Legal

Privacy Policy

Version 1.0.0 | Last updated: 15 February 2026

1. About This Policy

TEX Inc Pty Ltd ("TEX," "we," "us," or "our") operates the TEX Platform Schools application (the "Platform"), a software-as-a-service platform for Australian schools.

This Privacy Policy explains how we collect, hold, use, and disclose personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process personal data of individuals located in the European Union, we also comply with the General Data Protection Regulation (GDPR). For schools in the United States, we support compliance with the Family Educational Rights and Privacy Act (FERPA) — see Section 11 for details.

This policy applies to all users of the Platform, including school administrators, teachers, students, parents, alumni, and other contacts. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

Data Protection Officer: Kunal Bhusare — kunal@tex.inc
Contact for privacy enquiries: privacy@tex.inc

2. Kinds of Personal Information We Collect and Hold

We collect and hold the following categories of personal information. The types of information collected depend on your role and how you interact with the Platform.

a) Account Information

  • Email address (required for registration)
  • Password (hashed — never stored in plain text)
  • First name, last name, display name
  • Avatar or profile picture (stored in Vercel Blob)
  • Phone number (optional)
  • Bio (optional)

b) Educational Information

  • Graduation year, graduation month, class of year
  • Academic course enrolments
  • Skills assessment responses and competency scores
  • Class assignments (teacher and student)

c) Contact & Relationship Information

  • Family relationships (parent, guardian, sibling, spouse)
  • Emergency contact designations
  • Organisation membership and role

d) Communication Data

  • Emails sent and received (content, subject, timestamps)
  • Email delivery events (sent, delivered, opened, clicked, bounced)
  • Communication preferences and opt-out records

e) Career & Opportunity Data

  • Opportunity interactions and applications
  • Career pathway exploration queries
  • AI-generated opportunity recommendations

f) Technical & Usage Data

  • Authentication events and session data
  • Error reports (via Sentry — may include user identifiers, email, organisation ID)
  • Product analytics events (via PostHog)
  • IP addresses
  • Browser user agent strings

3. How We Collect and Hold Personal Information

We collect personal information through:

  • Direct collection: Registration forms, profile editing, and communication composition within the Platform.
  • Indirect collection: School Management Information System (MIS) synchronisation via Wonde, and CSV/XLSX bulk import by school administrators.
  • Automated collection: Error tracking (via Sentry), product analytics (via PostHog), and email delivery event webhooks (via Resend).

Storage and security: Personal information is stored in a managed PostgreSQL database (Supabase) with encryption at rest. Files are stored in Vercel Blob storage. All data is transmitted using TLS 1.3 encryption. Access is controlled through Row-Level Security (RLS) policies and role-based access control (RBAC) with 14 roles across 4 role groups. We conduct regular security audits and vulnerability assessments. For more details, please visit our Security & Compliance page.

4. Purposes of Collection, Use and Disclosure

We collect, use, and disclose personal information for the following purposes:

PurposeLawful Basis
Core service delivery and platform operationContract performance / Legitimate interest
Student progress tracking and assessmentContract performance
Parent-school communicationLegitimate interest
AI-powered features (opt-in)Consent
Product analytics and improvementLegitimate interest
Error monitoring and debuggingLegitimate interest
Marketing communicationsExplicit consent (opt-in required)

We do not sell personal information to any third party. We do not use student data for advertising purposes. We do not permit third-party advertising on our Platform.

5. How We Use Artificial Intelligence

The Platform includes AI-powered features. We are transparent about how AI is used, what data is processed, and your choices.

AI Features

  • Conversational assistant: Powered by OpenAI for general queries and task assistance.
  • Opportunity discovery: Uses search APIs (Tavily) to find relevant opportunities for students.
  • Opportunity URL extraction: Uses web scraping (Firecrawl) combined with OpenAI to extract structured opportunity data from URLs.
  • Career intelligence: Uses Lightcast for job market data queries. No personal information is sent to Lightcast.

Data Sent to AI Providers

  • OpenAI (United States): Conversation text and prompts. OpenAI does not train on data submitted through its API by default. OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring purposes only.
  • Tavily (United States): Search queries for opportunity discovery. No personal information is included in queries.
  • Firecrawl (United States): URLs submitted for opportunity detail extraction.

