Privacy Policy
- Effective date:
- 2026-05-01
- Last updated: 2026-05-01
- Version 1.0.2
1. About this policy
Day One Education Pty Ltd (ABN 52 696 719 561, ACN 696 719 561) ("we", "us", "our") operates the DOE GAMSAT preparation platform. This policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have in relation to it.
This policy applies to all users of the DOE platform, including our website, web application, and any related services ("the Service"), regardless of where you are located. We have registered users primarily in Australia, the United Kingdom, and Ireland.
We are subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). If you are located in the European Economic Area ("EEA") or the United Kingdom, additional protections under the EU General Data Protection Regulation ("GDPR") or UK GDPR, respectively, also apply to you. Where those regimes impose stricter obligations, we meet the stricter standard.
This policy should be read alongside our Terms of Service. If you have questions
about how any specific feature handles your data, contact us at
legal@dayoneed.com.
2. Information we collect
We collect personal information through your direct interactions with the Service, automatically when you use the Service, and — in limited cases — from third-party providers.
2.1 Information you provide directly
- Account details: name, email address, and password (or third-party sign-in credentials) when you register.
- Profile information: educational background, target exam date, and preferences you add to your profile.
- Assessment content: essay responses, practice-question answers, and written input you submit through the Service for AI grading or tutor interaction. This content is treated as personal data.
- Payment information: billing name, billing address, and payment card details processed by our payment processor and merchant of record located in the United Kingdom and United States. We do not store full card numbers or payment credentials.
- Communications: messages you send to our support team via email or in-app channels.
2.2 Information collected automatically
- Usage data: pages visited, features used, time spent on activities, and interaction events collected through our web analytics provider.
- Device and connection information: IP address, browser type, operating system, and session identifiers.
- Cookies and similar technologies: session cookies, persistent preference cookies, and analytics identifiers. See §5 for details.
- Application logs: server-side logs including request timestamps, response codes, and identifiers used for debugging and security monitoring.
2.3 Phone and voice support
If you contact us by phone, calls are handled through our business telephony platform. An audible announcement is made at the start of the call that the call is being recorded, in accordance with Victorian law (Surveillance Devices Act 1999 (Vic)). Calls may also be transcribed using AI transcription software. Recordings and transcripts are retained for up to 24 months and used for quality assurance, training, and resolving disputes.
2.4 Information from third parties
- Authentication provider: if you use a social sign-in option, we receive your name and email address from that provider.
- Subscription state: RevenueCat provides us with your subscription tier and entitlement status. We do not receive your full payment history from RevenueCat.
- Analytics aggregates: our analytics provider provides aggregated behavioural data that may be linked to your account.
3. How we use your information
We process your personal information for the following purposes. Where the GDPR or UK GDPR applies, we identify the legal basis for each purpose.
| Purpose | Description | GDPR legal basis (Art 6) |
|---|---|---|
| Service delivery | Operate your account, deliver AI grading and tutor responses, track your progress | Contract (Art 6(1)(b)) |
| Billing and payments | Process subscription and credit purchases, issue receipts, manage renewals and refunds | Contract (Art 6(1)(b)) |
| Legal compliance | Retain financial records per ATO requirements, respond to lawful requests from authorities, meet obligations under applicable law | Legal obligation (Art 6(1)(c)) |
| Security and fraud prevention | Detect and prevent unauthorised access, abuse, and fraudulent transactions | Legitimate interests (Art 6(1)(f)) |
| Service improvement | Understand feature usage, diagnose bugs, improve performance | Legitimate interests (Art 6(1)(f)) |
| Communications | Send transactional emails (receipts, account notices, password resets) | Contract (Art 6(1)(b)) |
| Marketing | Send newsletters, product updates, and promotional content | Consent (Art 6(1)(a)) — see §14 |
| AI training | Improve AI models using your content | Consent (Art 6(1)(a)) — see §7 |
| Support | Respond to your queries, maintain support records, review call recordings | Legitimate interests (Art 6(1)(f)) |
| Analytics | Measure platform-wide engagement and diagnose performance issues | Legitimate interests (Art 6(1)(f)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may request a copy of that assessment by contacting us.
We will not use your personal information for a purpose that is materially different from those described above without providing you with prior notice and, where required, obtaining your consent.
4. AI and automated decision-making
4.1 How AI is used in the Service
The Service uses large-language-model AI to grade your essay responses and to provide AI tutor interactions. These are core features of the product. AI-generated outputs (grades, feedback, scores) are intended to supplement your preparation and should not be treated as a definitive academic assessment.
4.2 Automated grading and your right to human review
Our AI grading feature produces scores and detailed feedback automatically, without routine human review of each individual submission. Under GDPR Article 22, if you are located in the EEA or the UK, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. While we consider AI grading to be a study tool rather than a legally significant determination, we take the spirit of this right seriously and extend it to all users regardless of location.
You may request a human review of any AI-generated grade by emailing
support@dayoneed.com with the subject line "Human Review Request" and
identifying the submission in question. We will complete the human review and
provide you with written feedback within 10 business days of receiving your
request. Human review is provided at no additional charge.
4.3 Profiling
We use aggregated usage data to personalise your in-app experience — for example, surfacing content relevant to your progress. This is not automated decision-making that produces legal or significant effects. You may object to this use of your data at any time under §10.
5. Cookies and similar technologies
5.1 What we use cookies for
We use the following categories of cookies and similar technologies:
| Category | Purpose | Default |
|---|---|---|
| Strictly necessary | Session management, authentication, security tokens | Always on |
| Functional | Remembering your theme and preference settings | Always on |
| Analytics | Measuring platform usage via our analytics provider | On |
| Marketing | Tracking ad conversions and retargeting | Off unless consented |
5.2 Your cookie choices
You can control analytics and marketing cookies through the cookie preference centre, accessible from the footer of every page. Strictly necessary and functional cookies cannot be disabled without impairing the Service.
Your browser also provides controls to block or delete cookies. Note that blocking strictly necessary cookies will prevent you from logging in.
5.3 Google Analytics
We use Google Analytics 4 to collect aggregated usage statistics. Google Analytics collects information including your approximate location (derived from IP), device type, and pages visited. We have configured Google Analytics with IP anonymisation enabled and have Data Processing Addendum terms in place with Google. Data collected through Google Analytics is transferred to Google's servers in the United States under Standard Contractual Clauses.
6. How we share your information
We do not sell your personal information. We share it only as described below.
6.1 Subprocessors
We use third-party subprocessors to operate the Service. A current list of our
subprocessors, including their names, locations, and the categories of data they
process, is maintained at /legal/subprocessors. We update that list when we
add or change a material subprocessor.
At a category level, we share data with:
- Cloud infrastructure and database providers — to host the application and store your data.
- Authentication and session management providers — to manage your login credentials and session security.
- Payment processors — to process subscription and credit purchases.
- Subscription management providers — to track your subscription entitlements and usage.
- Transactional email providers — to send you receipts, notifications, and support replies.
- Business telephony providers — to provide phone support with call recording and AI transcription capability.
- AI and large-language-model API providers based in the United States — to power AI grading and the AI tutor.
- Web analytics providers — to measure platform-wide engagement.
- Feature flag providers — to control gradual feature rollouts.
All subprocessors are engaged under written agreements that require them to protect your data to a standard consistent with this policy and applicable law.
6.2 Legal disclosures
We may disclose personal information to government authorities or law enforcement where required by law, where necessary to protect our legal rights, or to prevent serious harm. Where practical and legally permitted, we will notify you of such disclosure.
6.3 Business transfers
If we are involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice of any such change before your data is subject to a materially different privacy policy.
7. AI training — opt-in only
We will only use your submitted content (including essay responses and AI tutor interactions) to train or fine-tune AI models if you have explicitly opted in through your account settings. This consent is:
- Off by default — your content is never used for AI training unless you actively enable this in your account settings.
- Freely given — declining to opt in will not affect your access to any feature, the quality of AI grading applied to your account, or the price you pay. Opting out carries no penalty of any kind.
- Granular — you consent to AI training separately from accepting these policies and separately from consenting to marketing communications.
- Revocable at any time — you may withdraw your consent by turning off the AI training toggle in your account settings. We will honour your withdrawal within 30 days, after which no further content from your account will be used for training purposes. Content already incorporated into a trained model may not be retroactively removable from that model's weights, but we will cease all new use.
Where GDPR or UK GDPR applies, your consent to AI training constitutes a withdrawal from the protections of GDPR Article 22 only to the extent expressly described above. The legal basis for AI training processing is consent (GDPR Art 6(1)(a)).
8. International transfers
8.1 Primary data location
Your personal information is primarily stored in Sydney, Australia (AWS ap-southeast-2 region). We have chosen this location to keep Australian user data within Australia where possible.
8.2 Transfers outside Australia
Operating the Service requires transferring certain data to subprocessors located outside Australia. These transfers include:
- United States — AI and large-language-model API providers, subscription management, transactional email, business telephony, and web analytics.
