The Privacy Officer may refuse activation where these conditions are not satisfied.
7. Retention, deletion, and audit logs
Clearboard is built around longitudinal student progress: a Year 4 student's records continue to support them as a Year 5, Year 6, and beyond. We may retain personal information for as long as we have a lawful basis or legitimate interest to do so, and at minimum for as long as the school holds an active licence.
A core part of the Clearboard service is the ability to track student progress across multiple school years, and we may retain student records and historical learning data across school years provided the school's licence remains active. When a teacher leaves a school, records they authored stay with the school (the school is the controller for those records), and the teacher's personal account credentials are deactivated. The teacher may request a copy of personal information attached to their account (see Section 9).
A school may at any time, in writing, request deletion of all records under its account, or deletion of a specific student, teacher, or record. We will action a deletion request within 30 days, and backup copies will age out under the general 35-day backup window described in Section 3. We may retain a minimal record of the fact that a deletion took place, for audit purposes.
Where this policy refers to "deletion", we mean removal of the record and any identifying copies. Where we refer to "anonymisation", we mean stripping the record of identifiers so it is no longer reasonably linkable to an individual; anonymised data is no longer personal information under the Privacy Act and may be retained indefinitely for product improvement.
If a school chooses not to renew its licence, we may, subject to applicable data privacy laws, retain the school's account and historic data so that prior records remain available if the school chooses to return at a later date. If the account remains inactive for an extended period and we no longer have a lawful basis to retain identifying information, we may delete or anonymise the data, and we will notify the school's last known contact before doing so.
Clearboard also maintains a system audit log that records login events, role changes, deletions, and material configuration changes. We may retain this log for up to 13 months, in Australia, and a school administrator may request a summary covering their school. NCCD audit log retention is covered separately in Section 6.
8. Security
We take reasonable technical and organisational steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security outcomes include:
- Encryption of personal information at rest and in transit.
- Role-based access controls so users see only the records they are entitled to access.
- Passwords stored using one-way hashing; we cannot recover your password.
- Multi-factor authentication will be available to school administrators and teachers before Standard Tier launch.
- Session expiry after inactivity (see Section 4).
- Append-only audit logging (see Sections 6 and 7).
- Security certifications maintained by the third-party Australian providers we engage.
- An internal incident-response procedure (the Breach Response Runbook, available to schools on request).
- Personnel with access to production data have signed written confidentiality undertakings and complete privacy and security training.
- A vulnerability disclosure address: email
info@clearboard.com.auwith "Security" in the subject line. We will endeavour to acknowledge within five business days. - An annual third-party security review from Standard Tier launch.
No automated decision is made about any individual student, teacher, or parent without a teacher's review and explicit publication action (see Section 2).
Professional indemnity and cyber liability insurance will be in place before any school may convert from a pilot to a Standard Tier subscription. On Standard Tier conversion, Clearboard may place a copy of the platform source code in escrow with a reputable Australian escrow provider, with the converting school named as a beneficiary.
Detailed technical and organisational controls are documented in the Privacy Impact Assessment, which is available on request to schools and to authorised IT or security reviewers.
9. Your rights and complaints
Subject to applicable data privacy laws, you may have the right to ask us to give you a copy of your personal information, to correct anything that is wrong, to remove information where we have no legitimate interest or lawful basis to retain it, to receive a portable copy of information you have provided to us, and to withdraw any consent you have given where consent is the basis for our processing.
To make a request, please email info@clearboard.com.au and include your name, your role (teacher, school admin, parent, or other), the school you are associated with where relevant, and what you are asking for. We may ask you to verify your identity before we respond, particularly for access or deletion requests; we will use the least intrusive verification consistent with the request. We will endeavour to acknowledge requests within 14 days and to provide a substantive response within 30 days.
Teachers may access and correct their own information directly through the platform, or email us for anything not directly accessible. Parents and guardians should contact their child's school in the first instance (see Section 5). Schools may request a complete export of every record under their account, or deletion of all records under their account, in writing.
Where applicable, we provide exports in a machine-readable format (CSV or JSON). Audit logs are provided as a read-only export and are not modifiable.
We may refuse a request in the limited circumstances permitted by the Privacy Act, including where the request is frivolous or vexatious, where providing the information would unreasonably affect another individual's privacy, where the information relates to legal proceedings, or where another exemption applies. If we do refuse, we will tell you why and how you may complain. Where consent is the basis for a specific use (for example, opting out of anonymous product-improvement analytics, or opting back in), you may change your choice at any time by emailing the Privacy Officer.
While we do our best to keep your personal information safe by following high standards, no security system is one-hundred-percent secure. You also have to play your part by keeping your username and password safe, and by notifying us promptly if you believe your account has been accessed without your permission.
If you believe Clearboard may have breached this policy or your privacy rights under the Privacy Act 1988, please email info@clearboard.com.au with "Privacy complaint" in the subject line. Include your name, your role, the school you are associated with where relevant, what happened, and what outcome you are seeking. We will endeavour to acknowledge complaints within 14 days and provide a substantive response within 30 days, and if our response does not resolve the matter, you may escalate to the Office of the Australian Information Commissioner (oaic.gov.au).
Access requests, correction requests, complaints, and breach reports are free of charge, and we will not treat you adversely for exercising any of your privacy rights or making a complaint.
10. Data breaches and legal disclosure
An eligible data breach under the Privacy Act 1988 occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by Clearboard, and a reasonable person would conclude that the breach is likely to result in serious harm to one or more individuals. Where an eligible breach occurs, the Privacy Act requires us to notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, and in any case within 30 days of becoming aware of the breach.
Our additional commitment to schools is that we will endeavour to notify each affected school within 48 hours of confirming an eligible breach, work with the school to notify affected individuals (the school is often best placed to communicate with parents and guardians), and share a post-incident report. Affected individuals will be told a description of the breach, the kinds of information involved, the steps we are taking, the steps we recommend, and how to contact us. We may detect breaches through logging, automated alerting, periodic review by Clearboard personnel, and reports from schools, teachers, and security researchers. If you believe a breach may have occurred, please email info@clearboard.com.au immediately with "Suspected breach" in the subject line.
We may also be required to disclose Clearboard data in response to a valid legal demand (subpoena, search warrant, court order, or other lawful instrument). Where compelled, we will assess the validity and scope of the demand, push back on demands that appear overbroad or that exceed legal authority, disclose only the data the demand requires, and endeavour to notify the affected school unless the legal instrument itself prohibits notification.
Voluntary disclosure to law enforcement or other authorities is not made except where reasonably necessary to prevent a serious and imminent threat to life or safety, and even then only on the advice of the Privacy Officer and, where time permits, with the school's consent.
From Standard Tier launch, we will publish an annual transparency note recording the number of legal demands received and the number complied with, in each case without identifying the requesting authority or the affected schools.
11. Service tiers, changes to this policy, and contact
Clearboard is offered in two tiers. The pilot is a no-fee or reduced-fee evaluation period under a written pilot agreement, with limited service-level commitments. Standard Tier is a paid subscription under a Standard Tier agreement, which adds the insurance, escrow, annual third-party security review, and transparency note described in Sections 8 and 10. This policy applies to both tiers.
We will not make material changes to this policy that are inconsistent with the lawful basis on which we currently process your information, or with any consents previously given, without first obtaining further consents where required by applicable data privacy laws. Where a change is material (including a change in the categories of information we collect, a change in the lawful basis for processing, the addition of a new sub-processor that processes personal information, or a material change in retention), we will notify each school by email to its primary admin contact at least 30 days before the change takes effect. The version number and effective date at the top of this document are updated on every material change, and previous versions are available on request. The latest version is always published at clearboard.com.au/privacy. A school that does not accept a material change may terminate the licence without penalty before the change takes effect.
If you have any questions, our Privacy Officer is Ethan Sweet, reachable at info@clearboard.com.au (preferred) or `ethan.sweet15@outl