🧪

School Data Handling Agreement

Between Word Labs and the subscribing school

Version 1.0 · March 2026

1. Parties

Service Provider ("Word Labs")	Nicholas Deeney, trading as Word Labs Education Email: nick@wordlabs.app Website: wordlabs.app ABN: registered sole trader
School ("the School")	School name: ___________________________________ School address: ___________________________________ Contact name: ___________________________________ Contact email: ___________________________________

2. Purpose

This School Data Handling Agreement ("Agreement") sets out how Word Labs collects, stores, processes, and protects personal information belonging to the School's students and staff in connection with the Word Labs educational platform ("Service").

This Agreement supplements Word Labs' Privacy Policy (available at wordlabs.app/privacy) and the Terms of Service (available at wordlabs.app/terms). In the event of a conflict, this Agreement takes precedence.

This Agreement is entered into on the date of last signature below and remains in force for the duration of the School's subscription to the Service.

3. Definitions

Personal Information — information about an identified or reasonably identifiable individual, as defined in the Privacy Act 1988 (Cth).

Student Data — the personal information of students entered into the Service by the School, limited to: student first name, a randomly generated 3-character login code, and in-game activity scores (correct answers, total attempts, time taken per activity).

Teacher Data — the personal information of teachers who create accounts on the Service, limited to: email address and school name.

School Data — Student Data and Teacher Data collectively.

Sub-processor — a third-party organisation that processes School Data on Word Labs' behalf.

4. What Data Is Collected

4.1 Student data

Data item	Purpose	Collected by
Student first name	Identify students in teacher dashboard	Teacher (entered manually)
3-character login code	Allow student to access their games	System-generated automatically
Activity scores (correct, total, time)	Teacher progress dashboard and heatmaps	Recorded during gameplay
In-game rewards (quarks, badges, character)	Student motivation and reward system	Earned during gameplay

Word Labs does not collect: student surnames, email addresses, dates of birth, photos, device identifiers, location data, or any other personal information about students.

4.2 Teacher/staff data

Data item	Purpose
Email address	Login, password reset, subscription receipts
School name	Dashboard identification and invoicing
Subscription/billing status	Access control (managed via Stripe — see Section 7)

5. Data Storage and Location

All School Data is stored in Australia using Supabase (PostgreSQL), hosted in the Sydney data centre (AWS ap-southeast-2). Data does not leave Australia except as required for payment processing (teacher/billing data only — see Section 7).

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256.

6. Data Isolation and Access Controls

The Service implements database-level Row Level Security (RLS) policies that ensure:

Teachers can only access data belonging to their own school
Student records are only accessible to the teacher who created the class
No teacher can access another school's data
Students can only access their own in-game data via their 3-character code

Word Labs staff (Nicholas Deeney) may access School Data for the purpose of technical support, debugging, or responding to a request from the School. All such access is logged.

7. Sub-Processors

Sub-processor	Location	Purpose	Data shared
Supabase Inc. supabase.com	Australia (Sydney, ap-southeast-2)	Database, authentication, and edge functions hosting	All School Data
Stripe Inc. stripe.com	United States	Subscription payment processing	Teacher email, school name, billing details only. No student data.
Anthropic PBC anthropic.com	United States	AI-powered word analysis for custom word lists and spelling sets; AI generation of custom shop item images	Word content and image data only. No student data. No names.
Google Cloud (Google LLC) cloud.google.com	United States / global	Text-to-speech audio for Spelling Check-In assessment and EALD pronunciation features	Word text only. No student data. No names.
Resend Inc. resend.com	United States	Transactional email delivery (feedback forms, school quote requests)	Teacher email address only. No student data.
Vercel Inc. vercel.com	United States (CDN edge globally)	Website hosting and content delivery	Web request logs (IP, browser type) — not linked to user accounts. Retained ≤30 days.

Word Labs will notify the School of any changes to sub-processors that involve Student Data with at least 30 days' notice.

8. Retention and Deletion

Scenario	Action	Timing
Teacher deletes a class	All student records for that class (names, codes, scores, character data) are permanently deleted via cascade	Immediate
Subscription cancelled or expired	Data retained to allow reactivation	Retained for 90 days after expiry
90 days after expiry with no renewal	All School Data permanently deleted	Automated
School requests deletion	All School Data permanently deleted on request	Within 14 days of written request
Teacher account deleted	All associated school, class, and student data permanently deleted	On request — within 14 days

9. Data Breach Notification

Word Labs is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

In the event of an eligible data breach likely to result in serious harm to individuals whose information is involved, Word Labs will:

Notify the affected School by email as soon as practicable and no later than 72 hours after becoming aware of the breach
Notify the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware
Provide a written statement describing the nature of the breach, the information involved, and steps taken or proposed
Take immediate steps to contain the breach and prevent recurrence

10. School Responsibilities

The School agrees to:

Ensure it has appropriate authority (including any applicable parental notification or consent requirements) to enter student first names into the Service
Keep teacher account credentials secure and not share them outside the school
Notify Word Labs promptly of any suspected unauthorised access to School Data
Ensure that students use the Service only under appropriate teacher supervision consistent with the School's acceptable use policies
Not enter any sensitive information about students beyond what is required (i.e. first name only)

11. Word Labs Responsibilities

Word Labs agrees to:

Process School Data only for the purposes described in this Agreement and the Privacy Policy
Not sell, rent, or share Student Data with any third party for commercial purposes
Not use Student Data for advertising, profiling, or any purpose beyond operating the Service
Maintain appropriate technical and organisational security measures as described in Section 6
Comply with the Australian Privacy Act 1988 and the Australian Privacy Principles
Handle School Data in a manner consistent with the Information Protection Principles (IPPs) under the PPIP Act, enabling NSW government schools to meet their obligations under that Act
Notify the School of material changes to this Agreement, sub-processors, or data handling practices
Respond to data access or deletion requests within 14 days

12. Audit Rights

The School may request a written summary of Word Labs' data handling practices, security measures, and sub-processor arrangements at any time by emailing nick@wordlabs.app. Word Labs will respond within 14 days.

The School may request deletion of all its data at any time for any reason, with no penalty.

13. Governing Law

This Agreement is governed by the laws of Queensland, Australia. The parties submit to the non-exclusive jurisdiction of the courts of Queensland. This Agreement is consistent with and subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where the School is a NSW public sector agency, this Agreement is also consistent with and subject to the Privacy and Personal Information Protection Act 1998 (NSW).

14. Amendments

Word Labs may update this Agreement from time to time. Schools will be notified by email at least 30 days before any material changes take effect. Continued use of the Service after notification constitutes acceptance of the updated Agreement. Schools may terminate without penalty if they do not accept material changes.

15. Contact for Privacy Matters

Privacy contact	Nicholas Deeney
Email	nick@wordlabs.app
Website	wordlabs.app/privacy
External regulator	Office of the Australian Information Commissioner (OAIC) oaic.gov.au · 1300 363 992 NSW Information and Privacy Commission (IPC) ipc.nsw.gov.au · 1800 472 679

Signatures

By signing below, both parties agree to the terms of this School Data Handling Agreement.

For Word Labs

Signature

Nicholas Deeney

Word Labs

Date: ___________________

For the School

Authorised signatory signature

Name: ___________________

Title: ___________________

School: ___________________

Date: ___________________