- United Kingdom — payment processing and merchant of record services.
- Singapore — application hosting infrastructure.
For transfers from the EEA or UK to non-adequate third countries (including the United States and Singapore), we rely on Standard Contractual Clauses ("SCCs") as the legal transfer mechanism — specifically Module 2 (controller-to-processor) or Module 3 (processor-to-processor) of the European Commission's standard clauses, and their UK IDTA equivalent where UK law applies.
For transfers from Australia, we take reasonable steps to ensure that overseas recipients handle personal information consistently with the APPs, including through contractual protections. By using the Service, you acknowledge that your information may be transferred to these countries, which may have different privacy laws from those in Australia.
8.3 Adequacy
Where a transfer destination country has been recognised as adequate by the European Commission or the UK Secretary of State, we rely on that adequacy decision in addition to or in lieu of SCCs.
9. How long we keep your information
We retain personal information only as long as necessary for the purpose it was collected, subject to the following specific schedules:
| Category | Retention period | Reason |
|---|---|---|
| Account and profile data | Active period + 36 months from last activity, then deletion review | Service continuity and dispute resolution |
| AI grading and tutor interaction content | 24 months from date of submission | Service delivery and support |
| Payment and billing records | 7 years from transaction date | ATO tax record-keeping obligations |
| Support records (emails, tickets) | 24 months from case closure | Quality assurance and dispute resolution |
| Call recordings and transcripts | 24 months from call date | Quality assurance and dispute resolution |
| Consent and withdrawal records | Duration of consent + 3 years after withdrawal | Compliance and audit trail |
| Security and access logs | 90 days from creation | Security monitoring |
| Anonymised analytics | Indefinite (not personal data once anonymised) | Aggregate platform analytics |
At the end of the applicable retention period, we will either securely delete or irreversibly anonymise the data, unless a longer period is required by law.
You may request deletion of your account and personal data at any time under §10. We will action deletion requests within 30 days except where a legal obligation requires us to retain specific records for longer.
10. Your rights
10.1 Rights available to all users (Australia and worldwide)
Under the Privacy Act 1988 and generally, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or out-of-date personal information.
- Complain about a breach of the APPs to the Office of the Australian Information Commissioner ("OAIC").
- Request information about what data we hold and how we use it.
10.2 Rights under GDPR and UK GDPR (EEA and UK users)
If you are located in the EEA or the UK, you additionally have the right to:
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal obligations.
- Restriction — ask us to pause processing your data while a complaint is resolved.
- Data portability — receive a copy of data you have provided to us in a structured, machine-readable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Not to be subject to solely automated decisions that produce legal or significant effects — see §4 for our human review process.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
10.3 How to exercise your rights
You may exercise most rights directly through your account settings. For
requests that cannot be completed in-app (such as full data export or account
deletion), email support@dayoneed.com with your request. We will respond
within 30 days for Australian and general requests, and within 1 month
(extendable to 3 months for complex requests, with notice) for GDPR/UK GDPR
requests.
We may ask you to verify your identity before actioning a request that would grant access to or delete personal data.
11. Security
We implement technical and organisational measures designed to protect your personal information against unauthorised access, loss, misuse, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest.
- Access controls and role-based permissions limiting who can access personal data.
- Managed database and authentication infrastructure with industry-standard security practices.
- Regular security reviews of application code and infrastructure.
- Staff access to personal data restricted to those who need it to perform their role.
No method of transmission over the internet or electronic storage is completely
secure. While we take reasonable steps to protect your data, we cannot guarantee
absolute security. If you believe your account has been compromised, contact
support@dayoneed.com immediately.
12. Data breach response
12.1 Detection and assessment
We maintain procedures for detecting, assessing, and responding to data breaches. When we become aware of a potential breach, we will investigate to determine whether personal information has been compromised and assess the likely harm to affected individuals.
12.2 Notification to regulators
- Australia (NDB Scheme): If a breach is likely to result in serious harm to any individual, we will notify the OAIC as soon as practicable after we are aware the breach has occurred, and no later than 30 days after forming a reasonable belief that a notifiable data breach has occurred.
- EEA (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, where feasible.
- UK (UK GDPR): We will notify the ICO within 72 hours on the same basis.
12.3 Notification to affected individuals
Where a breach is likely to result in high risk to affected individuals, we will notify those individuals without undue delay after discovery. Notification will include: a description of the nature of the breach, the categories of data affected, the likely consequences, the measures taken to address the breach, and contact details for further enquiries.
13. Minors
The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18.
We do not operate a parental-consent pathway for users under 18. If you are under 18, do not create an account or submit any personal information to the Service.
If we become aware that we have inadvertently collected personal information
from a person under 18, we will delete that information promptly. If you believe
we may have collected data from a minor, please contact us at
legal@dayoneed.com.
14. Marketing communications
We will only send you marketing communications (including newsletters, product updates, promotional offers, and exam preparation tips) if you have given us your express consent to do so.
Marketing consent is collected separately from your acceptance of these policies and our Terms of Service. Declining marketing consent does not affect your ability to use the Service or the price you pay.
You may withdraw marketing consent at any time by:
- Clicking the "unsubscribe" link in any marketing email we send you; or
- Updating your communication preferences in your account settings; or
- Emailing
support@dayoneed.comwith your request.
Withdrawal of marketing consent will be processed within 5 business days. You will continue to receive transactional and service communications (such as receipts, password resets, and important account notices) regardless of your marketing preference, as these are necessary for the operation of the Service.
15. Changes to this policy
We may update this policy from time to time. When we do:
- We will update the "last updated" and "effective date" fields at the top of this document.
- For material changes — that is, changes that meaningfully affect how we process your data or reduce your rights — we will provide at least 30 days' notice before the change takes effect, via email to your registered address and an in-app notice.
- For non-material changes (such as corrections, clarifications, or additions that do not reduce your rights), we will post the updated policy without prior notice, though the updated date will reflect the change.
If you object to a material change to this policy, you may close your account and request deletion of your data before the change takes effect. Continued use of the Service after the effective date of a material change constitutes acceptance of the revised policy.
Prior versions of this policy are available on request by contacting
legal@dayoneed.com.
16. Contact and complaints
Day One Education Pty Ltd Unit 1712, 7 Claremont Street South Yarra VIC 3141 Australia ABN 52 696 719 561
Legal and privacy enquiries: legal@dayoneed.com General support:
support@dayoneed.com
We aim to respond to all privacy enquiries within 10 business days.
Complaints
If you believe we have handled your personal information in a way that breaches applicable privacy law, we encourage you to contact us first so we can attempt to resolve the matter.
Australia: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
EEA: You have the right to lodge a complaint with the data protection authority ("DPA") in your country of residence or establishment, or where the alleged infringement occurred.
UK: You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
We welcome feedback and will treat all complaints seriously and objectively.
Supplement: EEA users
If you are located in the European Economic Area, the EU GDPR applies to our processing of your personal information.
Our representative: We do not currently have a designated EU GDPR
representative. EEA users may contact us directly at legal@dayoneed.com. We
will review our representative obligations as our EEA user base grows.
Data controller: Day One Education Pty Ltd is the data controller for all personal information collected through the Service.
Legal bases: See §3 for the GDPR legal basis applicable to each processing purpose.
Supervisory authority: You have the right to lodge a complaint with the supervisory authority in your EEA member state. If you are located in Ireland, the relevant authority is the Data Protection Commission (DPC); in Germany, the relevant federal authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
Transfers: As described in §8, transfers outside the EEA are governed by Standard Contractual Clauses (Module 2 or Module 3 as applicable).
Supplement: UK users
If you are located in the United Kingdom, the UK GDPR (as retained in UK law) and the Data Protection Act 2018 apply to our processing of your personal information.
Data controller: Day One Education Pty Ltd is the data controller.
Supervisory authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Transfers: Transfers of your personal information outside the UK rely on the UK International Data Transfer Agreement (IDTA), which serves as the UK equivalent of the EU's Standard Contractual Clauses.
UK adequacy: Australia does not currently hold a UK adequacy decision. We therefore rely on the IDTA for transfers of UK user data to Australia and our Australian-based infrastructure.
Supplement: AU users
If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") govern our handling of your personal information.
Access and correction: You may request access to, or correction of, your personal information held by us at any time. We will respond within 30 days and will not charge a fee for access requests.
Anonymity: Where it is lawful and practicable, you may interact with us anonymously or using a pseudonym. Note that you cannot use most core features of the Service anonymously, as we need to associate your progress and submissions with your account.
Sensitive information: We do not intentionally collect sensitive information as defined under the APPs. Please do not include health, ethnic, religious, or other sensitive information in your essay responses or support communications unless it is directly relevant to your GAMSAT preparation.
OAIC: The Office of the Australian Information Commissioner oversees compliance with the APPs. You can contact the OAIC at oaic.gov.au or on 1300 363 992 if you have a concern we have not resolved to your satisfaction.