How we handle your data.

WellRead is operated by Big Wella, the registered business name of a sole trader based in Queensland, Australia.

This policy covers personal information handled by WellRead when:

• A school enables WellRead for its students and staff (“school data”).
• A staff member uses the marketing site (wellreadreader.com) — including booking a demo or contacting us.
• A visitor browses the marketing site without identifying themselves.

It does notoverride your school’s own privacy policy. Where a school is acting as the data controller for its students and staff, the school’s policy governs collection from those individuals; we act as data processor on the school’s instructions, as set out in the Data Processing Addendum.

The categories of personal information we collect, who we collect it from, and why:

We do not collect: location coordinates, biometric data, health data, behavioural advertising profiles, or third-party social-graph data.

• Directly — when staff enter information, book a demo, or use the Library Hub.
• From the school — when a school enables WellRead, the librarian provides initial roster data (manually or via CSV import).
• Automatically — as a student or staff member uses the app (saving a book, finishing a book, answering the vibe quiz, browsing the marketing site).

We use personal information to:

• Provide the WellRead reading-discovery experience to students.
• Provide the Library Hub and Teacher Dashboard to staff.
• Generate aggregate signals (popular titles, reading-state breakdowns by year level) for the school’s own use.
• Respond to enquiries from school staff who book a demo.
• Improve the platform on the basis of aggregate, de-identified signal — never on identifiable student data.
• Comply with our legal obligations (audit trails for staff actions, breach notification, financial records).

We do not use student data for advertising, profiling, resale, or any purpose outside the contracted reading and library functions. We do not train third-party AI models on student data.

The third-party services we use to operate WellRead. Each one processes data only as instructed by us, under back-to-back data-protection terms.

We do not sell personal information to anyone, and we do not disclose it to third parties for their independent use. Schools can request the current sub-processor list at any time. We will notify schools of any new sub-processor before it begins processing their data, with an opt-out window.

Production tenant data is held in Australia. The platform runs on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2): containerised application via ECS Fargate, primary database via RDS Postgres, encrypted backups via S3, and observability via CloudWatch — all provisioned in-region. Each school receives its own subdomain on the platform; tenant data is logically separated by schoolId on every owned row.

WellRead is delivered as a managed cloud service. Schools do not self-host; we operate the infrastructure on their behalf.

Some sub-processors operate from offshore regions:

• Brevo (transactional email + campaign tooling) — European Union. Email metadata for staff-initiated communications only; no student data is ever sent through Brevo.
• Google APIs (Books API for cover lookups; Generative AI / Gemini for librarian-only enrichment workflows) — United States and other Google-managed regions. We send only book identifiers (ISBNs, titles) to these APIs, never student data.

The full data flow is mapped in the Data Processing Addendum. Where any sub-processor sits outside Australia, the safeguards in place (contractual and technical) are documented there per Australian Privacy Principle 8.

On termination of a school agreement, we return or delete all school data within 30 days at the school’s direction (see /dpa §9). Deletion is irreversible once executed.

We follow the Office of the Australian Information Commissioner’s guidance for securing personal information and apply controls aligned with the Australian Cyber Security Centre’s Essential Eight (Maturity Level 1 baseline, targeting ML2 on multi-factor authentication, patching, and backups within 12 months).

• In transit. TLS 1.2 or higher on every connection. HSTS enforced.
• At rest. AES-256 encryption on database and backups by the cloud provider.
• Access control. Role-based: students see only their own data; teachers see only their classes; librarians see their school. Operator access is time-bounded and logged.
• Authentication. Multi-factor authentication on every operator account (database, hosting, email, source control).
• Application security. Cross-site request forgery defence on every state-changing API; SameSite cookies; Content Security Policy on the public site.
• Patching. Critical CVEs patched within 48 hours; standard updates within two weeks.
• Backups. Daily encrypted off-site backups, quarterly restore drill.
• Incident response. Documented Data Breach Response Plan with a 72-hour notification SLA to affected schools; OAIC notification per the Notifiable Data Breaches scheme (§13).

Most personal information we hold relates to children. We treat that data with extra care, consistent with the OAIC’s expectations and the Children’s Online Privacy Code currently in development.

• We do not directly collect identifying information from students; the school is the source.
• Students cannot make their reading activity public to other students. Aggregate signals (e.g. “peer favourites”) are de-identified.
• We do not show advertising in the student app.
• We do not use student data for any commercial purpose outside the contracted service to the school.
• We do not enrol students in marketing or research communications.

Australian Privacy Principles 12 and 13 give you the right to access the personal information we hold about you and to request correction. You can also request deletion at any time.

For students and staff:the school is the data custodian. Direct your access, correction, or deletion request to your school’s privacy contact. The school will instruct us, and we will action the instruction within 14 days.

For visitors and demo enquirers: email info@wellreadreader.com. We will respond within 14 days. There is no charge for access or correction.

The marketing site (wellreadreader.com) uses minimal cookies and may use a privacy-preserving analytics service to count visits and understand which campaigns reach schools. We do not use behavioural advertising cookies. We do not share analytics data with advertisers or social platforms.

The student app and Library Hub use only the cookies needed to keep you signed in and your session valid.

The Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988) requires us to notify the Office of the Australian Information Commissioner and affected individuals when an eligible data breach occurs.

Our commitments:

• We will notify the affected school’s primary contact within 72 hours of becoming aware of any incident affecting their data — typically much sooner.
• We will assess each incident within the statutory 30-day window and, where it is an eligible breach, notify the OAIC and affected individuals as soon as practicable.
• We maintain a Data Breach Response Plan with a named incident captain, severity rubric, communication tree, and evidence-preservation steps.
• Schools receive a post-incident report covering root cause, remediation, and any new controls put in place.

If you think we have mishandled your personal information, please tell us first. Email info@wellreadreader.com with the details. We will acknowledge within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):

• Web: oaic.gov.au/privacy/privacy-complaints
• Phone: 1300 363 992

Schools may also raise concerns under their state or territory information-privacy regulator (NSW IPC, OVIC in Victoria, OIC in Queensland).

We will update this policy when our practices change or when law requires it. Material changes — sub-processor additions, retention changes, security control changes — will be communicated to schools by email at least 30 days before taking effect, with an opt-out window for sub-processor additions.

The “Last reviewed” date below is updated each time the policy changes.

• Data Processing Addendum — the contractual terms governing how we process school data on behalf of schools.
• Terms of Use — terms governing your use of the marketing site.
• Master Services Agreement (MSA) — the school contract. Provided on request to schools entering procurement.
• Sub-processor list — current detail provided to schools on request.
• Security overview + Essential Eight self-attestation — provided to schools on request.

This Privacy Policy is governed by the laws of Queensland and the Commonwealth of Australia. Disputes are subject to the non-exclusive jurisdiction of the courts of Queensland.