1. Definition of Personal Information

Under the Privacy Act 1988 (Cth), "personal information" refers to any data or opinion about an identified individual, or an individual who is reasonably identifiable, irrespective of whether the information is true or recorded in any form. Information that does not disclose an individual’s identity is generally excluded from this definition and is not subject to this policy.

2. Collection of Personal Information

The type of personal information collected depends on your interaction with our website and Platform. We are committed to collecting only the minimum information necessary to provide our services effectively. While users are expected to provide information that allows the service to function as intended for their role, Vivedus permits the use of pseudonyms where functionally practicable and where it does not impede the necessary operations of the service or contractual obligations with the Client organisation. For instance, users providing general feedback may do so anonymously or pseudonymously where identification is not required to address the feedback.

Vivedus may collect details such as:

  • Contact name and telephone number (for organisational points of contact)
  • School name and address
  • Numbers of staff and students (for service setup)

Additionally, when using the Vivedus SaaS platform, the following information may be collected:

  • Full names and email addresses for registered users
  • Information about classes, subjects and year levels taught (as relevant to Platform function)
  • Lesson planning information, including content and metadata
  • Learning support information including support plans and student support requirements (where entered by authorised users)
  • User preferences and settings
  • User-generated content, such as comments and feedback provided within the Platform

As of the most recent update (2025-04), accounts within the platform are always created by an administrative user, or created via way of integration with a third-party LMS or school data management system. During administrative account registration and other information collection processes within the Platform, mandatory fields required for the service to function are clearly distinguished from optional fields.

Vivedus does not collect, use, or adopt government-related identifiers (such as tax file numbers, driver's licence numbers, or Medicare numbers) as its own identifier for individuals, nor do we require users to provide such identifiers unless specifically required by law for a particular transaction (which is not anticipated for the standard use of the Platform).

Vivedus does not collect or process specific user location data (e.g., GPS coordinates) as part of the Platform's core functionality. General regional information may be inferred from IP addresses for security and service optimisation purposes (e.g., routing traffic to the nearest server), but precise location tracking is not used.

2.1 Handling of Unsolicited Personal Information

If Vivedus receives unsolicited personal information (i.e., information received that was not actively sought, such as misdirected emails or data included inappropriately in user uploads), we will assess within a reasonable period (typically within 30 days) whether we could have collected this information under Australian Privacy Principle 3 had we solicited it. If we determine that we could not have collected the personal information, and the information is not contained in a Commonwealth record, we will, as soon as practicable, destroy the information or ensure that the information is de-identified, provided it is lawful and reasonable to do so.

3. Methods of Collection

Personal information is obtained through:

  • Direct input on the website or SaaS platform by users or authorised administrators within their organisation.
  • The use of cookies that track website usage to enhance user experience and monitor service performance. These cookies do not generally enable personal identification, focusing instead on aggregated usage patterns and necessary session management.

4. Purpose of Collection and Use of Personal Information

The primary reasons for collecting personal information include:

  • Delivering, maintaining, and optimising the Vivedus Platform and its features for our Client organisations and their authorised users.
  • Providing an optimised and responsive service experience.
  • Assisting prospective organisations and individuals seeking further information about Vivedus.
  • Managing user accounts, providing customer support, and responding to inquiries.
  • Facilitating direct marketing communications. Users will only receive direct marketing communications if they have explicitly opted-in to receive them. Sensitive information is never used for direct marketing. Each marketing message includes a straightforward option to unsubscribe or opt-out.
  • Sharing information strictly as necessary with authorised service providers (subprocessors, as detailed in Section 9) who assist us in operating the Vivedus website and Platform under strict confidentiality and data processing agreements, and only for the purposes outlined in this policy.
  • Meeting legal and regulatory obligations.

Vivedus will not otherwise disclose, share, or sell your personal information to third parties except under the following limited circumstances:

  • Where you (or your organisation, where applicable) have provided explicit consent;
  • Where disclosure is required or authorised by or under an Australian law or a court/tribunal order;
  • Where disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (as defined under the Privacy Act 1988); or
  • As otherwise permitted under the Australian Privacy Principles (e.g. permitted general situations).

Vivedus does not use, share, publish, sell, or provide access to any user personal information (including de-identified or aggregated data) for third-party advertising or market research purposes.

Certain features within the Platform may utilise technologies such as machine learning (ML) to enhance service functionality, for example, providing tailored recommendations based on anonymised or aggregated lesson planning content, as detailed in our subprocessor list (Section 9). Vivedus does not use personal information to train general-purpose artificial intelligence (AI) or ML models outside of the direct provision and improvement of the Vivedus Platform features described. Personal information is not shared with or used by AI/ML models for purposes other than those specified and necessary for delivering the contracted service.

