Privacy Policy

Last updated: 22 March 2026

imSteyn (“we”, “us”, “our”) is operated by QR Scout Pty Ltd (ABN pending), an Australian company. We are committed to protecting the privacy of our users, especially the children who use our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the imSteyn website and service at imsteyn.com.

By using imSteyn, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.

1. Information We Collect

1.1 Account Information (Parents)

When a parent creates an account, we collect:

  • Full name
  • Email address
  • Password (stored as a salted bcrypt hash — we never store plaintext passwords)

1.2 Child Profiles

When a parent adds a child to their account, we collect:

  • Child’s first name or nickname only
  • Year level (e.g. Year 7)
  • Optional: username and password for child sign-in (password is hashed)

We deliberately minimise the data we collect about children. We do not collect surnames, dates of birth, school names, physical addresses, phone numbers, or photographs of children.

1.3 Learning Data

As children use the tutoring platform, we collect:

  • Conversation messages between the child and the AI tutor
  • Images uploaded by the child (homework photos, handwritten working via the drawing canvas)
  • Assessment results (correct/incorrect answers, skill proficiency levels)
  • Practice test scores and results
  • Session metadata (start time, duration, topic, learning phase)

1.4 Technical Data

We automatically collect:

  • IP address (for rate limiting and security only; not stored long-term)
  • Browser type and version
  • Device type (desktop, tablet, mobile)
  • Pages visited and feature usage (via PostHog analytics)

1.5 Payment Data

Subscription payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe provides us with a customer ID, subscription status, and billing email. See Stripe’s Privacy Policy.

2. How We Use Your Information

  • Provide the tutoring service: Deliver AI-powered lessons, track learning progress, and generate parent reports.
  • AI processing: Conversation messages and uploaded images are sent to Anthropic’s Claude API to generate tutoring responses. See Section 5 for details.
  • Safety monitoring: We scan AI conversations for safety concerns (distress signals, inappropriate content). If detected, we notify the parent via email.
  • Account management: Authentication, password resets, co-parent invitations.
  • Service improvement: Aggregated, de-identified analytics to improve the product.
  • Billing: Process subscription payments via Stripe.
  • Communication: Send transactional emails (password resets, invites, safety alerts). We do not send marketing emails.

3. How We Protect Your Information

  • All data is transmitted over HTTPS (TLS encryption in transit).
  • Passwords are hashed using bcrypt with salt rounds before storage.
  • The database is hosted on Neon (PostgreSQL) with encryption at rest.
  • Uploaded images are stored in Cloudflare R2 with access controls.
  • Authentication uses HTTP-only, secure cookies with JWT tokens.
  • API endpoints are rate-limited (30 requests per minute per student) to prevent abuse.
  • We use Sentry for error monitoring (with PII scrubbing enabled).

4. Children’s Privacy

imSteyn is designed to be used by children aged 12–13 under parental supervision. We take additional precautions for child users:

  • Parent-first architecture: Only parents can create accounts. Children are added as profiles under a parent account.
  • Minimal PII: We only store a child’s first name/nickname and year level. No surname, DOB, school, or address.
  • Full parental visibility: Parents can view all conversation history, test results, and activity logs.
  • Safety alerts: If the AI detects concerning content, the parent is notified immediately via email.
  • No advertising: We do not serve ads to children or adults. We do not sell or share children’s data for advertising purposes.
  • No social features: Children cannot communicate with other users. There are no chat rooms, forums, or public profiles.
  • Content filtering: The AI is instructed to refuse all inappropriate content and redirect to learning.

5. Third-Party Services

We use the following third-party services to operate imSteyn:

Service | Purpose | Data shared
Anthropic (Claude API) | AI tutoring responses | Conversation messages, uploaded images
Neon | Database hosting | All account and learning data
Cloudflare R2 | Image storage | Uploaded images
Upstash Redis | Session cache, rate limiting | Session context (temporary)
Stripe | Payment processing | Billing email, payment method (via Stripe)
AWS SES | Transactional email | Email address, email content
Fly.io | Application hosting | Application runtime data
PostHog | Product analytics | Anonymised usage events
Sentry | Error monitoring | Error logs (PII scrubbed)
Cloudflare Turnstile | Bot protection | Browser signals (no personal data)

Anthropic’s data policy: Per Anthropic’s commercial API terms, data sent to the Claude API is not used to train their models. Conversations are processed in real-time and are subject to Anthropic’s data retention policy for API customers.

6. Data Retention

  • Account data: Retained for the lifetime of the account. Deleted upon account deletion request.
  • Conversation history: Stored for parent review. Deleted when the account is deleted.
  • Uploaded images: Stored for parent review. Deleted when the account is deleted.
  • Session cache (Redis): Automatically expires after 2 hours.
  • Safety alerts: Retained indefinitely for child protection purposes, even after account deletion.
  • Payment records: Retained as required by Australian tax law (minimum 5 years).

7. Your Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information held by us.
  • Correct any inaccurate or outdated information.
  • Request deletion of your account and associated data (subject to legal retention requirements).
  • Withdraw consent by closing your account at any time.
  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

To exercise any of these rights, email us at [email protected].

8. Cookies

imSteyn uses the following cookies:

  • Authentication cookie (HTTP-only, secure): Stores your session token. Essential for the service to function.
  • Cloudflare Turnstile: May set cookies for bot detection during sign-up.
  • PostHog: Sets an anonymous analytics cookie to understand feature usage. No personal data is stored in this cookie.

We do not use advertising cookies or share cookie data with advertisers.

9. International Data Transfers

Our hosting and third-party services may process data outside Australia (primarily in the United States). We ensure all service providers maintain appropriate data protection standards. By using imSteyn, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data: