What we’ll do with your data, in writing.

The school is the data controller: it decides what data is collected from its students and staff, and why. Big Wella, the entity behind WellRead, is the data processor: we hold the data on the school’s behalf and only use it as the school instructs.

Categories of data we process: identifying information for students (name, year level, school) and staff (name, school email, role); reading activity (saved books, finished books, ratings, streak); curation actions performed by staff (carousels, holiday selections, content suitability ratings, enrichment edits, withdrawals); audit log entries.

Categories of data we do not process: location data, biometric data, health data, behavioural advertising profiles, third-party social graph data.

Purposes of processing, in order: providing the discovery experience, providing the Library Hub and Teacher Dashboard, supporting the school, improving the platform on the basis of aggregate signal only.

Production data: Australian-region cloud infrastructure. Backups: same region, encrypted at rest. The book catalogue and identifiable student data live in separate databases.

The final DPA will name each sub-processor in writing (currently includes our database provider, file storage, email transactional service, and AI providers used for librarian-only enrichment workflows). Schools will be notified of any new sub-processor before that sub-processor begins processing data, with an opt-out window.

The DPA documents our technical and organisational measures in detail. They include, at a minimum:

• TLS 1.2+ for all data in transit.
• Encryption at rest for both database and backups.
• Role-based access control: students see only their own data, teachers see only their classes, librarians see their school.
• Big Wella staff access is logged, time-bounded, and only used for support tasks at a school’s request.
• Multi-factor authentication on all administrative tools.
• Regular security review of dependencies and infrastructure.
• Tested backup restoration procedures.

Each sub-processor will be listed in the executable DPA with its country of operation, the scope of data it processes, and the contractual basis under which it processes that data. We maintain back-to-back data protection terms with each one.

Schools can request the current sub-processor list at any time.

Where any sub-processor is located outside Australia, the DPA discloses the country and the safeguards in place. Production data is held in Australia by default, and we will not move it to another region without prior notification.

Students, parents, and staff exercise their data subject rights (access, correction, deletion, restriction) through the school. The school directs Big Wella to action requests on its behalf. We commit to actioning instructions within fourteen days of receipt.

We will notify the affected school’s primary contact within 72 hours of becoming aware of any incident affecting their data. Where the incident is an “eligible data breach” under the Notifiable Data Breaches scheme, we assist the school with notification to the OAIC within the required 30 day window and with notification to affected individuals.

Active student data is retained for the duration of the student’s enrolment. After a student leaves, identifying fields are anonymised within twelve months while aggregate signals are retained.

Staff data is retained for the duration of employment plus the period required to maintain audit log integrity.

On termination of the school agreement, we return or delete all school data within thirty days, at the school’s direction. Deletion is irreversible once executed.

The school may audit our processing activities once per calendar year, on reasonable notice and at the school’s cost, scoped to verifying compliance with the DPA. We respond to written compliance questionnaires at no charge.

Liability under the DPA is governed by the limitation of liability clause in the Master Services Agreement, except where a wilful breach or gross negligence is established.

The DPA runs for the same term as the underlying school agreement. Provisions relating to ongoing obligations (deletion, audit cooperation, breach notification for incidents discovered post-termination) survive.

Email support@bigwella.com and we’ll send the current draft DPA, the security overview, and the sub-processor list.

For the related documents, see Privacy and Terms.