Human Oversight and Opt-Out

All AI outputs are presented as suggestions, not automated decisions. Users can choose not to use AI features. No automated decisions are made solely by AI that have legal or similarly significant effects on individuals. AI-powered features may produce inaccurate, incomplete, or outdated outputs and should not be relied upon as the sole basis for decisions.

6. Overseas Disclosure

We disclose personal information to the following overseas recipients. We remain accountable for overseas recipients under section 16C of the Privacy Act 1988.

Service ProviderPurposeCountry
SupabaseDatabase hosting and authenticationAustralia (Sydney)
VercelApplication hosting and file storageAustralia (Sydney)
OpenAIAI processing for conversational featuresUnited States
ResendEmail deliveryUnited States
SentryError monitoringUnited States
PostHogProduct analyticsUnited States
TavilySearch API for opportunity discoveryUnited States
FirecrawlWeb scraping for opportunity extractionUnited States
WondeSchool MIS integrationUnited Kingdom

Safeguards: We maintain Data Processing Agreements with our service providers. Our providers maintain industry certifications including SOC 2 Type II and ISO 27001. Where personal data is transferred outside Australia, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.

7. Access and Correction

You may request access to, or correction of, your personal information at any time by contacting our Privacy Officer at privacy@tex.inc.

  • We will respond to access requests within 30 days.
  • There is no charge for making a request or for corrections.
  • Self-service: You can edit your profile, manage communication preferences, and view your data through the Platform settings.

For student data, please contact your school's administration, as schools are the primary data controllers for student education records and can facilitate most requests directly through the Platform's administrative tools.

8. Data Retention and Deletion

  • Active data: Retained while your account is active and your school maintains an active subscription.
  • Soft-deleted data: Retained for 30 days after deletion, then permanently removed.
  • Communication history: Retained for the period configured by your organisation.
  • Activity logs: Retained for 12 months then archived.
  • Analytics data: Aggregated and anonymised analytics data may be retained for up to 24 months for product improvement.
  • Account deletion: You may request deletion of your account by contacting our Privacy Officer. Upon termination of a school's contract, student data will be deleted or returned within 30 days.

9. Cookies and Tracking Technologies

We use the following cookies and tracking technologies:

  • Authentication cookies: Supabase auth session cookies (httpOnly, secure, sameSite=lax) — essential for Platform operation.
  • Tenant context cookies: Used to identify your school organisation (httpOnly, 1-hour TTL) — essential for multi-tenant operation.
  • Local storage: Last authentication provider preference — for user convenience only.
  • Product analytics: PostHog analytics (client-side JavaScript) — for product improvement. Anonymised usage data only.

We do not use third-party advertising cookies or tracking pixels. We do not permit third-party advertising networks to place cookies on our Platform. For users in jurisdictions that require explicit consent for non-essential cookies (including the EU/EEA and UK), we provide a cookie consent mechanism.

10. Children's Privacy

The Platform is used by students, including minors under the age of 18. We take additional precautions to protect children's personal information:

  • Students under 15: Parent or guardian consent is required before their data is collected and processed.
  • Students aged 15–17: Student consent with parent notification is applied.
  • Schools are responsible for obtaining appropriate consent from parents and guardians for student data processed through the Platform.
  • Privacy-protective defaults are applied to all student accounts.

We will comply with the Children's Online Privacy Code (COPC) by its effective date of 10 December 2026. If we learn that we have inadvertently collected personal information from a child without appropriate consent, we will take prompt steps to delete that information. Parents or guardians should contact us immediately at privacy@tex.inc.

11. US Schools — Family Educational Rights and Privacy Act (FERPA)

This section applies to schools in the United States that are subject to FERPA (20 U.S.C. § 1232g; 34 CFR Part 99). Where this section addresses requirements that overlap with the Australian Privacy Principles or GDPR, the most protective standard applies.

a) TEX as a School Official

TEX operates as a "school official" with a legitimate educational interest under FERPA §99.31(a)(1). This means:

  • TEX performs an institutional service or function for which the school would otherwise use its own employees.
  • TEX is under the direct control of the school with respect to the use and maintenance of education records.
  • TEX uses education records only for the purposes for which the disclosure was made, as specified in the school's subscription agreement and our Data Processing Agreement.
  • TEX's use of education records is subject to the school's policies and FERPA re-disclosure restrictions.