The Vivedus Platform does not include functionality that allows users from one client organisation (e.g., a school) to find, discover, access, or share personal information or resources belonging to users from another, separate client organisation unless a data sharing agreement is in place between the two organisations. Aside from the aforementioned scenario, access is restricted to within the user's own registered organisation.

5. Access and Correction

In line with the Australian Privacy Principles (APP 12 and APP 13), individuals associated with our Client organisations (such as teachers or administrative staff using the Vivedus platform) are entitled to request access to the personal information Vivedus holds about them and to request corrections to any information they believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading. Furthermore, users or their organisation may request an export of their data held within the Vivedus platform, facilitating data portability as detailed in our Data Protection & Handling Policy. Requests for access, correction, or data export should be directed to Vivedus using the contact details provided in Section 12 of this policy. We will respond to such requests promptly, typically within 30 days, and in accordance with our legal obligations under the Privacy Act 1988. There is no charge for making a request for access or correction, nor for Vivedus providing access or making corrections to your personal information. Verification of identity will be required before processing such requests to ensure the security of personal information.

5.1 Data Deletion and Retention

Vivedus retains personal information only for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. Our specific data retention schedules for backups and production data are outlined in our Data Protection & Handling Policy.

  • Requested Deletion: You or your organisation have the right to request the deletion of your personal information under certain conditions, for instance, upon termination of your organisation's service agreement with Vivedus. The process and timelines for handling such requests are detailed in our Data Protection & Handling Policy.
  • Inactive Account Management: To adhere to data minimisation principles, Vivedus has a process for identifying and managing accounts that become inactive for a defined period. This process includes notification to the user and their organisation before eventual deactivation and deletion of the account and associated personal data. This process is fully described in our Data Protection & Handling Policy.

Please contact us using the details in Section 12 if you wish to inquire about or exercise your rights regarding data deletion or have questions about our data retention practices.

6. Complaint Procedure

Should there be any concerns regarding the handling of personal information, complaints should be addressed to the Managing Director, Paul Browning, at Vivedus Pty Ltd using the contact details in Section 12 of this document. Upon receiving a complaint, further details may be requested to clarify the matter. If the complaint is found to be valid, corrective measures will be implemented in consultation with the complainant. If the resolution is unsatisfactory, the matter may be referred to the Office of the Australian Information Commissioner.

7. Overseas Transfers

Personal information collected by Vivedus is primarily processed and stored within Australia. However, some of our authorised third-party service providers (subprocessors, listed in Section 9) may process or store data in other countries as specified in their respective details. Vivedus takes reasonable steps to ensure that any overseas recipient of personal information handles it in accordance with the Australian Privacy Principles, typically through contractual clauses imposing equivalent data protection obligations. We will not transfer your personal information overseas other than to these vetted subprocessors for the purposes outlined in this policy, unless we obtain your explicit consent or are required or authorised to do so by law. If you request us to transfer your data directly to an overseas entity not covered by our standard operations or agreements, please be aware that the receiving party may not be bound by the Australian Privacy Principles, and Vivedus cannot assume responsibility for their subsequent handling of the information.

8. General Data Protection Regulation (GDPR)

For individuals residing in the European Union whose personal information may be processed by Vivedus, additional protections under the General Data Protection Regulation (GDPR) may apply. Vivedus is committed to complying with the GDPR where applicable. Should personal information be processed in a manner that does not align with the GDPR, affected individuals may be entitled to additional rights and remedies as provided by the regulation. Please contact us using the details in Section 12 for GDPR-specific inquiries.

9. Subprocessors

Vivedus Pty Ltd engages several subprocessors to support and enhance its service offerings. These providers are bound by contractual agreements that include data protection obligations. The following provides details about each subprocessor, including their purpose, the types of data disclosed, the lawful basis for processing, and the jurisdictions in which data may be processed or stored.

Google Analytics:

  • Purpose: Gather usage data and statistics from the Vivedus website and SaaS platform, including tracking user interactions to improve service performance.
  • Data Types: Aggregated usage data, anonymised user interaction events, IP address (may be anonymised).
  • Lawful Basis: Legitimate Interest (Optimising service performance and user experience).
  • Processing Location(s): Jurisdictions where Google operates data centres (potentially global).
  • Contact: Website: https://analytics.google.com | Privacy Information: https://policies.google.com/privacy

Microsoft Azure:

  • Purpose: File storage (backups, SaaS application files like lesson planning resources and lesson attachments potentially containing user-uploaded content).
  • Data Types: Encrypted backups, application files (content depends on user uploads).
  • Lawful Basis: Contractual Necessity (Reliable operation of file storage services).
  • Processing Location(s): Australia (Sydney).
  • Contact: Website: https://azure.microsoft.com | Privacy Information: https://privacy.microsoft.com/en-us/privacystatement

fly.io:

