What we’ll do with your data, in writing.

The school is the data controller: it decides what personal information is collected from its students and staff, and why.

Big Wella (ABN 77 683 247 003), the sole trader behind WellRead, is the data processor: it holds and processes school data on the school’s instructions. Big Wella is based on the Sunshine Coast, Queensland, and trades under the registered business name Big Wella.

Categories of data we process

• Identifying information for students (name, year level, school email) and staff (name, school email, role).
• Reading activity (saved books, finished books, ratings, reading-streak progress, vibe-quiz answers).
• Curation actions performed by staff (carousels, holiday selections, content-suitability ratings, enrichment edits, withdrawals).
• Audit log entries.

Categories we explicitly do not process

• Location coordinates.
• Biometric data.
• Health data.
• Behavioural advertising profiles.
• Third-party social-graph data.

Purposes of processing

• Provide the WellRead reading-discovery experience to students.
• Provide the Library Hub and Teacher Dashboard to staff.
• Support the school.
• Improve the platform on the basis of aggregate, de-identified signal only.

Production tenant data is hosted in Australia on Amazon Web Services (AWS), Sydney region (ap-southeast-2). The application runs on ECS Fargate; the primary database is RDS Postgres; encrypted backups go to S3; observability is via CloudWatch — all provisioned in-region. The book catalogue, which contains no student data, is held alongside but in a separate data store.

WellRead is delivered as a managed cloud SaaS. Schools do not self-host. Each school receives its own subdomain on the platform; tenant data is logically separated by schoolId on every row, with hard foreign-key constraints preventing cross-tenant reads or writes.

The marketing site (wellreadreader.com) is hosted separately on Netlify and contains no tenant data. Some other sub-processors operate offshore — see §5 for the named list, the country of operation, and the type of data each one sees. We will not move production tenant data to a non-Australian region without giving the school at least 30 days’ written notice and an opt-out window.

The DPA documents our technical and organisational measures in detail. They are aligned with the Office of the Australian Information Commissioner’s “Guide to securing personal information” and with the Australian Cyber Security Centre’s Essential Eight at Maturity Level 1 baseline (targeting Maturity Level 2 on multi-factor authentication, patching, and backups within 12 months).

• TLS 1.2+ for all data in transit; HSTS preload.
• AES-256 encryption at rest for database and backups.
• Role-based access control: students see only their own data; teachers see only their classes; librarians see their school.
• Operator (Big Wella) access is logged, time-bounded, and only used for support tasks at a school’s request.
• Multi-factor authentication on every operator account (database, hosting, email, source control, password manager).
• Cross-site request forgery defence on all state-changing APIs; SameSite cookies; Content Security Policy on the public site.
• Critical CVEs patched within 48 hours; standard updates within 2 weeks.
• Daily encrypted off-site backups; quarterly restore drill; 90-day retention.
• Documented Data Breach Response Plan with a named incident captain.

The third-party services that process tenant data on our behalf. Each operates under back-to-back data-protection terms.

A current sub-processor list is provided to schools on request and reviewed quarterly. Schools will receive at least 30 days’ notice before any new sub-processor begins processing their data, with an opt-out window during which they may terminate the agreement without penalty if the addition cannot be reconciled.

Where any sub-processor is located outside Australia (see §5), Big Wella complies with Australian Privacy Principle 8 by:

• Disclosing the country of operation in the sub-processor list above.
• Ensuring each offshore sub-processor is contractually bound to data-protection terms substantively equivalent to the APPs (typically the provider’s standard Data Processing Agreement, plus a back-to-back addendum where the standard DPA is light on a specific APP).
• Limiting what each offshore sub-processor sees to the minimum required to perform its function — for example, book identifiers (no student data) to Google APIs, and staff email addresses (no student data) to Brevo.
• Maintaining records of the categories of personal information disclosed offshore and the purposes of disclosure, available to the school on request.

Students, parents, and staff exercise their data subject rights (access, correction, deletion, restriction) through the school. The school directs Big Wella to action requests on its behalf. We commit to actioning a documented request within 14 days of receipt.

Where a request is declined (for example, where retention is required by law or for audit-trail integrity), we will provide written reasons consistent with APP 12 / APP 13 and assist the school’s response to the individual.

Where Big Wella becomes aware of any incident affecting a school’s data, we will notify the school’s primary contact within 72 hours — typically much sooner.

Where the incident is an “eligible data breach” under Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme), we assist the school with notification to the Office of the Australian Information Commissioner within the statutory 30-day window and with notification to affected individuals as soon as practicable.

Schools receive a written post-incident report within 15 business days of containment, covering root cause, remediation, and any new controls put in place.

• Active student datais retained for the duration of the student’s enrolment.
• After a student leaves, identifying fields are anonymised within 12 months while aggregate signals are retained.
• Staff data is retained for the duration of employment with the school.
• Audit logs are retained for 2 years rolling, then anonymised.
• Backups are retained for 90 days rolling.

On termination of the school agreement, we return or delete all school data within 30 daysat the school’s direction. Deletion is irreversible once executed and confirmed in writing.

The school may audit Big Wella’s processing activities once per calendar year, on reasonable notice and at the school’s cost, scoped to verifying compliance with this DPA. We respond to written compliance questionnaires (state DoE, AISNSW, AHISA, AISWA, NDPA, SDPC) at no charge.

On request, we provide our current security overview and our Essential Eight self-attestation. Where a school requires an independent attestation, we will work with them to scope and share the cost.

Liability under the DPA is governed by the limitation of liability clause in the Master Services Agreement, except that the cap does not apply to liability arising from a wilful breach, gross negligence, or fraud, or to liability that cannot be limited at law (including under the Australian Consumer Law).

The DPA runs for the same term as the underlying Master Services Agreement. Provisions relating to ongoing obligations — deletion, audit cooperation, breach notification for incidents discovered post-termination — survive expiry or termination.

We accept the Student Data Privacy Consortium’s National Data Privacy Agreement template as an alternative form of this DPA, on the following conditions:

• An Australian addendum maps the NDPA’s US-centric references (FERPA, COPPA, state-of-jurisdiction clauses) onto the Privacy Act 1988 and the 13 Australian Privacy Principles.
• Governing law is Queensland, Australia (or another Australian jurisdiction by agreement).
• The sub-processor list, retention windows, and breach notification SLAs published on this page are incorporated by reference.

Schools that are members of an SDPC chapter and prefer the NDPA can request the Australian addendum from info@wellreadreader.com.

This DPA is governed by the laws of Queensland and the Commonwealth of Australia. The courts of Queensland have non-exclusive jurisdiction.

Email info@wellreadreader.com and we’ll send the current draft DPA, the Master Services Agreement, the security overview, the sub-processor list, and the Essential Eight self-attestation. If your school sits under a state DoE or association vendor template (NSW DoE, VIC DET, Education QLD, AISNSW, AISWA, AHISA, the NDPA), we’ll respond on the appropriate template.

Related documents: Privacy Policy, Terms of Use.