b) Education Records

Under FERPA, "education records" are records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. On the TEX Edu, this includes:

  • Student profile information (name, email, phone, avatar)
  • Academic data (enrolments, class assignments, year levels, graduation dates)
  • Assessment data (skills assessments, competency scores, self-ratings)
  • Career data (opportunity interactions, pathway exploration, AI recommendations)
  • Communication records (emails between school staff and students)

c) Directory Information

FERPA allows schools to designate certain student information as "directory information" that may be disclosed without prior consent, provided parents (or eligible students) are notified and given the opportunity to opt out. The TEX Edu supports school administrators in configuring which fields are designated as directory information and provides an opt-out mechanism for parents and eligible students through the privacy settings.

d) Parental and Eligible Student Rights

Parents of students under 18, and students aged 18 or older ("eligible students"), have the following rights under FERPA:

  • Right to inspect and review education records. Schools must comply within 45 days of a request. Parents and eligible students can contact their school to access records maintained in the Platform.
  • Right to request amendment of education records the parent or eligible student believes are inaccurate, misleading, or in violation of privacy rights. Requests should be directed to the school.
  • Right to consent to disclosures of personally identifiable information from education records, except to the extent FERPA authorises disclosure without consent (such as the school official exception described above).
  • Right to file a complaint with the U.S. Department of Education concerning alleged FERPA violations. Complaints may be filed with the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Avenue SW, Washington, DC 20202.

e) Transfer of Rights

When a student turns 18 years old or enrols in a postsecondary institution, FERPA rights transfer from the parent to the student. The Platform supports this transition through role and permission adjustments managed by the school.

f) Re-disclosure Restrictions

TEX does not re-disclose education records to third parties except as authorised by the school or as permitted by FERPA. Where student data is processed by sub-processors (listed in Section 6), those processors are contractually bound to use the data only for the purposes for which it was disclosed and to comply with applicable re-disclosure restrictions.

g) Data Processing Agreement

Schools subject to FERPA should execute our Data Processing Agreement, which includes FERPA-specific provisions covering school official designation, legitimate educational interest, re-disclosure restrictions, and data return and deletion obligations upon contract termination. To request a DPA, contact privacy@tex.inc.

12. Your Rights

Under Australian privacy law, GDPR (where applicable), and FERPA (for US schools — see Section 11), you have the following rights:

  • Right to access your personal information (APP 12 / GDPR Article 15)
  • Right to correction of inaccurate information (APP 13 / GDPR Article 16)
  • Right to erasure of your personal data (GDPR Article 17 — where applicable)
  • Right to data portability (GDPR Article 20 — where applicable)
  • Right to object to processing (GDPR Article 21 — where applicable)
  • Right to withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing carried out before the withdrawal
  • Right to complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, phone 1300 363 992

To exercise any of these rights, please contact us at privacy@tex.inc. We will respond to all verified requests within 30 days. If we require additional time, we will notify you of the reason and extension period (not to exceed an additional 60 days). For users in the EU/EEA, you may also lodge a complaint with your local data protection authority.

13. Data Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988 (Part IIIC), we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
  • Notify affected individuals with details of the breach, the types of information involved, and recommended steps to take.
  • Notify affected schools immediately so they can take appropriate action to protect their students and staff.

Where applicable under GDPR, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay. Our full Data Breach Response Plan is maintained internally and reviewed annually.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you by email and via an in-app notification.
  • For changes that affect student data practices, we will provide schools with at least 30 days' advance notice.
  • Material changes that affect how we process your data may require you to provide fresh consent (re-consent).
  • We maintain version tracking with effective dates for all policy changes. Previous versions are available upon request.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of those changes. If you do not agree with the updated Privacy Policy, you should discontinue your use of the Platform and contact us to request deletion of your data.

15. Contact Information

If you have questions about this Privacy Policy or wish to make a privacy-related request:

Data Protection Officer: Kunal Bhusare — kunal@tex.inc
Privacy enquiries: privacy@tex.inc
General enquiries: support@tex.inc

You also have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

For student data requests, we recommend contacting your school's administration first, as they are the primary data controllers for student education records.