  • Purpose: Cloud hosting services for the SaaS platform application code and operational data (excluding file storage handled by Azure).
  • Data Types: Platform code, application logs.
  • Lawful Basis: Contractual Necessity (Efficient and secure hosting services).
  • Processing Location(s): Australia (Sydney).
  • Contact: Website: https://fly.io | Privacy Information: https://fly.io/legal/privacy-policy

Cloudflare:

  • Purpose: DDoS protection, web application firewall (WAF), content delivery network (CDN), Intrusion Detection System (IDS), rate-limiting for website and SaaS platform.
  • Data Types: IP addresses, request metadata, potentially cached non-sensitive content.
  • Lawful Basis: Legitimate Interest (Maintaining security, performance, and availability).
  • Processing Location(s): Global network; processing typically occurs near the user.
  • Contact: Website: https://www.cloudflare.com | Privacy Information: https://www.cloudflare.com/privacypolicy/

Turso:

  • Purpose: Production database provider (secure-at-rest hosting and backups for the SaaS platform’s production database).
  • Data Types: All personal information stored in the Vivedus production database (e.g., user details, lesson plans, learning support info), encrypted at rest.
  • Lawful Basis: Legitimate Interest (Secure and reliable database operations); Contractual Necessity.
  • Processing Location(s): Australia (Sydney).
  • Contact: Website: https://turso.tech | Privacy Information: https://turso.tech/privacy

AWS (Amazon Simple Email Service - SES):

  • Purpose: Sending automated transactional emails from the Vivedus SaaS platform (e.g. notifications).
  • Data Types: Recipient email addresses, email content (typically non-sensitive transactional information).
  • Lawful Basis: Contractual Necessity (Effective communication with users).
  • Processing Location(s): Australia (AWS Sydney Region).
  • Contact: Website: https://aws.amazon.com/ses/ | Privacy Information: https://aws.amazon.com/privacy/

Freshworks (Freshdesk/Freshsales):

  • Purpose: Support portal, ticketing system, and customer relationship management (CRM).
  • Data Types: User email addresses, names, support request details, communication history, CRM data (contact information, organisational details).
  • Lawful Basis: Contractual Necessity (Providing customer support and managing customer relationships); Legitimate Interest.
  • Processing Location(s): Australia.
  • Contact: Website: https://www.freshworks.com | Privacy Information: https://www.freshworks.com/privacy/

Algolia:

  • Purpose: Securely indexes anonymised and aggregated lesson planning content from the Vivedus platform to enable fast and relevant search results within the service.
  • Data Types: Anonymised and aggregated lesson content (no personal information).
  • Lawful Basis: Legitimate Interest (Enhancing service delivery through efficient data retrieval, while ensuring user personal information is not processed for this purpose).
  • Processing Location(s): US.
  • Contact: Website: https://www.algolia.com | Privacy Information: https://www.algolia.com/policies/privacy/

OpenAI:

  • Purpose: Processes anonymised and aggregated lesson planning content to provide optional, tailored pedagogical recommendations within the Vivedus platform.
  • Data Types: Anonymised and aggregated lesson content (no personal information).
  • Lawful Basis: Legitimate Interest (Enhancing user experience via data-driven insights related to educational content, strictly within the service context). Personal information is not processed by OpenAI for this feature, nor is it used to train OpenAI's general-purpose models.
  • Processing Location(s): Jurisdictions where OpenAI operates its API services (primarily US).
  • Contact: Website: https://openai.com | Privacy Information: https://openai.com/policies/privacy-policy | API Data Usage Policies: https://openai.com/policies/api-data-usage-policies

Sentry:

  • Purpose: Performance monitoring and error detection/reporting on the SaaS platform.
  • Data Types: Application logs, error details, potentially including limited user identifiers necessary for debugging (e.g., user ID), IP address. Configured to minimize PII capture.
  • Lawful Basis: Legitimate Interest (Maintaining platform reliability and performance).
  • Processing Location(s): US.
  • Contact: Website: https://sentry.io | Privacy Information: https://sentry.io/privacy/

10. Data Security

Vivedus takes reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification, or disclosure. These measures include technical safeguards (such as encryption, access controls, firewalls) and organisational measures (such as staff training, data handling policies). More detailed information about our security practices can be found in our Data Protection & Handling Policy.

11. Policy Updates and Notification

Vivedus may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The 'Last Updated' date at the top of this policy indicates when revisions were made. We will notify Client organisations and/or registered users of significant changes to this Privacy Policy at least 14 days prior to the changes taking effect. Notification may be provided via email to registered account holders or administrators, or through a prominent notice within the Vivedus Platform. Following significant updates, users may be required to review and acknowledge the updated Privacy Policy before continuing to access or use the Platform.

12. Contact Details  

For any inquiries regarding this Privacy Policy, requests for access to personal information, or any concerns about privacy practices, please contact Vivedus Pty Ltd at: Email: privacy@vivedus.com

Effective Date:
January 1, 2025
Version Number:
2
Date Last Updated:
April 25, 2025